Introduction to Policy-based Routing (PBR)

Source: Internet
Author: User

Policy-based routing (PBR) is a flexible packet routing and forwarding mechanism. When a policy route is applied on a router, the router decides how received packets are handled according to a route map (ROUTE-MAP); the route map determines the next-hop router for a packet.

To apply policy routing on a router, you first create a route map (ROUTE-MAP) and then specify that route map as the one used for policy routing. A route map consists of a number of entries, each of which defines one or more match rules and the corresponding actions. When a policy route is applied to an interface, every packet received on that interface is checked: packets that do not match any entry in the route map are forwarded according to the normal routing table, and packets that match an entry are handled according to the actions defined in that entry.

Policy routing is mainly used where the enterprise routing table is complex or where fine-grained routing control is required, especially when the enterprise network has two exits and different services, applications or clients need to be routed differently; enterprises that run two or more networks internally also frequently use routing policies. Besides steering traffic around an unhealthy route, policy routing can also be used to defend against virus or hacker attacks: a conditional statement matches the signature of the virus or attack, and a security policy such as a black-hole route is then applied to block it.

Black-hole routing is a supplement to the dynamic routing protocol. It forwards unwanted traffic to an interface called Null0: we can set up one or more static routes so that traffic exactly matching those routes is discarded. Unlike ACLs, all Cisco IOS switching paths, including CEF, handle black-hole routing without reducing performance. Note that PBR does not apply to traffic originated by the PBR router itself or to traffic addressed to the router.

PBR (policy-based routing): worked example

Below we use a test to show how policy routing can block traffic. The router's e0/0 port is the gateway of the internal network, with address 200.1.1.1. The internal network contains a WWW server at 200.1.1.100 and, in the same network segment, an ordinary user PC at 200.1.1.10. On the external network there is a remote user with IP address 199.1.1.100. The requirement is that the remote user may access the WWW server but may not access the internal user's PC; we use PBR to implement this.

Configure the addresses on the router and test connectivity with 200.1.1.100, 200.1.1.10 and 199.1.1.100. Then configure a route map (ROUTE-MAP) that matches the traffic from the remote user to the internal user and sends it to the Null0 interface, and configure the Null0 interface not to return ICMP unreachable messages. Other traffic that does not match the route map is forwarded normally.

The initial configuration of the router is as follows:

Router(config)#interface ethernet0/0
Router(config-if)#ip address 200.1.1.1 255.255.255.0
Router(config-if)#exit
Router(config)#interface ethernet0/1
Router(config-if)#ip address 199.1.1.1 255.255.255.0
Router(config-if)#exit

Test connectivity:

Router#ping 200.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Router#ping 200.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Router#ping 199.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 199.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Configure an ACL that matches the sensitive traffic (ACL 100 is the list the route map refers to below):

Router(config)#access-list 100 permit ip host 199.1.1.100 host 200.1.1.10

Configure the Null0 interface so that it does not send ICMP unreachables for the packets it discards:

Router(config)#interface null 0
Router(config-if)#no ip unreachables
Router(config-if)#exit

Create the route map:

Router(config)#route-map PBR
Router(config-route-map)#match ip address 100
Router(config-route-map)#set interface null 0
Router(config-route-map)#exit

Enable NetFlow on the e0/1 interface of the border router so that we can view the results, and apply PBR to the interface:

Router(config)#interface ethernet0/1
Router(config-if)#ip route-cache flow
Router(config-if)#ip policy route-map PBR
Router(config-if)#exit
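To make the forwarding decision of the configuration above concrete, here is an added Python model (not code from the original page or from Cisco) of extended-ACL matching and route-map evaluation as used by PBR; the function and variable names are this example's own, and the ACL/route-map contents are taken from the example configuration.

```python
from ipaddress import IPv4Address, IPv4Network

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST'; SRC and DST are
    'host A', 'any' or 'A WILDCARD' (contiguous wildcard masks only)."""
    tok = line.split()
    num, action, proto, rest, nets = int(tok[1]), tok[2], tok[3], tok[4:], []
    while rest and len(nets) < 2:
        if rest[0] == "host":
            nets.append(IPv4Network(rest[1] + "/32"))
            rest = rest[2:]
        elif rest[0] == "any":
            nets.append(IPv4Network("0.0.0.0/0"))
            rest = rest[1:]
        else:  # address + wildcard mask, e.g. 0.0.0.255 -> /24
            prefix = 32 - int(IPv4Address(rest[1])).bit_length()
            nets.append(IPv4Network((rest[0], prefix), strict=False))
            rest = rest[2:]
    return num, (action, proto, nets[0], nets[1])

def acl_permits(acl, pkt):
    """Extended ACL: first matching ACE wins, implicit deny at the end.
    pkt is (src, dst, proto); protocol 'ip' in an ACE matches any protocol."""
    src, dst, proto = IPv4Address(pkt[0]), IPv4Address(pkt[1]), pkt[2]
    for action, p, snet, dnet in acl:
        if p in ("ip", proto) and src in snet and dst in dnet:
            return action == "permit"
    return False

def pbr_egress(route_map, acls, pkt):
    """route_map: ordered (permit|deny, acl_number, set_interface) entries. A
    permit entry whose ACL matches applies its set clause; a deny entry, or
    no matching entry at all, leaves the packet to the normal routing table."""
    for action, acl_num, iface in route_map:
        if acl_permits(acls[acl_num], pkt):
            return iface if action == "permit" else "routing-table"
    return "routing-table"

# The ACL and route map from the worked example above.
num, ace = parse_ace("access-list 100 permit ip host 199.1.1.100 host 200.1.1.10")
ACLS = {num: [ace]}
ROUTE_MAP_PBR = [("permit", 100, "Null0")]

def classify(src, dst, proto="icmp", ip_unreachables=False):
    """(egress, icmp_reply) for a packet arriving on the PBR interface; with
    'no ip unreachables' on Null0, as in the example, the drop is silent."""
    egress = pbr_egress(ROUTE_MAP_PBR, ACLS, (src, dst, proto))
    if egress == "Null0":
        return egress, "unreachable" if ip_unreachables else "silent-drop"
    return egress, "none"
```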

Test connectivity from the remote host to the devices on the intranet:

C:\>ping 200.1.1.100

Pinging 200.1.1.100 with 32 bytes of data:

Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
Reply from 200.1.1.100: bytes=32 time<1ms TTL=128

Ping statistics for 200.1.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping 200.1.1.10

Pinging 200.1.1.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 200.1.1.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

You will find that the remote user on the external network can no longer ping the internal user's PC, but can still ping the WWW server. Now view the status on the border router:

Router#show access-lists
Extended IP access list 100
    permit ip host 199.1.1.100 host 200.1.1.10 (18 matches)

Router#show ip cache flow
IP packet size distribution (total packets):
    [packet size distribution omitted]

IP Flow Switching Cache, 278544 bytes
  1 active, 4095 inactive, 3 added
  ager polls, 0 flow alloc failures
  Active flows timeout in minutes
  Inactive flows timeout in seconds
last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                 2      0.0         5   100      0.0       4.0      15.3
Total:               2      0.0         5   100      0.0       4.0      15.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/1         199.1.1.100     Null          200.1.1.10      01 0000 0800    18

From this output we can see that 18 packets matched the ACL and were policy-routed to the Null0 interface and discarded.
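The flow record above is how an operator verifies that the black hole is working. As an added example (not from the original page), the following Python parses the flow-record section of `show ip cache flow` and reports the flows PBR sent to Null0; the sample output is constructed (the first record mirrors the one above, the other two are invented), and the function names are this example's own. It relies on NetFlow encoding ICMP type and code in the DstP field (type*256 + code), which is why the ICMP echo request above shows DstP 0800.

```python
import re

# Constructed sample of the flow-record section of 'show ip cache flow';
# the first record mirrors the one shown above, the others are invented.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/1         199.1.1.100     Null          200.1.1.10      01 0000 0800    18
Et0/1         199.1.1.100     Et0/0         200.1.1.100     01 0000 0800     8
Et0/1         199.1.1.100     Null          200.1.1.10      06 C3F1 0050     3
"""

FLOW_RE = re.compile(
    r"^(?P<sif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_flows(text):
    """Parse flow records; header and summary lines simply do not match.
    Protocol and ports are hex; for ICMP, DstP carries type*256 + code."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto = int(m["pr"], 16)
        f = {"src_if": m["sif"], "src": m["src"], "dst_if": m["dif"],
             "dst": m["dst"], "proto": PROTO.get(proto, str(proto)),
             "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),
             "pkts": int(m["pkts"])}
        if proto == 1:
            f["icmp_type"], f["icmp_code"] = f["dport"] >> 8, f["dport"] & 0xFF
        flows.append(f)
    return flows

def blackholed(flows):
    """Flows whose destination interface is Null: PBR discarded these packets."""
    return [f for f in flows if f["dst_if"].lower().startswith("null")]

def dropped_by_source(flows):
    """Black-holed packets per source address; a large count for one source
    shows a sender that keeps hitting the policy."""
    totals = {}
    for f in blackholed(flows):
        totals[f["src"]] = totals.get(f["src"], 0) + f["pkts"]
    return totals
```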

That concludes this introduction to PBR; I hope it has been helpful.
