Policy Routing

Lesson 6/13 | Study Time: 60 Min

Task  

● Configure IPv4 default routes on R4 and R6 pointing to R1's IPv4 address from the shared Ethernet segment. 

● Configure an IPv4 default route on R3 pointing to R1's IPv4 address from the shared Ethernet segment. 

● Configure an IPv4 default route on R5 pointing to R1's DMVPN cloud IPv4 address. 

● Configure IPv4 static routes on R3 for R5’s Loopback0 prefix and on R5 for R3’s Loopback0 prefix through the DMVPN cloud. 

● Configure IPv4 policy-routing on R1 so that traffic from R4 is routed through R3 over the Ethernet link, and traffic from R6 is routed through R5 over the DMVPN cloud. 

● Create two extended access-lists on R1, named FROM_R4 and FROM_R6: 

    ● Access-list FROM_R4 should match all IPv4 traffic sourced from R4's Ethernet segment. 

    ● Access-list FROM_R6 should match all IPv4 traffic sourced from R6's Ethernet segment. 

● Use traceroute on R4 and R6 for R3's and R5’s Loopback0 prefixes to verify your configuration. 

Explanation 

Policy routing allows the router to forward traffic based on user-defined criteria without even consulting the IP routing table. In this example, R1 has no routing information for the Loopback0 prefixes of either R3 or R5, so it cannot route locally originated traffic to them. 

R1

show ip route 10.1.3.3 

% Subnet not in table 

show ip route 10.1.5.5

% Subnet not in table 

debug ip packet 

IP packet debugging is on

ping 10.1.3.3 repeat 1 

Type escape sequence to abort. 

Sending 1, 100-byte ICMP Echos to 10.1.3.3, timeout is 2 seconds: 

Success rate is 0 percent (0/1) 

!

IP: s=10.1.1.1 (local), d=10.1.3.3, len 100, local feature, feature skipped, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE 

IP: s=10.1.1.1 (local), d=10.1.3.3, len 100, unroutable. 

R1

ping 10.1.5.5 repeat 1

Type escape sequence to abort. 

Sending 1, 100-byte ICMP Echos to 10.1.5.5, timeout is 2 seconds: 

Success rate is 0 percent (0/1) 

IP: s=10.1.1.1 (local), d=10.1.5.5, len 100, local feature, feature skipped, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE 

IP: s=10.1.1.1 (local), d=10.1.5.5, len 100, unroutable. 

If traffic is received inbound on R1's VLAN 146 Ethernet segment and is sourced from R4's or R6’s IPv4 addresses attached to VLAN 146, it is policy-routed according to the route-map attached to the interface: 

R4

traceroute 10.1.3.3 

Type escape sequence to abort. 

Tracing the route to 10.1.3.3 

VRF info: (vrf in name/id, vrf out name/id) 

  1 172.16.146.1 63 msec 40 msec 17 msec 

  2 172.16.13.3 16 msec 


traceroute 10.1.5.5

Type escape sequence to abort. 

Tracing the route to 10.1.5.5 

VRF info: (vrf in name/id, vrf out name/id) 

  1 172.16.146.1 12 msec 3 msec 4 msec 

  2 172.16.13.3 2 msec 4 msec 2 msec 

  3 172.16.0.5 9 msec *  4 msec 

R6

traceroute 10.1.3.3

Type escape sequence to abort. 

Tracing the route to 10.1.3.3 

VRF info: (vrf in name/id, vrf out name/id) 

  1 172.16.146.1 11 msec 4 msec 2 msec 

  2 172.16.0.5 3 msec 1 msec 3 msec 

  3 172.16.0.3 3 msec *  5 msec 

R6

traceroute 10.1.5.5

Type escape sequence to abort. 

Tracing the route to 10.1.5.5 

VRF info: (vrf in name/id, vrf out name/id) 

  1 172.16.146.1 7 msec 2 msec 8 msec 

  2 172.16.0.5 5 msec *  2 msec

Verify the policy-routing configuration and that traffic has matched the ACLs:

R1

show ip policy

Interface      Route map 

Et0/0.146      POLICY_ROUTING 


show ip interface GigabitEthernet0/0.146 | i Policy

  Policy routing is enabled, using route map POLICY_ROUTING 

  BGP Policy Mapping is disabled 

  Input features: Policy Routing, MCI Check 


show route-map

route-map POLICY_ROUTING, permit, sequence 10 

  Match clauses: 

    ip address (access-lists): FROM_R4  

  Set clauses: 

    ip next-hop 172.16.13.3 

  Policy routing matches: 0 packets, 0 bytes 

route-map POLICY_ROUTING, permit, sequence 20 

  Match clauses: 

    ip address (access-lists): FROM_R6  

  Set clauses: 

    ip next-hop 172.16.0.5 

  Policy routing matches: 0 packets, 0 bytes       

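R1’s route-map used for policy routing does not match traffic sourced from other interfaces of R4 and R6. Unmatched traffic falls back to normal destination-based routing, and because R1 has no route to the Loopback0 prefixes, this traffic is dropped when it is received by R1 inbound on its VLAN 146: 

R4

ping 10.1.5.5 source loopback0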


Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.1.5.5, timeout is 2 seconds: 

Packet sent with a source address of 10.1.4.4  

..... 

Success rate is 0 percent (0/5) 


R6

ping 10.1.5.5 source loopback0

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.1.5.5, timeout is 2 seconds: 

Packet sent with a source address of 10.1.6.6  

..... 

Success rate is 0 percent (0/5)      

Configuration

R1

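ip access-list extended FROM_R4 
 permit ip host 172.16.146.4 any 
!
ip access-list extended FROM_R6 
 permit ip host 172.16.146.6 any
!
! Sequence 10: traffic from R4 goes to R3 over the Ethernet link
route-map POLICY_ROUTING permit 10 
 match ip address FROM_R4 
 set ip next-hop 172.16.13.3 
!
! Sequence 20: traffic from R6 goes to R5 over the DMVPN cloud
route-map POLICY_ROUTING permit 20 
 match ip address FROM_R6 
 set ip next-hop 172.16.0.5 
!
interface Eth0/0.146 
 ip policy route-map POLICY_ROUTING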

R3

ip route 0.0.0.0 0.0.0.0 172.16.13.1 
ip route 10.1.5.5 255.255.255.255 172.16.0.5 

R4

ip route 0.0.0.0 0.0.0.0 172.16.146.1  

R5

ip route 0.0.0.0 0.0.0.0 172.16.0.1 
ip route 10.1.3.3 255.255.255.255 172.16.0.3       

R6

ip route 0.0.0.0 0.0.0.0 172.16.146.1
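
The forwarding decision described in this lesson, as an added example that is not part of the original lesson: a Python model that parses R1's two route-map entries, as listed in the show route-map output, and reproduces the outcomes seen in the traceroute and ping tests. The connected /24 prefixes and the function names are assumptions, and the model skips the next-hop reachability check that IOS performs.

```python
import ipaddress
import re

# Constructed input: R1's PBR config as listed in the `show route-map` output.
R1_CONFIG = """\
ip access-list extended FROM_R4
 permit ip host 172.16.146.4 any
ip access-list extended FROM_R6
 permit ip host 172.16.146.6 any
route-map POLICY_ROUTING permit 10
 match ip address FROM_R4
 set ip next-hop 172.16.13.3
route-map POLICY_ROUTING permit 20
 match ip address FROM_R6
 set ip next-hop 172.16.0.5
"""
# R1 holds only connected prefixes (the /24 masks are an assumption).
R1_CONNECTED = ["172.16.146.0/24", "172.16.13.0/24", "172.16.0.0/24"]

def parse_pbr(config):
    """Return ACLs (name -> source hosts) and sorted (seq, acl, next_hop) entries."""
    acls, entries, acl, entry = {}, [], None, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            acl = acls.setdefault(m[1], set())
        elif m := re.fullmatch(r"permit ip host (\S+) any", line):
            acl.add(ipaddress.ip_address(m[1]))
        elif m := re.fullmatch(r"route-map \S+ permit (\d+)", line):
            entry = [int(m[1]), None, None]
            entries.append(entry)
        elif m := re.fullmatch(r"match ip address (\S+)", line):
            entry[1] = m[1]
        elif m := re.fullmatch(r"set ip next-hop (\S+)", line):
            entry[2] = m[1]
    return acls, sorted(tuple(e) for e in entries)

def forward(src, dst, acls, entries, connected=R1_CONNECTED):
    """Model R1's decision for a packet arriving on the policy-routed interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl_name, next_hop in entries:  # lowest matching sequence wins
        if src in acls.get(acl_name, ()):
            return f"policy-routed via {next_hop} (sequence {seq})"
    # No entry matched: fall back to the destination-based routing table.
    if any(dst in ipaddress.ip_network(p) for p in connected):
        return "routed via connected prefix"
    return "unroutable"
```

Running candidate source addresses through `forward()` before applying a route-map shows which traffic would bypass the routing table and which would fall through to it.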