For some reason (and for quite a long time) policy routing seemed a bit of a scary subject. I’ve noticed other people don’t like it very much either, but it is actually not all that bad.
Standard routing in IP networks is done based on the destination address of a packet. The router receives a packet, checks the routing table and decides where to forward the packet next.
Policy routing is simply a way of overriding what the routing table says. Instead of looking only at the destination, it can match on other attributes of a packet (most often the source address via an access-list, but also source/destination pairs with an extended ACL, or packet length) and send matching packets to a different next-hop than the one the routing table would choose. Policy routing is applied to a packet before the normal forwarding lookup: if the packet matches the policy, the next-hop comes from the policy and the routing table is not consulted for that packet; if nothing matches, the packet is routed normally.
It is a ‘swiss army knife’ kind of tool – if you know how to use it, it can be really helpful for those cases where you need to achieve something without major network changes.
Here’s a really simple example. The configuration below is based on this diagram:
In the diagram, R1 is connected to an internetwork which has (somewhere in the cloud) subnets 10.1.1.0 and 10.2.2.0. R1 has a default static route via R2 (172.16.0.1), so traffic bound for the Internet will go that way. What I need to do is make sure that traffic from subnet 10.2.2.0 goes via R3 (192.168.0.1) instead.
First, write an ACL to match the source addresses of the traffic we are interested in. The wildcard mask matters: a standard ACL entry with no wildcard matches only the single host address given, so "permit 10.2.2.0" on its own would never match real hosts in the subnet and the policy would silently never fire. Assuming a /24:
R1(config)# access-list 10 permit 10.2.2.0 0.0.0.255
Now write a route-map called NET-2. Its single permit clause (sequence 10 is the default, stated explicitly here) matches packets permitted by ACL 10 and sets the IP next-hop to 192.168.0.1 (R3):
R1(config)# route-map NET-2 permit 10
R1(config-route-map)# match ip address 10
R1(config-route-map)# set ip next-hop 192.168.0.1
This won’t do anything on its own, though: the route-map has to be applied as a policy on the interface where the traffic from 10.2.2.0 enters R1, which here is e0/0. Policy routing is an ingress feature, so putting the same statement on the outbound interface has no effect:
R1(config)# int e0/0
R1(config-if)# ip policy route-map NET-2
What will happen now is this:
1. Packet arrives on e0/0
2. The ‘ip policy’ statement tells the router to look at route-map ‘NET-2’
3. Route-map NET-2 uses ACL 10 to check whether the source address is in 10.2.2.0/24
4. If it is, the next-hop is set to 192.168.0.1 (R3) and the routing table is not consulted for that packet
5. If it is not (no match, or an ACL or route-map deny), the packet is not dropped; a normal routing-table lookup occurs and the default route (via 172.16.0.1, R2) is chosen.
This can be made even simpler if the network is directly attached to the router, but not with “match interface”: in a route-map that is a redistribution criterion (it matches routes whose next hop is out a given interface), not a test on the interface a packet arrived on. The ingress interface is already chosen by where you apply “ip policy”, and a permit clause with no match statement matches every packet. So a route-map consisting only of “set ip next-hop 192.168.0.1” (or “set interface y/z”), applied to the interface facing the subnet, sends all traffic entering on that interface via R3, and you don’t even need an access-list. On Ethernet and other multi-access links prefer “set ip next-hop” over “set interface”, which has to resolve the destination out of the chosen interface and is intended for point-to-point links.
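The complete R1 configuration for both the ACL-based policy above and the no-access-list variant for a directly attached LAN, as an added example that is not part of the original post. The addresses 172.16.0.1 (R2) and 192.168.0.1 (R3) come from the text; the /24 masks, the interface names Ethernet0/0 and Ethernet0/1, the sequence numbers and the route-map name NET-ALL are my assumptions.

```cisco
! R1 configuration for the scenario above (added example, not from the original post).
! Assumptions: both subnets are /24, Ethernet0/0 faces 10.2.2.0/24, Ethernet0/1 is a
! second directly attached LAN used for the no-ACL variant; sequence numbers and
! interface names are mine. 172.16.0.1 (R2) and 192.168.0.1 (R3) are from the text.
!
! Default route towards R2: everything that is not policy-routed goes this way.
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
! Standard ACL 10. The wildcard mask is required: "permit 10.2.2.0" with no mask
! matches only the single address 10.2.2.0, so hosts in the subnet would never hit
! the policy and would quietly keep using the default route.
access-list 10 permit 10.2.2.0 0.0.0.255
!
! Route-map NET-2: packets permitted by ACL 10 get their next hop rewritten to R3.
! Packets that match no clause, or match a deny clause, are NOT dropped; they fall
! through to the ordinary routing-table lookup.
route-map NET-2 permit 10
 match ip address 10
 set ip next-hop 192.168.0.1
!
! Attach the policy on the interface where 10.2.2.0/24 traffic ENTERS R1.
! PBR is an ingress feature: the same statement on the outbound interface does nothing.
interface Ethernet0/0
 ip policy route-map NET-2
!
! Variant for a directly attached LAN with no access-list: a permit clause with no
! "match" statement matches every packet, so applying this on Ethernet0/1 sends all
! traffic arriving there via R3.
route-map NET-ALL permit 10
 set ip next-hop 192.168.0.1
!
interface Ethernet0/1
 ip policy route-map NET-ALL
!
! Traffic originated by R1 itself (its own pings, syslog, NTP) is not touched by
! interface policies. Uncomment to make it follow NET-2 as well:
! ip local policy route-map NET-2
!
! Verification (exec mode):
! R1# show ip policy          -> which interface has which route-map applied
! R1# show route-map NET-2    -> clauses plus the "Policy routing matches: N packets" counter
! R1# show ip route 0.0.0.0   -> the default path that PBR overrides for matching sources
! R1# debug ip policy         -> per-packet "policy match" / "policy rejected" decisions
```

Two things worth checking after applying this. First, the match counter in "show route-map NET-2" should climb when a host in 10.2.2.0/24 sends traffic; if it stays at zero, the usual culprits are a missing wildcard mask or the policy sitting on the wrong (egress) interface. Second, "set ip next-hop" only stops being used when R1's interface towards R3 goes down; if R3 is up but has lost its onward path, matching traffic is black-holed. On releases that support it, "set ip next-hop verify-availability 192.168.0.1 10 track 1" tied to an IP SLA tracking object makes the clause fall through to normal routing when R3 stops answering. Because a policy like this silently diverts traffic regardless of what the routing table says, "show ip policy" is also the first thing to audit on a router whose traffic is taking an unexpected path.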