FALL 2016 - CTS265 - CCNP ROUTE - Cisco Lrn. Labs Dis. #19: Policy Based Routing (PBR) - Week #7

Captions
Hello, good morning, CTS 265 section 840 students for the fall 2016 semester at Anne Arundel Community College. This is the CCNP ROUTE course, and this morning's video tutorial is going to be on Cisco Learning Labs discovery activity number 19, where we're now going to be building on the conversation we had about Cisco Express Forwarding, or CEF, when we looked at destination-based routing. Now we're going to talk about policy-based routing, or PBR.

Now, policy-based routing isn't sort of a wholesale replacement of Cisco Express Forwarding or fast switching or process switching, but it's an enhancement that you can use (and let me switch to web telnet here) when you want to override the Cisco default, which is destination-based routing. What PBR really is, is source-based routing, where we're going to be overriding the routing table decision. So let's go ahead and jump in here.

You can see we've got this notebook and we've got a PC right here, and they both sit out on this LAN segment, and they both have to come through the branch router in order to get to 192.168.100.0. Notice here 110 is our VLAN over here, 192.168.110.0, and this is 192.168.100.0, and there is a loopback address over there; something's configured over there with a .1. Looks like the interface here on the HQ router. So if I were to jump onto the notebook and go from user exec (and again, it says it's a notebook, but it's actually just a router that we're using here to simulate a notebook), if I was to trace over to 192.168.100.1, you'll see that my first hop is going to be to my default gateway, which should be 110.1, and it is; the first packet dropped, we had to ARP there. So you can see we go to 192.168.110.1, followed by 10.10.20.1. If we come back here to the diagram and take a look, we can see that this is the 10.10.10.0 and here is the 10.10.20.0, and if this is .2 then this is going to be .1. So the notebook traffic flows to its default gateway, that first .1, and then it flows up here to the WAN, and then we reach our destination on the HQ router. You can see that the notebook is going up through the WAN connection; it's not coming across the serial connection. This is how the routing is set up.

In fact, if we get on the branch router, let's take a look. If we get into privileged exec, I'll say show ip route. You can see that we are running EIGRP and we are learning this 192.168.100.0 from 10.10.20.1; this is our successor, our next-hop router to get to that network. So we're doing exactly what the routing table and what EIGRP is instructing us to do when we are going to that destination. When we're doing destination-based routing, we are going to take that next hop. And remember, when I say destination-based routing, what I'm talking about is when our traffic flows from the notebook here to this ingress interface on Branch1. That traffic comes in, right? It's sort of bits on the wire, electronic pulses that are on the wire, and then we pull those together and we see our layer 2 header information, where we have our source and our destination MAC address (let me make that a little larger there). These bits show up at the interface, the interface pulls them together, it looks at the layer 2 information, and Branch1 says, hey, am I the destination MAC address on these frames? And Branch1 says, yep, I see my MAC. So then Branch1 (and this is destination-based routing) looks at the layer 3 header, and we know that that's the IP packet, and it sees a source and a destination IP address. And what do we do when we're using CEF switching? It looks at that destination IP and says, OK, what does the FIB entry have for the next-hop layer 3 reachability information, which was this .1 address, and what does the adjacency table have for my layer 2 rewrite information, which means that's going to be my outgoing interface.

We know that because of the FIB. Remember (get the arrow right here), the FIB is built from the RIB. The RIB is just kind of like a phone book, right? It's not really referenced anymore, because we can do it way quicker by looking at the FIB and picking out the adjacency table. These two data structures right here, these are the data structures that we're going to be referencing. So we see, hey, we've got our outgoing interface, our next-hop information, and then we pair that with the adjacency table, which is going to show me, hey, if you're going out this outgoing interface, here is the source MAC and here is your destination MAC.

So let's clear the screen and let's confirm that when we come back onto Branch1. Let's go ahead and say show ip cef, and there it is. For the 192.168.100.0 you can see there is our entry right there. Here is our layer 3 reachability information: we have the next-hop IP address and the outgoing interface. Well, now that I know that information, all I need to do is say show adjacency detail, and here it is. For the layer 2 rewrite information, you can see that there's the next-hop IP, and we know that from the FIB, but now we get the source and the destination MAC addresses, and then we end up with a 0800 at the end, which in hex you would say 0x0800, and that's IP. So here is that information. The router is doing exactly what it's supposed to do: it's doing destination-based routing.

Now let's take a look at the PC and see what direction the PC is going to go, and we should see the exact same thing. So let's get from user exec to privileged exec, and we're going to say trace 192.168.100.1, and we should see that we hit our default gateway, which is the 110.1. After we ARP (we have the little asterisk there), we go to the 10.10.20.1, which is again that router up in the cloud up here for our WAN. So all of our traffic right now is traveling this direction; that's how we're getting there. It's the same thing here for the PC; the PC's going the same way. So we're not using the serial link right now.

So let's go ahead and clear the screen. The serial link is kind of our backup. If I was to get onto the branch router and go into global config (it's Ethernet0/0), if I was to get on Branch1 and go into global config and go to Ethernet0/0 and shut that port down, we can see that we lose that neighbor adjacency. So now when I say do show ip route, you can see that it does not appear. Let's say do show run | section eigrp, and these are some of the things that we need to look at. You'll notice that we're passive on Serial2/0, so while we're advertising that, it's a passive interface, which means there will be no neighbor adjacency formed over the serial link. So in a sense this is kind of a little contrived, in order to allow us to use source-based routing or policy-based routing, because if we were running EIGRP here, you would think we would be running EIGRP here, and when this link went down, well then instead of going this way the traffic would automagically go this way. But for whatever reason, on this link here we're not running EIGRP. Maybe it's a super slow link, maybe we've got static routing, right? And that's a key point to remember about policy-based routing: it is static. Policy-based routing is a static approach to overriding the default destination-based routing. What I mean by static is, let's say (let me change colors here because the lines are red), let's say that the traffic was going this way, that that was the primary path, and then we set PBR up on the notebook and we tell the notebook, yeah, go this way.

So we're going to create an ACL, we're going to create a route map, and then we're going to use that ip policy statement on the incoming interface on Branch1 to say, if any of the notebook traffic shows up (and again, a source-based approach, right? We're basing our routing decision on the source, on the notebook's traffic), we send it this way. Now let's say that link goes down, or this link goes down. This route map that we have here, the policy-based routing that we have applied, is going to continue to send the traffic that direction. So that's something to be aware of, and that's where the conversation of coupling IP SLA, or IP service level agreement, with PBR comes into play: in order to make it dynamic, we need IP SLA. But again, right now, in this introductory activity, they're just kind of walking through the concepts, but these are some things to keep in mind as we continue our conversation with policy-based routing.

So let's get back on Branch1. Again, we can see that it's clearly not running EIGRP across that; there's no adjacency. show ip route eigrp: we can see that there's no EIGRP routing information coming in, because we are passive on that interface. And again, if we weren't, then it would be EIGRP's dynamism, or dynamic capability, that would reroute that traffic for us. But since we don't have that, for whatever the reason may be, we need to go ahead and set up PBR, because with that interface down, on the notebook, if I trace now, what happens? Yeah, I get to my default gateway, my 192.168.110.1, and then it dies out; it's unreachable. So because we no longer have that next-hop information, if we were to say show ip cef, where is the 192.168.100.0 in here? It's gone. What about show adjacency detail? Well, show adjacency detail just shows the 110, but it doesn't show the adjacency going up to what it used to show, which was, I think, 10.10.20.1 out Ethernet0/0. So we don't see that information.

And I'm sorry, I was on the notebook there; I wanted to be on the branch router. So do show ip cef, my apologies, and again, same thing: the 192.168.100.0 is not there. do show adjacency detail, and we don't have any next-hop information for the 10.10.20.1. That interface is down, so our default destination-based routing is going to be broken. So now what we need to do... let's trace, or actually, what they're going to have us do: let me bring that interface back up on the branch router. So we'll say no shut, and this will re-establish the EIGRP adjacency with the WAN cloud, and there it is. Let's allow that to settle down. So now when we say do show ip cef, aha, now we've got this information back here. There is the destination IP and the next-hop address out that interface, so there's my layer 3 reachability information for this destination-based routing decision. Now when I say do show adjacency detail, you can see here is my layer 2 rewrite information, already done.

Very important here, I didn't comment on this initially, but remember the FIB, the forwarding information base, is using the RIB, the global routing information base, in order to populate its entries. So here's our FIB, show ip cef, and this uses the RIB to construct its information, to pull all that information together and to pre-calculate that information. And the adjacency table uses what, exactly? The adjacency table uses the ARP cache, or the ARP table, in order to pull that information together. If I said do show ip arp, there is my ARP information: 10.10.20.1, there's the outgoing interface, and there is the MAC address. So now I have that information. If I were to say do show interface ethernet 0/0, you can see the burned-in MAC address ends in 21, or so. This is the destination MAC to get to this next-hop IP out that Ethernet0/0 interface, and I already know my burned-in MAC address, and therefore it's very easy for me to construct. So if we came back up here you can see the 20. So this is the destination MAC, and then we have the source MAC ending in 2100, followed by (let me see if I get that; that last bit keeps popping off there; there we go) 0x0800, which is IP, Ethernet. All right.

So let's go ahead now and do some policy-based routing. If you're following along, in step 2 you're being asked to define an ACL on Branch1 to match the notebook's incoming traffic. So we're on Branch1. Quick note: with policy-based routing we're matching packets, and so you'll notice that you can't use prefix lists. We're not filtering routing information or prefixes, we're filtering packets, which is why it's the access list, and you can use a standard access list or you can use an extended access list. So remember that, but you cannot classify things or match using a prefix list. Can't do it, because we're manipulating packets, not prefixes. So ip access-list, host 192.168.110... and it should be 110.10, so we say 110.10... oops, sorry, I'm going to get that permit in there; ip access-list extended, host 192... actually, hold on a second, a little rusty here on the ACLs. So ip access-list extended, we're going to say notebook, and then I'm going to say permit ip host 192.168.110.10 any. So we've just created this ACL, and what we're doing here is it's a named ACL; the name of the ACL is notebook, and we are going to permit any IP packets from host 192.168.110.10 going anywhere. So when I say permit (and we talked about this last week), what permit really means in this context is I'm allowed to match on that host IP. That's really what we're saying: permit really means I'm matching.

So if I see any packets that show up on the inside LAN interface of the branch router (and there's that segment where the notebook is out here and the PC is over here), if any traffic shows up here and I see the source IP... again, this should really make clear why we call it source-based routing, because this ACL, when we dump it into the route map, is basically saying, if you see any IP packets with a source host address of 192.168.110.10, then we're going to be setting the next hop. We're going to be overriding the default destination-based routing and we're going to do source-based routing. Remember, if this was destination-based routing, we would be looking at where the packets are going in order to make a routing decision, but we're not; we're looking at where the packets are coming from in order to make this routing decision. Again, PBR is overriding Cisco's default destination-based routing.

So let's go ahead and clear the screen here. We have our ACL set up for traffic from the notebook going anywhere, and when it hits the router, now we're going to have a route map. So we're simply going to say route-map, and I'll just call it notebook. Now if I hit enter, remember the default is permit 10, so you don't have to say... well, we're not in the context-sensitive area, but you don't have to say permit 10; you could leave that off if you wanted to. Remember what the route maps... last chapter, last week, we spent a lot of time talking about route maps and prefix lists, and one of the things about the route maps was that we have an implicit deny any at the end. So we're permitting here, sequence 10, which means we're trying to match, and if we match we're going to be taking an action. But what are we matching on? So match ip address, and remember if it was a prefix list we would have to say prefix-list, but you cannot use prefix lists with PBR, because we're not filtering routes; what we're doing is matching on individual packets. So again, you can see here we can do a standard access list, a standard numbered, an extended numbered, or we can go with a named access list, and that is what we use. So this route map is going to try to match ip address notebook. In other words, it's going to evaluate the ACL we created named notebook, and we know that in that ACL what we're looking for is to match any source IP that is 192.168.110.10.

Now when we match that, what do I want to do? We can set the IP next hop (and actually, let me come back here): we can set ip next-hop, we can set ip address, we have the default option, and we'll talk about the default option as we move on here, but we're going to set ip next-hop, because we're going to override the default next hop of 10.10.20.1 and we're going to make it 10.10.10.1. Now remember there's an implicit deny any at the end, but that's OK, because we're not actually trying to match on anything else. So if I was to exit out here... let's just go end. If I was to say show route-map, you can see that there is my route map; we have an access list and we have a set clause, and we can clearly see that we haven't matched any packets yet. But that's because we haven't applied our route map to an interface yet.

And this is the last step. Remember, we define the ACL, we match the source IP, or it could be an entire subnet for that matter. Let me make sure I'm clear on that: we're matching a single host in this instance, but there's no reason it couldn't be more than a single host, or it couldn't be an entire subnet. Maybe our wireless traffic, which is on its own subnet, we want to go over the serial link and not over the WAN cloud, for whatever reason. We could match on an entire subnet, because again we can use extended ACLs to make that match. OK, so we're now going to go ahead and apply the route map to the inbound interface. Remember, there's two ways we can do this: we can match on ingress traffic, inbound traffic coming into the router, on which we're going to make this decision. And if I get the pen back here, from the perspective of the traffic flowing this way, from the perspective of Branch1, what would be the inbound interface for the traffic we're going to try to match? It's going to be Ethernet0/1. We would not set the ip policy statement here on Ethernet0/0, and we wouldn't set it here on Serial2/0; these are the outgoing interfaces. We want to override the decision. Now if you think about it, it logically makes sense: those bits show up on the wire, we look at the layer 2 frame, say yes, it's destined for Branch1, because we're the default gateway for notebook and PC, and then we peel back that layer 2 information, we go a little deeper to the layer 3, and we see, oh, the source is notebook. All the decisions are being made right here on this ingress interface: we see the notebook is the source of the packets, and so now we make that source-based routing override, if you will, to say we're not going to go that way, we're going to come this way. So it's too late to make that decision when the traffic hits the outgoing interface. You wouldn't put the policy statement here, because at this point it's too late; we're at the outgoing interface already. We want to catch the traffic early, so that way we can say, don't go that way, come this way.

So let's go ahead now and put our route map on interface Ethernet0/1 (let me double check that it is, yes, 0/1). So we go to the incoming interface, where the traffic is coming from, that LAN segment out there, and we say ip policy route-map, and then our route map name was just notebook. So now that we've put that on there, if I say do show route-map, what do you think we're gonna see? Well, we still see that there's no packets; we haven't had any policy routing matches down here at the bottom. How many policy routing matches have we had? Well, we haven't had any, and why is that, exactly? Because we haven't generated any traffic yet. If I were to say do show ip policy, there it is: interface Ethernet0/1 has a route map applied to it named notebook, and therefore we need to make sure that we generate some traffic here to see what's going to take effect.

So let's pull up the notebook... well, first let's pull up the PC. Now remember, the IP address of the PC (show ip interface brief) is 110.20. So should this match the ACL? No, because remember in the ACL we're matching the notebook, 110.10. So when I say trace to 192.168.100.1, you'll see that we go to 192.168.110.1, our default gateway, which is Branch1, and then we go out to the WAN, we go northbound (we're not going, where would that be, west? I guess we're not going west, we're going north), and so we go up to that WAN segment. So let's see now what happens when we go to the notebook. How is the traffic for the notebook going to flow now that we've made that change? Let's trace to 192.168.100.1, and take a look at that: we go to the default gateway, that ingress interface on Branch1 where we have that ip policy route-map statement defined, and Branch1 looks at the layer 2, says yes, this is destined for me, I'm the default gateway for the notebook, so the destination MAC is me. So I pull this off the wire, I peel back the layer 2 frame information, and I look at the source and destination, and specifically in this case, because we have a policy-based routing decision being made on this ingress interface for this LAN, I look at the source IP. I see that the source IP matches my route map, that it has an ACL in there that has identified the notebook, and so then I override the destination-based routing decision and I make a source-based routing decision to 10.10.10.1, which is the serial interface.

All right, so now let's take a look at a couple of ways we can see what's going on here, and one of those, if I were to get onto the Branch1 router, is we can do a debug. Now, I need to be sure that I'm clear on this: this command is probably not one, if you've got PBR running in your environment, that you're going to want to kick off on a production router in the middle of the production day. That command is debug ip policy. debug ip packet is another one you do not want to turn on in the middle of the production day. So we've got our debug on; again, we see nothing, because this is a simulated environment and we need to generate some traffic. So back to the notebook. We could do traceroute again, so let's run the trace, and we'll see some information over here on Branch1, and there we go. So what did it pick up? It looks at those ICMP packets, and you can see we have policy route-map notebook. And I love the debugs, because they really tell you, you know, you get to see the inside baseball, so to speak, what's going on behind the curtain. So here it is: we have route map item number 10, says permit, there is my source IP, there's my destination IP (because this is the packet coming in off the wire; it was destined to the default gateway, the source was the notebook), and take a look, it says policy routed. So again we get this sort of echo here of the route map notebook, permit 10, policy routed. When I say the echo, it's because we're sending multiple packets, multiple ICMP packets, and for each packet that's showing up we are going out the Serial2/0 interface. We came in the Ethernet0/1 interface, but now it's being overridden, because we're going to the Serial2/0 interface, and we have a policy match, and then policy routed. We have a policy match, and the PBR gets counted; it looks like an increment of the count. So FIB policy routed, because of the ip policy: this right here is telling us something very, very important. It's telling me that it's using the FIB to make the policy routing decision, and this is again so critical; I love the way they lay this chapter out. We talk about CEF, we talked about fast switching, we talk about process switching, then we go into the conversation on PBR, because what is this telling me? If it is FIB policy routing, am I doing process switching, fast switching, or is this actually still using CEF? Exactly: if the FIB is being used to make the routing decision, this is CEF-based switching. And again, FIB policy routed, so we are still using CEF switching to make our IP packet switching decisions inside the router. And this is the default in most recent IOSes; in earlier IOSes it was not the default, but it is in the more recent IOS releases, especially in the 15.x branch of code. But again, we're doing CEF switching, and so that's important. And again, FIB policy match, and that's important because it's not falling back to where we're doing process switching, because that would be a nightmare: we've got every single packet going to the CPU, and that is not a good thing. OK, so we see the whole story right here of exactly how PBR is working and how this is functioning.

So let's go ahead and recap. This is the end of the activity, so we're gonna go ahead and recap the highlights of everything that we covered. Remember, policy-based routing, or PBR, is a static solution, which means that the traffic that we matched and that we're sending over the serial link here, if we didn't have EIGRP running to make a dynamic decision and that link went down, we would be black-holing the traffic. So keep that in mind: PBR is static. It doesn't know that an interface has gone down somewhere; it just knows that, hey, I'm matching this ingress traffic and I'm going to override the default destination-based routing in order to do source-based routing. Remember that you can't do a prefix list, because we're talking about packets; we're filtering packets, we're not filtering routes. And so again, I love the way that the book is laid out, to talk about the route maps and the prefix lists and the ACLs, because now we get to see this is an example of where you can't use a prefix list, because we're not classifying the traffic based on prefixes; we're classifying it based on packets. And then again, remember, we could do it for locally generated traffic, or we can do it for ingress traffic. This is PBR, policy-based routing. So locally generated traffic would be if I SSH from the branch router or if I telnet from the branch router, and that would simply be the same route map structure: we would have an ACL on the source, we would have the route map, and then we would have our... I believe it's ip local policy or ip policy local. Let's take a look at that real quick, to try to manipulate the locally generated traffic that's coming from the router.

So if I were to get into global config, interface Ethernet0/0, and say ip policy... no, is it ip local policy? No, it's not local-proxy-arp. I'm drawing a complete blank right now; I can't remember the syntax. Let's see, ip policy... it's not route-map, no, that's not it; it's ip policy, but then... no, I cannot remember the command. ip... it's not local-proxy-arp. I thought it was ip local policy, but there's a way to do that, and I apologize, I am drawing a complete blank right now on that command. Give me a second here, let me pull up... let me make sure that it's not that we're missing, and I don't think it's that we're missing here; I think it's that I'm just unable to recall right now. FastEthernet0/0... so ip load-sharing... local... no, yeah, no, that's not it. I apologize, I can't remember the local statement, and I don't have anything in front of me here that I've written that down on. Taking a peek real quick... no, I definitely do not. So I apologize about that.

Let's see, so let's wrap this up then. We can say do show ip policy, which is going to show me some information. show ip policy... there we go, show ip policy, and I didn't have the show up there, yeah. So show ip policy; I could say show route-map to see the route map information; I could say debug ip policy, which we already did. And now take a look: you can see that we have matched 12 packets. If I came over to the notebook and I said ping 192.168.100.1 and repeat a thousand times, when that finishes and I come back to Branch1 here, you can see that we're catching all of that information. So if I say u all, for undebug all... and actually it stopped because we're not actually generating any more traffic. If I were to say show route-map, you would see that now we have a thousand and twelve packets that have been matched with our policy-based routing decision.

OK, all right, well, this is going to wrap up our conversation on policy-based routing. Remember again, it is a static solution; this is not going to dynamically change things once we define it. And give me a second here, I'm going to search real quick, "locally switched PBR," because I want to make sure I get you that command. I'm trying to write... yeah, I can't remember for the life of me, I can't remember the command. I know that they even talk about it in the text, so give me two seconds here. ip policy route-map, right, but the local PBR... ip local, yeah, it's ip local, but I didn't see that as an option. So Fa0/0... sorry, interface Ethernet0/0, so ip local... yeah, I didn't see that as a possibility, so maybe it's possible that it isn't on this platform. But I didn't see that here either; ip local, is local in here? And we just went by it; ip local policy route-map... yeah, I do not see it. I see local-proxy-arp, but I don't see the local policy. OK, all right, so I'm going to leave that as is, and so that is going to wrap up our intro into policy-based routing. All right, enjoy the rest of your weekend, and I will see you all on Monday.
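The Branch1 configuration the walkthrough builds piece by piece, collected into one block as an added example (this is not the lab's own configuration file). Addresses, interface names and the notebook ACL and route-map names are the ones used in the video; the global command for locally generated traffic (entered in global configuration mode, not under an interface, which is why it did not show up in the interface prompt above) and the IP SLA/track extension at the end are additions beyond what the lab configures, written for IOS 15.x syntax.

```cisco
! Branch1 - policy-based routing for the notebook host (added example, not the lab's config)
! Values from the video: notebook 192.168.110.10 and PC 192.168.110.20 on the Ethernet0/1
! LAN (gateway 192.168.110.1); EIGRP next hop 10.10.20.1 via Ethernet0/0; serial next hop
! 10.10.10.1 via Serial2/0; destination 192.168.100.1 on HQ.
!
! Step 1: classify packets, not prefixes. PBR matches packets, so a standard or extended
! access list is used; a prefix list cannot be referenced by "match ip address" here.
ip access-list extended notebook
 permit ip host 192.168.110.10 any
!
! Step 2: the route map. "permit 10" means "on a match, apply the set clause"; the implicit
! deny at the end leaves every other packet (for example the PC's) to normal CEF forwarding.
route-map notebook permit 10
 match ip address notebook
 set ip next-hop 10.10.10.1
!
! Step 3: apply on the ingress interface, where the source address is first examined.
! Applying it on Ethernet0/0 or Serial2/0 would be too late; the decision is already made.
interface Ethernet0/1
 ip policy route-map notebook
!
! Traffic the router generates itself (telnet/ssh from Branch1) never arrives on an ingress
! interface, so it is covered by the global command rather than the interface command:
ip local policy route-map notebook
!
! Verification used in the video:
!   show ip policy           -> Ethernet0/1 : notebook
!   show route-map notebook  -> "Policy routing matches" counter grows only with notebook traffic
!   debug ip policy          -> "FIB policy routed" shows CEF is still switching the packets
!
! ---- Extension (assumed, beyond the lab): make the static next hop conditional ----
! Plain PBR keeps sending matched traffic to 10.10.10.1 even after the serial link fails,
! black-holing it. An IP SLA probe plus a tracked object lets the set clause be skipped
! (falling back to the routing table) whenever the next hop stops answering.
ip sla 1
 icmp-echo 10.10.10.1 source-interface Serial2/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map notebook permit 10
 no set ip next-hop 10.10.10.1
 set ip next-hop verify-availability 10.10.10.1 10 track 1
```

With the tracked form, "show track 1" reports the probe state, and "show route-map notebook" still shows the match counters, so a failed serial link is visible in the same places the video uses for verification.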
Info
Channel: Travis Bonfigli
Views: 557
Keywords: AACC, CCNA, CCNP, CCIE, Cisco, Networking, PBR, Policy Based Routing, Discovery #19, Cisco Networking Academy, Cisco Learning Labs, ip policy route-map, CTS265, Anne Arundel Community College
Id: si3phrYl3NY
Length: 38min 49sec (2329 seconds)
Published: Sun Oct 16 2016