Policy-based routing (I)

Source: Internet
Author: User
Tags: traceroute command


Currently, the main technologies used to control data flows are the access control list and policy-based routing.

The access control list controls data streams, while policy-based routing controls routes. Since there are many ways to implement policy-based routing, here we introduce the most flexible and widely applicable one, the Route Map.

The differences between the Route Map statement and the access control list are as follows:

1. Different application purposes

The access control list filters data packets based on conditions in the packets: it decides whether a packet is permitted or denied.

The purpose of the Route Map statement is to control the forwarding direction of a packet based on conditions in the packet: it decides the route by which the packet should be forwarded.

2. Flexible modification of the Route Map statement

Modifying an access control list is troublesome.

Because each Route Map statement has a sequence number, you can specify the sequence number of the statement to be modified directly, so modification is convenient and flexible.

3. Different handling of data packets that meet none of the conditions

If a packet does not meet the conditions of any statement in the access control list, the router discards the packet.

If a packet does not meet the conditions of any statement in the Route Map, the packet is forwarded according to the router's routing table.

Application: Policy Routing Based on the Source IP Address

Network Topology

Background and requirements

An enterprise's headquarters has two office buildings, namely A and B, and one data center. Many office data flows of the enterprise need to reach the servers in the data center, 192.168.1.1 and 192.168.1.2.

The two office buildings, A and B, are connected by two optical fiber lines, terminated by routers A and B respectively.

Because the office staff in Building A generate a lot of traffic to the two servers in the data center, the two servers need to transmit a large amount of data to Building A every day.

To prevent congestion caused by the traffic of both servers sharing the same line, the enterprise network administrator needs to configure a policy on router B so that the data sent from the two servers to Building A is pinned to separate lines, while the routing of all other traffic remains normal and unaffected.

Case Solution

On router B, we define a Route Map statement for policy routing based on the source IP address and apply it to the Ethernet interface of router B (the interface connected to the two servers and other hosts), so that data streams entering from that Ethernet interface are routed according to their source IP address: packets sent by server 192.168.1.1 leave through the S0 interface, while packets sent by server 192.168.1.2 leave through the S1 interface, thus sharing the load across the two lines.

Here we use two routers to build a simulated environment and test the Route Map statement to be applied.

Case Implementation: Configuration Steps and Example Configuration

1. Define the Route Map statement

First, define the Route Map statement, specifying the source IP address to match and the operation to perform on matching packets.

Router(config)# route-map map-name [permit | deny] [sequence-number]

Router(config-route-map)# match ip address {access-list-number | access-list-name}

Router(config-route-map)# set interface type number

In a policy routing statement based on the source IP address, the match condition can reference the source IP address of the packet directly. If there are multiple source IP addresses, you can predefine them in an access control list and then reference that access control list in the match sub-command of the Route Map statement.

2. Apply the Route Map Statement on the Interface

After the policy routing statement based on the source IP address is defined, the Route Map statement must be applied to the inbound interface of the data stream.

Router(config-if)# ip policy route-map map-name

Once this command is applied on the interface, every packet entering the router through this interface is compared against the route map to find the packets that require policy routing.

3. Applying source-IP-based policy routing to packets generated by the router itself

Normally, packets generated by the router itself are not subject to the policy routing statement. To have the router's own packets handled by policy routing as well, use the following command in global configuration mode:

Router(config)# ip local policy route-map map-name

The configuration used in this case is given below for your reference.

Router A is configured as follows:

interface Loopback1
 ip address 152.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 150.1.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 151.1.1.1 255.255.255.0
!
router rip
 version 2
 network 150.1.0.0
 network 151.1.0.0
 network 152.1.0.0
 no auto-summary
!

Router B is configured as follows:

interface Ethernet0/0
 ip address 150.1.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 151.1.1.2 255.255.255.0
!
interface Ethernet0/2
 ip address 192.168.1.2 255.255.255.0 secondary
 ip address 192.168.1.10 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map lable1
!
router rip
 version 2
 network 150.1.0.0
 network 151.1.0.0
 network 192.168.1.0
 no auto-summary
!
ip local policy route-map lable1
!
access-list 1 permit 192.168.1.1
access-list 2 permit 192.168.1.2
!
route-map lable1 permit 10
 match ip address 1
 set interface Ethernet0/0
!
route-map lable1 permit 20
 match ip address 2
 set interface Ethernet0/1

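To make the difference described in points 1 and 3 above concrete (an access list drops anything it does not permit, while a route map that matches nothing falls back to the routing table), here is an added Python model of how router B's access lists and route map lable1 are evaluated. This is not code from the original post; the evaluation order and wildcard-mask matching follow Cisco IOS semantics as understood by the editor, and the ACL and route-map tables are transcribed from the configuration above.

```python
import ipaddress

# Constructed model of router B's configuration from this page: standard ACLs as
# (action, address, wildcard-mask) entries, and route map "lable1" as
# (sequence, action, matched ACL, set interface) entries in sequence order.
ACLS = {
    1: [("permit", "192.168.1.1", "0.0.0.0")],
    2: [("permit", "192.168.1.2", "0.0.0.0")],
}
ROUTE_MAP_LABLE1 = [
    (10, "permit", 1, "Ethernet0/0"),
    (20, "permit", 2, "Ethernet0/1"),
]


def acl_matches(acl_number, src):
    """Standard ACL: the first matching entry decides; no match is an implicit deny.
    A wildcard bit of 1 means "don't care", so only the zero bits are compared."""
    src_int = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in ACLS[acl_number]:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src_int & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False


def acl_filter(src):
    """ACL 1 applied as a packet filter: anything not permitted is dropped."""
    return "permit" if acl_matches(1, src) else "drop"


def policy_route(src):
    """Route map: the first sequence whose match clause succeeds wins. A permit
    entry applies its set clause; a matched deny entry, or no match at all,
    means normal forwarding by the routing table, never a drop."""
    for seq, action, acl_number, iface in ROUTE_MAP_LABLE1:
        if acl_matches(acl_number, src):
            if action == "permit":
                return ("policy routed", seq, iface)
            break
    return ("normal forwarding", None, None)


if __name__ == "__main__":
    for src in ("192.168.1.1", "192.168.1.2", "192.168.1.10"):
        print(src, "ACL:", acl_filter(src), "PBR:", policy_route(src))
```

Running it shows 192.168.1.10 being dropped by the access list but forwarded normally by the route map, which is exactly the "policy rejected -- normal forwarding" case in the debug output later on this page.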

Monitoring the Policy Routing Status

Use the debug ip policy command on router B to monitor policy routing.

Method 1: use the extended traceroute command, specifying the source and target addresses, to test the path of packets from router B to router A (192.168.1.1 -> 152.1.1.1).

RB# traceroute ip
Target IP address: 152.1.1.1
Source address: 192.168.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Type escape sequence to abort.
Tracing the route to 152.1.1.1

  1 150.1.1.1 40 msec
*Mar  1 00:17:21.095: IP: s=192.168.1.1 (local), d=152.1.1.1, len 28, policy match
*Mar  1 00:17:21.099: IP: route map lable1, item 10, permit
*Mar  1 00:17:21.099: IP: s=192.168.1.1 (local), d=152.1.1.1 (Ethernet0/0), len 28, policy routed
*Mar  1 00:17:21.099: IP: local to Ethernet0/0 150.1.1.1
RB#

The output above shows that the packet passed through 150.1.1.1, that is, the packet sourced from 192.168.1.1 went out over the line on interface E0/0, so policy routing based on the source IP address has taken effect.

Next, use the extended traceroute command, specifying the source and target addresses, to test the path of packets from router B to router A (192.168.1.2 -> 152.1.1.1).

RB# traceroute ip
Target IP address: 152.1.1.1
Source address: 192.168.1.2
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Type escape sequence to abort.
Tracing the route to 152.1.1.1

  1 151.1.1.1 36 msec
*Mar  1 00:21:05.839: IP: s=192.168.1.2 (local), d=152.1.1.1, len 28, policy match
*Mar  1 00:21:05.843: IP: route map lable1, item 20, permit
*Mar  1 00:21:05.843: IP: s=192.168.1.2 (local), d=152.1.1.1 (Ethernet0/1), len 28, policy routed
*Mar  1 00:21:05.843: IP: local to Ethernet0/1 151.1.1.1
RB#

The output above shows that the packet passed through 151.1.1.1, that is, the packet sourced from 192.168.1.2 went out over the line on interface E0/1, so policy routing based on the source IP address has taken effect.

Finally, use the extended traceroute command, specifying the source and target addresses, to test the path of packets from router B to router A (192.168.1.10 -> 152.1.1.1).

RB# traceroute ip
Target IP address: 152.1.1.1
Source address: 192.168.1.10
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Type escape sequence to abort.
Tracing the route to 152.1.1.1

  1 150.1.1.1 68 msec
    151.1.1.1 40 msec
*Mar  1 00:23:31.367: IP: s=192.168.1.10 (local), d=152.1.1.1, len 28, policy rejected -- normal forwarding
RB#

The output above shows "policy rejected -- normal forwarding", which indicates that the packet does not meet any condition of the policy. The packet is forwarded according to the routing table; since RIP has two equal-cost paths to 152.1.1.1, the probes are spread over both lines.

Method 2: use the extended ping command, specifying the source and target addresses, to test the path of packets from router B to router A (192.168.1.1 -> 152.1.1.1).

RB# ping
Protocol [ip]:
Target IP address: 152.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/56 ms
RB#
*Mar  1 00:32:52.743: IP: s=192.168.1.1 (local), d=152.1.1.1, len 100, policy match
*Mar  1 00:32:52.743: IP: route map lable1, item 10, permit
*Mar  1 00:32:52.743: IP: s=192.168.1.1 (local), d=152.1.1.1 (Ethernet0/0), len 100, policy routed
*Mar  1 00:32:52.747: IP: local to Ethernet0/0 150.1.1.1
RB#

In the output above, "policy match" indicates that the packet meets the condition of a policy routing statement; "lable1, item 10" indicates that the packet matched the first statement (sequence 10) of route map lable1; "policy routed" indicates that the packet was sent according to the policy routing rule, and its path goes through 150.1.1.1.

Next, use the extended ping command, specifying the source and target addresses, to test the path of packets from router B to router A (192.168.1.2 -> 152.1.1.1).

RB# ping
Protocol [ip]:
Target IP address: 152.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/68/124 ms
RB#
*Mar  1 00:36:22.707: IP: s=192.168.1.2 (local), d=152.1.1.1, len 100, policy match
*Mar  1 00:36:22.707: IP: route map lable1, item 20, permit
*Mar  1 00:36:22.707: IP: s=192.168.1.2 (local), d=152.1.1.1 (Ethernet0/1), len 100, policy routed
*Mar  1 00:36:22.711: IP: local to Ethernet0/1 151.1.1.1
RB#

In the output above, "policy match" indicates that the packet meets the condition of a policy routing statement; "lable1, item 20" indicates that the packet matched the second statement (sequence 20) of route map lable1; "policy routed" indicates that the packet was sent according to the policy routing rule, and its path goes through 151.1.1.1.

Finally, use the extended ping command, specifying the source and target addresses, to test the path of packets from router B to router A (192.168.1.10 -> 152.1.1.1).

RB# ping
Protocol [ip]:
Target IP address: 152.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/88 ms
RB#
*Mar  1 00:38:21.719: IP: s=192.168.1.10 (local), d=152.1.1.1, len 100, policy rejected -- normal forwarding
RB#

In the output above, "policy rejected -- normal forwarding" indicates that the packet does not meet the condition of any policy routing statement. The packet is forwarded according to the routing table.
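As an added aid for the verification method above (not part of the original post), the following Python script parses debug ip policy output in the format shown on this page and checks each source address against the intended egress interface. The sample log lines are constructed from the page's own output, the timestamps are illustrative, and the regular expressions tolerate both "s=" and the spaced "s = " form.

```python
import re

# Constructed sample of "debug ip policy" output on router B, in the format this
# page shows; timestamps are illustrative and were not captured here.
SAMPLE_DEBUG = """\
*Mar  1 00:17:21.095: IP: s=192.168.1.1 (local), d=152.1.1.1, len 28, policy match
*Mar  1 00:17:21.099: IP: route map lable1, item 10, permit
*Mar  1 00:17:21.099: IP: s=192.168.1.1 (local), d=152.1.1.1 (Ethernet0/0), len 28, policy routed
*Mar  1 00:17:21.099: IP: local to Ethernet0/0 150.1.1.1
*Mar  1 00:21:05.839: IP: s=192.168.1.2 (local), d=152.1.1.1, len 28, policy match
*Mar  1 00:21:05.843: IP: route map lable1, item 20, permit
*Mar  1 00:21:05.843: IP: s=192.168.1.2 (local), d=152.1.1.1 (Ethernet0/1), len 28, policy routed
*Mar  1 00:21:05.843: IP: local to Ethernet0/1 151.1.1.1
*Mar  1 00:23:31.367: IP: s=192.168.1.10 (local), d=152.1.1.1, len 28, policy rejected -- normal forwarding
"""

# Intended egress per server, as required by the case on this page.
EXPECTED = {"192.168.1.1": "Ethernet0/0", "192.168.1.2": "Ethernet0/1"}

ITEM = re.compile(r"route map (\S+), item (\d+), (permit|deny)")
ROUTED = re.compile(r"IP: s\s*=\s*(\S+) .*?d\s*=\s*\S+ \((\S+)\), len ?\d+, policy routed")
REJECTED = re.compile(r"IP: s\s*=\s*(\S+) .*?policy rejected -- normal forwarding")

def parse_debug(text):
    """Map each source address to (egress interface, route-map item);
    a source that fell back to the routing table maps to (None, None)."""
    result, last_item = {}, None
    for line in text.splitlines():
        m = ITEM.search(line)
        if m:                      # "route map ..., item N" precedes the routed line
            last_item = int(m.group(2))
            continue
        m = ROUTED.search(line)
        if m:
            result[m.group(1)] = (m.group(2), last_item)
            last_item = None
            continue
        m = REJECTED.search(line)
        if m:
            result[m.group(1)] = (None, None)
    return result

def verify(text, expected):
    """Return {source: observed egress} for every source whose observed egress
    differs from the intended one (None means it was not policy routed)."""
    observed = parse_debug(text)
    return {src: observed.get(src, (None, None))[0]
            for src, iface in expected.items()
            if observed.get(src, (None, None))[0] != iface}
```

An empty result from verify() means every server's traffic left router B on the line the policy intended; any entry names a source whose policy did not take effect.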

From: Liu Wenbin 3313's BLOG
