09-17-2012 05:52 AM - edited 03-01-2019 04:51 PM
Policy Based Routing (PBR) provides a flexible means of routing packets according to a policy configured for traffic flows. PBR gives more control over routing; for example, where there is a high-cost link, you can specify a path for certain traffic as priority traffic. Normal routing is destination based, but PBR gives you flexibility in routing packets by extending and complementing the existing mechanisms provided by routing protocols.
PBR routing can be based on:
1) Source IPv6 address
2) Destination IPv6 address
3) Input interface
4) Protocol types (FTP, TFTP, HTTP, etc.)
5) Ports (source and destination) or the length of packets.
This document explains, with an example, how to use IPv6 policy routing to control traffic in an internetwork.
Understanding of route-map
Understanding of IPv6 Addressing
Understanding of IPv6 Unicast Routing
A) Traffic criteria in PBR are defined in a route-map by using the "match" statement.
A "route-map" is used to identify interesting traffic passing through or generated by the router.
It works like an if...then statement: if a certain condition is true, then an action is taken.
1) Permit means matching packets are policy routed.
2) Deny means matching packets are routed normally.
Example:
match ipv6 address/prefix-list.. (Matching of IPv6 packets based on an access-list or prefix-list)
match length.. (Packets can also be matched based on their length in bytes)
B) The action is taken by the route-map "set" statement.
set ipv6 next-hop ..(global-ipv6 address)
set interface …….. (Use only when you have a point-to-point interface)
C) Apply this route-map to the incoming interface.
ipv6 policy route-map (route-map-name)
D) (Optional) Configure local PBR. Packets generated by the router are not policy routed. If you want to policy route traffic generated by the router, you must use the following command globally.
ipv6 local policy route-map
E) CEF PBR for IPv6: no special configuration is required to enable CEF PBR for IPv6; it is enabled by default once CEF and PBR are enabled on the router.
In this network setup, a policy route is configured on R1 to control the prefixes that exist on SW1 (i.e. VLAN2 and VLAN3).
We have 2 route-map instances.
1) The first instance matches packets from VLAN2 of SW1 and sets the next hop to the R2 global address 2222::2.
2) The second instance matches packets from VLAN3 of SW1 and sets the next hop to the R3 global address 2222::3.
Note: The rest of the traffic from SW1 is routed normally.
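The route-map logic described above (sequences evaluated in order, permit meaning policy route, deny or no match meaning normal routing), modelled in Python for the R1 policy in this setup. This is an added example, not Cisco code or part of the original document; the ACLs are reduced to their source prefix, and the function names and the shadowing check are assumptions introduced here.

```python
import ipaddress

# ACLs from the R1 configuration on this page, reduced to the source prefix
# each one permits (the destination is "any" in both).
ACLS = {
    "VLAN2_PBR": ["2012:0:0:1::/64"],
    "VLAN3_PBR": ["2012:0:0:2::/64"],
}

# route-map IPV6_PBR from the page: (sequence, action, ACL name, next hop)
IPV6_PBR = [
    (10, "permit", "VLAN2_PBR", "2222::2"),
    (20, "permit", "VLAN3_PBR", "2222::3"),
]


def _nets(acls, name):
    return [ipaddress.ip_network(p) for p in acls[name]]


def policy_next_hop(route_map, src, acls=ACLS):
    """Return (sequence, next_hop) if the packet is policy routed, or None
    if it is left to the normal destination-based routing table."""
    addr = ipaddress.ip_address(src)
    for seq, action, acl, next_hop in sorted(route_map, key=lambda e: e[0]):
        if not any(addr in net for net in _nets(acls, acl)):
            continue                  # no match: try the next sequence
        if action == "deny":
            return None               # deny match: normal routing
        return seq, next_hop          # permit match: apply the set clause
    return None                       # no sequence matched: normal routing


def shadowed_sequences(route_map, acls=ACLS):
    """Sequences that can never match because every prefix in their ACL is
    already covered by an earlier sequence (first match wins)."""
    ordered = sorted(route_map, key=lambda e: e[0])
    result = []
    for i, (seq, _, acl, _) in enumerate(ordered):
        earlier = [n for e in ordered[:i] for n in _nets(acls, e[2])]
        if all(any(n.subnet_of(e) for e in earlier) for n in _nets(acls, acl)):
            result.append(seq)
    return result
```

Running `shadowed_sequences` before applying a changed route-map catches a broad early entry that would silently steer all VLAN traffic to one next hop.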
Routing table of R1:
The routing table on R1 shows that there are two paths for R1 to reach the prefixes present at the R4 end (2001::1, 2001::2).
R1#sh ipv6 route
IPv6 Routing Table - 12 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
O 2001::1/128 [110/74]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/0
O 2001::2/128 [110/74]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/0
O 2001::3/128 [110/74]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/0
O 2012:0:0:1::/64 [110/11]
via FE80::C204:12FF:FE48:0, FastEthernet0/1
O 2012:0:0:2::/64 [110/11]
via FE80::C204:12FF:FE48:0, FastEthernet0/1
O 2012:0:0:3::/64 [110/11]
via FE80::C204:12FF:FE48:0, FastEthernet0/1
O 2012:0:0:4::/64 [110/11]
via FE80::C204:12FF:FE48:0, FastEthernet0/1
Traceroute from R1 (2222::1) to subnets of R4 (2001::1)
R1#traceroute 2001::1
Type escape sequence to abort.
Tracing the route to 2001::1
1 2222::3 48 msec
2222::2 36 msec
2222::3 20 msec
2 2001::1 48 msec 40 msec 72 msec
Policy based configuration on R1:
First, configure IPv6 access-lists to match the IPv6 source subnets, i.e. VLAN 2 and VLAN 3, and then configure a route-map with 2 instances, where the first matches VLAN 2 traffic and sends it to R2 and the second matches VLAN 3 traffic and sends it to R3. Once you create the route-map, you need to apply it to the incoming interface; in our case, it's fa0/1.
R1(config)#ipv6 access-list VLAN2_PBR
R1(config-ipv6-acl)# permit ipv6 2012:0:0:1::/64 any
R1(config-ipv6-acl)#ipv6 access-list VLAN3_PBR
R1(config-ipv6-acl)# permit ipv6 2012:0:0:2::/64 any
R1(config-ipv6-acl)#exit
R1(config)#
R1(config)#
R1(config)#route-map IPV6_PBR permit 10
R1(config-route-map)# match ipv6 address VLAN2_PBR
R1(config-route-map)# set ipv6 next-hop 2222::2
R1(config-route-map)#route-map IPV6_PBR permit 20
R1(config-route-map)# match ipv6 address VLAN3_PBR
R1(config-route-map)# set ipv6 next-hop 2222::3
R1(config-route-map)#exit
R1(config)#
R1(config)#
R1(config)#int fa0/1
R1(config-if)#ipv6 policy route-map IPV6_PBR
R1(config-if)#
To test the new policy, issue an extended traceroute command on SW1 for VLAN2 with source address 2012:0:0:1::1 and destination address 2001::1 (which is the subnet present on router R4). The output below shows traffic passing through R2 (2222::2).
Similarly, issue an extended traceroute command on SW1 for VLAN3 with source address 2012:0:0:2::1 and destination address 2001::1 (which is the subnet present on router R4). The output below shows traffic passing through R3 (2222::3).
R1#sh ipv6 access-list
IPv6 access list VLAN2_PBR
permit ipv6 host 2012:0:0:1::/64 any (27 matches) sequence 10
IPv6 access list VLAN3_PBR
permit ipv6 2012:0:0:2::/64 any (9 matches) sequence 10
R1#sh route-map
route-map IPV6_PBR, permit, sequence 10
Match clauses:
ipv6 address VLAN2_PBR
Set clauses:
ipv6 next-hop 2222::2
Policy routing matches: 153 packets, 7604 bytes
route-map IPV6_PBR, permit, sequence 20
Match clauses:
ipv6 address VLAN3_PBR
Set clauses:
ipv6 next-hop 2222::3
Policy routing matches: 72 packets, 3456 bytes
R1#
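A parser for the `sh route-map` output shown above, added here as an example (not part of the original document): it extracts the match and set clauses and the hit counters per sequence and flags any next hop outside an approved list. The function names and the approved-list check are assumptions.

```python
import re

# `sh route-map` output from R1 as shown on this page (lines are stripped
# before parsing, so indentation does not matter).
SAMPLE = """\
route-map IPV6_PBR, permit, sequence 10
  Match clauses:
    ipv6 address VLAN2_PBR
  Set clauses:
    ipv6 next-hop 2222::2
  Policy routing matches: 153 packets, 7604 bytes
route-map IPV6_PBR, permit, sequence 20
  Match clauses:
    ipv6 address VLAN3_PBR
  Set clauses:
    ipv6 next-hop 2222::3
  Policy routing matches: 72 packets, 3456 bytes
"""

HEADER = re.compile(r"route-map (\S+), (permit|deny), sequence (\d+)")
COUNTERS = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")


def parse_route_map(text):
    """Return one dict per route-map sequence found in the output."""
    entries, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            entries.append({"name": m[1], "action": m[2], "seq": int(m[3]),
                            "match": [], "set": [], "packets": 0, "bytes": 0})
            section = None
        elif not entries or not line:
            continue                              # prompt or blank line
        elif line in ("Match clauses:", "Set clauses:"):
            section = line.split()[0].lower()     # "match" or "set"
        elif m := COUNTERS.match(line):
            entries[-1]["packets"], entries[-1]["bytes"] = int(m[1]), int(m[2])
        elif section:
            entries[-1][section].append(line)
    return entries


def unexpected_next_hops(entries, approved):
    """(sequence, next hop) pairs whose next hop is not in the approved set."""
    prefix = "ipv6 next-hop "
    return [(e["seq"], hop) for e in entries for clause in e["set"]
            if clause.startswith(prefix)
            for hop in clause[len(prefix):].split() if hop not in approved]
```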
Good Explanation
Hello,
Thanks for your feedback
Regards,
Ashish Shirkar
Excellent............
Nice Document Ashish. An Older version is also available at
http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b5e90e.shtml
Dear Sunil,
Thank you for your positive feedback.
Keep on sharing your views and knowledge on community.
Regards,
Ashish Shirkar
Technical community manager (Network Infrastructure)