Category: System Operations

2006-11-23 11:52:52

1. Define the access list
   #access-list 106 permit ip 192.168.1.0 0.0.0.255 any
  or
   #access-list 106 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
2. Define the route map
   #route-map test permit 10          {test = route-map name, 10 = route-map sequence number}
   # match ip address 106             {access-list number}
   # set ip next-hop 192.168.10.1     {next-hop gateway}
3. Enable the SDM routing template in global configuration, and reboot
   cisco(config)#sdm prefer routing
   cisco#wr
   cisco#reload
4. Apply the route map to the interface
   #int F0/0
   # ip policy route-map test
   #wr
   #reload
After you reload the Cisco 3560, your configuration will take effect.

cisco.com

Configuring Policy-Based Routing

You can use policy-based routing (PBR) to configure a defined policy for traffic flows. By using PBR, you can have more control over routing by reducing the reliance on routes derived from routing protocols. PBR can specify and implement routing policies that allow or deny paths based on:

Identity of a particular end system

Application

Protocol

You can use PBR to provide equal-access and source-sensitive routing, routing based on interactive versus batch traffic, or routing based on dedicated links. For example, you could transfer stock records to a corporate office on a high-bandwidth, high-cost link for a short time while transmitting routine application data such as e-mail over a low-bandwidth, low-cost link.

With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the appropriate next hop.

If packets do not match any route map statements, all set clauses are applied.

If a statement is marked as deny, packets meeting the match criteria are sent through normal forwarding channels, and destination-based routing is performed.

If a statement is marked as permit and the packets do not match any route-map statements, the packets are sent through the normal forwarding channels, and destination-based routing is performed.

For more information about configuring route maps, see the .

You can use standard IP ACLs to specify match criteria for a source address or extended IP ACLs to specify match criteria based on an application, a protocol type, or an end station. The process proceeds through the route map until a match is found. If no match is found, or if the route map is a deny, normal destination-based routing occurs. There is an implicit deny at the end of the list of match statements.

If match clauses are satisfied, you can use a set clause to specify the IP addresses identifying the next hop router in the path.
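The evaluation order described above (entries tried in sequence until the first match, a deny entry or no match falling back to destination-based routing) can be modelled offline. This is an added example, not code from the blog or from Cisco: ACL 106 and next hop 192.168.10.1 come from the recipe at the top of the page, while ACLs 105 and 107, sequence entries 5 and 20, and next hop 192.168.20.1 are constructed for illustration. It models the documented logic only, not the switch's TCAM behaviour.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action == "permit"
    return False

def policy_next_hop(route_map, acls, src, dst):
    """Return the PBR next hop, or None for normal destination-based routing."""
    for seq in sorted(route_map):              # lowest sequence number first
        action, acl_ids, next_hop = route_map[seq]
        # An entry with no match clause applies to all packets.
        if not acl_ids or any(acl_permits(acls[i], src, dst) for i in acl_ids):
            return next_hop if action == "permit" else None
    return None                                # nothing matched

ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    # ACL 106 as in the blog recipe (source and destination form).
    106: [("permit", "192.168.1.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")],
    # Constructed ACLs 105 and 107, added only for this illustration.
    105: [("permit", "192.168.1.50", "0.0.0.0", *ANY)],
    107: [("permit", "192.168.1.0", "0.0.0.255", *ANY)],
}
ROUTE_MAP_TEST = {
    20: ("permit", [107], "192.168.20.1"),     # constructed entry
    10: ("permit", [106], "192.168.10.1"),     # route-map test permit 10
    5: ("deny", [105], None),                  # constructed entry
}
```

Host 192.168.1.50 hits the deny entry at sequence 5 and is routed normally even though sequence 10 would also match it, which is why entry order matters when reviewing a route map.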

For details about PBR commands and keywords, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see


Note: This software release does not support Policy-Based Routing (PBR) when processing IPv4 and IPv6 traffic.


PBR Configuration Guidelines

Before configuring PBR, you should be aware of this information:

To use PBR, you must have the IP services image installed on the switch.

Multicast traffic is not policy-routed. PBR applies only to unicast traffic.

You can enable PBR on a routed port or an SVI.

You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.

You can define a maximum of 246 IP policy route maps on the switch.

You can define a maximum of 512 access control entries (ACEs) for PBR on the switch.

To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see

VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. Conversely, you cannot enable PBR when VRF is enabled on an interface.

The number of TCAM entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries.

Policy-based routing based on packet length, IP precedence and TOS, set interface, set default next hop, or set default interface is not supported. Policy maps with no valid set actions or with set action set to Don't Fragment are not supported.
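Several of these guidelines can be checked against a planned configuration before it is entered on the switch. The following is an added example, not Cisco's or the blog author's code: the function name, the sample configuration and the finding texts are constructed, and it assumes the audited text is the set of commands to be entered, including the sdm prefer routing line if one is planned.

```python
import re

# IOS clauses for the features the guidelines list as unsupported with PBR.
UNSUPPORTED = ("match length", "set ip precedence", "set ip tos", "set interface",
               "set ip default next-hop", "set default interface")

def audit_pbr(config):
    """Check planned configuration text against the PBR guidelines above."""
    findings, route_maps, interfaces, section = [], {}, {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # a top-level line opens a new section
            section = None
            m = re.match(r"route-map (\S+) (permit|deny)", raw)
            if m:
                section = route_maps.setdefault(m.group(1), [])
            elif raw.startswith("interface "):
                section = interfaces.setdefault(raw.split()[1], [])
        elif section is not None:
            section.append(raw.strip())
    policed = {name: cmd.split()[-1] for name, body in interfaces.items()
               for cmd in body if cmd.startswith("ip policy route-map ")}
    # Assumption: the SDM template command is part of the audited text.
    if policed and not re.search(r"^sdm prefer routing\s*$", config, re.M):
        findings.append("sdm prefer routing is not configured")
    for name, tag in policed.items():
        body = interfaces[name]
        if tag not in route_maps:
            findings.append(f"{name}: route-map {tag} is not defined")
        if any(c.startswith("channel-group ") for c in body):
            findings.append(f"{name}: EtherChannel member cannot carry a policy route map")
        if any(c.startswith("ip vrf forwarding ") for c in body):
            findings.append(f"{name}: VRF and PBR are mutually exclusive")
    for tag, body in route_maps.items():
        findings += [f"route-map {tag}: unsupported clause '{c}'"
                     for c in body if c.startswith(UNSUPPORTED)]
    return findings

# Constructed sample configuration (not from the page).
SAMPLE = """sdm prefer routing
interface FastEthernet0/1
 ip policy route-map test
interface FastEthernet0/2
 channel-group 1 mode on
 ip policy route-map missing
route-map test permit 10
 match ip address 106
 set ip next-hop 192.168.10.1
 set ip default next-hop 192.168.20.1
"""
```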

Enabling PBR

By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR for that route map on an interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.

PBR can be fast-switched or implemented at speeds that do not slow down the switch. Fast-switched PBR supports most match and set commands. PBR must be enabled before you enable fast-switched PBR. Fast-switched PBR is disabled by default.

Packets that are generated by the switch, or local packets, are not normally policy-routed. When you globally enable local PBR on the switch, all packets that originate on the switch are subject to local PBR. Local PBR is disabled by default.


Note: To enable PBR, the switch must be running the IP services image.


Beginning in privileged EXEC mode, follow these steps to configure PBR:

 
Step 1
   Command: configure terminal
   Purpose: Enter global configuration mode.

Step 2
   Command: route-map map-tag [permit | deny] [sequence number]
   Purpose: Define any route maps used to control where packets are output, and enter route-map configuration mode.
      map-tag: A meaningful name for the route map. The ip policy route-map interface configuration command uses this name to reference the route map. Multiple route maps might share the same map tag name.
      (Optional) If permit is specified and the match criteria are met for this route map, the route is policy-routed as controlled by the set actions. If deny is specified, the route is not policy-routed.
      sequence number (Optional): Number that shows the position of a new route map in the list of route maps already configured with the same name.

Step 3
   Command: match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
   Purpose: Match the source and destination IP address that is permitted by one or more standard or extended access lists.
      If you do not specify a match command, the route map applies to all packets.

Step 4
   Command: set ip next-hop ip-address [...ip-address]
   Purpose: Specify the action to take on the packets that match the criteria. Set next hop to which to route the packet (the next hop must be adjacent).

Step 5
   Command: exit
   Purpose: Return to global configuration mode.

Step 6
   Command: interface interface-id
   Purpose: Enter interface configuration mode, and specify the interface to configure.

Step 7
   Command: ip policy route-map map-tag
   Purpose: Enable PBR on a Layer 3 interface, and identify the route map to use. You can configure only one route map on an interface. However, you can have multiple route map entries with different sequence numbers. These entries are evaluated in sequence number order until the first match. If there is no match, packets are routed as usual.

Step 8
   Command: ip route-cache policy
   Purpose: (Optional) Enable fast-switching PBR. You must first enable PBR before enabling fast-switching PBR.

Step 9
   Command: exit
   Purpose: Return to global configuration mode.

Step 10
   Command: ip local policy route-map map-tag
   Purpose: (Optional) Enable local PBR to perform policy-based routing on packets originating at the switch. This applies to packets generated by the switch and not to incoming packets.

Step 11
   Command: end
   Purpose: Return to privileged EXEC mode.

Step 12
   Command: show route-map [map-name]
   Purpose: (Optional) Display all route maps configured or only the one specified to verify configuration.

Step 13
   Command: show ip policy
   Purpose: (Optional) Display policy route maps attached to interfaces.

Step 14
   Command: show ip local policy
   Purpose: (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used.

Step 15
   Command: copy running-config startup-config
   Purpose: (Optional) Save your entries in the configuration file.

Use the no route-map map-tag global configuration command or the no match or no set route-map configuration commands to delete an entry. Use the no ip policy route-map map-tag interface configuration command to disable PBR on an interface. Use the no ip route-cache policy interface configuration command to disable fast-switching PBR. Use the no ip local policy route-map map-tag global configuration command to disable policy-based routing on packets originating on the switch.

Filtering Routing Information

You can filter routing protocol information by performing the tasks described in this section.
