Sunday, August 11, 2013

Policy-Based Routing

In certain cases, the best path isn't always the "best path". Normally the best path is determined by the routing protocol through its metric calculation, which may be simple, as in OSPF and RIP, or complex, as in EIGRP. The key point is that the routing protocol affects all types of traffic, since everything is forwarded under the same rule: the IGP's best path.
Sometimes we want to change this default behavior, either for security reasons or because a different path is the "actual" best path. This can be achieved with policy-based routing, or PBR.

There are two types of PBR:
1.   Transient traffic PBR: traffic passing through a router along its path.
2.   Local traffic PBR: traffic sourced from the router itself.

Transient traffic PBR

To understand how transient traffic is processed in both the incoming and outgoing directions, let's take a look at the order in which Cisco routers process packets.

Incoming Packet
1.   If IPSec then check input access list
2.   Decryption - for CET (Cisco Encryption Technology) or IPSec
3.   Check input access list
4.   Check input rate limits
5.   Input accounting
6.   Redirect to web cache
7.   Policy routing
8.   Routing
9.   NAT inside to outside (local to global translation)
10.  Crypto (check map and mark for encryption)
11.  Check output access list
12.  Inspect (Context-Based Access Control, CBAC)
13.  TCP intercept
14.  Encryption
15.  Queueing

Outgoing Packet
1.   If IPSec then check input access list
2.   Decryption - for CET or IPSec
3.   Check input access list
4.   Check input rate limits
5.   Input accounting
6.   Redirect to web cache
7.   NAT outside to inside (global to local translation)
8.   Policy routing
9.   Routing
10.  Crypto (check map and mark for encryption)
11.  Check output access list
12.  Inspect (CBAC)
13.  TCP intercept
14.  Encryption
15.  Queueing

As the lists above show, policy routing is evaluated before the routing lookup in both directions, so traffic matched by the policy bypasses the normal routing decision entirely.

From the topology shown below, let's look at a traceroute from R4's loopback to R1's loopback, noting that all routers below are using OSPF as their routing protocol without any special modifications.

R4#traceroute source numeric

Type escape sequence to abort.
Tracing the route to

  1 24 msec 28 msec 16 msec
  2 52 msec 44 msec 16 msec
  3 72 msec *  52 msec

The trace shows that for R4 to reach R1, R3 as the transient router chooses R2 to forward the packets to, since the link cost to R1 is 64 and to R2 is 1.

Now let's force transient traffic with the chosen source IP and destination IP to go to R1 directly instead of via R2.

First, let's create a named extended access-list to match our traffic:
R3(config)#ip access-list extended PBR
R3(config-ext-nacl)#permit ip host host

Now let's create a route-map that matches the access-list traffic and sets either a next-hop or an exit interface pointing directly at R1. Use one variant or the other; both use the same route-map name and sequence number.

This is how you set it for a next-hop IP:
route-map PBR permit 10
 match ip address PBR
 set ip next-hop

And this is for an exit interface:
route-map PBR permit 10
 match ip address PBR
 set interface Serial0/0

Now let's apply the route-map to the incoming interface on R3, which in our case is interface F1/0:
R3(config)#int f1/0
R3(config-if)#ip policy route-map PBR

As a final step, let's check interface F1/0:
R3#show ip int f1/0
FastEthernet1/0 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined:
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is enabled, using route map PBR
  Network address translation is disabled
  BGP Policy Mapping is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

R3#show ip policy
Interface      Route map
Fa1/0          PBR

Now for the final test, let's run the traceroute again from R4's loopback to R1's loopback:
R4#traceroute source numeric

Type escape sequence to abort.
Tracing the route to

  1 24 msec 28 msec 16 msec
  2 48 msec *  72 msec

Traffic from that source to that destination is now redirected to the less preferred path, which is Serial0/0 on R3.

Now let's try the same trace from another source, R4's interface F0/0:

R4#traceroute source

Type escape sequence to abort.
Tracing the route to

  1 32 msec 24 msec 16 msec
  2 48 msec 40 msec 20 msec
  3 68 msec

Since this source IP isn't matched by the access-list PBR, the traffic takes the normal routing path R3-R2-R1.

A valid question might arise at this point: what is the difference between an exit interface and a next-hop? In the network world there are various devices that perform functions other than routing and switching. Deep Packet Inspectors, or "DPIs", for example, don't necessarily need IP addresses for the transient traffic they sniff or inspect. So when you need to redirect IP traffic to devices like DPIs, there is no next-hop IP to forward the traffic to; this is where you set an exit interface instead of a next-hop. Another important note is that when you set an exit interface and that interface goes down, all matched traffic is dropped.

Local traffic PBR

Local traffic is the traffic generated by the router itself, for example Telnet, SSH, ICMP, etc.
Since this is the sole difference between local and transient traffic PBR, we don't need to elaborate much on it. Let's go directly to the configuration.

Let's say we want to telnet from R3 to R1 over the serial interface. The steps are exactly the same as earlier; the only difference is where we apply the route-map.

R3(config)#ip access-list extended PBR-LOCAL
R3(config-ext-nacl)#permit tcp any host eq telnet

R3(config)#route-map PBR-LOCAL permit 10
R3(config-route-map)#match ip address PBR-LOCAL
R3(config-route-map)#set ip next-hop

R3(config)#ip local policy route-map PBR-LOCAL

To verify our configuration:

R3#show ip policy
Interface      Route map
local          PBR-LOCAL

R3#show ip local policy
Local policy routing is enabled, using route map PBR-LOCAL
route-map PBR-LOCAL, permit, sequence 10
  Match clauses:
    ip address (access-lists): PBR-LOCAL
  Set clauses:
    ip next-hop
  Policy routing matches: 160 packets, 10240 bytes
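To tie the two halves of the post together, here is a small Python model of the forwarding decision described above, for both transient PBR (route-map applied to an ingress interface) and local PBR (route-map applied to router-generated traffic). It is an added example, not configuration or code from the original post: policy routing is consulted before the routing table, a matched flow goes to the route-map's next-hop or exit interface, an unmatched flow falls through to the normal longest-prefix-match route, and a matched flow whose exit interface is down is dropped, as the post notes. All addresses, prefixes and interface names below are constructed for the example (the post's lab addresses are not reproduced here), and one behaviour goes beyond the post and is an assumption of this model: a `set ip next-hop` whose next hop is unreachable falls back to normal routing instead of dropping.

```python
"""Model of IOS policy-based routing vs. normal routing (added example).

Addresses, routes and interface names are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                # "ip" (any IP protocol) or "tcp"
    dst_port: Optional[int] = None


@dataclass
class AclEntry:
    """One 'permit' line of an extended ACL (only permits are modelled)."""
    proto: str
    src: str                         # "4.4.4.4/32" for 'host', "0.0.0.0/0" for 'any'
    dst: str
    dst_port: Optional[int] = None   # 'eq telnet' -> 23

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass
class RouteMap:
    """'route-map X permit 10' with one match clause and one set clause."""
    acl: list
    next_hop: Optional[str] = None   # 'set ip next-hop'
    interface: Optional[str] = None  # 'set interface'


@dataclass
class Router:
    routes: list                     # (prefix, next_hop or None if connected, interface)
    if_up: dict                      # interface name -> bool
    policy: dict = field(default_factory=dict)    # ingress iface -> RouteMap ('ip policy route-map')
    local_policy: Optional[RouteMap] = None       # 'ip local policy route-map'

    def lookup(self, dst: str):
        """Normal routing: longest prefix match over the routing table."""
        best = None
        for prefix, nh, iface in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return best

    def route_normally(self, pkt: Packet):
        best = self.lookup(pkt.dst)
        if best is None or not self.if_up[best[2]]:
            return ("drop", "no route")
        return ("route", best[1], best[2])

    def forward(self, pkt: Packet, ingress: str):
        """ingress is the receiving interface, or 'local' for router-generated traffic.
        Policy routing runs before the routing lookup, as in the processing order above."""
        rmap = self.local_policy if ingress == "local" else self.policy.get(ingress)
        if rmap is None or not any(e.matches(pkt) for e in rmap.acl):
            return self.route_normally(pkt)
        if rmap.interface is not None:
            # 'set interface': matched traffic is dropped while the interface is down
            if not self.if_up[rmap.interface]:
                return ("drop", f"{rmap.interface} down")
            return ("pbr", None, rmap.interface)
        # 'set ip next-hop': resolve the next hop through its connected interface
        conn = self.lookup(rmap.next_hop)
        if conn is not None and conn[1] is None and self.if_up[conn[2]]:
            return ("pbr", rmap.next_hop, conn[2])
        # Assumption of this model: an unreachable next hop falls back to normal routing
        return self.route_normally(pkt)


def build_r3(serial_up: bool = True, use_interface: bool = False) -> Router:
    """Constructed R3: Fa1/0 faces R4, Fa0/0 faces R2, Serial0/0 faces R1."""
    r3 = Router(
        routes=[
            ("10.34.0.0/30", None, "FastEthernet1/0"),        # connected, toward R4
            ("10.23.0.0/30", None, "FastEthernet0/0"),        # connected, toward R2
            ("10.13.0.0/30", None, "Serial0/0"),              # connected, toward R1
            ("1.1.1.1/32", "10.23.0.2", "FastEthernet0/0"),   # OSPF best path to R1 lo via R2 (cost 1 < 64)
            ("4.4.4.4/32", "10.34.0.2", "FastEthernet1/0"),   # R4's loopback
        ],
        if_up={"FastEthernet1/0": True, "FastEthernet0/0": True, "Serial0/0": serial_up},
    )
    transient = RouteMap(acl=[AclEntry("ip", "4.4.4.4/32", "1.1.1.1/32")])  # ACL "PBR"
    if use_interface:
        transient.interface = "Serial0/0"                     # 'set interface Serial0/0'
    else:
        transient.next_hop = "10.13.0.1"                      # 'set ip next-hop' (R1 serial side)
    r3.policy["FastEthernet1/0"] = transient                  # 'ip policy route-map PBR'
    # ACL "PBR-LOCAL": permit tcp any host <R1 lo> eq telnet, applied with 'ip local policy'
    r3.local_policy = RouteMap(acl=[AclEntry("tcp", "0.0.0.0/0", "1.1.1.1/32", 23)],
                               next_hop="10.13.0.1")
    return r3


if __name__ == "__main__":
    r3 = build_r3()
    print("R4 lo -> R1 lo      :", r3.forward(Packet("4.4.4.4", "1.1.1.1"), "FastEthernet1/0"))
    print("R4 F0/0 -> R1 lo    :", r3.forward(Packet("10.34.0.2", "1.1.1.1"), "FastEthernet1/0"))
    print("local telnet -> R1  :", r3.forward(Packet("10.13.0.2", "1.1.1.1", "tcp", 23), "local"))
    print("serial down, set if :", build_r3(False, True).forward(Packet("4.4.4.4", "1.1.1.1"), "FastEthernet1/0"))
```

Running the block reproduces the post's two traces: the loopback-to-loopback flow is policy-routed out Serial0/0 while the F0/0-sourced flow follows the OSPF route toward R2, and the `set interface` variant with Serial0/0 down yields a drop rather than a fallback.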