Test driving Policy Based Routing on Linux

Policy Based Routing allows the network admin to apply different forwarding  rules to a packets based on some of its attributes. For example source address, QoS or firewall marks can be used as a packet classification policy.

Policy routing can help in meeting the requirements of differentiated services like QoS, security Policy etc where the traffic from customer paying for a better or more secure service is allowed to use a different network route that the regular traffic.

On Linux Policy Based Routing can be enabled in the following manner

  • The first step is to classify the traffic into different categories based of conditions like source address, destination address, QoS or firewall mark etc.
  • Then use different routing tables to forward traffic from different categories that was created in the first step

Slide2

In this post we will setup a Linux based router with policy routing. For the purpose of our experiment, we will implement Policy based routing using source address as the classifier. The following topology describes the setup for our test

Slide1

Topology:

  • We have 4 networks connecting host1, host2 and server to the router
Network Address Gateway (Router) Host Address
Net1 10.0.10.0/24 10.0.10.1 (router-eth1) 10.0.10.2 (host1-eth0)
Net2 10.0.11.0/24 10.0.11.1 (router-eth2) 10.0.11.2 (host2-eth0)
Net3 10.0.12.0/24 10.0.12.1 (router-eth3) 10.0.12.2 (server-eth0)
Net4 10.0.13.0/24 10.0.13.1 (router-eth4) 10.0.13.2 (server-eth1)
  • The server holds the IP 11.0.14.1/24, which is the destination the hosts are trying to reach.
  • The router has two paths to forward the packets arriving from host1 and host2 to destination 11.0.14.1, either using the 10.0.12.0/24 or 10.0.13.0/24 network.
  • To begin with the server and the router is configured with static routes to use only one link (router-eth3 <-> server-eth0 i.e. 10.0.12.0/24 network) to forward traffic between router and server

pr4

The topology is implemented using mininet network simulator. The code for the topology is available here.

Start the simulated topology using the following command(using the policy_routing_disabled.py file from the repository).

sudo python policy_routing_disabled.py

We will start with a topology with disabled policy routing and learn the steps need to enable policy routing. (if you want a ready made mininet topology with policy routing look at policy_routing_enabled.py file that implements this)

The mininet configuration implements the hosts, server nodes as network namespaces, and the router is implemented by using the Linux host itself.

Once the topology is ready try to ping the IP 11.0.14.1 located on the server from the hosts.

Note: In the mininet CLI, a command can be started on a node by providing the node name followed by the command like in the form “<node_name> <command> <argument1> <argument2> …”

mininet> host1 ping 11.0.14.1
mininet> host2 ping 11.0.14.1

Without the policy routing in place the packets are forwarded using one of the path(10.0.12.0/24 network, net3). You can verify this by running the following command on the router (as the Linux host is acting as the router the following command can be started on another terminal).

$ watch "egrep router-eth.* /proc/net/dev"

pr5

Note the interface statistics of router-eth4 does not change when ping packets are transmitted either from host1 or host2 to server.

Lets remove the static route setting on the router and modify the one on server as shown below


mininet> router route del -net 11.0.14.0/24 dev router-eth3
mininet> server ip route del 10.0.11.0/24 via 10.0.12.1
mininet> server ip route add 10.0.11.0/24 via 10.0.13.1

We can now proceed to enable policy routing.

Enabling policy routing

Lets now start configuring the policy routing

  1. Classify the traffic arriving on the router based on source network to use different routing table. The following commands add classification policy on the router, which in this case is the source network.
mininet> router ip rule add from 10.0.10.0/24 lookup net1_table
mininet> router ip rule add from 10.0.11.0/24 lookup net2_table
  1. Add the routing tables
mininet> router echo "101 net1_table">> /etc/iproute2/rt_tables
mininet> router echo "102 net2_table">> /etc/iproute2/rt_tables
  1. Add routes to the individual table. The following routes add different path to reach destination network 11.0.14.0/24
mininet> router ip route add 11.0.14.0/24 via 10.0.12.2 table net1_table
mininet> router ip route add 11.0.14.0/24 via 10.0.13.2 table net2_table

With the above settings in place, the routing rules from net1_table are applied to packets arriving from network 10.0.10.0/24 (net1) and  rules from net2_table are applied to packets arriving from network 10.0.11.0/24 (net2).

Verifying the result

Use the following command on the mininet prompt to start a xterm connected to router.

mininet> xterm router

Use the xterm to start a watch command on all interfaces of the router

(router xterm) $ watch "egrep router-eth.* /proc/net/dev"

Now start a ping from host1 to 11.0.14.1 and check the output to verify that the packets are forwarded using eth3 interface on the router

mininet> host1 ping 11.0.14.1

The same steps can be used to verify that if the ping is started from host2 to 10.0.14.1 eth4 interface on the router

Here are the example output.

Initial stats:

pr1

Send 10 Ping packets from Host1:

pr2

Send 10 Ping packets from Host2:

pr3

The results show that the traffic from host1 which arrives on the router interface router-eth1 is forwarded using 10.0.12.0/24 network through router interface router-eth3 and traffic from host2 which arrives on the router interface router-eth2 is forwarded using 10.0.13.0/24 network through router interface router-eth4

The following figure shows the change in traffic flow due to policy based routing configuration

polocy-routing

The final settings with policy routing enabled is also available as a mininet configuration as policy_routing_enabled.py in the repository.

Conclusion

In this experiment we started with a setup where the router had two paths to the destination server but was using only one to forward traffic. With the help of policy routing we were able to utilize both the path to communicate with the server.

The traffic was distributed based on the source address. i.e. packets coming from net1(10.0.10.0/24) is forwarded over net3(10.0.12.0/24) while that from net2(10.0.11.0/24) is forwarded over net4(10.0.13.0/24).

Advertisements

Published by

Chandan Dutta Chowdhury

Software Engineer

One thought on “Test driving Policy Based Routing on Linux”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s