CCNP ENARSI - 1.2 Troubleshoot Route Map (attributes, tagging, filtering) - LAB 1

Captions
Hello again to those that have joined from the previous video, and to all others, welcome. This is Your IT Explained, and this video is a demonstration, in a lab environment, of the route map technologies from the Cisco ENARSI exam. So what we have in front of us is a GNS3 lab that I'm hosting on my home computer, and I'm just running intra-area OSPF routes between these five devices and then an external internet connection. Feel free to pause the video if you need to digest exactly what is configured here; otherwise we'll get started straight away with the route map configuration.

So first, what we're going to try and achieve here is we want to filter telnet traffic from Router 9 destined for this interface over here, so Router 5. Basically, on Router 5 we want to filter it so that it only takes a particular path, so I want it so that... well, actually, it prefers a particular path. So I want the telnet traffic that comes through here to go this way, through Router 4, and right now it actually has the option to go via Router 2, 3 or 4. So let's just verify what that looks like on Router 1 at the moment. You can right-click and go Console, or double-click on it, and then I'll just expand out this window so you can see it a little bit easier. Right, so I'm on Router 1, which is that device in the middle. Just to show you what's running, I'm going to do a show ip route, and we'll see we've actually got a fair bit going on here. There are many routes, including, up the top, a default route coming through OSPF; it's an external OSPF type 2 route, and it has three paths, as we can see here: 14, 13 and 12.
So the way that the addressing works is: the second octet matches the OSPF area number, the third octet matches the router numbers, so Router 1 to Router 2 is 12, 1 to 3 is 13, and then the last octet matches the individual router number. So this interface there would be .2, that would be .2, that's 5.5.5.5, etc. Okay, so now that we understand that, we can see we've got these directly connected connections, obviously all going through Router 1, but then we have that default route which has been distributed through OSPF, and we also have these two here. So it definitely knows about the 192.168.1.0/24 network and it's got those three paths to reach it, so it goes out any of these three paths. So right now, if Router 9 telnets through, it will basically choose whatever the best path is that's available at that time, because they've all got the same admin distance and the same metric.

I'll just open up a connection on Router 9 so you can see what its route table looks like before we test that out. So show ip route, and now we can see on Router 9 it's also learning that same default route, but if we go down to the bottom, it's also learning the OSPF external type 2 route to this. This is going straight to that next hop address, so that .1, indicating Router 1, between Router 9 and 1 being there. So it obviously just sends everything there as its only real connection, and then once Router 1 receives it, it sends it there, there or there, whichever way it wants to at the time. So we want to manipulate it so that telnet traffic going through is going to only take this path down here to go to there. Now, is that achievable in a route map? It certainly is, and let's have a look at how we configure that.

So make sure we're on the right device. I'm on Router 1; now this is where you configure the route map, noting we're looking for this traffic with the configuration on Router 1. So I'll just quickly show that we don't have any route maps
running. So show route-map returns nothing, and if I do show access-lists, nothing. Excellent. So we're just going to go to configure terminal, and now I'm going to specify, or define, our route map. I'm going to call it rm1, and I can leave this blank and press enter, and because I didn't specify anything here, it's going to use the defaults of permit and the default sequence number of 10. If you want to change that, you have to specify it; we'll verify that in a moment's time. But now remember we have to set the match command and the set command. You don't have to set either of those either, so I could just press exit now and that's done. So what's actually going to happen if I do show route-map, if I can spell? We can see it's created route map rm1; as I said, the default behaviour is permit, the default sequence is 10. The default match and set, it says, are left blank, but the actual behaviour of this is, because we didn't specify anything in this match clause, the default behaviour of the match clause is to match all prefixes. So right now this will match every bit of traffic that goes through, but we haven't associated this route map with anything, so it's not actually going to route any traffic as of yet. So you have to understand that this is the default behaviour, because it's potentially going to be something that you're going to be tested on when it comes to the exam, that deeper level of understanding of route maps.

So I'll go back into the route map, so route-map rm1, and I'll make sure we're going to the right place, permit 10, and I'm going to match ip address, and you can see here these are the options. I'm going to use an extended IP access list, and to use the extended range, an extended access list is between the numbers 100 and 199; those are our extended access list numbers as well. So this is a little bit confusing, because there is a slight difference between an ip access-list and an access-list; they're defined
differently and they behave a little bit differently, but you can just use an access list number here. So if I put in match ip address 199, we'll come back to that in a second when I define it. But what behaviour do we want for this traffic, this telnet traffic? Remember we wanted to set it so that it uses this as the next hop, so to specify that you do set ip next-hop and then the actual address, and that's it. So that's all well and good; we've defined that part of the route map, but remember we also need to now define that access list. So what I was getting at before is you can do access-list and define it this way, and you can see here 100 to 199 is one of the extended ranges and 1 to 99 is standard, or you do ip access-list, and it's actually a little bit different. So here you now type in standard or extended, so if I were to type in extended, you can then see it now refers to those numbers correctly. So just try not to get too confused on it. I'm using just a regular access-list definition here, I'm using that same number as before, and I am going to permit this traffic. And now you can start to get a little bit more nitty-gritty into the details. So we want to filter for telnet traffic from this network; it doesn't specifically have to be this host, I'm just going to say from that network. So for that I'm going to say tcp, because telnet is TCP traffic. Now you specify a source address, so I'm going to use that network of 10.10.91.0. Now you have to specify the wildcard mask for that, so I'm going to specify this as a /24.
And now you choose the destination, and I'm actually not going to specify a destination; I'm just going to say any. Traffic from here going through this device to anywhere, I want filtered to this next hop, because at the moment this is the only device that is configured to accept telnet anyway, so for me this works. I'm just going to say any. Now you have to specify eq, we'll say equals, and now you can put in the port number 23, or you can type in telnet, and that's it. So press enter and now it's defined. I'll show you what this looks like with the show commands. First we'll do show route-map... actually, I'll show you the access list first, so show access-lists. We can see we have this extended IP access list 199 defined; because I didn't specify any sequence, it uses sequence 10; it's permitting TCP from this address to any address equalling telnet. And now we'll have a look at the route map, and we'll see that route map rm1, as we looked at before, is still permit sequence 10; it's matching that access list that we've just created, and if it matches an IP range in that access list and the type of traffic is telnet, then it will perform the set clause, so it will then set the next hop address to this. Okay, if it does not match this, then it will move on to the next sequence in the route map. That's how route maps behave.

All right, so we've defined all that. The issue now is we haven't done that final step: we haven't associated the route map with anything. We've defined the route map, but it's not associated with an interface or a routing protocol. So what I'm going to do is I'm actually going to associate it with this ingress interface. You might think to put it on this egress interface, but that would be incorrect, because we're going through here, and by the time the router receives the traffic and it has to decide what to do with it, to process it, it might decide: I'm going to look at my routing table and then I'm going to look at what the best path is. Okay, I see the best path is this way,
and send it there, and when it hits this interface there is no route map, so it just goes. Because you put it here, it needs to check it as it enters the device, before it looks at anything else, at the routing table, on the ingress interface. And so for Router 1 this interface, you can see, is a serial link, so this is Serial 2/0, and that's where I'm going to put the route map. So I'm going to go back into configure terminal and interface Serial 2/0. Now, to associate the route map you type in ip policy route-map and then the name of your route map. Now, you don't specify in or out here; it's not like associating an ACL or an access-group, you can only specify the name. So if you press question mark, there is no option to say in or out, so it's just in any direction through that interface. And now we are done. We've created the route map, we have created the access list and we have associated the route map. So let's have a look. I'm going to again run show route-map, so we can see it's all as it was before, and now pay attention to this bottom line here, let me move it more centrally: policy routing matches: 0 packets, 0 bytes. Okay, now I'm going to go to Router 9 and I'm going to telnet to this address; let's see what happens. So on Router 9 I'm going to telnet to 192.168.1.5, and we can see it's prompting for a username. Excellent. I'll put in the username and the password and I'm in Router 5. So telnet success, and now I'm back into Router 9.
If I go to Router 1 and I refresh this command, show route-map, we can now see we have matched on this route map 40 packets, so it was evaluated. All right, so it has successfully evaluated this sequence for 40 packets, and therefore we assume it's used this set clause of setting it to the next hop IP of this address. Now this is where you have to really understand the proper use of route maps. This is kind of poor practice if you're trying to filter it so that you only want this next hop and, if this isn't available, don't use these. That's not really the purpose of a route map; that's where you'd go into access lists and down that path. So the issue is, if this next hop IP address is not available, so if this is down or this is down, this is not available, what will happen is it will run through this sequence, it will match, it will set the next hop address to that address even though it's not available, it will try to send it there, but it will realise that that next hop is not available. So what it does is it reverts to default routing behaviour: it looks up the routing table and then sends it out whatever the next best path is. So if this isn't available, it still will route and still will go via one of these other destinations. So let's actually test that to prove it. So if I go into configure terminal, I go into the relevant interface that I want to turn off; so I'm in Router 1 and I want to shut down this interface, which is R1 Ethernet 0/2.
So I'm going to interface e0/2 and I'm going to shut it down. Just wait a moment, and I will back out of configure terminal, and let's just do a show ip route. Now if we look here at our default route and our route to the 192.168.1.0 network, we can see we now only have two paths; we no longer have the 14 path, because that interface is down. So it's definitely not available; it's not possible to go down this direction any more, that interface is down. I know it looks green there, but we can't route in that direction. Right, so noting we haven't changed the route map, we can still do show route-map and it's still got that next hop set, and notice it's got 40 packets that have been evaluated. If I go to Router 9 and I telnet through again: success, it's reached the device. Okay, let me just exit out, yep, go back to Router 1, refresh the route map, and it has evaluated it again. So it did go through here, it did match that IP address, it set the next hop address to that despite it being unavailable, or it tried to, and because it's not available it does default router behaviour: it looks up that route in the routing table and sends it to either of these two destinations. So it's important you understand how these route maps behave. With all the complex things that you could manipulate and change, there are many different things that a route map can do, and I can't cover all of them in one video or you'll be here all day trying to learn about route maps, but that covers off some of the basics.

But let's say that, for argument's sake, you really want to set it so that it only uses this as the next hop, and if that then isn't available, instead of it trying to reach these destinations, it drops the packets or it doesn't route. Is that possible with route maps? Yes, it is possible, and I'm going to show you how we can do that. All right, so what we're actually going to do is we're going to make use of something else you need to understand with route maps, and that's tagging, tagging the
traffic. So we're going to add another set clause here: not only are we going to set the next hop address, we're also going to tag the traffic with a particular number. We're going to choose a number to tag it with, and then on these two interfaces, the other two choices that are available, we're going to match that tag and send the traffic to Null0. Okay, so we're going to match the tag that we set in this sequence, and then we're going to send the traffic to Null0, effectively meaning if it doesn't go here and it's trying to send it out one of these interfaces instead, then the traffic's going nowhere; it's going to Null0, which is effectively nowhere. That is how you could do it, and let's have a look at how we can configure this.

Okay, so we're going to go back in here and we're going to go to the same line in the route map, route-map rm1, and we're going to go to permit 10. We can leave the match statement, but we're going to add another set statement, so set tag, and I'm going to choose the same number as the ACL to make it easy, so 199, and that's it. Now I'll just do a do show route-map, and we can see I now have two set clauses under that same sequence, so it's going to do both of these things. So right now, will that change anything? I wouldn't anticipate anything to change. If we go to Router 9, it still works, no issue there. Why does it still work? Well, because we haven't done anything with this tag. Remember, we have to associate it with those interfaces. So what we're going to do is we're going to associate this route map with those interfaces, and we have to now do something with that tag, and that's going to involve the next sequence in this same route map. So if I go to route-map rm1 permit, on sequence 20 this time, I'm going to match, and if you do a question mark you'll see there are many things you can match, not just IP addresses; one of the options is tag. So I'm going to match the tag of 199, and so as long as the traffic has been tagged with 199, now I'm going to set the exit
interface to Null0. Okay, so are we done yet? Not quite; we've still got to associate it. Now you might be asking yourself, how do I associate just that one sequence with an interface, how do I associate both of these interfaces with just this sequence here? Well, that's not what you need to do; that's not how route maps work. Remember, route maps go through things sequentially and check the sequences one by one, and so we're actually just going to associate it with the same route map, and the route map will be checked when traffic is leaving, and what will happen, hopefully, is it's going to evaluate sequence 20, because it's going to match this and therefore set this. All right, so we can see it's got zero packets that have been evaluated so far, and again, if I telnet on Router 9 and now go back to Router 1 and we refresh that, we see that this hasn't increased at all, but this went from 74 to 92 packets. So it's still evaluating on that first sequence; the second sequence is not being used. So now I'm just going to check what these interfaces are on R1: Ethernet 0/0 and Ethernet 0/1. Now I'm going to go to interface Ethernet 0/0 to 1, so interface range, so now I'm in both of them, just to make it a little bit easier, and now I'm going to do ip policy route-map rm1. Done. Okay, so noting that this interface is still down on R1, what do we think is going to happen when I try to telnet through on R9 now? Let's see; hopefully you come up with an answer. It's trying. Noticing before it was working instantly, and now we've got a connection timeout, remote host not responding. Let's try again: trying, trying, it's trying and no dice, sorry mate. Let's have a look at the route map, so we can see that we now have four packets that have been evaluated by sequence 20.
So four packets that have matched and therefore have been set to interface Null0, so it would have been two packets per attempt. Let's just double check that. I'll go back to Router 9, run it again; it's going to try for a few seconds and then it's going to time out and fail. There we go. Let's recheck: yep, it went up by two. Also noting that the first sequence has gone up by two; now why is that going up by two as well? Well, that's because this has matched as it's entered Router 1 through serial interface Serial 2/0, and then the second sequence has matched as it's tried to leave either interface Ethernet 0/0 or interface Ethernet 0/1. So we have now, effectively, using route maps, manipulated traffic so that it'll only use this one next hop address. Not good practice; this is not best practice. You should be using just access control lists if that's what you want to achieve, normally, or there are other options available to you; route maps are not the best option to achieve this goal.

So let's just go into that last interface and bring it back online, just to verify everything's working the way we want it to. Okay, so it's going to come back up; we'll just give it a little bit of time for the OSPF neighbour adjacencies to come back up. There we go. Hopefully everything is working again. So if I go out of this and we do a show route-map, we'll just double check: we've got 98 packets on the first sequence and six packets on the second one. Now if I try to telnet: boom, prompted for username again, and I'm back into Router 5. Excellent. Now if I go to Router 1, you can double check this has had plenty more packets go through it in the first sequence, but if we look at sequence 20, it was previously on 6 and it's still on 6.
So what happened when it came through Router 1 is it went through that interface, it matched this; because that interface has this route map associated with it, it checks, starting at the first sequence; it found that it does match telnet traffic as per the access list here; it sets the tag to 199 on the traffic and the next hop to this address. So it doesn't matter that it set the tag to 199, because the device isn't looking on this exit interface, Ethernet 0/2, for that tag; there is no route map configured on that interface, it doesn't care for it. So the tag is there on the traffic, but the device just goes, okay, I see the tag there, and just sends it on to the next device. Router 4 will receive the traffic, see it's got a tag, but it hasn't been told to do anything with that tag either, so it just sends it on and treats it like normal. That's why this sequence hasn't been evaluated: because we have not associated this route map with this final interface.

So hopefully you've learned a fair bit about route maps and their strengths and weaknesses. They all fall under policy-based routing, and it's meant to be used to manipulate the way that we utilise traffic connections, especially in this redundant sense, but the biggest and most common use for these route maps is when it comes to redistributing between different routing protocols, and also just between intra areas as well. So we've covered off the first part of the use of route maps, and now we'll follow with a little bit more detail into how we can use route maps with routing protocols.

For people that want to learn a little bit extra and get a little bit more in depth into the route map, I've got some bonus material to cover off, and some real eagle-eyed viewers may have noticed that there's potentially an easier way to do this, but let's just see if we're both thinking about the same thing. So you might be asking yourself, why bother with this tagging and sending it to a null
interface and everything, when you could just do a route-map rm1 deny instead of permit? Wouldn't that just achieve exactly what you wanted? You wouldn't have to bother with this sending it out interface Null0 if you just change it to a deny sequence instead, right? Surely? Well, let's see. Let's see what happens. So I go conf t. I love saying "let's see"; I love just going into an actual demonstration so you can actually see how everything works; hopefully it's not too annoying when I say that. So route-map rm1, we're going to go to permit 20 and we're actually going to just put no on the start, and that's going to remove that entire sequence. So I'm going to do show route-map, and you can see there's only sequence 10. So this time we're going to basically do the same thing; I'll just do up arrow here and I'll get rid of the no on the start, so the same thing, route-map rm1, but we're going to replace permit with deny on sequence 20. So we're going to deny on sequence 20. Let's match the same thing we had before, so match that tag of 199; so any traffic that has been tagged with 199 is going to be denied by the sequence, and that means we don't have to set anything, right? So if we hit exit, done. Let's just do a do show of the route map, and we can see we have route-map rm1 permit sequence 10 and then route-map rm1 deny sequence 20, and it's matching this tagged traffic. Now you might be wondering, well, isn't that a concern, isn't legitimate traffic now going to be denied? No, because a route map, if you remember from the theory lesson, once it matches a particular sequence, performs whatever it's been told to do and then it breaks out; it doesn't do the next sequence. So as long as it matches, as long as it is genuine telnet traffic from that network, it sets the tag to 199 and the next hop, but it will not perform sequence 20, because it has matched; it does that one sequence and then breaks out of the route map. If it doesn't match in this, then it moves on to sequence 20.
That's how it works. So now, if we think about what's going to happen when the traffic is trying to go: we'll shut down this other interface, so shutdown interface e0/2, so again we're now going to be forced to go via R3 or R2 for that telnet traffic. So, I'm just scrolling up a little bit, for the telnet traffic now going through R2 and R3, it's going to have the tag on the traffic already, as it came in on the egress interface on S2/0; it's then going to go to sequence 20, and it's going to have this deny sequence 20 for the traffic that's tagged 199. Let's have a look what happens. So in Router 9 I'm now going to telnet through to Router 5: it works. It does not deny. Okay, so it doesn't just deny it on its own; that is not how the route maps work. So try not to think of that deny option in the route map as something that you can use here, because when you're associating it with the interfaces like we're doing in this example, that's not how the route map operates. You can use that deny function more when you go into using route maps with routing protocols, but as we're associating it with interfaces, it doesn't behave that way. So just do a double check of the route map, and we can see it has not evaluated that sequence at all. Okay, so it has not actually run through that sequence at all. Even if we add in this set clause, let's have a look: so we go to route-map rm1, we go to deny 20,
so we're in the same sequence, and now let's do a set, the exit interface, to Null0. So now we basically have the exact same thing we had previously, except we have the word deny instead of permit here. So the same thing we had before: we're matching, sending it to Null0, it's still associated with interfaces E0/0 and E0/1, route map rm1 that is. But let's have a look: is it going to do the same thing? Telnet: no, telnet still works, and if I refresh this, it hasn't matched. It's not matching. Let's just show you how it does work again. If I go to route-map, the same name, rm1, and I'm going to permit like we did before, and now I'm going to go to sequence 30 and just do the same thing: match tag 199 and set interface to Null0. So what does it look like? show route-map, and now we can see we have sequence 10, which is permit, we have sequence 20, which is deny, and sequence 30, which is permit. So sequence 30 and 20 are the exact same; they're matching on 199 and they're setting the exit interface to Null0, but the first one, sequence 20, is deny and the second one is permit. Okay, so let's have a look what happens when that match goes through the router. Ah, of course; I was confused there for a second. So what it's doing is it's going through and hitting this sequence here, and as soon as it hits this deny, it's then breaking out of the route map, right? So it's basically going through this deny sequence here and that's it; it doesn't do anything. Once it hits that deny, it's gone. This is the weird behaviour of how the route maps work when you're associating the route map with an interface. So if I remove this sequence altogether, we should see a bit better performance, because what's happening is it's hitting this, basically doing it, or ignoring it, and then breaking out of the route map. So it's no longer going through to sequence 30, because it's essentially matched this deny, which
does nothing. So if I go back into configure terminal and let's do a no route-map rm1 deny on sequence 20, and that should be it. So now we have sequence 10 and sequence 30, right, as we had it before initially, except this is on sequence 30 now instead of 20. Now if we go back to Router 9 and telnet, it's going to fail. All right, connection timed out; just double check again, now it times out once more, and then if we refresh this show route-map, we are seeing it's now evaluating sequence 30 again. Okay, so before, if I scroll up a bit, when we had the three sequences, 10, 20 and 30 (let me just move this so I can try and move the screen up a little bit), okay, so sequence 10 and then 20 and 30: it was not getting through to this sequence when it was going through the first two interfaces, so Ethernet 0/0 and 0/1 on Router 1. It was only reaching the sequence 20 deny and then leaving; it was not performing anything at all, which basically means that the traffic is allowed through. So it's quite confusing and can be very hard to wrap your head around, but that is why you don't use route maps for this sort of route manipulation, not route manipulation but traffic manipulation; that's not the purpose for them. Okay, so this bonus material, it's a little bit more complicated, but if you now fully understand it, you now understand some of the limitations of route maps and why you wouldn't use them for this sort of network behaviour. Okay, hopefully you've learned a lot and I will see you in the next one.
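The route-map evaluation rules this lab demonstrates, modelled as a short Python simulation so they can be stepped through without a router: a bare route-map rm1 (permit 10 with no match clause) matches every packet; sequences are evaluated top-down and the first matching one wins; a matched deny sequence means the packet is simply not policy-routed, its set clauses are ignored and no later sequence runs; a set ip next-hop whose next hop is unreachable falls back to the routing table; set interface Null0 discards. This is an added example for this page, not the video author's configuration and not Cisco code. The packets, ACL 199 and the counters are constructed to mirror the lab; the next-hop address 10.1.14.4 follows the lab's addressing scheme but is an assumption, and the helper names are this example's own. It deliberately models only the sequence evaluation, not the set tag / match tag construction from the video.

```python
"""Model of how a Cisco IOS policy-based-routing (PBR) route-map is evaluated.

Added example for this page; not the video author's configuration and not
Cisco code. It reproduces the evaluation rules the lab demonstrates: top-down,
first matching sequence wins, a matched deny sequence means "do not
policy-route", and an unreachable 'set ip next-hop' falls back to the routing
table. Packets and ACL entries are constructed; the next-hop is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class AclEntry:
    """One line of an IOS extended ACL, e.g. 'permit tcp 10.10.91.0 0.0.0.255 any eq 23'."""
    action: str
    proto: str
    src: str                      # address or "any"
    src_wildcard: str             # unused when src is "any"
    dst: str
    dst_wildcard: str
    dport: Optional[int] = None   # the 'eq <port>' clause, if present


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if base == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; no match hits the implicit 'deny any' at the end."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wildcard):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wildcard):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


@dataclass
class Sequence:
    seq: int
    action: str                                          # "permit" or "deny"
    match: Optional[Callable[[Packet], bool]] = None     # None: no match clause, matches everything
    set_next_hop: Optional[str] = None
    set_interface: Optional[str] = None
    hits: int = 0                                        # the 'policy routing matches' counter


Decision = Tuple[str, Optional[str]]


def policy_route(route_map: List[Sequence], pkt: Packet, reachable: Set[str]) -> Decision:
    """Evaluate a PBR route-map on one packet.

    Returns ("next-hop", ip), ("interface", name) or ("routing-table", None);
    the last means the packet is forwarded by the normal routing table.
    """
    for s in sorted(route_map, key=lambda x: x.seq):
        if s.match is not None and not s.match(pkt):
            continue                                     # not this sequence; try the next one
        s.hits += 1
        if s.action == "deny":
            return ("routing-table", None)               # matched deny: not policy-routed, stop here
        if s.set_next_hop is not None and s.set_next_hop in reachable:
            return ("next-hop", s.set_next_hop)
        if s.set_interface is not None:
            return ("interface", s.set_interface)        # Null0: the packet is discarded
        return ("routing-table", None)                   # next hop down or nothing set: normal routing
    return ("routing-table", None)                       # no sequence matched: normal routing


ACL_199 = [AclEntry("permit", "tcp", "10.10.91.0", "0.0.0.255", "any", "", 23)]
NEXT_HOP_R4 = "10.1.14.4"   # assumed: R4's address on the R1-R4 link, following the lab's scheme


def rm1(seq20: Optional[str] = None) -> List[Sequence]:
    """route-map rm1 permit 10 as in the lab, plus an optional catch-all sequence 20 to Null0."""
    seqs = [Sequence(10, "permit", lambda p: acl_permits(ACL_199, p), set_next_hop=NEXT_HOP_R4)]
    if seq20 is not None:
        seqs.append(Sequence(20, seq20, match=None, set_interface="Null0"))
    return seqs


def run_lab() -> Dict[str, Decision]:
    """Replay the situations from the lab and return each forwarding decision."""
    telnet = Packet("10.10.91.9", "192.168.1.5", "tcp", 23)   # constructed: R9 telnetting to R5
    ping = Packet("10.10.91.9", "192.168.1.5", "icmp")        # constructed: anything that is not telnet
    results: Dict[str, Decision] = {}
    results["telnet, R4 link up"] = policy_route(rm1(), telnet, {NEXT_HOP_R4})
    results["telnet, R4 link down"] = policy_route(rm1(), telnet, set())
    results["ping, no sequence matches"] = policy_route(rm1(), ping, {NEXT_HOP_R4})
    results["ping, permit 20 to Null0"] = policy_route(rm1("permit"), ping, {NEXT_HOP_R4})
    results["ping, deny 20 to Null0"] = policy_route(rm1("deny"), ping, {NEXT_HOP_R4})
    results["bare 'route-map rm1'"] = policy_route([Sequence(10, "permit")], ping, set())
    return results


if __name__ == "__main__":
    for name, decision in run_lab().items():
        print(f"{name:28} -> {decision}")
```

Running it prints one decision per scenario; the two worth comparing are "telnet, R4 link down", where sequence 10 matches and increments its counter but the packet still goes to the routing table because the next hop is gone, and "ping, deny 20 to Null0", where the deny sequence is hit but its set interface Null0 is never applied. The hits counters on the returned Sequence objects play the role of the "policy routing matches" line in show route-map.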
Info
Channel: Your IT Explained
Views: 40
Keywords: Ccnp, enarsi, cisco, exam, topics, troubleshoot, tshoot, aus, aussie, 1.2, route maps, route-map, certified, lab
Id: XKHF4aVXZa4
Length: 40min 27sec (2427 seconds)
Published: Mon Oct 04 2021