Just a small lab taking a closer look at how policy-based routing works.
- Configure a default-route on R3 towards R1s local interface (Gi1.13)
- Configure a default-route on R4 & R6 towards R1s local interface (Gi1.146)
- Configure a default-route on R5 towards R1s DMVPN-interface (Tu0)
- Configure static routes thru the DMVPN-cloud on R3 for R5’s Lo0, and vice versa on R5 for R3’s lo0
- Configure policy-routing on R1 so that traffic sourced from R4s G1.146 is routed to R3 over Gi1.13
- Configure policy-routing on R1 so that traffic sourced from R6s Gi1.146 is routed to R5 over DMVPN
Let’s start with the basic static routes first:
! 1-1 R3 ip route 0.0.0.0 0.0.0.0 Gi1.13 220.127.116.11 ! 2-1 R4 & R6 ip route 0.0.0.0 0.0.0.0 Gi1.146 18.104.22.168 ! 3-1 R5 ip route 0.0.0.0 0.0.0.0 Tu0 22.214.171.124 ! 4-1 ! R3 ip route 126.96.36.199 255.255.255.255 Tu0 188.8.131.52 ! R5 ip route 184.108.40.206 255.255.255.255 Tu0 220.127.116.11
That should be all the routing we need to start with. Notice however that R1 doesn’t have a clue what to do with the packets trying to reach loopbacks and will instead timeout.
R1#sh ip route static Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is not set R1#
We’ll solve this problem by using policy-based routing and manually setting next-hop ip-address depending on source address instead. First we need access-lists to separate traffic coming from R4 and R6.
ip access-list extended SRC-R4 10 permit ip host 18.104.22.168 any ip access-list extended SRC-R6 10 permit ip host 22.214.171.124 any
Next step is to use a route-map to manually set the next-hop address depending on which ACL matches.
route-map PBR_LAB permit 10
match ip address SRC-R4 set ip next-hop 126.96.36.199 route-map PBR_LAB permit 20 match ip address SRC-R6 set ip next-hop 188.8.131.52
Last step is to activate policy-based routing on our incoming interface, in this case R1s Gi1.146.
interface Gi1.146 ip policy route-map PBR_LAB
All done! To verify that traffic is routed correctly we can use traceroute.
R4#ping 184.108.40.206 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms R4#traceroute 18.104.22.168 Type escape sequence to abort. Tracing the route to 22.214.171.124 VRF info: (vrf in name/id, vrf out name/id) 1 126.96.36.199 5 msec 4 msec 4 msec 2 188.8.131.52 4 msec * 3 msec R6#ping 184.108.40.206 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/27 ms R6#traceroute 18.104.22.168 Type escape sequence to abort. Tracing the route to 22.214.171.124 VRF info: (vrf in name/id, vrf out name/id) 1 126.96.36.199 5 msec 5 msec 4 msec 2 188.8.131.52 5 msec R1#sh route-map route-map PBR_LAB, permit, sequence 10 Match clauses: ip address (access-lists): SRC-R4 Set clauses: ip next-hop 184.108.40.206 Policy routing matches: 20 packets, 1280 bytes route-map PBR_LAB, permit, sequence 20 Match clauses: ip address (access-lists): SRC-R6 Set clauses: ip next-hop 220.127.116.11 Policy routing matches: 14 packets, 1004 bytes
If we however change the source-address in either R4 or R6 our access-list in R1 will no longer match, so packets will just timeout instead.
R6#ping 18.104.22.168 source lo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds: Packet sent with a source address of 126.96.36.199 ..... Success rate is 0 percent (0/5)
For more information how to configure policy-based routing I managed to find the section in CiscoDoc at:
Configuration Guides -> IP Routing: Protocol-Independent Configuration Guide – > Policy-based Routing