
Thursday, November 24, 2011

Policy-Based Routing (PBR) - Configuration



Here is the scenario:

R1 configured with 3 networks:
Loopback 1 – 172.16.1.0/24
Loopback 2 – 172.16.2.0/24
Loopback 3 – 172.16.3.0/24

R5 configured with 3 networks:
Loopback 1 – 192.168.1.0/24
Loopback 2 – 192.168.2.0/24
Loopback 3 – 192.168.3.0/24

RIPv2 is running on R2, R3, R4 and R5 on all interfaces and is configured with only one path (maximum-paths 1).

R1 is configured with a default route to R2 (10.0.12.2), while R2 is configured with static routes to the R1 networks (172.16.x.0/24) and redistributes them into RIP with redistribute static.

So when sending ICMP from R1 to R5, the traffic goes through R2 and R4:
R1#traceroute 192.168.1.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1 10.0.12.2 36 msec 48 msec 20 msec
  2 10.0.24.4 56 msec 52 msec 28 msec
  3 10.0.34.5 76 msec *  76 msec

Now let's assume that we want network 172.16.1.0 to reach R5 through R3 without modifying anything in the RIP domain. For that purpose we use policy routing on R2 as follows:

First we configure an access-list to match our criteria:
ip access-list standard NET172-16-1-0
 permit 172.16.1.0 0.0.0.255

Then we configure a route-map with the match/set action:
route-map RM_NET1_R3_R5 permit 10
 match ip address NET172-16-1-0
 set ip next-hop 10.0.23.3

And apply this route-map on the interface towards R1:
interface FastEthernet0/0
 ip address 10.0.12.2 255.255.255.0
 ip policy route-map RM_NET1_R3_R5
 speed 100
 full-duplex

Note that unlike service-policy, ip policy takes no direction keyword (input or output); it relies on the action taken in the route-map, which in turn depends on the configured ACL.

The result:
R1#traceroute 192.168.1.1 source 172.16.1.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1 10.0.12.2 48 msec 40 msec 20 msec
  2 10.0.23.3 40 msec 36 msec 28 msec
  3 10.0.34.5 116 msec *  60 msec
R1#traceroute 192.168.1.1 source 172.16.2.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1 10.0.12.2 36 msec 44 msec 24 msec
  2 10.0.24.4 48 msec 44 msec 20 msec
  3 10.0.34.5 72 msec *  60 msec

When sending ICMP sourced from 172.16.1.1 to R5, it goes through R3; all other networks go through R4.

Reliable Policy-Based Routing

Now let's say that we want HTTP traffic (port 80) from R1 to R5 to go through R3, while all other traffic from this network goes through R4.

Now we configure an extended ACL:
ip access-list extended NET172-16-2-0
 permit tcp 172.16.2.0 0.0.0.255 any eq www

Then we add another match/set entry to the route-map:
route-map RM_R1_TO_R5 permit 20
 match ip address NET172-16-2-0
 set ip next-hop 10.0.23.3

There is no need to add ip policy to the interface, as it is already configured.

The result:
R1#traceroute 192.168.1.1 source 172.16.2.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1 10.0.12.2 48 msec 36 msec 20 msec
  2 10.0.24.4 32 msec 40 msec 40 msec
  3 10.0.34.5 80 msec *  76 msec

While connecting to 192.168.1.1 using telnet on port 80:
[screenshot policy-route_01 not reproduced]

Next we add a backup route to this policy by configuring a default next-hop for the case of R3 failure, adding the following lines to the route-map:
route-map RM_R1_TO_R5 permit 20
 match ip address NET172-16-2-0
 set ip next-hop 10.0.23.3
 set ip default next-hop 10.0.24.4
 set ip next-hop verify-availability

The command set ip default next-hop sets the next-hop to 10.0.24.4 only if no route to the destination is found first in the routing table.
The command set ip next-hop verify-availability checks and validates R3 reachability using CDP; if R3 cannot be reached, the normal routing decision takes place.

After disabling CDP on R3, R2 sees only R4 in the CDP neighbor table:
R2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R4               Fas 1/0            174        R S I      2691      Fas 0/0

Now, trying to telnet to 192.168.1.1 with source 172.16.2.1 while debugging policy routing with the command debug ip policy on R2:
*Mar  1 09:13:53.401: IP: s=172.16.2.1 (FastEthernet0/0), d=192.168.1.1, len 28, FIB policy rejected(explicit route) - normal forwarding

We can see that the policy route is rejected and the normal route is used.

In the third scenario we use IP SLA and a track object as another option for reliable policy-based routing; this way we can also track hosts that are not directly connected.

In the following example we track interface f0/1 on R5.
First configure an IP SLA:
ip sla monitor 1
 type pathEcho protocol ipIcmpEcho 10.0.35.5
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr1

Note that network 10.0.35.0/24 is filtered from the R2 routing table; the route to this prefix is based on a static route, otherwise R2 could find a way through R4 or the R3 switch interface.

Then the configuration of the new ACL and route-map entry:
ip access-list standard NET172-16-3-0
 permit 172.16.3.0 0.0.0.255
!
route-map RM_R1_TO_R5 permit 30
 match ip address NET172-16-3-0
 set ip next-hop verify-availability 10.0.23.3 1 track 1
 set ip default next-hop 10.0.23.4
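The three route-map sequences above (plain next-hop, next-hop verified by CDP with a default next-hop fallback, and next-hop verified by a track object) all follow the same IOS evaluation order: set ip next-hop candidates are tried first, and set ip default next-hop is only used when the routing table has no explicit route for the destination. The following simulator is an added example, not code from the original post; it models R2 with constructed ACLs, sequences, RIB and CDP/track state, and the default next-hop for sequence 30 is assumed to be R4 (10.0.24.4).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not code from the original post): a small simulator of the
# order in which IOS evaluates a PBR route-map. The ACLs, sequences, RIB and
# neighbour state are constructed to mirror R2 in the post's scenario.

@dataclass
class Ace:
    source: str                  # network address, e.g. "172.16.1.0"
    wildcard: str                # IOS wildcard mask, e.g. "0.0.0.255"
    proto: str = "ip"            # "ip" matches any protocol, "tcp" only TCP
    dport: Optional[int] = None  # destination port (extended ACL only)

@dataclass
class Seq:
    acl: str
    # (next_hop, check): check is None, "cdp", or ("track", <track id>)
    next_hops: list = field(default_factory=list)
    default_next_hop: Optional[str] = None

@dataclass
class Router:
    acls: dict            # ACL name -> [Ace]
    route_map: list       # Seq objects in sequence-number order
    rib: dict             # "prefix/len" -> next hop; "0.0.0.0/0" would be the default route
    cdp_neighbors: set    # IPs currently visible in 'show cdp neighbors'
    tracks: dict          # track id -> True (up) / False (down)

def ace_matches(ace, src, proto, dport):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net = int(ipaddress.IPv4Address(ace.source))
    wc = int(ipaddress.IPv4Address(ace.wildcard))
    s = int(ipaddress.IPv4Address(src))
    if (net ^ s) & ~wc & 0xFFFFFFFF:
        return False
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ace.dport is None or ace.dport == dport

def next_hop_available(r, ip, check):
    if check is None:              # plain 'set ip next-hop': never verified
        return True
    if check == "cdp":             # 'set ip next-hop verify-availability'
        return ip in r.cdp_neighbors
    _, track_id = check            # 'verify-availability <ip> <seq> track <n>'
    return r.tracks.get(track_id, False)

def normal_forwarding(r, dst):
    """Longest-prefix match over the RIB; returns (next_hop, is_explicit)."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in r.rib.items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None, False
    return best[1], best[0].prefixlen > 0   # a default route is not 'explicit'

def policy_route(r, src, dst, proto="icmp", dport=None):
    """Return (next_hop, reason) for one packet entering the policied interface."""
    for seq in r.route_map:
        if not any(ace_matches(a, src, proto, dport) for a in r.acls[seq.acl]):
            continue
        # 1. 'set ip next-hop' candidates are tried before the RIB is consulted
        for ip, check in seq.next_hops:
            if next_hop_available(r, ip, check):
                return ip, "policy next-hop"
        # 2. 'set ip default next-hop' only applies when the RIB holds no
        #    explicit (non-default) route for the destination
        nh, explicit = normal_forwarding(r, dst)
        if seq.default_next_hop and not explicit:
            return seq.default_next_hop, "policy default next-hop"
        if seq.default_next_hop:
            return nh, "FIB policy rejected (explicit route) - normal forwarding"
        return nh, "policy next-hop unavailable - normal forwarding"
    return normal_forwarding(r, dst)[0], "no policy match - normal forwarding"

def build_r2(cdp_sees_r3=True, track1_up=True):
    """R2 with the three route-map sequences from the post (constructed state)."""
    return Router(
        acls={"NET172-16-1-0": [Ace("172.16.1.0", "0.0.0.255")],
              "NET172-16-2-0": [Ace("172.16.2.0", "0.0.0.255", "tcp", 80)],
              "NET172-16-3-0": [Ace("172.16.3.0", "0.0.0.255")]},
        route_map=[Seq("NET172-16-1-0", [("10.0.23.3", None)]),
                   Seq("NET172-16-2-0", [("10.0.23.3", "cdp")], "10.0.24.4"),
                   # default next-hop for sequence 30 assumed to be R4 (10.0.24.4)
                   Seq("NET172-16-3-0", [("10.0.23.3", ("track", 1))], "10.0.24.4")],
        # RIP-learned R5 networks via R4 (maximum-paths 1); no default route on R2
        rib={"192.168.1.0/24": "10.0.24.4", "192.168.2.0/24": "10.0.24.4",
             "192.168.3.0/24": "10.0.24.4"},
        cdp_neighbors={"10.0.24.4"} | ({"10.0.23.3"} if cdp_sees_r3 else set()),
        tracks={1: track1_up})

if __name__ == "__main__":
    print(policy_route(build_r2(), "172.16.1.1", "192.168.1.1"))
    print(policy_route(build_r2(cdp_sees_r3=False), "172.16.2.1", "192.168.1.1", "tcp", 80))
```

Running the CDP-failure case against 192.168.1.1 reproduces the "FIB policy rejected (explicit route) - normal forwarding" outcome seen in the debug output, because RIP already holds an explicit route via R4; the default next-hop only takes effect for a destination with no explicit route, which the simulator shows when the destination is not in the RIB at all.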

Verification:
R1#traceroute 192.168.1.1 source 172.16.3.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1 10.0.12.2 40 msec 36 msec 16 msec
  2 10.0.24.4 48 msec 36 msec 24 msec
  3 10.0.34.5 72 msec *  104 msec

After shutting down interface f0/1 on R5:

R1#traceroute 192.168.1.1 source 172.16.3.1                                 

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1 10.0.12.2 40 msec 52 msec 16 msec
  2 10.0.23.3 52 msec 44 msec 20 msec
  3 10.0.35.5 72 msec *  116 msec

IP SLA can help us track and measure different parameters on our network and configure conditional actions based on the results, but that is out of the scope of this post.

Note that starting from IOS 12.0, PBR is supported in the Cisco Express Forwarding (CEF) switching path. CEF-switched PBR has better performance and is therefore the optimal way to perform PBR on a router.

More information can be found at the following link:
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html#wp5666

Monday, November 21, 2011

eBGP Recommended Configuration template

Here is a recommended peer-group configuration template for eBGP peers:

neighbor ebgp-peer peer-group
neighbor x.x.x.x description <short_description>
neighbor x.x.x.x update-source <peer_source_interface>
neighbor x.x.x.x soft-reconfiguration inbound
neighbor x.x.x.x version 4
neighbor x.x.x.x password <password>
neighbor x.x.x.x ebgp-multihop <x>
neighbor x.x.x.x remove-private-as all replace-as

The last command is valid only on IOS 15.x and above; on 12.x only remove-private-as can be configured.
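A practical way to use a template like this is to audit an existing router bgp block against it, including the IOS version caveat on replace-as. The script below is an added example and not part of the original post; the sample configuration, neighbor addresses, AS numbers and version strings are constructed, and the shared settings are placed on the ebgp-peer peer-group while description and password stay per neighbor.

```python
import re

# Added example, not from the original post: audit the neighbor statements of a
# 'router bgp' block against the template above. The sample config, addresses
# and IOS version strings are constructed for this demonstration.

REQUIRED = ["description", "update-source", "soft-reconfiguration inbound",
            "version 4", "password"]

def parse_neighbors(config):
    """Return {neighbor: set(attribute strings)}; peer-group members inherit
    the group's attributes, and the group itself is not reported."""
    groups, member_of, attrs = set(), {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*neighbor\s+(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue
        target, rest = m.groups()
        if rest == "peer-group":                       # 'neighbor <name> peer-group'
            groups.add(target)
        elif re.match(r"peer-group\s+\S+$", rest):     # membership assignment
            member_of[target] = rest.split()[1]
        else:
            attrs.setdefault(target, set()).add(rest)
    peers = {n for n in list(attrs) + list(member_of) if n not in groups}
    return {n: attrs.get(n, set()) | attrs.get(member_of.get(n), set())
            for n in peers}

def audit(config, ios_version):
    """Return {neighbor: [missing or invalid template items]}."""
    major = int(ios_version.split(".")[0])
    findings = {}
    for nbr, a in sorted(parse_neighbors(config).items()):
        missing = [k for k in REQUIRED if not any(x.startswith(k) for x in a)]
        rpa = [x for x in a if x.startswith("remove-private-as")]
        if not rpa:
            missing.append("remove-private-as")
        elif major < 15 and any("replace-as" in x for x in rpa):
            # 'remove-private-as all replace-as' only parses on 15.x and later
            missing.append("replace-as not supported before IOS 15.x")
        findings[nbr] = missing
    return findings

# Constructed sample: ISP-A is a compliant peer-group member, ISP-B is not.
SAMPLE = """\
router bgp 64500
 neighbor ebgp-peer peer-group
 neighbor ebgp-peer update-source Loopback0
 neighbor ebgp-peer soft-reconfiguration inbound
 neighbor ebgp-peer version 4
 neighbor ebgp-peer ebgp-multihop 2
 neighbor ebgp-peer remove-private-as all replace-as
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 peer-group ebgp-peer
 neighbor 203.0.113.1 description ISP-A
 neighbor 203.0.113.1 password EXAMPLE-KEY-ONLY
 neighbor 198.51.100.9 remote-as 64497
 neighbor 198.51.100.9 description ISP-B
"""

if __name__ == "__main__":
    for ver in ("15.2", "12.4"):
        print(ver, audit(SAMPLE, ver))
```

The check is deliberately prefix-based (any attribute starting with password or update-source counts), so it flags what is absent rather than judging the values; the version check reproduces the 12.x caveat above by reporting replace-as as invalid when the major version is below 15.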

Cisco IOS policy/class map renaming

In Cisco IOS there is an option to rename a policy-map or class-map with a single command instead of deleting and re-creating it.

For example:

!
class-map match-all CM_LOCAL_NET
 match access-group name ACL_EXAMPLE
!
!
policy-map PM_MARK_LOCAL
 class CM_LOCAL_NET
  set ip dscp af22
 class class-default
!
interface FastEthernet0/0
 description LAN
 load-interval 30
 speed auto
 full-duplex
 service-policy input PM_MARK_LOCAL
!

Now we can change the policy-map or class-map name with a single command, and IOS changes it in the rest of the configuration:

RTR(config)#class-map CM_LOCAL_NET
RTR(config-cmap)#rename CM_NEW_NAME
RTR(config-cmap)#exit
RTR(config)#policy-map PM_MARK_LOCAL
RTR(config-pmap)#rename PM_NEW_NAME
RTR(config-pmap)#exit

The new configuration output:

class-map match-all CM_NEW_NAME
 match access-group name ACL_EXAMPLE
!
!
policy-map PM_NEW_NAME
 class CM_NEW_NAME
  set ip dscp af22
 class class-default
!
interface FastEthernet0/0
 description LAN
 load-interval 30
 speed auto
 full-duplex
 service-policy input PM_NEW_NAME

We can see that IOS has changed the policy-map name automatically.
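To make visible exactly which references the rename touches (the class-map definition and the class line under the policy-map; the policy-map definition and the service-policy on the interface; never the ACL name), here is an added example that reproduces the rename offline over a configuration text. It is not the IOS implementation and not code from the post; the sample configuration is constructed from the fragment above with an extra CM_LOCAL_NET2 class added to show that only whole names are renamed.

```python
import re

# Added example, not from the original post: reproduce in a script what the
# IOS 'rename' command does, so the references it has to update are visible.
# The sample configuration is constructed (based on the post's fragment).

# Where a class-map or policy-map name appears in an IOS configuration.
REFERENCES = {
    "class-map": [r"^(\s*class-map(?:\s+match-(?:all|any))?\s+){name}$",
                  r"^(\s*class\s+){name}$"],                  # inside a policy-map
    "policy-map": [r"^(\s*policy-map\s+){name}$",
                   r"^(\s*service-policy\s+(?:input|output)\s+){name}$"],
}

def _patterns(kind, name):
    return [re.compile(p.format(name=re.escape(name))) for p in REFERENCES[kind]]

def rename_map(config, kind, old, new):
    """Rename a class-map or policy-map and every reference to it.
    Matches whole names only, so CM_LOCAL_NET does not touch CM_LOCAL_NET2."""
    patterns = _patterns(kind, old)
    out = []
    for line in config.rstrip("\n").splitlines():
        line = line.rstrip()
        for pat in patterns:
            m = pat.match(line)
            if m:
                line = m.group(1) + new
                break
        out.append(line)
    return "\n".join(out) + "\n"

def count_refs(config, kind, name):
    """Number of lines that define or reference the given map name."""
    patterns = _patterns(kind, name)
    return sum(1 for l in config.splitlines() if any(p.match(l.rstrip()) for p in patterns))

SAMPLE = """\
class-map match-all CM_LOCAL_NET
 match access-group name ACL_EXAMPLE
class-map match-all CM_LOCAL_NET2
 match access-group name ACL_OTHER
!
policy-map PM_MARK_LOCAL
 class CM_LOCAL_NET
  set ip dscp af22
 class CM_LOCAL_NET2
  set ip dscp af21
 class class-default
!
interface FastEthernet0/0
 service-policy input PM_MARK_LOCAL
"""

if __name__ == "__main__":
    cfg = rename_map(SAMPLE, "class-map", "CM_LOCAL_NET", "CM_NEW_NAME")
    cfg = rename_map(cfg, "policy-map", "PM_MARK_LOCAL", "PM_NEW_NAME")
    print(cfg)
```

The anchored patterns are the point: a naive search-and-replace on CM_LOCAL_NET would also rewrite CM_LOCAL_NET2, which is precisely the kind of collateral change the single IOS command avoids.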

Sunday, November 20, 2011

Frame-Relay Switching


Brief
Configuring R3 as a Frame Relay switch connecting R1 to R2 using PVCs 132 and 231.

Network Diagram:
 
R3 Configuration:
frame-relay switching
!
interface Serial1/2
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay intf-type dce
!
interface Serial1/3
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay intf-type dce
!
connect R1_R2 Serial1/2 132 Serial1/3 231

R2 Configuration:
interface Serial1/1
 ip address 155.1.12.2 255.255.255.0
 encapsulation frame-relay
 no frame-relay inverse-arp
 no shutdown


R1 Configuration:
interface Serial1/1
 ip address 155.1.12.1 255.255.255.0
 encapsulation frame-relay
 no shutdown

Verification
R3:
R3#sh frame-relay pvc | in SWI
DLCI = 132, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1/2
DLCI = 231, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1/3

R3#sh connection all

ID   Name            Segment 1              Segment 2                  State   
================================================================================
1    R1_R2           Se1/2 132              Se1/3 231                  UP      

R2:
Rack1R2#sh frame-relay map
Serial1/0 (up): bridge dlci 205(0xCD,0x30D0), static,
              broadcast,
              CISCO, status defined, active
Serial1/1 (up): ip 155.1.12.1 dlci 231(0xE7,0x3870), dynamic,
              broadcast,, status defined, active

R1:
R1#ping 155.1.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

Done following exercise 2.16 in INE iewb-rs-vol1.v5.015.

Monday, November 14, 2011

Juniper Rescue Configuration Backup

Although JUNOS provides multiple configuration copies and we can roll back at any time to the last or an even earlier configuration, it can still be confusing. So here is a quick one for saving a rescue configuration, which will be available in case of a mess-up or confusion with the rollback copies:

For saving rescue configuration, go to the operational mode and run the command:
user@router> request system configuration rescue save 

For loading rescue configuration, enter configuration mode and run the command:
user@router# rollback rescue

Friday, November 11, 2011

Cisco IOS Ether-Channel Configuration


Brief
Ether-Channel allows multiple physical Ethernet links to combine into one logical channel. This allows load sharing of traffic among the links in the channel as well as redundancy in the event that one or more links in the channel fail. Ether-Channel can be used to interconnect LAN switches, routers, servers, and clients via unshielded twisted pair (UTP) wiring or single-mode and multimode fiber.

Guidelines
     1. All physical interfaces which belong to the same logical interface (port-channel) on the same switch must have the same physical characteristics (all Fast-Ethernet or all Giga-Ethernet).
     2. All switchport commands must be configured on the physical interfaces before configuring the logical interface.
     3. Issuing the command channel-group x on the physical interface creates the logical interface automatically while inheriting the entire configuration.

Diagram



Configuration

Layer-2 FEC/GEC
SW1:
SW1(config)# interface gigabitEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport nonegotiate
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
SW1(config-if)# exit
SW1(config)# interface gigabitEthernet 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport nonegotiate
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)# channel-group 1 mode active
SW1(config-if)# exit

SW2:
SW2(config)# interface fastEthernet 0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport nonegotiate
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)# channel-group 2 mode active
Creating a port-channel interface Port-channel 2
SW2(config-if)# exit
SW2(config)# interface fastEthernet 0/2
SW2(config-if)#switchport mode access
SW2(config-if)#switchport nonegotiate
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)# channel-group 2 mode active
SW2(config-if)# exit
The nonegotiate keyword ensures that no DTP messages are exchanged and that the port becomes a trunk without negotiation.
The channel-group command automatically creates the logical port-channel interface.
The mode active keyword forces the use of the LACP protocol.

Verification
SW2#show etherchannel 2 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        u - unsuitable for bundling
        U - in use      f - failed to allocate aggregator
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      Fa0/1(P)    Fa0/2(P)   
In the table we can see which interfaces are members of the port-channel bundle and the port-channel status (S – Layer-2, U – In use).

SW2#show etherchannel 2 protocol
Protocol:  LACP
Shows which protocol is used for the port-channel: PAgP or LACP (802.3ad).

SW2#sh etherchannel 2 detail
Group state = L2
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
                Ports in the group:
                -------------------
Port: Fa0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 2           Mode = Active      Gcchange = -
Port-channel  = Po2         GC   =   -         Pseudo port-channel = Po2
Port index    = 0           Load = 0x00        Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port     Port
Port      Flags   State     Priority      Key       Key     Number   State
Fa0/1     SA      bndl      32768         0x2       0x2     0x1      0x3D 

Partner's information:
         
                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID         Age     Key     Number   State
Fa0/1     SA      32768     108c.cf99.e980   4s    0x1     0x1      0x3D 

Age of the port in the current state: 00d:00h:09m:40s

Port: Fa0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 2           Mode = Active      Gcchange = -
Port-channel  = Po2         GC   =   -         Pseudo port-channel = Po2
Port index    = 0           Load = 0x00        Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port     Port
Port      Flags   State     Priority      Key       Key     Number   State
Fa0/2     SA      bndl      32768         0x2       0x2     0x2      0x3D 

Partner's information:

                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID         Age     Key     Number   State
Fa0/2     SA      32768     108c.cf99.e980   9s    0x1     0x2      0x3D 

Age of the port in the current state: 00d:00h:09m:41s

                Port-channels in the group:
                ----------------------

Port-channel: Po2    (Primary Aggregator)

------------

Age of the Port-channel   = 00d:00h:13m:31s
Logical slot/port   = 1/0          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa0/1    Active    0
  0     00     Fa0/2    Active    0

Time since last port bundled:    00d:00h:09m:43s    Fa0/2
Shows more detailed information on the port-channel.

Port-channel configuration
SW1 Port-channel 1 configuration:
SW1(config)# interface port-channel 1
SW1(config-if)# switchport trunk allowed vlan 1-5
SW1(config-if)# switchport trunk native vlan 5
SW1(config-if)# exit
02:08:13: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on Port-channel2 VLAN5.
02:08:13: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Port-channel2 on VLAN0001. Inconsistent peer vlan.
02:08:13: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel2 on VLAN0005. Inconsistent local vlan.
02:08:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan5, changed state to down
02:08:36: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (5), with SW1 GigabitEthernet0/1 (1).

SW2 Port-channel 2 configuration:
SW2(config)# interface port-channel 2
SW2(config-if)# switchport trunk allowed vlan 1-5
SW2(config-if)# switchport trunk native vlan 5
SW2(config-if)# exit

We can configure the allowed VLANs and native VLAN only on the port-channel; there is no need to configure them on the physical interfaces as well.
Note that the native VLAN must match on both ends of the trunk.
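The %SPANTREE-2-RECV_PVID_ERR and %CDP-4-NATIVE_VLAN_MISMATCH messages above are what you get when one side of the bundle is moved to native VLAN 5 before the other; guideline 1 (same interface type for all members) is the other consistency rule worth checking before a channel is brought up. The script below is an added example, not code from the original post: it parses constructed running-config fragments for SW1 and SW2, checks both rules, and the switch names, interface names and link mapping are all assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Added example, not from the original post: check two guidelines from this
# post before bringing a port-channel up: members of a channel-group must be
# the same interface type, and the native VLAN must match on both ends of
# the trunk. The switch configurations below are constructed.

def parse_switch(config):
    """Return ({group: [member interfaces]}, {group: native VLAN on Port-channel})."""
    members, native, current = defaultdict(list), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        cg = re.match(r"channel-group\s+(\d+)", line)
        if cg:
            members[int(cg.group(1))].append(current)
        nv = re.match(r"switchport trunk native vlan\s+(\d+)$", line)
        pc = re.match(r"[Pp]ort-channel(\d+)$", current)
        if nv and pc:
            native[int(pc.group(1))] = int(nv.group(1))
    return members, native

def interface_type(name):
    """'GigabitEthernet0/1' -> 'GigabitEthernet'."""
    return re.match(r"[A-Za-z-]+", name).group(0)

def check_channels(switches, links):
    """switches: {name: config text}; links: [(swA, poA, swB, poB)].
    Returns a list of human-readable problems (empty when consistent)."""
    parsed = {name: parse_switch(cfg) for name, cfg in switches.items()}
    issues = []
    for name, (members, _) in parsed.items():
        for group, ports in sorted(members.items()):
            types = {interface_type(p) for p in ports}
            if len(types) > 1:
                issues.append(f"{name} Po{group}: mixed member types {sorted(types)}")
    for a, ga, b, gb in links:
        na = parsed[a][1].get(ga, 1)     # IOS default native VLAN is 1
        nb = parsed[b][1].get(gb, 1)
        if na != nb:
            issues.append(f"native VLAN mismatch: {a} Po{ga} uses {na}, {b} Po{gb} uses {nb}")
    return issues

SW1 = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
interface Port-channel1
 switchport trunk allowed vlan 1-5
 switchport trunk native vlan 5
"""

# SW2 as it stood when the %SPANTREE-2-RECV_PVID_ERR messages appeared:
# its Port-channel2 is still on the default native VLAN 1.
SW2_BEFORE = """\
interface FastEthernet0/1
 switchport mode trunk
 channel-group 2 mode active
interface FastEthernet0/2
 switchport mode trunk
 channel-group 2 mode active
interface Port-channel2
 switchport trunk allowed vlan 1-5
"""
SW2_AFTER = SW2_BEFORE + " switchport trunk native vlan 5\n"
# A third member of a different type would break the first guideline.
SW2_MIXED = SW2_AFTER + "interface GigabitEthernet0/1\n channel-group 2 mode active\n"

LINKS = [("SW1", 1, "SW2", 2)]

if __name__ == "__main__":
    for label, cfg in (("before", SW2_BEFORE), ("after", SW2_AFTER), ("mixed", SW2_MIXED)):
        print(label, check_channels({"SW1": SW1, "SW2": cfg}, LINKS))
```

The native VLAN defaults to 1 when no switchport trunk native vlan line is present, which is exactly why the mismatch appears the moment only SW1 is reconfigured; running the check on both configurations before the change is made on either side avoids the transient blocking seen in the log.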

Verification
SW1#show interfaces port-channel 1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      5

Port        Vlans allowed on trunk
Po1         1-5

Port        Vlans allowed and active in management domain
Po1         1-5

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1-5

SW1#show interfaces gigabitEthernet 0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunk-inbndl  5
                                      (Po1)

Port        Vlans allowed on trunk
Gi0/1       1-5

Port        Vlans allowed and active in management domain
Gi0/1       1-5

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-5