Policy-based routing (medium)

Source: Internet
Author: User

 

Application Policy Routing Based on Message Size

Network Topology

Background and requirements

An enterprise headquarters has two office buildings, Block A and Block B. The two buildings are connected by two optical fibers, each terminated on the router of Block A at one end and the router of Block B at the other.

Employees in the two buildings mainly use the OA (office automation) system to coordinate work, exchange information and data, and process workflow items.

Employees in both buildings often report that when they send messages to the other building through the OA system, transfer is sometimes fast and sometimes slow, and the slowdown follows no obvious pattern. The slowdown does not occur when data is transferred within the same building.

We observed the enterprise's traffic volume and the types of data streams for a period of time. The OA system mainly sends two kinds of packets: packets smaller than 100 bytes, which account for about 45% of the packets on the network, and packets between 100 and 1000 bytes, which account for about 50%. Other packet sizes are rare.

The enterprise has a firewall with anti-virus functions at the internal network exit and anti-virus software on every terminal; the virus signatures of both are kept up to date.

The enterprise asked us to formulate a policy, based on these observations of traffic volume and type, that alleviates or solves the slow transmission between Block A and Block B.

Case Analysis and Solution

Our analysis: a virus is unlikely to be the cause. The slowdown only affects transmission between Block A and Block B, transmission within a building is unaffected, and the slowdown follows no pattern; none of this matches the characteristics of a virus outbreak, and both the gateway and the terminals have up-to-date anti-virus protection. The more likely cause is that traffic between the two buildings occasionally piles onto one of the two lines, for example because the routers load-balance per flow (per destination) rather than per packet, so a few large flows can saturate one fiber while the other sits idle.

The traffic analysis shows that each of the two packet types accounts for roughly half of the enterprise's traffic. We can therefore configure a policy on the router so that the two packet types are sent over different lines and share the load.

We define a route map on router B that matches on packet length and apply it to router B's Ethernet interface, so that streams entering that interface are policy-routed by packet size: packets smaller than 100 bytes leave through the S0 interface and packets larger than 100 bytes leave through the S1 interface. In this way the two lines share the load.

Here we use two routers to build a simulated environment and test the route-map statements to be applied (in the simulation the two inter-building lines are Ethernet0/0 and Ethernet0/1 rather than serial interfaces).

Case implementation: configuration steps and example configuration

1. Define the route map

First, define the route map that specifies the packet size to match and the action to take on matching packets.

Router(config)# route-map map-name [permit | deny] [sequence-number]

Router(config-route-map)# match length minimum-length maximum-length

Router(config-route-map)# set ip next-hop ip-address

(set interface interface-type interface-number can be used instead of set ip next-hop.)

In a length-based policy-routing statement, the packet size range goes in the match length condition (both bounds are in bytes, inclusive, and are tested against the Layer 3 length of the packet) and the address of the next hop goes in the set ip next-hop action. Clauses are evaluated in sequence-number order and the first match wins. Packets whose length falls outside every range in the route map are not policy routed; they are forwarded according to the routing table.

2. Apply the route map on the interface

After the length-based policy-routing statement is defined, the route map must be applied to the inbound interface of the data stream.

Router(config-if)# ip policy route-map map-name

Once this command is applied on an interface, every packet entering the router through that interface is compared against the route map to find the packets that require policy routing.

3. Make packets generated by the router itself subject to the length-based policy

By default, packets generated by the router itself are not subject to the policy route map. To have locally generated packets policy-routed as well, use the following command in global configuration mode:

Router(config)# ip local policy route-map map-name

The configuration used in this case is given below for reference. The key configuration steps are the ip policy route-map, ip local policy route-map and route-map commands.

Router A is configured as follows:

interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 150.1.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 151.1.1.1 255.255.255.0
!
router rip
 version 2
 network 150.1.0.0
 network 151.1.0.0
 network 192.168.1.0
 no auto-summary

 

Router B is configured as follows:

interface Ethernet0/0
 ip address 150.1.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 151.1.1.2 255.255.255.0
!
interface Ethernet0/2
 ip address 152.1.1.1 255.255.255.0
 ip policy route-map lable1
!
router rip
 version 2
 network 150.1.0.0
 network 151.1.0.0
 network 152.1.0.0
 no auto-summary
!
ip local policy route-map lable1
!
route-map lable1 permit 1
 match length 64 100
 set ip next-hop 150.1.1.1
 ! alternatively: set interface Ethernet0/0
!
route-map lable1 permit 2
 match length 101 1000
 set ip next-hop 151.1.1.1
 ! alternatively: set interface Ethernet0/1
!
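To make the evaluation order concrete, here is an added example (not code from the original post) that models the route-map logic described in the three steps above in Python: ordered clauses, first match wins, match length tested against the IP total length, set ip next-hop or set interface as the action, ip policy on an ingress interface versus ip local policy for locally generated packets, and fall-through to the routing table when nothing matches. It is loaded with router B's configuration from above; the 40-byte packet and the ingress interfaces fed to it are assumptions for illustration, and the Ethernet0/0 ingress case is there to show a link with no ip policy applied.

```python
"""Model of how Cisco IOS evaluates a length-based route map.

Added example, not code from the original page. Router, interface and
address names are the ones in the lab configuration above; the packet
lengths and ingress interfaces fed in below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Sequence:
    """One `route-map NAME permit|deny SEQ` clause carrying `match length MIN MAX`."""
    seq: int
    action: str                       # "permit" or "deny"
    min_len: int                      # inclusive bounds on the IP total length (bytes)
    max_len: int
    next_hop: Optional[str] = None    # set ip next-hop ADDRESS
    interface: Optional[str] = None   # set interface NAME


@dataclass
class RouteMap:
    name: str
    sequences: list = field(default_factory=list)

    def evaluate(self, ip_len: int) -> Optional[Sequence]:
        """Walk clauses in sequence order; the first whose range contains
        ip_len wins. None means no clause matched."""
        for s in sorted(self.sequences, key=lambda c: c.seq):
            if s.min_len <= ip_len <= s.max_len:
                return s
        return None


@dataclass
class Router:
    name: str
    route_maps: dict                    # route-map name -> RouteMap
    interface_policy: dict              # ingress interface -> map name (ip policy route-map)
    local_policy: Optional[str] = None  # ip local policy route-map

    def forward(self, ip_len: int, ingress: Optional[str] = None):
        """Return (outcome, exit, seq) for a packet of the given Layer 3 length.

        ingress=None means the packet was generated by the router itself.
        outcome is one of:
          "policy routed"    exit is the next hop or interface set by clause seq
          "policy rejected"  no clause matched: normal forwarding via the routing table
          "deny"             a deny clause matched: normal forwarding
          "no policy"        no route map is applied where the packet entered
        """
        map_name = self.local_policy if ingress is None else self.interface_policy.get(ingress)
        if map_name is None:
            return ("no policy", None, None)
        clause = self.route_maps[map_name].evaluate(ip_len)
        if clause is None:
            return ("policy rejected", None, None)
        if clause.action == "deny":
            return ("deny", None, clause.seq)
        return ("policy routed", clause.next_hop or clause.interface, clause.seq)


def uncovered_lengths(rm: RouteMap, lo: int = 20, hi: int = 1500):
    """Contiguous ranges of IP lengths in [lo, hi] that no clause of rm matches.

    20 is the smallest IPv4 header, 1500 the Ethernet MTU. Packets in these
    ranges are forwarded by the routing table, not by the policy."""
    gaps, start = [], None
    for n in range(lo, hi + 1):
        if rm.evaluate(n) is None:
            start = n if start is None else start
        elif start is not None:
            gaps.append((start, n - 1))
            start = None
    if start is not None:
        gaps.append((start, hi))
    return gaps


# Router B exactly as configured in the lab above.
LABLE1 = RouteMap("lable1", [
    Sequence(1, "permit", 64, 100, next_hop="150.1.1.1"),
    Sequence(2, "permit", 101, 1000, next_hop="151.1.1.1"),
])
RB = Router("RB", {"lable1": LABLE1}, {"Ethernet0/2": "lable1"}, local_policy="lable1")


def decide(ip_len: int, ingress: Optional[str] = None):
    """How router B handles a packet of this length (ingress None = locally generated)."""
    return RB.forward(ip_len, ingress)


if __name__ == "__main__":
    # The three ping sizes from the text, plus two cases the text does not test.
    for length, ingress in [(80, None), (800, None), (1200, None),
                            (40, "Ethernet0/2"),    # e.g. a bare TCP ACK, below the 64-byte floor
                            (80, "Ethernet0/0")]:   # arrives on a link with no ip policy
        print(length, ingress or "local", decide(length, ingress))
    print("lengths lable1 never matches:", uncovered_lengths(LABLE1))
```

Running it prints how router B treats the three ping sizes from the text and two cases the text does not exercise: a 40-byte packet (for example a bare TCP ACK) entering Ethernet0/2 falls through to normal forwarding because the first clause starts at 64 bytes, and uncovered_lengths lists the ranges 20 to 63 and 1001 to 1500 that no clause covers. If the design intends all OA traffic to be policy-routed, the first clause should start low enough to catch those short packets.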

 

Monitor the policy routing status

Use the debug ip policy command on router B to monitor policy routing.

Use an extended ping that specifies the source and destination addresses and a datagram size of 80 bytes, and observe which way the packets go.

RB#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]: 80
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 152.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 80-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 152.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/39/92 ms
RB#
*Mar  1 00:11:12.179: IP: s=152.1.1.1 (local), d=192.168.1.1, len 80, policy match
*Mar  1 00:11:12.179: IP: route map lable1, item 1, permit
*Mar  1 00:11:12.179: IP: s=152.1.1.1 (local), d=192.168.1.1 (Ethernet0/0), len 80, policy routed
*Mar  1 00:11:12.183: IP: local to Ethernet0/0 150.1.1.1
RB#

 

The output above shows: "policy match" means the packet satisfied the condition of a policy-routing statement; "lable1, item 1" means it matched the first statement of route map lable1; "policy routed" means the packet was forwarded according to the policy-routing rule, through next hop 150.1.1.1.

Next, use an extended ping with the same source and destination addresses and a datagram size of 800 bytes, and observe which way the packets go.

RB#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]: 800
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 152.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 800-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 152.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/28/80 ms
RB#
*Mar  1 00:16:28.651: IP: s=152.1.1.1 (local), d=192.168.1.1, len 800, policy match
*Mar  1 00:16:28.651: IP: route map lable1, item 2, permit
*Mar  1 00:16:28.651: IP: s=152.1.1.1 (local), d=192.168.1.1 (Ethernet0/1), len 800, policy routed
*Mar  1 00:16:28.655: IP: local to Ethernet0/1 151.1.1.1
RB#

 

The output above shows: "policy match" means the packet satisfied the condition of a policy-routing statement; "lable1, item 2" means it matched the second statement of route map lable1; "policy routed" means the packet was forwarded according to the policy-routing rule, through next hop 151.1.1.1.

Finally, use an extended ping with the same source and destination addresses and a datagram size of 1200 bytes, and observe which way the packets go.

RB#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]: 1200
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 152.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 1200-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 152.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/27/60 ms
RB#
*Mar  1 00:19:31.579: IP: s=152.1.1.1 (local), d=192.168.1.1, len 1200, policy rejected -- normal forwarding
*Mar  1 00:19:31.607: IP: s=152.1.1.1 (local), d=192.168.1.1, len 1200, policy rejected -- normal forwarding
*Mar  1 00:19:31.667: IP: s=152.1.1.1 (local), d=192.168.1.1, len 1200, policy rejected -- normal forwarding
*Mar  1 00:19:31.687: IP: s=152.1.1.1 (local), d=192.168.1.1, len 1200, policy rejected -- normal forwarding
*Mar  1 00:19:31.699: IP: s=152.1.1.1 (local), d=192.168.1.1, len 1200, policy rejected -- normal forwarding
RB#

The output above shows: "policy rejected -- normal forwarding" means the packet did not satisfy any policy-routing statement (1200 bytes is above the 1000-byte upper bound of the second statement), so it is forwarded according to the routing table. The same fall-through applies to packets shorter than 64 bytes, the lower bound of the first statement.
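The debug output above is easy to read for five pings, but on a production link it is worth parsing and checking mechanically: a packet whose length is inside a configured range yet shows "policy rejected" means the policy is not doing what the design says (for example the route map was never applied on that ingress interface). Here is an added example, not from the original post, that parses the debug ip policy line shapes shown above into one record per packet, tallies which exit each packet took, and flags packets whose observed exit differs from the design. The sample lines are the 80-, 800- and 1200-byte results from the text plus two constructed lines (a 40-byte packet and a 90-byte packet arriving on Ethernet0/2) that are not in the original output.

```python
"""Parse `debug ip policy` output and check it against the intended design.

Added example, not from the original page. The IOS line shapes assumed are
the ones shown in the text; the timestamp prefix is ignored.
"""
import re
from collections import Counter

# "IP: s=SRC (INGRESS), d=DST[ (EGRESS)], len N, EVENT"
_PKT = re.compile(
    r"IP: s\s*=\s*(?P<src>[\d.]+) \((?P<ingress>[^)]+)\), d\s*=\s*(?P<dst>[\d.]+)"
    r"(?: \((?P<egress>[^)]+)\))?, len\s*(?P<len>\d+), "
    r"(?P<event>policy match|policy routed|policy rejected -- normal forwarding)"
)
# "IP: route map NAME, item N, permit|deny"
_ITEM = re.compile(r"IP: route map (?P<map>\S+), item (?P<item>\d+), (?P<action>permit|deny)")
# "IP: INGRESS to EGRESS NEXTHOP"
_NH = re.compile(r"IP: (?P<ingress>\S+) to (?P<egress>\S+) (?P<nh>[\d.]+)$")


def _new_record(m, outcome):
    return {"src": m["src"], "dst": m["dst"], "len": int(m["len"]), "ingress": m["ingress"],
            "outcome": outcome, "map": None, "item": None, "egress": None, "next_hop": None}


def parse_policy_debug(lines):
    """Group the one to four debug lines IOS emits per packet into one record each."""
    records, cur = [], None
    for line in lines:
        i = line.find("IP: ")
        if i < 0:
            continue
        body = line[i:].strip()
        m = _PKT.match(body)
        if m:
            if m["event"] == "policy match":          # first line of a policy-routed packet
                cur = _new_record(m, "policy match")
                records.append(cur)
            elif m["event"] == "policy routed":       # third line: egress interface
                if cur is not None:
                    cur["outcome"], cur["egress"] = "policy routed", m["egress"]
            else:                                     # rejected: a single line, nothing follows
                records.append(_new_record(m, "normal forwarding"))
                cur = None
            continue
        m = _ITEM.match(body)
        if m and cur is not None:                     # second line: which clause matched
            cur["map"], cur["item"], cur["action"] = m["map"], int(m["item"]), m["action"]
            continue
        m = _NH.match(body)
        if m and cur is not None:                     # fourth line: next hop, closes the record
            cur["next_hop"] = m["nh"]
            cur = None
    return records


def observed_exit(r):
    """Next hop (or interface) for policy-routed packets, 'normal forwarding' otherwise."""
    return (r["next_hop"] or r["egress"]) if r["outcome"] == "policy routed" else "normal forwarding"


def exit_counts(records):
    """How many packets left through each exit; shows whether the split is balanced."""
    return Counter(observed_exit(r) for r in records)


def expected_exit(ip_len, design):
    """design maps (min_len, max_len) -> next hop, mirroring the route map's clauses."""
    for (lo, hi), nh in design.items():
        if lo <= ip_len <= hi:
            return nh
    return "normal forwarding"


def check_against_design(records, design):
    """Records whose observed exit differs from what the design says for their
    length: the packets a reviewer of this debug output has to explain."""
    return [r for r in records if observed_exit(r) != expected_exit(r["len"], design)]


DESIGN = {(64, 100): "150.1.1.1", (101, 1000): "151.1.1.1"}   # route-map lable1 from the text

SAMPLE_LINES = [   # first 13 lines: the debug output shown in the text; last two: constructed
    "*Mar  1 00:11:12.179: IP: s=152.1.1.1 (local), d=192.168.1.1, len 80, policy match",
    "*Mar  1 00:11:12.179: IP: route map lable1, item 1, permit",
    "*Mar  1 00:11:12.179: IP: s=152.1.1.1 (local), d=192.168.1.1 (Ethernet0/0), len 80, policy routed",
    "*Mar  1 00:11:12.183: IP: local to Ethernet0/0 150.1.1.1",
    "*Mar  1 00:16:28.651: IP: s=152.1.1.1 (local), d=192.168.1.1, len 800, policy match",
    "*Mar  1 00:16:28.651: IP: route map lable1, item 2, permit",
    "*Mar  1 00:16:28.651: IP: s=152.1.1.1 (local), d=192.168.1.1 (Ethernet0/1), len 800, policy routed",
    "*Mar  1 00:16:28.655: IP: local to Ethernet0/1 151.1.1.1",
] + [f"*Mar  1 00:19:31.{ms}: IP: s=152.1.1.1 (local), d=192.168.1.1, len 1200, policy rejected -- normal forwarding"
     for ms in ("579", "607", "667", "687", "699")] + [
    # constructed: a 40-byte packet (below the 64-byte floor) and a 90-byte packet that should have matched item 1
    "*Mar  1 00:20:02.100: IP: s=152.1.1.10 (Ethernet0/2), d=192.168.1.1, len 40, policy rejected -- normal forwarding",
    "*Mar  1 00:20:02.200: IP: s=152.1.1.10 (Ethernet0/2), d=192.168.1.1, len 90, policy rejected -- normal forwarding",
]

if __name__ == "__main__":
    recs = parse_policy_debug(SAMPLE_LINES)
    print("packets per exit:", dict(exit_counts(recs)))
    for r in check_against_design(recs, DESIGN):
        print("MISMATCH:", r["len"], "bytes from", r["src"], "via", r["ingress"], "->", observed_exit(r))
```

On the sample the tally is one packet via 150.1.1.1, one via 151.1.1.1 and seven normally forwarded; the only mismatch flagged is the constructed 90-byte packet, because 90 bytes falls inside the first clause's range and should have been policy routed. The 40-byte and 1200-byte packets are not flagged: the design itself leaves them to the routing table. Keep in mind that debug ip policy logs every policy decision and is itself a load on the router; on a busy link, capture a short window rather than leaving it enabled.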

 

From: Liu Wenbin 3313's BLOG
