Policy-based routing (Part 2)

Source: Internet
Author: User

 

Application-Based Policy Routing

Network Topology

Background and requirements

The company in this case is a high-tech enterprise that provides network system integration and maintenance for customers. It has two lines for Internet access, and all employees use these two lines to reach the Internet.

Normally, the staff responsible for customer network maintenance log on remotely to customers' networks through these two lines to maintain the customers' network equipment. As the business expanded, however, the company took on many new employees, and the customer network maintenance department began to complain that remote login to customer networks had become slow and that their normal maintenance work was being affected.

Case Analysis and Solution

Our analysis: as the number of employees grows, remote login for the customer service staff keeps getting slower. This is probably caused by the increase in Internet traffic, which takes up more and more of the bandwidth on the two lines.

Solution: define an application-based policy routing Route Map statement on the company's network egress router and apply it to the router's Ethernet interface. Application-based policy routing then steers the data streams entering through that interface, so that all web traffic passes through one line and the other line is left for remote login.

Before applying the Route Map statement to meet the needs of this case, we can use two routers to build a simulated environment and test the Route Map statement to be applied.

Case implementation: configuration steps and example configuration

1. Define the Route Map statement

First, define the Route Map statement to specify the application type of the data packet and the operation on the data packet.

Router(config)# route-map map-name [permit | deny] [sequence-number]
Router(config-route-map)# match {conditions}
Router(config-route-map)# set ip next-hop ip-address

In application-based policy routing statements, the match condition should reference a pre-defined access control list, which defines the application type.

2. Apply the Route Map Statement on the Interface

After the policy routing statement based on the source IP address is defined, the Route Map statement should be applied to the inbound interface of the data stream.

Router(config-if)# ip policy route-map map-name

After this command is applied on the interface, all data packets entering the router through this interface are compared against the route map to find the packets that require policy routing.

3. The data packets generated by the router are also managed based on the policy route of the source IP address.

Generally, data packets generated by the router itself are not controlled by the policy routing statement. To make the packets generated by the router itself subject to policy routing, use the following command in global configuration mode:

Router(config)# ip local policy route-map map-name

The configuration examples in this case are given below for your reference.

Router A is configured as follows:

enable secret 5 $1$McUN$G2SyweoQsFjZUrGNZu/tM1
!
username lwb secret 5 $1$ZHy5$r6M1V.2Ydq9Is5Bz979Wx0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 150.1.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 151.1.1.1 255.255.255.0
!
router rip
 version 2
 network 150.1.0.0
 network 151.1.0.0
 network 192.168.1.0
 no auto-summary
!
line vty 0 4
 login local

 

Router B is configured as follows:

interface Ethernet0/0
 ip address 150.1.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 151.1.1.2 255.255.255.0
!
interface Ethernet0/2
 ip address 152.1.1.1 255.255.255.0
 ! policy-route packets arriving on this interface
 ip policy route-map lable1
!
router rip
 version 2
 network 150.1.0.0
 network 151.1.0.0
 network 152.1.0.0
 no auto-summary
!
! policy-route packets generated by the router itself
ip local policy route-map lable1
!
! ACL 101 matches web traffic, ACL 102 matches telnet traffic
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
!
route-map lable1 permit 10
 match ip address 101
 ! either "set interface Ethernet0/0" or "set ip next-hop 150.1.1.1"
 set ip next-hop 150.1.1.1
!
route-map lable1 permit 20
 match ip address 102
 ! either "set interface Ethernet0/1" or "set ip next-hop 151.1.1.1"
 set ip next-hop 151.1.1.1

 

Monitoring the policy routing status

Use the debug ip policy command to monitor policy routing on router B.

Run the telnet 192.168.1.1 command on router B to log on remotely to 192.168.1.1. Router B then prints the monitoring output, in which you can observe the path the packets take.

RB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
*Mar  1 00:14:52.687: IP: s=150.1.1.2 (local), d=192.168.1.1, len 44, policy match
*Mar  1 00:14:52.687: IP: route map lable1, item 20, permit
*Mar  1 00:14:52.687: IP: s=150.1.1.2 (local), d=192.168.1.1 (Ethernet0/1), len 44, policy routed
*Mar  1 00:14:52.691: IP: local to Ethernet0/1 151.1.1.1

User Access Verification

Username:

 

The output above shows: "policy match" indicates that the data packet meets the condition of a policy routing statement; "lable1, item 20" indicates that the packet matches the condition of the second statement in route map lable1; and "policy routed" indicates that the packet is sent according to the policy routing rules, through interface E0/1.

 

Run the telnet 192.168.1.1 www command on router B to send packets whose destination port is the HTTP port. Router B then prints the monitoring output, in which you can observe the path the packets take.

RB#telnet 192.168.1.1 www
Trying 192.168.1.1, 80 ... Open
*Mar  1 00:21:24.931: IP: s=150.1.1.2 (local), d=192.168.1.1, len 44, policy match
*Mar  1 00:21:24.931: IP: route map lable1, item 10, permit
*Mar  1 00:21:24.935: IP: s=150.1.1.2 (local), d=192.168.1.1 (Ethernet0/0), len 44, policy routed
*Mar  1 00:21:24.935: IP: local to Ethernet0/0 150.1.1.1

 

The output above shows: "policy match" indicates that the data packet meets the condition of a policy routing statement; "lable1, item 10" indicates that the packet matches the condition of the statement with sequence number 10 in route map lable1; and "policy routed" indicates that the packet is sent according to the policy routing rules, so the packets accessing the web application are transmitted through interface E0/0.

Run the telnet 192.168.1.1 ftp command on router B to send packets whose destination port is the FTP port. Router B then prints the monitoring output, in which you can observe the path the packets take.

RB#telnet 192.168.1.1 ftp
Trying 192.168.1.1, 21 ...
% Connection refused by remote host
*Mar  1 00:25:43.135: IP: s=150.1.1.2 (local), d=192.168.1.1, len 44, policy rejected -- normal forwarding
RB#

 

The output above shows "policy rejected -- normal forwarding", which indicates that the data packet does not meet any condition of the policy routing statements. The packet is therefore forwarded according to the routes in the routing table.
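Reading this debug output by eye does not scale beyond a few test connections. The Python sketch below is an added example, not part of the original article: it folds debug ip policy lines in the format shown above into one record per packet and lists the packets that bypassed policy routing or left through an unexpected interface. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample, in the format of the debug ip policy output shown above.
SAMPLE = """\
*Mar  1 00:14:52.687: IP: s=150.1.1.2 (local), d=192.168.1.1, len 44, policy match
*Mar  1 00:14:52.687: IP: route map lable1, item 20, permit
*Mar  1 00:14:52.687: IP: s=150.1.1.2 (local), d=192.168.1.1 (Ethernet0/1), len 44, policy routed
*Mar  1 00:14:52.691: IP: local to Ethernet0/1 151.1.1.1
*Mar  1 00:21:24.931: IP: s=150.1.1.2 (local), d=192.168.1.1, len 44, policy match
*Mar  1 00:21:24.931: IP: route map lable1, item 10, permit
*Mar  1 00:21:24.935: IP: s=150.1.1.2 (local), d=192.168.1.1 (Ethernet0/0), len 44, policy routed
*Mar  1 00:21:24.935: IP: local to Ethernet0/0 150.1.1.1
*Mar  1 00:25:43.135: IP: s=150.1.1.2 (local), d=192.168.1.1, len 44, policy rejected -- normal forwarding
"""

PKT = re.compile(r"IP:\s*s\s*=\s*([\d.]+).*?d\s*=\s*([\d.]+)(?:\s*\(([^)]+)\))?,"
                 r"\s*len\s*\d+,\s*policy (match|routed|rejected)")
ITEM = re.compile(r"route map\s+(\S+?),\s*item\s+(\d+),\s*(permit|deny)", re.I)
HOP = re.compile(r"IP:\s*\S+ to (\S+) ([\d.]+)\s*$")

def _rec(src, dst, verdict):
    return {"src": src, "dst": dst, "map": None, "item": None,
            "egress": None, "next_hop": None, "verdict": verdict}

def parse(text):
    """Fold debug lines into one record per packet decision."""
    out, cur = [], None
    for line in text.splitlines():
        if m := PKT.search(line):
            src, dst, egress, verdict = m.groups()
            if verdict == "match":            # a route-map entry matched
                cur = _rec(src, dst, "matched")
                out.append(cur)
            elif verdict == "routed" and cur:  # egress chosen by the set clause
                cur.update(egress=egress, verdict="policy routed")
            elif verdict == "rejected":        # no entry matched: routing table used
                out.append(_rec(src, dst, "normal forwarding"))
                cur = None
        elif (m := ITEM.search(line)) and cur:
            cur.update(map=m.group(1), item=int(m.group(2)))
        elif (m := HOP.search(line)) and cur:
            cur["next_hop"] = m.group(2)
    return out

def deviations(records, expected):
    """Records that bypassed policy or left through an unexpected interface."""
    return [r for r in records
            if r["verdict"] != "policy routed" or expected.get(r["item"]) != r["egress"]]
```

Calling deviations(parse(SAMPLE), {10: "Ethernet0/0", 20: "Ethernet0/1"}) returns only the FTP attempt, which fell through to the routing table.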

Summary: I have introduced the principle of policy-based routing. There are many ways to implement policy-based routing; here we focus only on the most flexible and widely used one, the Route Map. I also explained how Route Map works and how it differs from the access control list, and gave the basic command format of Route Map. The three cases are provided for your reference only; when you encounter problems, you can apply them flexibly.

From: Liu Wenbin 3313 BLOG
