CCIE Routing & Switching v5 Workbook - Advanced Technology Labs - IP Routing
Local Policy Routing
A Note On Section Initial Configuration Files: You must load the initial configuration files for the section, named Basic IP Addressing, which can be found in . Reference the Advanced Technology Labs With Addressing Diagram to complete this task.
Task
- Configure R3 with an IPv4 static route for R5’s Loopback0 through the DMVPN cloud and for R1’s Loopback0 through VLAN 13.
- Configure R5 with IPv4 static routes for R1’s and R3’s Loopback0 through the DMVPN cloud.
- Create two access-lists named TO_R3 and TO_R5 on R1.
  - Access-list TO_R3 should match all packets sourced from R1’s Loopback0 going to the Loopback0 network of R3.
  - Access-list TO_R5 should match all packets sourced from R1’s Loopback0 going to the Loopback0 network of R5.
- Configure local policy-routing on R1 as follows:
  - Locally generated traffic matched by the list TO_R3 is routed out the DMVPN cloud to R5.
  - Locally generated traffic matched by the list TO_R5 is routed out the Ethernet link to R3.
- Use traceroute on R1 for R3’s and R5’s Loopback0 networks to verify that this configuration is functional.
Configuration
R1:
ip access-list extended TO_R3
permit ip host 150.1.1.1 host 150.1.3.3
!
ip access-list extended TO_R5
permit ip host 150.1.1.1 host 150.1.5.5
!
route-map LOCAL_POLICY permit 10
match ip address TO_R3
set ip next-hop 155.1.0.5
!
route-map LOCAL_POLICY permit 20
match ip address TO_R5
set ip next-hop 155.1.13.3
!
ip local policy route-map LOCAL_POLICY
R3:
ip route 150.1.1.1 255.255.255.255 155.1.13.1
ip route 150.1.5.5 255.255.255.255 155.1.0.5
R5:
ip route 150.1.1.1 255.255.255.255 155.1.0.1
ip route 150.1.3.3 255.255.255.255 155.1.0.3
Verification
Local policy routing operates like normal policy routing, except that it applies to traffic the router generates itself rather than to transit traffic received inbound on an interface. In the output below, R1 has no route to either destination, 150.1.3.3 or 150.1.5.5, yet the traffic is forwarded successfully because of the locally applied policy:
R1#show ip route 150.1.3.3
% Subnet not in table
R1#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.0.5 4 msec 1 msec 2 msec
  2 155.1.0.3 2 msec * 2 msec
R1#show ip route 150.1.5.5
% Subnet not in table
R1#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.13.3 3 msec 2 msec 1 msec
  2 155.1.0.5 2 msec * 2 msec
Verify the policy-routing configuration and that traffic has matched the ACLs (the match counters on each route-map sequence increment as locally generated packets are policy-routed):
R1#show ip policy
Interface      Route map
local          LOCAL_POLICY
R1#show route-map
route-map LOCAL_POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): TO_R3
  Set clauses:
    ip next-hop 155.1.0.5
  Policy routing matches: 44 packets, 2925 bytes
route-map LOCAL_POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): TO_R5
  Set clauses:
    ip next-hop 155.1.13.3
  Policy routing matches: 32 packets, 2477 bytes
Pitfall
Note that when the remote devices receive traffic from R1, it is sourced from the Loopback0 interface of R1. Normally the router uses the IP address of the outgoing interface in the routing table as the source IP address in its own packets. However, because the routing table is not consulted for the lookup, you may see inconsistencies in the source address of the local traffic. This behavior could have a negative impact on protocols such as BGP, which need to agree on the source and destination IP addresses for a peering.
R1#debug ip icmp
ICMP packet debugging is on
R1#ping 150.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ICMP: echo reply rcvd, src 150.1.3.3, dst 150.1.1.1, topology BASE, dscp 0 topoid 0
ICMP: echo reply rcvd, src 150.1.3.3, dst 150.1.1.1, topology BASE, dscp 0 topoid 0
ICMP: echo reply rcvd, src 150.1.3.3, dst 150.1.1.1, topology BASE, dscp 0 topoid 0
ICMP: echo reply rcvd, src 150.1.3.3, dst 150.1.1.1, topology BASE, dscp 0 topoid 0
ICMP: echo reply rcvd, src 150.1.3.3, dst 150.1.1.1, topology BASE, dscp 0 topoid 0
R1#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.0.5 4 msec 0 msec 1 msec
  2 155.1.0.3 2 msec
ICMP: time exceeded rcvd from 155.1.0.5
ICMP: time exceeded rcvd from 155.1.0.5
ICMP: time exceeded rcvd from 155.1.0.5
ICMP: dst (150.1.1.1) port unreachable rcv from 155.1.0.3 * 2 msec
ICMP: dst (150.1.1.1) port unreachable rcv from 155.1.0.3
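The following Python model is an added example and is not part of the workbook or of Cisco IOS; it serves both the Verification section (local policy is consulted before the routing table, first matching sequence wins, fall-through to a normal lookup when nothing matches) and the Pitfall section (the policy-routed packet keeps the source the application chose, which need not be the exit interface address). The ACLs, route-map sequences and next hops are the R1 values from this page; the routing-table contents and the interface names Tunnel0 and Ethernet0/0 are assumptions made for the model, as is the rule that a next hop which cannot be resolved in the RIB causes that sequence to be skipped.

```python
# Added example (not workbook or IOS code): a model of how R1 decides where to
# send a packet it generated itself under "ip local policy route-map".
from ipaddress import ip_address, ip_network

# Extended ACLs as configured on R1 on this page.
# Each entry is (action, source prefix, destination prefix); implicit deny at the end.
ACLS = {
    "TO_R3": [("permit", "150.1.1.1/32", "150.1.3.3/32")],
    "TO_R5": [("permit", "150.1.1.1/32", "150.1.5.5/32")],
}

# route-map LOCAL_POLICY, evaluated in ascending sequence order; first match wins.
ROUTE_MAP = [
    (10, "permit", "TO_R3", "155.1.0.5"),   # via the DMVPN cloud towards R5
    (20, "permit", "TO_R5", "155.1.13.3"),  # via the Ethernet link towards R3
]

# Assumed RIB on R1: connected networks only. The page shows R1 has no route to
# 150.1.3.3 or 150.1.5.5. Interface names are assumptions for this model.
RIB = {
    "155.1.0.0/24": ("Tunnel0", "155.1.0.1"),
    "155.1.13.0/24": ("Ethernet0/0", "155.1.13.1"),
    "150.1.1.0/24": ("Loopback0", "150.1.1.1"),
}


def acl_permits(acl_name, src, dst):
    """True if the named extended ACL permits src -> dst (implicit deny)."""
    for action, s_net, d_net in ACLS[acl_name]:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return action == "permit"
    return False


def rib_lookup(dst):
    """Longest-prefix match; returns (interface, interface address) or None."""
    best = None
    for prefix, via in RIB.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def forward_local_packet(src, dst):
    """Decide how R1 forwards a locally generated packet with source src.

    Local policy is consulted before the RIB. The first permit sequence whose
    ACL matches supplies the next hop; that next hop must itself be resolvable
    in the RIB (assumption of the model), otherwise the sequence is skipped.
    Only when no sequence applies does the packet get a normal RIB lookup.
    """
    for seq, action, acl, next_hop in ROUTE_MAP:
        if not acl_permits(acl, src, dst):
            continue
        if action == "deny":
            break  # a matching deny sequence ends policy routing: route normally
        resolved = rib_lookup(next_hop)
        if resolved is None:
            continue  # next hop not reachable: this set clause cannot be used
        iface, iface_addr = resolved
        # Pitfall: the packet leaves via iface but keeps src as its source,
        # which is not the address of the outgoing interface.
        return {"path": "policy", "seq": seq, "next_hop": next_hop,
                "exit_interface": iface, "source": src,
                "source_is_exit_address": src == iface_addr}
    resolved = rib_lookup(dst)
    if resolved is None:
        return {"path": "unreachable", "seq": None, "next_hop": None,
                "exit_interface": None, "source": src,
                "source_is_exit_address": False}
    iface, iface_addr = resolved
    # Connected route: the next hop is the destination itself.
    return {"path": "rib", "seq": None, "next_hop": dst,
            "exit_interface": iface, "source": src,
            "source_is_exit_address": src == iface_addr}


if __name__ == "__main__":
    for s, d in [("150.1.1.1", "150.1.3.3"), ("150.1.1.1", "150.1.5.5"),
                 ("155.1.13.1", "150.1.3.3"), ("155.1.13.1", "155.1.13.3")]:
        print(s, "->", d, forward_local_packet(s, d))
```

Running the block shows the two cases from the page (Loopback0 to R3's loopback goes to 155.1.0.5 out the tunnel, Loopback0 to R5's loopback goes to 155.1.13.3 out the Ethernet link, both with a source that differs from the exit interface address), plus two cases the page only implies: the same destination sourced from the Ethernet address does not match either ACL and, with no route in the RIB, is unreachable, while a connected destination that matches no sequence is routed normally with source and exit address in agreement.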