Policy-Based Routing
Introduction:-
- Is one of the most powerful features available to you for directing traffic arriving at your Cisco router
- Is a process applied to the ingress interface of a router, which overrides the normal routing process
Objectives:-
- PC1 surfs the internet all day doing nothing productive. All traffic from this PC should route out ISP2, which is a slower internet connection. If ISP2 is down, PC1 should not be able to access the internet.
- PC2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connection. All other traffic from PC2 should route out ISP2.
- Traffic from other clients (not shown in this diagram) should route out ISP2.
Testing:-
- Telnet from PC1 to ISP2 (200.200.200.5). This session should connect to the ISP router.
- Verify the traffic by using the "show route-map" command on R1.
- Performing the Telnet session to ISP1 (200.200.200.1) should fail (simply because ISP1 and ISP2 have no knowledge of each other).
- Telnet from PC2 to ISP1 (200.200.200.1). Both sessions should connect.
Router1 interfaces configuration

    interface FastEthernet0/0
     description CONNECTED WITH SW1
     ip address 192.168.2.1 255.255.255.0
     no shut
    !
    interface Serial1/0
     description CONNECTED WITH ISP1
     ip address 200.200.200.2 255.255.255.252
     no shut
    !
    interface Serial1/1
     description CONNECTED WITH ISP2
     ip address 200.200.200.6 255.255.255.252
     no shut

ISP1 (actually a router) interfaces configuration

    interface Serial1/0
     description CONNECTED WITH R1
     ip address 200.200.200.1 255.255.255.252
     clock rate 64000
     no shut
    !
    ! Static route for reaching R1's internal network
    ip route 192.168.2.0 255.255.255.0 200.200.200.2

ISP2 (actually a router) interfaces configuration

    interface Serial1/1
     description CONNECTED WITH R1
     ip address 200.200.200.5 255.255.255.252
     clock rate 64000
     no shut
    !
    ! Static route for reaching R1's internal network
    ip route 192.168.2.0 255.255.255.0 200.200.200.6

At first, all the devices can ping each other, but ISP1 and ISP2 cannot ping each other.
Create access-lists to permit PC1 and PC2 traffic

    ! Permit PC1
    access-list 10 permit 192.168.2.50
    ! Permit PC2 HTTPS
    access-list 120 permit tcp host 192.168.2.100 any eq 443
    ! Permit PC2 Telnet
    access-list 120 permit tcp host 192.168.2.100 any eq telnet

Now implement the ACLs in a route-map

    ! POLICY-DEMO is the route-map name
    route-map POLICY-DEMO permit 10
     ! Match PC1 (ACL 10) and send it to ISP2
     match ip address 10
     set ip next-hop 200.200.200.5
    !
    route-map POLICY-DEMO permit 20
     ! Match PC2 Telnet and HTTPS (ACL 120) and send it to ISP1
     match ip address 120
     set ip next-hop 200.200.200.1
    !
    route-map POLICY-DEMO permit 30
     ! No match clause: the rest of PC2's traffic and all other traffic go to ISP2
     set ip next-hop 200.200.200.5

Apply the route-map to R1's FastEthernet interface

    interface FastEthernet0/0
     description CONNECTED WITH SW1
     ! Apply the policy to incoming traffic from the internal network
     ip policy route-map POLICY-DEMO

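The first-match behaviour of POLICY-DEMO can be checked against the objectives with a small model. This is an added example, not part of the original post: the function name, the packet fields (source, protocol, destination port) and the `up` parameter are assumptions of the sketch, and a next hop that is down is modelled as a drop because R1 has no default route in the configuration shown.

```python
from ipaddress import ip_address

PC1 = ip_address("192.168.2.50")
PC2 = ip_address("192.168.2.100")
ISP1, ISP2 = "200.200.200.1", "200.200.200.5"

def acl_10(src, proto, dport):
    # access-list 10 permit 192.168.2.50 (standard ACL: source address only)
    return src == PC1

def acl_120(src, proto, dport):
    # access-list 120 permit tcp host 192.168.2.100 any eq 443 / eq telnet
    return src == PC2 and proto == "tcp" and dport in (443, 23)

# route-map POLICY-DEMO: (sequence, match ACL or None for "no match clause", next hop)
POLICY_DEMO = [(10, acl_10, ISP2), (20, acl_120, ISP1), (30, None, ISP2)]

def policy_next_hop(src, proto, dport, up=(ISP1, ISP2)):
    """Return (sequence, next hop) for a packet entering Fa0/0.

    Sequences are tried in ascending order and the first match wins.
    Assumption of this sketch: if the selected next hop is down, the packet
    falls back to R1's routing table, which has no default route in the
    configuration shown, so the result is (sequence, None), i.e. dropped.
    """
    src = ip_address(src)
    for seq, match, hop in sorted(POLICY_DEMO, key=lambda entry: entry[0]):
        if match is None or match(src, proto, dport):
            return seq, (hop if hop in up else None)
    return None, None  # not reached: sequence 30 matches everything

if __name__ == "__main__":
    # Constructed sample packets: (source, protocol, destination port)
    samples = [
        ("192.168.2.50", "tcp", 23),    # PC1 Telnet
        ("192.168.2.100", "tcp", 443),  # PC2 HTTPS
        ("192.168.2.100", "tcp", 80),   # PC2 HTTP
        ("192.168.2.77", "udp", 53),    # another internal client
    ]
    for pkt in samples:
        print(pkt, "->", policy_next_hop(*pkt))
    # PC1 with the ISP2 link down
    print("PC1, ISP2 down ->", policy_next_hop("192.168.2.50", "tcp", 80, up=(ISP1,)))
```
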
Troubleshooting & Verification Commands

    show ip route
    show ip interface brief
    show access-list
    show route-map
    debug ip policy

Now Test