Policy Based Routing Sim

February 8th, 2015 in Lab Sim, LabSim

Question

Company TUT has two links to the Internet. The company policy requires that web traffic be forwarded only to the Frame Relay link if it is available; other traffic can go through any link. No static or default routing is allowed.

[Figure: BGP_Policy_Based_Routing_Sim.jpg]

Answer and Explanation:

Notice: The answer and explanation below are from PeterPan and Helper. Please say thanks to them!

All the HTTP traffic from the EIGRP Network should go through the Frame Relay link if it is available, and all other traffic can go through either link.
The only router you can administer is the Border Router; from the EIGRP Network you can only send HTTP traffic. As other people have mentioned, this is not actually a BGP lab: you are not able to execute the command “router bgp 65001”.

1) Access list that catches the HTTP traffic:
BorderRouter(config)#access-list 101 permit tcp any any eq www

Note that the server was not directly connected to the Border Router. There were a lot of EIGRP routes on it. In the real exam you do not know the exact IP address of the server in the EIGRP network so we have to use the source as “any” to catch all the source addresses.

2) Route map that sets the next hop address to be ISP1 and permits the rest of the traffic:
BorderRouter(config)#route-map pbr permit 10
BorderRouter(config-route-map)#match ip address 101
BorderRouter(config-route-map)#set ip next-hop 10.1.101.1
BorderRouter(config-route-map)#exit

(Update: We don’t need the last command route-map pbr permit 20 to permit other traffic according to Cisco:

“If the packets do not meet any of the defined match criteria (that is, if the packets fall off the end of a route map), then those packets are routed through the normal destination-based routing process. If it is desired not to revert to normal forwarding and to drop the packets that do not match the specified criteria, then interface Null 0 should be specified as the last interface in the list by using the set clause.”

Reference: http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml)

Note: We don’t need to use IP SLA to track the next-hop IP address because the “set ip next-hop” command already does this. From this link: https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html
“The set ip next-hop command verifies the existence of the next hop specified, and…
+ If the next hop exists in the routing table, then the command policy routes the packet to the next hop.
+ If the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.”
So if the next hop 10.1.101.1 goes down, PBR will use the normal routing table.

3) Apply the route-map on the interface to the server in the EIGRP Network:
BorderRouter(config)#int fa0/0
BorderRouter(config-if)#ip policy route-map pbr
BorderRouter(config-if)#exit
BorderRouter(config)#exit

4) There is a “Host for Testing”, click on this host to open a box in which there is a button named “Generate HTTP traffic”. Click on this button to generate some packets for HTTP traffic. Jump back to the BorderRouter and type the command “show route-map”.

BorderRouter#show route-map

In the output you will see the line “Policy routing matches: 9 packets…”. It means that the route-map we configured is working properly.
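
The evaluation rules quoted from Cisco above, as an added Python model (not code from the original page, its contributors or Cisco). The names `Clause`, `policy_route` and the `reachable` set are assumptions of this sketch, and it goes slightly beyond the sim by also handling deny clauses and ordered next-hop lists.

```python
# Added example: a simplified model of IOS policy-routing decisions.
# Assumption: "reachable" stands in for "next hop exists in the routing table".
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, if any


@dataclass
class Clause:
    seq: int
    action: str                                         # "permit" or "deny"
    match: Optional[Callable[[Packet], bool]] = None    # None: no match clause
    next_hops: List[str] = field(default_factory=list)  # set ip next-hop ...


def acl_101(pkt: Packet) -> bool:
    """access-list 101 permit tcp any any eq www"""
    return pkt.proto == "tcp" and pkt.dport == 80


def policy_route(route_map: Iterable[Clause], pkt: Packet,
                 reachable: Set[str]) -> Tuple[str, Optional[str]]:
    """Return ("policy", next_hop) or ("normal", None) for one packet."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        # A clause without a match statement matches every packet.
        if clause.match is not None and not clause.match(pkt):
            continue
        if clause.action == "deny":
            # Matched by a deny clause: hand over to destination-based routing.
            return ("normal", None)
        # Permit: use the first listed next hop that is currently usable.
        for hop in clause.next_hops:
            if hop in reachable:
                return ("policy", hop)
        # No set clause, or every next hop is gone: normal routing table.
        return ("normal", None)
    # Fell off the end of the route map: normal routing, not a drop.
    return ("normal", None)


# route-map pbr from the page: one permit clause, no "permit 20".
PBR = [Clause(10, "permit", acl_101, ["10.1.101.1"])]

HTTP = Packet("tcp", 80)
PING = Packet("icmp")
BOTH_UP = {"10.1.101.1", "10.1.102.1"}   # constructed link states
FR_DOWN = {"10.1.102.1"}

if __name__ == "__main__":
    for label, pkt, links in [("http, FR up", HTTP, BOTH_UP),
                              ("ping, FR up", PING, BOTH_UP),
                              ("http, FR down", HTTP, FR_DOWN)]:
        print(label, "->", policy_route(PBR, pkt, links))
```

The third case is the one to check against the policy wording: with the Frame Relay next hop gone, HTTP follows the routing table and can leave through the other link.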

Note: We have posted a Policy Based Routing lab on GNS3 similar to this sim, with a detailed explanation.

Comments
  1. KienNT
    April 14th, 2017

    Hi guy
    Please share this dumps VCE 149+41+15+183+56+82+32+8
    thanks
    ngocthanhkien9200 @ gmail com

  2. Anonymous
    April 14th, 2017

    guys help me

    In which scenario can asymmetric routing occur.
    1. active/active firewall setup
    2. redundant routers running VRRP
    3. active/standby firewall setup
    4. simple path in and out of the network

  3. jZ
    April 15th, 2017

    the answer is 1. active/active firewall setup

  4. Don
    April 18th, 2017

    Hi JZ,

    what about the question on how to mitigate asymmetric routing using active/active firewall setup?

    Is it thru using a layer 3 device or router? Forgot the other options.

  5. Maksym
    April 20th, 2017

    Thanks S0laris!
    The best one!

  6. DAN
    April 25th, 2017

    Hi network brains
    which ones from lab are in the exam ?????????
    waiting your kind response

  7. Chaka
    May 20th, 2017

    BorderRouter(config)#route-map pbr permit 10
    BorderRouter(config-route-map)#match ip address 101
    BorderRouter(config-route-map)#set ip next-hop 10.1.101.1
    BorderRouter(config-route-map)#exit
    I think this is wrong “match ip address 101”
    It has to be “match policy-list 101”
    Isn´t it?

  8. ANAroute
    May 21st, 2017

    Compilation of exams and including April and May.
    h t t p : / / c o r n e e y . c o m / q D 4 e y d
    the pass is
    !aAyefgyn-7nP18rSvGvzPPv5FJbO_e8AmeieWSZZtTk
    delete the spaces

  9. PBR route-maps
    May 22nd, 2017

    Can somebody please reply as if 2nd statement is needed or not to allow all other traffic==>#route-map PBR permit 20.

    Cisco press documentation said “There is always an implicit deny statement at the end of a route map” http://www.ciscopress.com/articles/article.asp?p=2273507&seqNum=12 .

    But also they mention that “The policy routing process proceeds through the route map until a match is found. If no match is found in the route map, or the route map entry is made a deny instead of a permit, then normal destination-based routing of the traffic ensues”. on http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

    Please advise if following is correct or not:
    #####################
    #route-map PBR permit 10
    ()#match ip address 101
    ()#set ip address 10.1.101.1

    #route-map PBR permit 20
    ####################
    thank you

  10. PBR route-maps
    May 22nd, 2017

    @ Chaka: “match ip address” is the way to go, since you are trying to match with an ACL, that is the right statement when filtering for either ACLs or prefix list.

  11. Yrsillar
    May 26th, 2017

    Can someone please share/email the new/updated dumps. I'm planning to take the exam this June.
    Thanks and more power to digitaltut.

    dlinuxuser1 @ gmail com

  12. hardik
    May 26th, 2017

    Request you please share latest dumps
    hardik.patira28 @ gmail .com
    thanks in advance

  13. Anonymous
    May 27th, 2017

    pass ccnp route exam today..

  14. 7oda
    June 2nd, 2017

    Hi guy

    Please share this dumps VCE 149+41+15+183+56+82+32+8

    mahmoud107@gmail com

    thanks you

  15. Anonymous
    June 2nd, 2017

    229 is still valid…ccnp route

  16. razvan
    June 3rd, 2017

    Dear All ,
    Please can any one send to me the latest dump for CCNP routing (razvan_0072@yahoo dot com)

    Thank You

  17. FSD
    June 4th, 2017

    229 dumps please at cmfarrukh@yahoo(dot)com

  18. Anonymous
    June 4th, 2017

    please send me 229q to {email not allowed}

  19. Anonymous
    June 4th, 2017

    please send me 229q to kheyr.qabe1(@)gmail.com

  20. Anonymous
    June 6th, 2017

    229 is still valid…email address

  21. funghet
    June 16th, 2017

    can anyone help me?
    I have tried with the GNS lab… but from the testing host I ping ISP1 and ISP2.

    interface FastEthernet0/0
    ip address 192.168.1.254 255.255.255.0
    ip policy route-map pbr
    duplex auto
    speed auto
    !
    interface Serial0/0
    ip address 10.1.101.254 255.255.255.0
    clock rate 2000000
    !
    interface FastEthernet0/1
    ip address 10.1.102.254 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    router eigrp 65001
    redistribute eigrp 65000 route-map to-eigrp65001
    network 192.168.0.0 0.0.255.255
    auto-summary
    !
    router eigrp 65000
    redistribute eigrp 65001 route-map to-eigrp65000
    network 10.1.100.0 0.0.3.255
    auto-summary
    !
    ip route 0.0.0.0 0.0.0.0 10.1.101.1
    ip route 0.0.0.0 0.0.0.0 10.1.102.1
    !
    !
    ip http server
    no ip http secure-server
    !
    access-list 111 permit icmp any any echo
    !
    route-map pbr permit 10
    match ip address 111
    set ip next-hop 10.1.101.1
    !
    route-map to-eigrp65000 deny 10
    match tag 65000
    !
    route-map to-eigrp65000 permit 20
    set tag 65001
    !
    route-map to-eigrp65001 deny 10
    match tag 65001
    !
    route-map to-eigrp65001 permit 20
    set tag 65000

    someone can help me ?

  22. Anonymous
    June 20th, 2017

    @funghet

    your ACL >>> is not right access-list 111 permit icmp any any echo

    should be access-list 111 permit tcp any any eq 80

    when test use the following in gns3

    telnet 10.1.101.1 80

    this will show when you do sho route map for confirmation

  23. Trainnner
    June 21st, 2017

    @Anonymous

    Hi Bro
    the access-list 111 is the number of ACL that was in the test cause in this solution the number is 101 ?

  24. luwi
    June 28th, 2017

    Hi All,

    please send me 229q to acidgrempa@gmail(dot)com

    many thx in advance

  25. jokie
    July 13th, 2017

    @luwi you can in http://www.dump4exam.com/300-101.html find more

  26. atr
    July 13th, 2017

    who took exam last days? what labs are in exam now?

  27. mills
    July 20th, 2017

    passed yesterday.

    used the official ccnp route 300-101 guide book, jeremy videos from cbtnuggets and finally digitaltut.com.

    the dumps on digitaltut are 85% valid, quite impressive i must say. didnt use any other dumps to prepare (i can be lazy sometimes)

    sims were eigrp ospf redistribution, eigrp evaluation, ospf evaluation and policy based routing sim.

    all sims were the same with little modifications on IP addresses and interface numbers. but i must mention something about the policy based routing sim. it was kinda different. similar topology as we have on digitaltut however the task was to allow all http traffic only to go through one ISP (framerelay link) while any other traffic can go either way. so this is what i did.

    access-list 100 permit tcp any any eq 80

    route-map ROUTE-MAP deny 10
    match ip address 100
    set ip next-hop THE-OTHER-ISP

    route-map ROUTE-MAP permit 20

    So i felt since they wanted only http traffic to go to framerelay while any other traffic can go eitherway, in other words they do not want http traffic to go through the other isp so i figure i should deny http traffic from going through the other isp while it will be business as usual for other traffic.

    well that was what i could come up with with all the exam tension and the racing time.

    at the end of the day i passed with 812. i am sure of about 80 to 85% of the other non-sim questions because of course they were here on digitaltut.

    please share your thoughts on the pbr sim scenario and what the best approach would have been. because i feel i got it wrong, that should explain my score of 812. you can share your thoughts with me mbomat at yahoo dot come. good luck everyone, see you on the switch page…………

  28. ThatGuyNamed_G
    July 22nd, 2017

    Thank you, PeterPan and Helper – nicely done!

  29. E.T
    July 23rd, 2017

    @PBR route-maps and others that raised the same question.

    I strongly believe that when used for PBR the route-map does not need a void permit statement at the end to negate the implicit deny all.
    Whatever traffic is matched by the implicit statement will simply be routed based on the destination as per the normal routing process and NOT DROPPED.
    For those still in doubt I suggest to lab this and draw your own conclusions.

    From the official CERT guide:
    “Note that for each packet entering Fa0/0, PBR either matches a packet with a route map
    permit clause or matches a packet with a route map deny clause. All route maps have an
    implicit deny clause at the end that matches all packets not already matched by the route
    map. PBR processes packets that match a permit clause using the defined set command.
    For packets matched by a deny clause, PBR lets the packet go through to the normal IP
    routing process.”

    /ET

  30. not_my_real_name
    July 23rd, 2017

    please send me 229q to LCEICH(@)gmail.com

  31. Wamo
    July 24th, 2017

    Hi peeps

    what labs will be in the exam

    thanx

  32. aaa
    August 2nd, 2017

    Please share dumps {email not allowed}

  33. aaa
    August 2nd, 2017

    please share dumps nainarbe at gmail dot com

  34. Rcoky
    August 4th, 2017

    NOTE: PBR lab has some problems
    Note the key words “use frame-relay link when it is available”
    1) create an IP SLA to make sure if that is available or not.
    R1(config)#ip sla 1
    R1(config-ip-sla)#icmp-echo 10.1.100.2 source-interface serial 0/0/0
    R1(config-ip-sla-echo)#ex
    R1(config)#ip sla schedule 1 start-time now life forever
    2) set track for that sla
    R1(config)#track 10 ip sla 1
    3) filter the HTTP traffic
    R1(config)# access-list 101 permit tcp any any eq www
    4) apply on route map with tracking object
    NOTE :- next hop 10.1.100.2 will be set (if it is reachable), otherwise it will take another path (EoMPLS link)
    R1(config)#route-map PBR permit 10
    R1(config-route-map)#match ip address 101
    R1(config-route-map)#set ip next-hop verify-availability 10.1.100.2 10 track 10
    R1(config-route-map)#ex
    5) apply policy route
    R1(config)#interface fastEthernet 0/1
    R1(config-if)#ip policy route-map PBR

  35. eLMo
    August 13th, 2017

    User E.T. wrote on August 11th, 2017 in share-your-route-v2-0-experience, that there was not default or static route on BD router. Without default\static route, any traffic can not go through ISP2’s link.

    BorderRouter(config)#route-map pbr permit 10
    BorderRouter(config-route-map)#match ip address 101
    BorderRouter(config-route-map)#set ip next-hop 10.1.101.1
    BorderRouter(config)#route-map pbr permit 20
    BorderRouter(config-route-map)#set ip next-hop 10.1.102.1
    BorderRouter(config-route-map)#exit

    could You confirm above config, which would be necessary in case of absence of static\default route to ISP2 on BD router?

  36. faheem
    August 17th, 2017

    I want CCNP route labs for practice, from where can I download them

  37. elmo
    August 22nd, 2017

    hi guys
    second route map 20 not use in ip next-hop….
    exit

    and inteface fa0/0
    use in command ip policy route-map pbr

  38. Anonymous
    August 23rd, 2017

    @Elmo did u see any changes in the PBR Lab simulation on the exams .. I saw one of the guy configuring IP SLA etc .. I really think only Route Map with Next Hop ip is ok for this solution

  39. Invaders
    August 25th, 2017

    HI Friends,

    please share ccna dumps v3

  40. Tam
    September 18th, 2017

    7oda

    Do you have already the dumps of all you request?if you have can you send me also?thanks here is my email : {email not allowed}

  41. owenshinobi
    September 18th, 2017

    Hi all
    Do you have already the dumps of all you request? if you have can you send me also?thanks here is my email : owenshinobi @ gmail com

  42. DaMa
    September 25th, 2017

    Hey, is it now a complete EIGRP LAB or a EIGRP and BGP LAB?

    Thanks in advance.

  43. ARBI
    September 25th, 2017

    hi!!
    Said that to validate my solution, have to generate http traffc from test workstation, How can i do this?

  44. cisco
    September 29th, 2017

    Dear All ,
    Please can any one send to me the latest dump for CCNP routing (razvan_0072@yahoo dot com)

    Thank You

  45. elmo
    October 4th, 2017

    i passed the ccnp route exam score 872
    anyone need a ccnp route dumps contact me

  46. kristen hellin
    October 4th, 2017

    i passed the ccnp route exam score 872
    anyone need a ccnp route dumps contact me

  47. Anonymous
    October 7th, 2017

    hello elmo, can you please share route dumps with me at rhmian80 @ gmail dot com

  48. Scruffins
    October 8th, 2017

    I think there is no need to configure IP SLA. When the next hop is unavailable, the packet will use the normal routing table.

    https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html#casetwo

  49. Anonymous
    October 14th, 2017

    ELMO please i need CCNP ROUTE exam. can u send me to (kheyrqabe1 AT Gmail.com)

  50. Anonymous
    October 14th, 2017

    ELMO please i need CCNP ROUTE exam. can u send me to (kheyrqabe1 @ gmail.com)

  51. Anonymous
    October 14th, 2017

    Hi all
    anyone can provide me the link for lab to download and also when opened On GNS show me there is error i have to convert how to do that

  52. fiddy
    October 15th, 2017

    Hi All,

    I have tried to open route Exam sims in GNS v1.5.2 but after opening topology all nodes in the topology turned red , when I click over the node it says ” This node is not initialized”

    Can someone please know how to fix this so that I can practice these exam labs ?? or any other way to practice these labs

  53. mario5046
    October 16th, 2017

    @Tej you missed just only one lab PBR ? What about the rest of questions , there you also made some mistakes?

  54. Mpolvora
    October 20th, 2017

    hello kristen hellin

    Could you send me the dumps please?
    Thank you very much
    {email not allowed}

  55. Mpolvora
    October 20th, 2017

    hello kristen hellin

    Could you send me the dumps please?
    Thank you very much
    mpolvoratjp @ gmail.com

  56. Chikku
    October 29th, 2017

    Anyone who took the exam recently can confirm which are the SIMs in the exam?????
    I’m gonna take it early next week.
    Please respond asap.

  57. Silver Star
    October 30th, 2017

    taking Exam Tomorrow, will provide feedback, have no idea which drag and drops will appear and have not studied any

  58. Chikku
    October 31st, 2017

    @SILVER STAR, Please check the drag and drop in digitaltut site itself. Hope this would suffice.
    BGP states, Nat64, NPT64, CEF adjacency types…

  59. Confused
    November 1st, 2017

    Host_For_Testing>en
    Host_For_Testing#telnet 10.1.101.1 80
    Trying 10.1.101.1, 80 …
    % Destination unreachable; gateway or host down

    Host_For_Testing#telnet 10.1.102.1 80
    Trying 10.1.102.1, 80 … Open
    ^C

    same commands as above , i am practicing in GNS3 labs here in this site. but it shows the opposite output. Can anybody help.

  60. Alpha
    November 4th, 2017

    Hello everyone. Can anyone help me by telling that 462q are still valid or not ?

  61. Alpha
    November 4th, 2017

    Response awaited.

  62. EU
    November 4th, 2017

    Hello Lemo,
    Congratulation, could you please send your 300-101 Dump ( {email not allowed} )
    Thank you

  63. EU
    November 4th, 2017

    Hello Lemo,
    Congratulation, could you please send your 300-101 Dump (oceanman2000 @ gmail.com)
    Thank you

  64. XXX
    November 7th, 2017

    Passed with 918/1000.
    For valid dump, please contact on jknishant87 @ gmail . com

  65. ZBM
    November 8th, 2017

    Hey Elmo kindly share the dump with me on “{email not allowed}” congrats hope you ready for the next task.

  66. Ray
    November 18th, 2017

    Hi Please send me a copy of update Dumps.

  67. FirePOWDER
    November 20th, 2017

    Hi Please sent to me VCE Update Dumps. Thx guy.
    {email not allowed}

  68. Erol
    November 26th, 2017

    Tried this in GNS3 and it works:

    – The first ‘set’ tries the 10.1.100.2 ISP 1 interface, and takes to the other if it’s not there.
    – The second ‘set’ sends all non TCP80 traffic to ISP 2

    You can see what happens at the various routers with

    – access-list 1 permit 172.16.14.2
    – debug ip pack 1

    Config on R1:

    access-list 101 permit tcp any any eq www
    !
    route-map PBR permit 10
    match ip address 101
    set ip next-hop 10.1.100.2 10.1.101.2
    !
    route-map PBR permit 20
    set ip next-hop 10.1.101.2
    !
    int f0/0
    ip policy route-map PBR

  69. Erol
    November 26th, 2017

    This is the accompanying output of a ‘debug ip policy’ on the Border Router that indicates what happens as soon as the link to ISP1 becomes unavailable. It uses CEF’s FIB to address any next-hop issues.

    The ‘Host for testing’, a GNS3 VPCS, generates TCP80 traffic by pinging a non-local ip address by using the following command: ping 1.1.1.1 -p 80 -3 -t

    As you can see at first this traffic is policy-based routed towards ISP1. As soon as CEF discovers that the next-hop ip address (ISP1 via interface S2/0 in my setup) is not reachable anymore, the ISP2 next-hop ip address 10.1.101.2 is chosen instead.

    *Nov 26 10:34:32.100: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, FIB policy match
    *Nov 26 10:34:32.100: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, PBR Counted
    *Nov 26 10:34:32.100: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, g=10.1.100.2, len 60, FIB policy routed
    R1#
    *Nov 26 10:34:33.101: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, FIB policy match
    *Nov 26 10:34:33.101: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, PBR Counted
    *Nov 26 10:34:33.101: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, g=10.1.100.2, len 60, FIB policy routed
    R1#
    *Nov 26 10:34:34.352: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down
    R1#
    *Nov 26 10:34:35.102: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, FIB policy match
    *Nov 26 10:34:35.102: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, PBR Counted
    *Nov 26 10:34:35.102: CEF-IP-POLICY: fib for addr 10.1.100.2 is Not Attached; Nexthop rejected
    *Nov 26 10:34:35.102: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, g=10.1.101.2, len 60, FIB policy routed
    *Nov 26 10:34:36.103: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, FIB policy match
    *Nov 26 10:34:36.104: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, PBR Counted
    *Nov 26 10:34:36.104: CEF-IP-POLICY: fib for addr 10.1.100.2 is Not Attached; Nexthop rejected

    You can see the TCP80 traffic arriving at ISP1 or ISP2 routers by using a ‘debug ip packet 1’ command, whereas ‘1’ is a standard access-list that permits traffic from the Testing Host at 172.16.14.2.

    When non-TCP80 traffic is generated, all traffic goes to ISP2.

    Also you can use the ‘show ip policy’- command on the Border Router to see counters incrementing on hits.

  70. Erol
    November 26th, 2017

    If you omit the ‘set ip next-hop 10.1.101.2’, in the ‘route-map PBR permit 20’, non-TCP80 is not explicitly routed to ISP2 anymore but follows normal forwarding rules, as you would probably want :)

    Config now reads:

    route-map PBR permit 10
    match ip address 101
    set ip next-hop 10.1.100.2 10.1.101.2
    !
    route-map PBR permit 20
    !
    !
    access-list 101 permit tcp any any eq www
    !

    When i generate some non-TCP80 traffic i see the following in a debug ip policy on the Border Router:

    *Nov 26 11:06:38.748: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, FIB policy match
    *Nov 26 11:06:38.748: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, PBR Counted
    *Nov 26 11:06:38.748: IP: s=172.16.14.2 (Ethernet0/1), d=11.1.1.1, len 60, FIB policy rejected – normal forwarding

    Look at the incrementing counters of the ‘show ip policy’-command on the Border Router. Using the ‘debug ip policy’ command first, gives some nice extra output about Nexthop Tracking on the ‘show ip policy’-command, that you wouldn’t get without the debug command.

    R1#sh route-map
    route-map PBR, permit, sequence 10
    Match clauses:
    ip address (access-lists): 101
    Set clauses:
    ip next-hop 10.1.100.2 10.1.101.2
    Nexthop tracking current: 0.0.0.0
    10.1.100.2, fib_nh:0,oce:0,status:0

    10.1.101.2, fib_nh:0,oce:0,status:0

    Policy routing matches: 196 packets, 14504 bytes
    route-map PBR, permit, sequence 20
    Match clauses:
    Set clauses:
    Policy routing matches: 84 packets, 6216 bytes
