Sunday, February 1, 2015

Cisco CCNP - 300-101 - Configuring and Verifying Policy Based Routing

So it's that time again for me to renew my Cisco certifications. As a result, this post is based on my preparation for the CCNP Route exam (300-101).

In this post I will be focusing on configuring and verifying Policy Based Routing (PBR).

Why would you wish to use Policy Based Routing? Let's say you have two Internet links from your office. One can be used for web-based traffic (HTTP, DNS, etc.) while the other can be used for management traffic to your remote networks (Telnet, SSH, SNMP, ICMP, etc.). PBR lets you choose the outgoing link per traffic type instead of leaving the choice to the routing table alone.

For the purposes of this lab, I will send all Telnet, ICMP and SSH (management) traffic through ISP2 and all HTTP and DNS (web) traffic through ISP1.

Topology

This topology consists of two ISP routers, one Internet router and one LOCAL_SITE router.

Internet
    - Interface e1/0 - connected to ISP1 - IP 1.0.0.1/24
    - Interface e1/1 - connected to ISP2 - IP 2.0.0.1/24
    - Interface lo3 - INTERNET ADDRESS - IP 3.0.0.1/32

ISP1
    - Interface e1/0 - connected to ISP1 - IP 1.0.0.2/24
    - Interface e1/1 - connected to ISP2 - IP 4.0.0.1/24

ISP2
    - Interface e1/0 - connected to ISP1 - IP 2.0.0.2/24
    - Interface e1/1 - connected to ISP2 - IP 5.0.0.2/24

LOCAL_SITE
    - Interface e1/0 - connected to ISP2 - IP 4.0.0.2/24
    - Interface e1/1 - connected to ISP1 - IP 5.0.0.2/24
    - Interface fa0/0 - connected to LAN - IP 10.0.0.1/32

Kali Host on Branch
    - eth0 - 10.0.0.2.2/24
    - Default Gateway - 10.0.0.1

Interface Configuration:

Internet:

ISP-1:

ISP-2:

LOCAL_SITE:

Now that the interfaces are configured, it's time to configure the access lists.

Route Map config

Let's verify the route-map is assigned to an interface.

Excellent!!
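The configuration screenshots did not survive on this page, so here is a complete LOCAL_SITE configuration for the procedure above (interfaces, the two access lists, the route-map and its binding to the LAN interface) as an added example. It is my own example, not the original post's config: the ACL and route-map names (MGMT_TRAFFIC, WEB_TRAFFIC, PBR_SPLIT) are my choice, the next hops 4.0.0.1 (ISP-1) and 5.0.0.1 (ISP-2) follow the verification section of the post, and the LAN interface is given a /24 so the Kali host is directly connected.

```cisco
! LOCAL_SITE - policy based routing example (added example, not the post's own config)
! Assumptions: ISP-1 next hop 4.0.0.1, ISP-2 next hop 5.0.0.1, LAN 10.0.0.0/24.
hostname LOCAL_SITE
!
interface Ethernet1/0
 description To ISP-1
 ip address 4.0.0.2 255.255.255.0
 no shutdown
!
interface Ethernet1/1
 description To ISP-2
 ip address 5.0.0.2 255.255.255.0
 no shutdown
!
interface FastEthernet0/0
 description LAN (Kali host)
 ip address 10.0.0.1 255.255.255.0
 ! PBR is applied INBOUND on the interface the traffic arrives on, not the WAN links
 ip policy route-map PBR_SPLIT
 no shutdown
!
! Management traffic (Telnet, SSH, ICMP) -> ISP-2
! "log" gives the per-hit syslog entries seen later in the post; it is CPU-costly, lab use only
ip access-list extended MGMT_TRAFFIC
 permit tcp 10.0.0.0 0.0.0.255 any eq 22 log
 permit tcp 10.0.0.0 0.0.0.255 any eq telnet log
 permit icmp 10.0.0.0 0.0.0.255 any log
!
! Web traffic (HTTP, DNS over UDP and TCP) -> ISP-1
ip access-list extended WEB_TRAFFIC
 permit tcp 10.0.0.0 0.0.0.255 any eq www log
 permit udp 10.0.0.0 0.0.0.255 any eq domain log
 permit tcp 10.0.0.0 0.0.0.255 any eq domain log
!
! Sequence 10: anything permitted by MGMT_TRAFFIC is forwarded to ISP-2
route-map PBR_SPLIT permit 10
 match ip address MGMT_TRAFFIC
 set ip next-hop 5.0.0.1
!
! Sequence 20: anything permitted by WEB_TRAFFIC is forwarded to ISP-1
route-map PBR_SPLIT permit 20
 match ip address WEB_TRAFFIC
 set ip next-hop 4.0.0.1
!
! Packets matching neither sequence are NOT dropped; they fall through to the routing table,
! so a default route is still needed for everything else (and for router-originated traffic).
ip route 0.0.0.0 0.0.0.0 4.0.0.1
!
! Verification (the show commands used in the rest of the post):
!   show ip policy            -> which route-map is bound to which interface
!   show route-map PBR_SPLIT  -> per-sequence "Policy routing matches" packet/byte counters
!   show ip access-lists      -> per-entry match counters for MGMT_TRAFFIC and WEB_TRAFFIC
!   debug ip policy           -> per-packet policy decisions (lab only, very chatty)
```

Two points worth keeping in mind when reading the counters later in the post. First, a deny or a non-match in a PBR access list never blocks traffic; it only hands the packet back to normal destination-based routing, so the policy is a steering control, not a filter. Second, `set ip next-hop` overrides the routing table unconditionally, whereas `set ip default next-hop` is consulted only when the routing table has no explicit (non-default) route for the destination; picking the wrong one is a common reason a route-map shows matches but traffic still leaves the expected link.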


Now that the configuration is finished, it's time to verify that the system works as expected.

Verification - ICMP

For ICMP, I will do a manual traceroute (pings with an increasing TTL) to verify that ICMP traffic is going through ISP2.

Ping with TTL set to 1

From above, we've successfully hit our own gateway.

Ping with TTL set to 2

As we can see above, ICMP traffic is going through ISP-2.

Ping with TTL set to 3

As can be seen from above, ICMP traffic successfully got to 3.0.0.1 (Internet).


Let's verify the rest of the traffic that should pass through ISP-2 (Telnet, SSH).

Looks good, SSH traffic is going through ISP-2 (5.0.0.1).

Looks good too, Telnet traffic is going through ISP-2 (5.0.0.1).


Now let's look at HTTP and DNS, which should go through ISP-1.

Niceee! Just what we wanted to see: HTTP traffic is going through ISP-1 (4.0.0.1).

Yep! DNS traffic is also flowing through ISP-1 (4.0.0.1).


Now that we have all of that, let's go back to the router to see what is logged.

Above we see the management traffic (port 22) being permitted.

Above we see the web traffic (port 80) being permitted.

Checking the counters of the access lists

Above, we see the access-list counters, showing how much traffic has been matched (and logged) or denied by each entry.



Checking the counters of the route-map

Above we see the route-map counters, which show that traffic is being matched and policy routed by each sequence of the route-map.



That's it for configuring and verifying policy based routing.

Hope you enjoyed.
