White Papers

Using Policy Based Routing and Access Control Lists in a Virtualized Network
1 Introduction
Enterprise networks, which are typically used by several departments within an organization, are often
divided into VLANs to increase efficiency. Administrators can join multiple physical switches into one
virtual switch to make interdepartmental traffic flow more efficiently. Members of each department who
communicate frequently reap the benefits of increased traffic flow despite the constraints of geographical
distance. With the use of PBR, another layer of control is introduced, allowing administrators to evaluate
incoming traffic on a switch and apply rules to each packet. These rules, or SET statements, can change
the path a packet takes through the network.
Configuring PBR involves constructing a route-map with match and set commands and then applying the
corresponding route-map to the interface. IP routing must be enabled on the interfaces for PBR to
operate. PBR can only be applied to inbound traffic on these interfaces.
Enabling PBR on a VLAN interface causes the router to compare all incoming packets on the interface
against a route-map to see whether they match the criteria in that route-map. An interface can only have one
route-map policy assigned to it, but each policy can have multiple route-maps, each with a sequence number
that determines its priority. If a single entry's criterion matches the incoming packet, then that entry is
chosen and its SET statements are performed. If two or more entries match the packet, the one with the
lowest sequence number is chosen and its SET statements are performed. If there is no match, packets are
routed as usual.
Each route-map statement that is used for PBR is configured as permit or deny. If the statement is
marked as deny, traditional destination-based routing is performed on the packet that meets the match
criteria. If the statement is marked as permit, and if the packet meets all the match criteria, then SET
commands in the route-map statement are applied. If no match is found in the route-map, the packet is
not dropped, but instead is forwarded using the routing decision taken by performing destination-based
routing. If the network administrator does not want to revert to normal forwarding but instead wants to
drop a packet that does not match the specified criteria, a SET statement needs to be configured to route
packets to interface null 0 as the last entry in the route-map.
See Appendix A for a flow chart of the packet process.
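The decision sequence just described (lowest sequence number wins, a deny entry falls back to destination-based routing, and a trailing null 0 entry drops whatever nothing else matched) as an added simulation; this is not code from the white paper, and the prefixes, next hops and policy entries are constructed for illustration.

```python
"""Simulate the PBR route-map decision described above (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Entry:
    seq: int                # lower sequence number is evaluated first
    action: str             # "permit" or "deny"
    match_src: list         # ACL-style source prefixes; empty list means "match any"
    next_hop: str = ""      # SET target; "null0" drops, "" means no SET statement

    def matches(self, src):
        return not self.match_src or any(src in ip_network(p) for p in self.match_src)


def destination_route(dst, table):
    """Traditional destination-based routing: longest-prefix match over `table`."""
    best = max((ip_network(p) for p in table if dst in ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else "drop"   # no route at all: drop


def forward(entries, src, dst, table):
    """Return the next hop chosen for a packet, or "drop"."""
    src, dst = ip_address(src), ip_address(dst)
    for e in sorted(entries, key=lambda e: e.seq):   # lowest seq wins on overlap
        if not e.matches(src):
            continue
        if e.action == "deny" or not e.next_hop:      # deny (or no SET): normal routing
            return destination_route(dst, table)
        return "drop" if e.next_hop == "null0" else e.next_hop
    return destination_route(dst, table)               # no match: forwarded, not dropped


# Constructed policy: exempt 10.1.5.0/24, steer the rest of 10.1.0.0/16 to the
# high-bandwidth link, and drop everything else via the trailing null0 entry.
POLICY = [
    Entry(5, "deny", ["10.1.5.0/24"]),
    Entry(10, "permit", ["10.1.0.0/16"], "192.0.2.1"),
    Entry(100, "permit", [], "null0"),
]
TABLE = {"198.51.100.0/24": "203.0.113.1", "0.0.0.0/0": "203.0.113.254"}

if __name__ == "__main__":
    for src in ("10.1.2.3", "10.1.5.9", "10.2.0.1"):
        print(src, "->", forward(POLICY, src, "198.51.100.7", TABLE))
```

Note that the deny entry at sequence 5 does not discard the exempted source; it only hands the packet back to destination-based routing, which is why the catch-all null 0 entry at the end is needed if unmatched traffic really should be dropped.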
1.1 User Scenarios
PBR and ACLs (access control lists) have a wide assortment of uses for any organization. Network
administrators can use PBR when incoming traffic needs to be load-shared across multiple paths based on
packet attributes in the incoming traffic. To boost the network performance of an organization, bulk
traffic may need to use a higher-bandwidth, high-cost link while basic connectivity continues over a
lower-bandwidth, low-cost link. For such applications, PBR is the right fit. This document provides three
very diverse examples:
Example 1: Traffic Isolation applies policy to groups of people.
Example 2: Server Priority emphasizes server traffic.
Example 3: VLAN Traffic Redirection focuses on VLANs.