Ruijie RSR Series Routers_IP Routing Protocol_Policy Routing

policy routing

Features:

Policy-based routing (PBR) provides a packet routing and forwarding mechanism that is more flexible than forwarding based on the destination address alone. Policy routing can select routes based on the source address, destination address, port, and packet length of IP/IPv6 packets.

Application scenario:

An enterprise has two egress lines and needs some intranet computers to reach the Internet through one egress line and the remaining computers to reach it through the other. In this case, the policy routing function can be enabled on the router.

1. Networking requirements

In the topology below, R1 has two exits to the external network, R3 and R4. The intranet 172.16.1.0/24 must reach the external network through the R3 exit, and the intranet 172.16.2.0/24 must reach it through the R4 exit.

2. Network topology

 

4. Configuration points

1. Basic IP address configuration

2. Basic IP routing configuration, making the whole network reachable

3. Configure ACLs on R1 to match the intranet traffic

4. Configure policy routing

5. Apply policy routing

5. Configuration steps

1. Basic IP address configuration

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface gigabitEthernet 0/2

R1(config-GigabitEthernet 0/2)#ip address 192.168.3.1 255.255.255.0

R1(config-GigabitEthernet 0/2)#exit

Ruijie(config)#hostname R2

R2(config)#interface gigabitEthernet 0/0

R2(config-GigabitEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-GigabitEthernet 0/0)#exit

R2(config)#interface gigabitEthernet 0/1

R2(config-GigabitEthernet 0/1)#ip address 172.16.1.1 255.255.255.0

R2(config-GigabitEthernet 0/1)#exit

R2(config)#interface gigabitEthernet 0/2

R2(config-GigabitEthernet 0/2)#ip address 172.16.2.1 255.255.255.0

R2(config-GigabitEthernet 0/2)#exit

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

Ruijie(config)#hostname R4

R4(config)#interface fastEthernet 0/0

R4(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

R4(config-if-FastEthernet 0/0)#exit

2. Basic IP routing configuration, making the whole network reachable

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2

R2(config)#ip route 100.1.1.0 255.255.255.0 192.168.1.1

R3(config)#ip route 172.16.0.0 255.255.0.0 192.168.2.1

R4(config)#ip route 172.16.0.0 255.255.0.0 192.168.3.1

3. Configure ACLs on R1 to match the intranet traffic

R1(config)#ip access-list standard 10          //Configure ACL 10 to match intranet 172.16.1.0/24

R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255

R1(config-std-nacl)#exit

R1(config)#ip access-list standard 20      //Configure ACL 20 to match intranet 172.16.2.0/24

R1(config-std-nacl)#10 permit 172.16.2.0 0.0.0.255

R1(config-std-nacl)#exit

4. Configure policy routing

R1(config)#route-map ruijie permit 10        //Configure route-map ruijie

R1(config-route-map)#match ip address 10     //Match the intranet traffic permitted by ACL 10

R1(config-route-map)#set ip next-hop 192.168.2.2   //Force the next hop of the IP packet to 192.168.2.2, so it takes the R3 exit

R1(config-route-map)#exit

R1(config)#route-map ruijie permit 20

R1(config-route-map)#match ip address 20

R1(config-route-map)#set ip next-hop 192.168.3.2

R1(config-route-map)#exit

Notice:

1) Route-map entries are matched from top to bottom. Once traffic matches an entry, it is forwarded according to that entry and no further entries are checked.

2) There is a deny-all statement at the end of the route-map. Intranet traffic that does not match any policy routing entry is not discarded; it is forwarded by normal IP routing.

3) Policy routing can set the IP address of the next hop (set ip next-hop), and it can also set the outbound interface of the packet. Setting the IP address of the next hop is recommended.

5. Apply policy routing

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip policy route-map ruijie     //Apply policy routing

R1(config-GigabitEthernet 0/0)#exit

Notice:

Policy routing must be applied on the interface where the packets enter the router (the inbound direction); it cannot be applied on the outbound interface. Policy routing works by forcing the next hop and outbound interface of a packet at the moment it enters the router. By the time a packet reaches the outbound interface, the router has already completed the IP routing decision and is forwarding the packet out of that interface, so policy routing applied there has no effect.
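The evaluation order described in the notes above (first match wins, unmatched traffic falls back to normal IP routing) can be checked offline before a change is pushed to R1. The following Python model is an added example, not part of the original post and not Ruijie code; its parser handles only the permit statements shown on this page, and 172.16.3.1 is a constructed source address used to show the fall-through case.

```python
import ipaddress

# R1 policy configuration from this page, prompts and comments stripped.
R1_CONFIG = """\
ip access-list standard 10
 10 permit 172.16.1.0 0.0.0.255
ip access-list standard 20
 10 permit 172.16.2.0 0.0.0.255
route-map ruijie permit 10
 match ip address 10
 set ip next-hop 192.168.2.2
route-map ruijie permit 20
 match ip address 20
 set ip next-hop 192.168.3.2
"""

def parse(config):
    """Return (acls, route_map) built from permit-only config lines."""
    acls, rmap, cur_acl = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "access-list", "standard"]:
            cur_acl = acls.setdefault(w[3], [])
        elif len(w) == 4 and w[1] == "permit":      # "<seq> permit <base> <wildcard>"
            cur_acl.append(tuple(int(ipaddress.ip_address(a)) for a in w[2:]))
        elif w[:1] == ["route-map"]:                # new sequence: [seq, acl id, next hop]
            rmap.append([int(w[3]), None, None])
        elif w[:3] == ["match", "ip", "address"]:
            rmap[-1][1] = w[3]
        elif w[:3] == ["set", "ip", "next-hop"]:
            rmap[-1][2] = w[3]
    return acls, sorted(rmap, key=lambda entry: entry[0])

def pbr_next_hop(src, acls, rmap):
    """First matching sequence wins; None means normal IP routing applies."""
    s = int(ipaddress.ip_address(src))
    for _seq, acl_id, next_hop in rmap:
        for base, wild in acls.get(acl_id, []):
            # Wildcard mask: 0 bits must match, 1 bits are ignored.
            if ((s ^ base) & ~wild & 0xFFFFFFFF) == 0:
                return next_hop
    return None

ACLS, RMAP = parse(R1_CONFIG)
for src in ("172.16.1.1", "172.16.2.1", "172.16.3.1"):
    print(src, "->", pbr_next_hop(src, ACLS, RMAP) or "normal IP routing")
```

A source that resolves to an unexpected next hop, or to normal IP routing when an egress was intended, points to an ACL or sequence-order mistake in the route-map.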

6. Configuration Verification

On R2, trace the route to the external network 100.1.1.0/24 using each intranet address as the source. If 172.16.1.0/24 reaches the external network through R3 and 172.16.2.0/24 reaches it through R4, the policy routing configuration is correct.

R2#traceroute 100.1.1.1 source 172.16.1.1

  <press Ctrl+C to break >

Tracing the route to 100.1.1.1

 1    192.168.1.1 0 msec 0 msec 0 msec

 2    192.168.2.2 10 msec 0 msec 10 msec     //172.16.1.0/24 reaches the external network through the R3 exit

  Other paths omitted

R2#traceroute 100.1.1.1 source 172.16.2.1

  <press Ctrl+C to break >

Tracing the route to 100.1.1.1

 1    192.168.1.1 0 msec 0 msec 0 msec

 2    192.168.3.2 10 msec 0 msec 10 msec     //172.16.2.0/24 reaches the external network through the R4 exit

  Other paths omitted

Origin blog.csdn.net/weixin_57099902/article/details/132232000