Policy-Based Routing
Introduction:-
- Policy-based routing (PBR) is one of the most powerful tools available for steering traffic as it passes through a Cisco router.
- It is a process applied to the ingress interface of a router; for packets that match the policy it overrides the normal destination-based routing lookup.
Objectives:-
- PC1 surfs the internet all day doing nothing productive. All traffic from this PC should route out ISP2, which is the slower internet connection. If ISP2 is down, PC1 should not be able to access the internet.
- PC2 handles sophisticated transactions. Both Telnet and HTTPS traffic from PC2 should route towards ISP1, which is the more reliable connection. All other traffic from PC2 should route out ISP2.
- Traffic from other clients (not shown in this diagram) should route out ISP2.
Testing:-
- Telnet from PC1 to ISP2 (200.200.200.5). This session should connect to the ISP2 router.
- Verify on R1 with the "show route-map" command; the policy routing match counter for the PC1 sequence should increase.
- Telnet from PC1 to ISP1 (200.200.200.1) should fail. PC1's traffic is forced to ISP2 by the policy, and ISP2 has no route to the 200.200.200.0/30 link between R1 and ISP1 (ISP1 and ISP2 have no knowledge of each other).
- Telnet from PC2 to ISP1 (200.200.200.1). Both sessions (PC1 to ISP2 and PC2 to ISP1) should connect.
Router1 interface configuration

interface FastEthernet0/0
 description CONNECTED WITH SW1
 ip address 192.168.2.1 255.255.255.0
 no shut

interface Serial1/0
 description CONNECTED WITH ISP1
 ip address 200.200.200.2 255.255.255.252
 no shut

interface Serial1/1
 description CONNECTED WITH ISP2
 ip address 200.200.200.6 255.255.255.252
 no shut
ISP1 (actually a router) interface configuration

interface Serial1/0
 description CONNECTED WITH R1
 ip address 200.200.200.1 255.255.255.252
 clock rate 64000
 no shut

ip route 192.168.2.0 255.255.255.0 200.200.200.2 {return route to R1's internal network}
ISP2 (actually a router) interface configuration

interface Serial1/1
 description CONNECTED WITH R1
 ip address 200.200.200.5 255.255.255.252
 clock rate 64000
 no shut

ip route 192.168.2.0 255.255.255.0 200.200.200.6 {return route to R1's internal network}
At this point every device can ping the others, except that ISP1 and ISP2 cannot ping each other: neither has a route to the other's /30 link, only to 192.168.2.0/24.
Create access lists that identify PC1's traffic and PC2's Telnet/HTTPS traffic

access-list 10 permit 192.168.2.50 {standard ACL: matches PC1 as the source of any traffic}
access-list 120 permit tcp host 192.168.2.100 any eq 443 {PC2 HTTPS to any destination}
access-list 120 permit tcp host 192.168.2.100 any eq telnet {PC2 Telnet to any destination}
Now reference the ACLs from a route-map. Sequences are evaluated in order and the first one whose match clause succeeds is used.

route-map POLICY-DEMO permit 10 {POLICY-DEMO is the route-map name}
 match ip address 10 {match PC1 via ACL 10}
 set ip next-hop 200.200.200.5 {send to ISP2}

route-map POLICY-DEMO permit 20
 match ip address 120 {match PC2 Telnet and HTTPS via ACL 120}
 set ip next-hop 200.200.200.1 {send PC2 Telnet and HTTPS to ISP1}

route-map POLICY-DEMO permit 30
 set ip next-hop 200.200.200.5 {no match clause, so everything not caught above (PC2's other traffic and all other clients) goes to ISP2}

Note that "set ip next-hop" is only honoured while R1 has a route to that next hop. If the serial link to ISP2 goes down, the connected route disappears and IOS falls back to normal routing for the matching packets. In the configuration shown, R1 has no default route, so that fallback finds nothing and PC1's internet traffic is dropped, which is what the objective asks for. On a link that can fail without the interface going down (for example Ethernet to a switch), "set ip next-hop verify-availability" with IP SLA tracking is the way to make that fallback reliable.
Apply the route-map to R1's FastEthernet interface, where the LAN traffic enters

interface FastEthernet0/0
 description CONNECTED WITH SW1
 ip policy route-map POLICY-DEMO {policy-route traffic arriving from the internal network}

PBR does not filter: a packet that matches no permit sequence (or that matches a deny sequence) is simply routed by the normal routing table.
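To check the policy before touching the router, the following Python model reproduces ACL 10, ACL 120 and route-map POLICY-DEMO from R1 and traces each of the lab's test packets to where it is delivered or dropped. This is an added example and not code or configuration from the original page. It assumes R1 has only the connected routes shown above (no default route), that each ISP router knows only its own /30 and the static route back to 192.168.2.0/24, and that "set ip next-hop" falls back to normal routing when R1 has no route to the next hop. PC addresses and the test packets are constructed from the lab description.

```python
"""Model of R1's policy-based routing decision for the PBR lab (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

ISP1 = "200.200.200.1"   # next hop reached via Serial1/0
ISP2 = "200.200.200.5"   # next hop reached via Serial1/1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp


# access-list 10 permit 192.168.2.50  (standard ACL: matches on source only)
def acl_10(p: Packet) -> bool:
    return p.src == "192.168.2.50"


# access-list 120 permit tcp host 192.168.2.100 any eq 443
# access-list 120 permit tcp host 192.168.2.100 any eq telnet
def acl_120(p: Packet) -> bool:
    return p.proto == "tcp" and p.src == "192.168.2.100" and p.dport in (443, 23)


# route-map POLICY-DEMO in sequence order: (sequence, match clause, set ip next-hop)
ROUTE_MAP: list[tuple[int, Optional[Callable[[Packet], bool]], str]] = [
    (10, acl_10, ISP2),
    (20, acl_120, ISP1),
    (30, None, ISP2),   # no match clause: catches every remaining packet
]

# R1's connected routes, taken from the interface configuration on the page.
# Assumption: R1 has no default route, so these are its only routes.
R1_CONNECTED = {
    "FastEthernet0/0": ip_network("192.168.2.0/24"),
    "Serial1/0": ip_network("200.200.200.0/30"),
    "Serial1/1": ip_network("200.200.200.4/30"),
}

# Assumption: each ISP router knows only its own link and the static route to the LAN.
ISP_ROUTES = {
    ISP1: [ip_network("200.200.200.0/30"), ip_network("192.168.2.0/24")],
    ISP2: [ip_network("200.200.200.4/30"), ip_network("192.168.2.0/24")],
}

ALL_UP = frozenset(R1_CONNECTED)


def r1_egress(dst: str, up: frozenset) -> Optional[str]:
    """Normal destination-based lookup on R1 over the interfaces that are up."""
    addr = ip_address(dst)
    for ifname, net in R1_CONNECTED.items():
        if ifname in up and addr in net:
            return ifname
    return None   # no route


def policy_route(p: Packet, up: frozenset = ALL_UP) -> tuple[Optional[int], Optional[str]]:
    """Evaluate POLICY-DEMO for a packet entering FastEthernet0/0.

    Returns (matching sequence, next hop used). The set next hop is only
    honoured while R1 has a route to it; otherwise IOS falls back to normal
    routing, which this model signals with None as the next hop.
    """
    for seq, match, nh in ROUTE_MAP:
        if match is None or match(p):
            return (seq, nh) if r1_egress(nh, up) is not None else (seq, None)
    return None, None   # unreachable here: sequence 30 has no match clause


def trace(p: Packet, up: frozenset = ALL_UP) -> str:
    """Follow the packet from R1 until it is delivered or dropped."""
    seq, nh = policy_route(p, up)
    if nh is None:
        egress = r1_egress(p.dst, up)   # fallback to the routing table
        return f"seq {seq}: fallback via {egress}" if egress else f"seq {seq}: dropped at R1 (no route)"
    hop = "ISP1" if nh == ISP1 else "ISP2"
    if p.dst == nh or any(ip_address(p.dst) in net for net in ISP_ROUTES[nh]):
        return f"seq {seq}: delivered via {hop}"
    return f"seq {seq}: dropped at {hop} (no route to {p.dst})"


if __name__ == "__main__":
    # Constructed test packets mirroring the lab's Testing section.
    cases = [
        Packet("192.168.2.50", ISP2, "tcp", 23),    # PC1 telnet to ISP2
        Packet("192.168.2.50", ISP1, "tcp", 23),    # PC1 telnet to ISP1
        Packet("192.168.2.100", ISP1, "tcp", 23),   # PC2 telnet to ISP1
        Packet("192.168.2.100", ISP1, "icmp"),      # PC2 ping to ISP1
        Packet("192.168.2.77", ISP2, "tcp", 80),    # some other client
    ]
    for c in cases:
        print(c, "->", trace(c))
    print("PC1 to ISP2 with Serial1/1 down ->", trace(cases[0], ALL_UP - {"Serial1/1"}))
```

Two results are worth noticing. A ping from PC2 to ISP1 is caught by sequence 30 and dies at ISP2, because only Telnet and HTTPS are steered to ISP1; that is by design here, but it is the kind of surprise PBR produces when the catch-all sequence is forgotten. And with Serial1/1 down, PC1's packets fall back to the routing table: traffic to ISP2 is dropped as the objective requires, while traffic to ISP1's directly connected link still gets out over Serial1/0, so the objective only holds because R1 carries no default route.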
Troubleshooting & Verification Commands

- show ip route
- show ip interface brief
- show access-list
- show route-map {also reports how many packets each sequence has policy-routed, the quickest way to confirm a sequence is actually matching}
- show ip policy {confirms which interface the route-map is applied to}
- debug ip policy
Now Test