
Policy Based Routing Lab

March 24th, 2014 in Basic Labs

In this lab we will learn how to use Policy Based Routing to send traffic via the route we want.

Policy_Based_Routing_Topology.jpg

IOS used: c3640-jk9s-mz.124-16.bin

Tasks
+ Enable OSPF on all interfaces of R2, R3, R4, R5 using only one command on each router.
+ Create Policy Based Routing on R2 so that traffic from R1 to the Loopback interface of R5 (5.5.5.5) must go through R3 (the less optimal path).

You can download the Initial Config Lab here: http://www.digitaltut.com/download/Policy_Based_Routing_Lab_Initial.zip.

Initial Config

In the initial config we will configure IP addresses on all interfaces and run OSPF on R2, R3, R4, R5. For R1 we only need a default route to R2.

R1
interface FastEthernet0/0
  ip address 12.12.12.1 255.255.255.0
  no shut
ip route 0.0.0.0 0.0.0.0 12.12.12.2

R2
interface FastEthernet0/0
  ip address 12.12.12.2 255.255.255.0
  no shut
interface FastEthernet1/0
  ip address 24.24.24.2 255.255.255.0
  no shut
interface Serial2/0
  ip address 23.23.23.2 255.255.255.0
  no shut
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0

R3
interface Serial0/0
  ip address 23.23.23.3 255.255.255.0
  no shut
interface FastEthernet1/0
  ip address 35.35.35.3 255.255.255.0
  no shut
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0

R4
interface FastEthernet0/0
  ip address 24.24.24.4 255.255.255.0
  no shut
interface FastEthernet1/0
  ip address 45.45.45.4 255.255.255.0
  no shut
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0

R5
interface Loopback0
  ip address 5.5.5.5 255.255.255.255
interface FastEthernet0/0
  ip address 35.35.35.5 255.255.255.0
  no shut
interface FastEthernet1/0
  ip address 45.45.45.5 255.255.255.0
  no shut
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0

A FastEthernet link has higher bandwidth (and therefore lower cost) than a Serial link, so traffic from R1 to R5 will go through R4 to R5:

Policy_Based_Routing_Init_Traceroute.jpg

Now we will configure Policy Based Routing on R2 so that all traffic destined for 5.5.5.5 (R5 Loopback0) goes through R3:

R2
access-list 100 permit ip any host 5.5.5.5
route-map OUT_R5 permit 10
  match ip address 100
  set ip next-hop 23.23.23.3
! Apply this route-map to Fa0/0
interface FastEthernet0/0
  ip policy route-map OUT_R5

The traffic now goes through R3:

Policy_Based_Routing_Traceroute.jpg

We can turn on “debug ip policy” on R2 to take a closer look at the policy match. We should also disable CEF so that the detailed match is shown (use the “no ip cef” command in global configuration mode).

Policy_Based_Routing_R2_debug_ip_policy.jpg

Verify that the traffic has been matched by the access list:

Policy_Based_Routing_R2_show_route_map.jpg

That is all the Policy Based Routing configuration in this lab. But what happens to traffic that is not matched by the access list? Will it be dropped? We will test this by replacing our access list with one that our test traffic does not match, for example one that permits only TCP.

R2
no access-list 100
access-list 100 permit tcp any host 5.5.5.5

Notice that traceroute sends UDP traffic, so it will not match the above access list.

Policy_Based_Routing_Traceroute_not_matched_acl.jpg

We see that the unmatched traffic is not dropped; it is routed through the normal destination-based routing process.

Another thing to note is that normal Policy Based Routing is applied only to traffic transiting the router. It cannot match traffic originating from R2 itself. For example, a traceroute from R2 still goes through R4:

Policy_Based_Routing_R2_traceroute.jpg

Luckily we can also match traffic originating from R2 with the Local Policy Based Routing by adding this command in global configuration mode (not interface mode):

R2(config)#ip local policy route-map OUT_R5

Now traffic from both R1 and R2 goes through R3:

Policy_Based_Routing_R2_traceroute_local_policy_based_routing.jpg
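
The forwarding decision described above (policy match, fall-through for unmatched traffic, and local policy for router-originated packets), modelled in Python as an added example that is not part of the original lab. The parser handles only the statement forms used in this lab, and `NORMAL_NEXT_HOP` (R4's 24.24.24.4) is an assumed stand-in for R2's OSPF result.

```python
import re

NORMAL_NEXT_HOP = "24.24.24.4"  # assumption: stands in for R2's OSPF route to 5.5.5.5 via R4
LAB = """\
access-list 100 permit ip any host 5.5.5.5
route-map OUT_R5 permit 10
 match ip address 100
 set ip next-hop 23.23.23.3
interface FastEthernet0/0
 ip policy route-map OUT_R5
"""
TCP_ONLY = LAB + "no access-list 100\naccess-list 100 permit tcp any host 5.5.5.5\n"
LOCAL = LAB + "ip local policy route-map OUT_R5\n"

def parse(config):  # handles only the statement forms this lab uses
    cfg = {"acl": {}, "rmap": {}, "iface": {}, "local": None}
    ctx = None  # current sub-mode: interface name (str) or route-map entry (dict)
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"access-list (\d+) (permit|deny) (\w+) any host (\S+)", line):
            cfg["acl"].setdefault(m[1], []).append(m.groups()[1:])
        elif m := re.fullmatch(r"no access-list (\d+)", line):
            cfg["acl"].pop(m[1], None)
        elif m := re.fullmatch(r"route-map (\S+) permit \d+", line):
            ctx = cfg["rmap"].setdefault(m[1], {})
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = m[1]
        elif m := re.fullmatch(r"ip local policy route-map (\S+)", line):
            cfg["local"] = m[1]
        elif isinstance(ctx, str) and (m := re.fullmatch(r"ip policy route-map (\S+)", line)):
            cfg["iface"][ctx] = m[1]
        elif m := re.fullmatch(r"(match ip address|set ip next-hop) (\S+)", line):
            if isinstance(ctx, dict):
                ctx[m[1]] = m[2]
    return cfg

def next_hop(cfg, proto, dst, in_iface=None):
    """Return (next hop, reason); in_iface=None means R2 originated the packet."""
    rm = cfg["rmap"].get(cfg["iface"].get(in_iface) if in_iface else cfg["local"], {})
    for action, acl_proto, acl_dst in cfg["acl"].get(rm.get("match ip address"), []):
        if acl_dst == dst and acl_proto in ("ip", proto):  # first matching entry decides
            if action == "permit" and "set ip next-hop" in rm:
                return rm["set ip next-hop"], "policy routed"
            break  # deny entry: packet is not policy routed
    return NORMAL_NEXT_HOP, "normal forwarding"

if __name__ == "__main__":
    for text in (LAB, TCP_ONLY, LOCAL):
        cfg = parse(text)
        print([next_hop(cfg, "udp", "5.5.5.5", i) for i in ("FastEthernet0/0", None)])
```

Each printed row shows the decision for a UDP traceroute probe arriving on Fa0/0 and for one originated by R2 itself, under the three configurations the lab walks through.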

You can download the final configuration of this lab here: http://www.digitaltut.com/download/Policy_Based_Routing_Lab_Final.zip.

Comments
  1. Anonymous
    May 14th, 2016

    Good Lab

  2. next-gen
    May 26th, 2016

    Wow, great lab, I enjoyed it.

  3. Tej Bahadur
    May 28th, 2016

    How to make PBR send traffic from R5 to R1 via R3>R2>R1, for example when that serial link has a bandwidth of 128K only?

    I have tried, but the problem is that it goes to next hop R3, which returns the traffic to R5 again, and it then goes to R4, R2 and R1.

    How to tweak this?

    Regards

  4. Isazu
    August 16th, 2016

    @Tej Bahadur
    You can add another PBR in R3 to make this work
    R3#sh ip access-lists
    Extended IP access list 101
    10 permit ip any host 12.12.12.1 (18 matches)

    R3#sh route-map
    route-map BPI, permit, sequence 10
    Match clauses:
    ip address (access-lists): 101
    Set clauses:
    ip next-hop 23.23.23.2
    Nexthop tracking current: 0.0.0.0
    23.23.23.2, fib_nh:0,oce:0,status:0

  5. Isazu
    August 16th, 2016

    @Tej pls see traceroute below
    R5#traceroute 12.12.12.1
    Type escape sequence to abort.
    Tracing the route to 12.12.12.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 35.35.35.3 32 msec 24 msec 24 msec
    2 23.23.23.2 64 msec 56 msec 64 msec
    3 12.12.12.1 76 msec 80 msec 56 msec

  6. oronyaniv
    December 3rd, 2016

    Hi all,
    if I have only CFG and topology files,
    how do I load them in GNS3?

  7. irfi
    December 17th, 2016

    @oronyaniv The following link will help you. It shows an older version, but the same settings apply. Don’t open GNS3; open the topology directly by right-clicking it, choosing Open, and selecting GNS3 from the list.
    https://www.youtube.com/watch?v=4DK1GYfywjQ

  8. irfi
    December 17th, 2016

    First of all, many many thanks to the folks who are doing that awesome dude, and plus think also about CCNA and CCNP Service Provider LABS and Material, it would be awesome for us to get some help on that.

    Last but not the least.
    We can also change access-list 100 or 101 to the following, which matches only telnet traffic from R1, and then policy routing will happen:
    R1#Telnet 5.5.5.5
    *Mar 1 00:14:03.323: IP: route map pbr, item 10, permit
    *Mar 1 00:14:03.323: IP: s=12.12.12.1 (FastEthernet0/0), d=5.5.5.5 (Serial2/0), len 44, policy routed
    and check debug ip policy on term mon of R2
    and when we generate ICMP traffic, it will go through normal forwarding
    R2#
    *Mar 1 00:13:41.479: IP: s=12.12.12.1 (FastEthernet0/0), d=5.5.5.5 (FastEthernet1/0), len 28, policy rejected -- normal forwarding
    R2# Tracert 5.5.5.5

    conf t
    R2# no ip cef
    R2# debug ip policy
    !
    R2#sh ip access-lists 101
    Extended IP access list 101
    10 permit tcp any host 5.5.5.5 eq telnet (20 matches)

  9. Rocky
    February 9th, 2017

    Hi, can someone advise how to run these labs under GNS3? Which GNS3 version?
    Thanks

  10. shalev
    May 7th, 2017

    It can’t run in Packet Tracer? If it can, which version?

  11. IntroVoys
    June 3rd, 2017

    Is this lab also part of the exam?

  12. K
    July 3rd, 2017