
Using Policy Routing


This document describes policy routing, a method of routing IP traffic using proprietary Nx Networks packet tags. Policy routing is available in OpenROUTE 5.6 and above.

Routing of IP traffic is normally based on the destination IP address in the packet (see Using IP). Policy routing increases your control by allowing routers to route traffic based on an Nx Networks packet tag. Because these tags are proprietary to our routers, routing protocols that are based on IP addresses (such as RIP, OSPF, BGP) do not propagate them. The tag is an internal attribute of the packet and it never leaves the router.

The following topics are included:

Policy Routing Overview

Policy Routing Strategies and Applications

Configuring Policy Routing

Testing Policy Routing Configuration

Removing All Policy Routing Configuration

Entering Policy Routing Commands

Policy Routing Commands

Policy Routing Overview

Policy routing uses IP filters and policy profiles to decide where to send a packet. The routes are static, which means the route never changes. Static routes persist across power downs, restarts, and software reloads.

CAUTION:

As with all static routes, it is possible to configure routing loops, or other types of nonsense routing using policy routing. To avoid these results, plan carefully and test the routing as described in Testing Policy Routing Configuration.

To implement policy routing, you set up IP filters to tag certain types of packets and then create static routes for the tagged packets using policy routing. Each route specifies the next hop for any packet with a specific tag. Then you add these routes to a policy profile and attach the profile to a specific incoming interface.

Tagging Packets Using IP Filter

The IP filter can assign a tag to a packet based on various attributes of the packet; for example, source address, destination address, packet type, packet length, and protocol, to name just a few. Some examples of applications are:

Using Dynamic IP Filters provides detailed information about creating IP filters.

Planning Policy Routing with BRS

IP filters allow only one tag per packet, and policy routing uses the same tag that BRS uses. Therefore, it is normally necessary to consider the tagging scheme for BRS when you are planning the tagging scheme for policy routing. The two tagging plans must be integrated.

However, there is an exception to this requirement. If an IP filter modifies the tag value in a packet before BRS uses the tag, the tag that policy routing uses is not the same tag that BRS uses. In this case, the two tagging plans do not have to be integrated.

How Policy Routes Work

Policy routing definitions are in profiles for flexibility and sharing. You can attach a given routing policy profile to none, one, some, or all router interfaces. In addition, you can also attach more than one policy routing profile to an interface. You can enable or disable policy routing for an interface to quickly turn policy routing on or off.

When policy routing is in effect for an interface, this is how a packet is processed:

1. When an incoming packet arrives at the interface, IP receives the packet and reads the tag in the packet header.

2. The router compares the tag in the packet with tags configured in the policy routing table.

3. If a route is configured for the tag, the router sends the packet to the specified next hop address or interface as follows.

a. If the packet is destined for this router, the destination can be an IP address or a specific interface. Further routing is not necessary and IP hands the packet to the appropriate internal software module or interface.
b. If the packet is destined for a host on a directly connected network segment, IP matches the next hop address with the appropriate physical address in the Address Resolution Protocol (ARP) table. IP then hands the packet to the appropriate lower-level protocol module for transmission directly to the destination node.
4. If no route is specified for the tag, the router determines the next hop using normal IP routing (see Using IP).

Policy Routing Strategies and Applications

In general, you should only attach policy routing profiles on interfaces that need the special policies. If your policy routing only affects the traffic arriving on interface one, then you should only have policy routing running on interface one and not the other interfaces. Several examples in this section illustrate applications for policy routing.

There is no policy route for a packet with no tag. So you may want to configure IP Filters to always tag every packet by putting in a default IP Filter first that initially tags the packet with your default tag value. This way every input packet is tagged with your default tag value or with another tag value of yours.

A Discard Next Hop Route

A discard nexthop route is useful if you want certain traffic to be routed a certain way while the associated interface is up and, if the interface goes down, you do not want the traffic routed at all. For example, if the associated outgoing interface goes down, you just want the traffic discarded. You do not want IP forwarding to route by the default route over some other router interface. The profile would look like this:

Policy
Name              Cost  Tag    Nexthop
--------------------------------------------------
low.bulkdata      1     10     192.168.1.4
                               255.255.255.255

In this example, traffic with tag=10 is routed to nexthop=192.168.1.4, but if 192.168.1.4 is unreachable because the router interface that reaches nexthop 192.168.1.4 goes down, you want the traffic discarded. You can do this by adding the discard nexthop route of 255.255.255.255 to the policy.

Primary and Backup Routes Based on Cost

This configuration is useful if you want high-priority traffic to be sent over a particular high-speed interface, but if this interface is down, then you want the high-priority traffic to go over another interface. The profile would look like this:

Policy
Name              Cost  Tag    Nexthop
--------------------------------------------------
high.primary      1     10     0.0.0.1
high.secondary    2     10     0.0.0.2

In this example, high priority traffic has tag=10. Policy routing prefers nexthop 0.0.0.1 over nexthop 0.0.0.2 because nexthop 0.0.0.1 has a lower cost.

If interface 1 and 2 were down, then there would not be a policy route for tag=10. Since a discard nexthop is not specified for tag=10, IP forwarding would now consult the normal routing table to route the packet.

Load Sharing Routes

Load sharing routes are useful if you wish to send traffic to two or more specific interfaces rather than overloading one interface. The profile would look like this:

Policy
Name              Cost  Tag    Nexthop
---------------------------------------------------
low.primary       1     10     0.0.0.1
                               0.0.0.2

IP multi-path load-sharing takes place because multiple nexthops of the same cost are specified for one policy.
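The selection rules from the three strategies above (lowest cost wins, equal-cost next hops share load, the discard route applies only when nothing else is eligible, otherwise normal IP routing takes over) can be modelled to audit a planned profile for tags that fail open. This is an added example, not Nx Networks code; the `Policy` class, the function names, the sample policies and the `reachable` set (the next hops whose interfaces are currently up) are assumptions made for illustration.

```python
from dataclasses import dataclass

DISCARD = "255.255.255.255"   # special next hop that means the DISCARD route


@dataclass
class Policy:
    name: str        # profilename.policyname
    cost: int
    tags: set
    nexthops: list


def parse_tags(spec):
    """Expand a tag spec such as '7', '10-11' or '1,3-5' into a set of ints."""
    tags = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 64:            # documented tag range is 1-64
            raise ValueError(f"bad tag spec: {part!r}")
        tags.update(range(lo, hi + 1))
    return tags


def resolve(policies, tag, reachable):
    """Return ('forward', hops), ('discard', []) or ('normal-ip', [])."""
    live, has_discard = [], False
    for p in policies:
        if tag not in p.tags:
            continue
        has_discard |= DISCARD in p.nexthops
        hops = [h for h in p.nexthops if h != DISCARD and h in reachable]
        if hops:
            live.append((p.cost, hops))
    if live:
        best = min(cost for cost, _ in live)
        # Next hops that share the lowest cost are load-shared.
        return "forward", [h for cost, hops in live if cost == best for h in hops]
    # The discard route is used only when no other route is eligible.
    return ("discard", []) if has_discard else ("normal-ip", [])


def fail_open_tags(policies):
    """Tags that drop back to normal IP routing when every next hop is down."""
    tags = set().union(*(p.tags for p in policies))
    return sorted(t for t in tags if resolve(policies, t, set())[0] == "normal-ip")


# Constructed policies for one interface, covering the three strategies.
POLICIES = [
    Policy("low.bulkdata", 1, parse_tags("10"), ["192.168.1.4", DISCARD]),
    Policy("high.primary", 1, parse_tags("7"), ["0.0.0.1"]),
    Policy("high.secondary", 2, parse_tags("7"), ["0.0.0.2"]),
    Policy("low.share", 1, parse_tags("20-21"), ["0.0.0.1", "0.0.0.2"]),
]

if __name__ == "__main__":
    print(resolve(POLICIES, 7, {"0.0.0.2"}))   # primary down, backup used
    print(resolve(POLICIES, 10, set()))        # next hop down, discarded
    print(fail_open_tags(POLICIES))            # tags without a discard route
```

A tag reported by `fail_open_tags` follows the normal routing table when its policy next hops are down; add the discard next hop to its policy if that traffic must never take another path.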

Configuring Policy Routing

This section shows the basic steps to create a policy route profile. For more information on each command, see Policy Routing Commands.

1. Display either the PolicyRt Config> prompt or the PolicyRt> prompt as described in Displaying Policy Routing Prompts. This example uses the PolicyRt Config> prompt.

2. Create IP filters that attach tags to the packets you are going to route using policy routing profiles (see Using Dynamic IP Filters).

3. Create a policy routing profile.

PolicyRt Config>add profile IfSpeed

4. Attach the policy routing profile to an incoming interface.

PolicyRt Config>set interface 1 profile=IfSpeed

Note: Attaching empty profiles to an interface sends all traffic to the normal IP routing mechanism until you add routing policies.

5. Create one or more routing policies in the profile.

PolicyRt Config>add policy IfSpeed.high

6. Set the properties of each routing policy.

PolicyRt Config>set policy IfSpeed.high tag=7 cost=1 nexthop=0.0.0.1

7. While you are building a profile, you can list it to see its current policies.

PolicyRt Config>list policy IfSpeed

PolicyRt Config> list policy

Policy
Name              Cost  Tag    Nexthop
-----------------------------------------------------------------------
high              1     7      0.0.0.1
low               2     10-11  192.168.1.4

8. If you set up the profiles at the configuration prompt, restart the router for your configuration to take effect.

PolicyRt Config>exit
IP config>exit
Config> CTRL P
*restart

If you set up the filters at the monitoring prompt, the filters take effect immediately. Use the save command to make the changes permanent.

PolicyRt>save

Note: You can avoid restarting the router if you have done the configuration under PolicyRt Config>. Go to the PolicyRt menu and execute the revert command. The run-time configuration is refreshed from the permanent configuration, which reflects the changes that you made.

Testing Policy Routing Configuration

To test the policy routing setup, you can use the show command in the PolicyRt menu.

To display the active policies in the policy routing table, execute the show policies command. If you think you defined a policy and it does not display in this listing, then something is wrong. It could be because your outgoing interface is down, because you configured the policy incorrectly, or because you did not attach the policy.

If you see the policy in the listing, you can check the usage count to determine if the policy is being used. If the usage count does not increment, then the route is not being used. This can happen if you did not tag the packet with an input filter.

All the existing IP ELS concerning routing messages, such as IP_7 and IP_6, display when the packet is routed through policy routing, so you can check these as described in Testing and Troubleshooting IP Filters.
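The checks described in this section (a policy missing from the active listing, a usage count that does not increment, a tag with no policy) can be run over two captures of the show policies listing taken some time apart. This is an added example, not part of the OpenROUTE software; it assumes the single-interface output layout shown under the Show command, and the second capture, the `high.backup` policy name and the function names are constructed for illustration.

```python
import re

# tag, cost (or "none"), first next hop, usage count, optional policy name
ROW = re.compile(r"^(\d+)\s+(\d+|none)\s+(.+?)\s+(\d+)(?:\s+(\S+))?$")


def parse_show(text):
    """Parse one interface's 'show policies' rows into a dict keyed by tag."""
    routes, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            tag, cost, hop, usage, policy = m.groups()
            last = routes[int(tag)] = {
                "cost": None if cost == "none" else int(cost),
                "nexthops": [hop], "usage": int(usage), "policy": policy}
        elif last and line and not line.startswith(("INTERFACE", "Tag")):
            last["nexthops"].append(line)      # continuation row: extra next hop
    return routes


def review(before, after, expected):
    """Apply the checks to two parsed captures and a list of expected policies."""
    findings = []
    active = {r["policy"] for r in after.values() if r["policy"]}
    for name in sorted(set(expected) - active):
        findings.append(f"{name}: not in active table")
    for tag, r in sorted(after.items()):
        if r["cost"] is None:
            findings.append(f"tag {tag}: no policy, normal IP routing used")
        elif tag in before and r["usage"] == before[tag]["usage"]:
            findings.append(f"{r['policy']}: usage count not incrementing")
    return findings


# First capture: the sample listing from the Show command section.
BEFORE = """
INTERFACE 2:Policy routes
Tag Cost Next hop(s) Usage Policy
7 1 PPP/0 212 high.ceo
10 1 192.168.1.3 (Eth/1) 5000 low.loadshare
192.168.1.4 (Eth/1)
11 1 192.168.1.3 (Eth/1) 54417 low.bulkdata
33 1 255.255.255.255 (Discard) 322 discard.roquepackets
43 none NONE-use normal routing 42
"""

# Second capture: constructed, with every counter advanced except tag 10.
AFTER = """
INTERFACE 2:Policy routes
Tag Cost Next hop(s) Usage Policy
7 1 PPP/0 260 high.ceo
10 1 192.168.1.3 (Eth/1) 5000 low.loadshare
192.168.1.4 (Eth/1)
11 1 192.168.1.3 (Eth/1) 54990 low.bulkdata
33 1 255.255.255.255 (Discard) 340 discard.roquepackets
43 none NONE-use normal routing 57
"""

if __name__ == "__main__":
    wanted = ["high.ceo", "low.loadshare", "low.bulkdata", "high.backup"]
    for finding in review(parse_show(BEFORE), parse_show(AFTER), wanted):
        print(finding)
```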

Removing All Policy Routing Configuration

Some aspects of policy routing are visible and controllable from the top level Config menu.

Entering Policy Routing Commands

Displaying Policy Routing Prompts

Policy routing commands are available at the IP Config> prompt and the IP> prompt. This section explains the differences between these two prompts.

At the IP Config> prompt, changes that you make to the configuration are saved in the router's configuration memory. These changes do not take effect until you restart the router.

Display the PolicyRt Config> prompt as follows:

*config

Config>PROTOCOL ip
Internet protocol user configuration

IP config>PolicyRt

PolicyRt Config>

At the IP> prompt, changes that you make to the filter configuration take effect immediately. Unless you explicitly save your changes using the save command, they are not saved when you restart the router.

Display the IP PolicyRt> prompt as follows:

*monitor

Monitor>PROTOCOL ip

IP>PolicyRt

PolicyRt>

Entering Profile and Policy Names

When you assign names to profiles and policies, choose names that are meaningful to you. Profile names and policy names are local to your network. Use the following rules as you enter profile and policy names:

Policy Routing Commands

This section describes the policy routing configuration and monitoring commands.

Press Space twice after you type a command to display the available options for each command. Enter help for information about using the command line interface.

[C] means the command is available at the PolicyRt Config> prompt.

[M] means the command is available at the PolicyRt> prompt.

Table 39 Policy Routing Commands

Command                  Function
Add Policy [C] [M]       Adds policies to profiles.
Add Profile [C] [M]      Adds profiles to interfaces.
Delete [C] [M]           Deletes a policy or profile that you entered with the add command.
Exit [C] [M]             Exits the policy routing configuration or monitoring process.
List [C] [M]             Displays configured policies or profiles.
Set Interface [C] [M]    Sets parameters for an interface.
Set Policy [C] [M]       Sets parameters for a policy.
Set Profile [C] [M]      Sets parameters for a profile.
Show [M]                 Displays statistics and information on existing policies.

Add Policy [C] [M]

Creates a new policy within a profile and lets you define the properties of the policy. You must specify one or more tag values, a cost value, and one or more next hops for each routing policy. Before using this command, you need to add a profile.

Syntax: add policy profilename.policyname

cost
nexthop
rename
tag

Specify policy names and profile names that conform to the rules in Entering Profile and Policy Names. Use the following options with either the add policy command or the set policy command. You can enter the options in any order.

Example: add policy IfSpeed.high

cost

Specifies the cost for this policy. Possible values are integers in the range 0 to 15, and the default is 1. When the policy routing table is created, a policy with a lower cost has priority over a policy with a higher cost. In most cases, the default cost value is adequate.

Syntax: cost=value

Example: add policy IfSpeed.high cost=1

nexthop

Each policy route has one or more next hop values. The value for this parameter is an individual address or a list of comma-separated addresses. Normally a policy route has only one next hop; however, you can define more than one next hop if you are setting up a load-sharing policy. Possible addresses are:

Router IP address

The individual IP address of the next-hop router.

0.0.0.<interface-number>

A specific interface on this router. Use this when the interface is a point-to-point interface. It has the advantage of not using a specific IP address.

255.255.255.255

A special value that means the DISCARD route. The packet is discarded and the sender receives an ICMP unreachable. The discard route is only used when there is no other eligible route but the discard route.

Syntax: nexthop=address
nexthop+=
nexthop-=

Entry Description
nexthop= Replaces the next hop address that is already defined for this policy.

nexthop+= Adds an additional nexthop address to the policy.

nexthop-= Removes a nexthop address from the policy.

Example: add policy IfSpeed.high nexthop=255.255.255.255

rename

Renames the policy. You can rename a profile or policy at any time. When you rename a profile or policy, references to the profile or policy are updated automatically.

Syntax: rename=newname

It is unlikely that you would rename a policy when you initially create it. See set policy for a realistic example.

tag

Defines the tags for this policy. Possible values for tag are integers in the range 1-64. You can also specify a range of tags using <min>-<max> or a list of comma-separated individual values or ranges.

Syntax: tag=tag#
tag+=
tag-=

Example: add policy IfSpeed.high tag=7

Entry Description
tag= Replaces tags that are already used for this policy.

tag+= Adds an additional tag, tag range, or tag list to the policy. The new tag names go to the end of the list.

tag-= Removes a tag, tag range, or list of tags from the policy. The remaining tags remain where they are, and the list closes up the empty spaces.

Add Profile [C] [M]

Creates a new profile.

Syntax: add profile profilename

Example: add profile IfSpeed

Delete [C] [M]

Deletes a policy or profile that you added with the add command.

Syntax: delete

policy
profile

policy

Deletes the specified policy from a profile. The profile from which you deleted the policy is not deleted.

Syntax: delete policy profilename.policyname

Example: delete policy IfSpeed.low

profile

Deletes a profile and all policies within the profile.

Note: You cannot delete a profile that is currently attached to an interface.

Syntax: delete profile profilename

Example: delete profile IfSpeed

Exit [C] [M]

Returns to the previous prompt level.

Syntax: exit

Example: exit

List [C] [M]

Displays various pieces of the IP configuration.

Syntax: list

all
interface
policy
profile

all

Lists the entire policy routing configuration.

Syntax: list all

interface

Displays a list of the profiles that are attached to each interface. If you specify an interface number, you can list only the profiles that are attached to a specific interface.

Syntax: list interface [interface#]

Example: list interface

     PolicyRt Enable
Ifc  Status           Attached Profiles
-------------------------------------
0    On               ceo_home
                      headquarters_high_priority

policy

Lists policies in a configuration. The default is to list all policies. If you specify the profile name, only the policies in the specified profile are displayed. If you specify the policy name, too, only the specific policy is displayed.

Syntax: list policy [profilename.policyname]

Example: list policy

Policy
Name              Cost  Tag    Nexthop
----------------------------------------------------------------------
high.ceo          1     7      0.0.0.1
low.bulkdata      2     10-11  192.168.1.4

profile

Lists all profile names.

Syntax: list profile

Example: list profile

Policy Routing
profile
-----------------------------------------
accounting
highpriority

Set Interface [C] [M]

Sets parameters for an interface within your policy routing configuration.

Syntax: set interface interface#

profile
enable_PolicyRt

Interface#

The number of an interface in your router.

profile

Attaches one or more profiles to an interface. You can also remove a profile from an interface.

Enter . . . To . . .
profile= Replace profiles that are already attached to the interface.

profile+= Attach an additional profile or list of profiles to the interface. The new profile names go to the end of the list.

profile-= Detach profiles or list of profiles from an interface. The remaining profile names remain where they are, and the list closes up the empty spaces.

Syntax: profile=profilenames

Example: set interface 2 profiles=a,b,c,d

This example attaches profiles a, b, c, and d to interface 2.

Example: set interface 2 profiles+=a,x,c

This example adds profiles a, x, and c to the end of the list of profiles attached to this interface. It replaces old entries that are duplicates of the new entries. The previous list a,b,c,d now becomes list b,d,a,x,c.

Example: set interface 2 profiles-=c,a

This example removes profiles c and a, and results in the list

enable_PolicyRt

Turns policy routing off or on for this interface without disturbing configured profiles. By default, policy routing is on.

Syntax: enable_PolicyRt=on|off

Example: set interface 0 enable_PolicyRt=off

This example disables policy routing on interface 0.

Set Policy [C] [M]

Sets policy parameters within your policy routing configuration.

Syntax: set policy

cost
nexthop
rename
tag

These parameters are the same as those for the add policy command.

Example: set policy IfSpeed.low tag=10 cost=2 nexthop=192.168.1.4

This example replaces any existing tags in the low route with 10, sets the cost for the route to 2, and replaces any next hops in the route with 192.168.1.4.

Example: set policy IfSpeed.low tag+=11

This example adds tag 11 to the low route.

Example: set policy IfSpeed.high tag=7 cost=1 nexthop=0.0.0.1

This example replaces any existing tags in the high route with 7, sets the cost for the route to 1, and replaces any next hops in the route with 0.0.0.1. Because the cost of this route is 1, it has higher priority than the low route. The next hop is router interface 1, which is a point-to-point type interface.

Set Profile [C] [M]

Changes the name of a profile. When you rename a profile, any references in the configuration are automatically changed.

Syntax: set profile

profilename
rename=newname

Example: set profile IfSpeed rename=priority

Show [M]

Displays the configured sizes of specific IP parameters.

Syntax: show

all
policies

all

Displays the output for all policy routing show commands.

Example: show all

INTERFACE 2:Policy routes
Tag  Cost  Next hop(s)                  Usage  Policy
7    1     PPP/0                        212    high.ceo
10   1     192.168.1.3 (Eth/1)          5000   low.loadshare
           192.168.1.4 (Eth/1)
11   1     192.168.1.3 (Eth/1)          54417  low.bulkdata
33   1     255.255.255.255 (Discard)    322    discard.roquepackets
43   none  NONE-use normal routing      42

policies

Displays the active routes for all interfaces and tags or for specified interfaces and tags. Normally, you do not need to specify an interface or tag. However, this can help to limit the amount of information displayed if the command results in a very long listing. If you do not see a configured policy route in the listing, there could be several reasons:

Syntax: policies

interface=
tag=

Enter . . . To . . .
interface= Display routes for this interface. You can specify a single interface, a range of interfaces using <min>-<max>, or a list of comma-separated individual values or ranges.

tag= Display routes for this tag.

Example: show policies interface=2

INTERFACE 2:Policy routes
Tag  Cost  Next hop(s)                  Usage  Policy
7    1     PPP/0                        212    high.ceo
10   1     192.168.1.3 (Eth/1)          5000   low.loadshare
           192.168.1.4 (Eth/1)
11   1     192.168.1.3 (Eth/1)          54417  low.bulkdata
33   1     255.255.255.255 (Discard)    322    discard.roquepackets
43   none  NONE-use normal routing      42

This example shows the active policy routes for interface 2.

Tag

The route's tag value.

Cost

The route's cost. None indicates that no policy route is configured for the associated tag, but packets for the tag are coming through policy routing. Since there is no policy for this tag, normal IP routing is used to route the packets.

Next hop(s)

The next hop address or interface for the tag. None indicates that the route is discarding packets with this tag.

Usage

The count of packets forwarded using this policy route. The routes are recalculated each time an interface comes up or down or when policy routing configuration changes are made at the PolicyRt> prompt. You can clear the usage counters by entering the clear command at the Monitor> prompt.

Policy

The policy name associated with this tag.




Copyright © 2001, Nx Networks, Inc. All rights reserved.