Scribd
Upload
339 views12 pages

CCNP ENCOR Exam Notes

Uploaded by

valderamadurkheim
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
339 views12 pages

CCNP ENCOR Exam Notes

Uploaded by

valderamadurkheim
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

POLICY-BASED ROUTING

CCNP ENCOR Exam

By Justin O. OLANGI
(view my LinkedIn)
II. TOPOLOGY
Policy-based routing (PBR) is a technique to route packets in a network based on policies or filters that we
can selectively apply to override the default routing behavior.

This post explains how to configure and verify policy-based routing (PBR) on Cisco routers. This post covers
CCNP ENCOR 350-401 exam topic 3.2.d Describe policy-based routing, and CCNP ENARSI 300-410 exam
topic 1.6 Configure and verify policy-based routing.

The purpose of this lab is to test and describe some common PBR concepts and configurations such as:

▪ Typical IP routing
▪ Policy-based routing (PBR)
▪ Route map
▪ Policy-based routing configuration
▪ Verifications
▪ Key references

For more details about Policy Based, see the Cisco CCNP ENCOR and ENARSI course. For the routing
part, we're going to use my old lab on EIGRP.

2 By Justin O. OLANGI
II. EIGRP CONFIG
EIGRP overcomes the deficiencies of other distance vector routing protocols like RIP with features such as
unequal-cost load balancing, support for networks 255 hops away, and rapid convergence features. EIGRP
uses a diffusing update algorithm (DUAL) to identify network paths and enable fast convergence using
precalculated loop-free backup paths.

Most distance vector routing protocols use hop count as the metric for routing decisions. However, using hop
count for path selection does not take into account link speed and total delay. EIGRP adds to the route
selection algorithm logic that uses factors outside hop count.

II.1 Interface Configuration

a. R1
R1(config)# interface g0/0
R1(config-if)# description LINK_TO_R2
R1(config-if)# ip address 172.16.1.1 255.255.255.252
R1(config-if)# ipv6 address 201:db8:ff0a:1::1/64
R1(config-if)# bandwidth 900
R1(config-if)# no shutdown

R1(config)# interface g0/1


R1(config-if)# description LINK_TO_R3
R1(config-if)# ip address 172.16.2.1 255.255.255.252
R1(config-if)# ipv6 address 201:db8:ff0a:2::1/64
R1(config-if)# bandwidth 1000
R1(config-if)# no shutdown

R1(config)# interface g0/2


R1(config-if)# description LINK_TO_LAN
R1(config-if)# ip address 172.16.10.1 255.255.255.0
R1(config-if)# ipv6 address 201:db8:ff0a:10::1/64
R1(config-if)# no shutdown

b. R2
R2(config)# interface g0/0
R2(config-if)# description LINK_TO_R1
R2(config-if)# ip address 172.16.1.2 255.255.255.252
R2(config-if)# ipv6 address 201:db8:ff0a:1::2/64
R1(config-if)# bandwidth 900
R2(config-if)# no shutdown

R2(config)# interface g0/1


R2(config-if)# description LINK_TO_R4
R2(config-if)# ip address 172.16.3.1 255.255.255.252
R2(config-if)# ipv6 address 201:db8:ff0a:3::1/64
R1(config-if)# bandwidth 900

3 By Justin O. OLANGI
R2(config-if)# no shutdown

R2(config)# interface g0/2


R2(config-if)# description LINK_TO_ISP
R2(config-if)# ip address dhcp
R2(config-if)# no shutdown

c. R3
R3(config)# interface g0/0
R3(config-if)# description LINK_TO_R4
R3(config-if)# ip address 172.16.4.1 255.255.255.252
R3(config-if)# ipv6 address 201:db8:ff0a:4::1/64
R3(config-if)# bandwidth 1000
R3(config-if)# no shutdown

R3(config)# interface g0/1


R3(config-if)# description LINK_TO_R1
R3(config-if)# ip address 172.16.2.2 255.255.255.252
R3(config-if)# ipv6 address 201:db8:ff0a:2::2/64
R3(config-if)# bandwidth 1000
R3(config-if)# no shutdown

d. R4
R4(config)# interface g0/0
R4(config-if)# description LINK_TO_R3
R4(config-if)# ip address 172.16.4.2 255.255.255.252
R4(config-if)# ipv6 address 201:db8:ff0a:4::2/64
R1(config-if)# bandwidth 1000
R4(config-if)# no shutdown

R4(config)# interface g0/1


R4(config-if)# description LINK_TO_R2
R4(config-if)# ip address 172.16.3.2 255.255.255.252
R4(config-if)# ipv6 address 201:db8:ff0a:3::2/64
R1(config-if)# bandwidth 900
R4(config-if)# no shutdown

R4(config)# interface g0/2


R4(config-if)# description LINK_TO_LAN
R4(config-if)# ip address 172.16.50.1 255.255.255.0
R4(config-if)# ipv6 address 201:db8:ff0a:50::1/64
R4(config-if)# no shutdown

II.2 EIGRP Dual Stack Basic Configuration

a. R1
R1(config)# ipv6 unicast-routing
R1(config)# router eigrp ENCOR
R1(config-router)# address-family ipv6 unicast autonomous-system 100
R1(config-router-af)# address-family ipv4 unicast autonomous-system 100

4 By Justin O. OLANGI
R1(config-router-af)# eigrp router-id 1.1.1.1
R1(config-router-af)# network 172.16.1.1 0.0.0.0
R1(config-router-af)# network 172.16.2.1 0.0.0.0
R1(config-router-af)# network 172.16.10.1 0.0.0.0

b. R2
R2(config)# ipv6 unicast-routing
R2(config)# router eigrp ENCOR
R2(config-router)# address-family ipv6 unicast autonomous-system 100
R2(config-router-af)# address-family ipv4 unicast autonomous-system 100
R2(config-router-af)# eigrp router-id 2.2.2.2
R2(config-router-af)# network 172.16.1.2 0.0.0.0
R2(config-router-af)# network 172.16.3.1 0.0.0.0

c. R3
R3(config)# ipv6 unicast-routing
R3(config)# router eigrp ENCOR
R3(config-router)# address-family ipv6 unicast autonomous-system 100
R3(config-router-af)# address-family ipv4 unicast autonomous-system 100
R3(config-router-af)# eigrp router-id 3.3.3.3
R3(config-router-af)# network 172.16.4.1 0.0.0.0
R3(config-router-af)# network 172.16.2.2 0.0.0.0

d. R4
R1(config)# ipv6 unicast-routing
R4(config)# router eigrp ENCOR
R4(config-router)# address-family ipv6 unicast autonomous-system 100
R4(config-router-af)# address-family ipv4 unicast autonomous-system 100
R4(config-router-af)# eigrp router-id 4.4.4.4
R4(config-router-af)# network 172.16.3.2 0.0.0.0
R4(config-router-af)# network 172.16.4.2 0.0.0.0
R4(config-router-af)# network 172.16.50.1 0.0.0.0

II.4 EIGRP Passive Interface Configuration

a. R1
R1(config)# router eigrp ENCOR
R1(config-router)# address-family ipv4 unicast autonomous-system 100

R1(config-router-af)# af-interface g0/2


R1(config-router-af-interface)# passive-interface

R1(config-router-af)# address-family ipv6 unicast autonomous-system 100

R1(config-router-af)# af-interface g0/2


R1(config-router-af-interface)# passive-interface

b. R4

5 By Justin O. OLANGI
R4(config)# router eigrp ENCOR
R4(config-router)# address-family ipv4 unicast autonomous-system 100

R4(config-router-af)# af-interface g0/2


R4(config-router-af-interface)# passive-interface

R4(config-router-af)# address-family ipv6 unicast autonomous-system 100

R4(config-router-af)# af-interface g0/2


R4(config-router-af-interface)# passive-interface

II.6 PAT for IPv4

a. PAT for IPv4

R2(config)# access-list 1 permit 172.16.0.0 0.0.255.255


R2(config)# ip nat inside source list 1 interface g0/2 overload

R2(config)# interface g0/0


R2(config-if)# ip nat inside
R2(config-if)# exit

R2(config)# interface g0/1


R2(config-if)# ip nat inside
R2(config-if)# exit

R2(config)# interface g0/2


R2(config-if)# ip nat outside
R2(config-if)# exit

6 By Justin O. OLANGI
II.7 EIGRP Verification

a. Routing Table
➢ IPv4 Routing Table

R1#show ip rou
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 9 subnets, 3 masks


C 172.16.1.0/30 is directly connected, GigabitEthernet0/0
L 172.16.1.1/32 is directly connected, GigabitEthernet0/0
C 172.16.2.0/30 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
D 172.16.3.0/30
[90/5699128] via 172.16.1.2, 00:00:47, GigabitEthernet0/0
D 172.16.4.0/30
[90/5130240] via 172.16.2.2, 00:00:47, GigabitEthernet0/1
C 172.16.10.0/24 is directly connected, GigabitEthernet0/2
L 172.16.10.1/32 is directly connected, GigabitEthernet0/2
D 172.16.50.0/24
[90/5135360] via 172.16.2.2, 00:00:47, GigabitEthernet0/1
R1#

The 171.16.50.0/24 network is reachable by GigabitEthernet0/1 in normal routing.

7 By Justin O. OLANGI
III. POLICY-BASED ROUTING CONFIG
Policy-Based Routing (PBR) is used to provide additional flexibility and control over the routing of packets
in a network. Here are a few reasons why it is useful:

▪ Prioritisation of applications: PBR allows you to prioritise certain applications by selecting high
bandwidth, low latency links for critical applications. For example, business data can be sent over a
fast link, while Internet browsing can use a slower link.

▪ Redundancy and resilience: It can create back-up links for important traffic if the main link fails. This
improves network availability and resilience.

▪ Traffic isolation and analysis: PBR can isolate traffic for in-depth analysis and inspection, which can
be useful for network security and management.

▪ Bandwidth optimisation: By defining policies based on application attributes, PBR enables granular
traffic management, optimising bandwidth utilisation.

In short, PBR offers more flexible and efficient management of network traffic, according to the specific needs
of the business.

III.1 Common IP Routing

First let's discuss how normal routing works under normal circumstances.

▪ L2 frame check sequence (FCS)


▪ L2 header removed
▪ IP routing table is referenced for forwarding

When a packet enters the ingress interface of a router, the router first performs a L2 FCS to ensure that the
packet has not been corrupted.

If the packet passes the FCS then the router will remove the L2 header. Then the router references its
routing table to determine how to forward the packet based on the L3 destination IP address information of
the packet.

If the router finds a path to the destination then the packet is re-encapsulated with a new L2 header and is
forwarded out of the correct egress interface.

III.2 Policy-based routing (PBR) Concepts

We can influence this default router behavior using PBR.

▪ L2 frame check sequence (FCS)


8 By Justin O. OLANGI
▪ L2 header removed
▪ Route map determines forwarding decisions

PBR allows us to override the default routing behavior. The router still performs a L2 FCS. It still removes
the L2 header. But rather than basing its forwarding decision on a destination IP address the router bases
its routing decisions on instructions found within a route map.

Route maps act like decision trees, specifying conditions (like source IP, destination IP, protocol type) that a
packet must meet. Packets are evaluated against the MATCH criteria in the route map. If a packet matches,
the route map defines actions, such as setting the next-hop IP address or interface for that packet.

Route maps offer more control over routing decisions compared to traditional destination-based routing.
This allows for:

▪ Traffic prioritization: Route critical traffic over specific paths for better performance.
▪ Load balancing: Distribute traffic across multiple links for efficient network performance.
▪ Security policies: Implement access control rules based on traffic characteristics.

III.3 Policy-based routing (PBR) Configuration

In this lab, we are going to set up a policy enabling the following routing:

▪ Direct all voice traffic on router R1 coming from LAN to GigabitEthernet port 0/1;
▪ Direct all SSH traffic on router R1 coming from LAN to GigabitEthernet port 0/0;
▪ For all normal traffic, follow the initial routing table.

a. R1
SIP (port 5060)
R1(config)# ip access-list extended VoIP-traffic
R1(config-)# permit udp any any range 5060 5060
R1(config-)# permit udp any any range 10000 20000
R1(config-if)# exit
RTP (port 10000-20000)
R1(config)# ip access-list extended SSH-traffic
R1(config-)# permit tcp any any eq 22
R1(config-if)# exit

R1(config)# route-map POLICY1 permit 10


R1(config-)# match ip address VoIP-traffic
R1(config-)# set ip next-hop 172.16.2.2
R1(config-)# exit

R1(config)# route-map POLICY1 permit 20


R1(config-)# match ip address SSH-traffic
R1(config-)# set ip next-hop 172.16.1.2
R1(config-)# exit

9 By Justin O. OLANGI
R1(config)# interface g0/2
R1(config-if)# ip policy route-map POLICY1
R1(config-if)# exit

III.4 Policy-based routing (PBR) Verification

a. Ping Traffic Test

VPCS> ip 172.16.10.10 24 172.16.10.1


Checking for duplicate address...
VPCS : 172.16.10.10 255.255.255.0 gateway 172.16.10.1

VPCS> ping 172.16.50.1

84 bytes from 172.16.50.1 icmp_seq=1 ttl=253 time=64.218 ms


84 bytes from 172.16.50.1 icmp_seq=2 ttl=253 time=13.976 ms
84 bytes from 172.16.50.1 icmp_seq=3 ttl=253 time=77.044 ms
84 bytes from 172.16.50.1 icmp_seq=4 ttl=253 time=17.024 ms
84 bytes from 172.16.50.1 icmp_seq=5 ttl=253 time=29.151 ms

VPCS> trace 172.16.50.1


trace to 172.16.50.1, 8 hops max, press Ctrl+C to stop
1 172.16.10.1 19.982 ms 15.078 ms 11.750 ms
2 172.16.2.2 31.456 ms 23.170 ms 19.839 ms
3 *172.16.4.2 29.861 ms (ICMP type:3, code:3, Destination port unreachable) *

VPCS>

b. Normal Forwarding

R1#debug ip policy
Policy routing debugging is on
R1#
*Nov 6 14:58:31.493: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 84,
FIB policy rejected(no match) - normal forwarding
*Nov 6 14:58:32.427: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 84,
FIB policy rejected(no match) - normal forwarding
*Nov 6 14:58:33.332: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 84,
FIB policy rejected(no match) - normal forwarding
*Nov 6 14:58:34.182: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 84,
FIB policy rejected(no match) - normal forwarding
*Nov 6 14:58:35.098: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 84,
FIB policy rejected(no match) - normal forwarding
R1#

10 By Justin O. OLANGI
c. Ping Traffic Test

VPCS> ip 172.16.10.10 24 172.16.10.1


Checking for duplicate address...
VPCS : 172.16.10.10 255.255.255.0 gateway 172.16.10.1

VPCS> ping 172.16.50.1 -3 -p 22

Connect [email protected] RST returned


Connect [email protected] RST returned
Connect [email protected] RST returned
Connect [email protected] RST returned
Connect [email protected] RST returned

VPCS> ping 172.16.50.1 -2 -p 5060

*172.16.4.2 udp_seq=1 ttl=253 time=29.280 ms (ICMP type:3, code:3, Destination port


unreachable)
*172.16.4.2 udp_seq=2 ttl=253 time=23.325 ms (ICMP type:3, code:3, Destination port
unreachable)
*172.16.4.2 udp_seq=3 ttl=253 time=35.931 ms (ICMP type:3, code:3, Destination port
unreachable)
*172.16.4.2 udp_seq=4 ttl=253 time=14.957 ms (ICMP type:3, code:3, Destination port
unreachable)
*172.16.4.2 udp_seq=5 ttl=253 time=35.857 ms (ICMP type:3, code:3, Destination port
unreachable)

VPCS>

d. Verify with debug ip policy

R1#debug ip policy
Policy routing debugging is on
R1#
*Nov 6 15:36:23.297: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 60,
FIB policy match
*Nov 6 15:36:23.297: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 60,
PBR Counted
*Nov 6 15:36:23.297: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1,
g=172.16.1.2, len 60, FIB policy routed
*Nov 6 15:36:24.242: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 60,
FIB policy match
*Nov 6 15:36:24.242: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1, len 60,
PBR Counted
*Nov 6 15:36:24.242: IP: s=172.16.10.10 (GigabitEthernet0/2), d=172.16.50.1,
g=172.16.1.2, len 60, FIB policy routed

R1#

11 By Justin O. OLANGI
e. Details about route-map packets

R1#show route-map
route-map POLICY1, permit, sequence 10
Match clauses:
ip address (access-lists): VoIP-traffic
Set clauses:
ip next-hop 172.16.2.2
Policy routing matches: 5 packets, 490 bytes
route-map POLICY1, permit, sequence 20
Match clauses:
ip address (access-lists): SSH-traffic
Set clauses:
ip next-hop 172.16.1.2
Policy routing matches: 10 packets, 740 bytes
R1#

12 By Justin O. OLANGI

You might also like