Policy Routing

This section demonstrates how policy routing can be used to direct the traffic based on the source IP address rather than the destination IP address. Figure 12-12 shows a router, RTA, that is running BGP with two providers, AS1 and AS2. Internal routers such as RTG and RTF are running IGP only (OSPF) and are following a default route toward RTA.

Figure 12-12. Policy Routing Scenario


RTA wants to set policy routing in such a way that traffic coming over the serial line S1 from RTG is directed toward AS2 if the source is network 172.16.10.0/24. Traffic coming from RTG with source 172.16.112.0/24 is to be directed toward AS1; in case of a link failure to AS1, the traffic will go to AS2. For all other source IP addresses, follow normal routing.

Example 12-63 shows the configuration for RTA to satisfy the criteria of this policy routing setup.

Example 12-63. Policy Routing: RTA Configuration
interface Ethernet0
 ip address 172.16.80.1 255.255.255.0

interface Serial1
 ip address 172.16.70.1 255.255.255.0
 ip policy route-map CHECK_SOURCE

router ospf 10
 passive-interface Serial0
 passive-interface Ethernet0
 network 172.16.0.0 0.0.255.255 area 0
 default-information originate always

router bgp 3
 network 172.16.50.0 mask 255.255.255.0
 network 172.16.70.0 mask 255.255.255.0
 network 172.16.10.0 mask 255.255.255.0
 network 172.16.112.0 mask 255.255.255.0
 neighbor 172.16.20.1 remote-as 1
 neighbor 172.16.20.1 filter-list 10 out
 neighbor 172.16.80.2 remote-as 2
 neighbor 172.16.80.2 filter-list 10 out
 no auto-summary

ip as-path access-list 10 permit ^$

access-list 1 permit 172.16.10.0 0.0.0.255
access-list 2 permit 172.16.112.0 0.0.0.255

route-map CHECK_SOURCE permit 10
 match ip address 1
 set ip next-hop 172.16.80.2

route-map CHECK_SOURCE permit 20
 match ip address 2
 set ip next-hop 172.16.20.1 172.16.80.2

Policy routing is always applied to the incoming interface. Serial 1 is configured with the interface command ip policy route-map map-name. This will apply route map CHECK_SOURCE to all Serial 1 incoming traffic. The explanation of the route map follows:

  • Instance 10: For all source IP addresses that come from 172.16.10.0/24, set the next hop to 172.16.80.2. If next hop 172.16.80.2 is unreachable, drop the packet.

  • Instance 20: For all source IP addresses that come from 172.16.112.0/24, set the next hop to 172.16.20.1. If next hop 172.16.20.1 is unreachable, try sending the traffic to next hop 172.16.80.2.

  • For all other source IP addresses, follow normal routing.

The policy routing route maps give you the option of choosing multiple next hops. This is necessary to always have a backup path. For all traffic that does not match the route maps, the router will follow normal routing. To illustrate, a traceroute will be done from RTG to 192.68.10.1 from source IP address 172.16.112.1. Example 12-64 shows RTA's IP routing table.

Example 12-64. Policy Routing: RTA IP Routing Table
RTA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
          * - candidate default U - per-user static route, o - ODR

Gateway of last resort is not set

B  192.68.10.0/24 [20/0] via 172.16.80.2, 00:30:09
B  192.68.11.0/24 [20/0] via 172.16.20.1, 00:30:14
   172.16.0.0/16 is subnetted, 5 subnets
O     172.16.50.0/24 [110/69] via 172.16.70.2, 00:27:27, Serial1
C     172.16.20.0/24 is directly connected, Serial0
C     172.16.80.0/24 is directly connected, Ethernet0
C     172.16.70.0/24 is directly connected, Serial1

Example 12-65 demonstrates a traceroute from RTG with a source of 172.16.112.1 and a destination of 192.68.10.1.

Example 12-65. Policy Routing: RTG traceroute
RTG#traceroute
Protocol [ip]:
Target IP address: 192.68.10.1
Source address: 172.16.112.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to gateway.aeg-aas.de (192.68.10.1)

 1 172.16.70.1 4 msec 4 msec 0 msec
 2 172.16.20.1 4 msec 4 msec 4 msec
 3 192.68.6.1 4 msec 4 msec 4 msec

Notice how RTA has taken next hop 172.16.20.1 (the second line in the traceroute output) to reach 192.68.10.0/24, even though RTA's routing table indicates that 192.68.10.0/24 should be reached with next hop 172.16.80.2.

This second attempt shows what will happen if Serial 0 is down and next hop 172.16.20.1 is unreachable. The next step is to perform a traceroute from RTG with a source of 172.16.112.1 and a destination of 192.68.10.1 while Serial 0 is down, as demonstrated in Example 12-66.

Example 12-66. Policy Routing: RTG traceroute
RTG#traceroute
Protocol [ip]:
Target IP address: 192.68.10.1
Source address: 172.16.112.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to gateway.aeg-aas.de (192.68.10.1)

 1 172.16.70.1 0 msec 4 msec 4 msec
 2 172.16.80.2 8 msec 4 msec 4 msec

The output in Example 12-66 reveals that RTA has taken the alternative next hop 172.16.80.2.

Before implementing any policy-based routing solutions, it's important that you understand the policy routing support and performance implications of the version of IOS and platform you're using. For additional information, consult the appropriate Cisco Command Reference, Configuration Guidelines, and Release Notes for your specific hardware and software versions.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
54.224.43.79