
SWITCHING AND ROUTING II

Class 1. Policy-Based Routing

Alberto Arellano A. Ing. Msc.

aarellano@espoch.edu.ec
CCNA – CCNP – CCSP - LPI
What is the problem in this network?

[Topology diagram: an OSPF domain and an EIGRP domain joined by links of 25, 50 and 100 Mbps, with the LANs 192.168.90.0/24, 192.168.92.0/24 and 192.168.94.0/24.]
Metric = 6 (R1-R2-R3)
Policy-Based Routing
Policy-based routing (PBR) is a technique that forwards and routes data packets based on policies or filters. Network administrators can selectively apply policies based on specific parameters such as source and destination IP address, source or destination port, traffic type, protocols, access list, packet size, or other criteria, and then route the packets on user-defined routes.
Logical PBR Operation

[Flowchart of the PBR decision taken by R1 for an incoming packet:]
1. Incoming packet: is there a PBR applied on the incoming interface? If no, forward the packet through the normal routing channel.
2. If yes: is there a match with a deny statement? If yes, forward the packet through the normal routing channel.
3. If no: is there a match with a permit statement? If yes, apply the set commands.
Filter-Based Forwarding on Juniper Router
For IPv4 or IPv6 traffic only, you can use firewall filters in conjunction with forwarding classes and routing instances to control how packets travel in a network. This is called filter-based forwarding (FBF).
Steps to Implement Path Control

1. Match traffic to manipulate the path
2. Define the action for matched traffic
3. Apply path control to traffic
   - To incoming traffic
   - To traffic local to the router
4. Verify path control results
PBR with Route-Map
Route maps are much like the "If ... Then ..." statements of many programming languages: if a certain condition is true, then do something.

Router(config)#
route-map map-tag [permit | deny] [sequence-number]
- Defines the route map conditions.

Router(config-route-map)#
match {conditions}
- Defines the conditions to match.

Router(config-route-map)#
set {actions}
- Defines the action to be taken on a match.

Router(config-if)#
ip policy route-map map-tag
- Applies the route map to the incoming interface.
match Conditions

Command                 Description
match community         Matches a BGP community
match interface         Matches any routes that have the next hop out of one of the interfaces specified
match ip address        Matches any routes that have a destination network number address that is permitted by a standard or extended ACL
match ip next-hop       Matches any routes that have a next-hop router address that is passed by one of the ACLs specified
match ip route-source   Matches routes that have been advertised by routers and access servers at the address that is specified by the ACLs
match length            Matches based on the Layer 3 length of a packet
match metric            Matches routes with the metric specified
match route-type        Matches routes of the specified type
match tag               Matches the tag of a route


match ip address
- Specify criteria to be matched using ACLs or prefix lists.

Router(config-route-map)#
match ip address {access-list-number | name} [...access-list-number | name] | prefix-list prefix-list-name [...prefix-list-name]

Parameter                      Description
access-list-number | name      The number or name of a standard or extended access list to be used to test incoming packets. If multiple access lists are specified, matching any one results in a match.
prefix-list prefix-list-name   Specifies the name of a prefix list to be used to test packets. If multiple prefix lists are specified, matching any one results in a match.
match length
- Specify criteria to be matched by packet length.

Router(config-route-map)#
match length min max

Parameter   Description
min         The packet's minimum Layer 3 length, inclusive, allowed for a match.
max         The packet's maximum Layer 3 length, inclusive, allowed for a match.
Set conditions

Command                  Description
set as-path              Modifies an AS path for BGP routes
set automatic-tag        Computes the tag value automatically
set community            Sets the BGP communities attribute
set ip next-hop          Indicates where to output packets that pass a match clause of a route map for policy routing
set interface            Indicates where to output packets that pass a match clause of a route map for policy routing
set ip default next-hop  Indicates where to output packets that pass a match clause of a route map for policy routing and for which the Cisco IOS software has no explicit route to a destination
set default interface    Indicates where to output packets that pass a match clause of a route map for policy routing and have no explicit route to the destination
set ip tos               Sets some of the bits in the IP ToS field of the IP packet
set ip precedence        Sets the 3 IP precedence bits in the IP packet header
set tag                  Sets the tag value for the destination routing protocol
set weight               Specifies the BGP weight value
* Partial list

set ip next-hop
- Specify the next-hop IP address for matching packets.

Router(config-route-map)#
set ip next-hop ip-address [...ip-address]

- The command provides a list of IP addresses used to specify the adjacent next-hop router in the path toward the destination to which the packets should be forwarded.
- If more than one IP address is specified, the first IP address associated with a currently up connected interface is used to route the packets.
set ip tos
- Mark packets using the IP ToS field.

Router(config-route-map)#
set ip tos [number | name]

- Used to set some of the bits in the IP ToS field in the IP packet.
- The ToS field in the IP header is 8 bits long, with 5 bits for setting the class of service (CoS) and 3 bits for the IP precedence.
- The CoS bits are used to set the delay, throughput, reliability, and cost.

Parameter               Description
0 | normal              Sets the normal ToS
1 | min-monetary-cost   Sets the min-monetary-cost ToS
2 | max-reliability     Sets the max-reliability ToS
4 | max-throughput      Sets the max-throughput ToS
8 | min-delay           Sets the min-delay ToS
Configuring PBR on an Interface
- Identify a route map to use for policy routing on an interface.

Router(config-if)#
ip policy route-map map-tag

- The map-tag parameter is the name of the route map to use for policy routing.
- It must match a map tag specified by a route-map command.
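The decision logic of the flowchart and of the match/set clauses above, written out as a small Python simulation (an added example, not material from the slides): PBR is consulted only on the interface that carries ip policy route-map, a deny sequence hands the packet back to normal routing rather than dropping it, and set ip next-hop uses the first address whose connected interface is up, which is why a policy-routed path silently falls back to the IGP path when its next hop is down. The interface name Gi0/0, the ACL rules and the next-hop addresses are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst length in_iface")  # length = Layer 3 length, in_iface = arrival interface

@dataclass
class RouteMapEntry:
    action: str                                    # "permit" or "deny"
    acl: list = field(default_factory=list)        # ACL rules: (action, src_net, dst_net)
    length: tuple = None                           # match length min max (inclusive)
    next_hops: list = field(default_factory=list)  # set ip next-hop list, in order

def acl_permits(acl, pkt):
    """Extended-ACL semantics: first matching rule wins, implicit deny at the end."""
    for action, src, dst in acl:
        if ip_address(pkt.src) in ip_network(src) and ip_address(pkt.dst) in ip_network(dst):
            return action == "permit"
    return False

def entry_matches(entry, pkt):
    """Every match clause of a sequence must be satisfied for the sequence to match."""
    if entry.acl and not acl_permits(entry.acl, pkt):
        return False
    return not entry.length or entry.length[0] <= pkt.length <= entry.length[1]

def policy_route(pkt, policies, iface_up):
    """policies: {incoming interface: route-map entries}; iface_up: {next hop: interface up?}. Returns the chosen next hop or "normal routing"."""
    route_map = policies.get(pkt.in_iface)
    if route_map is None:                          # no ip policy route-map on this interface
        return "normal routing"
    for entry in route_map:                        # sequences evaluated in order
        if not entry_matches(entry, pkt):
            continue
        if entry.action == "deny":                 # deny match: routed normally, not dropped
            return "normal routing"
        for nh in entry.next_hops:                 # first next hop whose connected interface is up
            if iface_up.get(nh):
                return nh
        return "normal routing"                    # matched, but no usable next hop
    return "normal routing"                        # no sequence matched

LAB1_POLICY = {"Gi0/0": [  # constructed Lab 1 scenario; next-hop addresses are assumptions, not from the slides
    RouteMapEntry("deny", acl=[("permit", "192.168.0.0/16", "192.168.0.0/16")]),   # LAN-to-LAN stays on the IGP path
    RouteMapEntry("permit", acl=[("permit", "192.168.10.0/24", "0.0.0.0/0")], next_hops=["10.0.13.3"]),               # via R3
    RouteMapEntry("permit", acl=[("permit", "192.168.11.0/24", "0.0.0.0/0")], next_hops=["10.0.15.5", "10.0.14.4"]),  # R5, else R4
    RouteMapEntry("permit", acl=[("permit", "192.168.12.0/24", "0.0.0.0/0")], length=(0, 1400), next_hops=["10.0.14.4"]),  # via R4
]}
LAB1_UP = {"10.0.13.3": True, "10.0.15.5": False, "10.0.14.4": True}   # R5 link is down in this run
```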
Lab 1. PBR Router CISCO

[Lab topology diagram]
- Traffic from 192.168.10.0/24 is forwarded via R3
- Traffic from 192.168.11.0/24 is forwarded via R5
- Traffic from 192.168.12.0/24 is forwarded via R4
Example 1. PBR

[Configuration screenshots for Example 1 (routers R2 and R6)]
Workshop. PBR with Applications (Web & FTP)

Host       VLAN   Network ID
PC-1       2      172.10.10.0/26
PC-2       3      172.10.10.64/26
PC-3       4      172.10.10.128/26
SERVER-1   2      172.10.20.0/26
SERVER-2   3      172.10.20.64/26
Lab 2. PBR Router HPE & CISCO

Origin – Destination   Route
SERVER – VPCS1         R3 -> HPE_R2 -> HPE_R1
SERVER – VPCS2         R3 -> HPE_R1
SERVER – VPCS3         R3 -> R2 -> HPE_R1
[Lab 2 steps, shown on the slides as configuration screenshots:]
1. Configure IP Address – HPE_R1
2. Verify IP Address – HPE_R1
3. Configure OSPF Protocol – HPE_R1
4. Configure IP Address & OSPF Protocol – R2
5. Configure IP Address & OSPF Protocol – R3
6. Verify Routing Table
7. Configure and verify HPE_R2
8. Verify connectivity between routers
10. Configure access to Provider from C1 (C1 – HPE_R1)
11. Configure access to Provider from C2 (C2 – R3)
12. Verify Routing Table – HPE_R1
13. Verify Routing Table – R3
14. Verify connectivity between Server – VPC-1
Config Router HPE access with TELNET

To be able to log in using the GNS3 console (TELNET) we have to configure the following commands on both routers.

<HPE>system-view
[HPE]user-interface aux 0
[HPE-line-aux0]authentication-mode none
[HPE-line-aux0]user-role network-admin
[HPE-line-aux0]quit
[HPE]save
Lab 3. PBR Router HPE & CISCO

Origin – Destination   Route
VPCS1 – SERVER         HPE_R1 -> R2 -> R3
VPCS2 – SERVER         HPE_R1 -> R3
VPCS3 – SERVER         HPE_R1 -> HPE_R2 -> R3
Config PBR on HPE Router
1. Create ACLs to match the traffic

acl advanced 3010
 rule permit ip source 192.168.4.0 0.0.0.255 destination 172.20.20.10 0.0.0.0
 quit
acl advanced 3020
 rule permit ip source 192.168.7.0 0.0.0.255 destination 172.20.20.10 0.0.0.0
 quit

2. Define the PBR policy

policy-based-route eietr permit node 10
 if-match acl 3010
 apply next-hop 10.10.5.2
 quit
policy-based-route eietr permit node 20
 if-match acl 3020
 apply next-hop 10.10.8.2
 quit

3. Apply the PBR policy to the interface

interface ge1/0
 ip policy-based-route eietr
 quit

Verify PBR Policy

[Verification screenshot]
Lab 4. PBR Juniper & Mikrotik

Origin -> Destination   Route
Webterm-1 -> Centos     Juniper -> Cisco_2 -> Cisco_1 -> Cisco_3 -> Mikrotik
Centos -> Webterm-1     Mikrotik -> Cisco_3 -> Cisco_1 -> Cisco_2 -> Juniper
Webterm-2 -> Centos     Juniper -> Cisco_2 -> Cisco_3 -> Mikrotik
Centos -> Webterm-2     Mikrotik -> Cisco_3 -> Cisco_2 -> Juniper
[Initial configuration screenshots for each device:]

Juniper Initial Configuration

Cisco_1 Initial Configuration

Cisco_2 Initial Configuration

Cisco_3 Initial Configuration

Mikrotik Initial Configuration

Mikrotik - WebFig
WebFig is a web-based RouterOS utility which allows you to monitor, configure and troubleshoot the router. It is designed as an alternative to WinBox; both have similar layouts and both have access to almost any feature of RouterOS.

Mikrotik – IP Address config

Mikrotik – OSPF Router-ID

Mikrotik – OSPF Interfaces

Mikrotik – OSPF Networks

Mikrotik – OSPF Routing Table

Config Webterm1 & Webterm2

Config Centos 6
Configure FBF on Juniper Router
1. Define a firewall filter (the equivalent of a Cisco ACL)

set firewall filter pbr1 term 1 from source-address 10.10.15.0/24
set firewall filter pbr1 term 1 then routing-instance rutaxcisco2
set firewall filter pbr1 term 2 then accept
set firewall filter pbr2 term 1 from source-address 10.10.16.0/24
set firewall filter pbr2 term 1 then routing-instance rutaxcisco2
set firewall filter pbr2 term 2 then accept

A Junos firewall filter discards packets that match none of its terms, so each filter ends with a term that accepts the remaining traffic.

2. Apply the firewall filter on the interfaces

set interfaces em2 unit 0 family inet filter input pbr1
set interfaces em3 unit 0 family inet filter input pbr2
commit

3. Create a routing instance

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters.

set routing-instances rutaxcisco2 instance-type forwarding routing-options static route 0.0.0.0/0 next-hop 10.10.3.2
commit

4. Create a RIB group

RIB groups can be used to specify the RIB(s) a routing protocol uses when it is importing and exporting routes. RIB groups are protocol specific (i.e. you cannot mix IPv4 and IPv6 RIBs in the same RIB group).

set routing-options interface-routes rib-group inet tabla1
set routing-options rib-groups tabla1 import-rib [inet.0 rutaxcisco2.inet.0]
commit check
commit
quit
Verify Routing Instance

[Verification screenshot]

Verify Filter-Based Forwarding

[Verification screenshots]

Configure PBR on Cisco Routers

[Configuration screenshots]
Configure PBR on Mikrotik Router
1. Add two IP Firewall Mangle rules to mark the packets originated from network 10.10.20.0/24 to 10.10.15.0/24 and 10.10.16.0/24.

[Mangle rule screenshots]

2. Create a NAT rule with action MASQUERADE.

[NAT rule screenshot]

Verify PBR

[Verification screenshot]
Homework 1 – PBR & IPv6

Origin -> Destination   Route
Webterm-1 -> Centos     Juniper -> Cisco_2 -> Cisco_1 -> Cisco_3 -> Mikrotik
Centos -> Webterm-1     Mikrotik -> Cisco_1 -> Cisco_2 -> Juniper
Webterm-2 -> Centos     Juniper -> Cisco_2 -> Cisco_3 -> Mikrotik
Centos -> Webterm-2     Mikrotik -> Cisco_3 -> Cisco_2 -> Juniper
Homework 2 – PBR Huawei

Origin -> Destination   Route
PC1 -> PC3              AR2 -> AR1 -> AR5
PC2 -> PC3              AR2 -> AR3 -> AR4 -> AR5
PC3 -> PC1              AR5 -> AR4 -> AR3 -> AR2
PC3 -> PC2              AR5 -> AR1 -> AR2