So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).
In this post I will be focusing on configuring and verifying Policy Based Routing.
Why would you wish to use Policy Based Routing? Let's say you have two Internet links from your office. One can be used for web-based traffic (HTTP, DNS, etc.) while the other can be used for management traffic to your remote networks (Telnet, SSH, SNMP, ICMP, etc.).
For the purposes of this lab, I will send all Telnet, ICMP and SSH (management) traffic through ISP2 and all HTTP and DNS (web) traffic through ISP1.
Topology
This topology consists of two ISPs, one Internet router and one local site (LOCAL_SITE).
Internet
- Interface e1/0 - connected to ISP1 - IP 1.0.0.1/24
- Interface e1/1 - connected to ISP2 - IP 2.0.0.1/24
- Interface lo3 - INTERNET ADDRESS - IP 3.0.0.1/32
ISP1
- Interface e1/0 - connected to ISP1 - IP 1.0.0.2/24
- Interface e1/1 - connected to ISP2 - IP 4.0.0.1/24
ISP2
- Interface e1/0 - connected to ISP1 - IP 2.0.0.2/24
- Interface e1/1 - connected to ISP2 - IP 5.0.0.2/24
LOCAL_SITE
- Interface e1/0 - connected to ISP2 - IP 4.0.0.2/24
- Interface e1/1 - connected to ISP1 - IP 5.0.0.2/24
- Interface fa0/0 - connected to LAN - IP 10.0.0.1/32
Kali Host on Branch
eth0 - 10.0.0.2.2/24
Default Gateway - 10.0.0.1
Interface Configuration:
Internet:
ISP-1:
ISP-2:
LOCAL_SITE:
Now that the interfaces are configured, it's time to configure the access lists.
Route Map config
Let's verify the route-map is assigned to an interface.
Excellent!!
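As an added example (not the author's own lab config), here is a complete LOCAL_SITE configuration that implements the policy described above, followed by the show commands used to verify it. It assumes the LAN interface is fa0/0 and takes the next hops from the topology (4.0.0.1 for ISP-1, 5.0.0.1 for ISP-2); the ACL and route-map names are my own.

```cisco
! Added example of a LOCAL_SITE PBR configuration (not the author's own config).
! Assumes LAN on fa0/0, ISP-1 next hop 4.0.0.1, ISP-2 next hop 5.0.0.1.
!
! Management traffic from the LAN: SSH (22), Telnet (23) and ICMP.
! "log" makes each hit appear in the router log, as seen later in the post.
ip access-list extended MGMT-TRAFFIC
 permit tcp 10.0.0.0 0.0.0.255 any eq 22 log
 permit tcp 10.0.0.0 0.0.0.255 any eq telnet log
 permit icmp 10.0.0.0 0.0.0.255 any log
!
! Web traffic from the LAN: HTTP (80) and DNS (53 over UDP and TCP).
ip access-list extended WEB-TRAFFIC
 permit tcp 10.0.0.0 0.0.0.255 any eq www log
 permit udp 10.0.0.0 0.0.0.255 any eq domain log
 permit tcp 10.0.0.0 0.0.0.255 any eq domain log
!
! Sequence 10 steers management traffic to ISP-2, sequence 20 steers web
! traffic to ISP-1. Packets matching neither clause fall through to the
! normal routing table, so an overly broad ACL entry silently moves traffic
! to the other provider; the counters below are how you catch that.
route-map PBR permit 10
 match ip address MGMT-TRAFFIC
 set ip next-hop 5.0.0.1
!
route-map PBR permit 20
 match ip address WEB-TRAFFIC
 set ip next-hop 4.0.0.1
!
! PBR acts only on traffic ARRIVING on the interface it is bound to, so it
! goes on the LAN side, not on the ISP-facing links. Traffic generated by
! the router itself is not affected (that needs "ip local policy route-map").
interface FastEthernet0/0
 ip policy route-map PBR
!
! Verification:
!   show ip policy        - route-map bound to fa0/0?
!   show route-map PBR    - per-sequence "policy routing matches" counters
!   show access-lists     - per-entry hit counts for the two ACLs
!   show logging          - the "log" entries for ports 22 and 80
```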
Now that the configs are finished, time to verify if the system is working as expected.
Verification - ICMP
For ICMP, I will do a manual traceroute to verify that ICMP traffic is going through ISP2.
Ping with TTL set to 1
From above, we've successfully hit our own gateway.
Ping with TTL set to 2
As we can see above, ICMP traffic is going through ISP-2.
Ping with TTL set to 3
As can be seen from above, ICMP traffic successfully got to 3.0.0.1 (Internet).
Let's verify the rest of the traffic that should pass through ISP-2 (Telnet, SSH).
Looks good, SSH traffic is going through ISP-2 (5.0.0.1).
Looks good too, Telnet traffic is going through ISP-2 (5.0.0.1).
Now let's look at HTTP and DNS for ISP-1.
Niceee! Just what we wanted to see: HTTP traffic is going through ISP-1 (4.0.0.1).
Yep! DNS traffic is also flowing through ISP-1 (4.0.0.1).
Now that we have all of that, let's go back to the router to see what is logged.
Above we see the management traffic (port 22) being permitted.
Above we see the web traffic (port 80) being permitted.
Checking the counters of the access lists
Above, we see statistics from the access lists showing the amount of traffic being logged and/or denied.
Checking the counters of the route-map
Above we see statistics showing that the traffic is being processed by the route-map.
That's it for configuring and verifying policy based routing.
Hope you enjoyed.