
Tuesday, January 4, 2011

Policy Based Routing (PBR)

Policy Based Routing (Local Traffic)

Policy based routing (PBR) is one way to override the router's normal destination-based routing decision. An access list selects the traffic the policy applies to; it can match on source/destination address, protocol, port or packet length. A route map then directs the matched traffic wherever we prefer. The set commands available in a route map are listed below.



There are two ways of applying PBR: as an interface sub-command (ip policy route-map) or as a global command (ip local policy route-map). The interface sub-command applies the policy to packets arriving on that interface, i.e. transit traffic. The global command applies the policy only to traffic the router itself originates, which is what the telnet session in this example is.

Below is an example of how PBR works, together with the router configuration. Here are the tasks in this scenario.

  • Configure interface addresses and OSPF area 0 on all of the routers.
  • Make R1's OSPF route to 10.10.10.10 at R4 prefer the path through R3 only, by setting the OSPF cost on f0/0 of R1 to 1000.
  • Create an access list on R4 that blocks telnet traffic from R1 arriving via R3, and apply it inbound on interface f0/1 of R4 (telnet traffic must therefore use the other path, via R2, to reach R4).
  • Apply a local policy on R1 so that telnet sessions to R4 use the path via R2.
  • Verify telnet connectivity.

Here is the diagram


Configure the OSPF route from R1 to 10.10.10.10 at R4 to prefer the path through R3 only: set the OSPF cost on f0/0 of R1 to 1000.

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip ospf cost 1000

After applying the cost, R1 has only one route to 10.10.10.10, through R3 (next hop 192.168.3.2 on f0/1).
R1's routing table is shown below.

Gateway of last resort is not set

O    192.168.4.0/24 [110/20] via 192.168.3.2, 00:23:29, FastEthernet0/1
     10.0.0.0/32 is subnetted, 1 subnets
O       10.10.10.10 [110/21] via 192.168.3.2, 00:22:21, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O    192.168.2.0/24 [110/30] via 192.168.3.2, 00:22:21, FastEthernet0/1
C    192.168.3.0/24 is directly connected, FastEthernet0/1
R1#

Because an access list on f0/1 of R4 blocks telnet packets, the telnet connection to R4 cannot be established. The routing itself is fine; the "Destination unreachable" message is the result of the ICMP unreachable that R4's access list returns for the denied packet.

R1#
R1#telnet 10.10.10.10
Trying 10.10.10.10 ...
% Destination unreachable; gateway or host down

R1#

Apply a local policy on R1 so that telnet to R4 uses the path via R2.

**Create an access list matching telnet packets**
ip access-list extended telnet-packet
 permit tcp any any eq telnet
 deny   ip any any

**Configure a route map that matches the telnet access list and sets the next hop for that traffic to R2 (192.168.1.2) instead of R3**
route-map telnet-10 permit 10
 match ip address telnet-packet
 set ip next-hop 192.168.1.2

**Apply it as a global command, so it acts on traffic that R1 itself originates**
ip local policy route-map telnet-10
!

The match statement must reference the access list by the name it was created with (telnet-packet here); a route map that matches on a non-existent access list selects nothing and the traffic is routed normally. Note also that set ip next-hop is only honoured while 192.168.1.2 sits on a directly connected interface that is up: if f0/0 goes down, the telnet traffic falls back to the routing table (via R3) and is blocked by R4's access list again. If the router should check that the next hop is actually reachable rather than only that the link is up, use set ip next-hop verify-availability together with object tracking.

Verify telnet connectivity


R1#telnet 10.10.10.10
Trying 10.10.10.10 ... Open

User Access Verification
Password:
R4>


From the example above, PBR moved the telnet traffic from R1->R3->R4 to R1->R2->R4. The security consequence is worth stating plainly: an inbound access list on a single interface filters only the traffic that happens to arrive there, so anything that can reach R4 over another path bypasses it. To really restrict telnet to R4, filter on every ingress interface or, better, restrict the VTY lines themselves with access-class.
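The following Python model of R1's forwarding decision is an added example and is not part of the original post or IOS code. It reproduces the logic the page describes: a locally originated packet is first checked against the route map (access list match, then set ip next-hop), and only if no usable policy applies does it go to a longest-prefix-match lookup in the routing table. The names Packet, AclEntry, Router and build_r1 are made up for the example, the routing table and access list are constructed from the listings above, and the rule that a next hop is usable only when it lies on a connected interface that is up is a modelling assumption of IOS behaviour, not something the page states. It also shows the case the comment below asks about: with f0/0 down, the telnet packet falls back to the R3 path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


def acl_permits(acl: List[AclEntry], p: Packet) -> bool:
    """First matching entry wins; no match is an implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    acl_name: str       # "match ip address <acl>"
    next_hop: str       # "set ip next-hop <addr>"


@dataclass
class Router:
    connected: Dict[str, Tuple[ipaddress.IPv4Network, bool]]  # ifname -> (subnet, link up)
    rib: Dict[ipaddress.IPv4Network, str]                      # prefix -> next hop
    acls: Dict[str, List[AclEntry]]
    local_policy: List[RouteMapEntry]                          # "ip local policy route-map"

    def next_hop_usable(self, addr: str) -> bool:
        # Modelling assumption: "set ip next-hop" is honoured only when the
        # address sits on a directly connected subnet whose interface is up.
        a = ipaddress.ip_address(addr)
        return any(up and a in net for net, up in self.connected.values())

    def rib_lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the routing table."""
        d = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.rib.items():
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward_local(self, p: Packet) -> Tuple[Optional[str], str]:
        """(next hop, reason) for a packet the router itself originates."""
        for entry in sorted(self.local_policy, key=lambda e: e.seq):
            if acl_permits(self.acls[entry.acl_name], p):
                if self.next_hop_usable(entry.next_hop):
                    return entry.next_hop, f"route-map seq {entry.seq}"
                break  # matched, but next hop unusable: fall through to the routing table
        return self.rib_lookup(p.dst), "routing table"


def build_r1(f0_0_up: bool = True) -> Router:
    """R1 as shown on this page (constructed from the listings above)."""
    net = ipaddress.ip_network
    return Router(
        connected={"f0/0": (net("192.168.1.0/24"), f0_0_up),
                   "f0/1": (net("192.168.3.0/24"), True)},
        rib={net("10.10.10.10/32"): "192.168.3.2",
             net("192.168.4.0/24"): "192.168.3.2",
             net("192.168.2.0/24"): "192.168.3.2"},
        acls={"telnet-packet": [AclEntry("permit", "tcp", ANY, ANY, TELNET),
                                AclEntry("deny", "ip", ANY, ANY)]},
        local_policy=[RouteMapEntry(10, "telnet-packet", "192.168.1.2")],
    )


if __name__ == "__main__":
    r1 = build_r1()
    for pkt in (Packet("192.168.3.1", "10.10.10.10", "tcp", TELNET),
                Packet("192.168.3.1", "10.10.10.10", "icmp")):
        print(pkt.proto, pkt.dport, "->", r1.forward_local(pkt))
    # f0/0 down: 192.168.1.2 is no longer usable, telnet falls back to R3.
    print("f0/0 down:", build_r1(f0_0_up=False).forward_local(
        Packet("192.168.3.1", "10.10.10.10", "tcp", TELNET)))
```

Running it shows the telnet packet leaving via 192.168.1.2 (R2) while the ICMP packet to the same destination still follows the routing table to 192.168.3.2 (R3); with f0/0 down the telnet packet also goes to 192.168.3.2, which is exactly the path on which R4's access list drops it.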



1 comment:

  1. What will happen if the next hop 192.168.1.2 is down? Where will the traffic go, or will it just drop the traffic?
