In this post, I will go into some detail on Policy-Based Routing (PBR), focusing mainly on one of its important applications: setting the next hop. Although PBR has several applications, this post concentrates on that one.
My laboratory consists of 5 routers running EIGRP. As we know, one characteristic of EIGRP is that it offers equal-path load balancing. In my topology I have three equal paths, and by using PBR I want to explore and perform route selection towards the destinations.
Important Concepts about Policy-Based Routing:
Here is my topology for this laboratory:
Laboratory objective:
1. Configure EIGRP based on the topology and verify that EIGRP adjacencies were formed.
2. Verify that the destination addresses 50.50.50.0/24 and 60.60.60.0/24 are equally reachable via the Tokyo, Hongkong and Singapore routers from Manila.
3. Enable Policy-Based Routing on Manila for the network 50.50.50.0/24 & 60.60.60.0/24 and select Hongkong as the path from Manila network. Verify the results via “debug ip policy” and traceroutes.
4. Add two more networks on Melbourne and advertise them into EIGRP. The network 70.70.70.0/24 should be reachable from the Manila router via the Tokyo router, while the network 80.80.80.0/24 should be reachable via the Singapore router. Verify the configurations and ensure that PBR is working through traceroutes.
I will be using the following for the PBR and Access-Lists.
PBR Name: CCIE-RM
Extended Access-List names: NextHopRouterHK, NextHopRouterSG, NextHopRouterTK
Below are my configurations for all the routers:
Manila#sh run | sec eigrp
router eigrp 100
network 10.10.10.0 0.0.0.255
network 192.168.12.0
network 192.168.13.0
network 192.168.14.0
Manila#
Tokyo#sh run | sec eigrp
router eigrp 100
network 192.168.12.0
network 192.168.25.0
Tokyo#
Hongkong#sh run | sec eigrp
router eigrp 100
network 192.168.13.0
network 192.168.35.0
Hongkong#
Singapore#sh run | sec eigrp
router eigrp 100
network 192.168.14.0
network 192.168.45.0
Singapore#
Melbourne#sh run | sec eigrp
router eigrp 100
network 192.168.25.0
network 192.168.35.0
network 192.168.45.0
Melbourne#
Verification:
Note: As you will notice, even though I have enabled “no auto-summary” under the EIGRP process, it does not show in the configurations.
1. Let’s check whether the EIGRP adjacencies/neighbors were formed. (Actually, in the background I can see all of them coming up in the logs below.)
*Aug 6 09:50:17.855: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.35.3 (Serial2/3) is up: new adjacency
Anyway, I just want to check from Manila and Melbourne, as together they show whether all adjacencies were formed.
Manila#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 192.168.14.4 Se2/1 10 00:06:48 60 360 0 12
1 192.168.13.3 Se2/3 9 00:07:59 63 378 0 12
0 192.168.12.2 Se2/0 9 00:10:02 72 432 0 13
Melbourne#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 192.168.35.3 Se2/3 14 00:00:27 89 534 0 13
1 192.168.45.4 Se2/2 10 00:02:26 58 348 0 11
0 192.168.25.2 Se2/1 11 00:02:35 61 366 0 14
2. Now, let’s check the routing table of Manila for 50.50.50.0/24 and 60.60.60.0/24.
Manila#show ip route 50.50.50.0
Routing entry for 50.50.50.0/24
Known via “eigrp 100”, distance 90, metric 2809856, type internal
Redistributing via eigrp 100
Last update from 192.168.12.2 on Serial2/0, 00:00:12 ago
Routing Descriptor Blocks:
* 192.168.14.4, from 192.168.14.4, 00:00:12 ago, via Serial2/1
Route metric is 2809856, traffic share count is 1
Total delay is 45000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
192.168.13.3, from 192.168.13.3, 00:00:12 ago, via Serial2/3
Route metric is 2809856, traffic share count is 1
Total delay is 45000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
192.168.12.2, from 192.168.12.2, 00:00:12 ago, via Serial2/0
Route metric is 2809856, traffic share count is 1
Total delay is 45000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
Manila#show ip route 60.60.60.0
Routing entry for 60.60.60.0/24
Known via “eigrp 100”, distance 90, metric 2809856, type internal
Redistributing via eigrp 100
Last update from 192.168.12.2 on Serial2/0, 00:02:09 ago
Routing Descriptor Blocks:
192.168.14.4, from 192.168.14.4, 00:02:09 ago, via Serial2/1
Route metric is 2809856, traffic share count is 1
Total delay is 45000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
* 192.168.13.3, from 192.168.13.3, 00:02:09 ago, via Serial2/3
Route metric is 2809856, traffic share count is 1
Total delay is 45000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
192.168.12.2, from 192.168.12.2, 00:02:09 ago, via Serial2/0
Route metric is 2809856, traffic share count is 1
Total delay is 45000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
Observation:
a. We have proven one important concept in EIGRP: load balancing is automatic if we have multiple paths towards a destination, but we can alter this by modifying the metrics. The traceroute also shows that equal load balancing happens when reaching the network 50.50.50.0/24.
Manila#traceroute 50.50.50.1
Type escape sequence to abort.
Tracing the route to 50.50.50.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 56 msec
192.168.13.3 56 msec
192.168.14.4 56 msec
2 192.168.25.5 84 msec
192.168.35.5 52 msec
192.168.45.5 84 msec
3. The objective of this lab is to enable PBR so that traffic to 50.50.50.0/24 and 60.60.60.0/24 passes through Hongkong from the Manila router.
Let me configure PBR on the Manila router for the networks 50.50.50.0/24 and 60.60.60.0/24.
Step 1.
Manila(config)#ip access-list extended NextHopRouterHK
Manila(config-ext-nacl)#10 permit ip any 50.50.50.0 0.0.0.255
Manila(config-ext-nacl)#20 permit ip any 60.60.60.0 0.0.0.255
Step 2.
Manila(config)#route-map CCIE-RM permit 100
Manila(config)#route-map CCIE-RM permit ?
Sequence to insert to/delete from existing route-map entry
Step 3.
Manila(config-route-map)#match ip address NextHopRouterHK
Step 4.
Manila(config-route-map)#set ip next-hop 192.168.13.1
( I’m telling the router that it has to exit via its interface Serial 3/2 if there’s a match on my predefined access list named NextHopRouterHK. )
Step 5.
Manila(config)#ip local policy route-map CCIE-RM
( I have to apply “ip local policy” because the traffic originates from the Manila router itself. You will see later that my traffic source is the loopback address of Manila. )
4. Let’s verify the configuration and the results.
Manila#sho ip access-lists
Extended IP access list NextHopRouter
10 permit ip any 50.50.50.0 0.0.0.255 (26 matches)
20 permit ip any 60.60.60.0 0.0.0.255
Manila#show route-map
route-map CCIE-RM, permit, sequence 100
Match clauses:
ip address (access-lists): NextHopRouterHK
Set clauses:
ip next-hop 192.168.13.1
Policy routing matches: 131 packets, 8550 bytes
What does the routing table of Manila tell us? Sweet, right! We can see that the next-hop address for 50.50.50.0/24 and 60.60.60.0/24 is via Hongkong.
Manila#show ip route eigrp
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override
Gateway of last resort is not set
50.0.0.0/24 is subnetted, 1 subnets
D 50.50.50.0 [90/2809856] via 192.168.13.3, 00:00:10, Serial2/3
60.0.0.0/24 is subnetted, 1 subnets
D 60.60.60.0 [90/2809856] via 192.168.13.3, 00:00:10, Serial2/3
D 192.168.25.0/24 [90/3193856] via 192.168.13.3, 00:00:09, Serial2/3
D 192.168.35.0/24 [90/2681856] via 192.168.13.3, 00:55:00, Serial2/3
D 192.168.45.0/24 [90/3193856] via 192.168.13.3, 00:00:09, Serial2/3
I have enabled “debug ip policy” on Manila to check the traffic flow further.
Manila#debug ip policy
Policy routing debugging is on
Then I have to generate traffic from 10.10.10.1 (Loopback interface of Manila) towards the Melbourne Loopback interface.
Manila#ping 50.50.50.1 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.50.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/68/72 ms
Manila#
*Aug 6 10:42:07.255: IP: s=10.10.10.1 (local), d=50.50.50.1, len 100, policy match
*Aug 6 10:42:07.259: IP: route map CCIE-RM, item 10, permit
*Aug 6 10:42:07.259: IP: s=10.10.10.1 (local), d=50.50.50.1 (Serial2/3), len 100, policy routed
*Aug 6 10:42:07.263: IP: local to Serial2/3 192.168.13.1
*Aug 6 10:42:07.327: IP: s=10.10.10.1 (local), d=50.50.50.1, len 100, policy match
*Aug 6 10:42:07.331: IP: route map CCIE-RM, item 10, permit
*Aug 6 10:42:07.331: IP: s=10.10.10.1 (local), d=50.50.50.1 (Serial2/3), len 100, policy routed
*Aug 6 10:42:07.335: IP: local to Serial2/3 192.168.13.1
*Aug 6 10:42:07.399: IP: s=10.10.10.1 (local), d=50.50.50.1, len 100, policy match
*Aug 6 10:42:07.399: IP: route map CCIE-RM, item 10, permit
*Aug 6 10:42:07.399: IP: s=10.10.10.1 (local), d=50.50.50.1 (Serial2/3), len 100, policy routed
*Aug 6 10:42:07.403: IP: local to Serial2/3 192.168.13.1
Observation:
a. As seen above, traffic from the source address 10.10.10.1 towards 50.50.50.1 matches the route-map CCIE-RM, is permitted, and exits via 192.168.13.1 (which is Manila’s EIGRP interface towards Hongkong).
b. Another way to check is via traceroute, which shows that the traffic now goes via the Hongkong router.
Manila#traceroute 50.50.50.1
Type escape sequence to abort.
Tracing the route to 50.50.50.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.13.3 56 msec 56 msec 56 msec
2 192.168.35.5 60 msec 52 msec 60 msec
Manila#
I would see the same results for 60.60.60.0/24, as it is in the same route-map.
Manila#traceroute 60.60.60.1
Type escape sequence to abort.
Tracing the route to 60.60.60.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.13.3 32 msec 28 msec 128 msec
2 192.168.35.5 56 msec 52 msec 52 msec
Manila#
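The “debug ip policy” check above can be automated. The following Python is an added example, not part of the original lab: it groups the four line shapes seen in the capture into one record per packet and reports packets that were not policy routed to the expected next hop. The function names and the "expected" mapping are assumptions for illustration.

```python
import ipaddress
import re

# Lines copied from the "debug ip policy" capture on this page (first packet).
SAMPLE = """\
*Aug 6 10:42:07.255: IP: s=10.10.10.1 (local), d=50.50.50.1, len 100, policy match
*Aug 6 10:42:07.259: IP: route map CCIE-RM, item 10, permit
*Aug 6 10:42:07.259: IP: s=10.10.10.1 (local), d=50.50.50.1 (Serial2/3), len 100, policy routed
*Aug 6 10:42:07.263: IP: local to Serial2/3 192.168.13.1
"""

MATCH = re.compile(r"IP: s=(\S+) \(\S+\), d=(\S+), len \d+, policy match")
RMAP = re.compile(r"IP: route map (\S+), item (\d+), (permit|deny)")
ROUTED = re.compile(r"IP: s=\S+ \(\S+\), d=(\S+) \((\S+)\), len \d+, policy routed")
HOP = re.compile(r"IP: local to (\S+) (\S+)")

def parse_policy_debug(text):
    """Group debug lines into one dict per packet, in log order."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := MATCH.search(line):        # a "policy match" line opens a record
            cur = {"src": m[1], "dst": m[2]}
            packets.append(cur)
        elif cur is None:                  # ignore lines before the first match
            continue
        elif m := RMAP.search(line):
            cur.update(route_map=m[1], item=int(m[2]), action=m[3])
        elif m := ROUTED.search(line):
            cur["out_if"] = m[2]
        elif m := HOP.search(line):
            cur["next_hop"] = m[2]
    return packets

def deviations(packets, expected):
    """Packets whose destination is inside an expected prefix but which were
    not policy routed to that prefix's next hop (or never routed at all)."""
    bad = []
    for p in packets:
        for prefix, hop in expected.items():
            in_prefix = ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(prefix)
            if in_prefix and p.get("next_hop") != hop:
                bad.append(p)
    return bad

if __name__ == "__main__":
    pkts = parse_policy_debug(SAMPLE)
    print(pkts)
    print("deviations:", deviations(pkts, {"50.50.50.0/24": "192.168.13.1"}))
```
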
5. Now, I want to explore a bit and will add two more Loopback interfaces, 70.70.70.0/24 and 80.80.80.0/24, in Melbourne. My objective is to route 70.70.70.0/24 through Tokyo and any other network towards Singapore.
Below is my new configuration on the Melbourne router.
Melbourne#sh run | sec eigrp
router eigrp 100
network 50.50.50.0 0.0.0.255
network 60.60.60.0 0.0.0.255
network 70.70.70.0 0.0.0.255
network 80.80.80.0 0.0.0.255
network 192.168.25.0
network 192.168.35.0
network 192.168.45.0
Let’s check whether these are advertised to the Manila router.
Manila#show ip route eigrp
Gateway of last resort is not set
50.0.0.0/24 is subnetted, 1 subnets
D 50.50.50.0 [90/2809856] via 192.168.14.4, 00:20:08, Serial2/1
[90/2809856] via 192.168.13.3, 00:20:08, Serial2/3
[90/2809856] via 192.168.12.2, 00:20:08, Serial2/0
60.0.0.0/24 is subnetted, 1 subnets
D 60.60.60.0 [90/2809856] via 192.168.14.4, 00:20:08, Serial2/1
[90/2809856] via 192.168.13.3, 00:20:08, Serial2/3
[90/2809856] via 192.168.12.2, 00:20:08, Serial2/0
70.0.0.0/24 is subnetted, 1 subnets
D 70.70.70.0 [90/2809856] via 192.168.14.4, 00:01:23, Serial2/1
[90/2809856] via 192.168.13.3, 00:01:23, Serial2/3
[90/2809856] via 192.168.12.2, 00:01:23, Serial2/0
80.0.0.0/24 is subnetted, 1 subnets
D 80.80.80.0 [90/2809856] via 192.168.14.4, 00:01:16, Serial2/1
[90/2809856] via 192.168.13.3, 00:01:16, Serial2/3
[90/2809856] via 192.168.12.2, 00:01:16, Serial2/0
D 192.168.25.0/24 [90/2681856] via 192.168.12.2, 00:20:08, Serial2/0
D 192.168.35.0/24 [90/2681856] via 192.168.13.3, 00:20:08, Serial2/3
D 192.168.45.0/24 [90/2681856] via 192.168.14.4, 00:20:08, Serial2/1
Manila#
Now, let me add two route-map entries in Manila.
Create the access lists:
Manila(config)#ip access-list extended NextHopRouterTK
Manila(config-ext-nacl)#10 permit ip any 70.70.70.0 0.0.0.255
Manila(config-ext-nacl)#exit
Manila(config)#ip access-list extended NextHopRouterSG
Manila(config-ext-nacl)#10 permit ip any 80.80.80.0 0.0.0.255
Manila(config-ext-nacl)#^Z
Create further instances of the route-map “CCIE-RM”, match the access list and set the next-hop address.
Manila(config)#route-map CCIE-RM permit 300
Manila(config-route-map)#match ip address NextHopRouterTK
Manila(config-route-map)#set ip next-hop 192.168.12.1
Manila(config-route-map)#exit
Manila(config)#route-map CCIE-RM permit 200
Manila(config-route-map)#match ip address NextHopRouterSG
Manila(config-route-map)#set ip next-hop 192.168.14.1
Manila(config-route-map)#exit
Now, let’s check the router configurations.
Manila#show route-map
route-map CCIE-RM, permit, sequence 100
Match clauses:
ip address (access-lists): NextHopRouterHK
Set clauses:
ip next-hop 192.168.13.1
Policy routing matches: 23 packets, 1344 bytes
route-map CCIE-RM, permit, sequence 200
Match clauses:
ip address (access-lists): NextHopRouterSG
Set clauses:
ip next-hop 192.168.14.1
Policy routing matches: 6 packets, 304 bytes
route-map CCIE-RM, permit, sequence 300
Match clauses:
ip address (access-lists): NextHopRouterTK
Set clauses:
ip next-hop 192.168.12.1
Policy routing matches: 6 packets, 344 bytes
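The output above lists sequence 200 before 300 even though 300 was typed first: entries are evaluated in sequence-number order and the first match wins. The following Python is an added example, not part of the original lab, that models this lookup with the lab's ACLs and wildcard masks and also flags entries that an earlier sequence makes unreachable. The function names are assumptions for illustration, and the shadow check only compares single ACL lines.

```python
import ipaddress

# Destination (network, wildcard) pairs from the lab's extended ACLs; source is "any".
ACLS = {
    "NextHopRouterHK": [("50.50.50.0", "0.0.0.255"), ("60.60.60.0", "0.0.0.255")],
    "NextHopRouterTK": [("70.70.70.0", "0.0.0.255")],
    "NextHopRouterSG": [("80.80.80.0", "0.0.0.255")],
}
# Route-map CCIE-RM entries in the order they were typed (300 before 200).
ROUTE_MAP = [
    (100, "NextHopRouterHK", "192.168.13.1"),
    (300, "NextHopRouterTK", "192.168.12.1"),
    (200, "NextHopRouterSG", "192.168.14.1"),
]

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard logic: bits set to 1 in the wildcard are 'don't care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def policy_lookup(dst, route_map=ROUTE_MAP, acls=ACLS):
    """Return (sequence, next_hop) of the first matching entry, lowest sequence
    first; None means no entry matched and the routing table is used."""
    for seq, acl, next_hop in sorted(route_map):
        if any(wildcard_match(dst, base, wc) for base, wc in acls[acl]):
            return seq, next_hop
    return None

def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    care = ~_u32(outer[1]) & 0xFFFFFFFF
    return (_u32(inner[1]) & care) == 0 and ((_u32(outer[0]) ^ _u32(inner[0])) & care) == 0

def shadowed_entries(route_map, acls):
    """Sequences whose every ACL line is covered by a single line of an
    earlier sequence, so the entry can never be selected."""
    ordered, dead = sorted(route_map), []
    for i, (seq, acl, _) in enumerate(ordered):
        earlier = [line for _, a, _ in ordered[:i] for line in acls[a]]
        if acls[acl] and all(any(covers(e, l) for e in earlier) for l in acls[acl]):
            dead.append(seq)
    return dead

if __name__ == "__main__":
    for dst in ("50.50.50.1", "70.70.70.1", "80.80.80.1", "192.168.25.5"):
        print(dst, "->", policy_lookup(dst))
    print("shadowed:", shadowed_entries(ROUTE_MAP, ACLS))
```
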
To verify that our configurations are working, let’s run some traceroutes:
Manila#traceroute 50.50.50.1
Type escape sequence to abort.
Tracing the route to 50.50.50.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.13.3 56 msec 52 msec 60 msec <<< Path is via Hongkong
2 192.168.35.5 52 msec 52 msec 56 msec
Manila#traceroute 60.60.60.1
Type escape sequence to abort.
Tracing the route to 60.60.60.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.13.3 56 msec 40 msec 4 msec <<< Path is via Hongkong router
2 192.168.35.5 8 msec 16 msec 16 msec
Manila#traceroute 70.70.70.1
Type escape sequence to abort.
Tracing the route to 70.70.70.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 56 msec 32 msec 60 msec << Path is via Tokyo router
2 192.168.25.5 52 msec 56 msec 52 msec
Manila#traceroute 80.80.80.1
Type escape sequence to abort.
Tracing the route to 80.80.80.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.14.4 56 msec 60 msec 52 msec << Path is via Singapore router
2 192.168.45.5 56 msec 52 msec 52 msec
Manila#
My summary for this topic:
To enable PBR, we can do the following steps:
1. Create the access-list
ip access-list extended
2. Create the route-map
route-map
3. Set the matching access-list under route-map process.
match ip address
4. Set the next hop address under route-map process
set ip next-hop address
5. Set the local policy in global config mode.
ip local policy route-map
To verify, we can use the following commands:
show route-map
show ip policy
debug ip policy
traceroutes or ping
*** This ends my lab for Policy-Based Routing ***