Policy-based Routing (PBR), as the main purpose (Part 1)

What is Policy-based Routing (PBR)
Translated literally, policy-based routing (PBR) means routing according to policies (rules, conditions) that are relatively flexible and are set by the administrator. In other words, this technology makes routing decisions on flexible conditions, in its primary use according to the source or destination of the packet.
Where applicable
This technology is most often used to organise redundancy in small offices that have several channels of communication with the outside world; "google" a request such as "PBR 2 ISP" or something similar. If you do, you will find that redundancy also involves things like tracking and IP SLA in addition to PBR; I will not dwell on them much, either now or in the next part of the article.


Briefly about SLA and tracking: these are two technologies, or more precisely a bundle of two technologies (in our case), one of which generates various kinds of ICMP traffic under given conditions (that is SLA), while the other monitors this generator (that is tracking).

PBR is also used in the configuration of dynamic routing protocols (for example BGP, OSPF, EIGRP) for filtering and redistribution (redirection) of routes and for trivialities such as changing route metrics, etc.; in static routing (covered below); and in mechanisms for improving quality of service (QoS). Perhaps I forgot something, do not blame me. In this article I will not cover the use of PBR in BGP, QoS or OSPF.
Design Basics
The actual map looks like this:
route-map namemap permit 5
 match int fa0/0
 set ip default next-hop 10.10.10.1
We analyze in order:
The first line (route-map namemap [permit | deny] [sequence-number]) contains the command that opens our map (route-map), followed by the name of the map (namemap), which is later used to apply this map as a policy. Then comes permit, because we want the action to be performed on traffic that meets the following conditions, i.e. packets are redirected to the gateway 10.10.10.1. Instead of permit the parameter deny may appear, but it is not used often; it is used mostly with redistribution (redirection) in dynamic routing protocols, and, to be precise, the other way round: with deny, no redistribution (redirection) is done for the matching routes. The last parameter is the sequence-number, which in our case is 5, i.e. the serial number of the map entry; it is convenient for the logical arrangement of entries with the same map name, and also for administering the map (deleting an entry in particular).

The second line (match interface fa0/0) contains the condition selecting which traffic our map applies to. In our case we use all traffic arriving on the router's FastEthernet0/0 interface. The selection can be made by various criteria; as a rule, everyone builds the map on access-lists, i.e. writes an access-list with the parameters specifying which networks the map applies to. Examples of access-lists with brief comments are presented below.
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
### access-list for the route-map: all traffic from 192.168.0.0/24

A more selective access-list:
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.44
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.31
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
### traffic to host 192.168.2.44 is excluded from the map
### traffic to 192.168.1.0/27 is excluded from the map
### everything else from 192.168.0.0/24 falls under the map


I would also add that the match parameter can be repeated, i.e. the selection can be made by several criteria at once. For example, we match by access-lists and, in parallel, by packet size (match length min max, where min and max are the lower and upper bounds of the packet size). A small addition: this parameter is not mandatory. In other words, if you do not select by any criterion, the map is applied to all packets passing through the interface to which we apply our routing map.

Moving on to the next parameter: if you type set ? the help shows you many values, most of which again concern dynamic routing protocols. For now I have decided not to touch them (I plan to write articles about dynamic routing and will return to them there) and go straight to set ip.

We took set ip default next-hop 10.10.10.1 as the example.
Consider the default keyword: it means that if the global routing table has no route to the packet's destination network, our map comes into play and the packet is sent to the next hop, in this case 10.10.10.1.
You can instead write an explicit set ip next-hop 10.10.10.1, and then the packet will be redirected to our next-hop regardless of the global table, i.e. a packet that met the criterion (it arrived on the fa0/0 interface) goes to 10.10.10.1, which then decides what to do with it.

Continuing with the set ip parameter, you can specify the next hop either as a specific IP address for subsequent routing or as an interface. For example, set ip next-hop interface Dialer1; this is convenient when the next hop has a dynamic rather than a static address, so you cannot explicitly specify a layer 3 address, or when you have forgotten which IP address the interface has and are too lazy to look it up. As noted in the comments below, you should not specify interfaces on which a network with a large number of hosts resides; in other words, use point-to-point networks (/30 prefixes). Other set ip parameters change the IP parameters of the packet: setting the QoS precedence marking (set ip precedence 3), or clearing the don't-fragment bit (set ip df 0), which lets the routers along the path set the packet size they need for onward transmission over the communication channels.
It remains only to hang the route-map on the interface whose packets need to be forwarded contrary to the default route of the global routing table. We get the following listing:
route-map namemap permit 5
 match int fa0/0
 set ip default next-hop 10.10.10.1

interface FastEthernet0/0
encapsulation dot1Q 20
ip address 192.168.0.1 255.255.255.0
ip policy route-map namemap


Please note that this configuration is not entirely correct for our case, although it works. Think for yourself what is wrong with it and which conditions need to be changed.
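To make the semantics described above concrete, here is an added example (not from the article and not Cisco's implementation) that models how a permit/deny access-list with wildcard masks selects packets for the map, and how set ip default next-hop differs from set ip next-hop when the global table does or does not know the destination. The routing table contents and the 10.0.0.2 next hop are constructed for the example.

```python
import ipaddress

# Constructed global routing table (RIB): the only known destination network.
RIB = {"192.168.1.0/24": "10.0.0.2"}

# ACL 101 from the article as (action, src, src_wildcard, dst, dst_wildcard);
# "host X" is X with wildcard 0.0.0.0 and "any" is 0.0.0.0 with 255.255.255.255.
ACL_101 = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.2.44", "0.0.0.0"),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.1.0",  "0.0.0.31"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0",      "255.255.255.255"),
]

POLICY_NEXT_HOP = "10.10.10.1"   # the "set ip [default] next-hop" target from the article

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', so compare only the 0 bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

def rib_lookup(dst):
    """Return the RIB next hop for dst, or None when the table has no route."""
    ip = ipaddress.IPv4Address(dst)
    for prefix, next_hop in RIB.items():
        if ip in ipaddress.ip_network(prefix):
            return next_hop
    return None

def pbr_next_hop(src, dst, default_only):
    """Next hop for a packet entering the interface with 'ip policy route-map' applied.
    default_only=True models 'set ip default next-hop'; False models 'set ip next-hop'.
    Packets the ACL does not permit fall back to ordinary routing (None = no route)."""
    rib_next_hop = rib_lookup(dst)
    if not acl_permits(ACL_101, src, dst):
        return rib_next_hop
    if default_only:
        # The policy is consulted only when the RIB has no route to the destination.
        return rib_next_hop if rib_next_hop is not None else POLICY_NEXT_HOP
    return POLICY_NEXT_HOP          # explicit next-hop overrides the RIB entirely
```

Note that 192.168.1.100 lies outside the denied /27 but inside the routed /24, so it follows the RIB with the default form and the policy with the explicit form.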

Afterword:
In this part I have tried to cover the basics of PBR and how it works with packets. If something is not clear, please point out the errors; I would be very grateful. In Part 2 I will describe a few more points regarding PBR and give examples of building routing for specific cases.

UPD: an attempt to continue in Part 2.

The material for the article came from my own head, so I cannot cite any literature, except www.

PS This article was in the sandbox; someone gave me an invitation to Habr, but since I was offline for a long time the invitation expired. I want to say thank you to the person who gave the invite. I am now here at the invitation of smartov, whom I know from another resource on the network. Thanks to him for the invitation as well.

Posted by Mario

Source: https://habr.com/ru/post/101796/