
SWITCHING AND ROUTING II

Class 1. Policy-Based Routing

Alberto Arellano A. Ing. Msc.


aarellano@espoch.edu.ec
CCNA – CCNP – CCSP – LPI - JNCIA
Class Objectives
At the end of the class the student will be able to:
• Understand the concepts related to policy-based routing (PBR)
• Understand the areas of use of policy-based routing (PBR)
• Understand PBR configuration on Cisco routers
• Understand PBR configuration on Juniper routers
• Understand PBR configuration on HPE routers
What is the problem in this network?
(Topology diagram. Two paths between the CLIENTS side and the SERVERS side:
R1-R2-R3 (3 routers) and R1-R2-R4-R5-R3 (4 routers); links of 100 Mbps and
50 Mbps; an OSPF domain and an EIGRP domain; networks 192.168.92.0/24,
192.168.94.0/24 and 192.168.90.0/24.)
Policy-Based Routing
Policy-based routing (PBR) is a technique that forwards and routes data
packets based on policies or filters rather than on the routing table alone.

Network administrators can selectively apply policies based on specific
parameters such as source and destination IP address, source or destination
port, traffic type, protocol, access list, packet size or other criteria, and
then route the matching packets over user-defined paths.
Logical PBR Operation
(Decision flow chart for router R1:)
1. Incoming packet: is there a PBR policy applied on the incoming interface?
   No  → forward the packet through the normal routing channel.
   Yes → continue.
2. Is there a match with a deny statement?
   Yes → forward the packet through the normal routing channel.
   No  → continue.
3. Is there a match with a permit statement?
   Yes → apply the set commands.
Filter-Based Forwarding on Juniper Routers
For IPv4 or IPv6 traffic only, you can use firewall filters in conjunction
with forwarding classes and routing instances to control how packets travel
in a network. This is called filter-based forwarding (FBF).
Steps to Implement PBR or FBF
1. Match the traffic whose path is to be manipulated
2. Define the action for the matched traffic
3. Apply the PBR policy to traffic
   • To incoming traffic
   • To traffic generated locally by the router
4. Verify the path control results
PBR with Route-Map
Route maps are much like the "If . . . Then . . ." statements of many
programming languages: if a certain condition is true, then do something.

Router(config)#
  route-map map-tag [permit | deny] [sequence-number]
  • Defines the route map conditions.

Router(config-route-map)#
  match {conditions}
  • Defines the conditions to match.

Router(config-route-map)#
  set {actions}
  • Defines the action to be taken on a match.

Router(config-if)#
  ip policy route-map map-tag
  • Applies the route map to the incoming interface.
match Conditions
Command                 Description
match community         Matches a BGP community
match interface         Matches any routes that have the next hop out of one of
                        the interfaces specified
match ip address        Matches any routes that have a destination network
                        number address that is permitted by a standard or
                        extended ACL
match ip next-hop       Matches any routes that have a next-hop router address
                        that is passed by one of the ACLs specified
match ip route-source   Matches routes that have been advertised by routers and
                        access servers at the address that is specified by the
                        ACLs
match length            Matches based on the Layer 3 length of a packet
match metric            Matches routes with the metric specified
match route-type        Matches routes of the specified type
match tag               Matches the tag of a route

match ip address
• Specifies the criteria to be matched using ACLs or prefix lists.

Router(config-route-map)#
  match ip address {access-list-number | name} [...access-list-number | name]
    | prefix-list prefix-list-name [...prefix-list-name]

Parameter                   Description
access-list-number | name   The number or name of a standard or extended access
                            list to be used to test incoming packets. If multiple
                            access lists are specified, matching any one results
                            in a match.
prefix-list                 Specifies that a prefix list is used to test packets.
prefix-list-name            The name of the prefix list. If multiple prefix lists
                            are specified, matching any one results in a match.
match length
• Specifies the criteria to be matched by packet length.

Router(config-route-map)#
  match length min max

Parameter   Description
min         The packet's minimum Layer 3 length, inclusive, allowed for a match.
max         The packet's maximum Layer 3 length, inclusive, allowed for a match.
set Actions
Command                   Description
set as-path               Modifies an AS path for BGP routes
set automatic-tag         Computes the tag value automatically
set community             Sets the BGP communities attribute
set ip next-hop           Indicates where to output packets that pass a match
                          clause of a route map for policy routing
set interface             Indicates where to output packets that pass a match
                          clause of a route map for policy routing
set ip default next-hop   Indicates where to output packets that pass a match
                          clause of a route map for policy routing and for which
                          the Cisco IOS software has no explicit route to the
                          destination
set default interface     Indicates where to output packets that pass a match
                          clause of a route map for policy routing and have no
                          explicit route to the destination
set ip tos                Sets some of the bits in the IP ToS field of the IP
                          packet
set ip precedence         Sets the 3 IP precedence bits in the IP packet header
set tag                   Sets the tag value for the destination routing protocol
set weight                Specifies the BGP weight value
* Partial list
set ip next-hop
• Specifies the next-hop IP address for matching packets.

Router(config-route-map)#
  set ip next-hop ip-address [...ip-address]

• The command provides a list of IP addresses used to specify the adjacent
  next-hop router in the path toward the destination to which the packets
  should be forwarded.
• If more than one IP address is specified, the first IP address associated
  with a currently up connected interface is used to route the packets.
set ip tos
• Marks packets using the IP ToS field.

Router(config-route-map)#
  set ip tos [number | name]

• Used to set some of the bits in the IP ToS field of the IP packet.
• The ToS field in the IP header is 8 bits long, with 5 bits for setting the
  class of service (CoS) and 3 bits for the IP precedence.
• The CoS bits are used to set the delay, throughput, reliability and cost.

Parameter              Description
0 | normal             Sets the normal ToS
1 | min-monetary-cost  Sets the min-monetary-cost ToS
2 | max-reliability    Sets the max-reliability ToS
4 | max-throughput     Sets the max-throughput ToS
8 | min-delay          Sets the min-delay ToS
Configuring PBR on an Interface
• Identifies the route map to use for policy routing on an interface.

Router(config-if)#
  ip policy route-map map-tag

• The map-tag parameter is the name of the route map to use for policy routing.
• It must match a map tag specified by a route-map command.
Lab 1. PBR on Cisco Routers
(Topology diagram.)
• Traffic from 192.168.10.0/24 is forwarded to R3
• Traffic from 192.168.11.0/24 is forwarded to R5
• Traffic from 192.168.12.0/24 is forwarded to R4
Example 1. PBR
(Configuration screenshots for routers R2 and R6; not recoverable as text.)
Lab 2. PBR on HPE and Cisco Routers
Origin – Destination   Route
SERVER – VPCS1         R3 → HPE_R2 → HPE_R1
SERVER – VPCS2         R3 → HPE_R1
SERVER – VPCS3         R3 → R2 → HPE_R1
(Lab 2 steps; each step is a configuration screenshot in the original slides.)
1. Configure IP addresses – HPE_R1
2. Verify IP addresses – HPE_R1
3. Configure the OSPF protocol – HPE_R1
4. Configure IP addresses and the OSPF protocol – R2
5. Configure IP addresses and the OSPF protocol – R3
6. Verify the routing table
7. Configure and verify HPE_R2
8. Verify connectivity between routers
10. Configure access to the Provider from C1 (C1 connects via HPE_R1)
11. Configure access to the Provider from C2 (C2 connects via R3)
12. Verify the routing table – HPE_R1
13. Verify the routing table – R3
14. Verify connectivity between the Server and VPC-1
Configure HPE Router Access with TELNET

To be able to log in using the GNS3 TELNET console, the following commands
have to be configured on both HPE routers:

  <HPE>system-view
  [HPE]user-interface aux 0
  [HPE-line-aux0]authentication-mode none
  [HPE-line-aux0]user-role network-admin
  [HPE-line-aux0]quit
  [HPE]save
Configure PBR on an HPE Router
1. Create the ACLs that match the traffic
  acl advanced 3010
  rule permit ip source 192.168.4.0 0.0.0.255 destination 172.20.20.10 0.0.0.0
  quit
  acl advanced 3020
  rule permit ip source 192.168.7.0 0.0.0.255 destination 172.20.20.10 0.0.0.0
  quit
2. Define the PBR policy
  policy-based-route eietr permit node 10
  if-match acl 3010
  apply next-hop 10.10.5.2
  quit
  policy-based-route eietr permit node 20
  if-match acl 3020
  apply next-hop 10.10.8.2
  quit
3. Apply the PBR policy to the interface
  interface ge1/0
  ip policy-based-route eietr
  quit
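The decision flow of the Logical PBR Operation chart, together with the next-hop selection rule of set ip next-hop (first address on a currently up connected interface), modelled in Python as an added example; this is not vendor code or the page's own configuration. The two policy nodes reuse the match criteria and next hops of HPE ACLs 3010/3020 above, and the connected-interface table is constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology: connected network and link state per interface.
# The next hops 10.10.5.2 / 10.10.8.2 are the ones used in the HPE policy.
CONNECTED = {"ge1/0": ("10.10.5.0/24", True), "ge2/0": ("10.10.8.0/24", True)}

@dataclass
class Node:
    seq: int
    action: str               # "permit" or "deny" node, as in a route map
    src: str = "0.0.0.0/0"    # match ip address: source prefix (default any)
    dst: str = "0.0.0.0/0"    # match ip address: destination prefix
    min_len: int = 0          # match length min max (Layer 3 length, inclusive)
    max_len: int = 65535
    next_hops: list = field(default_factory=list)  # set ip next-hop a [b ...]

def matches(node, pkt):
    """pkt is a constructed (src, dst, layer3_length) triple."""
    s, d, ln = pkt
    return (ip_address(s) in ip_network(node.src)
            and ip_address(d) in ip_network(node.dst)
            and node.min_len <= ln <= node.max_len)

def usable_next_hop(next_hops):
    """First listed next hop that sits on a connected, currently up interface."""
    for nh in next_hops:
        for net, up in CONNECTED.values():
            if up and ip_address(nh) in ip_network(net):
                return nh
    return None

def policy_route(policy, pkt):
    """Return ("normal", None) or ("policy", next_hop), following the chart."""
    if policy is None:                        # no policy on the incoming interface
        return ("normal", None)
    for node in sorted(policy, key=lambda n: n.seq):
        if not matches(node, pkt):
            continue
        if node.action == "deny":             # deny match: normal routing channel
            return ("normal", None)
        nh = usable_next_hop(node.next_hops)  # permit match: apply the set command
        return ("policy", nh) if nh else ("normal", None)
    return ("normal", None)                   # no node matched

# The two HPE policy nodes from this page expressed as route-map style entries.
EIETR = [
    Node(10, "permit", src="192.168.4.0/24", dst="172.20.20.10/32", next_hops=["10.10.5.2"]),
    Node(20, "permit", src="192.168.7.0/24", dst="172.20.20.10/32", next_hops=["10.10.8.2"]),
]
```

A packet whose only listed next hop is on an interface that is down falls back to normal routing, which is the behaviour to check for when a policy "stops working" after a link flap.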
Verify the PBR Policy
(Verification screenshot.)
Lab 4. PBR on Juniper and Mikrotik Routers
Origin → Destination     Route
Webterm-1 → Web Server   Juniper → Cisco_2 → Cisco_1 → Cisco_3 → Mikrotik
Web Server → Webterm-1   Mikrotik → Cisco_3 → Cisco_1 → Cisco_2 → Juniper
Webterm-2 → Web Server   Juniper → Cisco_2 → Cisco_3 → Mikrotik
Web Server → Webterm-2   Mikrotik → Cisco_3 → Cisco_2 → Juniper
(Initial configuration screenshots for each device in the original slides.)
Juniper initial configuration
Cisco_1 initial configuration
Cisco_2 initial configuration
Cisco_3 initial configuration
Mikrotik initial configuration
Mikrotik - WebFig
WebFig is a web-based RouterOS utility that allows you to monitor, configure
and troubleshoot the router. It is designed as an alternative to WinBox; both
have similar layouts and both give access to almost every feature of RouterOS.
(Mikrotik configuration screenshots in the original slides.)
Mikrotik – IP address configuration
Mikrotik – OSPF router ID
Mikrotik – OSPF interfaces
Mikrotik – OSPF networks
Mikrotik – OSPF routing table
Configure Webterm1 and Webterm2
Configure FBF on the Juniper Router
1. Define the firewall filters (the equivalent of Cisco ACLs)

  set firewall filter pbr1 term 1 from source-address 10.10.15.0/24
  set firewall filter pbr1 term 1 then routing-instance rutaxcisco2
  set firewall filter pbr2 term 1 from source-address 10.10.16.0/24
  set firewall filter pbr2 term 1 then routing-instance rutaxcisco2

2. Apply the firewall filters to the interfaces

  set interfaces em2 unit 0 family inet filter input pbr1
  set interfaces em3 unit 0 family inet filter input pbr2
  commit

3. Create a routing instance

A routing instance is a collection of routing tables, interfaces and routing
protocol parameters.

  set routing-instances rutaxcisco2 instance-type forwarding routing-options static route 0.0.0.0/0 next-hop 10.10.3.2
  commit

4. Create a RIB group

RIB groups can be used to specify the RIB(s) a routing protocol uses when it
is importing and exporting routes. RIB groups are protocol specific (i.e. you
cannot mix IPv4 and IPv6 RIBs in the same RIB group).

  set routing-options interface-routes rib-group inet tabla1
  set routing-options rib-groups tabla1 import-rib [inet.0 rutaxcisco2.inet.0]
  commit check
  commit
  quit
(Verification and configuration screenshots in the original slides.)
Verify the routing instance
Verify filter-based forwarding
Configure PBR on the Cisco routers
Configure PBR on the Mikrotik Router
(Configuration screenshots in the original slides.)
1. Add two IP Firewall Mangle rules to mark the packets originated from
   network 10.10.20.0/24 to 10.10.15.0/24 and 10.10.16.0/24.
2. Create a NAT rule with action MASQUERADE.
Verify PBR