Articles from Plain Tutorials
Policy-based Routing in Cisco Routers
2012-10-25 09:10:29 Hao Nguyen
As I said in my previous article, Policy-based Routing on Fortigate Firewall, I now publish this article about policy-based routing on Cisco routers. Normally, routing is based on the destination network/host to choose the next-hop router for the traffic. In some cases you will need to define a smaller set of rules, such as "traffic originated from a certain source network goes this way, and the rest goes another way" (when you have multiple outgoing connections). In the following diagram, I have two outgoing interfaces on Router R2.

I want traffic from the Office network to be routed to the DSL router, and the rest to go to the leased-line router. I can accomplish this with policy-based routing by defining the source network and incoming interface, the traffic type, and the destination network and outgoing interface. The source/destination networks and the traffic type are defined by an access list on Cisco routers. The outgoing interface and next-hop address are configured in a route-map policy, and the last part, the incoming interface, is configured under the interface configuration.
Defining access list

The access-list is the main part of the game: it defines the traffic type, the source network, and the destination network. My Office network is 192.168.2.0/24, and "everything" is written as `any` (0.0.0.0 with wildcard 255.255.255.255) on Cisco routers. Be careful with the wildcard: a 0 bit in a Cisco wildcard mask means "this bit must match", so 0.0.0.0 0.0.0.0 would match only the host 0.0.0.0, not all destinations. The following access-list matches every traffic from 192.168.2.0/24:

```
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
```

For another example, if I want the IP address 192.168.1.5 (a server in my Server network) to reach 4.2.2.2 (a public DNS server) over the DSL line, I would add this entry to the same access-list:

```
access-list 105 permit ip host 192.168.1.5 host 4.2.2.2
```
Creating Route-map Policy

The next step is to define a route-map policy. This route-map policy references the previous access-list and sets the next-hop router IP and the outgoing interface.

```
route-map OfficeNet permit 10
 match ip address 105
 set ip next-hop 192.168.5.254
 set interface FastEthernet 0/1
!
route-map OfficeNet permit 20
!
```

In that configuration, 105 is the access-list number that I defined in step 1, and FastEthernet 0/1 is the interface of Cisco Router R2 that connects to the DSL router; it is used as the outgoing interface. Sequence 20 has no match or set clause, so all remaining traffic is permitted through the route map untouched and is routed normally using the routing table.

Do not forget next-hop address: do not forget to put the set ip next-hop address, because otherwise the router will not know where to send the traffic. You could omit this line if you're using a point-to-point connection.
Determining Incoming Interface

The route-map policy is triggered when the right interface receives the traffic defined in the route map's access-list. In this step we define which interface will apply the previous route-map policy. Looking at the diagram, traffic from the Office network hits Router R2 on its FastEthernet 0/2 interface; therefore, Fa0/2 is the incoming interface.

```
interface FastEthernet 0/2
 ip policy route-map OfficeNet
```

When interface FastEthernet 0/2 on Router R2 receives traffic matching access-list 105, it follows the instructions in route-map OfficeNet and redirects the traffic out through FastEthernet 0/1 to the address 192.168.5.254. You could read a policy-based routing policy as: "if this traffic type is from this source network, goes to that destination, and enters through the right incoming interface, I will route it this way."
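As an added illustration that is not part of the original article, the following Python model shows how Router R2 evaluates the three pieces above for a single packet: Cisco wildcard matching for access-list 105, the route-map sequences of OfficeNet, and the fact that the policy is consulted only for packets entering FastEthernet 0/2. The configuration values are taken from the article; the sample packets and interface-name spelling are constructed.

```python
import ipaddress

# Constructed to mirror the article's configuration. ACL entries are
# (action, src, src_wildcard, dst, dst_wildcard); "any" is 0.0.0.0 255.255.255.255.
ACL_105 = [
    ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.1.5", "0.0.0.0", "4.2.2.2", "0.0.0.0"),
]
# route-map OfficeNet: sequence 10 matches ACL 105 and sets next-hop/interface;
# sequence 20 matches everything and sets nothing, so those packets use the routing table.
ROUTE_MAP_OFFICENET = [
    {"seq": 10, "acl": ACL_105, "next_hop": "192.168.5.254", "out_iface": "FastEthernet0/1"},
    {"seq": 20, "acl": None, "next_hop": None, "out_iface": None},
]
# "ip policy route-map OfficeNet" is applied only on the incoming interface Fa0/2.
IP_POLICY = {"FastEthernet0/2": ROUTE_MAP_OFFICENET}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def pbr_decision(in_iface, src, dst):
    """Return (next_hop, out_iface) if the packet is policy-routed, else None."""
    route_map = IP_POLICY.get(in_iface)
    if route_map is None:
        return None  # no ip policy on this interface: plain destination-based routing
    for entry in route_map:
        if entry["acl"] is None or acl_permits(entry["acl"], src, dst):
            if entry["next_hop"] is None:
                return None  # matched a sequence with no set clause: normal routing
            return entry["next_hop"], entry["out_iface"]
    return None

if __name__ == "__main__":
    # Constructed sample packets: Office host to the Internet, server to DNS, server elsewhere.
    for pkt in [("FastEthernet0/2", "192.168.2.10", "8.8.8.8"),
                ("FastEthernet0/2", "192.168.1.5", "4.2.2.2"),
                ("FastEthernet0/2", "192.168.1.5", "8.8.8.8")]:
        print(pkt, "->", pbr_decision(*pkt) or "routing table")
```

The last sample shows the fall-through case: the server's non-DNS traffic matches sequence 20, so it is routed by the normal routing table toward the leased line.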