CCIE Routing & Switching v5 Workbook - CCIE R&S v5 Advanced Technology Labs - IP Routing
Policy Routing
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named Basic IP Addressing,
which can be found in
. Reference the Advanced Technology Labs With
Addressing Diagram to complete this task.
Task
Configure IPv4 default routes on R4 and R6 pointing to R1’s IPv4 address from the shared Ethernet segment.
Configure an IPv4 default route on R3 pointing to R1’s IPv4 address from the shared Ethernet segment.
Configure an IPv4 default route on R5 pointing to R1’s DMVPN cloud IPv4 address.
Configure IPv4 static routes on R3 for R5’s Loopback0 prefix and on R5 for R3’s Loopback0 prefix through the DMVPN cloud.
Configure IPv4 policy-routing on R1 so that traffic from R4 is routed through R3 over the Ethernet link, and traffic from R6 is routed through R5 over the DMVPN cloud.
Create two extended access-lists on R1, named FROM_R4 and FROM_R6:
  Access-list FROM_R4 should match all IPv4 traffic sourced from R4’s Ethernet segment.
  Access-list FROM_R6 should match all IPv4 traffic sourced from R6’s Ethernet segment.
Use traceroute on R4 and R6 for R3’s and R5’s Loopback0 prefixes to verify your configuration.
Configuration
R1:
ip access-list extended FROM_R4
permit ip host 155.1.146.4 any
!
ip access-list extended FROM_R6
permit ip host 155.1.146.6 any
!
route-map POLICY_ROUTING permit 10
match ip address FROM_R4
set ip next-hop 155.1.13.3
!
route-map POLICY_ROUTING permit 20
match ip address FROM_R6
set ip next-hop 155.1.0.5
!
interface GigabitEthernet1.146
ip policy route-map POLICY_ROUTING
R3:
ip route 0.0.0.0 0.0.0.0 155.1.13.1
ip route 150.1.5.5 255.255.255.255 155.1.0.5
R4:
ip route 0.0.0.0 0.0.0.0 155.1.146.1
R5:
ip route 0.0.0.0 0.0.0.0 155.1.0.1
ip route 150.1.3.3 255.255.255.255 155.1.0.3
R6:
ip route 0.0.0.0 0.0.0.0 155.1.146.1
Verification
Policy routing allows the router to forward traffic based on user-defined criteria
without even consulting the IP routing table. In this example, we can see that R1
does not have routing information for either of the Loopbacks of R3 and R5, so it
cannot route locally originated traffic.
R1#show ip route 150.1.3.3
% Subnet not in table
!
R1#show ip route 150.1.5.5
% Subnet not in table
!
R1#debug ip packet
IP packet debugging is on
!
R1#ping 150.1.3.3 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
!
IP: s=150.1.1.1 (local), d=150.1.3.3, len 100, unroutable.
!
R1#ping 150.1.5.5 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
!
IP: s=150.1.1.1 (local), d=150.1.3.3, len 100, local feature, feature skipped, Logical MN local(14), rtype 0, forus
IP: s=150.1.1.1 (local), d=150.1.5.5, len 100, local feature, feature skipped, Logical MN local(14), rtype 0, forus
IP: s=150.1.1.1 (local), d=150.1.5.5, len 100, unroutable.
If traffic is received inbound on R1’s VLAN 146 Ethernet segment and is sourced
from R4’s or R6’s IPv4 addresses attached to VLAN 146, it is policy-routed
according to the route-map attached to the interface:
R4#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 155.1.146.1 63 msec 40 msec 17 msec
2 155.1.13.3 16 msec
!
R4#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
1 155.1.146.1 12 msec 3 msec 4 msec
2 155.1.13.3 2 msec 4 msec 2 msec
3 155.1.0.5 9 msec * 4 msec
!
R6#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 155.1.146.1 11 msec 4 msec 2 msec
2 155.1.0.5 3 msec 1 msec 3 msec
3 155.1.0.3 3 msec * 5 msec
!
R6#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
1 155.1.146.1 7 msec 2 msec 8 msec
2 155.1.0.5 5 msec * 2 msec
Verify policy-routing configuration and that traffic has matched the ACL:
R1#show ip policy
Interface      Route map
Gi1.146        POLICY_ROUTING
!
R1#show ip interface gigabitEthernet 1.146 | i Policy
Policy routing is enabled, using route map POLICY_ROUTING
BGP Policy Mapping is disabled
Input features: Policy Routing, MCI Check
!
R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): FROM_R4
Set clauses:
ip next-hop 155.1.13.3
Nexthop tracking current: 155.1.13.3
155.1.13.3, fib_nh:7F01B9C1BD10,oce:7F01B9F6EDD8,status:1
Policy routing matches: 9 packets, 414 bytes
route-map POLICY_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): FROM_R6
Set clauses:
ip next-hop 155.1.0.5
Nexthop tracking current: 155.1.0.5
155.1.0.5, fib_nh:7F01B9C1BCB0,oce:7F01B9F6FAF8,status:1
Policy routing matches: 9 packets, 414 bytes
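R1’s route-map used for policy routing does not match traffic sourced from other
interfaces of R4 and R6. Unmatched traffic falls back to normal destination-based
forwarding, and because R1 has no route for these Loopbacks, the traffic is dropped
when it is received by R1 inbound on its VLAN 146 interface: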
R4#ping 150.1.5.5 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
.....
Success rate is 0 percent (0/5)
!
R6#ping 150.1.5.5 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 150.1.6.6
.....
Success rate is 0 percent (0/5)
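
R1's forwarding decision from the verification above, modeled in Python as an added example (not part of the original workbook): policy match on the ingress interface first, then fallback to the routing table. The connected prefixes and /24 mask lengths in RIB are assumptions, and the model ignores next-hop reachability checks.

```python
import ipaddress

# Route-map POLICY_ROUTING from the page: (sequence, matched source host, next hop).
ROUTE_MAP = [
    (10, "155.1.146.4", "155.1.13.3"),  # access-list FROM_R4
    (20, "155.1.146.6", "155.1.0.5"),   # access-list FROM_R6
]
# Interfaces carrying "ip policy route-map POLICY_ROUTING".
POLICY_INTERFACES = {"GigabitEthernet1.146"}

# Assumed (constructed) routing table for R1: connected prefixes only.
# The mask lengths are assumptions; the page does not show them.
RIB = [ipaddress.ip_network(p) for p in (
    "155.1.146.0/24", "155.1.13.0/24", "155.1.0.0/24", "150.1.1.1/32",
)]

def rib_lookup(dst):
    """Longest-prefix match; None means '% Subnet not in table'."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in RIB if addr in net]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None

def forward(src, dst, in_interface):
    """Decide how R1 handles one packet.

    in_interface=None models locally originated traffic, which the
    interface-level policy does not see.
    """
    if in_interface in POLICY_INTERFACES:
        for _seq, host, next_hop in ROUTE_MAP:  # sequences are tried in order
            if src == host:                     # "permit ip host <src> any"
                return ("policy-routed", next_hop)
    # No policy match: normal destination-based forwarding.
    prefix = rib_lookup(dst)
    if prefix is None:
        return ("dropped", "unroutable")
    return ("routed", prefix)

if __name__ == "__main__":
    cases = [
        ("155.1.146.4", "150.1.5.5", "GigabitEthernet1.146"),  # R4 Ethernet source
        ("155.1.146.6", "150.1.3.3", "GigabitEthernet1.146"),  # R6 Ethernet source
        ("150.1.4.4", "150.1.5.5", "GigabitEthernet1.146"),    # R4 Loopback0 source
        ("150.1.1.1", "150.1.3.3", None),                      # R1's own ping
    ]
    for src, dst, intf in cases:
        print(src, "->", dst, "via", intf, ":", forward(src, dst, intf))
```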