Problem description
Sometimes you need to route packets by rules of your own rather than by destination address alone. Here you can learn how to solve this problem using policy-based routing.
Typical applications of policy-based routing include:
☆ Policy routing based on source IP address
☆ Policy routing based on packet size
☆ Application-based policy routing
☆ Load balancing across default routes
Here, the routing strategy for the first case is described.
Example
In this example, the firewall's function is to translate the 10.0.0.0/8 intranet addresses into routable addresses in the 172.16.255.0/24 subnet.
The following firewall configuration is included for completeness and is not required for the policy routing configuration. The firewall here could be replaced by another similar product, such as a PIX or another firewall device. The firewall configuration is as follows:
!
ip nat pool net-10 172.16.255.1 172.16.255.254 prefix-length 24
ip nat inside source list 1 pool net-10
!
interface Ethernet0
ip address 172.16.20.2 255.255.255.0
ip nat outside
!
interface Ethernet1
ip address 172.16.39.2 255.255.255.0
ip nat inside
!
router eigrp 1
redistribute static
network 172.16.0.0
default-metric 10000 100 255 1 1500
!
ip route 172.16.255.0 255.255.255.0 Null0
access-list 1 permit 10.0.0.0 0.255.255.255
!
end
In our case, policy routing is run on a Cisco WAN router to ensure that IP packets from the 10.0.0.0/8 network are sent to the firewall. Two clauses are defined in the net-10 route map. The first clause sends IP packets from the 10.0.0.0/8 network to the firewall (we will soon see that there is a problem with this configuration). The second clause lets all other packets be routed normally. The Cisco WAN router configuration is as follows:
!
interface Ethernet0/0
ip address 172.16.187.3 255.255.255.0
no ip directed-broadcast
!
interface Ethernet0/1
ip address 172.16.39.3 255.255.255.0
no ip directed-broadcast
!
interface Ethernet3/0
ip address 172.16.79.3 255.255.255.0
no ip directed-broadcast
ip policy route-map net-10
!
router eigrp 1
network 172.16.0.0
!
access-list 110 permit ip 10.0.0.0 0.255.255.255 172.16.36.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
route-map net-10 permit 10
match ip address 111
set interface Ethernet0/1
!
route-map net-10 permit 20
!
end
We can test the configuration in this way. From the router named Cisco-1 (10.1.1.1), ping a host on the Internet (here the host 192.1.1.1). To see what happens on the router named Internet_Router, we run the debug ip packet 101 detail command in privileged mode on that router (it carries the configuration command access-list 101 permit icmp any any). Below is the output:
Results of ping from Cisco-1 to 192.1.1.1/internet taken from Internet_Router:
Packet never makes it to Internet_Router
As you can see, the packet never arrives at Internet_Router. The following debug command on the Cisco WAN router gives the reason:
Debug commands run from Cisco_WAN_Router:
"debug ip policy"
2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1, len 100, policy match
2d15h: IP: route map net-10, item 10, permit
2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1 (Ethernet0/1), len 100, policy routed
2d15h: IP: Ethernet3/0 to Ethernet0/1 192.1.1.1
Here, the packet does match the first clause of the net-10 route map. So why did it not achieve the intended result? Use "debug arp" to find out.
"debug arp"
2d15h: IP ARP: sent req src 172.16.39.3 0010.7bcf.5b02, dst 192.1.1.1 0000.0000.0000 Ethernet0/1
2d15h: IP ARP rep filtered src 192.1.1.1 00e0.b064.243d, dst 172.16.39.3 0010.7bcf.5b02
wrong cable, interface Ethernet0/1
The output of debug arp gives the reason. The router does its best to carry out the action it was told to do and tries to send the packet out the Ethernet0/1 interface, but fails. To do this it has to perform Address Resolution Protocol (ARP) for the destination address 192.1.1.1 itself. In doing so, the router finds that the destination address is not on that interface's subnet (the ARP reply is filtered as "wrong cable"). The router then hits an encapsulation error, so the packet never reaches 192.1.1.1.
How can we avoid this problem? Modify the route map so that the firewall address is the next hop.
Config changed on Cisco_WAN_Router:
!
route-map net-10 permit 10
match ip address 111
set ip next-hop 172.16.39.2
!
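To make the difference between the two route-map clauses concrete, here is a small Python model (added here; not code from the original article or from Cisco) of how the net-10 route map is evaluated. It assumes the router's interfaces and access-list 111 exactly as configured above, and that an Ethernet interface can only deliver a packet to an address inside its own connected subnet, since ARP for any other address fails with "wrong cable":

```python
"""Added example, not from the original article: a model of a Cisco-style
route map, contrasting 'set interface' with 'set ip next-hop'. Assumption:
an Ethernet interface can only deliver to addresses in its connected subnet."""
from ipaddress import ip_address, ip_interface, ip_network

# Interfaces of the Cisco WAN router, as configured on the page.
INTERFACES = {
    "Ethernet0/0": ip_interface("172.16.187.3/24"),
    "Ethernet0/1": ip_interface("172.16.39.3/24"),
    "Ethernet3/0": ip_interface("172.16.79.3/24"),
}
# access-list 111 permit ip 10.0.0.0 0.255.255.255 any  -> (source, destination)
ACL_111 = [(ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0"))]

def acl_matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def egress_for(addr):
    """Interface whose connected subnet contains addr, or None (ARP would fail)."""
    return next((n for n, i in INTERFACES.items() if addr in i.network), None)

def policy_route(route_map, src, dst):
    """Evaluate clauses (seq, acl, action) in order, like 'ip policy route-map'.
    acl=None matches everything; action=None means normal routing.
    Returns (matching clause seq, forwarding decision as text)."""
    src, dst = ip_address(src), ip_address(dst)
    for seq, acl, action in route_map:
        if acl is not None and not acl_matches(acl, src, dst):
            continue
        if action is None:
            return seq, "normal routing"
        kind, value = action
        if kind == "interface":  # router must ARP for the final destination itself
            if egress_for(dst) == value:
                return seq, f"out {value} to {dst}"
            return seq, f"encapsulation failed on {value}: {dst} not on that wire"
        hop = ip_address(value)  # kind == "next-hop": router ARPs for the gateway
        egress = egress_for(hop)
        if egress is None:
            return seq, f"next hop {hop} unreachable: normal routing"
        return seq, f"out {egress} to next hop {hop}"
    return None, "normal routing"

# Clause 10 as originally written (set interface) and as fixed (set ip next-hop).
BROKEN = [(10, ACL_111, ("interface", "Ethernet0/1")), (20, None, None)]
FIXED = [(10, ACL_111, ("next-hop", "172.16.39.2")), (20, None, None)]
```

Running policy_route(BROKEN, "10.1.1.1", "192.1.1.1") reproduces the failure seen in the debug arp output, while the same packet through FIXED leaves Ethernet0/1 toward the firewall at 172.16.39.2; a 10.0.0.0/8 packet to a host on the 172.16.39.0/24 wire itself is the one case where the original set interface clause would have worked.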
After the modification, run the same command on Internet_Router, debug ip packet 101 detail. Now the packets are forwarded as configured. We can also see that the packet has been translated by the firewall to 172.16.255.1, and that the host 192.1.1.1 responds:
Results of ping from Cisco_1 to 192.1.1.1/internet taken from Internet_Router:
2d15h: IP: s=172.16.255.1 (Ethernet1), d=192.1.1.1 (Serial0), g=192.1.1.1, len 100, forward
2d15h: ICMP type=8, code=0
2d15h:
2d15h: IP: s=192.1.1.1 (Serial0), d=172.16.255.1 (Ethernet1), g=172.16.20.2, len 100, forward
2d15h: ICMP type=0, code=0
2d15h:
After running the debug ip policy command on the Cisco WAN router, we can see that the packet is being passed to the firewall, 172.16.39.2:
Debug commands run from Cisco_WAN_Router:
"debug ip policy"
2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1, len 100, policy match
2d15h: IP: route map net-10, item 20, permit
2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1 (Ethernet0/1), len 100, policy routed
2d15h: IP: Ethernet3/0 to Ethernet0/1 172.16.39.2
Article entry: csh Editor in charge: csh