Monday, December 12, 2011

POLICY BASED ROUTING OVERVIEW + LAB (ISSUE WITH LAB STILL UNRESOLVED)


PBR

  • Normal routing is destination based: the router looks up only the destination address in the routing table (RIB).
  • Policy routing can make the forwarding decision on criteria other than destination alone. Source address, destination address, protocol type, incoming interface, application (port) or packet size can all decide how a packet is routed.
  • Policy based routing is a manual process configured by an admin. One disadvantage is that because of this it is not very scalable. A lot of platforms also do not support it in hardware.
  • We need to be careful that we understand the entire topology before making the change, as we are overriding the router's selected path with our own. Routing protocol paths are chosen to be loop free; a policy routed path gets no such check.
  • Some versions, depending on platform, support route caching: the first packet of a flow goes through the full policy lookup, then a cache entry is kept and used for the rest of that flow.
  • Policy routing can be applied on an incoming interface (transit traffic) or globally for locally generated traffic.
  • In previous versions you needed to be careful with locally generated traffic. For example, if you had a default match-any in your route map and set a particular outgoing interface, this could also catch locally generated routing updates and force them out one interface when they should go out every interface running the protocol, effectively breaking the control plane routing process. In newer IOS versions routing protocol traffic is out of scope for local PBR; it applies to traffic such as ICMP, SSH and SNMP.
  • We can use set ip next-hop or set ip default next-hop. The difference is that with set ip next-hop the packet is policy routed straight away, before any routing table lookup, while with set ip default next-hop the routing table lookup comes first and the packet is only policy routed if there is no explicit route for the destination (a default route does not count as an explicit route).

Commands

route-map PBR permit 10
 match ip address <acl-number-or-name>
 set ip next-hop <ip-address>
(or, to name an egress interface instead of an address: set interface <interface>)

To apply to an interface (transit traffic arriving on it):

interface <interface>
 ip policy route-map PBR

Or globally, for locally generated traffic:

ip local policy route-map PBR

Verification: show route-map PBR shows the match counters per sequence, and debug ip policy shows each policy routed packet.
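The decision order described in the overview (set ip next-hop is applied before the routing table is consulted; set ip default next-hop only applies when the RIB has no explicit route, a default route not counting) is easy to get backwards, so here is a small Python model of it. This is an added example, not code from the original post or from Cisco: the RIB, the ACL and the next-hop addresses are constructed sample data (they reuse the lab's 172.25.13.2 and 192.168.1.2 next hops only for readability), and the route-map and ACL structures are simplified stand-ins for the IOS ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp", "udp", ...


@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol, like IOS
    src: str = "0.0.0.0/0"   # "any"
    dst: str = "0.0.0.0/0"


@dataclass
class Sequence:
    """One route-map sequence: match ip address <acl> plus one set clause."""
    acl: list
    next_hop: Optional[str] = None          # set ip next-hop
    default_next_hop: Optional[str] = None  # set ip default next-hop


def acl_permits(acl, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    for e in acl:
        proto_ok = e.proto == "ip" or e.proto == pkt.proto
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(e.src)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(e.dst)
        if proto_ok and src_ok and dst_ok:
            return e.action == "permit"
    return False


def rib_lookup(rib, dst, allow_default=True):
    """Longest-prefix match over {prefix: next_hop}.  allow_default=False
    ignores 0.0.0.0/0, which is how 'set ip default next-hop' decides
    whether an explicit route exists."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if not allow_default and net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def forward(pkt, rib, route_map):
    """Return (next_hop, reason) for a packet arriving on an interface
    that has 'ip policy route-map' applied."""
    for seq in route_map:
        if not acl_permits(seq.acl, pkt):
            continue  # this sequence does not match; try the next one
        if seq.next_hop is not None:
            # Policy wins outright, the RIB is never consulted.
            return seq.next_hop, "policy: set ip next-hop"
        if seq.default_next_hop is not None:
            # RIB first; policy only if there is no explicit (non-default) route.
            rib_nh = rib_lookup(rib, pkt.dst, allow_default=False)
            if rib_nh is not None:
                return rib_nh, "rib: explicit route beats default next-hop"
            return seq.default_next_hop, "policy: set ip default next-hop"
        break  # matched but no set clause: fall back to normal routing
    nh = rib_lookup(rib, pkt.dst)
    if nh is None:
        return None, "drop: no route"
    return nh, "rib: no policy match"


# Constructed sample RIB (not the real lab table): everything via Po2 / 192.168.1.2.
RIB = {
    "0.0.0.0/0": "192.168.1.2",
    "5.5.5.5/32": "192.168.1.2",
    "10.228.254.0/24": "192.168.1.2",
}
ICMP_ACL = [AclEntry("permit", "icmp")]                      # access-list 101 permit icmp any any
PBR_NEXT_HOP = [Sequence(ICMP_ACL, next_hop="172.25.13.2")]  # set ip next-hop
PBR_DEFAULT = [Sequence(ICMP_ACL, default_next_hop="172.25.13.2")]  # set ip default next-hop

if __name__ == "__main__":
    for proto, dst in (("icmp", "5.5.5.5"), ("tcp", "5.5.5.5"), ("icmp", "8.8.8.8")):
        pkt = Packet("10.164.49.1", dst, proto)
        print(proto, dst, "next-hop:", forward(pkt, RIB, PBR_NEXT_HOP),
              "| default next-hop:", forward(pkt, RIB, PBR_DEFAULT))
```

Running it shows the asymmetry: ICMP to 5.5.5.5 is policy routed to 172.25.13.2 under set ip next-hop but follows the RIB to 192.168.1.2 under set ip default next-hop, because an explicit /32 exists; ICMP to a destination covered only by the default route is sent to 172.25.13.2 in both cases, and non-ICMP traffic never touches the policy.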


LAB




For this example I will use EIGRP to have full connectivity and set the route for sw2 to go through sw1 by default for all traffic; for ICMP traffic going to router 5 I will tell sw2 to go through the path via sw3.
I have set up all of them running EIGRP.
On sw4, on the interface going to sw3, I have turned on EIGRP passive interface.

switch2(config-router)#passive port-channel 1
switch2(config-router)#exit
01:41:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.25.13.2 (Port-channel1) is down: interface passive
switch2(config)#exit
switch2#s
01:41:12: %SYS-5-CONFIG_I: Configured from console by consol
This gives only one route in the routing table, via port channel 2 via s1.

switch2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     5.0.0.0/32 is subnetted, 1 subnets
D       5.5.5.5 [90/158720] via 192.168.1.2, 00:01:06, Port-channel2
     172.25.0.0/24 is subnetted, 2 subnets
C       172.25.13.0 is directly connected, Port-channel1
D       172.25.12.0 [90/33280] via 192.168.1.2, 00:01:06, Port-channel2
     10.0.0.0/24 is subnetted, 2 subnets
D       10.228.254.0 [90/30720] via 192.168.1.2, 00:57:31, Port-channel2
C       10.164.49.0 is directly connected, FastEthernet0/2
C    192.168.1.0/24 is directly connected, Port-channel
OK, so the first thing I am doing is configuring an access-list matching any ICMP traffic; then I create a route map which matches anything that gets through the access list, i.e. ICMP, and it will set the next hop to port channel 1, the IP address 172.25.13.2.
switch2(config)#access-list 101 permit icmp any any
switch2(config)#route-map PBR permit 10
switch2(config-route-map)#match ip address 101
switch2(config-route-map)#set ip next-hop 172.25.13.2
switch2(config-route-map)#exit

I got the following error when I tried to apply the PBR to the interface:
switch2(config)#int fa0/2
switch2(config-if)#ip policy ?
  route-map  Policy route map
switch2(config-if)#ip policy route-map PBR
switch2(config-if)#exi
02:10:58: %PLATFORM_PBR-4-SDM_MISMATCH: PBR requires sdm template routingt
switch2(config)#
switch2#
02:11:22: %SYS-5-CONFIG_I: Configured from console by console
switch2#


So I needed to enable SDM to prefer routing:
switch2(config)#SDM prefer rout
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
It applied OK then:
switch2(config)#
switch2(config)#int fa0/2
switch2(config-if)#ip policy route-map PBR
switch2(config-if)#
I put on debugging for policy routing on sw2:

switch2#debug ip policy
Policy routing debugging is on

OK, so for non-ICMP I tested with traceroute:
r2#traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
  1 10.164.49.2 4 msec 0 msec 4 msec
  2 192.168.1.2 0 msec 0 msec 4 msec
  3 10.228.254.2 0 msec 0 msec *
r2#
It is going the RIB way.
Then I sent a ping from r2; ICMP should go out port channel 1, next hop 172.25.13.2:

r2#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
But it doesn't: it did not show up on the debug policy routing or debug icmp. The route map is not incrementing. Not sure what the issue is here. I have put a permit ip any any in the access list along with the icmp any any. If I tracert it is policy routed; if I ping it does not increment any of the stats and there is no output from the debug. I have spent all of yesterday on it, disabling CEF using no ip route-cache; I set it up on different switches/routers in my topology and it was the same output. It is very strange. I have posted a question on a few forums. I am going to move ahead and come back to this; hopefully I will get a few replies and find a solution, but at the moment this issue is still open.
