Network Bulls
www.networkbulls.com
When a packet arrives at the incoming interface of a router, the router’s data plane processing
logic takes several steps to process the packet. The incoming packet actually arrives
encapsulated inside a data link layer frame, so the router must check the incoming
frame’s Frame Check Sequence (FCS) and discard the frame if errors occurred in transmission.
If the FCS check passes, the router discards the incoming frame’s data link header
and trailer, leaving the Layer 3 packet. Finally, the router does the equivalent of comparing
the destination IP address of the packet with the IP routing table, matching the longest-prefix
route that matches the destination IP address.
Note: Most routers today default to use Cisco Express Forwarding (CEF), which causes
the router to match the destination of IP packets with the CEF table, instead of the IP routing
table. IOS derives the CEF table from the information in the IP routing table, with
much faster table lookup as compared with using the routing table directly.
Policy-Based Routing (PBR) overrides the router’s natural destination-based forwarding
logic. PBR intercepts the packet after de-encapsulation on the incoming interface, before
the router performs the CEF table lookup. PBR then chooses how to forward the packet
using criteria other than the usual matching of the packet’s destination address with the
CEF table.
PBR chooses how to forward the packet by using matching logic defined through a route
map, which in turn typically refers to an IP ACL. That same route map also defines the
forwarding instructions–the next-hop IP address or outgoing interface–for packets
matched by the route map. Figure 11-1 shows the general concept, with PBR on interface
F0/0 overriding the usual routing logic, forwarding packets out three different outgoing
interfaces.
www.CareerCert.info
Chapter 11: Policy-Based Routing and IP Service Level Agreement 367
To perform the actions shown in Figure 11-1, the engineer configures two general steps:
Step 1. Create a route map with the logic to match packets, and choose the route, as
shown on the left side of the figure.
Step 2. Enable the route map for use with PBR, on an interface, for packets entering
the interface.
The rest of this section focuses on the configuration and verification of PBR.
Matching the Packet and Setting the Route
To match packets with a route map enabled for PBR, you use the familiar route-map match
command. However, you have two match command options to use:
match ip address
match length min max
The match ip address command uses the same familiar logic as seen in several other chapters
of this book. This command can reference standard and extended ACLs. Any item
matchable by an ACL can be matched in the route map. The match length command allows
you to specify a range of lengths, in bytes.
When a route map clause (with a permit action) matches a packet, the set command defines
how the router forwards the packet. The four set command options define either the
outgoing interface or the next-hop IP address, just like routes in the IP routing table:
set ip next-hop, set ip default next-hop, set interface, and set default interface.
Table 11-2 lists the options, with some explanations.
Note that two of the commands (set ip next-hop and set ip default next-hop) define a
next-hop router, and two (set interface and set default interface) define an outgoing
interface. The other difference in the commands relates to whether the command includes
the default keyword. The section “How the default Keyword Impacts PBR Logic Ordering”
later in this chapter describes the meaning of the default keyword.
(If the route-map command listed a deny action, IOS would simply route the packet as
normal–it would not filter the packet.) Finally, for packets matched with a permit action,
the router forwards the packet based on the set ip next-hop 10.1.14.4 command, which
tells R1 to forward the packet to R4 next.
Note that for each packet entering F0/0, PBR either matches the packet with a route map
permit clause, or matches the packet with a route map deny clause. All route maps have an
implicit deny clause at the end that matches all packets not already matched by the route
map. PBR processes packets that match a permit clause using the defined set command.
For packets matched by a deny clause, PBR lets the packet go through to the normal IP
routing process.
To verify the results of the policy routing, Example 11-2 shows two traceroute commands:
one from PC1 and one from PC2. Each shows the different paths. (Note that the
output actually comes from a couple of routers configured to act as hosts PC1 and PC2
for this example.)
Example 11-2 Confirming PBR Results Using traceroute
! First, from PC1 (actually, a router acting as PC1):
PC1# trace 10.1.3.99
Type escape sequence to abort.
Tracing the route to 10.1.3.99
1 10.1.1.9 4 msec 0 msec 4 msec
2 10.1.12.2 0 msec 4 msec 4 msec
3 10.1.234.3 0 msec 4 msec 4 msec
4 10.1.3.99 0 msec * 0 msec
! Next, from PC2
PC2# trace 10.1.3.99
Type escape sequence to abort.
Tracing the route to 10.1.3.99
1 10.1.1.9 4 msec 0 msec 4 msec
2 10.1.14.4 8 msec 4 msec 8 msec
3 10.1.234.3 8 msec 8 msec 4 msec
4 10.1.3.99 4 msec * 4 msec
The output differs only in the second router in the end-to-end path–R2’s 10.1.12.2 address
as seen for PC1’s packet and 10.1.14.4 as seen for PC2’s packet.
The verification commands on the router doing the PBR function list relatively sparse
information. The show ip policy command just shows the interfaces on which PBR is enabled
and the route map used. The show route-map command shows overall statistics for the
number of packets (and bytes) matching the route map for PBR purposes. The only way to
verify the types of packets that are policy routed is to use the debug ip policy command,
which can be dangerous on production routers, given its multiple lines of output per
packet, or to use traceroute. Example 11-3 lists the output of the show and debug commands
on Router R1 with the debug output being for a single policy routed packet.
Example 11-3 Verifying PBR on Router R1
R1# show ip policy
Interface Route map
Fa0/0 PC2-over-low-route
R1# show route-map
route-map PC2-over-low-route, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop 10.1.14.4
Policy routing matches: 12 packets, 720 bytes
R1# debug ip policy
*Sep 14 16:57:51.675: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99, len 28,
policy match
*Sep 14 16:57:51.675: IP: route map PC2-over-low-route, item 10, permit
*Sep 14 16:57:51.675: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99 (Serial0/0/1),
len 28, policy routed
*Sep 14 16:57:51.675: IP: FastEthernet0/0 to Serial0/0/1 10.1.14.4
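Because the debug output above runs to four lines per packet, a practitioner would normally send it to a syslog collector for a short window and summarise it afterwards rather than read it live on the router. The following script, added here as an example and not part of the certification guide or of IOS, does that reduction in Python: it pairs each "policy routed" line with the "in_if to out_if next_hop" line that follows it, attributes the packet to the route-map clause named just before, tallies packets and bytes per flow, counts packets that fell through to normal routing, and flags any next hop that is not one the route map is supposed to set. The first four sample lines are the ones from Example 11-3; the remaining lines are constructed, and the "policy rejected -- normal forwarding" wording for unmatched packets is assumed, since the page shows no such line.

```python
"""Summarise 'debug ip policy' output offline.

Added example, not code from the certification guide or from IOS. One
policy-routed packet produces a 'policy match' line, a 'route map ... item N'
line, a 'policy routed' line and an 'in_if to out_if next_hop' line; this
script folds those into per-flow counters.
"""
import re
from collections import Counter

CLAUSE_RE = re.compile(r"IP: route map (?P<name>\S+), item (?P<seq>\d+), (?P<action>permit|deny)")
ROUTED_RE = re.compile(
    r"IP: s=(?P<src>\S+) \((?P<in_if>[^)]+)\), d=(?P<dst>\S+) \((?P<out_if>[^)]+)\), "
    r"len (?P<length>\d+), policy routed")
HOP_RE = re.compile(r"IP: (?P<in_if>\S+) to (?P<out_if>\S+) (?P<next_hop>\S+)$")
# Message for packets that matched no permit clause (assumed wording; not shown on the page).
REJECTED_RE = re.compile(r"IP: s=(?P<src>\S+) \([^)]+\), d=(?P<dst>\S+), len \d+, policy rejected")


def summarize_policy_debug(lines):
    """Return (flows, rejected).

    flows maps (src, dst, out_if, next_hop, clause) to {"packets": n, "bytes": b};
    rejected counts (src, dst) pairs that fell through to normal routing.
    """
    flows = {}
    rejected = Counter()
    clause = None      # last 'route map X, item N, permit' seen
    pending = None     # 'policy routed' line waiting for its next-hop line
    for raw in lines:
        line = raw.rstrip()
        if m := CLAUSE_RE.search(line):
            clause = f"{m['name']}:{m['seq']}"
        elif m := ROUTED_RE.search(line):
            pending = m.groupdict()
        elif (m := HOP_RE.search(line)) and pending and pending["out_if"] == m["out_if"]:
            key = (pending["src"], pending["dst"], pending["out_if"], m["next_hop"], clause)
            entry = flows.setdefault(key, {"packets": 0, "bytes": 0})
            entry["packets"] += 1
            entry["bytes"] += int(pending["length"])
            pending = clause = None
        elif m := REJECTED_RE.search(line):
            rejected[(m["src"], m["dst"])] += 1
    return flows, dict(rejected)


def unexpected_next_hops(flows, configured):
    """Next hops seen in the debug that the route map is not supposed to set."""
    return {key[3] for key in flows} - set(configured)


# Constructed sample: the first four lines are from Example 11-3, the rest are made up.
DEBUG_LINES = """\
*Sep 14 16:57:51.675: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99, len 28, policy match
*Sep 14 16:57:51.675: IP: route map PC2-over-low-route, item 10, permit
*Sep 14 16:57:51.675: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99 (Serial0/0/1), len 28, policy routed
*Sep 14 16:57:51.675: IP: FastEthernet0/0 to Serial0/0/1 10.1.14.4
*Sep 14 16:57:52.103: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99, len 28, policy match
*Sep 14 16:57:52.103: IP: route map PC2-over-low-route, item 10, permit
*Sep 14 16:57:52.103: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99 (Serial0/0/1), len 28, policy routed
*Sep 14 16:57:52.103: IP: FastEthernet0/0 to Serial0/0/1 10.1.14.4
*Sep 14 16:57:52.511: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99, len 100, policy match
*Sep 14 16:57:52.511: IP: route map PC2-over-low-route, item 10, permit
*Sep 14 16:57:52.511: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.99 (Serial0/0/1), len 100, policy routed
*Sep 14 16:57:52.511: IP: FastEthernet0/0 to Serial0/0/1 10.1.14.4
*Sep 14 16:57:53.020: IP: s=10.1.1.1 (FastEthernet0/0), d=10.1.3.99, len 28, policy rejected -- normal forwarding
"""

if __name__ == "__main__":
    flows, rejected = summarize_policy_debug(DEBUG_LINES.splitlines())
    for key, counters in flows.items():
        print(key, counters)
    print("fell through to normal routing:", rejected)
    print("unexpected next hops:", unexpected_next_hops(flows, {"10.1.14.4"}))
```

The per-flow keys make it easy to compare the debug against the route map: the clause field should only ever name sequence numbers that exist in the configured route map, and unexpected_next_hops() should return an empty set when the collector's view agrees with the intended configuration.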
How the default Keyword Impacts PBR Logic Ordering
The example in the previous section showed a set command that did not use the default
keyword. However, the inclusion or omission of this keyword significantly impacts how
PBR works. This parameter in effect tells IOS whether to apply PBR logic before trying to
use normal destination-based routing, or whether to first try to use the normal
destination-based routing, relying on PBR’s logic only if the destination-based routing
logic fails to match a nondefault route.
First, consider the case in which the set command omits the default parameter. When IOS
matches the associated PBR route map permit clause, IOS applies the PBR logic first. If
the set command identifies an outgoing interface that is up, or a next-hop router that is
reachable, IOS uses the PBR-defined route. However, if the PBR route (as defined in the
set command) is not working–because the outgoing interface is down or the next hop is
unreachable using a connected route–then IOS next tries to route the packet using the
normal destination-based IP routing process.
Next, consider the case in which the set command includes the default parameter. When
IOS matches the associated PBR route map permit clause, IOS applies the normal
destination-based routing logic first, with one small exception: it ignores any default
routes. So, the router first tries to route the packet as normal, but if no nondefault
route matches the packet’s destination address, then the router forwards the packet as
directed in the set command.
For example, for the configuration shown in Example 11-1, by changing the set command
to set ip default next-hop 10.1.14.4, R1 would have first looked for (and found) a working
route through R2, and forwarded packets sent by PC2 over the link to R2. Summarizing:
■ Omitting the default parameter gives you logic like this: “Try PBR first, and if PBR’s
route does not work, try to route as usual.”
■ Including the default parameter gives you logic like this: “Try to route as usual while
ignoring any default routes, but if normal routing fails, use PBR.”
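The ordering described in this section, together with the implicit-deny behaviour discussed with Example 11-2, is easy to get wrong in the head, so here is the decision procedure written out as a small Python model. It is an added example, not code from the certification guide or from IOS. It reproduces the chapter's scenario with the addresses visible in Examples 11-2 and 11-3 (R1 Fa0/0 10.1.1.9, R2 10.1.12.2, R4 10.1.14.4 reached over Serial0/0/1, target 10.1.3.99, PC2 source 10.1.1.2); the PC1 address 10.1.1.1, the /24 prefix lengths, the interface toward R2 (Serial0/0/0), the default route via R2 and the contents of ACL 101 are assumptions. It also covers the case the text only describes, a destination that only a default route covers, for which set ip default next-hop does send the packet to R4.

```python
"""PBR decision order, modelled in Python (added example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str               # destination prefix, e.g. "10.1.3.0/24"
    next_hop: Optional[str]   # None means a connected route
    out_if: str


@dataclass
class Clause:
    permit: bool                         # route-map permit/deny
    acl: List[Tuple[str, str]]           # standard-ACL style entries: (action, source prefix)
    set_next_hop: Optional[str] = None   # 'set ip next-hop' / 'set ip default next-hop'
    default: bool = False                # True models the 'default' keyword


def acl_permits(acl, src):
    """First matching ACL entry wins; unmatched traffic hits the implicit deny."""
    for action, prefix in acl:
        if ip_address(src) in ip_network(prefix):
            return action == "permit"
    return False


def lookup(table, dst, ignore_default=False):
    """Longest-prefix match, standing in for the CEF table lookup."""
    best = None
    for r in table:
        net = ip_network(r.prefix)
        if ignore_default and net.prefixlen == 0:
            continue  # 'set ip default ...' skips default routes on its first pass
        if ip_address(dst) in net:
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = r
    return best


def next_hop_reachable(table, nh):
    """IOS only uses a PBR next hop that is reachable through a connected route."""
    r = lookup(table, nh)
    return r is not None and r.next_hop is None


def forward(table, route_map, src, dst):
    """Return (mechanism, next_hop, out_if); mechanism is 'pbr', 'routing-table' or 'drop'."""
    for clause in route_map:
        if not acl_permits(clause.acl, src):
            continue                     # clause did not match: try the next one
        if not clause.permit:
            break                        # explicit deny clause: route normally
        if clause.default:
            r = lookup(table, dst, ignore_default=True)
            if r is not None:
                return ("routing-table", r.next_hop, r.out_if)   # a nondefault route won
        if clause.set_next_hop and next_hop_reachable(table, clause.set_next_hop):
            return ("pbr", clause.set_next_hop, lookup(table, clause.set_next_hop).out_if)
        break                            # PBR path unusable: fall back to normal routing
    # Implicit deny, explicit deny, or unusable PBR path: ordinary destination-based routing.
    r = lookup(table, dst)
    return ("routing-table", r.next_hop, r.out_if) if r else ("drop", None, None)


# R1's routing table, constructed for this example.
R1_TABLE = [
    Route("10.1.1.0/24", None, "FastEthernet0/0"),     # LAN with PC1 and PC2
    Route("10.1.12.0/24", None, "Serial0/0/0"),        # link to R2 (interface name assumed)
    Route("10.1.14.0/24", None, "Serial0/0/1"),        # link to R4 (Example 11-3)
    Route("10.1.3.0/24", "10.1.12.2", "Serial0/0/0"),  # best route to 10.1.3.99 is via R2
    Route("0.0.0.0/0", "10.1.12.2", "Serial0/0/0"),    # default route via R2 (assumed)
]
ACL_101 = [("permit", "10.1.1.2/32")]   # assumed: ACL 101 matches only PC2's source address
PBR_NEXT_HOP = [Clause(True, ACL_101, "10.1.14.4")]                # set ip next-hop 10.1.14.4
PBR_DEFAULT_NEXT_HOP = [Clause(True, ACL_101, "10.1.14.4", True)]  # set ip default next-hop 10.1.14.4
R1_TABLE_R4_LINK_DOWN = [r for r in R1_TABLE if r.out_if != "Serial0/0/1"]

if __name__ == "__main__":
    cases = [
        ("PC1, set ip next-hop", PBR_NEXT_HOP, R1_TABLE, "10.1.1.1", "10.1.3.99"),
        ("PC2, set ip next-hop", PBR_NEXT_HOP, R1_TABLE, "10.1.1.2", "10.1.3.99"),
        ("PC2, set ip next-hop, R4 link down", PBR_NEXT_HOP, R1_TABLE_R4_LINK_DOWN, "10.1.1.2", "10.1.3.99"),
        ("PC2, set ip default next-hop", PBR_DEFAULT_NEXT_HOP, R1_TABLE, "10.1.1.2", "10.1.3.99"),
        ("PC2, set ip default next-hop, only default route fits", PBR_DEFAULT_NEXT_HOP, R1_TABLE, "10.1.1.2", "192.0.2.10"),
    ]
    for label, rm, table, src, dst in cases:
        print(f"{label:55} -> {forward(table, rm, src, dst)}")
```

The model's output matches Example 11-2 (PC1 via 10.1.12.2, PC2 via 10.1.14.4) and the statement above that set ip default next-hop would have sent PC2's packets through R2, because a nondefault route to 10.1.3.0/24 exists; only a destination with no route other than the default ends up at R4 under the default variant.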
Additional PBR Functions
Primarily, PBR routes packets received on an interface, but using logic other than matching
the destination IP address and the CEF table. This section briefly examines three additional
PBR functions.
Applying PBR to Locally Created Packets
In some cases, it may be useful to use PBR to process packets generated by the router itself.
However, PBR normally processes packets that enter the interface(s) on which the ip
policy route-map command has been configured, and packets generated by the router itself
do not actually enter the router through some interface. To make IOS process locally
created packets using PBR logic, configure the ip local policy route-map name global
command, referring to the PBR route map at the end of the command.
The section “Configuring and Verifying IP SLA” later in this chapter shows an example
use of this command. IP SLA causes a router to create packets, so applying PBR to such
packets can influence the path taken by the packets.
Setting IP Precedence
Quality of service (QoS) refers to the entire process of how the network infrastructure
can choose to apply different levels of service to different packets. For example, a router
may need to keep delay and jitter (delay variation) low for VoIP and Video over IP packets,
because these interactive voice and video calls only work well when the delay and jitter
are held very low. So, the router might let VoIP packets bypass a long queue of data packets
that might be waiting to exit an interface, giving the voice packet better (lower) delay
and jitter.
Most QoS designs mark each packet with a different value inside the IP header, for the
purpose of identifying groups of packets–a service class–that should get a particular QoS
treatment. For instance, all VoIP packets could be marked with a particular value so that
the router can then find those marked bits, know that the packet is a VoIP packet due to
that marking, and apply QoS accordingly.
Although the most commonly used QoS marking tool today is Class-Based Marking, in
the past, PBR was one of the few tools that could be used for this important QoS function
of marking packets. PBR still supports marking; however, most modern QoS designs ignore
PBR’s marking capabilities.
Before discussing PBR’s marking features, a little background about the historical view of
the IP header’s type of service (ToS) byte is needed. The IP header originally defined a ToS
byte whose individual bits have been defined in a couple of ways over the years. One such
definition used the first three bits in the ToS byte as a three-bit IP Precedence (IPP) field,
which could be used for generic QoS marking, with the higher values generally implying a
better QoS treatment. In the late 1990s (RFC 2474, 1998), the ToS byte was redefined as the
Differentiated Services (DS) byte, with the first six bits defined as the Differentiated
Services Code Point (DSCP). Most QoS implementations today revolve around setting the
DSCP field.
PBR supports setting the older QoS marking fields, the 3-bit IP Precedence (IPP) and the
4-bit ToS subfield that follows it (values 0 through 15), using the route-map commands
set ip precedence value and set ip tos value, respectively. Both fields overlap the DSCP
bits, so applying them to a packet that already carries a DSCP value rewrites part of that
value. To configure packet marking, configure PBR as normal, but add a set command that
defines the field to be marked and the value.
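To make the bit layout concrete, the following Python functions, added here as an example rather than taken from the guide or from IOS, model what set ip precedence and set ip tos write into the ToS byte and decode the result as DSCP. They show why modern DSCP designs ignore these commands: applied to a packet already marked EF, set ip precedence 3 produces AF33 rather than CS3, and set ip tos 8 (min-delay) leaves a code point with no standard name. Bit positions follow RFC 791, RFC 1349 and RFC 2474; the IOS keyword values for set ip tos (min-delay 8, max-throughput 4, max-reliability 2, min-monetary-cost 1) are taken from IOS documentation, not from this page.

```python
"""ToS-byte marking as done by the PBR set commands (added example, not IOS code).

Byte layout, most significant bit first:
  RFC 791/1349 view:  PPP TTTT 0   (3-bit precedence, 4-bit ToS subfield, unused bit)
  RFC 2474/3168 view: DDDDDD EE    (6-bit DSCP, 2-bit ECN)
"""


def set_ip_precedence(tos_byte, precedence):
    """Model 'set ip precedence <0-7>': rewrite the top 3 bits, keep the other 5."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is 0..7")
    return (tos_byte & 0x1F) | (precedence << 5)


def set_ip_tos(tos_byte, tos4):
    """Model 'set ip tos <0-15>': rewrite the 4-bit RFC 1349 subfield (byte bits 4..1),
    leaving precedence and the lowest bit alone. IOS keyword values: min-delay 8,
    max-throughput 4, max-reliability 2, min-monetary-cost 1 (from IOS documentation)."""
    if not 0 <= tos4 <= 15:
        raise ValueError("tos is 0..15")
    return (tos_byte & 0xE1) | (tos4 << 1)


def precedence_of(tos_byte):
    return tos_byte >> 5


def dscp_of(tos_byte):
    return tos_byte >> 2


def ecn_of(tos_byte):
    return tos_byte & 0x03


def dscp_name(dscp):
    """Standard name for a code point (CS0-CS7, AF11-AF43, EF), or 'DSCP n' if none."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    cls, drop = dscp // 8, (dscp % 8) // 2
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp % 2 == 0:
        return f"AF{cls}{drop}"
    return f"DSCP {dscp}"


def describe(tos_byte):
    dscp = dscp_of(tos_byte)
    return (f"ToS 0x{tos_byte:02X}: precedence {precedence_of(tos_byte)}, "
            f"DSCP {dscp} ({dscp_name(dscp)}), ECN {ecn_of(tos_byte)}")


if __name__ == "__main__":
    ef = 46 << 2   # a packet already marked EF by a DSCP-aware edge device
    print("original                  ", describe(ef))
    # IPP rewrite keeps DSCP's low three bits: EF (101110) becomes 011110 = AF33, not CS3.
    print("set ip precedence 3       ", describe(set_ip_precedence(ef, 3)))
    # The ToS subfield sits inside the DSCP field, so min-delay leaves an unnamed code point.
    print("set ip tos 8 (min-delay)  ", describe(set_ip_tos(ef, 8)))
    # On an unmarked packet, precedence 5 yields CS5, the IPP-compatible class selector.
    print("set ip precedence 5 on 0  ", describe(set_ip_precedence(0x00, 5)))
```

The class-selector code points (CSn = n << 3) are the only place where the two views agree, which is why IPP-based marking survives in DSCP networks at all; anything else written with these commands should be treated as a remark, not a mark.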
PBR with IP SLA
Besides matching a packet’s length, or matching a packet with an ACL, PBR can also react
to some dynamic measurements of the health of the IP network. To do so, PBR relies on
the IP Service-Level Agreement (IP SLA) tool. In short, if the IP SLA tool measures the
network’s current performance, and the performance does not meet the defined threshold,
PBR chooses to not use a particular route. The second half of this chapter discusses IP
SLA, with the section “Configuring and Verifying IP SLA” demonstrating how PBR works
with IP SLA.