
CCIE Practical Studies: Configuring Route-Maps and Policy-based Routing

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Nov 26, 2003.

Chapter Description

Route maps are like duct tape for the network—they can be applied to numerous situations to address many issues. At times, they may not be the most "pretty solutions," but they will be very effective. Karl Solie and Leah Lynch show you how to configure and use route maps.

Lab 4: Configuring Policy-Based Routing—Part II

Lab Walkthrough

Configure the Frame Relay switch and attach the three routers in a back-to-back fashion to the frame switch. Use V.35 cables to connect the routers. Create the four Ethernet LANs by the use of switches or hubs, as illustrated in Figure 2-12.

After the physical connections are complete, assign IP addresses to all LAN and WAN interfaces as depicted in Figure 2-12. Configure a Frame Relay network as a single multipoint network between all routers on the WAN. Use the DLCIs from the diagram. Because the Frame Relay network is a multipoint, keep in mind that you will need to disable EIGRP split horizon at some point. At this time, you will also want to set the bandwidth statements so that EIGRP chooses the best possible path through the network. Example 2-49 lists the Frame Relay configuration of all the routers.

Example 2-49 Frame Relay Configurations for the wow, plains, and swamp Routers

hostname wow
!
interface Serial0
 ! BW for EIGRP
 bandwidth 1544
 ip address 192.168.1.7 255.255.255.0
 encapsulation frame-relay
 ! Used to disable split horizon
 no ip split-horizon eigrp 65002
 no ip mroute-cache
 ! Map statement to plains
 frame-relay map ip 192.168.1.3 102 broadcast
 ! Map statement to swamp
 frame-relay map ip 192.168.1.4 302 broadcast
 frame-relay lmi-type cisco
!
hostname plains
!
interface Serial1/0
 ! BW for EIGRP
 bandwidth 1544
 ip address 192.168.1.3 255.255.255.0
 encapsulation frame-relay
 ! Map statement to swamp
 frame-relay map ip 192.168.1.4 101 broadcast
 ! Map statement to wow
 frame-relay map ip 192.168.1.7 101 broadcast
 frame-relay lmi-type cisco
!
hostname swamp
!
interface Serial0/0
 ! BW for EIGRP
 bandwidth 64
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 no ip mroute-cache
 ! Map statement to plains
 frame-relay map ip 192.168.1.3 206 broadcast
 ! Map statement to wow
 frame-relay map ip 192.168.1.7 206 broadcast
 frame-relay lmi-type cisco
!

After configuring all the LAN and WAN interfaces, assign IP addresses and verify local connectivity. All routers should be able to ping their adjacent routers. For instance, plains, swamp, and forest should all be able to ping the others' Ethernet address. When local connectivity is verified, you can begin to configure routing protocols.

Begin by configuring the EIGRP domain between all the routers, starting with the wow router. On the wow router, you need two network statements, one for network 172.16.0.0 and one for 192.168.1.0. This router also needs to generate a default route for Internet traffic. To generate a default route, configure a default static route to the address 206.191.241.41 with the command ip route 0.0.0.0 0.0.0.0 206.191.241.41. For the wow router to advertise this route, it needs to be redistributed into EIGRP. Example 2-50 lists the configuration of EIGRP on the wow router.

Example 2-50 EIGRP Configuration for the wow Router

hostname wow
!
router eigrp 65002
 ! Redistribute the default route
 redistribute static
 network 172.16.0.0
 network 192.168.1.0
 ! Default metric
 default-metric 10000 100 254 1 1500
 no auto-summary
!
ip classless
! Default route
ip route 0.0.0.0 0.0.0.0 206.191.241.41

NOTE

Packets will only follow a default route when ip classless is enabled.

Because the Frame Relay network is a multipoint, you should disable split horizon for EIGRP on the serial interface with the command no ip split-horizon eigrp 65002. Without disabling EIGRP split horizon, if the Ethernet link between the plains and swamp routers were broken, routes from the swamp router would not reach the plains router, and routing would be broken. Another important part of the EIGRP configuration, listed in the preceding example, is the configuration of the bandwidth statements on the serial interface. The configuration of the bandwidth statements will allow EIGRP to pick the best possible path for routing.

The EIGRP configurations on the plains and swamp routers resemble that of the wow router. Example 2-51 lists the configurations.

Example 2-51 EIGRP Configuration of the plains and swamp Routers

hostname plains
!
router eigrp 65002
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
hostname swamp
!
router eigrp 65002
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary

The EIGRP configurations on the forest, mountain, and island routers are pretty straightforward, as shown in Example 2-52.

Example 2-52 EIGRP Configuration of the forest, mountain, and island Routers

hostname forest
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary
!
hostname mountain
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary
!
hostname island
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary

After configuring all the routers for EIGRP, you should have IP end-to-end connectivity. The island and mountain routers should be able to reach the wow servers. A default route should also be advertised by EIGRP. Example 2-53 lists the route table of the island router.

Example 2-53 Route Table of the island Router

island# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
  D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
  N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
  E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
  i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
  U - per-user static route, o - ODR
Gateway of last resort is 172.16.2.6 to network 0.0.0.0
  172.16.0.0/24 is subnetted, 3 subnets
D  172.16.7.0 [90/2246656] via 172.16.2.6, 01:07:24, Ethernet0/0
D  172.16.1.0 [90/307200] via 172.16.2.6, 02:10:57, Ethernet0/0
C  172.16.2.0 is directly connected, Ethernet0/0
D 192.168.1.0/24 [90/2221056] via 172.16.2.6, 02:10:57, Ethernet0/0
D*EX 0.0.0.0/0 [170/2246656] via 172.16.2.6, 01:07:24, Ethernet0/0
island# 

The optional portion of this lab calls for you to configure NAT on the wow router for reachability to the Internet. Having actual IP hosts for testing will help you verify whether the route maps and policy routing are working properly. Actual IP hosts may be substituted by loopback interfaces and by enabling local policy routing. When configuring NAT, configure the serial 0 and E4 interfaces of the wow router as NAT inside interfaces. The E3 interface will be the NAT outside interface. Because you have only a single IP address, you will be using Port Address Translation (PAT), sometimes referred to as the Overload feature. The NAT/PAT configuration used in this model is listed in Example 2-54. For more detailed information on configuring NAT, refer to CCIE Practical Studies, Volume 1.

Example 2-54 NAT/PAT Configuration on the wow Router

hostname wow
!
interface Ethernet3
 ip address 206.191.241.43 255.255.255.248
 no ip directed-broadcast
 ! NAT outside interface/Internet
 ip nat outside
 media-type 10BaseT
!
interface Ethernet4
 ip address 172.16.7.7 255.255.255.0
 no ip directed-broadcast
 ! NAT inside interface
 ip nat inside
 media-type 10BaseT
!
interface Serial0
 bandwidth 1544
 ip address 192.168.1.7 255.255.255.0
 no ip directed-broadcast
 ! NAT inside interface
 ip nat inside
 encapsulation frame-relay
 no ip split-horizon eigrp 65002
 no ip mroute-cache
 frame-relay map ip 192.168.1.3 102 broadcast
 frame-relay map ip 192.168.1.4 302 broadcast
 frame-relay lmi-type cisco
!
! PAT enabled for E3
ip nat inside source list 101 interface Ethernet3 overload
!
! Translate all traffic
access-list 101 permit ip any any

To configure the routing policy specified by the lab, you need to configure policy routing on the forest router. This lab does not require return traffic to take the same path on which it originated; however, for extra practice, you may want to configure PBR on the wow router so that traffic does follow the same return path.

The lab objectives call for you to configure PBR with the following guidelines:

  • IP traffic from the mountain and island routers with a small packet size, 0 to 1199 bytes, destined for the wow servers should use the high-speed link between the plains and wow routers.

  • IP traffic from the mountain and island routers with a large packet size, 1200 to 1544 bytes, destined for the wow servers should use the low-speed link between the swamp and wow routers.

  • Internet traffic from the mountain router should use the high-speed link through the plains router.

  • Internet traffic from the island router should use the low-speed link through the swamp router.

  • Configure fast switching for PBR.

The route map for policy routing on the forest router will have four route map instances. The first instance will match traffic from the router mountain, 172.16.2.10, and island, 172.16.2.5. After traffic is verified from these sources, a match on small packet length, 0 to 1199, will be performed. Traffic that passes both of these criteria will have a next hop set to 172.16.1.3, to use the high-speed link of the plains router. The second route map instance will match the same addresses, but this instance will match large packet lengths, 1200 to 1544. Traffic that passes both of these matches will be forwarded to the next hop of 172.16.1.4, to the lower-speed link of the swamp router.

The final two route map instances are for Internet traffic. One instance will match traffic from the mountain router, 172.16.2.10, and set the IP default next hop to the plains router, 172.16.1.3. The other instance will match traffic from the island router, 172.16.2.5, and set the IP default next hop to the swamp router, 172.16.1.4. Recall that the IP default next-hop address will be used when the router does not have the destination address of the packet in its forwarding/route table.

Recalling the steps to configure PBR, you have the following:

Step 1  Configure ACLs.

Step 2  Configure route map instances.

Step 3  Configure match commands.

Step 4  Configure set commands.

Step 5  Configure PBR on the interface.

Step 6  Configure fast switching.

Step 7  (Optional) Configure local PBR.


Example 2-55 covers the configuration of Steps 1 through 4 on the forest router.

Example 2-55 Route Map and ACL Configuration on the forest Router

hostname forest
!
access-list 110 permit ip host 172.16.2.10 172.16.7.0 0.0.0.255
access-list 110 permit ip host 172.16.2.5 172.16.7.0 0.0.0.255
!
access-list 130 deny ip any 172.16.0.0 0.0.255.255
access-list 130 deny ip any 192.168.1.0 0.0.0.255
access-list 130 permit ip host 172.16.2.10 any
!
access-list 140 deny ip any 172.16.0.0 0.0.255.255
access-list 140 deny ip any 192.168.1.0 0.0.0.255
access-list 140 permit ip host 172.16.2.5 any
!
! PBR small packets
route-map policy_1 permit 10
 match ip address 110
 match length 0 1199
 set ip next-hop 172.16.1.3
!
! PBR large packets
route-map policy_1 permit 20
 match ip address 110
 match length 1200 1544
 set ip next-hop 172.16.1.4
!
! PBR for default routing
route-map policy_1 permit 30
 match ip address 130
 set ip default next-hop 172.16.1.3
!
! PBR for default routing
route-map policy_1 permit 40
 match ip address 140
 set ip default next-hop 172.16.1.4
!
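
The order in which route-map policy_1 is evaluated can be checked offline before the policy is applied. The following Python model is an added example, not part of the original chapter: it encodes the ACLs and route map instances from Example 2-55 and reports which sequence a packet matches. The list of explicit routes on the forest router is an assumption modelled on the island route table in Example 2-53.

```python
import ipaddress


def net(prefix):
    return ipaddress.ip_network(prefix)


ANY = net("0.0.0.0/0")

# Extended ACLs from Example 2-55: (action, source, destination), first match wins.
ACLS = {
    110: [("permit", net("172.16.2.10/32"), net("172.16.7.0/24")),
          ("permit", net("172.16.2.5/32"), net("172.16.7.0/24"))],
    130: [("deny", ANY, net("172.16.0.0/16")),
          ("deny", ANY, net("192.168.1.0/24")),
          ("permit", net("172.16.2.10/32"), ANY)],
    140: [("deny", ANY, net("172.16.0.0/16")),
          ("deny", ANY, net("192.168.1.0/24")),
          ("permit", net("172.16.2.5/32"), ANY)],
}

# route-map policy_1: (sequence, ACL, packet length range or None, set type, next hop)
ROUTE_MAP = [
    (10, 110, (0, 1199), "next-hop", "172.16.1.3"),
    (20, 110, (1200, 1544), "next-hop", "172.16.1.4"),
    (30, 130, None, "default next-hop", "172.16.1.3"),
    (40, 140, None, "default next-hop", "172.16.1.4"),
]

# Assumption: explicit (non-default) routes on forest, modelled on Example 2-53.
EXPLICIT_ROUTES = [net("172.16.1.0/24"), net("172.16.2.0/24"),
                   net("172.16.7.0/24"), net("192.168.1.0/24")]


def acl_permits(acl, src, dst):
    for action, acl_src, acl_dst in ACLS[acl]:
        if src in acl_src and dst in acl_dst:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def policy_route(src, dst, length, explicit_routes=EXPLICIT_ROUTES):
    """Return (sequence, next hop). (None, None) means no instance matched and
    the packet is routed normally; (sequence, None) means a default next-hop
    instance matched but an explicit route exists, so the route table is used."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl, length_range, kind, hop in ROUTE_MAP:
        # Every match clause in an instance must pass.
        if not acl_permits(acl, src, dst):
            continue
        if length_range and not (length_range[0] <= length <= length_range[1]):
            continue
        if kind == "default next-hop" and any(dst in r for r in explicit_routes):
            return seq, None
        return seq, hop
    return None, None


if __name__ == "__main__":
    tests = [("172.16.2.10", "172.16.7.11", 100),     # mountain, small packet
             ("172.16.2.5", "172.16.7.11", 1500),     # island, large packet
             ("172.16.2.10", "198.133.219.25", 100),  # mountain, Internet
             ("172.16.2.5", "198.133.219.25", 100),   # island, Internet
             ("172.16.2.5", "172.16.7.11", 1545)]     # above both length ranges
    for src, dst, length in tests:
        print(src, dst, length, policy_route(src, dst, length))
```

The last case shows a gap worth knowing about: a packet to the servers longer than 1544 bytes matches none of the four instances and is forwarded by the normal route table.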

The last part of the configuration, Steps 5 and 6, calls for you to apply the PBR and to enable fast switching for PBR. This is accomplished with the interface commands ip policy route-map and ip route-cache policy. Example 2-56 lists the entire configuration of the forest router.

Example 2-56 Configuration of the forest Router

hostname forest
!
<<<text omitted>>>
!
interface Ethernet0/0
 ip address 172.16.1.6 255.255.255.0
!
interface Ethernet0/1
 ip address 172.16.2.6 255.255.255.0
 ip route-cache policy
 ip policy route-map policy_1
!
router eigrp 65002
 network 172.16.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
no ip http server
!
access-list 110 permit ip host 172.16.2.10 172.16.7.0 0.0.0.255
access-list 110 permit ip host 172.16.2.5 172.16.7.0 0.0.0.255
access-list 130 deny ip any 172.16.0.0 0.0.255.255
access-list 130 deny ip any 192.168.1.0 0.0.0.255
access-list 130 permit ip host 172.16.2.10 any
access-list 140 deny ip any 172.16.0.0 0.0.255.255
access-list 140 deny ip any 192.168.1.0 0.0.0.255
access-list 140 permit ip host 172.16.2.5 any
route-map policy_1 permit 10
 match ip address 110
 match length 0 1199
 set ip next-hop 172.16.1.3
!
route-map policy_1 permit 20
 match ip address 110
 match length 1200 1544
 set ip next-hop 172.16.1.4
!
route-map policy_1 permit 30
 match ip address 130
 set ip default next-hop 172.16.1.3
!
route-map policy_1 permit 40
 match ip address 140
 set ip default next-hop 172.16.1.4

Example 2-57 lists the PBR configuration of the wow router.

Example 2-57 PBR Configuration of the wow Router

hostname wow
!
ip subnet-zero
ip name-server 206.191.193.1
!
<<<text omitted>>>
!
interface Ethernet3
 ip address 206.191.241.43 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 media-type 10BaseT
!
interface Ethernet4
 ip address 172.16.7.7 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 media-type 10BaseT
!
interface Serial0
 bandwidth 1544
 ip address 192.168.1.7 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 encapsulation frame-relay
 no ip split-horizon eigrp 65002
 no ip mroute-cache
 frame-relay map ip 192.168.1.3 102 broadcast
 frame-relay map ip 192.168.1.4 302 broadcast
 frame-relay lmi-type cisco
!
router eigrp 65002
 redistribute static
 network 172.16.0.0
 network 192.168.1.0
 default-metric 10000 100 254 1 1500
 no auto-summary
!
ip nat inside source list 101 interface Ethernet3 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.191.241.41
no ip http server
!
access-list 101 permit ip any any

To test the policy, issue several extended pings from the mountain and island routers. By using the show route-map command on the forest router, you will be able to determine whether packets are being policy routed. Example 2-58 demonstrates two pings on the mountain router—one ping to the wow server and one to http://www.cisco.com (on the Internet).

Example 2-58 Testing and Verifying PBR

mountain# ping
Protocol [ip]:
Target IP address: 172.16.7.11
Repeat count [5]: 50
Datagram size [100]: 100
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 172.16.7.11, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 8/8/12 ms
mountain#
mountain# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/700/1116 ms
mountain#

forest# show route-map
route-map policy_1, permit, sequence 10   <-- small packets matched
 Match clauses:
 ip address (access-lists): 110
 length 0 1199
 Set clauses:
 ip next-hop 172.16.1.3
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20
 Match clauses:
 ip address (access-lists): 110
 length 1200 1544
 Set clauses:
 ip next-hop 172.16.1.4
 Policy routing matches: 0 packets, 0 bytes
route-map policy_1, permit, sequence 30   <-- Internet traffic
 Match clauses:
 ip address (access-lists): 130
 Set clauses:
 ip default next-hop 172.16.1.3
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40
 Match clauses:
 ip address (access-lists): 140
 Set clauses:
 ip default next-hop 172.16.1.4
 Policy routing matches: 0 packets, 0 bytes
forest#

By performing the same test from the island router, this time with a ping packet size of 1500 bytes, you can observe the policy routing working on the forest router. Example 2-59 lists the output of the show route-map command performed on the forest router, after running the test from the island router.

Example 2-59 show route-map Command on the wow and forest Routers

forest# show route-map
route-map policy_1, permit, sequence 10
 Match clauses:
 ip address (access-lists): 110
 length 0 1199
 Set clauses:
 ip next-hop 172.16.1.3
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20   <-- Large packets matched
 Match clauses:
 ip address (access-lists): 110
 length 1200 1544
 Set clauses:
 ip next-hop 172.16.1.4
 Policy routing matches: 101 packets, 152914 bytes
route-map policy_1, permit, sequence 30
 Match clauses:
 ip address (access-lists): 130
 Set clauses:
 ip default next-hop 172.16.1.3
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40   <-- Internet traffic
 Match clauses:
 ip address (access-lists): 140
 Set clauses:
 ip default next-hop 172.16.1.4
 Policy routing matches: 12 packets, 1286 bytes
forest#
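
Comparing two captures of show route-map by eye is error-prone once a route map has more than a few instances. The following Python script is an added example, not part of the original chapter: it parses the counters out of two captures and reports how much each sequence grew between them. The two sample captures are trimmed from Examples 2-58 and 2-59 to the header and counter lines; the function names are hypothetical.

```python
import re

HEADER = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
COUNTS = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")

# Header and counter lines trimmed from Example 2-58 (after the mountain test).
CAPTURE_2_58 = """\
route-map policy_1, permit, sequence 10
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20
 Policy routing matches: 0 packets, 0 bytes
route-map policy_1, permit, sequence 30
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40
 Policy routing matches: 0 packets, 0 bytes
"""

# Header and counter lines trimmed from Example 2-59 (after the island test).
CAPTURE_2_59 = """\
route-map policy_1, permit, sequence 10
 Policy routing matches: 51 packets, 5814 bytes
route-map policy_1, permit, sequence 20
 Policy routing matches: 101 packets, 152914 bytes
route-map policy_1, permit, sequence 30
 Policy routing matches: 10 packets, 1140 bytes
route-map policy_1, permit, sequence 40
 Policy routing matches: 12 packets, 1286 bytes
"""


def parse_show_route_map(text):
    """Return {(map name, sequence): (packets, bytes)} from show route-map output."""
    counters, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            current = (header.group(1), int(header.group(3)))
            continue
        counts = COUNTS.search(line)
        if counts and current:
            counters[current] = (int(counts.group(1)), int(counts.group(2)))
    return counters


def counter_delta(before, after):
    """Growth per sequence between two captures."""
    delta = {}
    for key, (pkts, byts) in after.items():
        base_pkts, base_bytes = before.get(key, (0, 0))
        if pkts < base_pkts:
            # Counters went backwards, so they were cleared between captures;
            # the later value is then the growth since the clear.
            base_pkts, base_bytes = 0, 0
        delta[key] = (pkts - base_pkts, byts - base_bytes)
    return delta


def idle_sequences(delta):
    """Sequences that matched no packets between the two captures."""
    return sorted(seq for (_, seq), (pkts, _) in delta.items() if pkts == 0)


if __name__ == "__main__":
    growth = counter_delta(parse_show_route_map(CAPTURE_2_58),
                           parse_show_route_map(CAPTURE_2_59))
    for (name, seq), (pkts, byts) in sorted(growth.items()):
        print(f"{name} seq {seq}: +{pkts} packets, +{byts} bytes")
    print("not exercised by this test:", idle_sequences(growth))
```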
