Lab 4: Configuring Policy-Based Routing—Part II

Lab Walkthrough

Configure the Frame Relay switch and attach the three routers in a back-to-back fashion to the frame switch. Use V.35 cables to connect the routers. Create the four Ethernet LANs using switches or hubs, as illustrated in Figure 2-12.

After the physical connections are complete, assign IP addresses to all LAN and WAN interfaces as depicted in Figure 2-12. Configure a Frame Relay network as a single multipoint network between all routers on the WAN. Use the DLCIs from the diagram. Because the Frame Relay network is a multipoint, keep in mind that you will need to disable EIGRP split horizon at some point. At this time, you will also want to set the bandwidth statements so that EIGRP chooses the best possible path through the network. Example 2-49 lists the Frame Relay configuration of all the routers.

Example 2-49 Frame Relay Configurations for the wow, plains, and swamp Routers

hostname wow
!
interface Serial0
 ! BW for EIGRP
 bandwidth 1544
 ip address 192.168.1.7 255.255.255.0
 encapsulation frame-relay
 ! Used to disable split horizon
 no ip split-horizon eigrp 65002
 no ip mroute-cache
 ! Map statement to plains
 frame-relay map ip 192.168.1.3 102 broadcast
 ! Map statement to swamp
 frame-relay map ip 192.168.1.4 302 broadcast
 frame-relay lmi-type cisco
!
hostname plains
!
interface Serial1/0
 ! BW for EIGRP
 bandwidth 1544
 ip address 192.168.1.3 255.255.255.0
 encapsulation frame-relay
 ! Map statement to swamp
 frame-relay map ip 192.168.1.4 101 broadcast
 ! Map statement to wow
 frame-relay map ip 192.168.1.7 101 broadcast
 frame-relay lmi-type cisco
!
hostname swamp
!
interface Serial0/0
 ! BW for EIGRP
 bandwidth 64
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 no ip mroute-cache
 ! Map statement to plains
 frame-relay map ip 192.168.1.3 206 broadcast
 ! Map statement to wow
 frame-relay map ip 192.168.1.7 206 broadcast
 frame-relay lmi-type cisco
!

After configuring all the LAN and WAN interfaces and assigning IP addresses, verify local connectivity. All routers should be able to ping their adjacent routers. For instance, plains, swamp, and forest should all be able to ping one another's Ethernet addresses. When local connectivity is verified, you can begin to configure routing protocols.

Begin by configuring the EIGRP domain between all the routers, starting with the wow router. On the wow router, you need two network statements, one for network 172.16.0.0 and one for 192.168.1.0. This router also needs to generate a default route for Internet traffic. To generate a default route, configure a default static route to the address 206.191.241.41 with the command ip route 0.0.0.0 0.0.0.0 206.191.241.41. For the wow router to advertise this route, it needs to be redistributed into EIGRP. Example 2-50 lists the configuration of EIGRP on the wow router.

Example 2-50 EIGRP Configuration for the wow Router

hostname wow
!
router eigrp 65002
 ! Redistribute the default route
 redistribute static
 network 172.16.0.0
 network 192.168.1.0
 ! Default metric
 default-metric 10000 100 254 1 1500
 no auto-summary
!
ip classless
! Default route
ip route 0.0.0.0 0.0.0.0 206.191.241.41

NOTE

Packets will only follow a default route when ip classless is enabled.

Because the Frame Relay network is a multipoint, you should disable split horizon for EIGRP on the serial interface with the command no ip split-horizon eigrp 65002. Without disabling EIGRP split horizon, if the Ethernet link between the plains and swamp routers were broken, routes from the swamp router would not reach the plains router, and routing would be broken. Another important part of the EIGRP configuration, listed in the preceding example, is the configuration of the bandwidth statements on the serial interface. The configuration of the bandwidth statements will allow EIGRP to pick the best possible path for routing.

The EIGRP configurations on the plains and swamp routers resemble that of the wow router. Example 2-51 lists the configurations.

Example 2-51 EIGRP Configuration of the plains and swamp Routers

hostname plains
!
router eigrp 65002
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
hostname swamp
!
router eigrp 65002
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary

The EIGRP configurations on the forest, mountain, and island routers are pretty straightforward, as shown in Example 2-52.

Example 2-52 EIGRP Configuration of the forest, mountain, and island Routers

hostname forest
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary
!
hostname mountain
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary
!
hostname island
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary

After configuring all the routers for EIGRP, you should have IP end-to-end connectivity. The island and mountain routers should be able to reach the wow servers. A default route should also be advertised by EIGRP. Example 2-53 lists the route table of the island router.

Example 2-53 Route Table of the island Router

island# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
  D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
  N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
  E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
  i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
  U - per-user static route, o - ODR
Gateway of last resort is 172.16.2.6 to network 0.0.0.0
  172.16.0.0/24 is subnetted, 3 subnets
D  172.16.7.0 [90/2246656] via 172.16.2.6, 01:07:24, Ethernet0/0
D  172.16.1.0 [90/307200] via 172.16.2.6, 02:10:57, Ethernet0/0
C  172.16.2.0 is directly connected, Ethernet0/0
D 192.168.1.0/24 [90/2221056] via 172.16.2.6, 02:10:57, Ethernet0/0
D*EX 0.0.0.0/0 [170/2246656] via 172.16.2.6, 01:07:24, Ethernet0/0
island# 

The optional portion of this lab calls for you to configure NAT on the wow router for reachability to the Internet. Having actual IP hosts for testing will help you verify whether the route maps and policy routing are working properly. Actual IP hosts may be substituted by loopback interfaces and by enabling local policy routing. When configuring NAT, configure the serial 0 and E4 interfaces of the wow router as NAT inside interfaces. The E3 interface will be the NAT outside interface. Because you have only a single IP address, you will be using Port Address Translation (PAT), sometimes referred to as the Overload feature. The NAT/PAT configuration used in this model is listed in Example 2-54. For more detailed information on configuring NAT, refer to CCIE Practical Studies, Volume 1.

Example 2-54 NAT/PAT Configuration on the wow Router

hostname wow
!
interface Ethernet3
 ip address 206.191.241.43 255.255.255.248
 no ip directed-broadcast
 ! NAT outside interface/Internet
 ip nat outside
 media-type 10BaseT
!
interface Ethernet4
 ip address 172.16.7.7 255.255.255.0
 no ip directed-broadcast
 ! NAT inside interface
 ip nat inside
 media-type 10BaseT
!
interface Serial0
 bandwidth 1544
 ip address 192.168.1.7 255.255.255.0
 no ip directed-broadcast
 ! NAT inside interface
 ip nat inside
 encapsulation frame-relay
 no ip split-horizon eigrp 65002
 no ip mroute-cache
 frame-relay map ip 192.168.1.3 102 broadcast
 frame-relay map ip 192.168.1.4 302 broadcast
 frame-relay lmi-type cisco
!
! PAT enabled for E3
ip nat inside source list 101 interface Ethernet3 overload
!
! Translate all traffic
access-list 101 permit ip any any

To configure the routing policy specified by the lab, you need to configure policy routing on the forest router. This lab does not require return traffic to take the same path on which it originated. For extra practice, however, you may want to configure PBR on the wow router so that traffic does follow the same return path.

The lab objectives call for you to configure PBR with the following guidelines:

  • IP traffic from the mountain and island routers with a small packet size, 0 to 1199 bytes, destined for the wow servers should use the high-speed link between the plains and wow routers.

  • IP traffic from the mountain and island routers with a large packet size, 1200 to 1544 bytes, destined for the wow servers should use the low-speed link between the swamp and wow routers.

  • Internet traffic from the mountain router should use the high-speed link through the plains router.

  • Internet traffic from the island router should use the low-speed link through the swamp router.

  • Configure fast switching for PBR.

The route map for policy routing on the forest router will have four route map instances. The first instance will match traffic from the router mountain, 172.16.2.10, and island, 172.16.2.5. After traffic is verified from these sources, a match on small packet length, 0 to 1199, will be performed. Traffic that passes both of these criteria will have a next hop set to 172.16.1.3, to use the high-speed link of the plains router. The second route map instance will match the same addresses, but this instance will match large packet lengths, 1200 to 1544. Traffic that passes both of these matches will be forwarded to the next hop of 172.16.1.4, to the lower-speed link of the swamp router.

The final two route map instances are for Internet traffic. One instance will match traffic from the mountain router, 172.16.2.10, and set the IP default next hop to the plains router, 172.16.1.3. The other instance will match traffic from the island router, 172.16.2.5, and set the IP default next hop to the swamp router, 172.16.1.4. Recall that the IP default next-hop address will be used when the router does not have the destination address of the packet in its forwarding/route table.

Recalling the steps to configure PBR, you have the following:

Step 1  Configure ACLs.
Step 2  Configure route map instances.
Step 3  Configure match commands.
Step 4  Configure set commands.
Step 5  Configure PBR on the interface.
Step 6  Configure fast switching.
Step 7  (Optional) Configure local PBR.

Example 2-55 covers the configuration of Steps 1 through 4 on the forest router.

Example 2-55 Route Map and ACL Configuration on the forest Router

hostname forest
!
access-list 110 permit ip host 172.16.2.10 172.16.7.0 0.0.0.255
access-list 110 permit ip host 172.16.2.5 172.16.7.0 0.0.0.255
!
access-list 130 deny ip any 172.16.0.0 0.0.255.255
access-list 130 deny ip any 192.168.1.0 0.0.0.255
access-list 130 permit ip host 172.16.2.10 any
!
access-list 140 deny ip any 172.16.0.0 0.0.255.255
access-list 140 deny ip any 192.168.1.0 0.0.0.255
access-list 140 permit ip host 172.16.2.5 any
!
! PBR small packets
route-map policy_1 permit 10
 match ip address 110
 match length 0 1199
 set ip next-hop 172.16.1.3
!
! PBR large packets
route-map policy_1 permit 20
 match ip address 110
 match length 1200 1544
 set ip next-hop 172.16.1.4
!
! PBR for default routing
route-map policy_1 permit 30
 match ip address 130
 set ip default next-hop 172.16.1.3
!
! PBR for default routing
route-map policy_1 permit 40
 match ip address 140
 set ip default next-hop 172.16.1.4
!

The last part of the configuration, Steps 5 and 6, calls for you to apply the PBR and to enable fast switching for PBR. This is accomplished with the interface commands ip policy route-map and ip route-cache policy. Example 2-56 lists the entire configuration of the forest router.

Example 2-56 Configuration of the forest Router

hostname forest
!
<<<text omitted>>>
!
interface Ethernet0/0
 ip address 172.16.1.6 255.255.255.0
!
interface Ethernet0/1
 ip address 172.16.2.6 255.255.255.0
 ip route-cache policy
 ip policy route-map policy_1
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
no ip http server
!
access-list 110 permit ip host 172.16.2.10 172.16.7.0 0.0.0.255
access-list 110 permit ip host 172.16.2.5 172.16.7.0 0.0.0.255
access-list 130 deny ip any 172.16.0.0 0.0.255.255
access-list 130 deny ip any 192.168.1.0 0.0.0.255
access-list 130 permit ip host 172.16.2.10 any
access-list 140 deny ip any 172.16.0.0 0.0.255.255
access-list 140 deny ip any 192.168.1.0 0.0.0.255
access-list 140 permit ip host 172.16.2.5 any
route-map policy_1 permit 10
 match ip address 110
 match length 0 1199
 set ip next-hop 172.16.1.3
!
route-map policy_1 permit 20
 match ip address 110
 match length 1200 1544
 set ip next-hop 172.16.1.4
!
route-map policy_1 permit 30
 match ip address 130
 set ip default next-hop 172.16.1.3
!
route-map policy_1 permit 40
 match ip address 140
 set ip default next-hop 172.16.1.4

Example 2-57 lists the PBR configuration of the wow router.

Example 2-57 PBR Configuration of the wow Router

hostname wow
!
ip subnet-zero
ip name-server 206.191.193.1
!
<<<text omitted>>>
!
interface Ethernet3
 ip address 206.191.241.43 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 media-type 10BaseT
!
interface Ethernet4
 ip address 172.16.7.7 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 media-type 10BaseT
!
interface Serial0
 bandwidth 1544
 ip address 192.168.1.7 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 encapsulation frame-relay
 no ip split-horizon eigrp 65002
 no ip mroute-cache
 frame-relay map ip 192.168.1.3 102 broadcast
 frame-relay map ip 192.168.1.4 302 broadcast
 frame-relay lmi-type cisco
!
router eigrp 65002
 redistribute static
 network 172.16.0.0
 network 192.168.1.0
 default-metric 10000 100 254 1 1500
 no auto-summary
!
ip nat inside source list 101 interface Ethernet3 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.191.241.41
no ip http server
!
access-list 101 permit ip any any

To test the policy, issue several extended pings from the mountain and island routers. By using the show route-map command on the forest router, you will be able to determine whether packets are being policy routed. Example 2-58 demonstrates two pings on the mountain router: one ping to the wow server and one to www.cisco.com (on the Internet).

Example 2-58 Testing and Verifying PBR

mountain# ping
Protocol [ip]:
Target IP address: 172.16.7.11
Repeat count [5]: 50
Datagram size [100]: 100
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 172.16.7.11, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 8/8/12 ms
mountain#
mountain# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/700/1116 ms
mountain#

forest# show route-map
route-map policy_1, permit, sequence 10   <-- small packets matched
 Match clauses:
 ip address (access-lists): 110
 length 0 1199
 Set clauses:
 ip next-hop 172.16.1.3
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20
 Match clauses:
 ip address (access-lists): 110
 length 1200 1544
 Set clauses:
 ip next-hop 172.16.1.4
 Policy routing matches: 0 packets, 0 bytes
route-map policy_1, permit, sequence 30   <-- Internet traffic
 Match clauses:
 ip address (access-lists): 130
 Set clauses:
 ip default next-hop 172.16.1.3
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40
 Match clauses:
 ip address (access-lists): 140
 Set clauses:
 ip default next-hop 172.16.1.4
 Policy routing matches: 0 packets, 0 bytes
forest#

By performing the same test on the island router, but with a ping packet size of 1500 bytes, you can observe the policy routing working on the forest router. Example 2-59 lists the output of the show route-map command performed on the forest router, after running the test from the island router.

Example 2-59 show route-map Command on the wow and forest Routers

forest# show route-map
route-map policy_1, permit, sequence 10
 Match clauses:
 ip address (access-lists): 110
 length 0 1199
 Set clauses:
 ip next-hop 172.16.1.3
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20   <-- Large packets matched
 Match clauses:
 ip address (access-lists): 110
 length 1200 1544
 Set clauses:
 ip next-hop 172.16.1.4
 Policy routing matches: 101 packets, 152914 bytes
route-map policy_1, permit, sequence 30
 Match clauses:
 ip address (access-lists): 130
 Set clauses:
 ip default next-hop 172.16.1.3
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40   <-- Internet traffic
 Match clauses:
 ip address (access-lists): 140
 Set clauses:
 ip default next-hop 172.16.1.4
 Policy routing matches: 12 packets, 1286 bytes
forest#
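
Comparing the counters by eye becomes error-prone as route maps grow, so the check can be scripted. The following Python sketch is an added example, not part of the book: it parses two show route-map snapshots and reports which instances gained matches. The BEFORE and AFTER strings are abridged from Examples 2-58 and 2-59, and the function names are assumptions.

```python
import re

# Counter lines abridged from Example 2-58 (BEFORE) and Example 2-59 (AFTER).
BEFORE = """\
route-map policy_1, permit, sequence 10
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20
 Policy routing matches: 0 packets, 0 bytes
route-map policy_1, permit, sequence 30
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40
 Policy routing matches: 0 packets, 0 bytes
"""
AFTER = """\
route-map policy_1, permit, sequence 10
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20
 Policy routing matches: 101 packets, 152914 bytes
route-map policy_1, permit, sequence 30
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40
 Policy routing matches: 12 packets, 1286 bytes
"""

SEQ = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
HITS = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")

def parse_counters(text):
    """Map (route-map name, sequence) -> (packets, bytes)."""
    counters, current = {}, None
    for line in text.splitlines():
        if m := SEQ.match(line.strip()):
            current = (m.group(1), int(m.group(3)))
        elif (m := HITS.search(line)) and current:
            counters[current] = (int(m.group(1)), int(m.group(2)))
    return counters

def delta(before, after):
    """Instances whose counters changed, with the packet and byte growth."""
    b, a = parse_counters(before), parse_counters(after)
    grown = {}
    for key, (pkts, octets) in a.items():
        p0, o0 = b.get(key, (0, 0))
        if (pkts, octets) != (p0, o0):
            grown[key] = (pkts - p0, octets - o0)
    return grown
```

For the two snapshots on this page, only sequences 20 and 40 change, which is the expected result for 1500-byte pings and Internet traffic from the island router.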