Tuesday, March 24, 2015

Policy-Based Routing {Part-1 CCNP}

Policy-Based Routing


Introduction:-
Ø  Policy-Based Routing (PBR) is one of the most powerful features available to you for directing traffic that passes through your Cisco router.
Ø  It is a process applied to the ingress interface of a router which overrides the normal destination-based routing process for the packets it matches.

Objectives:-
Ø  PC1 surfs the internet all day doing nothing productive. All traffic from this PC should route out ISP2, which is the slower internet connection. If ISP2 is down, PC1 should not be able to access the internet.
Ø  PC2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connection. All other traffic from PC2 should route out ISP2.
Ø  Traffic from other clients (not shown in this diagram) should route out ISP2.

Testing:-
Ø  Telnet from PC1 to ISP2 (200.200.200.5). This session should connect to the ISP2 router.
Ø  Verify that the traffic is being policy-routed by using the "show route-map" command on R1; the match counters of the sequence that PC1 hits should increase.
Ø  Telnet from PC1 to ISP1 (200.200.200.1) should fail. PC1's traffic is forced to ISP2, and ISP1 and ISP2 have no knowledge of each other's links, so ISP2 has no route to 200.200.200.1.
Ø  Telnet from PC2 to ISP1 (200.200.200.1). This session should connect; Telnet and HTTPS from PC2 both match the policy and are sent to ISP1.

Router1 interface configuration
Ø  interface FastEthernet0/0
Ø   description CONNECTED WITH SW1
Ø   ip address 192.168.2.1 255.255.255.0
Ø  no shut

Ø  interface Serial1/0
Ø   description CONNECTED WITH ISP1
Ø   ip address 200.200.200.2 255.255.255.252
Ø  no shut

Ø  interface Serial1/1
Ø   description CONNECTED WITH ISP2
Ø   ip address 200.200.200.6 255.255.255.252
Ø  no shut

ISP1 (actually a router) interface configuration
Ø  interface Serial1/0
Ø   description CONNECTED WITH R1
Ø   ip address 200.200.200.1 255.255.255.252
Ø  clock rate 64000
Ø  no shut

Ø  ip route 192.168.2.0 255.255.255.0 200.200.200.2         {for connecting R1 internal network}

ISP2 (actually a router) interface configuration
Ø  interface Serial1/1
Ø   description CONNECTED WITH R1
Ø   ip address 200.200.200.5 255.255.255.252
Ø  clock rate 64000
Ø  no shut

Ø  ip route 192.168.2.0 255.255.255.0 200.200.200.6                  {for connecting R1 internal network}
At this point all the devices can ping each other, but ISP1 and ISP2 cannot ping each other, because neither has a route to the other's serial link.

Create access-lists to identify the PC1 and PC2 traffic (here the ACLs only classify traffic for the route-map; they do not filter anything)
Ø  access-list 10 permit 192.168.2.50                                                      {Standard ACL: all traffic sourced from PC1}
Ø  access-list 120 permit tcp host 192.168.2.100 any eq 443             {Extended ACL: PC2 HTTPS}
Ø  access-list 120 permit tcp host 192.168.2.100 any eq telnet          {Extended ACL: PC2 Telnet}

Now reference the ACLs in a route-map (sequences are evaluated in order and the first match wins)
Ø  route-map POLICY-DEMO permit 10     {POLICY-DEMO:- route-map name}
Ø   match ip address 10                                 {Match PC1 ACL 10}
Ø   set ip next-hop 200.200.200.5               {Set ISP2}

Ø  route-map POLICY-DEMO permit 20      
Ø   match ip address 120                                  {Match PC2 ACL 120}
Ø   set ip next-hop 200.200.200.1                  {Set ISP1 for PC2 Telnet & HTTPS}

Ø  route-map POLICY-DEMO permit 30        
Ø   set ip next-hop 200.200.200.5                 {No match clause, so all remaining traffic (the rest of PC2 and the other clients) goes to ISP2}

Apply the route-map to R1's FastEthernet interface (the ingress interface for the internal LAN)
Ø  interface FastEthernet0/0
Ø   description CONNECTED WITH SW1
Ø   ip policy route-map POLICY-DEMO            {policy-route the incoming traffic from the internal network; this does not filter it}
Note that PBR only affects packets arriving on this interface. If the next hop of a matching sequence is unreachable (for example when the ISP2 serial link is down), the "set ip next-hop" is ignored and the packet falls back to the normal routing table, so the PC1 requirement above relies on R1 having no default route through ISP1.
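To make the evaluation order concrete, the following is an added Python model of how IOS walks the POLICY-DEMO route-map for packets entering Fa0/0 and what each ISP can then do with them. It is an illustration written for this page, not IOS code and not from the original post: the ACL and route-map semantics are reduced to the features used here, the ISP routing tables are taken from the static routes shown above, and R1 is assumed to have no default route (none appears in the post). It reproduces the test cases from the Testing section, including the case where ISP2 is down.

```python
"""Model of IOS route-map evaluation for the POLICY-DEMO lab (added example,
not Cisco code). Assumptions: simplified ACL/route-map semantics, ISP routing
tables built from the static routes in the post, no default route on R1."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp" or "ip" (any)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; a standard ACL leaves dst/proto/dport at their defaults."""
    action: str                  # "permit" or "deny"
    src: str                     # source prefix in CIDR form
    dst: str = "0.0.0.0/0"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches any destination port


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ip_address(pkt.src) not in ip_network(ace.src):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst):
        return False
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# The two access-lists from the post.
ACLS = {
    10: [Ace("permit", "192.168.2.50/32")],                             # all of PC1
    120: [Ace("permit", "192.168.2.100/32", proto="tcp", dport=443),    # PC2 HTTPS
          Ace("permit", "192.168.2.100/32", proto="tcp", dport=23)],    # PC2 Telnet
}


@dataclass(frozen=True)
class Seq:
    seq: int
    match_acl: Optional[int] = None  # None: no match clause, matches everything
    next_hop: Optional[str] = None
    action: str = "permit"


# route-map POLICY-DEMO, in sequence order.
ROUTE_MAP = [
    Seq(10, match_acl=10, next_hop="200.200.200.5"),   # PC1 -> ISP2
    Seq(20, match_acl=120, next_hop="200.200.200.1"),  # PC2 Telnet/HTTPS -> ISP1
    Seq(30, next_hop="200.200.200.5"),                 # everything else -> ISP2
]
NORMAL = "normal-routing"


def policy_route(pkt: Packet, reachable_next_hops, route_map=ROUTE_MAP) -> str:
    """Next hop PBR selects for pkt, or NORMAL when the packet is handed back to
    destination-based routing (deny sequence, nothing matched, or next hop down)."""
    for s in route_map:
        if s.match_acl is not None and not acl_permits(ACLS[s.match_acl], pkt):
            continue                 # no match: try the next sequence
        if s.action == "deny" or s.next_hop not in reachable_next_hops:
            return NORMAL
        return s.next_hop
    return NORMAL


# Constructed from the post: each ISP knows only its own link to R1 plus the
# static route back to 192.168.2.0/24, so ISP1 and ISP2 cannot reach each other.
ISP_ROUTES = {
    "200.200.200.1": ["200.200.200.0/30", "192.168.2.0/24"],  # ISP1
    "200.200.200.5": ["200.200.200.4/30", "192.168.2.0/24"],  # ISP2
}


def end_to_end(pkt: Packet, reachable_next_hops):
    """(next hop chosen on R1, whether that ISP has a route to pkt.dst).
    NORMAL counts as dropped because R1 is assumed to have no default route."""
    nh = policy_route(pkt, reachable_next_hops)
    if nh == NORMAL:
        return nh, False
    return nh, any(ip_address(pkt.dst) in ip_network(n) for n in ISP_ROUTES[nh])
```

Running the Testing section through this model: PC1 to 200.200.200.5 is sent to ISP2 and delivered; PC1 to 200.200.200.1 is also sent to ISP2, which has no route for it; PC2 Telnet to 200.200.200.1 matches sequence 20 and reaches ISP1; and with only ISP1 reachable, PC1's traffic falls back to normal routing, which is where the absence of a default route on R1 matters.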

Troubleshooting & Verification Commands
Ø  show ip route
Ø  show ip interface brief
Ø  show access-list
Ø  show route-map                     {shows the match counters of each sequence}
Ø  show ip policy                     {shows which interface has the route-map applied}
Ø  debug ip policy                    {shows each policy-routing decision; use with care on a busy router}


Now Test




