Using Policy Based Routing and Access Control Lists in a Virtualized Network
A deployment guide for Dell Networking switches
Victor Teeter, Dell Engineering
December 2013
A Dell Deployment and Configuration Guide

Revisions
  Date          Description
  January 2014  Initial release

©2013 Dell Inc., All rights reserved. Except as stated below, no part of this document may be reproduced, distributed or transmitted in any form or by any means, without express permission of Dell. You may distribute this document within your company or organization only, without alteration of its contents. THIS DOCUMENT IS PROVIDED “AS-IS”, AND WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED.
Executive Summary
Administrators who manage internetworks within an organization can route packets according to the organization's policies using the Policy Based Routing (PBR) feature. PBR provides a flexible mechanism for cases where organizational constraints dictate that particular traffic be routed through specific network paths rather than the path the routing table would choose.
1 Introduction
Enterprise networks, which are typically shared by several departments within an organization, are often divided into VLANs to increase efficiency. Administrators can join multiple physical switches into one virtual switch (a stack) so that interdepartmental traffic flows more efficiently. Members of each department who communicate frequently benefit from the improved traffic flow despite the constraints of geographical distance.
1.2 Dell Networking Switches Supporting PBR
The following Dell Networking N-series switches support PBR and may be used in building the configurations in this guide:
  N2024, N2024P, N2048, N2048P
  N3024, N3024P, N3024F, N3048, N3048P
  N4032, N4032F, N4064, N4064F

Note: In the examples it is assumed that traditional routing is already enabled. At minimum, the “ip routing” global command is configured on the switch with static routes in place.
2 Example 1 – Traffic Isolation
Route one IP address range (or subnet) to ISP A, and a second IP address range (or subnet) to ISP B. In this example, it is assumed that traditional routing is already enabled and configured. Consider the network of the company below, which is comprised of several groups including Human Resources (HR) and Accounting. Each group has a different IP address range within the same subnet, so the destination-based routing table alone cannot separate them; PBR selects the path from the source address instead.
The following commands are used on the switch or switch stack.

Enable routing…
  console(config)#ip routing

Create three access lists…
  console(config)#ip access-list accounting
  console(config-ip-acl)#permit ip 10.1.5.0 0.0.0.255
  console(config-ip-acl)#exit
  console(config)#ip access-list hr
  console(config-ip-acl)#permit ip 10.1.6.0 0.0.0.255
  console(config-ip-acl)#exit
  console(config)#ip access-list inter-communications
  console(config-ip-acl)#permit ip 10.1.5.0 0.0.0.255
  console(config-ip-acl)#permit ip 10.1.

Apply the route-map to the VLAN routing interface…
  console(config)#interface vlan 111
  console(config-if-vlan111)#ip address 10.1.5.1 255.255.0.0
  console(config-if-vlan111)#ip policy route-map equal-access
  console(config-if-vlan111)#exit

Assign interfaces to VLAN…
  console(config)#interface range gigabitethernet all
  console(config-if)#switchport access vlan 111
  console(config-if)#switchport mode access

The ip policy route-map “equal-access” is applied to the VLAN 111 routing interface that serves all HR and Accounting ports. Every packet ingressing these interfaces is evaluated against the route-map; packets that match a permit sequence are policy-routed, and all others follow traditional routing.
  Match clauses:
    ip address (access-lists) : hr
  Set clauses:
    ip default next-hop 172.16.7.7
  Policy routing matches: 67 packets, 5226 bytes

Note: To see policy routing match counters, issue an ICMP echo request (ping) from an HR host to ISP B, or from an Accounting host to ISP A.

Note: The set clause shown uses “ip default next-hop” rather than “ip next-hop”. With “default next-hop”, 172.16.7.7 is used only for destinations that have no explicit route in the routing table (the default route does not count as an explicit route); a destination with an explicit route is still forwarded by traditional routing. Use “set ip next-hop” when the policy must override the routing table unconditionally.
3 Example 2 – Server Priority
Ensure that server traffic is routed across the higher-bandwidth path and given the highest priority. Consider the following example, where it is assumed traditional routing is already enabled and configured. It is critical that an organization’s primary database server on VLAN 30 is backed up across the network every Thursday morning at 1:00 AM, using only the larger-bandwidth path on the network (Figure 2). The switch that routes this traffic for the server can use PBR to pin the backup traffic to that path.
Use the following commands in creating Figure 2…

1G routing interface configuration…
  console#config
  console(config)#vlan 10
  console(config-vlan10)#exit
  console(config)#interface vlan 10
  console(config-if-vlan10)#ip address 192.151.3.5 255.255.255.

Create a route-map to set the server's next-hop…
  console(config)#route-map database-path permit
  console(route-map)#match ip address db-backup-cos
  console(route-map)#set ip next-hop 192.150.2.1
  console(route-map)#exit

Assign the route-map to the VLAN…
  console(config)#interface vlan 30
  console(config-if-vlan30)#ip policy route-map database-path
  console(config-if-vlan30)#exit

The IP policy route-map “database-path” is applied to the server interface.
  console#show vlan
  VLAN  Name      Ports                                              Type
  ----  --------  -------------------------------------------------  -------
  1     default   Po1-128, Gi1/0/2-48, Gi2/0/1-48, Te2/0/1-2,        Default
                  Gi3/0/1-48, Te3/0/1-2
  10    VLAN0010  Gi1/0/1                                            Static
  20    VLAN0020  Te1/0/2                                            Static
  30    VLAN0030  Te1/0/1                                            Static

  console#show ip policy
  Interface  Route-Map
  ---------  -------------
  Vl30       database-path
4 Example 3 – VLAN Traffic Redirection
Match packets on one VLAN, then route them to egress another VLAN to reach their destination. Consider the following example, where it is assumed traditional routing is already enabled and configured. Remote servers X, Y, and Z are cached hourly to local servers A, B, and C. Users on VLAN 10 use the local cache servers 99% of the time but periodically need to access the most current data from servers X, Y, and Z, located in another city (Figure 3).
Figure 4. Using Policy Based Routing to redirect VLAN traffic (N3048 carrying VLAN 10 and VLAN 20; Servers A, B, C on one side, Servers X, Y, Z on the other)

Two access lists are created. The first access list contains the source IP addresses of servers A, B, and C so that these packets can be filtered out, since it is undesirable to reroute any server traffic. This traffic continues to be routed using traditional routing.

Figure 5. IP addresses on the network (clients 1.1.1.x on VLAN 10; N3048 VLAN 10 interface 1.1.1.1 and VLAN 20 interface 2.2.2.1; next hop 2.2.2.2; Servers A, B, C at 1.1.1.50–52; Servers X, Y, Z at 3.3.3.3–5)

The following commands are used to configure the Dell Networking N3048.

Create an access list with the source IP addresses of servers A, B, and C…
  console(config)#ip access-list servers-ABC
  console(config-ip-acl)#permit ip host 1.1.1.50 any
  console(config-ip-acl)#permit ip host 1.1.1.51 any
  console(config-ip-acl)#permit ip host 1.1.1.
  console(route-map)#exit
  console(config)#route-map clients-to-XYZ permit 20
  console(route-map)#match ip address allow-1-1-1-clients
  console(route-map)#set ip next-hop 2.2.2.2
  console(route-map)#exit

Note: A packet that matches a “deny” route-map sequence automatically reverts to traditional routing, and policy routing is ignored for it. For this reason there is no SET statement in the first (deny) sequence above, which matches the servers-ABC access list.
4.1 Validation Use the commands below to validate or help troubleshoot the Example 3 configuration.
5 Dropping Packets
Unlike a “deny” statement in an access list, a route-map “deny” sequence does not drop a packet whose criteria match. Instead, the route-map simply turns control of the packet back over to traditional routing and ignores all Policy Based Routing rules. In other words, when a “deny” sequence is matched, the packet is treated as if no PBR exists. PBR does, however, provide a way to drop a packet if desired: a “permit” sequence whose set statement sends the packet to interface Null0 discards it (see the flow in Appendix A).
6 Rerouting Remaining Packets on an Interface
If there is a need to route all remaining packets on an incoming interface, it can be done with PBR. This is achieved simply by adding a final route-map sequence with no match statement; any packet not claimed by an earlier sequence falls through to it. Used by itself, without other sequences, such a sequence re-routes all incoming traffic on the interface.

Note: In a route-map sequence, all packets match by default if no match statement is specified.
7 Other Resources
This document provides only a few examples of the many ways PBR can be used to route traffic based on organizational policies or constraints. The User Guide for the Dell N-series switches contains additional details on configuring this feature. The Command Line Interface (CLI) Reference Guide also contains details on each command used in this document. Download the latest User Guide and CLI Reference Guide at http://www.dell.com/support.
Appendix A: Packet Process Flow Through a Route-map
  1. An incoming packet arrives from the network.
  2. Is there a matching route-map sequence on the ingress interface?
     No  -> follow normal routing procedures (OSPF, RIP, static) and send the packet out.
     Yes -> continue to step 3.
  3. Is the matching sequence PERMIT or DENY?
     DENY   -> follow normal routing procedures, as in step 2.
     PERMIT -> perform the actions specified in the SET statements.
  4. The SET actions either route the packet (for example, set ip next-hop) or drop it (set interface Null0).
  5. The outgoing packet is forwarded to the network.
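The following Python model is an added example, not part of the Dell guide, that walks a packet through the Appendix A flow for the guide's own Example 1 and Example 3 configurations. It implements the ACL wildcard-mask match used in the access lists, route-map permit/deny sequences, the "set ip next-hop" and "set ip default next-hop" clauses, the Null0 drop from Section 5 and the catch-all sequence with no match clause from Section 6. ACL names, route-map sequences and addresses are taken from the guide; the routing tables, the body of the "allow-1-1-1-clients" ACL, and the client and destination addresses used in the checks are constructed assumptions.

```python
"""Added example (not from the Dell guide): a Python model of the packet flow in
Appendix A. It models ACL wildcard matching, route-map permit/deny sequences,
'set ip next-hop', 'set ip default next-hop', 'set interface null0' and a
sequence with no match clause. ACL and route-map names and addresses come from
the guide's examples; the routing tables, the body of the 'allow-1-1-1-clients'
ACL and the extra test addresses are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")        # 'any' in the ACL syntax


def host(ip: str) -> tuple:
    """'host A.B.C.D' is an address with an all-zero wildcard."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks are inverted netmasks: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: tuple                   # (base, wildcard)
    dst: tuple = ANY


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action == "permit"
    return False


@dataclass
class Sequence:
    action: str                             # route-map permit or deny
    match_acl: Optional[str] = None         # None: no match clause (Section 6)
    next_hop: Optional[str] = None          # set ip next-hop
    default_next_hop: Optional[str] = None  # set ip default next-hop
    null0: bool = False                     # set interface null0 (Section 5)


def route_lookup(table: list, dst: str, skip_default: bool = False):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if skip_default and net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


def policy_route(route_map: list, acls: dict, table: list, src: str, dst: str):
    """Evaluate one packet; returns ('pbr', nh), ('normal', nh) or ('drop', None)."""
    for seq in route_map:
        if seq.match_acl is not None and not acl_permits(acls[seq.match_acl], src, dst):
            continue                        # not this sequence, try the next one
        if seq.action == "deny":            # Section 5: hand back to normal routing
            return ("normal", route_lookup(table, dst))
        if seq.null0:
            return ("drop", None)
        if seq.next_hop:
            return ("pbr", seq.next_hop)
        if seq.default_next_hop:
            # default next-hop applies only when the routing table has no
            # explicit route for the destination; the default route does not count
            nh = route_lookup(table, dst, skip_default=True)
            return ("normal", nh) if nh else ("pbr", seq.default_next_hop)
        return ("normal", route_lookup(table, dst))
    return ("normal", route_lookup(table, dst))   # no sequence matched at all


# Example 3: servers A, B, C keep normal routing; other 1.1.1.x hosts go via 2.2.2.2
EXAMPLE3_ACLS = {
    "servers-ABC": [AclEntry("permit", host(f"1.1.1.{n}")) for n in (50, 51, 52)],
    "allow-1-1-1-clients": [AclEntry("permit", ("1.1.1.0", "0.0.0.255"))],  # assumed body
}
EXAMPLE3_MAP = [Sequence("deny", "servers-ABC"),
                Sequence("permit", "allow-1-1-1-clients", next_hop="2.2.2.2")]
EXAMPLE3_TABLE = [("3.3.3.0/24", "1.1.1.254"), ("0.0.0.0/0", "1.1.1.254")]  # constructed

# Example 1, HR sequence as shown in the guide's show output (default next-hop)
EXAMPLE1_ACLS = {"hr": [AclEntry("permit", ("10.1.6.0", "0.0.0.255"))]}
EXAMPLE1_MAP = [Sequence("permit", "hr", default_next_hop="172.16.7.7")]
DEFAULT_ONLY = [("0.0.0.0/0", "10.1.0.254")]                        # constructed
WITH_EXPLICIT = DEFAULT_ONLY + [("203.0.113.0/24", "10.1.0.253")]    # constructed

if __name__ == "__main__":
    print(policy_route(EXAMPLE3_MAP, EXAMPLE3_ACLS, EXAMPLE3_TABLE, "1.1.1.50", "3.3.3.3"))
    print(policy_route(EXAMPLE3_MAP, EXAMPLE3_ACLS, EXAMPLE3_TABLE, "1.1.1.100", "3.3.3.3"))
    print(policy_route(EXAMPLE1_MAP, EXAMPLE1_ACLS, DEFAULT_ONLY, "10.1.6.20", "203.0.113.10"))
    print(policy_route(EXAMPLE1_MAP, EXAMPLE1_ACLS, WITH_EXPLICIT, "10.1.6.20", "203.0.113.10"))
```

Running the script shows the two behaviours the guide relies on: a packet from server 1.1.1.50 hits the deny sequence and is forwarded by the routing table, while a client at 1.1.1.100 is policy-routed to 2.2.2.2; and the HR packet reaches ISP B at 172.16.7.7 only when the routing table has no explicit route for its destination, which is the "default next-hop" behaviour behind the Example 1 show output.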