Policy Based Routing

Policy Based Routing Sim


July 31st, 2010 in LabSim

Question

Company Acan has two links to the Internet. Company policy requires that web traffic be forwarded only over the Frame Relay link if it is available; other traffic can go through either link. No static or default routing is allowed.
Answer and Explanation:
Notice: The answer and explanation below are from PeterPan and Helper. Please say thanks to them!

All HTTP traffic from the EIGRP network should go through the Frame Relay link if available, and all other traffic should go through either link.
The only router you are able to administer is the Border Router; from the EIGRP network you may only send HTTP traffic. As other people have mentioned, this is actually not a BGP lab: you are not able to execute the command “router bgp 65001”.

1) Access list that catches the HTTP traffic:

BorderRouter(config)#access-list 101 permit tcp any any eq www

Note that the server was not directly connected to the Border Router. There were a lot of EIGRP routes on it. In the real exam you do
not know the exact IP address of the server in the EIGRP network so we have to use the source as “any” to catch all the source
addresses.

2) Route map that sets the next hop address to be ISP1 and permits the rest of the traffic:
BorderRouter(config)#route-map pbr permit 10
BorderRouter(config-route-map)#match ip address 101
BorderRouter(config-route-map)#set ip next-hop 10.1.101.1
BorderRouter(config-route-map)#exit
BorderRouter(config)#route-map pbr permit 20

(Notice: the route-map pbr permit 20 line allows traffic other than HTTP to be routed. Otherwise, other traffic will be dropped.)

3) Apply the route-map on the interface to the server in the EIGRP Network:
BorderRouter(config-route-map)#exit
BorderRouter(config)#int fa0/0
BorderRouter(config-if)#ip policy route-map pbr
BorderRouter(config-if)#exit
BorderRouter(config)#exit

4) There is a “Host for Testing”, click on this host to open a box in which there is a button named “Generate HTTP traffic”. Click on
this button to generate some packets for HTTP traffic. Jump back to the BorderRouter and type the command “show route-map”.

BorderRouter#show route-map
In the output you will see the line “Policy routing matches: 9 packets…”. It means that the route-map we configured is working
properly.


Comments

1. mongolio

August 10th, 2010

>BorderRouter(config-route-map)#exit
>BorderRouter(config)#route-map pbr permit 20

What is the statement route-map pbr permit 20 for? PBR doesn’t filter traffic.

2. ukk

August 10th, 2010


@mongolio
The route map permit 10 statement permits access list 101 traffic only. What about other traffic which is not permitted by seq 10? To allow traffic other than HTTP (or seq 10) to be routed, seq 20 is included. Otherwise, other traffic will be dropped.

3. mongolio

August 11th, 2010

@ukk
PBR doesn’t filter traffic; it will route traffic as normal if it is denied in the route map.

4. Vinch

August 12th, 2010

I agree with mongolio.

The statement “route-map pbr permit 20” is not needed!

5. KeN

August 13th, 2010

Hi,

I created the lab on GNS3, but failed to route traffic (ICMP, ping) via FR (10.1.101.2, S1/0). It just routes the ICMP packets to another path (10.1.102.0). Does anyone have an idea? Actually, does GNS3 support PBR?

Here is my config on Border Router


access-list 100 permit icmp 172.16.14.0 0.0.0.255 any echo
route-map testworkstation permit 10
match ip address 100
set ip next-hop 10.1.101.2

interface FastEthernet0/0
ip address 172.16.14.1 255.255.0.0
ip policy route-map testworkstation

interface FastEthernet2/0
ip address 10.1.102.1 255.255.255.0

interface Serial1/0
ip address 10.1.101.1 255.255.255.0

6. Anoni

August 13th, 2010

Remove the echo argument from access-list 100

7. Coco

August 16th, 2010

Are you sure about the route map? I think I would configure it like this:

BorderRouter(config)#route-map pbr permit 10
BorderRouter(config-route-map)#match ip address 101
BorderRouter(config-route-map)#set ip next-hop 10.1.101.1
BorderRouter(config-route-map)#exit
BorderRouter(config)#route-map pbr permit 20
BorderRouter(config-route-map)#set ip next-hop 10.1.102.1

Because the figure said other traffic goes via ISP2, to be certain I would set the next-hop 10.1.102.1 for all non-HTTP traffic.

8. digitaltut

August 17th, 2010

The question requires that other traffic can go through either ISP1 or ISP2, so we can’t “set ip next-hop 10.1.102.1” because it will forward all other traffic to 10.1.102.1

9. ukk

August 27th, 2010

@ mongolio
@ Vinch

Route maps are used in policy based routing of traffic as well (in addition to manipulating routing updates). Like an access control list, at the end of each route map there is an implicit deny; any traffic not matched with a route map statement is denied, so seq 20 needs to be included!

Some uses of route maps are:

1. Filtering redistributed routes.
2. Policy based routing (to specify which traffic should be policy routed).
3. BGP policy

@digitaltut Any comments?


10. Gerrit

August 27th, 2010

This is not correct, Ukk. As mentioned before, seq 20 is not needed. Traffic not matched is indeed denied, but for policy based
routing, a deny means it is not being policy based routed, it will be routed via the routing table instead.
With every route-map you need to consider its function, and what the consequences are of a deny. Policy-based routing has
nothing to do with filtering traffic, it dictates whether to use a policy to route traffic (1), or to use the routing table to route
traffic (2). A permit will do the first (1), a deny will do the second (2).

11. sotfgine

August 29th, 2010

@ukk, Read this from “CCNP ROUTE 642-902 Official Certification Guide”, chapter 11, page 369

“All route maps have an implicit deny clause at the end that matches all packets not already matched by the route map. PBR
processes packets that match a permit clause using the defined set command. For packets matched by a deny clause, PBR lets
the packet go through to the normal IP routing process.”

So, please remove “route-map pbr permit 20”; it is not needed.
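
Added example (not part of the comment above or of the site's answer): a simplified Python model of the route-map evaluation the quoted guide passage describes, run against the lab's route-map with and without sequence 20. The names Clause, acl_101 and pbr_decision and the sample packets are constructed for illustration; next-hop reachability checks are not modelled.

```python
# Added example: simplified model of IOS policy-based routing evaluation.
# Clause, acl_101 and pbr_decision are hypothetical names; packets are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

def acl_101(pkt: dict) -> bool:
    """access-list 101 permit tcp any any eq www; the implicit deny means 'no match'."""
    return pkt["proto"] == "tcp" and pkt.get("dport") == 80

@dataclass
class Clause:
    seq: int
    action: str                                      # "permit" or "deny"
    match: Optional[Callable[[dict], bool]] = None   # None: no match line, matches all
    next_hop: Optional[str] = None                   # "set ip next-hop", if configured

def pbr_decision(route_map, pkt):
    """Return (forwarding, next_hop, matched_seq) for one inbound packet."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.match is None or clause.match(pkt):
            if clause.action == "permit" and clause.next_hop:
                return ("policy", clause.next_hop, clause.seq)
            # Deny clause, or permit clause with nothing set: normal routing.
            return ("routing-table", None, clause.seq)
    # Implicit deny at the end: not policy-routed, but not dropped either.
    return ("routing-table", None, None)

# The route-map from the answer, with and without the debated sequence 20.
WITH_SEQ_20 = [Clause(10, "permit", acl_101, "10.1.101.1"), Clause(20, "permit")]
WITHOUT_SEQ_20 = [Clause(10, "permit", acl_101, "10.1.101.1")]

SAMPLES = {  # constructed packets arriving on fa0/0
    "http": {"proto": "tcp", "dport": 80},
    "telnet": {"proto": "tcp", "dport": 23},
    "ping": {"proto": "icmp"},
}

def forwarding_table(route_map):
    """Map each sample packet to (forwarding, next_hop), ignoring which clause hit."""
    return {name: pbr_decision(route_map, p)[:2] for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, rm in (("with seq 20", WITH_SEQ_20), ("without seq 20", WITHOUT_SEQ_20)):
        print(label, forwarding_table(rm))
```

In this model the only difference between the two route-maps is which clause a non-HTTP packet is counted against. Because nothing here filters traffic, access control has to come from an ACL applied with ip access-group, not from the route-map.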

12. xxx

August 30th, 2010

@sotfgine,
I agree with you~~~
“For packets matched by a deny clause, PBR lets the packet go through to the normal IP routing process”

13. LORD

September 1st, 2010

I have created this lab in GNS3… it works perfectly…

http://www.4shared.com/file/ZHu4r-4E/PBR_ROUTE_EXAM.html

14. Blurp

September 1st, 2010

I had this on my exam, did everything except the Permit 20 and it worked fine

15. LORD

September 1st, 2010

@ALL
Adding Permit 20 or not… will not change anything..
But actually, adding the Permit 20 route-map.. u can see that the HTTP traffic is not going to any destination other than over the Frame Relay link.. if u “telnet 10.1.102.1 www” u won’t see the changes in route-map permit 20.. But u can see the packets are changing in Permit 10.
Permit 20 is just for checking purposes.

16. siddharth

September 8th, 2010

even me and my friend had this lab but both of us could not do it.

17. E.Poosa

September 12th, 2010

@LORD September 1st, 2010


Thanks LORD. U r lab is working fine…but..look at below
HOST#telnet 10.1.101.1 www
Trying 10.1.101.1, 80 …
% Connection refused by remote host

Isn’t there any way to get this as an acceptance? I mean the same result should occur when trying ISP-2. **** but u r config is exactly correct for Border router…..

18. Pedro Perez

September 13th, 2010

On my last ROUTE exam it was required that non-HTTP traffic should be routed through the second link. How do you route it? Is the EoMPLS route the default route for traffic, so you just have to reroute HTTP traffic through the Frame Relay link?

thanks in advance

19. Cvetelina

September 14th, 2010

Hi All,

I have one question and will be very happy if someone has an answer :)))
I have to pass the 642-902 but I don’t know whether the labs are the same as in 642-901. Please, if someone knows, what is the difference between the two exams (I mean the labs)?
Thank you in advance

20. Kamalakar Patil

September 15th, 2010

Hey Guys,

Does anybody have latest CCNP Route (642-902) dumps. I am preparing for the exam. If yes, please reply on the following
mail id: Kamalakar.Patil@techmahindra.com, patilkamlakar99@yahoo.co.in. Many thanks in advance.

21. msxy

September 20th, 2010

Guys, not typing route-map pbr permit 20 worked fine for you because there is no other traffic than HTTP, but if there is, it will be dropped. On the new CBT Nuggets he configured the same. Good luck!

22. kemot

September 20th, 2010

What will happen when the FR link fails? If “next-hop 10.1.101.1” isn’t reachable, HTTP traffic will be dropped, so maybe we should consider using ip sla monitor?

23. hussam

September 27th, 2010

I’ve got a question: should this command be written in this mode

BorderRouter#access-list 101 permit tcp any any eq www

or should it be in the global config mode

BorderRouter(config)#access-list 101 permit tcp any any eq www

???????

24. jamil

September 30th, 2010

hey everybody there


i m preparing my ccnp certificate if any body have latest dumps of ccnp course plz send me
at my link or mail royaldream_30@yahoo.com

25. TEE

September 30th, 2010

hussam you are correct it should be in global config mode.

26. TEE

September 30th, 2010

Question, team: why isn’t there a sequence to permit ip any any in the access-list? Wouldn’t the implicit deny at the bottom of the access-list block all other traffic?

27. Ben Hayak

October 4th, 2010


@kemot – if PBR is not reachable then it will go to the ROUTING TABLE and just route by ISP2. No SLA needed.
@TEE – Start studying; in PBR the ACL is used for match only, deny = no match, which means PBR will not be effective and again the router will forward the packets using the routing table.

For all of you who are still confused: PBR is not filtering; permit 20 is not needed, yet does not cause any error. Permit 20 matches all but SETS NOTHING, so it’ll forward by the ROUTING TABLE normally.

Good luck,

28. TEE

October 7th, 2010

I think the example is close but the route-map pbr should be applied to S0/0/0

29. Nguyen Duc Hoa

October 8th, 2010

@mongolio

If you don’t use the statement route-map pbr permit 20, other traffic (except HTTP) will be routed via two interfaces, so it will lead to looping. Please use the traceroute command and you will see it.

30. Tshoot

October 10th, 2010

@E.Poosa September 12th, 2010

If you’re getting the error

HOST#telnet 10.1.101.1 www
Trying 10.1.101.1, 80 …
% Connection refused by remote host

confirm whether the HTTP service is running on both routers, ISP1 & 2. If not, issue the command “ip http server” in global configuration.

Good luck

Copyright © 2010 ROUTE 642-902 Questions and Answers