CCIE Routing & Switching v5 Workbook - Advanced Technology Labs - IP Routing
Reliable Policy Routing
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named Basic IP Addressing,
which can be found in
. Reference the Advanced Technology Labs With
Addressing Diagram to complete this task.
Task
Configure IPv4 default routes on R4 and R6 pointing to R1’s IPv4 address from the
shared Ethernet segment.
Configure an IPv4 default route on R3 pointing to R1’s IPv4 address from the shared
Ethernet segment.
Configure an IPv4 default route on R5 pointing to R1’s DMVPN cloud IPv4 address.
Configure IPv4 static routes on R3 for R5’s Loopback0 prefix and on R5 for R3’s
Loopback0 prefix through the DMVPN cloud.
Configure R1 and R5 to run CDP over the DMVPN cloud with each other.
Configure an IP SLA instance on R1 that pings R3’s connection to VLAN 13 every
five seconds.
Configure IPv4 policy-routing on R1 so that traffic from R4 is routed through R3 over
the Ethernet link, and traffic from R6 is routed through R5 over the DMVPN cloud.
Create two extended access-lists on R1, named FROM_R4 and FROM_R6:
Access-list FROM_R4 should match all IPv4 traffic sourced from
R4’s Ethernet segment.
Access-list FROM_R6 should match all IPv4 traffic sourced from
R6’s Ethernet segment.
Use traceroute on R4 and R6 for R3’s and R5’s Loopback0 prefixes to verify
your configuration.
Modify R1’s policy routing so that if R1 loses ICMP reachability to R3, traffic from R4
is rerouted to R5 over the DMVPN cloud.
Modify R1’s policy routing so that if R1 loses R5 as a CDP neighbor, traffic from R6
is rerouted to R3 over the Ethernet link.
Configuration
R1:
ip sla 1
icmp-echo 155.1.13.3 source-interface GigabitEthernet1.13
frequency 5
!
ip sla schedule 1 start-time now life forever
track 1 ip sla 1 state
!
ip access-list extended FROM_R4
permit ip host 155.1.146.4 any
!
ip access-list extended FROM_R6
permit ip host 155.1.146.6 any
!
route-map POLICY_ROUTING permit 10
match ip address FROM_R4
set ip next-hop verify-availability 155.1.13.3 1 track 1
set ip default next-hop 155.1.0.5
!
route-map POLICY_ROUTING permit 20
match ip address FROM_R6
set ip next-hop 155.1.0.5
set ip next-hop verify-availability
set ip default next-hop 155.1.13.3
!
interface GigabitEthernet1.146
ip policy route-map POLICY_ROUTING
!
interface Tunnel0
cdp enable
R3:
ip route 0.0.0.0 0.0.0.0 155.1.13.1
ip route 150.1.5.5 255.255.255.255 155.1.0.5
R4:
ip route 0.0.0.0 0.0.0.0 155.1.146.1
R5:
ip route 0.0.0.0 0.0.0.0 155.1.0.1
ip route 150.1.3.3 255.255.255.255 155.1.0.3
!
interface Tunnel0
cdp enable
R6:
ip route 0.0.0.0 0.0.0.0 155.1.146.1
Verification
Verify the IP SLA configuration and its state, and also that R1 and R5 are CDP
neighbors over the DMVPN cloud.
R1#show ip sla configuration
IP SLAs Infrastructure Engine-III
Entry number: 1
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source interface: 155.1.13.3/GigabitEthernet1.13
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 5  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None
R1#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 1 milliseconds
Latest operation start time: 16:40:43 UTC Thu May 15 2014
Latest operation return code: OK
Number of successes: 86
Number of failures: 0
Operation time to live: Forever
R1#show track
Track 1
  IP SLA 1 state
  State is Up
    1 change, last change 00:08:43
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    Route Map 0
R1#show cdp neighbors tunnel0
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R5               Tunnel0           175             R I    CSR1000V  Tunnel0

Total cdp entries displayed : 1
Verify that traffic is policy-routed as requested.
R4#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.146.1 16 msec 4 msec 2 msec
  2 155.1.13.3 3 msec *  2 msec

R4#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.146.1 7 msec 2 msec 6 msec
  2 155.1.13.3 3 msec 5 msec 5 msec
  3 155.1.0.5 6 msec *  9 msec

R6#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.146.1 12 msec 24 msec 14 msec
  2 155.1.0.5 23 msec 50 msec 22 msec
  3 155.1.0.3 5 msec *  2 msec

R6#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.146.1 14 msec 2 msec 15 msec
  2 155.1.0.5 14 msec *  3 msec
Verify policy-routing configuration and that traffic has matched the ACL, and note
the tracking object in the UP state.
R1#show ip policy
Interface      Route map
Gi1.146        POLICY_ROUTING

R1#show ip interface gigabitEthernet 1.146 | i Policy
  Policy routing is enabled, using route map POLICY_ROUTING
  BGP Policy Mapping is disabled
  Input features: Policy Routing, MCI Check

R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
  Match clauses:
    ip address (access-lists): FROM_R4
  Set clauses:
    ip next-hop verify-availability 155.1.13.3 1 track 1  [up]
    ip default next-hop 155.1.0.5
  Policy routing matches: 12 packets, 552 bytes
route-map POLICY_ROUTING, permit, sequence 20
  Match clauses:
    ip address (access-lists): FROM_R6
  Set clauses:
    ip next-hop 155.1.0.5
    ip next-hop verify-availability
    ip default next-hop 155.1.13.3
  Policy routing matches: 9 packets, 414 bytes
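The checks above can be automated. The following Python script is an added example and is not part of the workbook: it parses show route-map output in the format R1 prints and reports a tracked next-hop that is not [up], a sequence that verifies availability without a default next-hop to fall back to, and a match counter that has not moved between two samples (a sign that the traffic is no longer hitting the policy). The sample text embedded in the script is constructed to match R1's output on this page; how the text is collected from the router (SSH session, log file) is left to the caller.

```python
"""Parse 'show route-map' output from a policy-routing router and flag problems.

Added example, not from the workbook. SAMPLE_SHOW_ROUTE_MAP is constructed to
match the format of R1's output (the two POLICY_ROUTING sequences on this page).
"""
import re

SAMPLE_SHOW_ROUTE_MAP = """\
route-map POLICY_ROUTING, permit, sequence 10
  Match clauses:
    ip address (access-lists): FROM_R4
  Set clauses:
    ip next-hop verify-availability 155.1.13.3 1 track 1  [up]
    ip default next-hop 155.1.0.5
  Policy routing matches: 12 packets, 552 bytes
route-map POLICY_ROUTING, permit, sequence 20
  Match clauses:
    ip address (access-lists): FROM_R6
  Set clauses:
    ip next-hop 155.1.0.5
    ip next-hop verify-availability
    ip default next-hop 155.1.13.3
  Policy routing matches: 9 packets, 414 bytes
"""

SEQ_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
TRACKED_RE = re.compile(r"ip next-hop verify-availability (\S+) (\d+) track (\d+)\s+\[(\w+)\]")
MATCHES_RE = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")


def parse_route_map(text):
    """Return one dict per sequence: tracked next-hops with state, plain next-hops,
    CDP verify flag, default next-hop and the policy-routing match counters."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = SEQ_RE.match(line)
        if m:
            cur = {"name": m.group(1), "action": m.group(2), "seq": int(m.group(3)),
                   "tracked": [], "next_hops": [], "default_next_hop": None,
                   "cdp_verify": False, "packets": 0, "bytes": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        m = TRACKED_RE.search(s)
        if m:  # 'set ip next-hop verify-availability <ip> <seq> track <n>' with its [state]
            cur["tracked"].append({"next_hop": m.group(1), "seq": int(m.group(2)),
                                   "track": int(m.group(3)), "state": m.group(4)})
        elif s == "ip next-hop verify-availability":  # bare form: CDP-table check
            cur["cdp_verify"] = True
        elif s.startswith("ip default next-hop "):
            cur["default_next_hop"] = s.split()[-1]
        elif s.startswith("ip next-hop "):
            cur["next_hops"].append(s.split()[-1])
        else:
            m = MATCHES_RE.search(s)
            if m:
                cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
    return entries


def audit(entries, previous_packets=None):
    """Return findings: tracked next-hop down, no failover path, or counter not moving.
    previous_packets maps sequence number -> packet count from an earlier sample."""
    findings = []
    for e in entries:
        label = f"{e['name']} seq {e['seq']}"
        for t in e["tracked"]:
            if t["state"] != "up":
                findings.append(f"{label}: tracked next-hop {t['next_hop']} (track {t['track']}) is {t['state']}")
        if (e["tracked"] or e["cdp_verify"]) and e["default_next_hop"] is None:
            findings.append(f"{label}: verify-availability without a default next-hop, no failover path")
        if previous_packets is not None:
            prev = previous_packets.get(e["seq"])
            if prev is not None and e["packets"] <= prev:
                findings.append(f"{label}: match counter did not increase ({prev} -> {e['packets']})")
    return findings


if __name__ == "__main__":
    parsed = parse_route_map(SAMPLE_SHOW_ROUTE_MAP)
    print(audit(parsed, {10: 12, 20: 5}) or ["no findings"])
```

Run it twice a few seconds apart (with traffic flowing from R4 and R6) and pass the first sample's counters as previous_packets to the second call; a sequence whose counter stands still while its tracked next-hop is still [up] usually means the traffic is not reaching the policied interface at all.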
Policy routing on its own does not validate its next hops: a next hop configured with
set ip next-hop is used whether or not the far end is actually reachable, so a failure
beyond R1 (R3 losing its VLAN 13 link, for example) leaves the policy in place and the
matching traffic is dropped. To resolve this design problem, R1 needs a way to track
reachability of the next hops it uses for policy-routed traffic. The two methods shown
here are IP SLA combined with Enhanced Object Tracking, and CDP. With IP SLA, R1 pings
R3's VLAN 13 address (155.1.13.3) every five seconds; when R3's connection to VLAN 13
goes down the probe times out, the SLA instance reports its state as down, and tracking
object 1 follows it. The tracked object is referenced in the route-map with
set ip next-hop verify-availability 155.1.13.3 1 track 1, which means: use next-hop
155.1.13.3 only while tracking object 1 is up. When it is down, the sequence falls
through to set ip default next-hop 155.1.0.5. A default next-hop is only used for
destinations for which R1 has no explicit route in its routing table (a default route
does not count as explicit). That condition holds here because R1 has no route for R5's
Loopback0; if R1 did have a specific route for the destination, the packet would follow
the routing table instead of the default next-hop. Let's disable R3's Ethernet link on
VLAN 13:
R1#debug track state
track state debugging enabled

R3#configure terminal
R3(config)#interface gigabitEthernet1.13
R3(config-subif)#shutdown
With debug track state enabled on R1, the following log message is displayed; verify
that the tracking object's state is now down.
R1#
%TRACK-6-STATE: 1 ip sla 1 state Up -> Down

R1#show track
Track 1
  IP SLA 1 state
  State is Down
    2 changes, last change 00:02:55
  Latest operation return code: Timeout
  Tracked by:
    Route Map 0
Verify that traffic received from R4 is now rerouted over the DMVPN cloud, based
on the set ip default next-hop 155.1.0.5 route-map entry.
R4#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.146.1 15 msec 2 msec 2 msec
  2 155.1.0.5 4 msec *  3 msec
Re-activate R3’s Ethernet link on VLAN 13.
R3#configure terminal
R3(config)#interface gigabitEthernet1.13
R3(config-subif)#no shutdown
With CDP-based tracking, R1 consults its CDP neighbor table to check whether a
neighbor with the next-hop address set in the route-map is present before using it.
In sequence 20, the combination of set ip next-hop 155.1.0.5, set ip next-hop
verify-availability and set ip default next-hop 155.1.13.3 means: forward to
155.1.0.5 only while a CDP neighbor with that address exists; if there is none,
traffic matching this sequence is routed to 155.1.13.3 instead (again only because
R1 has no explicit route for the destination). Two practical points: CDP is disabled
by default on tunnel interfaces, so it must be enabled on Tunnel0 at both ends as in
the configuration above, and since CDP advertises device identity, platform and
addressing to the peer, it should only be enabled where the far end is trusted. This
method also reacts only when the neighbor entry ages out, so failover can take up to
the CDP holdtime (180 seconds by default) instead of the few seconds an IP SLA probe
needs. Let's disable R1's DMVPN interface to trigger the CDP failure:
R1#configure terminal
R1(config)#interface Tunnel0
R1(config-if)#shutdown
Normally, you would disable R5’s DMVPN interface to trigger CDP
failure on R1, but on CSR 1000v routers, it seems that CDP next-hop
tracking does not work as expected.
After 180 seconds (the default CDP holdtime), R5's entry ages out of R1's CDP table:
R1#show cdp neighbors Tunnel0
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R5               Tunnel0           55              R I    CSR1000V  Tunnel0

Total cdp entries displayed : 1

R1#show cdp neighbors Tunnel0
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

Total cdp entries displayed : 0
Verify that traffic received from R6 is now rerouted over the Ethernet link to R3,
based on the set ip default next-hop 155.1.13.3 route-map entry.
R6#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.146.1 6 msec 8 msec 2 msec
  2 155.1.13.3 5 msec *  6 msec
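To tie the two failover mechanisms together, here is a small Python model of how IOS chooses a next hop for a policy-routed packet. It is an added example, not code from the workbook or from Cisco, and it assumes the addresses, the POLICY_ROUTING route-map and the route-less R1 from this page; track and CDP state are supplied as inputs. It reproduces the order of evaluation described above: a set ip next-hop is used only if its track object is up or, with bare verify-availability, its address is in the CDP table; set ip default next-hop is used only when the routing table holds no explicit route for the destination; otherwise the first matching sequence is exhausted and the packet is routed normally. The last scenario adds a hypothetical explicit route on R1 for R5's Loopback0 via R3 that is not on the page, to show that such a route silently disables the default next-hop failover.

```python
"""Model of how IOS policy routing picks a next hop for one packet.

Added example, not code from the workbook or from Cisco. It follows the documented
order of evaluation (set ip next-hop, then set ip default next-hop, then normal
routing) so the scenarios on this page can be reasoned about without a router.
Addresses, the route-map and R1's routing table are taken from the page; track
and CDP state are supplied as inputs.
"""
import ipaddress


class Router:
    def __init__(self, routes, tracks, cdp_neighbors, route_map):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]  # (prefix, next hop)
        self.tracks = tracks              # {track_id: "up" | "down"}
        self.cdp = set(cdp_neighbors)     # next-hop addresses present in the CDP table
        self.route_map = route_map        # sequences in order of evaluation

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next hop) or None if unrouted."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best

    def policy_route(self, src, dst):
        """Return (next_hop, reason) for a packet src->dst entering the policied interface."""
        for seq in self.route_map:
            if ipaddress.ip_address(src) not in ipaddress.ip_network(seq["match_src"]):
                continue
            # 1. 'set ip next-hop' candidates in order. One guarded by a track object is
            #    skipped while the object is down; with bare 'verify-availability' it is
            #    skipped unless its address is in the CDP table.
            for addr, track in seq["next_hops"]:
                if track is not None:
                    if self.tracks.get(track) == "up":
                        return addr, f"seq {seq['seq']}: next-hop {addr} (track {track} up)"
                elif seq.get("cdp_verify"):
                    if addr in self.cdp:
                        return addr, f"seq {seq['seq']}: next-hop {addr} (CDP neighbor present)"
                else:
                    return addr, f"seq {seq['seq']}: next-hop {addr}"
            # 2. 'set ip default next-hop' is used only when the routing table holds no
            #    explicit route for the destination; a 0.0.0.0/0 route does not count.
            route = self.lookup(dst)
            if seq.get("default_next_hop") and not (route and route[0].prefixlen > 0):
                return seq["default_next_hop"], f"seq {seq['seq']}: default next-hop {seq['default_next_hop']}"
            break  # first matching sequence decides; nothing usable, so route normally
        route = self.lookup(dst)
        if route is None:
            return None, "no route: packet dropped"
        return route[1], f"routing table: {route[0]} via {route[1]}"


# R1's POLICY_ROUTING route-map from the page: next_hops holds (address, track id or None).
POLICY_ROUTING = [
    {"seq": 10, "match_src": "155.1.146.4/32", "next_hops": [("155.1.13.3", 1)],
     "default_next_hop": "155.1.0.5"},
    {"seq": 20, "match_src": "155.1.146.6/32", "next_hops": [("155.1.0.5", None)],
     "cdp_verify": True, "default_next_hop": "155.1.13.3"},
]
# R1 has only its connected routes in this task; no route to either Loopback0.
R1_ROUTES = [("155.1.146.0/24", "connected"), ("155.1.13.0/24", "connected"),
             ("155.1.0.0/24", "connected")]


def scenario(tracks, cdp, extra_routes=()):
    """Next hop R1 picks for R4->R5 Loopback0 and R6->R3 Loopback0 under the given state."""
    r1 = Router(R1_ROUTES + list(extra_routes), tracks, cdp, POLICY_ROUTING)
    return {"R4->R5": r1.policy_route("155.1.146.4", "150.1.5.5")[0],
            "R6->R3": r1.policy_route("155.1.146.6", "150.1.3.3")[0]}


if __name__ == "__main__":
    print("all up:        ", scenario({1: "up"}, {"155.1.0.5"}))
    print("track 1 down:  ", scenario({1: "down"}, {"155.1.0.5"}))
    print("R5 CDP gone:   ", scenario({1: "up"}, set()))
    # Hypothetical (not on the page): an explicit route on R1 for R5's Loopback0 via R3
    # makes the default next-hop inapplicable, so R4's traffic keeps heading to the
    # next hop whose track object is down.
    print("explicit route:", scenario({1: "down"}, {"155.1.0.5"}, [("150.1.5.5/32", "155.1.13.3")]))
```

The first three scenarios reproduce the three traceroute results on this page; the fourth is the trap to keep in mind when this design is later combined with a routing protocol on R1: once R1 learns a specific route for the destination, set ip default next-hop no longer provides the backup path, and set ip next-hop with a second tracked entry has to be used instead.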