Policy Routing on a Cisco Switch

Source: Internet
Author: User
Tags: cisco switch

Guided by cost saving and full use of existing equipment, the author arrived at the following solution: several ordinary office PCs retired from service were turned into software routers running MikroTik RouterOS; these share the egress load with the original firewall, and policy routing on the layer-3 core switch steers different traffic flows to different egress devices, so that the traffic is split. The installation and configuration of the software router (RouterOS) is not covered here; the article concentrates on the policy-routing configuration, the problem met while running it, and the resulting improvement. Policy definition in policy routing rests on an access control list (ACL), which makes it convenient and flexible enough to express different requirements. In the configuration shown, traffic arriving on the VLAN 201 interface that matches access-list 100 is forwarded to the software router whose intranet interface is 10.10.3.2, which achieves the split.
Key words: policy routing, traffic splitting, ACL, software routing

0. Introduction
Campus networks are the infrastructure of IT construction in colleges and universities and a necessary platform for modernising teaching management. As our school has developed and the number of network applications has grown, the original network has increasingly failed to meet requirements. Although the core layer-3 switch was subsequently upgraded, the firewall bought in the early phase has become the bottleneck of the campus network because of its limited performance.
Upgrading the egress device is certainly one way to remove this bottleneck, but a high-performance router or firewall is expensive and would still be a single point of failure, so it does not fully solve the problem. Guided instead by cost saving and full use of existing equipment, the author arrived at the following solution: several ordinary office PCs retired from service were turned into software routers running MikroTik RouterOS; these share the egress load with the original firewall, and policy routing on the layer-3 core switch steers different traffic flows to different egress devices, so that the traffic is split. The installation and configuration of the software router (RouterOS) is not covered here; the article concentrates on the policy-routing configuration and on the problem met and the optimisation made while running it.
1. Policy Routing Overview
Policy routing (policy-based routing, PBR) is a packet forwarding mechanism that is more flexible than routing based only on the destination network. A policy route takes precedence over the ordinary routing table: once a policy route is applied, the router decides how to handle the packets to be routed according to the policy specified by the user. After a policy route is applied to an interface, every packet received on that interface is checked against it; packets that do not match the policy are forwarded according to the ordinary routing table, while packets that match a user policy are forwarded to the next-hop address or egress interface that the policy specifies. The policy itself is defined with an access control list (ACL), which makes policy routing convenient and flexible enough to meet different needs. Three kinds of policy routing are common: based on IP address, based on packet size, and based on application.
2. Policy Routing for shunting
In the author's case, policy routing is applied on a Cisco WS-C3750G-24TS core switch so that the traffic of key office applications continues to go through the original firewall, while the traffic of the data center (IDC), the electronic reading room and similar VLANs goes through the software routers built from PCs, which achieves the split. Note that if this switch runs the IP Base IOS image it does not support policy routing and must be upgraded; in addition, before configuring policy routing you must enter sdm prefer routing in global configuration mode and then reload the switch so that the routing SDM template takes effect. Also, some route-map commands (for example set interface and set ip default next-hop) are not supported on this platform. The steps for IP-address-based policy routing, with explanations, are as follows:
C3750G(config)# access-list 100 permit ip 10.100.0.0 0.0.255.255 any
* First use an access control list to select the traffic to be redirected; here it is the IDC segment 10.100.0.0/16 (lines starting with "*" are the author's comments, the same below)
C3750G(config)# route-map toros permit 10
* Create the route map; "toros" is an arbitrary name and 10 is the sequence number of this entry
C3750G(config-route-map)# match ip address 100
* Match the traffic permitted by access list 100
C3750G(config-route-map)# set ip next-hop 10.10.3.2
* Set the policy action: forward matching traffic to next hop 10.10.3.2, the intranet interface address of the software router
C3750G(config-route-map)# exit
C3750G(config)# int vlan 201
* Enter interface configuration; VLAN 201 is the IDC VLAN
C3750G(config-if)# ip policy route-map toros
* Apply the route map to the interface (the policy acts on traffic entering this interface)
C3750G(config-if)# exit
In this way, traffic arriving on the VLAN 201 interface that matches access-list 100 is forwarded to the software router whose intranet interface is 10.10.3.2, and the traffic split is achieved.
3. Policy route configuration Improvement
After the configuration above, the traffic split was basically achieved. However, while controlling the data center's Internet access, the author found a problem: when Internet access for a data-center VLAN was disabled on the RouterOS software router, access from that VLAN to intranet resources suddenly became abnormal and slow. The intended behaviour is for the data center to reach intranet resources by layer-3 switching on the core switch, and to reach the Internet through the software router by way of the policy route.
Why does this happen? Analysis shows that the policy route sends all traffic from the data-center VLAN to the software router first, including traffic destined for intranet resources, which the software router then has to send back to the core switch. The traffic takes a detour, and as soon as that VLAN is blocked on the software router, the detoured intranet traffic evidently no longer gets through either. The fix is to keep traffic destined for intranet resources on the core switch, which is done in the ACL. Specifically, access-list 100 above is improved as follows:
access-list 100 deny ip 10.100.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 100 deny ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255
* The two lines above keep traffic from the server-room VLAN to internal resources (including traffic between IDC hosts) on the core switch, where it is layer-3 switched normally instead of being handed to the software router by the policy. In policy routing a "deny" entry does not drop the traffic; it only means the traffic is not policy-routed. Entry order matters: the ACL is evaluated top down and the first match wins, so the deny lines must come before the permit line. If there are other intranet CIDR blocks, add a corresponding deny entry for each of them.
* The line below is the original ACL entry
access-list 100 permit ip 10.100.0.0 0.0.255.255 any
With the ACL improved in this way, the IDC and electronic-reading-room VLANs can reach both the intranet and the Internet smoothly.
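To check the effect of the ACL change before it goes onto a switch, here is a small Python model of how IOS evaluates route map toros against access-list 100. It is an added example and not part of the original article or the author's configuration; the ACL lines and the next hop 10.10.3.2 are taken from the text, while the sample flows, the TEST-NET address 203.0.113.10 standing in for an Internet host, and the label used for traffic that is not policy-routed are constructed for the example. Only the plain "access-list <n> permit|deny ip <src> <dst>" form is modelled.

```python
"""Model of the Catalyst PBR decision: route map "toros" + access-list 100.

Added example, not the article's own code. Addresses and ACL lines come from
the article; the sample flows and the NORMAL label are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

NEXT_HOP = "10.10.3.2"      # intranet interface of the software router (from the article)
NORMAL = "normal routing"   # constructed label: packet is not policy-routed


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # source network, e.g. "10.100.0.0"
    src_wild: str    # Cisco wildcard mask, e.g. "0.0.255.255"
    dst: str         # destination network ("0.0.0.0" for any)
    dst_wild: str    # destination wildcard mask ("255.255.255.255" for any)


def _net_and_wild(tok: List[str]) -> Tuple[str, str, List[str]]:
    """Consume either 'any' or '<network> <wildcard>' and return the remainder."""
    if not tok:
        raise ValueError("address specification missing")
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if len(tok) < 2:
        raise ValueError("wildcard mask missing")
    return tok[0], tok[1], tok[2:]


def parse_acl_line(line: str) -> AclEntry:
    """Parse one numbered extended ACL line in the form used in the article,
    e.g. 'access-list 100 deny ip 10.100.0.0 0.0.255.255 10.10.0.0 0.0.255.255'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    if tok[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACL line: {line!r}")
    src, src_wild, rest = _net_and_wild(tok[4:])
    dst, dst_wild, rest = _net_and_wild(rest)
    if rest:  # ports, 'log', etc. are not modelled here
        raise ValueError(f"trailing tokens not modelled: {line!r}")
    return AclEntry(tok[2], src, src_wild, dst, dst_wild)


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """Top-down evaluation: first match wins, implicit deny at the end."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def pbr_next_hop(acl: List[AclEntry], src: str, dst: str) -> str:
    """Decision of 'route-map toros permit 10 / match ip address 100 / set ip next-hop'.

    In PBR an ACL deny (including the implicit one) does not drop the packet;
    the packet simply is not policy-routed and follows the normal routing table.
    """
    return NEXT_HOP if acl_lookup(acl, src, dst) == "permit" else NORMAL


# ACLs exactly as they appear in the article (original and improved).
ORIGINAL_ACL = [parse_acl_line("access-list 100 permit ip 10.100.0.0 0.0.255.255 any")]
IMPROVED_ACL = [parse_acl_line(line) for line in (
    "access-list 100 deny ip 10.100.0.0 0.0.255.255 10.10.0.0 0.0.255.255",
    "access-list 100 deny ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255",
    "access-list 100 permit ip 10.100.0.0 0.0.255.255 any",
)]

# Constructed sample flows as they would enter the VLAN 201 interface.
SAMPLE_FLOWS = [
    ("10.100.1.20", "203.0.113.10", "IDC host -> Internet"),
    ("10.100.1.20", "10.10.5.7", "IDC host -> intranet server"),
    ("10.100.1.20", "10.100.2.9", "IDC host -> another IDC host"),
    ("192.168.50.4", "203.0.113.10", "non-IDC source (not covered by the ACL)"),
]


def decisions(acl: List[AclEntry]) -> Dict[Tuple[str, str], str]:
    """Map each sample (src, dst) pair to where the route map sends it."""
    return {(s, d): pbr_next_hop(acl, s, d) for s, d, _ in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("improved", IMPROVED_ACL)):
        print(f"access-list 100 ({name}):")
        for s, d, what in SAMPLE_FLOWS:
            print(f"  {what:40s} {s:>13s} -> {d:<14s} : {pbr_next_hop(acl, s, d)}")
```

Running it shows the IDC-to-intranet and IDC-to-IDC flows going to 10.10.3.2 under the original ACL and staying on normal routing under the improved one, while Internet-bound traffic is redirected in both cases. The model only covers the ACL and route-map logic; the real switch additionally applies the route map solely to traffic entering VLAN 201, which the model does not represent.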
4. Conclusion
Policy routing was used to split the egress traffic, and the problem met during the implementation was solved. The author believes this approach is economical and practical; it has worked well for more than a year and also makes it easier to manage and control the data center's Internet access independently.
