Using Extended ACLs for Policy Routing to overcome sub-optimal routing


In the previous look at policy routing with a standard ACL, the result was sub-optimal routing, because a standard ACL matches only the source address and not the source and destination pair. An extended ACL corrects that, so first the old commands come off, nothing fancy:

R1(config)#no access-list 5
R1(config)#no route-map R5toR2
R1(config)#int fa0/1
R1(config-if)#no ip policy route-map R5toR2
R1(config-if)#exit
R1(config)#

Just go back through each step of the original setup and prepend "no" to each command (Ctrl+A jumps to the front of the command line), and the router is ready for the extended ACL. Now add the new config to R1 and see what a traceroute from R5 shows:

R1(config)#access-list 105 permit ip host 172.12.15.5 host 4.4.4.4
R1(config)#route-map NextHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#int fa0/1
R1(config-if)#ip policy route-map NextHop
R1(config-if)#
ASR#5
[Resuming connection 5 to r5 … ]

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.2 32 msec 36 msec 32 msec
  3 172.12.123.1 24 msec 24 msec 24 msec
  4 172.12.123.3 56 msec 56 msec 56 msec
  5 172.12.34.4 52 msec *  52 msec
R5#

I am disappointed with this result because it verifies that Chris Bryant did a poor job on his teaching of this section; there obviously needs to be some extra configuration along the route path which wasn't mentioned at all in the training videos, and even his logical topology did not match his physical setup.

So now that I've got my moaning and groaning about that out of my system, we need to look at R2 and work out how to stop it throwing that traffic back out S0/0, which is what its routing table tells it to do, since no policy routing is set up over there.

So I noticed one thing right away that needs to be addressed:

R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.1 32 msec 32 msec 32 msec
  2 172.12.123.3 64 msec 64 msec 64 msec
  3 172.12.34.4 64 msec *  60 msec
R2#

So what we see here is that even though 4.4.4.4 is on R4, which sits directly off R2's FastEthernet0/1, R2 is sending the traffic back over both serial interfaces to get there. There are a couple of options here which I will demonstrate, the first being a quick static route to save the day:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 4.4.4.4 255.255.255.255 fa0/1
R2(config)#exit
R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1  *
    172.12.24.4 0 msec *
R2#
ASR#5
[Resuming connection 5 to r5 … ]

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3 172.12.24.4 32 msec *  32 msec
R5#

Just to illustrate from both points of view: problem solved. (One caveat on the fix itself: that static route names an Ethernet interface with no next-hop address, so R2 has to ARP for 4.4.4.4 on fa0/1 and rely on R4 answering with proxy ARP; on a multi-access link the usual practice is to give the next hop 172.12.24.4 explicitly.) But given that 4.4.4.4 is advertised in the OSPF domain, I don't want a static route (administrative distance 1) overriding the OSPF route (110) for every source, so I will remove it and see what kind of route-map will steer just this traffic and let all other traffic route normally:

R2(config)#no ip route 4.4.4.4 255.255.255.255 fa0/1
R2(config)#access-list 105 permit ip host 172.12.15.5 host 4.4.4.4
R2(config)#route-map NextHop permit 10
R2(config-route-map)#match ip add 105
R2(config-route-map)#set ip next-hop 172.12.24.4
R2(config-route-map)#route-map NextHop permit 20
R2(config-route-map)#int s0/0
R2(config-if)#ip policy route-map NextHop
R2(config-if)#

The policy goes on S0/0 because that is the interface the R5 traffic arrives on at R2; PBR is applied to packets entering an interface. The empty "permit 20" sequence is optional: a packet that matches no clause of a PBR route-map is not dropped, it is simply forwarded by normal destination-based routing. Locally generated traffic never touches an interface policy, so from R5 I should now be able to reach 4.4.4.4 through R2, but from R2 itself the traceroute should still take the long way around. Let's see what happens between the two:

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3  *
    172.12.24.4 32 msec *
R5#
ASR#2
[Resuming connection 2 to r2 … ]

R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.1 36 msec 32 msec 32 msec
  2 172.12.123.3 60 msec 60 msec 64 msec
  3 172.12.34.4 64 msec *  61 msec
R2#

And there it is, I am so glad that worked, because it’s getting late and that is when things tend not to work and drive me bonkers 🙂

So as can be seen, PBR is evaluated hop by hop on the ingress interface of each router. You have to follow the path of the traffic and apply a route-map on every router where the routing table would otherwise send it off the path you want; otherwise the 'route manipulation' stops at the first router without a policy. Note also that only the forward direction is steered: replies from 4.4.4.4 back to R5 match nothing and follow the normal routing table, so the path is asymmetric.
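As an added illustration that is not part of the original post, here is a small Python model of the lab that replays the hop-by-hop behaviour seen in the traceroutes above: interface PBR is consulted only on the ingress interface of each router, a non-matching packet falls through to the routing table, and a standard ACL (source only) drags all of R5's traffic via R2 while the extended ACL steers only R5-to-4.4.4.4. The routing tables are reconstructed from the traceroutes on the page; the addresses 172.12.24.2 and 172.12.34.3, the interface names on R3, R4 and R5, and the exact shape of the earlier standard-ACL policy (ACL 5 with the same next hop) are assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Lab addressing reconstructed from the traceroutes on the page. 172.12.24.2 (R2
# fa0/1), 172.12.34.3 (R3) and the interface names on R3, R4 and R5 are ASSUMED;
# the page only shows the far ends of those links.
ROUTERS = {
    "R5": {"fa0/0": "172.12.15.5/24"},
    "R1": {"fa0/1": "172.12.15.1/24", "s0/0": "172.12.123.1/24"},
    "R2": {"s0/0": "172.12.123.2/24", "fa0/1": "172.12.24.2/24"},
    "R3": {"s0/0": "172.12.123.3/24", "fa0/0": "172.12.34.3/24"},
    "R4": {"fa0/0": "172.12.34.4/24", "fa0/1": "172.12.24.4/24", "lo0": "4.4.4.4/32"},
}
# Destination-based routing tables (prefix -> next hop) as the traceroutes reveal
# them: R1 and R2 both reach 4.4.4.4 the long way, via R3.
FIB = {
    "R5": {"0.0.0.0/0": "172.12.15.1"},
    "R1": {"4.4.4.4/32": "172.12.123.3", "172.12.34.0/24": "172.12.123.3"},
    "R2": {"4.4.4.4/32": "172.12.123.1", "172.12.34.0/24": "172.12.123.1"},
    "R3": {"4.4.4.4/32": "172.12.34.4"},
    "R4": {},
}
# Access lists as (source, destination) pairs. A standard ACL tests only the
# source, modelled as destination=None; the extended ACL tests both.
ACLS = {
    5:   [("172.12.15.5/32", None)],          # assumed standard ACL from the earlier post
    105: [("172.12.15.5/32", "4.4.4.4/32")],  # access-list 105 from this post
}
OWNER = {IPv4Interface(a).ip: (r, i) for r, ifs in ROUTERS.items() for i, a in ifs.items()}


def acl_permits(acl_id, src, dst):
    """Walk the entries in order; an IOS ACL ends in an implicit deny."""
    for src_net, dst_net in ACLS[acl_id]:
        if src in IPv4Network(src_net) and (dst_net is None or dst in IPv4Network(dst_net)):
            return True
    return False


def policy_next_hop(clauses, src, dst):
    """Evaluate route-map permit clauses in sequence order. Returns the next hop to
    set, or None when the packet is routed normally: no clause matched, or the
    matching clause has no 'set ip next-hop' (the empty 'permit 20' on R2)."""
    for acl_id, next_hop in clauses:
        if acl_id is None or acl_permits(acl_id, src, dst):
            return None if next_hop is None else IPv4Address(next_hop)
    return None


def fib_next_hop(router, dst):
    """Connected subnets first, then longest-prefix match in the routing table."""
    for addr in ROUTERS[router].values():
        iface = IPv4Interface(addr)
        if iface.network.prefixlen < 32 and dst in iface.network:
            return dst
    candidates = [IPv4Network(p) for p in FIB[router] if dst in IPv4Network(p)]
    if not candidates:
        raise ValueError(f"{router}: no route to {dst}")
    best = max(candidates, key=lambda n: n.prefixlen)
    return IPv4Address(FIB[router][str(best)])


def trace(src_router, src_ip, dst_ip, pbr, max_hops=16):
    """Return the hop addresses a traceroute would show. pbr maps
    (router, ingress interface) -> route-map clauses. Interface PBR is an ingress
    feature, so locally generated packets (ingress None) never hit it."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    router, ingress, hops = src_router, None, []
    for _ in range(max_hops):
        if dst in {IPv4Interface(a).ip for a in ROUTERS[router].values()}:
            return hops
        next_hop = None
        if ingress is not None:
            next_hop = policy_next_hop(pbr.get((router, ingress), []), src, dst)
        if next_hop is None:
            next_hop = fib_next_hop(router, dst)
        if next_hop not in OWNER:
            raise ValueError(f"{router}: next hop {next_hop} is not adjacent")
        hops.append(str(next_hop))
        router, ingress = OWNER[next_hop]
    raise RuntimeError("TTL exceeded: forwarding loop")


# The states the post walks through, plus the assumed standard-ACL policy.
PBR_STANDARD_ACL = {("R1", "fa0/1"): [(5, "172.12.123.2")]}
PBR_R1_ONLY = {("R1", "fa0/1"): [(105, "172.12.123.2")]}
PBR_R1_AND_R2 = {**PBR_R1_ONLY, ("R2", "s0/0"): [(105, "172.12.24.4"), (None, None)]}

if __name__ == "__main__":
    for label, pbr, src_r, src in [
        ("no PBR", {}, "R5", "172.12.15.5"),
        ("policy on R1 only", PBR_R1_ONLY, "R5", "172.12.15.5"),
        ("policy on R1 and R2", PBR_R1_AND_R2, "R5", "172.12.15.5"),
        ("R2's own traffic, policy on R1 and R2", PBR_R1_AND_R2, "R2", "172.12.123.2"),
    ]:
        print(f"{label}: {' -> '.join(trace(src_r, src, '4.4.4.4', pbr))}")
    # Only the extended ACL leaves R5's other traffic (here, to 172.12.34.4) on its normal path.
    print("standard ACL:", trace("R5", "172.12.15.5", "172.12.34.4", PBR_STANDARD_ACL))
    print("extended ACL:", trace("R5", "172.12.15.5", "172.12.34.4", PBR_R1_ONLY))
```

With the policy on R1 alone the model produces the five-hop path from the first traceroute (R2 hands the packet straight back to R1), with the policy on both routers it produces the three-hop path, and R2's own traceroute is unchanged because nothing it originates enters an interface. The last two lines show why the extended ACL matters: with ACL 5, R5's traffic to any destination is sent to R2 first.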

I am going to remove all PBR configs from the routers, and decide whether I want to delve further into Policy Routing with a free-style sort of lab, or move on to Local Policy Routing.
