Policy Based Routing

Scenario:

After getting rid of the ring that ruled them all, things have changed in Middle Earth. The hobbits have become network engineers and are interconnecting every creature in their fantasy world. OSPF is the routing protocol of choice, but the hobbits have some problems since all traffic is sent down the same path. Do you think you can help them out by teaching them Policy Based Routing?

Goal:

  • All IP addresses have been preconfigured for you.
  • OSPF has been preconfigured for you for full connectivity.
  • Do not make any changes to OSPF.
  • Make changes on router Bilbo so traffic from 1.1.1.0 towards router Meriadoc is sent down the serial link.
  • Make changes on router Bilbo so traffic from 192.168.12.1 towards 33.33.33.33 is sent down the serial link.
  • Make changes on router Bilbo so packets that are greater than 200 bytes are sent down the serial link.
  • Make changes on router Bilbo so traffic from 192.168.12.2 towards 3.3.3.3 is sent down the serial link.

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

[Topology diagram: Policy Based Routing]

Video Solution:

Written by René Molenaar - CCIE #41726

Comments

  1. Alex says

    Hi,
    For:
    Make changes on router Bilbo so traffic from 192.168.12.2 towards 3.3.3.3 are sent down the serial link:

    Where can I apply the policy route-map on BILBO so it can take effect?
    Thanks.

  2. WiscBrad says

    In response to Rene and Alex.

    Packets generated by the router are not policy routed. If you want to policy route traffic generated by the router, you must enable it. To enable local PBR, use the following global configuration command.

    ‘ip local policy route-map’

    • Rene Molenaar says

      Thanks for sharing this, this is important to keep in mind in case you test things.

      There’s a big difference between traffic that flows "through" the router and traffic "generated" by the router itself and how the router deals with it. Traffic generated by the router is indeed not policy-routed so you need that command :)

      Same thing applies to access-lists btw, traffic generated by your own router will not hit your access-lists on your interfaces.

  3. Ryan says

    I don’t know how you recommend going about mastering these labs, but I find them very useful to have the video running, and to pause before you give an answer to exhaust every way I think something could be done prior to following your lead. I found this lab excellent. I’ve been working through 5-6 labs/day along with other studies.

    • Rene Molenaar says

      I believe this is a good way to "master" the labs. If you just watch the video you might get a good understanding but it’s MUCH better when you try to wrap your head around it yourself. If you struggle on a topic and finally finish it you’ll learn a valuable lesson and it will be easier to remember.

      Watching the video and pausing it, doing the lab step-by-step is a good idea because it will prevent you from going down a rabbit hole that might not exist :)

      Have fun!

  4. Wesley says

    I cannot get past the first step. For some reason it keeps inserting 2 IP addresses for the next hop even though I only enter one IP:

    Bilbo#sho route-map
    route-map ONE, permit, sequence 10
    Match clauses:
    ip address (access-lists): 1
    Set clauses:
    ip next-hop 192.168.24.2 192.168.24.4
    Policy routing matches: 21 packets, 1260 bytes

    Bilbo#sho access-lists
    Standard IP access list 1
    10 permit 1.1.1.0, wildcard bits 0.0.0.255 (78 matches)

    As a result the policy tries to push traffic to .2 which then drops it. I cannot see when I am going wrong.

    *Mar 1 00:51:06.179: IP: s=1.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 28, policy match
    *Mar 1 00:51:06.179: IP: route map ONE, item 10, permit
    *Mar 1 00:51:06.179: IP: s=1.1.1.1 (FastEthernet0/0), d=3.3.3.3 (Serial2/0), len 28, policy routed
    *Mar 1 00:51:06.183: IP: FastEthernet0/0 to Serial2/0 192.168.24.2
    Bilbo(config)#

    Bilbo#show run int fa0/0
    Building configuration…

    Current configuration : 122 bytes
    !
    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip policy route-map ONE
    duplex auto
    speed auto

    Bilbo#sho ver
    Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(16a), RELEASE SOFTWARE (fc2)

  5. Risaaq says

    I am getting this error and I don’t see where I made the mistake.

    Mar 1 00:03:08.795: IP: s=192.168.12.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) – normal forwarding.

    I see that the source is wrong, but see my configuration; I did the same as you did in the video.

    Can you please point out where I made the mistake? Here is my config:

    interface Loopback0
    ip address 2.2.2.2 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip policy route-map Name
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.23.2 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial2/0
    ip address 192.168.24.2 255.255.255.0
    serial restart-delay 0
    !
    interface Serial2/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial2/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial2/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    router ospf 1
    log-adjacency-changes
    network 0.0.0.0 255.255.255.255 area 0
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
    !
    route-map Name permit 15
    match ip address 101
    set ip next-hop 192.168.24.4
    !
    !
    !
    control-plane

    • Druva says

      Hi Risaaq

      Mar 1 00:03:08.795: IP: s=192.168.12.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) – normal forwarding.

      access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

      Correct your access-list:

      access-list 101 permit ip 192.168.12.0 0.0.0.255 3.3.3.0 0.0.0.255
      or
      access-list 101 permit ip host 192.168.12.1 3.3.3.0 0.0.0.255

    • Ahmed Eldrieny says

      Your configuration is correct, no need to change anything.

      But when you ping from Frodo, ping like this:
      Frodo(config)#do ping 3.3.3.3 so l0
      because here you specified your pings from source l0, which is 1.1.1.1,
      but in normal pings
      it will be specified from int f0/0 of router Frodo.

      Anyway, you are correct, just specify the source.

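The two points raised in the comments above (interface PBR only sees transit traffic, and the ACL has to match the packet's real source) can be checked with a small Python model. This is an added example, not code from the original page or its author; it is a simplification of IOS behaviour, and the function names, ACL 102 and the locally generated packet are assumptions made for illustration.

```python
import ipaddress
import re

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard masks are inverted: a 1 bit means "don't care".
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_ace(line):
    """Parse 'access-list N permit ip SRC DST'; SRC/DST are 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD' (subset of IOS syntax, no options)."""
    tok, sides = line.split()[4:], []
    while tok:
        if tok[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255")); tok = tok[1:]
        elif tok[0] == "host":
            sides.append((tok[1], "0.0.0.0")); tok = tok[2:]
        else:
            sides.append((tok[0], tok[1])); tok = tok[2:]
    return sides  # [(src, src_wildcard), (dst, dst_wildcard)]

def parse_debug(line):
    """Pull source, ingress interface and destination out of a policy debug line."""
    src, in_if, dst = re.search(r"s=([\d.]+) \(([^)]+)\), d=([\d.]+)", line).groups()
    return {"src": src, "dst": dst, "in_if": in_if}

def pbr_next_hop(pkt, ace, next_hop, policy_if, local_policy=False):
    """Return next_hop if the packet is policy routed, None for normal forwarding."""
    if pkt["in_if"] is None:                 # generated by the router itself
        applies = local_policy               # only with 'ip local policy route-map'
    else:                                    # transit traffic
        applies = pkt["in_if"] == policy_if  # 'ip policy route-map' on ingress
    (s, sw), (d, dw) = parse_ace(ace)
    hit = wildcard_match(pkt["src"], s, sw) and wildcard_match(pkt["dst"], d, dw)
    return next_hop if applies and hit else None

# Debug line and ACL entries taken from the comments above (timestamp dropped).
DEBUG = "IP: s=192.168.12.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match)"
ACL_POSTED = "access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255"
ACL_HOST = "access-list 101 permit ip host 192.168.12.1 3.3.3.0 0.0.0.255"
# Constructed for this example: a packet Bilbo originates, and an ACL for it.
LOCAL_PKT = {"src": "192.168.12.2", "dst": "3.3.3.3", "in_if": None}
ACL_LOCAL = "access-list 102 permit ip host 192.168.12.2 host 3.3.3.3"

if __name__ == "__main__":
    pkt, fa, nh = parse_debug(DEBUG), "FastEthernet0/0", "192.168.24.4"
    print(pbr_next_hop(pkt, ACL_POSTED, nh, fa))                       # plain ping
    print(pbr_next_hop(dict(pkt, src="1.1.1.1"), ACL_POSTED, nh, fa))  # ping sourced from lo0
    print(pbr_next_hop(pkt, ACL_HOST, nh, fa))
    print(pbr_next_hop(LOCAL_PKT, ACL_LOCAL, nh, fa))
    print(pbr_next_hop(LOCAL_PKT, ACL_LOCAL, nh, fa, local_policy=True))
```
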
  6. Keith says

    I’m noticing a number of these labs state they are pre configured (ip addresses, routing protocols, interfaces etc) and most of them are missing incorrect information of the start up config. Are you going to update these labs or will I be better off configuring the entire lab myself?

  7. aule says

    I love doing labs here!
    "After getting rid of the ring that ruled them all things have changed in Middle Earth. The hobbits have become network engineers"
    :D HAHAH! That’s just awesome.

  8. diego says

    I don’t understand what is wrong.

    Bilbo#sh ip access 100
    Extended IP access list 100
    10 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255 log
    Bilbo#sh rou
    route-map questao1, permit, sequence 10
    Match clauses:
    ip address (access-lists): 100
    Set clauses:
    ip next-hop 192.168.24.4
    Policy routing matches: 0 packets, 0 bytes
    Bilbo#sh ip policy
    Interface Route map
    Fa0/0 questao1
    Bilbo#

    Everything is OK with the configuration, but the route-map debug says:
    Bilbo#

    *Mar 1 00:27:21.627: IP: s=1.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) – normal forwarding

    R1 never gets the right route.

    Is it a bug?

  9. Roovin says

    Even I have the same problem; even though it matches my ACL, traffic is not routing through the defined next-hop.

    ip access-list extended Redirect
    permit ip host 1.1.1.1 host 33.33.33.33 log
    !
    route-map SetNextHop permit 10
    match ip address Redirect
    set ip next-hop 192.168.24.4

    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip policy route-map SetNextHop

    ########################################
    Frodo#traceroute 33.33.33.33 source 1.1.1.1

    Type escape sequence to abort.
    Tracing the route to 33.33.33.33

    1 192.168.12.2 20 msec 20 msec 20 msec
    2 192.168.23.3 44 msec 36 msec 44 msec
    3 192.168.35.5 40 msec * 80 msec
    ########################################

    *Mar 1 00:38:46.243: IP: s=1.1.1.1 (FastEthernet0/0), d=33.33.33.33, len 28, FIB policy rejected(no match) – normal forwarding
    Bilbo#
    *Mar 1 00:38:49.231: IP: s=1.1.1.1 (FastEthernet0/0), d=33.33.33.33, len 28, FIB policy rejected(no match) – normal forwarding

  10. Roovin says

    Bizarre

    I see hits on ACL but not PBR

    Extended IP access list 102
    10 permit ip 1.1.1.0 0.0.0.255 any log (3 matches)

    route-map redirect, permit, sequence 10
    Match clauses:
    ip address (access-lists): 102
    Set clauses:
    ip next-hop 192.168.24.4
    Policy routing matches: 0 packets, 0 bytes

  11. Josh says

    roovind wrote:

        Bizarre

        I see hits on ACL but not PBR

        Extended IP access list 102
        10 permit ip 1.1.1.0 0.0.0.255 any log (3 matches)

    I think the issue is the log option at the end of your access-list. It looks like this is writing the match to your sys log, as opposed to actually permitting the traffic for your route-map. Try it without the log option.

    This lab worked perfectly for me.

    • Richard says

      Many thanks for leaving this comment, Josh.

      I have been working on this for a few hours. I first tried it with “log-input”, then “log”, neither would work. Cut & paste from Rene’s configs, worked fine. Could not understand. It works without the “log” option. No idea why.
