Why write about this?
I once worked with a colleague[1], and he didn’t know there was a difference between Policy-Routing and Routing-Policy. Given his senior position, I was surprised at the initial confusion this created as we collaborated with a vendor. His view was that both concepts, Routing-Policy and Policy-Routing, had the same meaning, that of Routing-Policy.
Policy-Routing is not the same thing as Routing-Policy. They are distinctly different approaches to manipulate packet flow.
The concepts in short
Policy-Routing
Policy-Routing is making a forwarding decision based upon the IP header attributes. It does not use routing protocols[2].
The Policy-Based Routing feature is a process whereby a device puts packets through a route map before routing the packets. The route map determines which packets are routed next to which device. Policy-based routing is a more flexible mechanism for routing packets than destination routing.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3e/iri-xe-3e-book/iri-pbr.html
Policy-based routing (PBR) is a technique that forwards and routes data packets based on policies or filters. Network administrators can selectively apply policies based on specific parameters such as source and destination IP address, source or destination port, traffic type, protocols, access list, packet size, or other criteria and then route the packets on user-defined routes.
https://www.juniper.net/us/en/research-topics/what-is-policy-based-routing.html
Routing-Policy
Routing-Policy is making a forwarding decision based upon routing protocol attributes.
A routing policy instructs the router to inspect routes, filter them, and potentially modify their attributes as they are accepted from a peer, advertised to a peer, or redistributed from one routing protocol to another.
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-6/routing/configuration/guide/b-routing-cg-asr9000-76x/implementing-routing-policy.html
Routing policies allow you to control the routing information between the routing protocols and the routing tables and between the routing tables and the forwarding table.
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/index.html
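To make the Routing-Policy side concrete, here is an added example (not from the Cisco or Juniper documentation quoted above) of an import policy that filters routes and rewrites an attribute before best-path selection. The policy terms, prefixes, next hops and AS numbers are constructed for illustration. Note that the policy only ever sees routes; packets are still forwarded by plain destination lookup.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix as advertised
    next_hop: str
    as_path: tuple         # BGP AS_PATH, origin AS last
    local_pref: int = 100

# RFC 1918 space that should never be accepted from an external peer
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def import_policy(route):
    """Hypothetical import policy: filter, then modify attributes."""
    net = ipaddress.ip_network(route.prefix)
    if net.prefixlen > 24 or any(net.subnet_of(p) for p in PRIVATE):
        return None                              # rejected, never installed
    if route.as_path[-1] == 64500:               # originated by AS 64500
        return replace(route, local_pref=200)    # attribute rewritten
    return route                                 # accepted unchanged

def build_table(received):
    """Best route per prefix: highest local_pref, then shortest AS path."""
    table = {}
    for r in filter(None, map(import_policy, received)):
        best = table.get(r.prefix)
        if best is None or (-r.local_pref, len(r.as_path)) < (-best.local_pref, len(best.as_path)):
            table[r.prefix] = r
    return table

def forward(table, dst):
    """Plain destination routing: longest matching prefix decides."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table.values() if addr in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).next_hop

# Constructed advertisements from two peers (documentation addresses and ASNs)
RECEIVED = [
    Route("203.0.113.0/24", "192.0.2.1", (64501,)),
    Route("203.0.113.0/24", "192.0.2.2", (64502, 64500)),
    Route("203.0.113.128/25", "192.0.2.1", (64501,)),   # too specific
    Route("10.1.0.0/16", "192.0.2.1", (64501,)),        # private space
]
TABLE = build_table(RECEIVED)
```

The /25 and the RFC 1918 prefix never reach the table, and the route with the longer AS path wins because the policy raised its local preference.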
How does Cisco refer to these concepts?
Policy-Routing
Cisco refers to Policy-Routing by several names:
- PBR (Policy Based Routing)
- ePBR (Enhanced Policy Based Routing)
- ABF (ACL Based Forwarding)
I’ve only linked to the PBR docs below.
Operating system references
- IOS-XE: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3e/iri-xe-3e-book/iri-pbr.html
- IOS-XR: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-6/b-ip-addresses-cg-asr9000-76x/Implementing-policy-based-routing.html
- NX-OS: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x_chapter_010001.html
IOS-XR comparison
The following table illustrates the match/set criteria that is supported by ABF, ePBR/Flowspec, and PBR:
match/set criteria | ABF | ePBR/Flowspec | PBR |
---|---|---|---|
source ip | match | match | match |
destination ip | match | match | match |
source protocol/port | match | match | match |
destination protocol/port | match | match | match |
nexthop ip | set | set | set |
nexthop vrf | set | set | set |
nexthop ip+vrf | set | NA | set |
dscp | NA | match/set | NA |
forward-class | NA | NA | set |
police | NA | set | NA |
access-group | NA | NA | match |
flow-tag | NA | NA | match |
fragment-type | NA | match | NA |
packet length | NA | match | NA |
ip protocol | match | match | match |
tcp-flag | match | match | match |
ipv4/ipv6 icmp-type | NA | match | NA |
ipv4/ipv6 icmp-code | NA | match | NA |
port | NA | match | NA |
port-range | match | match | match |
Routing-Policy
- IOS-XE: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3e/irg-iproute-bgp-xe-3e-book/irg-bgp4.html
- IOS-XR: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-6/routing/configuration/guide/b-routing-cg-asr9000-76x/implementing-routing-policy.html
- NX-OS: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x/m-n9k-configuring-route-policy-manager-93x.html#topic_BC12066193F94420A40BF34D8D86A81D
How does Juniper refer to these concepts?
Policy-Routing
Juniper refers to Policy-Routing by several names:
- FBF (Filter Based Forwarding)
- APBR (Advanced policy-based routing)
JUNOS: Filter Based Forwarding (FBF) https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html
For IPv4 or IPv6 traffic only, you can use stateless firewall filters in conjunction with forwarding classes and routing instances to control how packets travel in a network. This is called filter-based forwarding (FBF).
Filters That Classify Packets or Direct Them to Routing Instances
JUNOS: Advanced Policy-Based Routing
Advanced policy-based routing (APBR) also known as application-based routing, a new addition to Juniper Networks suite, provides the ability to forward traffic based on applications.
https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-advanced-policy-based-routing.html
Routing-Policy
How does Linux refer to these concepts?
The following are used by Linux to enable policy-based routing. The software package is called iproute2, and its CLI command is called ip.
- Policy routing table
- Policy routing rule
Red Hat Enterprise 7 example[4]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/configuring-policy-based-routing-to-define-alternative-routes
Online reference book for Linux policy routing, http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
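How policy routing rules and policy routing tables interact on Linux, as an added example that is not taken from the Red Hat guide or the policy routing book: a small model of the lookup, with the equivalent iproute2 commands in comments. All addresses, table numbers and priorities are constructed; only the source-address selector is modelled.

```python
import ipaddress

# Constructed configuration. Equivalent iproute2 commands:
#   ip route add default via 198.51.100.1 table 100
#   ip route add 203.0.113.0/24 via 198.51.100.2 table 200
#   ip rule add from 10.0.2.0/24 lookup 100 priority 1000
#   ip rule add from 10.0.3.0/24 lookup 200 priority 2000
# Table main holds the ordinary destination routes.
TABLES = {
    "100": [("0.0.0.0/0", "198.51.100.1")],
    "200": [("203.0.113.0/24", "198.51.100.2")],
    "main": [("0.0.0.0/0", "192.0.2.1"), ("10.0.0.0/16", "10.0.0.254")],
}
# (priority, source selector, table); 32766 is the default rule for main
RULES = [
    (1000, "10.0.2.0/24", "100"),
    (2000, "10.0.3.0/24", "200"),
    (32766, "0.0.0.0/0", "main"),
]

def lookup_table(table, dst):
    """Longest-prefix match on the destination within one table."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in TABLES[table]
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def route(src, dst):
    """Walk the rules in ascending priority. The first rule whose selector
    matches the packet AND whose table has a route for dst decides; a
    matching rule with no usable route falls through to the next rule."""
    for _prio, selector, table in sorted(RULES):
        if ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            next_hop = lookup_table(table, dst)
            if next_hop is not None:
                return table, next_hop
    return None, None
```

Because table 100 contains a default route, every packet sourced from 10.0.2.0/24 leaves via 198.51.100.1, including packets for internal 10.0.0.0/16 destinations that table main would have sent to 10.0.0.254; table 200 has no default, so unmatched destinations fall through to main.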
Footnotes and Sources
1. This colleague was from a different team and not someone I worked with every day.
2. Not to be confused with Segment Routing. https://www.cisco.com/c/en/us/solutions/segment-routing.html
3. https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-6/b-ip-addresses-cg-asr9000-76x/Implementing-policy-based-routing.html#id_84172
4. At first this example uses the nmcli command and further down uses the ip command.