Controlling Network Traffic with Route Maps and Policy-Based Routing

15 Mar

This chapter covers the following topics, which you need to understand to
pass the CCNP/CCDP/CCIP BSCI exam:
■ Understanding route maps
■ Understanding policy-based routing
■ The operation of route maps and policy-based routing
■ Configuring route maps for policy-based routing
■ Configuring fast switching with policy-based routing
■ Configuring route maps for redistribution
■ Monitoring the configuration of route maps, policy-based routing, and redistribution

Controlling Network Traffic with Route Maps and Policy-Based Routing
The topics in this chapter deal with controlling both routed and routing traffic with route maps, which are more sophisticated than access lists. This is an advanced topic that deals with programming the router to match criteria against assigned lists and to perform tasks based on the result of the match.

The chapter deals with why route maps are needed and how they work. This chapter also provides the configuration syntax with working examples.

Route maps are rather intimidating if you are not familiar with access lists. Access lists are dealt with in depth in the CCNA course materials. The books CCNA Self-Study: Interconnecting Cisco Network Devices (ICND) and the CCNA ICND Exam Certification Guide, both from Cisco Press, deal with these subjects in more depth.

“Do I Know This Already?” Quiz
The purpose of the “Do I Know This Already?” quiz is to help you to decide what parts of this chapter to use. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 17-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you to determine how to spend your limited study time.

Table 18-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 18-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. In what ways are route maps more sophisticated than access lists?
a. Access lists can change the destination address of the outbound data packet.
b. Route maps take less CPU because of streamlined processing.
c. Access lists either exclude or include, whereas route maps can change the characteristics of the path.
d. Access lists can only be applied on inbound updates.

2. Route maps can be used for which of the following applications?
a. NAT
b. BGP
c. Summarization
d. Redistribution

3. Which of the following best describe a match statement?
a. The means by which a route is selected
b. A list of selection criteria
c. The method of discarding unwanted packets
d. A list of network prefixes

4. Which of the following best describe a set statement?
a. The method used to determine the best metric
b. The means of choosing the next hop
c. A list of conditions to apply to chosen routes
d. The means of changing routes or packets that are matched

5. Many match statements can be used in a route map. How many match statements must be matched for the set to be applied?
a. At least one
b. All of the criteria
c. None of them
d. At least 50 percent of the criteria

6. What are some of the benefits of policy-based routing?
a. The ability to link extended access lists
b. Easy administration
c. QoS
d. Load balancing

7. What is the relationship between route maps and policy-based routing?
a. Route maps use policy-based routing.
b. Route maps and policy-based routing are interchangeable terms.
c. Policy-based routing uses route maps.
d. Policy-based routing works with access lists, whereas route maps use a programming language.

8. Policy-based routing is applied to what type of traffic?
a. Inbound and routed traffic dependent on the configuration
b. Incoming packets
c. The routing process
d. Transiting traffic

9. If no match is made in a policy-based routing list of criteria, what action is taken?
a. The packet is sent to null interface 0.
b. The packet is dropped and no ICMP packet is sent to the source.
c. The packet is dropped and an ICMP packet is sent to the source.
d. The packet is sent to the routing process.

10. What additional configuration is required to ensure that packets are dropped when matched to a deny statement?
a. The set command at the end of the route map should be a static route to null 0.
b. The deny statement should be set to 0.0.0.0 0.0.0.0.
c. The last set command should be configured to the no-forward parameter.
d. No extra configuration is required, because packets that are denied are automatically dropped.

11. What command is used to match a packet based on its size?
a. match length
b. match size
c. match MTU
d. match ip length

12. Which set command is used only when there is no route found in the routing table?
a. set ip next hop
b. set default next hop
c. set ip default next-hop
d. set default gateway

13. What command is used to configure fast switching for route maps?
a. No command is required, because fast switching is on by default
b. Router(config-route-map)#set fast-switch on
c. Router(config-if)#ip route-cache policy
d. router#enable fast-switching

14. When using route maps for redistribution when there is a match and the deny statement is configured, what action will be taken by the route map?
a. The packet is dropped.
b. The route is not redistributed.
c. An ICMP packet is sent to the sender.
d. The packet is sent to the normal routing process.

15. How are the services of the route map for redistribution called?
a. The route map command
b. Under the incoming interface
c. The redistribution command
d. As a global configuration command

16. Which command is useful for validating the path to the destination with a specified packet size?
a. Extended ping
b. show ip protocol
c. show ip route
d. show redistribution

17. Which command is used to show the configured route maps?
a. show ip route map
b. show route-map
c. show ip map
d. show ip policy

The answers to this quiz are found in Appendix A, “Answers to Chapter ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:

■ 9 or less overall score —Read the entire chapter. This includes the “Foundation Topics” and “Foundation Summary” sections, the “Q&A” section, and the “Scenarios” at the end of the chapter.
■ 10–14 overall score —Begin with the “Foundation Summary” section, and then go to the “Q&A” section and the “Scenarios” at the end of the chapter. If you have trouble with these exercises, read the appropriate sections in “Foundation Topics.”
■ 15 or more overall score —If you want more review on these topics, skip to the “Foundation Summary” section, and then go to the “Q&A” section and the “Scenarios” at the end of the chapter. Otherwise, move to the next chapter.

Foundation Topics
Understanding Route Maps

Route maps are the means by which sophisticated “if/then logic” can be applied to a router. Route maps are the programming tools that are used to control redistribution, to implement policy-based routing, to control NAT translation, and to implement BGP policy.

You can use route maps for the following purposes:

■ To control redistribution —Route maps allow a higher level of sophistication than distribute lists. They do not simply block or include networks like a distribute list will when a match is found, but are capable of setting the metrics on the matching route.

■ To control and modify routing information —Route maps are used to modify routing information by setting the metrics on the matching route.

■ To define policies in policy-based routing —Route maps make decisions based on the destination address. Once a match is found in an access list, the action is that of inclusion or exclusion. Policy-based routing allows clear decisions to be implemented on more sophisticated criteria.

■ To add granularity in the configuration of Network Address Translation (NAT) —Route maps define pools of public and private addressing in address translation. There are additional show commands available by which to monitor and manage the NAT implementation.

■ To implement BGP policy-based routing —One of the main strengths of the routing protocol BGP is its ability to perform policy-based routing. Inherent in the protocol are attributes used to affect the path taken by traffic. These are often implemented using route maps: if this match is made, then apply this attribute. This is achieved by using the set command to change the attributes or metric of the BGP path. In very large networks, it is important to be able to determine traffic paths, because of both resource and security constraints. Route maps are the main method used by BGP to define BGP routing policy.

Route maps are very similar to access lists. They both perform if/then programming, in that they state criteria that is used to determine whether specific packets are to be permitted or denied. The main difference is that the route map has the additional capability of adding a set action to the match criterion. In an access list, the match criterion is implicit; in a route map, it is a keyword. This means that if a packet is matched to the criterion given in the route map, some action can be taken to change the packet, whereas access lists can simply permit or deny the matched packet.

Until recently, you could configure a router to route traffic and place some checks and controls on the router processes or interfaces to control overhead on both the router and the network. Now, it is possible to control the nature of traffic traversing your networks. The industry has not quite achieved the full benefits of traffic engineering, but route maps provide a means by which your networks can be managed with sophistication, allowing for stable, flexible networks to grow in both size and complexity.

The characteristics of route maps are summarized in the following list:

■ A route map has a list of criteria, stated with the match statement.
■ A route map can change packets or routes that are matched by using the set statement.
■ A collection of route map statements that have the same route map name are considered one route map.
■ The route map will stop as soon as a match is made, just like an access list does.
■ Within a route map, each route map statement is numbered with sequence numbers and, therefore, can be edited individually.
■ The sequence number is used to specify the order in which conditions are checked. Thus, if there are two statements in a route map named BESTEST, one with sequence 5 and the other with sequence 15, sequence 5 is checked first. If there is no match for the conditions in sequence 5, then sequence 15 will be checked.
■ Route maps can use IP standard or extended access lists to establish policy-based routing.

— A standard IP access list can be used to specify match criteria for the source address of a packet.
— Extended access lists can be used to specify match criteria based on source and destination addresses, application, protocol type, TOS, and precedence.

■ The match route map configuration commands are used to define the conditions to be checked.
■ The set route map configuration commands are used to define the actions to be followed if there is a match.
■ A route map can contain logical AND and logical OR Boolean operations.

Like an access list, there is an implicit deny any at the end of a route map. The consequences of this deny depend on how the route map is being used.

To understand this properly, you need to see exactly how route maps operate. The following list explains the process, or logic, by which route maps work:

■ The route map statements used for policy-based routing can be marked as permit or deny.
■ Only if the statement is marked as permit and the packet meets the match criteria will the set commands be applied.

■ The statements in a route map correspond to the lines of an access list. Specifying the match conditions in a route map is similar to specifying the source and destination addresses and masks in an access list.
■ The statements in the route map are compared to the route or packet to see if there is a match. The statements are examined in turn from the top, as in an access list.
■ A single match statement can contain multiple conditions. At least one condition in the match statement must be true. This is a logical OR.
■ A route map statement can contain multiple match statements. All match statements in the route map statement must be considered true for the route map statement to be considered matched. This is a logical AND.

Obviously, a simple network is easier to manage and troubleshoot. Using route maps adds complexity to network management and should be handled with caution. You will learn how to configure route maps in the section “Configuring Route Maps for Policy-Based Routing,” later in this chapter.

Understanding Policy-Based Routing
Route maps are used in the configuration of policy-based routing, allowing the selection of criteria such as IP address, application, protocol, or size of packet. Once selected, the policy-based routing commands implement the policy on the selected routes.

Policy-based routes and static routes have a lot in common. However, static routes forward packets based on the destination network address, whereas a policy route forwards packets based on the source address. If access lists are used with the route map, the parameters in an extended access list can be used to route traffic based on such criteria as the destination address, length, IP protocol field, precedence, or port numbers. This gives a greater granularity and scope to the criteria by which the next-hop router is decided.

The rules that define policy-based routing are as follows:

■ Traffic can be directed on either the source address or both the source and destination addresses.
■ Policy-based routing affects only the routing of the router on which it is configured in determining the next hop in the path to the destination.
■ Policy-based routing does not affect the destination of the packet, but it can affect the path that is taken, by setting the next hop, for example.
■ Policy-based routing does not allow traffic sent into another autonomous system to take a different path from the one that would have been chosen by that autonomous system.
■ It is possible to influence only how traffic will get to a neighboring router.
■ As policy-based routing examines the source address, it is configured on the inbound interface.

■ If there is no match made, the packet is denied policy-based routing and routed normally by destination.
■ The use of route maps for policy-based routing is a little different from other applications of route maps. When used for policy-based routing, if a packet does not match the criteria specified in the route map or a matched route map statement specifies deny, then the packet is not dropped. It is sent to the routing process and routed normally, by destination, as if it had never encountered a route map. If your intention is to drop packets that do not match the criteria, it is necessary to use the set command to route packets to the null interface as the last entry in the route map.

Route maps were introduced in Cisco IOS Software Release 11.0, allowing policies that defined different paths for different packets based on specified criteria.

Policy-based routing also provides a mechanism to mark packets with different types of service (ToS). This feature can be used in conjunction with Cisco IOS queuing techniques so that certain kinds of traffic receive preferential service.

Instead of routing by the destination address, policy-based routing allows you to determine and implement routing policies to allow or deny paths based on the following:

■ The identity of a particular end system
■ The application being run
■ The protocol in use
■ The size of packets

The ability to program the path your network traffic takes adds sophistication to the routing process and the network as a whole. However, it is important to understand the benefits and disadvantages of policy-based routing, as discussed in the next sections.

Benefits of Policy-Based Routing
The benefits of implementing policy-based routing in networks include the following:

■ Source-based transit provider selection —ISPs in particular use policy-based routing to make routing decisions based on the source address. This allows traffic belonging to different customers to be routed through different Internet connections, across the policy routers in accordance with whatever company policy needs to be adhered to.
■ Quality of service (QoS) —By setting the precedence or type of service (TOS) values in the IP packet headers in routers at the edge of the network, organizations can provide QoS. In this way, the traffic can be differentiated, and queuing mechanisms can be implemented to prioritize traffic based on the QoS in the core or backbone of the network. This improves network performance because the configuration is done only at the edge of the network.

■ Cost savings—The bulk traffic generated by a specific activity can be diverted to use a higher-bandwidth, high-cost link for a short time. Meanwhile, interactive traffic is provided basic connectivity over a lower-bandwidth, low-cost link. For example, a dial-on-demand ISDN line might be raised in response to traffic to a finance server for file transfers selected by policy-based routing.
■ Load balancing —This allows the implementation of policies to distribute traffic among multiple paths based on the traffic characteristics. This does not detract from the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS software has always supported.

Disadvantages of Policy-Based Routing
Consider the following disadvantages before deciding to implement policy-based routing:

■ A backup path should be in place in case the defined next-hop router goes down. If there is no alternative defined, policy-based routing uses the IP routing table.
■ Additional CPU is required to examine every source address to effect the defined policy.
■ Extra configuration is required.
■ The possibility exists that other traffic will be disrupted.

Now that you understand the features of route maps and policy-based routing, the next section explains how these technologies operate together.

The Operation of Route Maps and Policy-Based Routing
As explained in the section “Understanding Route Maps,” access lists work on a simple permit and deny basis, whereas route maps can alter the characteristics of the packet or its path. For example, an access list could state something similar to this logic: If the cupcake is lemon flavored, keep it, but if it is not lemon flavored, throw it away.

Along the same lines, a route map could specify logic such as this: If it is a lemon-flavored cupcake, ice it with lemon butter frosting. If it has walnuts, then ice it with melted chocolate. If it has neither a lemon flavor nor walnuts, leave it alone. The route map is obviously more powerful than the access list because it can change the entity.

Now to show the additional complexity of route maps, add a logical AND and a logical OR. For example, if the cupcake is lemon-flavored AND it contains poppy seeds, ice it with lemon butter frosting. If it has walnuts OR it was baked today, then ice it with melted chocolate. If it does not have a lemon flavor, poppy seeds, or walnuts, leave it alone.

The route map would look something like Example 18-1.
Example 18-1 Route Map Logic

For the mathematicians among you, this could be written as follows:

If {(a and b) match} then set c
Else
If {(x or y) match} then set z
Else
Set nothing

Route maps are used by policy-based routing to select the packets that policy-based routing wishes to affect.

Policy-based routing is applied to incoming packets or packets generated by the router, if configured to do so. When a packet is received on an interface with policy-based routing enabled, it goes through this procedure:

■ If there is a match and the action is to permit the route, then the packet is policy-routed in accordance with the set command.
■ If there is a match and the action is to deny the packet, then the packet is not policy-routed but is passed back to the forwarding engine for dynamic routing.
■ If there is no match and there is no configuration for what to do in this event, the default is to deny the packet, which would return it to the routing process for normal routing.
■ To block packets that find no match, you need to prevent them from being returned to normal forwarding. Normal routing is prevented by specifying a set statement to route the packets to interface null 0 as the last entry in the route map. This will route the packets to nowhere, effectively dropping them.

Configuring Route Maps for Policy-Based Routing
This section deals with the implementation and configuration of route maps and policy-based routing. Make sure to check the Cisco documentation set for your software version before configuring a live network.

The route-map command is shown here:

Router(config)#route-map map-tag [{permit | deny} sequence-number]

Table 18-2 describes the syntax options available for the route-map command.
Table 18-2 The route-map Command Options

The following commands are summarized here into groups: the match commands that can be configured for policy-based routing, and the set commands that can be applied if the packet matches the criteria stated.

The match Commands for Policy-Based Routing with Route Maps
The match commands used in policy-based routing are summarized in Table 18-3. These match commands are used to determine whether the packet is to be policy-routed, as opposed to being forwarded simply by destination. If it is to be policy-routed, the packet is sent down a different path, typically one less traveled.

Table 18-3 The match Commands Used in Policy-Based Routing

The set Commands for Policy-Based Routing with Route Maps
The set commands used in policy-based routing are summarized in Table 18-4. These set commands are used after the match criteria have been satisfied. Whereas the match parameter determines whether the packet will be policy-routed, the set parameter determines how the packet is to be policy-routed.

Table 18-4 The set Commands Used in Policy-Based Routing

The set commands can be used in conjunction with each other.

Once configured, the route map must be called into service. Until it is called, it has no power. The command used to recruit the services of the route map to an incoming interface follows:

Router(config-if)#ip policy route-map map-tag

map-tag is the name of the route map to use for policy-based routing. This must match a map tag specified by a route-map command.

Policy-based routing is configured on the incoming interface that receives the packets and performs policy-based routing on incoming packets, determining the path of the packet to the destination.

With the appropriate configuration, you can apply policy-based routing on packets generated by the router. The command is configured globally, using the following syntax:

Router(config)#ip local policy route-map map-tag

Example 18-2 shows a sample configuration.
Example 18-2 Calling a Route Map into Service

There are many things to be aware of when configuring a router that is directing the network traffic. When configuring policy-based routing or route maps, pay very careful attention to the logic and rules by which they operate.

CAUTION When editing a route map statement with the no version of the existing command line, if you forget to type in the sequence number, you will delete the entire route map.
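As an added illustration (not the chapter's own Example 18-1 or 18-2), the following Python model parses a constructed route map named BESTEST, written in the syntax shown in this section, and evaluates packets against it by the rules given in "Understanding Route Maps" and "The Operation of Route Maps and Policy-Based Routing": statements are checked in sequence order, several values on one match line are a logical OR, several match lines are a logical AND, a deny or no match sends the packet back to normal destination routing, set interface Null0 is what actually discards, and set ip default next-hop applies only when the routing table has no route. The ACL numbers, addresses, the prefix-list stand-in for standard access lists, the one-entry routing table and the assumption that next hops are reachable are all constructed for the example.

```python
"""Model of how IOS evaluates a route map for policy-based routing.
Added illustration, not the chapter's example: ACLs are simplified to
source-prefix lists, the routing table to known destination prefixes."""
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration: one route map, BESTEST, with four statements.
ROUTE_MAP_CONFIG = """
route-map BESTEST permit 5
 match ip address 10
 match length 0 100
 set ip next-hop 192.0.2.1
route-map BESTEST permit 10
 match ip address 20 30
 set interface Null0
route-map BESTEST deny 15
 match ip address 40
route-map BESTEST permit 20
 set ip default next-hop 192.0.2.2
"""
# Hypothetical standard ACLs: number -> permitted source prefixes.
ACLS = {"10": ["10.1.1.0/24"], "20": ["10.2.0.0/16"],
        "30": ["10.3.0.0/16"], "40": ["10.4.0.0/16"]}
ROUTING_TABLE = ["172.16.0.0/16"]  # hypothetical: destinations with a route


@dataclass
class Statement:
    seq: int
    action: str                                    # "permit" or "deny"
    matches: list = field(default_factory=list)    # (kind, values) pairs
    sets: list = field(default_factory=list)       # set-command word lists


def parse_route_map(text, name):
    """Return the statements of route map `name` in sequence-number order."""
    stmts = []
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "route-map" and w[1] == name:
            stmts.append(Statement(int(w[3]), w[2]))
        elif w[0] == "match" and w[1] == "length":
            stmts[-1].matches.append(("length", w[2:4]))
        elif w[0] == "match" and w[1:3] == ["ip", "address"]:
            stmts[-1].matches.append(("ip address", w[3:]))
        elif w[0] == "set":
            stmts[-1].sets.append(w[1:])
    return sorted(stmts, key=lambda s: s.seq)  # sequence order, not file order


def condition_true(kind, values, pkt):
    if kind == "ip address":   # several ACLs on one match line: logical OR
        src = ipaddress.ip_address(pkt["src"])
        return any(src in ipaddress.ip_network(p)
                   for acl in values for p in ACLS[acl])
    lo, hi = map(int, values)  # match length min max
    return lo <= pkt["length"] <= hi


def policy_route(pkt, stmts):
    """Return (disposition, detail) for a packet entering a PBR interface."""
    normal = ("routed normally", pkt["dst"])
    for st in stmts:
        # Every match line must hold (logical AND); no match lines match all.
        if not all(condition_true(k, v, pkt) for k, v in st.matches):
            continue                               # try the next sequence
        if st.action == "deny":
            return normal                          # deny is not a drop
        for s in st.sets:
            if s[:2] == ["ip", "next-hop"]:
                return ("policy-routed", s[2])     # first next hop, assumed up
            if s[:3] == ["ip", "default", "next-hop"]:
                dst = ipaddress.ip_address(pkt["dst"])
                if any(dst in ipaddress.ip_network(n) for n in ROUTING_TABLE):
                    return normal                  # table has a route: use it
                return ("policy-routed", s[3])
            if s[0] == "interface" and s[1].lower() == "null0":
                return ("dropped", "Null0")        # the only way to discard
        return normal
    return normal                                  # implicit deny at the end
```

Note that a packet from 10.4.0.0/16 hits the deny statement at sequence 15 and is still forwarded by the routing table, which is the point the chapter makes about deny in policy-based routing.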

Configuring Fast Switching with Policy-Based Routing
Speed through the network is influenced by the capability of the network devices to process traffic. Cisco is continually striving to enhance the features of its products, while at the same time reducing the resources consumed and the time it takes to provide those features.

Cisco made a major achievement in Cisco IOS Software Release 11.2F. In this version of IOS, IP policy-based routing is fast-switched. Previous versions process-switched policy-routed traffic, which yielded only approximately 1000 to 10,000 packets per second and resulted in application timeouts.

Fast switching of policy-based routing is disabled by default. You must configure it manually. To do so, complete the following steps:

Step 1 Configure policy-based routing before you configure fast-switched policy-based routing.
Step 2 When policy-based routing is configured, turn on the fast switching with this interface command:

Router(config-if)#ip route-cache policy

Fast-switched policy-based routing supports all of the match commands and most of the set commands, except for the following restrictions:

■ The set ip default command is not supported.
■ The set interface command is supported only over point-to-point links, unless a route-cache entry exists using the same interface specified in the set interface command in the route map. The route cache is the portion of memory assigned to the product of routing decisions. In addition, when process switching, the routing table is consulted to determine a path to the destination. During fast switching, the software does not make this check because fast switching is a cache of the process switch lookup. Instead, if the packet matches, the software blindly forwards the packet to the specified interface. This is a similar situation to the one described in reference to load balancing earlier in the section “Benefits of Policy-Based Routing.”

The next section expands the discussion of route maps to include redistribution.
