Policy Based Routing
A simple use case for Policy based routing
As networks grow and carry a mix of voice, data, application and video traffic, we need more flexibility in how that traffic moves through the network. The growth of cloud and mobile applications has made this more important than ever.
Policy based routing is a powerful tool in the arsenal of the network engineer.
With policy-based routing (PBR) we can forward packets based on a policy rather than on the destination address alone. A policy can match on parameters such as source and destination address, traffic type, protocol, destination port or source port, and other criteria.
So why use policy-based routing at all? For one, we can steer traffic to best suit the needs of our network, which benefits the performance, resiliency and availability of the infrastructure.
One thing policy-based routing lets us do is treat some traffic as more important than other traffic. For example, if we had two links to the internet, one with lower bandwidth and higher latency and one with higher bandwidth and lower latency, we could send standard web browsing over the first link and our high-bandwidth applications over the second. We separate the traffic by classifying it and sending each class towards its preferred path.
In the demonstration below we will change the preferred path of the desktop user so that an alternate path is taken to the destination network 192.168.0.0/30.
All routers have been assigned IP addresses, OSPF is running as the routing protocol and all networks are being advertised. Every address can be pinged.
If we run a traceroute to 192.168.1.2 from the desktop before implementing policy-based routing, we can see that the path is R3 – R2 – R1.
Let’s get stuck in and change the path for this traffic.
We apply our route map on R3, as it is the router that receives the desktop's traffic and therefore makes the forwarding decision we want to influence.
- Define the interesting traffic. In my case I used extended access lists; you may wish to do it differently. Standard IP access lists are used when you route based on source address only, whereas extended access lists match on both source and destination.
- access-list 100 permit ip host 192.168.3.2 host 192.168.1.2 (this entry matches traffic from host 192.168.3.2, the desktop user in our case, destined for host 192.168.1.2)
- access-list 101 permit ip any any (matches any host to any destination)
- Next we configure our route map.
- Each route-map entry has a permit or deny action and a sequence number; entries are evaluated in sequence order and the first match wins.
- We create the route map and give it a unique, descriptive name (make sure it is relevant) together with a permit or deny action.
In the example below we created a route map called Divert_192.168.3.2 and, in the next line, matched our access list.
In the first entry (permit 10) we specified that if the traffic is coming from user 192.168.3.2 and going to destination 192.168.1.2, we send it along the path R3 – R4 – R2 – R1 by setting the next hop to R4.
All other traffic takes the normal preferred path to its destination.
route-map Divert_192.168.3.2 permit 10
match ip address 100
set ip next-hop 192.168.5.2
In the second entry (permit 20) we call the second access list, which matches any host to any destination. This entry has no set clause, so matching traffic is simply handed to the normal routing table. The router would do the same for traffic that matches no entry at all (a route map ends with an implicit deny, and denied or unmatched packets are routed normally), so this entry is optional, but it makes the intent explicit.
route-map Divert_192.168.3.2 permit 20
match ip address 101
- The last step is to apply the route map inbound on the interface that receives the traffic we want to steer. PBR acts on packets arriving on that interface, not on traffic generated by R3 itself.
- R3 interface facing the 192.168.3.0 network
- ip policy route-map Divert_192.168.3.2
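To make the matching rules concrete, here is a small model of how a router walks this route map for a single packet. It is an added example, not part of the original post or any Cisco code: the hosts, access lists and the 192.168.5.2 next hop are taken from the configuration above, while the set of reachable next hops is an assumption standing in for R3's adjacency table so that the fallback case can be shown.

```python
# Added example (not from the original post): a model of how IOS evaluates a
# PBR route map for one packet.  Hosts, ACLs and the 192.168.5.2 next hop come
# from the R3 configuration in the post; R4_REACHABLE is an assumption standing
# in for R3's adjacency table.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")


def host(addr: str) -> IPv4Network:
    """'host a.b.c.d' in an extended ACL is shorthand for a /32."""
    return IPv4Network(f"{addr}/32")


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: list, src: IPv4Address, dst: IPv4Address) -> bool:
    """ACL entries are tested top-down, first match wins, implicit deny at the end."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


@dataclass
class RouteMapEntry:
    seq: int
    action: str                   # "permit" or "deny"
    match_acl: Optional[list]     # None = no match clause, so every packet matches
    next_hops: list = field(default_factory=list)   # set ip next-hop ...


# access-list 100 permit ip host 192.168.3.2 host 192.168.1.2
ACL_100 = [AclEntry("permit", host("192.168.3.2"), host("192.168.1.2"))]
# access-list 101 permit ip any any
ACL_101 = [AclEntry("permit", ANY, ANY)]

# route-map Divert_192.168.3.2 permit 10: match ip address 100, set ip next-hop 192.168.5.2
# route-map Divert_192.168.3.2 permit 20: match ip address 101, no set clause
DIVERT = [
    RouteMapEntry(10, "permit", ACL_100, ["192.168.5.2"]),
    RouteMapEntry(20, "permit", ACL_101),
]

# Assumption: the next hops R3 currently has a usable adjacency to (R4's address).
R4_REACHABLE = {"192.168.5.2"}


def pbr_decision(route_map: list, src: str, dst: str, reachable=R4_REACHABLE):
    """Return ("pbr", next_hop) when the route map overrides forwarding for this
    packet, or ("rib", None) when it falls back to normal destination-based routing."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.match_acl is not None and not acl_permits(entry.match_acl, s, d):
            continue                      # no match: try the next sequence number
        if entry.action == "deny":
            return ("rib", None)          # deny entry: matched, but routed normally
        for nh in entry.next_hops:        # set ip next-hop: first usable hop wins
            if nh in reachable:
                return ("pbr", nh)
        return ("rib", None)              # permit with no usable set clause
    return ("rib", None)                  # nothing matched: implicit deny, normal routing


if __name__ == "__main__":
    print(pbr_decision(DIVERT, "192.168.3.2", "192.168.1.2"))   # diverted via R4
    print(pbr_decision(DIVERT, "192.168.3.3", "192.168.1.2"))   # other host, normal path
    print(pbr_decision(DIVERT, "192.168.3.2", "192.168.1.2", reachable=set()))  # R4 down
```

Two behaviours worth noting from this model: a packet from any other host, or from the desktop to any other destination, never reaches the set clause and is routed by the normal routing table, which is what the second traceroute later in the post shows. And if the next hop given to set ip next-hop is not reachable (the link to R4 is down), the packet is not dropped but routed normally as well, so PBR gives you a preferred path, not a guaranteed one.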
Time to verify!
We can verify with a tracert on the user's desktop.
After the route map is applied, the trace from desktop user 192.168.3.2 to 192.168.1.2 follows R3 – R4 – R2 – R1.
If I change the desktop user's IP address to another address, the traffic no longer matches access-list 100 and we can see it return to the preferred path, R3 – R2 – R1.
As we can see, policy-based routing is a powerful tool with many use cases!
Complete command line
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#access-list 100 permit ip host 192.168.3.2 host 192.168.1.2
R3(config)#access-list 101 permit ip any any
R3(config)#route-map Divert_192.168.3.2 permit 10
R3(config-route-map)#match ip address 100
R3(config-route-map)#set ip next-hop 192.168.5.2
R3(config-route-map)#exit
R3(config)#route-map Divert_192.168.3.2 permit 20
R3(config-route-map)#match ip address 101
R3(config-route-map)#exit
R3(config)#interface fastethernet 1/1
R3(config-if)#ip policy route-map Divert_192.168.3.2
R3(config-if)#end