Policy Based Routing CCNP Route Sim
Question:
Company Route.com has two links to the Internet. Company policy requires that web (HTTP) traffic be forwarded only over the Frame Relay link when it is available; all other traffic may use either link. No static or default routing is allowed.
Solution:
I have created the lab shown above in GNS3. BorderRouter and R1 run EIGRP in AS 11. I use a GNS3 cloud object to generate HTTP traffic: the e3/0 interface of BorderRouter is connected to the PC's NIC through the cloud, and the NIC is assigned the following IP address.
I also add a manual host route for 13.13.13.2 on the PC so that it can reach the internal router R1.
To do this, open Run\cmd (make sure you have administrator rights) and enter the following command.
route add 13.13.13.2 mask 255.255.255.255 14.14.14.1 -p
You can use the "route print" command to verify. In the testing section I show how I generate HTTP traffic through the GNS3 cloud.
GNS3 Configurations:
To provide connectivity between R1 and BorderRouter I use EIGRP. In the real exam you do not need to worry about the routing protocol; for this sim you only need to create the ACL and the route-map.
BorderRouter Configurations:
R3#config t
R3(config)#hostname Borderrouter
Borderrouter(config)#interface e3/0
Borderrouter(config-if)# ip address 14.14.14.1 255.255.255.0
Borderrouter(config-if)#no shut
Borderrouter(config)#interface s1/0
Borderrouter(config-if)# ip address 13.13.13.1 255.255.255.0
Borderrouter(config-if)#no shut
Borderrouter(config)#router eigrp 11
Borderrouter(config-router)#network 13.13.13.0 0.0.0.255
Borderrouter(config-router)#network 14.14.14.0 0.0.0.255
Borderrouter(config)#ip default-gateway 13.13.13.2
R1 Configurations:
R1#config t
R1(config)#interface s1/0
R1(config-if)# ip address 13.13.13.2 255.255.255.0
R1(config-if)#no shut
R1(config)#router eigrp 11
R1(config-router)# network 13.13.13.0 0.0.0.255
Configurations that you need in the real exam:
First you need to create an access-list that matches all HTTP traffic.
BorderRouter(config)#access-list 111 permit tcp any any eq www
Secondly you need to create a route-map that sends that traffic through the Frame Relay interface.
BorderRouter(config)#route-map blockftp permit 10
BorderRouter(config-route-map)#match ip address 111
BorderRouter(config-route-map)#set ip next-hop 13.13.13.2
BorderRouter(config-route-map)#exit
BorderRouter(config)#route-map blockftp permit 20
(Note: blockftp is just the name of the route-map; you can use any name. The route-map blockftp permit 20 line allows traffic other than HTTP to be routed. Otherwise, other traffic will be dropped.)
Thirdly, apply the route-map to the interface facing the server in the EIGRP network:
BorderRouter(config-route-map)#exit
BorderRouter(config)#int e3/0
BorderRouter(config-if)#ip policy route-map blockftp
BorderRouter(config-if)#exit
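To make the three steps above concrete, here is an added example (my own illustration, not Cisco code and not part of the original post) that models how a router walks a policy route-map: sequence 10 matches access-list 111 (TCP to port 80) and sets the next hop to 13.13.13.2, while sequence 20 has no match clause and therefore matches everything else. It also models two alternative endings for sequence 20 that come up in the discussion of this lab: a `set interface Null0` entry that drops non-HTTP traffic, and no sequence 20 at all, in which case IOS forwards unmatched packets through the normal routing table. The Packet, AclEntry, RouteMapEntry and Router types, the sample addresses and the result strings ("next-hop ...", "normal", "drop") are assumptions made for illustration.

```python
"""Toy model of how IOS evaluates a route-map for policy-based routing.

Added example for the PBR lab; not Cisco code and not part of the original
post. The data types and the result strings are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 when not applicable


@dataclass
class AclEntry:
    """One line of a numbered extended ACL, e.g. 'permit tcp any any eq www'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str = "0.0.0.0/0"     # "any"
    dst: str = "0.0.0.0/0"     # "any"
    eq: Optional[int] = None   # destination port of an "eq" clause

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.eq is None or self.eq == pkt.dport


@dataclass
class RouteMapEntry:
    seq: int
    action: str = "permit"
    match_acl: Optional[int] = None      # None = no match clause = matches everything
    set_next_hop: Optional[str] = None
    set_interface: Optional[str] = None  # "Null0" drops the packet
    matches: int = 0                     # mirrors the "Policy routing matches" counter


class Router:
    def __init__(self) -> None:
        self.acls: dict[int, list[AclEntry]] = {}
        self.route_map: list[RouteMapEntry] = []

    def acl_permits(self, number: int, pkt: Packet) -> bool:
        for entry in self.acls.get(number, []):
            if entry.matches(pkt):
                return entry.action == "permit"
        return False  # implicit deny at the end of every IOS ACL

    def policy_route(self, pkt: Packet) -> str:
        """Return where PBR sends the packet: 'next-hop X', 'drop' or 'normal'."""
        for entry in sorted(self.route_map, key=lambda e: e.seq):
            if entry.match_acl is not None and not self.acl_permits(entry.match_acl, pkt):
                continue
            entry.matches += 1
            if entry.action == "deny":
                return "normal"       # deny entry: policy routing is not applied
            if entry.set_interface == "Null0":
                return "drop"
            if entry.set_next_hop:
                return f"next-hop {entry.set_next_hop}"
            return "normal"           # permit entry with no set clause
        return "normal"               # fell off the end of the route-map


def build_lab_router(seq20: str = "permit") -> Router:
    """Build the BorderRouter PBR config from the lab.

    seq20 selects the trailing entry: "permit" (as in the lab), "null0"
    (drop everything that is not HTTP) or "absent" (no sequence 20 at all).
    """
    r = Router()
    r.acls[111] = [AclEntry("permit", "tcp", eq=80)]   # access-list 111 permit tcp any any eq www
    r.route_map.append(RouteMapEntry(10, match_acl=111, set_next_hop="13.13.13.2"))
    if seq20 == "permit":
        r.route_map.append(RouteMapEntry(20))
    elif seq20 == "null0":
        r.route_map.append(RouteMapEntry(20, set_interface="Null0"))
    return r


if __name__ == "__main__":
    # Constructed test traffic from the host behind e3/0 (addresses are made up).
    http = Packet("14.14.14.2", "203.0.113.10", "tcp", 80)
    https = Packet("14.14.14.2", "203.0.113.10", "tcp", 443)
    for variant in ("permit", "null0", "absent"):
        r = build_lab_router(variant)
        print(variant, "HTTP ->", r.policy_route(http), "| HTTPS ->", r.policy_route(https))
```

Running it shows the point of the lab in one place: only TCP/80 is steered to 13.13.13.2, everything else uses the normal routing table whether sequence 20 is present or not, and only an explicit `set interface Null0` turns the route-map into a drop filter.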
Testing and Verification:
In the real exam there is a "Host for Testing"; click on it, then click the "Generate HTTP traffic" button to generate some HTTP packets. Jump back to BorderRouter and type the command "show route-map".
BorderRouter#show route-map
You will see that 9 packets matched, which verifies that your configuration is correct.
Testing in GNS3:
To test your configuration in GNS3, just type "http://13.13.13.2" in a web browser. The result will be "cannot find this page", but the attempt sends some HTTP packets towards the Frame Relay ISP.
Now type the command “show route-map”.
BorderRouter#show route-map
You will see the packet matches.
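When checking "show route-map" output, the useful questions are whether sequence 10 really matches access-list 111, whether it sets the expected next hop, and whether the counters show HTTP traffic hitting sequence 10 rather than all falling through to sequence 20. The following added example (my own code, not part of the original post) parses the output into a structure and runs those checks; the two samples are constructed in the format IOS prints for this lab, with made-up counters, and the parse_show_route_map and check_lab function names are my own.

```python
"""Parse 'show route-map' output and sanity-check the PBR lab configuration.

Added example, not part of the original post. The sample output below is
constructed (counter values are made up); the function names are my own.
"""
import re

# Constructed sample: the lab working as intended (9 HTTP packets on sequence 10).
SAMPLE_OK = """\
route-map blockftp, permit, sequence 10
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    ip next-hop 13.13.13.2
  Policy routing matches: 9 packets, 540 bytes
route-map blockftp, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 279 packets, 26100 bytes
"""

# Constructed sample: every packet falls through to sequence 20.
SAMPLE_ALL_SEQ20 = """\
route-map blockftp, permit, sequence 10
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    ip next-hop 13.13.13.2
  Policy routing matches: 0 packets, 0 bytes
route-map blockftp, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 279 packets, 26100 bytes
"""

HEADER = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)\s*$")
COUNTER = re.compile(r"^\s*Policy routing matches: (\d+) packets, (\d+) bytes\s*$")


def parse_show_route_map(text: str) -> list[dict]:
    """Return one dict per route-map entry with its match/set clauses and counters."""
    entries: list[dict] = []
    current = None
    section = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"name": m.group(1), "action": m.group(2), "seq": int(m.group(3)),
                       "match": [], "set": [], "packets": 0, "bytes": 0}
            entries.append(current)
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "Match clauses:":
            section = "match"
            continue
        if stripped == "Set clauses:":
            section = "set"
            continue
        m = COUNTER.match(line)
        if m:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
            section = None
            continue
        if section and stripped:
            current[section].append(stripped)
    return entries


def check_lab(entries: list[dict], acl: str = "111", next_hop: str = "13.13.13.2") -> list[str]:
    """Compare parsed output with what the lab expects; an empty list means it checks out."""
    findings: list[str] = []
    by_seq = {e["seq"]: e for e in entries}
    ten = by_seq.get(10)
    if ten is None:
        return ["route-map entry sequence 10 is missing"]
    if f"ip address (access-lists): {acl}" not in ten["match"]:
        findings.append(f"sequence 10 does not match access-list {acl}")
    if f"ip next-hop {next_hop}" not in ten["set"]:
        findings.append(f"sequence 10 does not set next-hop {next_hop}")
    twenty = by_seq.get(20)
    if ten["packets"] == 0:
        if twenty is not None and twenty["packets"] > 0:
            findings.append("all traffic is falling through to sequence 20: "
                            "the test traffic is not TCP/80, or the ACL is wrong")
        else:
            findings.append("sequence 10 has counted no packets; generate HTTP traffic and re-check")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("all-seq20", SAMPLE_ALL_SEQ20)):
        print(label, check_lab(parse_show_route_map(sample)) or "PBR config checks out")
```

The second sample reproduces the symptom where only sequence 20 counts packets: the route-map itself is fine, so the check points at the test traffic or the ACL rather than at the route-map.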
thank you man, i am feeling difficulty in generating HTTP traffic in gns3 .. your web helps me a lot...
Nice job, thanks 4 posting lab ...
many thanks..
Hi, what router should I use for an e3 port? Also, how should I configure the cloud?
you can use any router with an ethernet port/module...
Hi, sorry I'm still not able to get it to work, I'm actually not able to ping from the Border Router to the host IP address, any pointers? Is it necessary to have the NIC connected to the modem or what else could be wrong? I'm using this image c2691-advipservicesk9-mz.124-25d.image
it's not necessary for the NIC to be connected to the modem, but make sure your NIC is up and running... make sure you have configured the cloud correctly.. for help visit cloud configuration on gns3
All packets are going to sequence 20, any idea why?
route-map blockftp, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 279 packets, 26100 bytes
can you please share your route-map configuration for sequence 20. i think there is some issue with your configs..
getting 0 packets 0 bytes, tried your configuration, did not help
surely you are missing some configurations.
Could you pls tell which is the R1 router in the topology?
R1 is the router on the left with the serial link connected to the border router.
duhhhh.. you can just use ip sla monitor and generate http traffic from a router itself. who needs windows.. just overhead on the cpu..
BorderRouter#access-list 111 permit tcp any any eq www
should be
BorderRouter(config)#access-list 111 permit tcp any any eq www
instead of route-map blockftp permit 10 can we use route-map permit pbr 10?
Can you explain what the difference is?
Very very useful, APPRECIATED!!!
THANK YOU FOR ALL THESE LABS AND GUIDES.....nice work!
Nice blog, but there is a wrong config in the R1, one line is missing, without that the neighbor relationship will not be formed between r1 and the border router, the router eigrp 111 command is missing
thank you, the missing command is added now, but in the next line there was a network command so it is understood that you need the router eigrp 111 command before the network command.
Hi bro... just to let you know this: If the packets do not meet any of the defined match criteria (that is, if the packets fall off the end of a route map), then those packets are routed through the normal destination-based routing process. If it is desired not to revert to normal forwarding and to drop the packets that do not match the specified criteria, then interface Null 0 should be specified as the last interface in the list by using the set clause.
So the last command you entered: BorderRouter(config)#route-map blockftp permit 20
it is not necessary at all :)
Cheers!!!
Why is the route-map named blockftp? It should rather be http_traffic.
you can use a router instead of the cloud and use this command to generate http traffic
BorderRouter#telnet 13.13.13.2 www
Very useful. Thanks for sharing these labs
For those who do not want to mess around with the virtual hosts or NIC settings on the host machine, you can simply toss in another router, connecting to the two routers on the left, routing the entire routing table through EIGRP, and then using the "test network" router to telnet to that router.
For example, I connected a router, with a loopback IP of 20.20.20.1/32, to the routers on the left. I then distributed all the routes through all routers using EIGRP. I then set a variance of 2 on the router connecting to the "Test network". If that works, you should be able to ping the 20.20.20.1 IP from the router designated as the "test network" and see 2 routes on the connecting router.
Setting the route map on that router and generating traffic from the router in the "test network" should show hits on the route-map. Hope that helps. It's a little bit more involved than this particular lab, but we should all be doing more work anyway to make sure we get the concepts down, right?
@ Anonymous from FEB 13 2013 (I know it's old but it wasn't answered)
I think they use the name blockftp to show you that you can use any name you want. I used ' route-map block-www permit 10 '. It doesn't matter what name you use but you have to use a name. That way you reference it for line 20, 30 or however many lines you need, and that's how you reference it at the interface: ' ip policy route-map block-www ' (or whatever you named it)