Policy-Based Routing (PBR)

Captions
In this Nugget you and I get to lab up and verify PBR, policy-based routing. Let's begin. You know, it's interesting that routers have a routing table, and they route based on the best information that they have. So in this topology right here, if the PC was sending packets to a device on the 10.23 network, and if we were using EIGRP as the routing protocol for our network, R1 would have the best path to get to that network going through the faster link on serial 2/2, going through R3 to get there. Well, what if we wanted to retrain the router for specific traffic and have that specific traffic take a different next hop, for example through interface 2/1 up to R2? Well, the good news is we can do that with policy-based routing, and to lab it up, which is our focus in this Nugget, we are going to create an access list that identifies the interesting traffic that we want to treat differently. We're going to create a route map that refers to the access control list, and then that route map will specify the next hop that the packet should take, and then we'll apply that as an IP policy on the inbound interface where that traffic is coming in.

We're going to build our topology here in GNS3, and if you're looking at this diagram and thinking, hey, this looks really familiar to the network topology that we used for EIGRP summarization, if that's your thinking, it's absolutely true. The only addition we have here is we're adding an FA0/0 interface and a Virtual PC hanging off of R1. So we'll bring out some routers: we'll bring out router one, we'll bring out router two, we'll bring out router three, and we'll bring out our Virtual PC from the Virtual PC Simulator. We'll click on the connector tool and we'll connect these together. We'll go from the PC up to R1's FA0/0. I'll turn on the labeling tool so we can see those interfaces. And from R1 we're going to go from serial 2/1 up to R2 on its serial 2/1, and back on R1 we're going to use serial 2/2 to go out to R3's serial 2/2, again matching our topology. And our last connection is the connection between R2 and R3, using gigabit 1/0 for that connection on both sides. So we'll turn off our connector tool, and then we can drag the labels around so we can see them a little bit better, and that looks great. Then of course we'll start our topology by clicking on the start icon in the toolbar, and then we'll click on the console icon to get console access to these four devices.

Let's begin by putting our basic topology in place. We'll start on router R1, and on router R1 we'll go into configuration mode, and in interface FA0/0 we'll give it the IP address of 10.11.0.1 with a 24-bit mask. Now FA0/0 is the interface that's facing the PC on the far left. Next we'll configure the serial 2/1 interface that's between R1 and R2. We'll go into that interface, interface serial 2/1, give it the IP address of 10.12.0.1 with a 24-bit mask, and we're going to give it an artificially low bandwidth of 256, and we'll bring it up with the command no shutdown. Next we'll configure the serial 2/2 interface between R1 and R3. We'll go into interface serial 2/2, give it the IP address of 10.13.0.1, give it a bandwidth of 512, and we'll bring it up with the command no shutdown. Next let's enable EIGRP for autonomous system number one, and we'll use network 0.0.0.0, and that pulls every interface that's running IP version 4 into that routing process.

Next we'll make a road trip up to our good buddy R2, and on R2 we'll go into configuration mode. We'll go into interface config for serial 2/1 and we'll give it the IP address of 10.12.0.2 with a 24-bit mask. We'll give it the bandwidth of 256 and a no shutdown to bring it up. We'll also configure the gigabit 1/0 interface between R2 and R3 by going into interface config, giving it the IP address of 10.23.0.2 with a 24-bit mask, and bringing that one up with a no shutdown. And while we're here, let's enable router EIGRP autonomous system number one, and we'll use network 0.0.0.0, which brings all the interfaces in, and we have a message indicating we have a neighborship between us, R2, and R1. That's fantastic.

Next let's go to R3, and on router R3 we'll go into configuration mode for interface serial 2/2. We'll give it the IP address of 10.13.0.3 with a 24-bit mask, we'll specify the bandwidth of 512, and we will bring it up with the command no shutdown. And our final interface on R3 is the gigabit 1/0, so we'll go into interface gig 1/0 and give it the IP address of 10.23.0.3 with a 24-bit mask and bring it up with the command no shutdown. We also want to enable EIGRP for autonomous system number 1, so we'll do that with router eigrp 1 and network 0.0.0.0, and we have two adjacencies. That's great: one between us and R1 and one between us and R2.

Next let's go to our Virtual PC Simulator, which is PC number 1, and we'll give it the IP address of 10.11.0.50 with a 24-bit mask and tell it that its default gateway is 10.11.0.1, which is the IP address of R1's FA0/0 interface. Now what I'd like to do with you is play a little guessing game, and guess: if this PC pinged an IP address on the 10.23 network, which path would it be forwarded across? So PC1 would use the default gateway of R1, and then R1 would look at its routing table, and then it would use the path based on its routing table. And because we're running EIGRP and both R2 and R3 are directly connected to that network, it's very likely the traffic is going to go over serial 2/2, because as bandwidth comes into the metric calculation, the lower bandwidth of the serial 2/1 link is going to make that appear as a worse, or larger, metric. And we can verify that here on PC1 by doing a trace out to 10.23.0.3. The first hop was our default gateway, that's R1, and the second hop was R3, based on that last octet of 3. And if we went over to router 1, and on router 1 if we issue the command show ip route eigrp to see the EIGRP-learned routes, here it's showing us the 10.23 subnet that was learned via EIGRP, and the next hop, sure enough, is 10.13.0.3 going out serial 2/2, and that is exactly the path that the PC's traffic just took as it went out to the 10.23 network.

So what you and I get to do right now is set up policy-based routing, and let's have our plan be this: any UDP traffic that the router sees coming in on FA0/0, let's go ahead and have that be policy-based routed and have it sent over this link using the next hop of R2, instead of its default path, which would normally be across this bottom link. So to do that, we're going to create an access control list that's going to identify UDP traffic; that'll be our interesting traffic. We'll create a route map which calls on the access control list and says if traffic matches that ACL, set the next hop to be R2's address right here. And then we'll go to interface configuration mode on FA0/0 on R1 and we'll apply that using the ip policy command.

So here on R1 let's go into configuration mode, and let's create an extended access list, and we'll call it match-UDP-ACL, and our single entry in there is going to say permit UDP if it's coming from anywhere going to anywhere, and that's it. Now in our example we're using UDP going from anywhere to anywhere; however, we could be very granular if we wanted to. For example, we could say if it's TCP traffic coming from a certain source network or certain host and going to a certain destination, and if the destination port number for that TCP traffic is, for example, port 443 for SSL or port 80 for web traffic. The key is we could be very granular with what we identify as part of this access control list.

The second piece that we're going to do is to create a route map that is going to call upon, or utilize, the access control list we just created. So the syntax: route-map, then the name of our route map, which we're going to call use-r2, and then the keyword permit, and then 10. So 10 is a sequence number for this entry that we're creating in this route map, and a route map is processed by these sequence numbers starting from the lower going higher, so you might have sequence 10, sequence 20, sequence 30, sequence 35, and so forth. And then for this sequence number 10 we are going to set up an if-then statement, and the syntax: match ip address and then we'll put the name of our access control list. That's our if statement: so if traffic matches the access control list called match-UDP-ACL, then what do we want to have happen? And a route map has lots of options that we could do, but in our case, in our topology, what we want to do is set ip next-hop 10.12.0.2, which is the IP address of R2's serial 2/1 interface, and then we can exit out of route-map configuration.

We have created an access control list, we've created a route map that utilizes that access control list, and our third step is to apply this to our router. Policy-based routing is applied to any traffic that's coming in to an interface, ingress traffic, so when we apply this we are going to apply this on the FA0/0 interface. So any traffic that the PC sends in will be compared against the policy-based routing once we apply it, and then acted on: anything that matches our access control list as part of the PBR configuration will be forwarded based on those rules, and anything that doesn't match the PBR will be routed normally. So to apply this we're going to go into interface FA0/0 and use the syntax ip policy route-map and the name of our route map, and ta-da, we've just applied policy-based routing for inbound traffic that's coming in on FA0/0.

Now I always like to verify that what we think is happening is really happening, and one way of doing that on a Cisco router is using a debug, and in this case we're going to use debug ip policy, which effectively is saying I want to do debugging on any policy-based routing. Then we'll go back to our PC, PC1, and I'm going to use the up arrow key, and we're going to issue the trace to 10.23.0.3 once again and press Enter, and notice here the second hop: it used to be 10.13.0.3, but now it's 10.12.0.2. Why? Because R1, when that traffic came in on that FA0/0 interface, that traffic was policy-based routed because it was UDP. So R1 said, I'm going to override the default behavior of my routing table and I'm going to set the next hop to be R2's IP address, and that's why it chose to use the serial 2/1 interface. So if we go back to R1, back to the console, here are our messages indicating that we had a policy match and that policy-based routing occurred.

One other element I think would be very interesting to see is if we go back to PC1, and on PC1 if we do just a ping out to 10.23.0.3, that traffic is not being policy-based routed. And that's because the trace inside of the Virtual PC Simulator uses UDP, so that matched the access control list that was in the route map, and that triggered policy-based routing on our traceroute traffic. However, ping is just using ICMP, which doesn't match the access control list, so it's going to be routed normally. And if we go back to our debug messages on R1, and let me drag this over so you can see the full message, we have this policy rejected message, no match, and then it indicates that it is doing normal forwarding, and that's on the far left-hand side. So it didn't match the policy, it wasn't policy-based routed, but it was forwarded normally, so the pings were still successful, and they were forwarded based on the routing table information on R1.

In this Nugget you and I have labbed up and verified the results of using policy-based routing. I have had a lot of fun in this Nugget; I'm so glad that you joined me for it. I hope this has been informative for you, and I'd like to thank you for viewing.
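The three R1 configuration steps the video walks through, collected here as an added example (this is not the video's own console capture). The ACL and route-map names, interface names and addresses follow the transcript; the second, more granular ACL assumes the PC subnet 10.11.0.0/24 as its source to illustrate the TCP 443/80 variant the speaker mentions.

```cisco
! R1: policy-based routing for UDP arriving on FastEthernet0/0
! (added example, not the video's output; addresses follow the lab topology)
!
! Step 1: identify the interesting traffic with an extended named ACL.
! The ACL decides WHICH packets are policy routed; everything it does not
! permit falls through to the normal routing table.
ip access-list extended match-UDP-ACL
 permit udp any any
!
! Granular variant (assumed source subnet 10.11.0.0/24): only HTTPS/HTTP
! from the PC segment would be policy routed if this ACL were referenced.
ip access-list extended match-WEB-ACL
 permit tcp 10.11.0.0 0.0.0.255 any eq 443
 permit tcp 10.11.0.0 0.0.0.255 any eq 80
!
! Step 2: the route map. Sequences are evaluated lowest to highest and the
! first matching sequence wins; a packet matching no permit sequence is
! routed normally. 10.12.0.2 is R2's serial 2/1 address.
route-map use-r2 permit 10
 match ip address match-UDP-ACL
 set ip next-hop 10.12.0.2
!
! Step 3: apply the policy to the ingress interface facing the PC.
! PBR only evaluates traffic entering this interface.
interface FastEthernet0/0
 ip policy route-map use-r2
!
! Caveat: "set ip next-hop" expects a next hop on a directly connected
! subnet; if that next hop is not reachable, the set is skipped and the
! packet is forwarded by the routing table as if it had not matched.
!
! Verification (exec mode):
!   show route-map use-r2    -> match/set clauses and "Policy routing matches" counters
!   show ip policy           -> which interface has which route map applied
!   debug ip policy          -> "policy match" vs "policy rejected -- normal forwarding"
```

Re-running the trace (UDP) from PC1 should now show 10.12.0.2 as the second hop while a ping (ICMP) still goes via 10.13.0.3, and the counters in show route-map use-r2 should increase only for the trace.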
Info
Channel: CBT Nuggets
Views: 68,945
Rating: 4.949367 out of 5
Id: 3Ie5MBmmg48
Length: 12min 43sec (763 seconds)
Published: Fri Dec 19 2014