Influencing Forwarding Behavior with Policy Based Routing



It had been a hot minute since I last put together a blog, and I was thinking about what might make an interesting topic. Well, as is typical, I thought about what I had recently run across, or worked on, in my "day job" as part of the engineering team that builds and supports the lab environments for all of the Learning at Cisco training materials.

On this particular day, I was reviewing the current configurations of the core network routers (layer 3 switches, really) in our data centers. I'm fairly new to this part of the team, and I was interested to find that we were leveraging Policy Based Routing to manipulate the forwarding behavior for different types of traffic. I'm sure many of you reading this blog are familiar with the fact that there are always multiple ways to accomplish a task in networking (in life really, but definitely in networking). As such, policy-based routing is a tool in the network engineer's toolkit that can often be leveraged to address "odd business requirements."

And with that, I had a topic to use for this blog and an accompanying video to kick off a short video series called "Technically Speaking… with Hank Preston" on the Cisco U. by Learning and Certifications YouTube channel. Specifically, we're going to look at how to configure policy-based routing to influence forwarding behavior. The why I'll leave for another post. 🙂

Also, for anyone studying for the CCNP Enterprise certification, policy-based routing is on the ENARSI (Implementing Cisco Enterprise Advanced Routing and Services) blueprint: "1.6 Configure and verify policy-based routing." 300-410 ENARSI is a concentration exam that earns you the Cisco Certified Specialist – Enterprise Advanced Infrastructure Implementation certification. So, it's definitely a great topic for the Cisco Learning blog. Let's dive right in!

Setting the Stage

Before we look at changing the typical routing and forwarding behavior, let's start with the basic forwarding behavior. For this exploration, I put the network below together in a Cisco Modeling Labs simulation. (You can find the topology file here.)

Network Topology
The network topology used in this exploration of policy based routing and forwarding behavior.

This network has two small LANs separated by a basic, single-area OSPF network in the middle. The costs in the OSPF network have been configured to make the best path from R1 to R5 go through R3. We can see that in a couple of ways.

First, let's look at the interface costs on R1.

R1#show ip ospf interface brief

Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Gi0/1.200    1     0               192.168.200.1/24   1     DR    0/0
Gi0/1.100    1     0               192.168.100.1/24   1     DR    0/0
Gi0/4        1     0               10.14.14.1/24      110   DR    1/1
Gi0/3        1     0               10.13.13.1/24      1     DR    1/1
Gi0/2        1     0               10.12.12.1/24      100   DR    1/1

Notice that interfaces G0/2 and G0/4 (towards R2 and R4) have costs of 100 and 110 respectively, while the cost of G0/3 (towards R3) is only 1.

And now, we'll verify the routing table entry for host H3 on R1.

R1#show ip route 172.16.10.11

Routing entry for 172.16.10.0/24
  Known via "ospf 1", distance 110, metric 3, type intra area
  Last update from 10.13.13.3 on GigabitEthernet0/3, 00:23:02 ago
  Routing Descriptor Blocks:
  * 10.13.13.3, from 5.5.5.5, 00:23:02 ago, via GigabitEthernet0/3
      Route metric is 3, traffic share count is 1

The routing table lists the route as towards R3 out interface G0/3, exactly as we'd expect.

The final check will be a trace route from host H1.

H1:~$ traceroute -n 172.16.10.11

traceroute to 172.16.10.11 (172.16.10.11), 30 hops max, 46 byte packets
 1  192.168.100.1   5.534 ms  5.004 ms  3.038 ms
 2  10.13.13.3      5.528 ms  5.531 ms  4.137 ms       <- R3's G0/1 interface
 3  10.35.35.5      5.533 ms  5.656 ms  6.339 ms
 4  172.16.10.11   14.180 ms  9.787 ms  7.908 ms

And no big shocker here: the second hop in the trace is indeed R3.

Let's shake things up a little bit.

Suppose there was some reason that you wanted to direct traffic received at router R1 from host H1 and destined for H3 to go through R2. Maybe there is some traffic analysis happening on that router. Or maybe that link is more reliable, even if slower. There are any number of reasons this might come up in a network design. The key part is that you don't want to change ALL forwarding behavior, just some of it. You have a "policy," so to speak, that identifies some traffic you want to handle differently. This is where policy based routing, often called PBR, comes in.

Policy based routing can seem complicated. To be fair, if overused, it can make networks very complicated and hard to maintain. However, the technical basics of PBR are quite simple.

First, you need a way to identify the traffic that you want to apply the policy to. Like many "matching" use cases in networking, this is often done with an access-list. So, here's the access list that I'll use to match the traffic I'm interested in.

ip access-list extended H1-to-H3
  10 permit ip host 192.168.100.11 host 172.16.10.11

This single-line extended ACL is all that's needed. I'm matching all IP traffic from H1 to H3, but I could be more specific, down to a particular port as well. Maybe just web traffic (tcp/80 & tcp/443), for example.

Next, a route-map is used to describe the policy that we want to configure. The "policy" is made up of "match" conditions to identify the traffic and "set" conditions to make the "policy based changes" to the traffic that was matched.

Here is the route-map for my policy example.

route-map POLICY-BASED-ROUTING permit 10
  description Traffic from H1 -> H3 route via R2
  match ip address H1-to-H3
  set ip next-hop 10.12.12.2

I've referenced the access-list I created in the "match ip address" command. And I've indicated that when traffic "matches" this policy, I want to "set" the next-hop to 10.12.12.2 (R2).

And notice the first line in the configuration example. It ends with the number "10." This sequence number identifies the position in the route-map that this particular policy entry holds. A route-map can be made up of many such entries, evaluated in sequence order, each with its own "match" and "set" statements. In this way, network engineers can have very granular control over how traffic is forwarded in the network. Pretty handy, right!

Before I go much farther, it's important to note that route-maps are used for more than just policy based routing. The route-map construct is also used as part of quality of service (QoS) configurations, routing protocol filtering, and BGP path manipulation. So if you explore the configuration options available for match and set, you will find several other options. Most of those are for use cases other than policy based routing.

The last step to complete the configuration of my policy is to apply it to the router interface. PBR is applied to the interface where the traffic enters the router. Since this policy is about controlling traffic from the LAN connected to subinterface Gig0/1.100 on R1 (H1's LAN, 192.168.100.0/24), that's where I'll apply it.

interface Gig0/1.100
  ip policy route-map POLICY-BASED-ROUTING
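To make the match/set semantics of the three steps above (ACL, route-map, `ip policy` on the ingress interface) concrete, here is an added Python model of the decision R1 makes for a packet arriving on Gig0/1.100. It is my illustration, not Cisco code and not part of the original post. It evaluates the post's own ACL and route-map for the flows H1->H3, H1->H4 and H2->H3, and goes one step beyond the page with the port-specific (web-only) ACL variant mentioned earlier. Assumptions: H2's address (192.168.200.11) is made up, since the post only shows H2's gateway, and the ACL grammar covered is just the subset seen here (protocol, `host`/`any`/address plus contiguous wildcard, optional `eq` destination port).

```python
"""Model of the policy-based routing decision configured in the post.

Added illustration, not Cisco code and not from the original post. It evaluates
an extended ACL feeding a route-map that is applied to an ingress interface with
`ip policy route-map`. ACL grammar covered: ip/tcp/udp/icmp, `host`/`any`/
address+wildcard (contiguous masks only), optional `eq` destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# What IOS does with packets the policy does not claim: a plain routing-table lookup.
NORMAL = "normal forwarding"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip | tcp | udp | icmp
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class AclEntry:
    action: str                  # permit | deny
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` from the front of tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))   # IOS wildcard = inverted netmask
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((kw, netmask), strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse an `ip access-list extended` block; the header line is skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():   # optional sequence number
            tokens.pop(0)
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


@dataclass
class RouteMapSeq:
    action: str                      # route-map NAME permit|deny SEQ
    acl: List[AclEntry]              # match ip address ACL
    next_hop: Optional[str] = None   # set ip next-hop A.B.C.D


def policy_route(route_map: List[RouteMapSeq], pkt: Packet) -> str:
    """Forwarding decision for a packet entering an interface that carries `ip policy`.

    Sequences are tried in order. An ACL `deny` entry means "this sequence does not
    match", so evaluation moves to the next sequence. The first sequence whose ACL
    permits the packet wins: a `permit` sequence applies its set clause; a `deny`
    sequence, a sequence with nothing to set, or falling off the end of the
    route-map (the ACL's implicit deny) all hand the packet back to normal routing.
    """
    for seq in route_map:
        for ace in seq.acl:
            if ace.matches(pkt):
                if ace.action == "deny":
                    break
                if seq.action == "deny" or seq.next_hop is None:
                    return NORMAL
                return f"next-hop {seq.next_hop}"
    return NORMAL


# The post's configuration, as written on the page.
ACL_H1_TO_H3 = parse_acl("""
ip access-list extended H1-to-H3
  10 permit ip host 192.168.100.11 host 172.16.10.11
""")
POLICY = [RouteMapSeq("permit", ACL_H1_TO_H3, next_hop="10.12.12.2")]

# Hypothetical web-only variant the post mentions but does not configure.
ACL_H1_TO_H3_WEB = parse_acl("""
ip access-list extended H1-to-H3-web
  10 permit tcp host 192.168.100.11 host 172.16.10.11 eq 80
  20 permit tcp host 192.168.100.11 host 172.16.10.11 eq 443
""")
WEB_POLICY = [RouteMapSeq("permit", ACL_H1_TO_H3_WEB, next_hop="10.12.12.2")]

H1, H3, H4 = "192.168.100.11", "172.16.10.11", "172.16.10.21"
H2 = "192.168.200.11"   # assumed: the post only shows H2's gateway, 192.168.200.1


def verdicts() -> dict:
    """The three flows the post traces, evaluated against the post's policy."""
    flows = {"H1->H3": Packet(H1, H3), "H1->H4": Packet(H1, H4), "H2->H3": Packet(H2, H3)}
    return {name: policy_route(POLICY, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
    print("web-only ACL, H1->H3 tcp/443:", policy_route(WEB_POLICY, Packet(H1, H3, "tcp", 443)))
    print("web-only ACL, H1->H3 tcp/22: ", policy_route(WEB_POLICY, Packet(H1, H3, "tcp", 22)))
```

The point worth taking from the model is that PBR's implicit deny is not a drop. Anything the ACL does not permit, and anything a `deny` sequence catches, simply takes the normal routing-table path. If PBR is what steers a flow into an inspection point, the routing table, not the ACL, decides what happens to everything else, and to that flow the moment the policy stops matching it.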

That's it, we've configured policy based routing. Let's test to see if it's working.

We'll start by rerunning the same trace route command as before and comparing the results.

H1:~$ traceroute -n 172.16.10.11

traceroute to 172.16.10.11 (172.16.10.11), 30 hops max, 46 byte packets
 1  192.168.100.1  7.306 ms  3.017 ms  3.337 ms
 2  10.12.12.2     3.844 ms  4.335 ms  3.688 ms      <- R2's G0/1 interface
 3  10.25.25.5     7.906 ms  5.125 ms  5.962 ms
 4  172.16.10.11   8.951 ms  8.912 ms  7.348 ms

Look at that, traffic is indeed going through R2 now. But let's verify that it's only traffic to H3 that is affected, by trace routing to H4.

H1:~$ traceroute -n 172.16.10.21

traceroute to 172.16.10.21 (172.16.10.21), 30 hops max, 46 byte packets
 1  192.168.100.1  3.681 ms  3.153 ms  2.563 ms
 2  10.13.13.3     3.613 ms  3.185 ms  3.747 ms     <- R3's G0/1 interface
 3  10.35.35.5     5.957 ms  7.555 ms  5.040 ms
 4  172.16.10.21  14.915 ms  7.157 ms  7.853 ms

Yep, traffic from H1 to H4 is indeed still following the "standard path" through R3. But what about traffic from H2 -> H3? Will it be redirected through R2?

H2:~$ traceroute -n 172.16.10.11

traceroute to 172.16.10.11 (172.16.10.11), 30 hops max, 46 byte packets
 1  192.168.200.1  7.284 ms  2.840 ms  3.173 ms
 2  10.13.13.3     3.526 ms  4.514 ms  3.498 ms    <- R3's G0/1 interface
 3  10.35.35.5     6.375 ms  7.212 ms  4.900 ms
 4  172.16.10.11   6.642 ms  6.270 ms  5.884 ms

Nope, only traffic from H1 -> H3 is being redirected.

If we look at the routing table on R1, we'll see nothing has changed. PBR overrides the routing table for matching packets; it does not modify it.

R1#show ip route 172.16.10.11

Routing entry for 172.16.10.0/24
  Known via "ospf 1", distance 110, metric 3, type intra area
  Last update from 10.13.13.3 on GigabitEthernet0/3, 00:23:02 ago
  Routing Descriptor Blocks:
  * 10.13.13.3, from 5.5.5.5, 00:23:02 ago, via GigabitEthernet0/3
      Route metric is 3, traffic share count is 1

There are a few helpful commands on the router to check the status of policy based routing.

First up, a basic "show" command worth noting.

R1#show route-map

route-map POLICY-BASED-ROUTING, permit, sequence 10
  Match clauses:
    ip address (access-lists): H1-to-H3
  Set clauses:
    ip next-hop 10.12.12.2
  Policy routing matches: 12 packets, 756 bytes

This command provides "policy match" statistics. We can see that when I ran this command there had been 12 matches so far.

Another useful command is "debug ip policy". It provides helpful details about the processing of the policy as traffic flows through the router. But as with any "debug" command, be careful using it on a production device, as it can put a heavy load on the device if there is a lot of traffic flowing through it.

I'll turn on the debugging and then send a single ICMP (ping) packet from H1 -> H3.

R1#debug ip policy
Policy routing debugging is on

R1#
*Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, FIB policy match
*Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, PBR Counted
*Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, g=10.12.12.2, len 84, FIB policy routed

Compare the above output to the debug output when I ping H1 -> H4.

*Apr 26 00:31:00.294: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, FIB policy rejected(no match) - normal forwarding

In the first example, "FIB policy match" indicates that the PBR policy was triggered, "PBR Counted" is the packet being added to the match statistics we saw in "show route-map", and the following debug line shows that the traffic was "FIB policy routed" with g= naming the next-hop the policy set. That's PBR in action. Compare that to the output from the second ping: "FIB policy rejected(no match) - normal forwarding." That output is pretty descriptive.
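Since "debug ip policy" is the only per-packet evidence of what the policy actually did, here is an added Python script that parses those lines and audits them against the intended next-hop. It is mine, not from the post or from Cisco. The sample input is the four debug lines shown above plus one constructed line, marked in the code, for an H1 -> H3 packet that fell through to normal forwarding; the audit flags that packet, which is exactly the case someone relying on PBR to steer a flow through an inspection point most wants to catch.

```python
"""Audit `debug ip policy` output against the intended PBR next-hop.

Added script, not from the post or from Cisco. IOS emits one or more lines per
packet on a policied interface: "FIB policy match" and "PBR Counted" are
intermediate, while "FIB policy routed" (with g=<gateway>) and "FIB policy
rejected(no match) - normal forwarding" are the verdicts. The verdict lines are
tallied per (src, dst) flow and compared with what the policy is supposed to do.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str]
IPV4 = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"IP: s=(?P<src>{IPV4}) \((?P<iface>[^)]+)\), d=(?P<dst>{IPV4})"
    rf"(?:, g=(?P<gw>{IPV4}))?, len \d+, (?P<disp>.+)$"
)

# The four debug lines from the post, plus one CONSTRUCTED line (the last one):
# an H1 -> H3 packet that was not policy routed, as would happen if the policy
# or its ACL stopped matching that flow.
SAMPLE_DEBUG = """\
*Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, FIB policy match
*Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, PBR Counted
*Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, g=10.12.12.2, len 84, FIB policy routed
*Apr 26 00:31:00.294: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.21, len 84, FIB policy rejected(no match) - normal forwarding
*Apr 26 00:32:10.101: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, FIB policy rejected(no match) - normal forwarding
"""

# What the policy on R1 is supposed to do: H1 -> H3 goes to R2.
EXPECTED: Dict[Flow, str] = {("192.168.100.11", "172.16.10.11"): "10.12.12.2"}


def parse_debug(text: str) -> Dict[Flow, dict]:
    """Per flow: gateways it was policy routed to, and how often it was routed normally."""
    flows: Dict[Flow, dict] = defaultdict(lambda: {"routed": [], "normal": 0})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stats = flows[(m["src"], m["dst"])]
        if m["disp"].startswith("FIB policy routed"):
            stats["routed"].append(m["gw"])
        elif m["disp"].endswith("normal forwarding"):
            stats["normal"] += 1
        # "FIB policy match" and "PBR Counted" carry no verdict and are skipped
    return dict(flows)


def audit(text: str, expected: Dict[Flow, str]) -> List[str]:
    """Findings: a flow steered to an unexpected gateway, or a flow the policy
    should redirect that was seen taking the normal routing-table path."""
    findings = []
    for (src, dst), stats in parse_debug(text).items():
        want = expected.get((src, dst))
        for gw in stats["routed"]:
            if gw != want:
                findings.append(f"{src}->{dst}: policy routed to {gw}, expected {want}")
        if want and stats["normal"]:
            findings.append(f"{src}->{dst}: forwarded normally {stats['normal']}x, policy expects {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEBUG, EXPECTED) or ["no findings"]:
        print(finding)
```

Run against a capture of "debug ip policy" taken while the interesting flows are active (or against syslog if the router logs debug output), the audit turns the descriptive but easily overlooked "normal forwarding" verdict into an explicit finding, and a flow being policy routed somewhere the policy never intended into another.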

And with that, we've come to the end of this post. I hope this short look at policy based routing helped break it down and introduced you to a new tool that you can put into your toolkit. Maybe it'll help you solve a business challenge someday. Or maybe it'll help you in your preparation for the ENARSI exam or other studies. Either way, thanks for hanging out with me today.

Got a topic you'd like me to break down? Let me know in the comments.
