Policy Based Routing

From cwhite's wiki

Normal IP routing is destination based; policy based routing (PBR) may be based on source, destination, protocol type, incoming interface, etc. Traffic criteria are defined by a route-map match. Permit means to policy route; deny means to use the normal forwarding process. A deny in the route-map does not mean the traffic will be dropped. The action is defined by a route-map set, either "set ip [default] next-hop" or "set [default] interface". The policy can be troubleshot with "debug ip policy" (do not run this in a production network, as it causes every packet on the PBR interface to be punted to the CPU).

PBR can apply to two types of traffic: incoming traffic and locally originated traffic. For incoming traffic, PBR is applied at the link level with the interface command "ip policy route-map $MAP". The policy applies only to inbound traffic; you may not perform PBR on outbound traffic. For locally generated traffic, PBR is applied globally with the command "ip local policy route-map $MAP". This may be useful if you want to reply to an ICMP packet with a certain IP address.
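As an added example (not from this wiki page), the following IOS configuration puts the pieces above together: ACL-based match criteria, a deny sequence that exempts traffic from PBR, permit sequences using next-hop and default next-hop, the per-interface and local applications, and show commands that verify the policy without the CPU-punting debug. Interface names, ACL names, route-map names and addresses are assumed.

```cisco
! Added example (not from the wiki): steer guest-VLAN web traffic through an
! inspection appliance while exempting management traffic. All names and
! addresses are assumed (RFC 5737 documentation ranges).
!
ip access-list extended MGMT
 permit ip any 192.0.2.0 0.0.0.255
ip access-list extended GUEST-WEB
 permit tcp 10.10.20.0 0.0.0.255 any eq 80
 permit tcp 10.10.20.0 0.0.0.255 any eq 443
ip access-list extended GUEST-ANY
 permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended LOCAL-ICMP
 permit icmp any any echo-reply
!
! deny = exempt from PBR and forwarded normally; it does NOT drop the packet
route-map GUEST-PBR deny 10
 match ip address MGMT
! permit = policy route: matching packets go to the inspection appliance
route-map GUEST-PBR permit 20
 match ip address GUEST-WEB
 set ip next-hop 203.0.113.2
! the 'default' form is only used when the routing table has no explicit
! (non-default) route for the destination
route-map GUEST-PBR permit 30
 match ip address GUEST-ANY
 set ip default next-hop 203.0.113.254
! anything not matched by a permit sequence uses normal destination routing
!
! incoming traffic: applied per interface, inbound direction only
interface GigabitEthernet0/1
 description Guest VLAN
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map GUEST-PBR
!
! locally originated traffic (here the router's own ICMP echo replies):
! applied globally, not per interface
route-map LOCAL-PBR permit 10
 match ip address LOCAL-ICMP
 set ip next-hop 198.51.100.1
ip local policy route-map LOCAL-PBR
!
! verify without 'debug ip policy':
!   show route-map GUEST-PBR   (per-sequence "Policy routing matches" counters)
!   show ip policy             (which route-map is applied on which interface)
```

The per-sequence counters in "show route-map" are the safe way to confirm which traffic is being policy routed and which is falling through to normal forwarding.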

One of the biggest issues with PBR is that most platforms can't hardware accelerate it. Generally, lower-end platforms such as the 2800 will not be able to hardware accelerate PBR, but higher-end platforms like the 6500 can. If you enable PBR on a lower-end platform and see high CPU utilization, look for the IP Input process, as this is what handles PBR.