Policy Based Routing and Route-maps

Captions
Today I thought we'd take a look at some basics of policy-based routing, and along with that, the foundation of policy-based routing in the Cisco world, which is the route-map. We'll go through a little bit of troubleshooting and some of the caveats around route-maps, but let's take a look at policy-based routing first. A quick definition, for the purpose of this video and for a lot of purposes: policy-based routing is when you want to route traffic based on a policy rather than on the normal routing mechanisms that the router or the Layer 3 switch might employ. In a nutshell, you want to route traffic and you want to override what's in the routing table; that might be a good way to start looking at it. You have your routing table, but you have a policy, and your policy needs to route traffic differently than what's in the routing table, no matter how the routing table gets its updates. It can be networks that are advertised, it can be dynamic routing protocols, whatever; we want to route traffic based on a policy rather than on the routing table.

So here's a quick scenario that I drew up so that we can start looking at this. Let me explain it rather quickly. Router 1, down here in the middle, is going to be our core router; that's where most of the action is going to take place. Router 5 we're going to think of as a client computer. On router 1 we've created a Layer 3 VLAN, VLAN 10, and 10.1.3.0/24 is that VLAN's network; that's going to be like our client VLAN. On router 1 I've also created a Layer 3 VLAN interface, an SVI, and I've assigned it the IP address 10.1.3.1/24 out of that network. Our client, router 5, is connected to Fast 1/1, but Fast 1/1 is not a routed port on this router; it's actually a Layer 2 port, and it's been assigned to VLAN 10. Router 1 also has another connection that goes up to router 3. Router 3 is going to be like a lab router; beyond router 3, on the other side of it, we have a lab network, 155.65.1.0/24. Router 1 has a default route that points to router 2, so if it doesn't know what to do with traffic it sends it on to router 2. In this case I've set router 1 up to only have a single default route pointing to router 2; it does not know about the lab network.

So let me bring up router 1 quickly here and we can take a look at its routing table. Here's router 1: show ip route. Here's our routing table. It's got those three connected interfaces that we saw, one to R2, one to R5 and one to R3, and a static default route pointing to Fast 0/0 on router 2. I don't have any dynamic routing protocols or any other static routes set up in this environment.

So here is the policy that we have to base our route policy on; here's the written policy. In a nutshell, what it says is: any traffic that comes from VLAN 10, that's sourced from VLAN 10 and is destined specifically to this lab network, I want you, router 1, to send to router 3, and do not send it to your default route. That's what it says in a nutshell. So here we are: traffic sourced from VLAN 10, down here, the 10.1.3.0 network, and destined for the lab, send it to router 3. Now the next part of that is: if router 3 is not available, then I want you, R1, not to send it to router 3, because it's not there; send it out your default route like you would any other traffic. Any other traffic that comes out of VLAN 10, which is our client network, again, any traffic that comes out of VLAN 10 that's not destined for the lab network, isn't going to go here; I want you to send it out your default route. So again, only traffic out of VLAN 10 that is specifically sent to this lab network needs to be routed via our policy; the rest of it can fall back to the routing table. Any other traffic on router 1 should take the default route. So again, just another statement that only traffic sourced from VLAN 10 and destined to the lab network should follow that path. Let's say we had another VLAN, VLAN 20, down here. If someone from VLAN 20 was trying to get to the lab, that doesn't match our criteria, because our criteria says only from VLAN 10; so VLAN 20 trying to get to this network should still take the default route. Our policy should not include anyone except those users that are on VLAN 10.

Okay, we looked at the routing table, and we saw that in this scenario we're not accomplishing this with routing. This is because we want to look at what we can do with route-maps, not necessarily how we would solve this problem properly. There might be security reasons that we can't advertise this network into router 1, or maybe there's a firewall here, I don't know, but for the sake of this video we're going to use route-maps to accomplish this.

So let me bring up router 1; that's where most of the action is going to happen, and we'll get started creating our route-map. Now, a route-map is very similar to an if-then statement; that's probably the easiest way to look at it. If you're familiar with older programming languages, they all have some equivalent of an if-then statement. Our route-map works basically as: if this is true, or if this is false, if some criteria is met, then do this. And a route-map is based off of one or more, in policy-based routing terms specifically, one or more access lists. So the first step in accomplishing our policy-based routing for this scenario is to devise an access list that defines our goal. When you start to think about this, you've got to think about what's the best way to write my access list to meet my match criteria. Again, it could be a series of permits and denies to meet your criteria; it's an access list, you can make it as long as you want, whatever it takes to finally encapsulate your goal. In this case we're going to use an access list with a permit statement, because this can be accomplished in a one-liner on a permit statement.

So let's bring up router 1, go into config mode, and create an access list: ip access-list. We're going to make an extended one, because we've got to specify a source and a destination, and I'm going to give it a name, ACL_route_to_lab. I've gotten in the habit just recently, it's taken me a long time to figure this out, of putting prefixes on a lot of the things I create. So an access list I'll prefix with ACL, a route-map I might prefix with RM, a class-map I might prefix with CM. The problem is that I tend to name things very similar to each other when they perform the same function, so I might call this ACL route to lab, and then when I go to create my route-map I might name it something very similar, and then when I'm trying to troubleshoot or tweak it I can't remember by the name: was this the ACL, or is this the actual route-map? So what I tend to do now is prefix these so I know what I'm looking at.

So again, to encapsulate our traffic, or to define our traffic pattern, we're going to say it's permit ip coming from VLAN 10, so coming from 10.1.3.0 0.0.0.255; that defines our VLAN 10 from a Layer 3 perspective; going to the lab, 155.65.1.0 0.0.0.255, again our wildcard mask. Okay, that defines our traffic coming from VLAN 10, this IP space, the /24 network, going to the lab space on this /24 network. So coming from 10.1.3, make sure that's right, 10.1.3.0/24. Okay, so that's our access list; it's just a one-liner to meet our criteria. So let's get out of there.

Now the next thing we need to do, now that we have an access list that our route-map can refer to, is create our route-map. So let's go ahead and do that: route-map, and we've got to give it a name, and I'm going to use RM as the prefix, the same thing that I had mentioned before, and I call this to_lab. Now, very much like an access list, a route-map can have multiple pieces to it; it's got permits and denies and sequence numbers. So in this case we're going to use another permit, but again, depending on what you're trying to accomplish, you may have a series of permits and denies. And then after the permit we give it our sequence number; I'm just going to go with 10, the first one in our sequence. All right, so we have our route-map, we have the route-map name, we've got its sequence number, and our route-map is going to permit something to happen. So what we want to do next is our if/then clause, like I had mentioned before: our if statement, or our criteria, is the match, and then when it matches we want to set some action.

So let's look at our match options. Most of the options have to do with BGP and MPLS; we are going to look at IP-specific options for our policy route, so we want to go into ip. We're using IP, not IPv6, but we could do some of this under IPv6 if we had such a setup. Under ip we have where we specify an address, next-hop or route-source. We're going to go with address, and in this case what it really wants for an address is an access list. Now, if we were really looking for a single address, our access list could contain a single host entry, so the word "address" is a little bit misleading in there, in my opinion, but now we specify an access list. The access list that we defined for our route-map was up here, ACL_route_to_lab; that was the name of our access list that we want our route-map to use as its criteria. Now we could specify another criteria, another match. If you put match statements on the same line it becomes a logical OR; if you put match statements on separate lines it becomes a logical AND. We only have one match statement here; we're not going to make an OR statement or an AND statement, so we're just going to hit enter. So our first statement, our match statement, is: match based on this ACL.

So let's go back and take a look again. Now we're going to do a set. In our set statement we're going to be working with IP specifically again, so set ip. Let me just back up real quick and show you a question mark here. When you look at the set, again there's a tremendous amount of things you can do on the set clause. Because we're limiting it to policy-based routing, a lot of this doesn't apply specifically for IP routing; a lot of it is BGP and MPLS, but there are some things that you could do here in a policy-map. So take a look through here; depending on what you're trying to do, some of this may be useful to you, some of it may not. For example, in addition to ip, we can force an interface. What's something else that we might want to do? You can specify a metric, you can override a metric, you could specify a VRF, or again, this is BGP, you could specify a weight. So under set we can do a lot of things. We're going to work with set ip, and what we want to do is set the next hop. There are a few options that we have; we're going to do next-hop. Now here's what we can do under next-hop: we can specify the next hop, and the other one that we're really interested in is verify-availability. So let's specify our next hop first. When our condition is true, we want the set statement to set the next hop to be this interface on router 3, 10.1.2.1. So the next hop is going to be 10.1.2.1. Okay, and then after that we're going to say set ip next-hop verify-availability. Now we can hit carriage return here, or we can expand it a bit. If we expand it a bit and keep going, we get into tracking, which gives us even more flexibility in our route-map, because we can track certain events, and when events are true or false certain things happen. I'm thinking of putting together another video to go over tracking, not necessarily in route-maps but tracking in general. So at this point we're just going to hit enter.

All right, let's get out of our route-map and do a show route-map. So here is our route-map; here's the name of it, RM_to_lab; it's a permit; we've got sequence 10. For this example we are only going to use the one. Our match clause is that it has to match ACL_route_to_lab, and our ACL is a permit, and it permits the traffic from VLAN 10 up to the lab space. When that's true we're going to set the next hop to 10.1.2.1, and before we force it to that next hop we want to verify that 10.1.2.1 is still there. So those are our criteria. Okay, so that takes care of the creation of our route-map.

Now we need to apply our route-map. Our route-map, very similar to an ACL, has to be applied to an interface so that it captures the inbound traffic. So when we look at our network map, just like an ACL, we want the statement to be applied on the interface that's generally closest to the source. In this case our source is VLAN 10, so we're going to apply the policy to VLAN 10. Now in this case it's VLAN 10's Layer 3 interface, because we're dealing with routing; it's got to be Layer 3. VLAN 10's Layer 3 interface is actually this SVI; it's not this interface. This interface is a Layer 2 interface that's a member of VLAN 10; we need to actually apply it to the SVI. So what we're going to do is go back into the config of router 1 and apply the route-map that we just created onto this logical interface for VLAN 10. So let me bring router 1 back into the picture: show ip interface brief, so we know that VLAN 10, right down here, SVI 10, is the interface that we want to apply our route-map on. show run interface vlan 10: a very simple interface right now, for an example, and we're just going to add one more statement to it. Under interface vlan 10 we're going to say ip policy; the only option we have is route-map, and then it wants the name of our route-map, and right up here the name of our route-map was RM_to_lab. So that is the route-map policy that we want applied to VLAN 10 when traffic hits it.

So what's going to happen, as traffic comes into VLAN 10, is that it's going to process this route-map first, because we told it to on the interface, before the router consults the routing table to see what to do with that traffic. So if we put this together right, if our logic is right with our permits and our denies, when we do our traceroute from VLAN 10, sourcing it from VLAN 10, because remember it has to come from VLAN 10, we should see it routed to what we specified as the next-hop address, which was router 3. So let's get out of here and see what happens. Let's source the traceroute from VLAN 10 and see where it goes. We are going to traceroute to the lab, because that's part of one of the definitions: it has to come from VLAN 10 and go to the lab. So 1.1 is a valid host in the lab; let me back this up: traceroute ip and then 155.65.1.1, a valid host, and we want to source it from VLAN 10 so that it matches our access list criteria. So let's see what happens with our traceroute. Okay, we can see right here it did not behave as we expected; it still sent it to 10.1.1.1. Now 10.1.1.1 doesn't know what to do with it, because right now 10.1.1.1 really has no route into the lab; that's why we're getting the drops here. But it sent it to 10.1.1.1 when our policy told it to send it to 10.1.2.1.

So let's do some troubleshooting here and see if we can figure out what happened. Let's take a look at our access list. Okay: 10.1.3.0/24 to 155.65.1.0. We have no hits against our access list, so our access list was never consulted. Let's make sure: show run interface vlan 10. Our policy-map is applied to the proper interface. So let's do the show route-map: it's using that access list and setting the next hop to 10.1.2.1. The next thing we might want to look at, if you're trying to troubleshoot this, because it appears to be a routing issue, is a show ip route. Again, our route-map in no way affects the actual routing table, or the CEF table, or the adjacency table. So according to what we have here, we still only have one route; the routing table has not been adjusted by our policy-map.

So let's try doing this from a host that is not on the switch; let's try doing this from a host that's still on VLAN 10 but is not the router itself. Let's just hop down to router 5 and try to do the same thing: source our ping from router 5 going into the lab, and let's see what happens. So let me bring up router 5, which is right here, pull it into the window, and let's take a show ip interface brief. This just has one IP address, which is in the network range for VLAN 10, and it's connected to a switch port on router 1 that's a member of VLAN 10. So if we do a traceroute ip to that same address, 155.65.1.1, and source it from, let's say, fast 0/0: okay, here we go. It sent it to its default gateway, 3.1, which is the SVI right here, the SVI on router 1, because it's a member of VLAN 10; its Layer 3 next hop is the SVI on that interface. And then it sent it to 10.1.2.1, which is our lab router, right where we wanted it to go. If it came from this network, the VLAN 10 network, and is destined for the lab network, we wanted router 1 to send it to router 3.

So let's take a look back at router 1 and see what's going on here. Let's do a show ip access-lists. Okay, we see now that we have matches against our access list. If we do a show route, which is short for show route-map, we see that we have matches on our route-map, right down here. So our route-map is working. The reason it's not working when we source it from router 1 is that Cisco routers and switches will not apply a policy-map to a locally originated packet. In this case, when we sourced the traceroute from router 1, it was locally originated on router 1, so it will ignore it as far as a route-map, as far as PBR, is concerned. To override that behavior we go back into our config, and we just tell it ip local; the only option here that we want to choose is policy; the only option we have under that is route-map; and we have to tell it the name of the route-map that we want it to process locally originated packets for. So here's the name of our route-map, RM_to_lab; enter. That should be it. So now we're telling router 1: hey, even if you originate it, because I originated it with my traceroute, I still want you to process it on that route-map. Now, we had to specify the route-map. If we had more than one route-map created on this router, as it stands right now locally originated packets would only be processed against this route-map; any other route-maps would still ignore them unless you specified them as well. So let me hit the up arrow a couple of times so we can go right back to our traceroute. All right, let's see if it works this time; let's see if a locally originated packet from router 1 will actually get routed properly. Okay, and there we see it did. Because we put that command in there, it processed it locally and sent it on to router 3, which is exactly what we wanted it to do.

All right, so we have the first goal accomplished: traffic coming from VLAN 10 going to the lab network is being routed directly to router 3. If router 3 is not available, then the default route should be used. Okay, so let's do this. When we created our route-map, we put a line in there that I told you was specifically to add some modicum of redundancy to our routing, because the routing table is not consulted in a route-map. So let's do a show route-map again, and it was this line right here, remember, the verify-availability. So let's do a test here. Let's take down this interface, 10.1.2.1; actually shut that interface down, perform our same traceroute, and see what happens. So let me bring up router 3, right here, pull it into the window, and let's go show ip interface brief. This is the loopback that we've been testing in the lab; that's been our lab loopback. This is the interface we're going to shut down, so interface fast 0/0, and we're going to shut it down. Okay, it's shut down; there we go, it went to state down. Now we know that the route-map on router 1 is still going to process this packet; since router 1 originated it locally, it's being told to send it to this IP address, and this IP address isn't available any longer. So let's see if router 1 uses that verify command, that next-hop verify command that we put in our route-map, finds that this is down, and sends it to R2. So this time when we issue that same command we should see it going out the default route. Let's see if that's what actually happens. I'm going to up-arrow a couple of times here to get back to our traceroute, and there we go. Again, it did the verify that we told it to do right here: it verified; it was told to send it, but it can't, because the verify failed. So let's make sure that it actually processed it. Okay, six packets here; let's do a show route-map again; we should see that number increase, and we do, it's gone up. So the route-map was run; it wanted to send it here; it couldn't, because that next hop was not available. All right, that takes care of the first two bullets.

Okay, let's go back into router 3 first and turn that interface back on, so we're going to do a no shut; I just want to make sure we have that back up so that the rest of our testing is valid. show ip interface brief: all right, it's back up. Let's go back to router 1 again real quick. If we do that test now, we should see it routing to 2.1, because the interface is available again; it should be able to verify the next hop. There we go, so it sent it to 2.1.

Okay, so what's our next criteria that we have to match? All traffic sourced from VLAN 10 that is not destined to the lab. Okay, let's just do a quick one; let's send this to something that is sourced from VLAN 10 but not destined to the lab. So let's just change that, because our lab network in our route-map says 155.65.1.0/24, so we're going to put this in a different network space, and let's run this and see what we get. Okay, it didn't match the criteria; it sent it out to its default route, just like it was supposed to do. All other network traffic should take the default path. Okay, so that's kind of built in: if it's not in our route-map, if it doesn't meet the criteria of our route-map, it should be completely ignored and fall through to the routing table to handle. So again, to do that, we're just going to remove the source statement; let's make this back up to a valid network segment that we know exists, but we're not going to tell it to source it from VLAN 10 this time. And again, there we go: it sends it on its default route; it doesn't match the policy, it consults the routing table, and sends it on to its default route.

One thing I did not mention, or show what happens, is when we do not include the verify next-hop command in our route-map. Without that verify command, what would happen is that router 1 would send that traffic to a black hole. It's being told to send it to a next hop of 10.1.2.1; it doesn't check to see if that exists; it just does it. So it would not fall through to our routing table normally to send it to the default route; instead the traffic gets dropped.

Hopefully this information on policy-based routing, and most specifically route-maps, was useful to you, and I will talk to you later.
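The whole router 1 side of the scenario, collected into one configuration as an added example; this is not the video's own captured CLI session. Addresses, VLAN, and the default-route next hop follow the transcript; the underscore spelling of the ACL and route-map names and the exact interface names on router 1 are assumptions.

```cisco
! Added example (not captured from the video). Scenario values from the transcript:
!   VLAN 10 client network 10.1.3.0/24, SVI 10.1.3.1
!   lab network 155.65.1.0/24 behind router 3, reached via next hop 10.1.2.1
!   default route toward router 2 at 10.1.1.1
! Names with underscores are an assumed spelling of "ACL route to lab" / "RM to lab".
!
! --- Router 1 (core Layer 3 switch) ---
!
! 1. Match criteria: sourced from VLAN 10 AND destined to the lab.
!    Second and fourth fields are wildcard masks, not subnet masks.
ip access-list extended ACL_route_to_lab
 permit ip 10.1.3.0 0.0.0.255 155.65.1.0 0.0.0.255
!
! 2. The if/then: when the ACL matches, set the next hop to router 3, but only
!    if that next hop is reachable. Without the verify-availability line a down
!    next hop is still used and the traffic is black-holed instead of falling
!    through to the routing table.
route-map RM_to_lab permit 10
 match ip address ACL_route_to_lab
 set ip next-hop 10.1.2.1
 set ip next-hop verify-availability
!
! 3. Apply on the Layer 3 SVI for VLAN 10 (ingress, closest to the source),
!    not on the Layer 2 access port that faces router 5.
interface Vlan10
 ip address 10.1.3.1 255.255.255.0
 ip policy route-map RM_to_lab
!
! 4. Packets the switch originates itself (its own pings/traceroutes) bypass
!    interface PBR; this applies the same route-map to them.
ip local policy route-map RM_to_lab
!
! Anything that does not match RM_to_lab falls through to the routing table.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! --- Verification from exec mode ---
! show route-map RM_to_lab                 ! "Policy routing matches:" counter rises
! show ip access-lists ACL_route_to_lab    ! "(N matches)" on the permit line
! traceroute ip 155.65.1.1 source vlan 10  ! matches: first hop 10.1.2.1
! traceroute ip 155.65.1.1                 ! not sourced from VLAN 10: first hop 10.1.1.1
! traceroute ip 10.9.9.9 source vlan 10    ! constructed non-lab destination: default route
```

Two checks worth keeping in mind when reading the counters: the `show ip access-lists` match count only increments when the route-map actually evaluates the packet, so a zero there with the policy applied usually means the packet never hit that interface (or was locally originated without `ip local policy`), and the plain `verify-availability` form confirms the next hop through CDP, so it only works if router 3 runs CDP on that link; the `track` variant the video mentions is the way to verify reachability with an IP SLA probe instead.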
Info
Channel: Doug Suida
Views: 81,668
Rating: 4.9359999 out of 5
Keywords: how-to routing router, Cisco, how-to, PBR, policy-based routing, router, routing, route-map, IOS, config, configure
Id: BfEuzEH8ADg
Length: 26min 29sec (1589 seconds)
Published: Sun Jul 10 2011