Policy-Based Routing {Part-1 CCNP}

Policy-Based Routing

Introduction:-

Ø  Is a most powerful feature you have available to you to direct traffic moving to your cisco router

Ø  Process applied to ingress interface of a router which override’s the normal routing process

Objectives:-

Ø  PC1 surfs the internet all day doing nothing productive. All traffic from this PC should route out ISP, which is a slower internet connection. If ISP2 is down, PC1 should not be able to access the internet

Ø  PC2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connections. All other traffic from PC2 should router out ISP2

Ø  Traffic from other clients (not shown in this diagram) should route out ISP2.

Testing:-

Ø  Telnet from PC1 to ISP2 (200.200.200.5). This session should be connect to the ISP Router

Ø  Verify the traffic by using “show route-map” command on the R1.

Ø  Performing the telnet session to ISP1(200.200.200.1) should fail (Simply because ISP1 and ISP2 have no knowledge of each other)

Ø  Telnet from PC2 to ISP1 (200.200.200.1} .Both session should connect

v  Router1 interfaces Configuration

Ø  interface FastEthernet0/0

Ø   description CONNECTED WITH SW1

Ø   ip address 192.168.2.1 255.255.255.0

Ø  no shut

Ø  interface Serial1/0

Ø   description CONNECTED WITH ISP1

Ø   ip address 200.200.200.2 255.255.255.252

Ø  no shut

Ø  interface Serial1/1

Ø   description CONNECTED WITH ISP2

Ø   ip address 200.200.200.6 255.255.255.252

Ø  no shut

ISP1 (actually a routers} interfaces configuration

Ø  interface Serial1/0

Ø   description CONNECTED WITH R1

Ø   ip address 200.200.200.1 255.255.255.252

Ø  clock rate 64000

Ø  no shut

Ø  ip route 192.168.2.0 255.255.255.0 200.200.200.2         {for connecting R1 internal network}

ISP2 (actually a routers} interfaces configuration

Ø  interface Serial1/1

Ø   description CONNECTED WITH R1

Ø   ip address 200.200.200.5 255.255.255.252

Ø  clock rate 64000

Ø  no shut

Ø  ip route 192.168.2.0 255.255.255.0 200.200.200.6                  {for connecting R1 internal network}

First all the Devices ping each other But ISP1 and ISP2 do not ping each other

Create an access-list for permit PC1 and PC2 traffic

Ø  access-list 10 permit 192.168.2.50                                                      {Permit PC1}

Ø  access-list 120 permit tcp host 192.168.2.100 any eq 443             {Permit PC2 https}

Ø  access-list 120 permit tcp host 192.168.2.100 any eq telnet          {Permit PC2 telnet}

Now Implement the ACL into Route-map

Ø  route-map POLICY-DEMO permit 10     {POLICY-DEMO:- route-map name}

Ø   match ip address 10                                 {Match PC1 ACL 10}

Ø   set ip next-hop 200.200.200.5               {Set ISP2}

Ø  route-map POLICY-DEMO permit 20      

Ø   match ip address 120                                  {Match PC2 ACL 120}

Ø   set ip next-hop 200.200.200.1                  {Set ISP2 for Telnet & https}

Ø  route-map POLICY-DEMO permit 30        

Ø   set ip next-hop 200.200.200.5                 {Permit PC2 and All Traffic to ISP2}

Apply Route-map into R1 Fastethernet interface

Ø  interface FastEthernet0/0

Ø   description CONNECTED WITH SW1

Ø   ip policy route-map POLICY-DEMO            {filter the incoming traffic from internal networks}

Troubleshooting & Verification Commands

Ø  Show ip route

Ø  Show ip interface brief

Ø  Show access-list

Ø  Show route-map

Ø  Debug ip policy

Now Test

Click Here To Download The PDF File