Tuesday, March 24, 2015


Policy-Based Routing {Part-1 CCNP}

Introduction:-
- Policy-Based Routing (PBR) is one of the most powerful features available for directing traffic that passes through your Cisco router.
- It is a process applied to the ingress interface of a router which overrides the normal, destination-based routing process.

Objectives:-
- PC1 surfs the internet all day doing nothing productive. All traffic from this PC should route out ISP2, which is the slower internet connection. If ISP2 is down, PC1 should not be able to access the internet.
- PC2 handles sophisticated transactions. Both Telnet and HTTPS traffic from PC2 should route towards ISP1, which is the more reliable connection. All other traffic from PC2 should route out ISP2.
- Traffic from other clients (not shown in this diagram) should route out ISP2.

Testing:-
- Telnet from PC1 to ISP2 (200.200.200.5). This session should connect to the ISP2 router.
- Verify the policy matches with the "show route-map" command on R1.
- A Telnet session from PC1 to ISP1 (200.200.200.1) should fail, simply because ISP1 and ISP2 have no knowledge of each other.
- Telnet and HTTPS from PC2 to ISP1 (200.200.200.1). Both sessions should connect.

Router1 (R1) interface configuration
interface FastEthernet0/0
 description CONNECTED WITH SW1
 ip address 192.168.2.1 255.255.255.0
 no shut

interface Serial1/0
 description CONNECTED WITH ISP1
 ip address 200.200.200.2 255.255.255.252
 no shut

interface Serial1/1
 description CONNECTED WITH ISP2
 ip address 200.200.200.6 255.255.255.252
 no shut

ISP1 (actually a router) interface configuration
interface Serial1/0
 description CONNECTED WITH R1
 ip address 200.200.200.1 255.255.255.252
 clock rate 64000
 no shut

ip route 192.168.2.0 255.255.255.0 200.200.200.2         {return route to R1's internal network}

ISP2 (actually a router) interface configuration
interface Serial1/1
 description CONNECTED WITH R1
 ip address 200.200.200.5 255.255.255.252
 clock rate 64000
 no shut

ip route 192.168.2.0 255.255.255.0 200.200.200.6         {return route to R1's internal network}

At this point all devices can ping each other, except that ISP1 and ISP2 cannot ping each other.

Create access lists that match the PC1 and PC2 traffic
access-list 10 permit 192.168.2.50                          {Match PC1 (standard ACL, source only)}
access-list 120 permit tcp host 192.168.2.100 any eq 443    {Match PC2 HTTPS}
access-list 120 permit tcp host 192.168.2.100 any eq telnet {Match PC2 Telnet}

Now reference the ACLs in a route-map
route-map POLICY-DEMO permit 10     {POLICY-DEMO:- route-map name}
 match ip address 10                {Match PC1 via ACL 10}
 set ip next-hop 200.200.200.5      {Set next-hop ISP2}

route-map POLICY-DEMO permit 20
 match ip address 120               {Match PC2 Telnet & HTTPS via ACL 120}
 set ip next-hop 200.200.200.1      {Set next-hop ISP1 for Telnet & HTTPS}

route-map POLICY-DEMO permit 30     {No match clause: matches all remaining traffic}
 set ip next-hop 200.200.200.5      {PC2's other traffic and all other clients to ISP2}

Apply the route-map to R1's FastEthernet interface
interface FastEthernet0/0
 description CONNECTED WITH SW1
 ip policy route-map POLICY-DEMO    {policy-route the traffic entering from the internal network}
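As an added illustration (not code from the original post), here is a small Python model of how R1 evaluates the POLICY-DEMO route-map for packets entering FastEthernet0/0. The packet dicts and the pkt/policy_route/match_counts helper names are constructed for this example; the ACLs, sequence numbers and next-hops are the ones configured above.

```python
from collections import Counter

ISP1, ISP2 = "200.200.200.1", "200.200.200.5"

# The access lists from the post, as predicates over a constructed packet dict.
# access-list 10 permit 192.168.2.50                          (standard ACL: source only)
# access-list 120 permit tcp host 192.168.2.100 any eq 443    (PC2 HTTPS)
# access-list 120 permit tcp host 192.168.2.100 any eq telnet (PC2 Telnet)
ACLS = {
    10: [lambda p: p["src"] == "192.168.2.50"],
    120: [
        lambda p: p["proto"] == "tcp" and p["src"] == "192.168.2.100" and p["dport"] == 443,
        lambda p: p["proto"] == "tcp" and p["src"] == "192.168.2.100" and p["dport"] == 23,
    ],
}

# route-map POLICY-DEMO as (sequence, match ACL or None, next-hop). Sequences are
# tried in order; a sequence with no match clause matches every packet.
POLICY_DEMO = [
    (10, 10, ISP2),    # PC1 -> ISP2
    (20, 120, ISP1),   # PC2 Telnet/HTTPS -> ISP1
    (30, None, ISP2),  # everything else -> ISP2
]

def acl_permits(acl_number, packet):
    """Top-down ACL evaluation: the first matching entry decides (all entries here permit)."""
    return any(entry(packet) for entry in ACLS[acl_number])

def policy_route(packet, route_map=POLICY_DEMO):
    """Return (sequence, next_hop) of the first matching sequence, or (None, None) when
    nothing matched and the packet falls back to the normal routing table."""
    for seq, acl, next_hop in route_map:
        if acl is None or acl_permits(acl, packet):
            return seq, next_hop
    return None, None

def pkt(src, proto="tcp", dport=80):
    """Constructed summary of a packet entering FastEthernet0/0 from the 192.168.2.0/24 LAN."""
    return {"src": src, "proto": proto, "dport": dport}

def match_counts(packets, route_map=POLICY_DEMO):
    """Hits per sequence, the counter 'show route-map' reports as policy routing matches."""
    return Counter(policy_route(p, route_map)[0] for p in packets)

if __name__ == "__main__":
    samples = [pkt("192.168.2.50", dport=443), pkt("192.168.2.100", dport=23),
               pkt("192.168.2.100"), pkt("192.168.2.77", proto="icmp", dport=None)]
    for p in samples:
        print(p["src"], p["proto"], p["dport"], "->", policy_route(p))
    print(dict(match_counts(samples)))
```

Passing a shorter route_map shows why sequence order matters: with sequence 30 alone, every packet, PC2's Telnet included, would leave via ISP2.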

Troubleshooting & verification commands
- show ip route
- show ip interface brief
- show access-list
- show route-map
- debug ip policy


Now Test

1 comment:

  1. Great Article