Using Policy-Based Routing to Route Based on Application Type

Using Policy-Based Routing to Route Based on Application Type

Problem

You want different applications to use different network links.

Solution

This example is similar to the previous one, except that instead of looking at the source address of the incoming IP packet, it looks at other protocol information such as TCP or UDP port number. The example redirects HTTP traffic (TCP port 80) for certain source addresses.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 101 deny tcp 10.15.25.0 0.0.0.255 any eq www
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#interface Ethernet0
Router(config-if)#ip address 10.15.22.7 255.255.255.0
Router(config-if)#ip policy route-map Websurfers
Router(config-if)#ip route-cache policy
Router(config-if)#exit
Router(config)#route-map Websurfers permit 10
Router(config-route-map)#match ip address 101
Router(config-route-map)#set ip next-hop 10.15.27.1
Router(config-route-map)#exit
Router(config)#route-map Websurfers permit 20
Router(config-route-map)#set ip default next-hop 10.15.26.1
Router(config-route-map)#end
Router#

This second example looks instead at the IP TOS field:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 102 permit ip any any tos 4
Router(config)#interface Serial0
Router(config-if)#ip address 10.15.23.6 255.255.255.252
Router(config-if)#ip policy route-map High-priority
Router(config-if)#ip route-cache policy
Router(config-if)#exit
Router(config)#route-map High-priority permit 10
Router(config-route-map)#match ip address 102
Router(config-route-map)#set ip next-hop 10.15.27.1
Router(config-route-map)#end
Router#

This third example shows how to use Policy-Based Routing for traffic that originates on the router itself:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip local policy route-map dlswtraffic
Router(config)#access-list 103 permit tcp any any eq 2065
Router(config)#access-list 103 permit tcp any eq 2065 any
Router(config)#route-map dlswtraffic permit 10
Router(config-route-map)#match ip address 103
Router(config-route-map)#set ip next-hop 10.15.27.3
Router(config-route-map)#end
Router#

Discussion

These examples show how to route traffic based on protocol information rather than address information. The first example redirects HTTP packets that originate on any device in the range from 10.15.25.0 to 10.15.25.255. Access list 101 has two lines:

Router(config)#access-list 101 deny tcp 10.15.25.0 0.0.0.255 any eq www
Router(config)#access-list 101 permit tcp any any eq www

The second line matches any TCP packets with any source or destination IP address, and with a destination TCP port number of 80 (HTTP). The first line excludes from the match any packets with the specified range of address and with a destination TCP port number of 80.

When the client makes the initial TCP connection, it places a request to the target IP address by using a particular port number as the destination. The packet also contains the client's IP address as the source of the packet, and it specifies a source port number, which is usually a random number greater than 1023.

The first clause in the route map then redirects the traffic matched by this access list to the specified next hop router:

Router(config)#route-map Websurfers permit 10
Router(config-route-map)#match ip address 101
Router(config-route-map)#set ip next-hop 10.15.27.1

The second clause in this route-map shows how to handle a default next hop:

Router(config)#route-map Websurfers permit 20
Router(config-route-map)#set ip default next-hop 10.15.26.1

This is invoked as a catch-all in case the packet doesn't match the first clause, and it doesn't have an appropriate routing table entry to allow the router to direct it. This can be used to prevent the router from dropping packets with unknown destinations, in case you have some other use for them, such as sending them to a proxy server. Note that this default next-hop command specifies the route to be used only if there is no explicit route in the routing table. If there is a route, this clause will not be used.

As we mentioned in Recipe 5.5, using the set ip default next-hop command means that the processing of this clause must be done at the process level. So this type of command can be very CPU intensive if a large number of packets are involved. If you require this command, it is a good practice to put this clause at the end of the list of policy clauses, as we have done here. This way, hopefully most of the packets will be handled by one of the previous clauses where they can be fast switched.

The second example shows how to route based on the IP TOS field. Once again, the match is made based on an extended access-list:

Router(config)#access-list 102 permit ip any any tos 4

Please refer to Chapter 11 or Appendix B for a more detailed discussion of TOS, IP Precedence, and prioritization in general.

The third example shows how to use policy-based routing when traffic originates on the router itself. There are many types of traffic for which the router itself is the source. This includes several obvious applications such as SNMP network management traffic, telnet communication with the router's virtual TTY for configuration, and logging. But there are also some less obvious cases in which the router is engaged in protocol translation, as in DLSw (Data Link Switching) and XOT (X.25 over TCP). So this example shows how to use policy-based routing to affect DLSw packets that originate with this router. We discuss DLSw in more detail in Chapter 15.

The only important difference between local policy-based routing and the earlier examples that were tied to particular interfaces is the global configuration command ip local policy route-map:

Router(config)#ip local policy route-map dlswtraffic

This command applies the policy called dlswtraffic to all locally generated traffic.

See Also