Policy-based Routing (PBR): its main purpose (Part 1)

    What is Policy-based Routing (PBR)? The phrase translates roughly as routing based on certain policies (rules, conditions), which are fairly flexible and are set by the administrator. In other words, looking at the technology from the point of view of its primary task, it provides flexible routing conditions based on the source or destination of the packet.
    Where it is used
    Most often this technology is used to organize redundancy in small offices that have several communication channels to the "outside world"; people google it with a query along the lines of "PBR 2 ISP", or something similar. If you do google it, you will find that for redundancy you need, in addition to PBR, things like tracking and IP SLA; I will not dwell on them much, either now or in the rest of the article.


    Briefly about SLA and tracking: in our case these are a combination of two technologies. IP SLA generates ICMP traffic of various kinds (under given conditions), and tracking monitors that generator.

    PBR also finds application in the configuration of dynamic routing protocols (for example BGP, OSPF, EIGRP) for filtering and redistributing routes, for little things like changing route metrics and so on, in static routing (described below), and in building mechanisms to improve quality of service (QoS). Perhaps I forgot something; do not blame me. Later in the article I will not discuss the use of PBR in BGP, QoS or OSPF.
    Basics of the design
    The actual route map looks like this:
    route-map namemap permit 5
    match int fa0/0
    set ip default next-hop 10.10.10.1

    Let's analyze in order:
    The first line (route-map namemap [permit | deny] [sequence-number]) contains the command that opens our map (route-map), then the name of the map (namemap), which is used later to apply the map as a policy. Next comes permit, since we want the action to be carried out for traffic that meets the condition described below, i.e. the packets are forwarded to the gateway 10.10.10.1. Instead of permit, the deny parameter may appear, but it is not used that often; it is mostly used with redistribution in dynamic routing protocols, or more precisely the other way round: with deny, routes are not redistributed. The last parameter is the sequence-number, 5 in our case, i.e. the serial number of the entry; it is convenient for the logical ordering of entries with the same map name, and also for administering the map (removing an entry in particular).

    The second line (match interface fa0/0) contains the condition that selects which traffic our map is applied to. In our case we take all traffic passing through the router's fastethernet0/0 interface. You can select by various criteria; as a rule, everyone writes the map against access-lists, i.e. an access-list is drawn up with the parameters of the networks the map should apply to. Examples of access-lists with brief comments are given below. I also want to add that the match parameter can be repeated, i.e. you can select by several criteria at once; for example, select by access-list and, in parallel, by packet size with match length min max, where min and max are the bounds of the packet size range. A small addition: this parameter is optional. In other words, if you do not select by any criterion, the map will be applied to all packets arriving on the interface to which we attach our route map.
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    ### this access-list, applied to a route-map, will select traffic from the network 192.168.0.0/24
    ### to any destination.
    And when an access-list like this is applied:
    access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.44
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.31
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    ### by the first line, traffic to the host 192.168.2.44 will not be redirected
    ### by the second line, traffic to the network 192.168.1.0/27 will likewise not be redirected
    ### and by the third line the map will apply to all remaining traffic from the network 192.168.0.0/24.

    Moving on to the next parameter: if you type the set subcommand followed by ?, the help will show you a lot of options, but most of them are again aimed at dynamic routing protocols. For now I have decided not to touch them (I plan to write articles about dynamic routing, and we will return to them there). So let's go straight to set ip.

    As an example we took set ip default next-hop 10.10.10.1.
    Here we again look at the keyword default: it means that if the global routing table contains no information about the packet's destination network (a default route does not count as such information), then our map kicks in and the packet is sent to the next hop, in this case 10.10.10.1.
    You can write an explicit set ip next-hop 10.10.10.1, and then the packet, regardless of the global table, will be redirected to our next-hop, i.e. a packet that falls under the criterion (it arrived on the fa0/0 interface) will be sent to 10.10.10.1, which will then decide what to do with it.
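To make the evaluation order concrete, here is an added Python model (not Cisco code and not part of the original article) that parses the ACL 101 lines from the text, walks the route-map by sequence number and applies the set ip default next-hop rule against a constructed routing table; the routing table contents are an assumption, as is the way a denied ACL line simply falls through to normal routing.

```python
import ipaddress
# Added example, not from the article: a small model of how IOS walks a PBR route-map.
def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> network (contiguous wildcards only; 0.0.0.0 = one host)."""
    host_bits = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network((addr, 32 - host_bits), strict=False)

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src_net, dst_net)]}."""
    def operand(tokens):
        tok = tokens.pop(0)
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        return wildcard_net(tokens.pop(0), "0.0.0.0") if tok == "host" else wildcard_net(tok, tokens.pop(0))
    acls = {}
    for line in lines:
        t = line.split()                      # ['access-list', N, action, 'ip', SRC..., DST...]
        number, action, rest = t[1], t[2], t[4:]
        acls.setdefault(number, []).append((action, operand(rest), operand(rest)))
    return acls

def acl_permits(entries, src, dst):
    """Top-down evaluation: the first matching line decides; implicit deny at the end."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def pbr_next_hop(route_map, acls, rib, src, dst):
    """route_map entries: (seq, 'permit'|'deny', acl_number, 'next-hop'|'default next-hop', hop).
    Returns (next_hop or None, reason); None means the global routing table decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, acl, kind, hop in sorted(route_map):
        if not acl_permits(acls[acl], src, dst):
            continue                          # not selected by this sequence: try the next one
        if action == "deny":
            return None, f"seq {seq} deny: routed normally"
        # 'default next-hop' yields to any explicit route; a 0.0.0.0/0 default route does not count
        if kind == "default next-hop" and any(dst in n for n in rib if n.prefixlen > 0):
            return None, f"seq {seq}: explicit route exists, routed normally"
        return hop, f"seq {seq}: set ip {kind} {hop}"
    return None, "no sequence matched: routed normally"

ACLS = parse_acl([  # constructed sample: the article's ACL 101
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.44",
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.31",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
])
ROUTE_MAP = [(5, "permit", "101", "default next-hop", "10.10.10.1")]  # the article's map
RIB = [ipaddress.ip_network(n) for n in ("0.0.0.0/0", "192.168.0.0/24", "172.16.5.0/24")]  # constructed
```

With this data, a packet from 192.168.0.10 to 8.8.8.8 goes to 10.10.10.1, while one to 172.16.5.9 stays on normal routing because an explicit route exists; swap the kind to "next-hop" and it is redirected regardless.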

    Further on the set ip parameter: you can set the next hop either as a specific IP address for subsequent routing or directly as an interface, for example set interface Dialer1. This is convenient when, say, the next hop does not have a static address but a dynamic one and you cannot explicitly specify a layer 3 address, or when you forgot what IP address is on the interface and are too lazy to look it up. As noted in the comments below, you should not specify an interface behind which there is a network with a large number of hosts; in other words, this should be used with point-to-point networks (/30 prefixes). Other set ip parameters are used to change the fields of the IP packet: setting the priority marking for QoS (set ip precedence 3), or clearing the don't fragment bit (set ip df 0), which lets routers along the path fragment the packet to the size their communication channels require.
    It remains to hang the route-map on the interface through which the packets that need redirecting (as opposed to following the default route of the global routing table) arrive. The resulting listing looks like this:
    route-map namemap permit 5
    match int fa0/0
    set ip default next-hop 10.10.10.1

    interface FastEthernet0/0
    encapsulation dot1Q 20
    ip address 192.168.0.1 255.255.255.0
    ip policy route-map namemap

    Please note that this configuration is not entirely correct in our case, although it works. Think for yourself why it is not correct and what conditions need to be changed.
    Afterword: in this part I tried to uncover the basics of PBR and how it works with packets. If I did not explain it clearly, please point out the errors; I would really appreciate it. In Part 2 I will describe a few more points regarding PBR and give examples of routing setups for specific cases. UPD: here is an attempt to continue with Part 2.

    The material for the article was taken from my head, so I cannot cite any literature, except maybe www.

    PS This article was in the sandbox; someone gave me an invitation to Habr, but since I was offline for a long time the invitation expired. I want to say thanks to the friend who gave me the invite. Now I have been invited by smartov, whom I know from another resource on the net. Thanks to him for the invitation.

    Posted by Mario
