
Still working with the same Topology seen above, I want to round off the Policy Routing videos to see if I can bring that into some scenario or freestyle lab, and see how crazy one can get with Policy Routing.

The first thing to note, which I amazingly had not known at all until this video, is that from a router there are two ways to do extended traceroutes (like extended pings):

  • Type “traceroute” and hit enter to fill in options exactly like an extended ping
  • “traceroute (dest IP) source (source IP)” to simulate traffic from that network

Also to note on the second method: you can actually source the traceroute in several different ways, shown here with the extended options as I fill them out, so there will be a bit of output:

R1#traceroute 4.4.4.4 ?
numeric  display numeric address
port     specify port number
probe    specify number of probes per hop
source   specify source address or name
timeout  specify time out
ttl      specify minimum and maximum ttl
<cr>

R1#traceroute 4.4.4.4 source ?
A.B.C.D            Source address
Async              Async interface
BVI                Bridge-Group Virtual Interface
CDMA-Ix            CDMA Ix interface
CTunnel            CTunnel interface
Dialer             Dialer interface
FastEthernet       FastEthernet IEEE 802.3
Lex                Lex interface
Loopback           Loopback interface
MFR                Multilink Frame Relay bundle interface
Multilink          Multilink-group interface
Null               Null interface
Port-channel       Ethernet Channel of interfaces
Serial             Serial
Tunnel             Tunnel interface
Vif                PGM Multicast Host interface
Virtual-PPP        Virtual PPP interface
Virtual-Template   Virtual Template interface
Virtual-TokenRing  Virtual TokenRing

R1#traceroute 4.4.4.4 source 10.20.30.40 ?
numeric  display numeric address
port     specify port number
probe    specify number of probes per hop
timeout  specify time out
ttl      specify minimum and maximum ttl
<cr>

R1#traceroute 4.4.4.4 source 10.20.30.40

% Invalid source address- IP address not on any of our up interfaces
R1#

It’s like a build-your-own sundae: you can just keep adding scoops of detail to your traceroute, but the last line of that output is an important message. The source IP address must be on one of our “Up” interfaces on the local router, so being that this requires a physical or logical interface that is in “Up” status, it sounds like Loopback interfaces are the way to go as they won’t go down unless administratively shut down.

However, if we are using an extended traceroute, it is because we are simulating traffic from another network to test the path. As we well know, Policy Routing requires an incoming interface for the traffic it policy routes, and locally generated traffic has none; this is where Local Policy Routing comes into play.

To make things harder on my already exhausted brain, I assigned loopback numbers to match the IP addresses:

R1(config)#int lo ?
  <0-2147483647>  Loopback interface number (<- What!!!)

R1(config)#int lo1234
*Mar  1 17:00:40.658: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1234, changed state to up
R1(config-if)#ip add 10.20.30.40 255.255.255.0
R1(config-if)#int lo4321
*Mar  1 17:01:03.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback4321, changed state to up
R1(config-if)#ip add 40.30.20.10 255.255.255.0
R1(config-if)#

Another interesting thing, you can make an interface loopback 2,147,483,647 (2.1 billion), I have been setting my bar way too low for loopback interface numbers. Back to the matter at hand, I now have my two loopbacks just created as well as lo1 with IP address 1.1.1.1 /32 to use in the lab.

So the structure of how you create the route-map is the same as before: make an ACL, match it on a route-map, then set ip next-hop (ip addy). However, there is no incoming interface on the local router, so we will examine where we apply this route-map if not to an incoming interface.

To start I will send an initial traceroute to see my current path so I know how to alter it:

R1(config)#do traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1 172.12.123.3 32 msec 32 msec 36 msec
2 172.12.34.4 32 msec *  32 msec
R1(config)#do traceroute 4.4.4.4 source 40.30.20.10

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1  *  *  *
2  *  *  *
3  *  *  *
4  *  *  *
5  *

This is a good learning lesson, because I just made these loopbacks, but forgot to add them to OSPF so no other routers would know a route back, so I’ll add them to OSPF and we’ll try again:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 0
R1(config-router)#network 10.20.30.40 0.0.0.255 area 0
R1(config-router)#network 40.30.20.10 0.0.0.255 area 0
R1(config-router)#do traceroute 4.4.4.4 source 40.30.20.10

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.3 36 msec 33 msec 32 msec
  2 172.12.34.4 32 msec *  32 msec
R1(config-router)#

Much better. So being that 172.12.123.3 is the preferred path to R4’s loopback of 4.4.4.4, I want our 2 new loopback interfaces to route traffic towards R2 instead, so I will create a multi-line ACL this time for Policy Routing and create the Route-map:

R1(config)#access-list 105 permit ip host 10.20.30.40 host 4.4.4.4
R1(config)#access-list 105 permit ip host 40.30.20.10 host 4.4.4.4
R1(config)#route-map LocalNextHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#

I am still not sure if you can have multiple route-maps on an interface; I will lab that scenario, because I think it makes sense that one interface can have multiple networks coming into it that it needs to route to different places. For now I can confirm that one route-map can match a multi-line ACL to direct more than one line of traffic towards a next-hop destination.

So no incoming interface, where do we configure the route-map? The answer is – Globally:

R1(config)#ip local ?
  policy  Enable policy routing
  pool    IP Local address pool lists

R1(config)#ip local policy ?
  route-map  Policy route map

R1(config)#ip local policy route-map ?
  WORD  Route map name

R1(config)#ip local policy route-map LocalNextHop ?
  <cr>

R1(config)#ip local policy route-map LocalNextHop
R1(config)#
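To make the decision process behind the source check from the earlier traceroute error and the “ip local policy” route-map above concrete, here is an added example (my own illustration, not code from the post or from Cisco IOS) that models how R1 handles a packet it generated itself: validate the source address against the up interfaces, evaluate route-map LocalNextHop against ACL 105, and fall through to ordinary destination-based routing when nothing matches. The interface table and routing table are constructed to resemble the lab (the down FastEthernet0/0 and its 192.168.99.1 address are invented for the failure case), and the addresses, ACL and route-map are the ones configured on the page.

```python
import ipaddress

# Constructed interface table modelled on the lab; not a dump of R1.
# (assumption) interface name -> (address/prefix, line-protocol state)
INTERFACES = {
    "Loopback1":       ("1.1.1.1/32",      "up"),
    "Loopback1234":    ("10.20.30.40/24",  "up"),
    "Loopback4321":    ("40.30.20.10/24",  "up"),
    "Serial0/0":       ("172.12.123.1/24", "up"),
    "FastEthernet0/0": ("192.168.99.1/24", "down"),  # constructed, shut down
}

# (assumption) simplified RIB as (prefix, next hop); the post's first traceroute
# shows 4.4.4.4 normally leaving towards R3 at 172.12.123.3.
RIB = [
    ("4.4.4.4/32",      "172.12.123.3"),
    ("172.12.123.0/24", "connected"),
    ("172.12.34.0/24",  "172.12.123.3"),
]

# access-list 105 from the post: (action, source, destination)
ACL_105 = [
    ("permit", "10.20.30.40/32", "4.4.4.4/32"),
    ("permit", "40.30.20.10/32", "4.4.4.4/32"),
]

# route-map LocalNextHop permit 10 / match ip address 105 / set ip next-hop 172.12.123.2
ROUTE_MAP_LOCALNEXTHOP = [
    {"seq": 10, "action": "permit", "match_acl": ACL_105, "next_hop": "172.12.123.2"},
]


def source_on_up_interface(src):
    """Mirror the check behind '% Invalid source address- IP address not on any
    of our up interfaces': the exact address must be configured on an interface
    whose line protocol is up (merely being inside a connected subnet is not enough)."""
    src = ipaddress.ip_address(src)
    return any(ipaddress.ip_interface(addr).ip == src and state == "up"
               for addr, state in INTERFACES.values())


def acl_action(acl, src, dst):
    """First matching ACE wins; no match at all means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action
    return "deny"


def policy_next_hop(route_map, src, dst):
    """Return the next hop set by the first route-map sequence whose ACL permits
    the packet. A matching 'deny' sequence, or no match in any sequence, means
    the packet is routed normally (returned as None)."""
    for entry in route_map:
        if acl_action(entry["match_acl"], src, dst) == "permit":
            return entry["next_hop"] if entry["action"] == "permit" else None
    return None


def rib_next_hop(dst):
    """Longest-prefix match over the constructed RIB."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in RIB:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward_locally_generated(src, dst):
    """Decide where R1 sends a packet it generated itself (an extended traceroute):
    source validation first, then 'ip local policy', then the routing table."""
    if not source_on_up_interface(src):
        return {"error": "% Invalid source address- IP address not on any of our up interfaces"}
    nh = policy_next_hop(ROUTE_MAP_LOCALNEXTHOP, src, dst)
    if nh is not None:
        return {"next_hop": nh, "via": "ip local policy route-map LocalNextHop"}
    return {"next_hop": rib_next_hop(dst), "via": "routing table"}


if __name__ == "__main__":
    for src in ("40.30.20.10", "1.1.1.1", "10.20.30.41", "192.168.99.1"):
        print(src, "->", forward_locally_generated(src, "4.4.4.4"))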

And to test it out, we will use our new friend extended traceroute:

R1#traceroute 4.4.4.4 source 40.30.20.10

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.2 32 msec 32 msec 32 msec
  2 172.12.123.1 25 msec 24 msec 24 msec
  3 172.12.123.3 56 msec 56 msec 56 msec
  4 172.12.34.4 56 msec *  52 msec
R1#traceroute 4.4.4.4 source 1.1.1.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.3 33 msec 32 msec 32 msec
  2 172.12.34.4 32 msec *  32 msec
R1#

The first trace is sourced from one of the IP addresses called out in the ACL, the second from our lo1, to show not only the sub-optimal routing (how to fix it is described in the last post), but that traffic from the ACL addresses does in fact attempt to go via R2 because of the Local Policy Routing, whereas 1.1.1.1 goes right to R3.

As mentioned, how to overcome the sub-optimal routing you see in the first trace is picked apart in detail in my last post, so please read up on why PBR is not one-and-done on a single router, as it is taught in the video courses I am watching.

Just a couple more points on Local Policy Routing to wrap this up:

  • Local Policy Routing will not affect any other Policy Routing assigned to interfaces
  • Local Policy Route-maps must be named differently than any existing route-maps currently configured on the router

So basically for local policy routing, you just need to remember the global command to apply it, and off to the races you go. I will be doing one more freestyle lab with PBR to see its limitations, since you learn things in the lab that my training materials did not mention, like that error we saw saying the source needs to be on an “Up” interface on the router.

So I invite you, or future me, to check out the next post of just messing around with PBR in general to see what we can break and fix, and then it is onward to VPNs. See ya!