In today's high performance internetworks, organizations need the freedom to implement packet forwarding and routing according to their own defined policies in a way that goes beyond traditional routing protocol concerns. Where administrative issues dictate that traffic be routed through specific paths, policy-based routing, introduced in Cisco Internetwork Operating System (Cisco IOS™) Software Release 11.0, can provide the solution. By using policy-based routing, customers can implement policies that selectively cause packets to take different paths.
Policy routing also provides a mechanism to mark packets so that certain kinds of traffic receive differentiated, preferential service when used in combination with queuing techniques enabled through the Cisco IOS software. These queuing techniques provide an extremely powerful, simple, and flexible tool to network managers who implement routing policies in their networks.
This paper discusses the Cisco IOS software policy-based routing feature and addresses policy-based routing and its functionality. In addition, the issues related to managing an internetwork with policy-based routing implemented are described. And finally, the applications of policy-based routing in internetworks are presented.
The benefits that can be achieved by implementing policy-based routing in the networks include:
Policy-based routing (PBR) provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators. It provides a more flexible mechanism for routing packets through routers, complementing the existing mechanism provided by routing protocols.
Routers forward packets to the destination addresses based on information from static routes or dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Enhanced Interior Gateway Routing Protocol (Enhanced IGRP®). Instead of routing by the destination address, policy-based routing allows network administrators to determine and implement routing policies to allow or deny paths based on the following:
Policies can be defined as simply as "my network will not carry traffic from the engineering department" or as complex as "traffic originating within my network with the following characteristics will take path A, while other traffic will take path B."
Policy-based routing allows the network administrator to classify traffic using access control lists (ACLs) and then set the IP precedence or TOS values, thereby tagging the packets with the defined classification.
Classification of traffic through policy-based routing allows the network administrator to identify traffic for different classes of service at the perimeter of the network and then implement QOS defined for each class of service in the core of the network using priority, custom, or weighted fair queuing techniques. This process saves having to classify the traffic explicitly at each WAN interface in the core/backbone network.
Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing. The router passes the packets through enhanced packet filters called route maps. Based on the criteria defined in the route maps, packets are forwarded/routed to the appropriate next hop.
Each entry in a route map statement contains a combination of match and set clauses/commands. The match clauses define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses then explain how the packets should be routed once they have met the match criteria.
For each combination of match and set commands in a route map statement, all sequential match clauses must be met simultaneously by the packet for the set clauses to be applied. There may be multiple sets of combinations of match and set commands in a full route map statement.
The route map statements can also be marked as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (in other words, destination-based routing is performed). Only if the statement is marked as permit and the packets meet the match criteria are all the set clauses applied. If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.
Note: Policy routing is specified on the interface that receives the packets, not on the interface from which the packets are sent.
The IP standard or extended ACLs can be used to establish the match criteria. The standard IP access lists can be used to specify the match criteria for source address; extended access lists can be used to specify the match criteria based on application, protocol type, TOS, and precedence.
The match clause feature has been extended to include matching packet length between specified minimum and maximum values. The network administrator can then use the match length as the criterion that distinguishes between interactive and bulk traffic (bulk traffic usually has larger packet sizes).
The policy routing process proceeds through the route map until a match is found. If no match is found in the route map, or the route map entry is made a deny instead of a permit, then normal destination-based routing of the traffic ensues.
Note: There is an implicit deny at the end of the list of match statements.
If the match clauses are satisfied, one of the following set clauses can be used to specify the criteria for forwarding packets through the router; they are evaluated in the order listed:
The set commands can be used in conjunction with each other.
The next hop router specified in the set clauses must be adjacent to the policy router, sharing a subnetwork with the policy router.
If the packets do not meet any of the defined match criteria (that is, if the packets fall off the end of a route map), then those packets are routed through the normal destination-based routing process. If it is desired not to revert to normal forwarding and to drop the packets that do not match the specified criteria, then interface Null 0 should be specified as the last interface in the list by using the set clause.
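The evaluation rules described above (entries tried in sequence order, all match clauses of an entry ANDed together, a deny entry or falling off the end returning the packet to destination-based routing, and a final Null0 entry dropping instead) can be modelled in a few lines. This is an added Python example, not Cisco code; the ACL predicates, interface names and next-hop addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of route-map evaluation for policy-based routing.
# A packet is a dict of header fields; each match clause is a predicate over it.
@dataclass
class Entry:
    seq: int
    action: str                          # "permit" or "deny"
    matches: list                        # all predicates must hold (logical AND)
    set_next_hop: Optional[str] = None   # set ip next-hop <adjacent router>
    set_interface: Optional[str] = None  # set interface <name>; Null0 drops

def acl_source_in(prefix: str):
    """Stand-in for a standard ACL: match on the packet's source address prefix."""
    return lambda p: p["src"].startswith(prefix)

def length_between(lo: int, hi: int):
    """Stand-in for 'match length lo hi' (bulk versus interactive traffic)."""
    return lambda p: lo <= p["length"] <= hi

def policy_route(route_map: list, packet: dict) -> str:
    """Forwarding decision for a packet arriving on a PBR-enabled interface.
    The first entry whose match clauses are all satisfied decides; a deny entry
    or no matching entry (implicit deny) means normal destination-based routing."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not all(m(packet) for m in entry.matches):
            continue                     # an entry with no match clause matches everything
        if entry.action == "deny":
            return "normal-routing"
        if entry.set_interface == "Null0":
            return "drop"
        if entry.set_next_hop:
            return f"next-hop {entry.set_next_hop}"
        if entry.set_interface:
            return f"interface {entry.set_interface}"
        return "normal-routing"          # permit entry with no set clause
    return "normal-routing"              # fell off the end of the route map

# Constructed route map: range A via ISP1, range B via ISP2, one department
# explicitly denied back to normal routing, bulk traffic over a separate link.
ROUTE_MAP = [
    Entry(10, "permit", [acl_source_in("10.1.")], set_next_hop="192.0.2.1"),
    Entry(20, "permit", [acl_source_in("10.2.")], set_next_hop="198.51.100.1"),
    Entry(30, "deny",   [acl_source_in("10.3.")]),
    Entry(40, "permit", [length_between(1000, 1500)], set_interface="Serial1"),
]
# Same map with a catch-all Null0 entry: unmatched packets are dropped, not routed.
STRICT_ROUTE_MAP = ROUTE_MAP + [Entry(50, "permit", [], set_interface="Null0")]
```

Note that the deny entry at sequence 30 stops evaluation for its matching packets, so a large packet from that range never reaches the bulk-traffic entry at sequence 40.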
The route specified by configured policies might differ from the best route as determined by the routing protocols, enabling packets to take different routes depending on their source, length, and content. As a result, packet forwarding based on configured policies will override packet forwarding based on the routing entries in the routing tables to the same destination. For example, the management applications might discover a path that corresponds to the path discovered by a dynamic routing protocol or specified by a static route, whereas the actual traffic might not follow that path, based on the configured policies.
Similarly, the traceroute command might report a path that is different from the route taken by the packets generated by the user application. For example, in Figure 1, the best path between X and Y is through the T1 line, but policy routing can be used to send some traffic over the Frame Relay link.
Because the added flexibility to route traffic on user-defined paths rather than the paths determined by routing protocols may make the environment more difficult to manage and might cause routing loops, policies should be defined in a deterministic manner to keep the environment simple and manageable.
The following sections list applications of policy routing.
Policy routing enables the network administrator to provide equal-access and source-sensitive routing. (See Figure 2.)
In Figure 2, Organization X has directed that traffic from address range A go through Internet Service Provider (ISP) 1 and traffic from address range B go through ISP2.
Figure 1: Best Path and Configured Path
Figure 2: Source-Sensitive Routing
By tagging packets with policy routing, network administrators can classify the network traffic at the perimeter of the network for various classes of service and then implement those classes of service in the core of the network using priority, custom or weighted fair queuing. This setup improves network performance by eliminating the need to classify the traffic explicitly at each WAN interface in the core or backbone network. (See Figure 3.)
An organization can direct the bulk traffic associated with a specific activity to use a higher bandwidth, high-cost link for a short time, and continue basic connectivity over a lower bandwidth, low-cost link for interactive traffic. For example, Figure 4 shows a dial-on-demand Integrated Services Digital Network (ISDN) line brought up in response to traffic to the finance server for file transfers selected by policy routing.
Figure 3: Type of Service Prioritization
Figure 4: Dial-on-Demand ISDN Line Responding to Traffic
In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.
Policy-based routing offers significant benefits in terms of implementing user-defined policies to control traffic in the internetworks and can provide solutions where legal, contractual, or political constraints dictate that traffic be routed through specific paths. Policy routing also provides a mechanism to mark packets so that differentiated preferential service can be provided to types of traffic in combination with queuing techniques available in the Cisco IOS software. Policy-based routing adds flexibility in a difficult-to-manage environment, providing the network administrator the ability to route traffic based on user defined concerns. For network managers who implement routing policies in their networks, the Cisco IOS software provides an extremely powerful, simple, and flexible tool.
Cisco is committed to providing its customers with value-added implementations that give superior traffic prioritization, Internet access, security, cost optimizing data compression, and integrated LAN/WAN software support. Cisco continues to build on these defining characteristics of the Cisco IOS software as network traffic queuing techniques become a necessary technology in networks worldwide.
Posted: Thurs. 9/12/96 11:34:00 PDT