The Need to Define Routing Policy
In today's high performance internetworks, organizations need the freedom to implement packet forwarding and routing according to their own defined policies in a way that goes beyond traditional routing protocol concerns. Where administrative issues dictate that traffic be routed through specific paths, policy-based routing, introduced in Cisco Internetwork Operating System (Cisco IOS™) Software Release 11.0, can provide the solution. By using policy-based routing, customers can implement policies that selectively cause packets to take different paths.
Policy routing also provides a mechanism to mark packets so that certain kinds of traffic receive differentiated, preferential service when used in combination with queuing techniques enabled through the Cisco IOS software. These queuing techniques provide an extremely powerful, simple, and flexible tool to network managers who implement routing policies in their networks.
This paper discusses the Cisco IOS software policy-based routing feature and addresses policy-based routing and its functionality. In addition, the issues related to managing an internetwork with policy-based routing implemented are described. And finally, the applications of policy-based routing in internetworks are presented.
The Benefits of Policy-Based Routing
The benefits that can be achieved by implementing policy-based routing in the networks include:
• Source-Based Transit Provider Selection—Internet service providers and other organizations can use policy-based routing to route traffic originating from different sets of users through different Internet connections across the policy routers.
• Quality of Service (QOS)—Organizations can provide QOS to differentiated traffic by setting the precedence or type of service (TOS) values in the IP packet headers at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network.
• Cost Savings—Organizations can achieve cost savings by distributing interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost, switched paths.
• Load Sharing—In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.
Policy-Based Routing Data Forwarding
Policy-based routing (PBR) provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators. It provides a more flexible mechanism for routing packets through routers, complementing the existing mechanism provided by routing protocols.
Routers forward packets to the destination addresses based on information from static routes or dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Enhanced Interior Gateway Routing Protocol (Enhanced IGRP®). Instead of routing by the destination address, policy-based routing allows network administrators to determine and implement routing policies to allow or deny paths based on the following:
• Identity of a particular end system
• Size of packets
Policies can be defined as simply as "my network will not carry traffic from the engineering department" or as complex as "traffic originating within my network with the following characteristics will take path A, while other traffic will take path B."
Tagging Network Traffic
Policy-based routing allows the network administrator to classify traffic using access control lists¹ (ACLs) and then set the IP precedence or TOS values, thereby tagging the packets with the defined classification.
Classification of traffic through policy-based routing allows the network administrator to identify traffic for different classes of service at the perimeter of the network and then implement QOS defined for each class of service in the core of the network using priority, custom, or weighted fair queuing techniques. This process saves having to classify the traffic explicitly at each WAN interface in the core/backbone network.
Applying Policy-Based Routing
Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing. The router passes the packets through enhanced packet filters called route maps. Based on the criteria defined in the route maps, packets are forwarded/routed to the appropriate next hop.
Policy Route Maps
Each entry in a route map statement contains a combination of match and set clauses/commands. The match clauses define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses then explain how the packets should be routed once they have met the match criteria.
For each combination of match and set commands in a route map statement, all sequential match clauses must be met simultaneously by the packet for the set clauses to be applied. There may be multiple sets of combinations of match and set commands in a full route map statement.
The route map statements can also be marked as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (in other words, destination-based routing is performed). Only if the statement is marked as permit and the packets meet the match criteria are all the set clauses applied. If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.
Note: Policy routing is specified on the interface that receives the packets, not on the interface from which the packets are sent.
Match Clauses—Defining the Criteria
The IP standard or extended ACLs can be used to establish the match criteria. The standard IP access lists can be used to specify the match criteria for source address; extended access lists can be used to specify the match criteria based on application, protocol type, TOS, and precedence.
The match clause feature has been extended to include matching packet length between specified minimum and maximum values. The network administrator can then use the match length as the criterion that distinguishes between interactive and bulk traffic (bulk traffic usually has larger packet sizes).
The policy routing process proceeds through the route map until a match is found. If no match is found in the route map, or the route map entry is made a deny instead of a permit, then normal destination-based routing of the traffic ensues.
Note: There is an implicit deny at the end of the list of match statements.
Set Clauses—Defining the Route
If the match clauses are satisfied, one of the following set clauses can be used to specify the criteria for forwarding packets through the router; they are evaluated in the order listed:
1. List of interfaces through which the packets can be routed—If more than one interface is specified, then the first interface that is found to be up will be used for forwarding the packets.
2. List of specified IP addresses—The IP address can specify the adjacent next hop router in the path toward the destination to which the packets should be forwarded. The first IP address associated with a currently "up" connected interface will be used to route the packets.
3. List of default interfaces—If there is no explicit route available to the destination address of the packet being considered for policy routing, then route it to the first up interface in the list of specified default interfaces.
4. List of default next hop IP addresses—Route to the interface or the next hop specified by this set clause only if there is no explicit route for the destination address of the packet in the routing table.
5. IP TOS—A value or keyword can be specified to set the type of service in the IP packets.
6. IP precedence—A value or keyword can be specified to set the precedence in the IP packets.
The set commands can be used in conjunction with each other.
The next hop router specified in the set clauses must be adjacent to the policy router, sharing a subnetwork with the policy router.
If the packets do not meet any of the defined match criteria (that is, if the packets fall off the end of a route map), then those packets are routed through the normal destination-based routing process. If it is desired not to revert to normal forwarding and to drop the packets that do not match the specified criteria, then interface Null 0 should be specified as the last interface in the list by using the set clause.
The route specified by configured policies might differ from the best route as determined by the routing protocols, enabling packets to take different routes depending on their source, length, and content. As a result, packet forwarding based on configured policies overrides packet forwarding based on the routing-table entries for the same destination. For example, network management applications might discover the path computed by a dynamic routing protocol or defined by a static route, whereas the actual traffic, because of the configured policies, might not follow that path.
Similarly, the traceroute command might report a path that is different from the route taken by the packets generated by the user application. For example, in Figure 1, the best path between X and Y is through the T1 line, but policy routing can be used to send some traffic over the Frame Relay link.
Because the added flexibility to route traffic on user-defined paths rather than the paths determined by routing protocols may make the environment more difficult to manage and might cause routing loops, policies should be defined in a deterministic manner to keep the environment simple and manageable.
The following sections list applications of policy routing.
Equal-Access and Source-Sensitive Routing
Policy routing enables the network administrator to provide equal-access and source-sensitive routing. (See Figure 2.)
In Figure 2, Organization X has directed that traffic from address range A go through Internet Service Provider (ISP) 1 and traffic from address range B go through ISP2.
Figure 1. Best Path and Configured Path
Figure 2. Source-Sensitive Routing
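The following Python program is an added example, not code from this paper or from Cisco IOS. It is a small simulator of the route-map semantics described in the Policy Route Maps, Match Clauses and Set Clauses sections (entries tried in sequence order, permit versus deny, all match clauses required, the first usable interface or next hop, default next hops used only when no explicit route exists, Null0 to drop instead of falling through, precedence tagging), run against a constructed IOS-style configuration whose source-range ACLs follow the pattern of the source-sensitive routing application above. The ACL numbers, addresses, interface names, link states and routing-table contents are assumptions, and only the subset of match and set keywords used in the sample is parsed.

```python
"""Route-map simulator: an added example, not code from this paper or from Cisco IOS.
All ACL numbers, addresses, interface names, link states and routes below are assumptions."""
import ipaddress

# Constructed policy: ACL 3 is denied, range A (ACL 1) is split by packet length, range B
# (ACL 2) gets a default next hop, and the last entry drops everything else via Null0.
CONFIG = """
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.2.0.0 0.0.255.255
access-list 3 permit 10.3.0.0 0.0.255.255
route-map DEMO deny 10
 match ip address 3
route-map DEMO permit 20
 match ip address 1
 match length 0 1000
 set ip next-hop 192.0.2.1 192.0.2.2
 set ip precedence 5
route-map DEMO permit 30
 match ip address 1
 set interface Serial1
route-map DEMO permit 40
 match ip address 2
 set ip default next-hop 192.0.2.2
route-map DEMO permit 50
 set interface Null0
"""
TOPOLOGY = {"up": {"Serial0": False, "Serial1": True, "Ethernet1": True},  # Serial0 is down
            "adjacent": {"192.0.2.1": "Serial0", "192.0.2.2": "Ethernet1"},  # connected next hops
            "routes": ["10.0.0.0/8", "198.51.100.0/24"]}   # explicit routes in the routing table
SET_KEYS = ("ip default next-hop", "ip next-hop", "ip precedence", "ip tos", "interface")

def parse_config(text):
    """Parse the IOS subset above into {acl: lines} and a sequence-ordered entry list."""
    acls, entries = {}, []
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "access-list":       # access-list N permit|deny ADDR WILDCARD
            acls.setdefault(int(words[1]), []).append((words[2] == "permit", words[3], words[4]))
        elif words[0] == "route-map":       # route-map NAME permit|deny SEQ
            entries.append({"seq": int(words[3]), "permit": words[2] == "permit", "match": [], "set": {}})
        elif words[0] == "match":
            entries[-1]["match"].append(words[1:])
        elif words[0] == "set":
            rest = " ".join(words[1:])
            key = next(k for k in SET_KEYS if rest.startswith(k + " "))
            entries[-1]["set"][key] = rest[len(key):].split()
    return acls, sorted(entries, key=lambda e: e["seq"])

def acl_permits(acls, number, src):
    """Standard ACL: the first matching line decides; implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for permit, addr, wildcard in acls.get(number, []):
        mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard -> netmask
        if s & mask == int(ipaddress.IPv4Address(addr)) & mask:
            return permit
    return False

def entry_matches(entry, acls, pkt):
    """Every match clause must hold (AND); ACLs listed in one clause are OR'd."""
    for m in entry["match"]:
        if m[:2] == ["ip", "address"] and not any(acl_permits(acls, int(n), pkt["src"]) for n in m[2:]):
            return False
        if m[0] == "length" and not int(m[1]) <= pkt["length"] <= int(m[2]):
            return False
    return True                          # an entry with no match clause matches everything

def policy_route(rmap, acls, pkt, topo):
    """Return (action, detail, marks); 'normal' means ordinary destination-based routing."""
    up = topo["up"]
    for e in rmap:                       # lowest sequence number first
        if not entry_matches(e, acls, pkt):
            continue
        if not e["permit"]:
            return "normal", "deny entry %d" % e["seq"], {}
        marks = {k.split()[1]: int(v[0]) for k, v in e["set"].items() if k in ("ip tos", "ip precedence")}
        for ifname in e["set"].get("interface", []):          # first interface that is up
            if ifname == "Null0":
                return "drop", ifname, marks                   # Null0 is always up: discard
            if up.get(ifname):
                return "interface", ifname, marks
        for hop in e["set"].get("ip next-hop", []):            # first next hop on an up connected link
            if up.get(topo["adjacent"].get(hop), False):
                return "next-hop", hop, marks
        if not any(ipaddress.IPv4Address(pkt["dst"]) in ipaddress.IPv4Network(r) for r in topo["routes"]):
            for hop in e["set"].get("ip default next-hop", []):  # only without an explicit route
                if up.get(topo["adjacent"].get(hop), False):
                    return "next-hop", hop, marks
        return "normal", "permit entry %d, no usable policy path" % e["seq"], marks
    return "normal", "fell off the end of the route map", {}

def demo():
    acls, rmap = parse_config(CONFIG)
    packets = {                          # constructed packets: (source, destination, length in bytes)
        "A-interactive": ("10.1.4.4", "198.51.100.9", 64), "A-bulk": ("10.1.4.4", "198.51.100.9", 1400),
        "B-routed": ("10.2.9.9", "198.51.100.9", 64), "B-unrouted": ("10.2.9.9", "203.0.113.7", 64),
        "denied": ("10.3.1.1", "198.51.100.9", 64), "other": ("172.16.0.5", "198.51.100.9", 64)}
    return {name: policy_route(rmap, acls, {"src": s, "dst": d, "length": n}, TOPOLOGY)
            for name, (s, d, n) in packets.items()}
```

Calling demo() returns one (action, detail, marks) tuple per constructed packet. Because Serial0 is down, the interactive packet from range A is sent to the second listed next hop, 192.0.2.2, with precedence 5 set, while the 1400-byte packet from the same source fails the length clause of entry 20 and is handled by entry 30 instead. The packet that matches the deny entry and the range B packet whose destination already has an explicit route are both returned to normal destination-based routing, exactly as the paper describes; only the catch-all entry with Null0 discards anything.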
Quality of Service
By tagging packets with policy routing, network administrators can classify the network traffic at the perimeter of the network for various classes of service and then implement those classes of service in the core of the network using priority, custom or weighted fair queuing. This setup improves network performance by eliminating the need to classify the traffic explicitly at each WAN interface in the core or backbone network. (See Figure 3.)
Cost Savings
An organization can direct the bulk traffic associated with a specific activity to use a higher bandwidth, high-cost link for a short time, and continue basic connectivity over a lower bandwidth, low-cost link for interactive traffic. For example, Figure 4 shows a dial-on-demand Integrated Services Digital Network (ISDN) line brought up in response to traffic to the finance server for file transfers selected by policy routing.
Figure 3. Type of Service Prioritization
Figure 4. Dial-on-Demand ISDN Line Responding to Traffic
Load Sharing
In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.
The Cisco Commitment to Policy-Based Routing
Policy-based routing offers significant benefits in terms of implementing user-defined policies to control traffic in internetworks and can provide solutions where legal, contractual, or political constraints dictate that traffic be routed through specific paths. Policy routing also provides a mechanism to mark packets so that differentiated, preferential service can be provided to types of traffic in combination with queuing techniques available in the Cisco IOS software. Policy-based routing adds flexibility in a difficult-to-manage environment, giving the network administrator the ability to route traffic based on user-defined concerns. For network managers who implement routing policies in their networks, the Cisco IOS software provides an extremely powerful, simple, and flexible tool.
Cisco is committed to providing its customers with value-added implementations that give superior traffic prioritization, Internet access, security, cost optimizing data compression, and integrated LAN/WAN software support. Cisco continues to build on these defining characteristics of the Cisco IOS software as network traffic queuing techniques become a necessary technology in networks worldwide.
¹ Access control lists, enabled by the Cisco IOS software, provide packet-filtering capability.
0896R