Upload
forthegroups
View
221
Download
0
Embed Size (px)
Citation preview
8/3/2019 2200 Advanced Routing Protocols(1)
1/80
1 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
8/3/2019 2200 Advanced Routing Protocols(1)
2/80
2 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Advanced RoutingTechnologies
Advanced RoutingTechnologies
Session 2200
By Itsik Malka
Session 2200
By Itsik Malka
8/3/2019 2200 Advanced Routing Protocols(1)
3/80
3 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
AgendaAgenda
Host Interaction
Default Route and Filtering
Distance
Redistribution
Policy Routing
Routing to the internet
8/3/2019 2200 Advanced Routing Protocols(1)
4/80
4 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Host InteractionHost Interaction
8/3/2019 2200 Advanced Routing Protocols(1)
5/80
5 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
How Hosts TransmitHow Hosts Transmit
Using default-gw:
Compare DA tointerfaces and masks
If local, get L2 datavia arp and transmit
Else get L2 data ofdefault router via arp
and transmit
Using tables:
Search table for longestmatch use next hop
Local is a special case,next hop is DA
If no match use defaultroute for next hop
Get L2 data of next hopvia arp and transmit
Note: Simplified
8/3/2019 2200 Advanced Routing Protocols(1)
6/80
6 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
ip irdp [multicastholdtime seconds (3X max)maxadvertinterval seconds (600)minadvertinterval seconds (3/4X max)preference number (0)address address [number]]
IRDP on RoutersIRDP on Routers
Announcements have a lifetime and preference
Configured per interface; off by default
Can advertise via all systems multicast
(224.0.0.1) Preference level can be set
8/3/2019 2200 Advanced Routing Protocols(1)
7/80
7 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
IRDP on HostsIRDP on Hosts
in.rdisc in Solaris (multicast only)
gated in Linux, HP-UX and AIX
routerdiscovery client yes | no | on | off ;
WinSock2 in Windows
NT 4.0 KB Article Q223756HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adaptername\Parameters\Tcpip\
DHCP option 31
8/3/2019 2200 Advanced Routing Protocols(1)
8/80
8 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
10.1.1.3
00:10:7B:04:88:BB10.1.1.3310.1.1.1
00:10:7B:04:88:AA
10.1.1.2
00:10:7B:04:88:CC
default-gw = 10.1.1.1
HSRPHot StandbyRouter Protocol
HSRPHot StandbyRouter Protocol
Transparent failover of default router
Phantom router created
One router is active, responds to phantomL2 and L3 addresses
Others monitor and take over phantom addresses
8/3/2019 2200 Advanced Routing Protocols(1)
9/80
9 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Router Group #1
Router Group #2
StandbyStandby
StandbyStandby
StandbyStandby
PrimaryPrimary
PrimaryPrimary
HSRPRFC 2281HSRPRFC 2281
HSR multicasts hellosevery 3 sec with adefault priority of 100
HSR will assume controlif it has the highestpriority and preemptconfigured after delay(default=0) seconds
HSR will deduct 10 fromits priority if the trackedinterface goes down
8/3/2019 2200 Advanced Routing Protocols(1)
10/80
10 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
HSRPHSRP
Hot Standby Router ProtocolRouter1:
interface ethernet 0/0
bandwidth 128128
ip address 169.223.10.1 255.255.255.0standby 10 ip 169.223.10.254169.223.10.254
Router2:
interface ethernet 0/0
bandwidth 15001500
ip address 169.223.10.2 255.255.255.0standby 10 priority 150150 preempt delay 1010
standby 10 ip 169.223.10.254169.223.10.254
standby 10 track serial 0 6060
Internet or ISPbackbone
Server Systems
Router 1Router 1 Router 2Router 2
8/3/2019 2200 Advanced Routing Protocols(1)
11/80
11 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
IP Broadcast ControlIP Broadcast Control
Subnet or directed broadcast->w.x.y.255
All net broadcast->255.255.255.255
IP directed broadcasts are dropped by default
ip helper-address forwards ip forward-protocol packets
ip directed-broadcast floods ip forward-protocolpackets
To be forwarded:
The packet must be a MAC-level broadcast.
The packet must be an IP-level all or major network broadcast.
The packet must be a TFTP, DNS, Time, NetBIOS, ND, or BOOTPpacket, or a UDP protocol specified by the ip forward-protocoludp global configuration command.
The time-to-live (TTL) value of the packet must be at least two.
8/3/2019 2200 Advanced Routing Protocols(1)
12/80
12 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
IP Helper AddressIP Helper Address
Specified on the input interface
Indicates direction towardbroadcast destination
Forwards ip forward-protocolbroadcast packets, specifically:
TFTP, DNS, bootp, DHCP, TACACS,time, NetBIOS name and datagramservers
e0
Router A:interface ethernet 0ip helper-address 10.2.1.3 TFTP server
10.2.1.3
AA
8/3/2019 2200 Advanced Routing Protocols(1)
13/80
13 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
IP Forward ProtocolIP Forward Protocol
Flooded UDP packets have destination addresschanged to ip broadcast-address
ip forward-protocol spanning-tree
uses spanning tree database for flooding
ip forward-protocol turbo-flood
speed-up if using spanning tree flooding
Example:
ip forward-protocol spanning-tree
bridge 1 protocol dec
access-list 201 deny 0x0000 0xFFFF
interface ethernet 0
bridge-group 1
bridge-group 1 input-type-list 201
8/3/2019 2200 Advanced Routing Protocols(1)
14/80
14 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
UDP Broadcast ApplicationUDP Broadcast Application
TIC Servers 164.53.7.0
.61 .62
164.53.8.0 164.53.9.0 164.53.10.0
Trader Networks
AA BB
FeedNetwork 200.200.200.0 Feed network
provides data
TIC servers UDPbroadcast data
Feed networkconnected to
routers formanagement
e0 e0
8/3/2019 2200 Advanced Routing Protocols(1)
15/80
15 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Helper AddressesHelper Addresses
IP helper added torouter interfaceson TIC network
Each router seesthe other routersbroadcasts
Each stationreceives multiplecopies of data
TIC Servers 164.53.7.0
.61 .62
164.53.8.0 164.53.9.0 164.53.10.0
Trader Networks
AA BB
FeedNetwork 200.200.200.0
8/3/2019 2200 Advanced Routing Protocols(1)
16/80
16 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
UDP Forward ProtocolUDP Forward Protocol
Configure spanningtree
Filter non-routedprotocols
STP path costs set
A = 100 default
B = 50
Router A defaultrouter
IRDP preference
TIC Servers 164.53.7.0
.61 .62
164.53.8.0 164.53.9.0 164.53.10.0
Trader Networks
AA BB
FeedNetwork 200.200.200.0
8/3/2019 2200 Advanced Routing Protocols(1)
17/80
17 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Router A ConfigurationRouter A Configuration
ip forward-protocol spanning-treeip forward-protocol udp 111
!
interface ethernet 0ip address 200.200.200.61 255.255.255.0
ip broadcast-address 200.200.200.255
!interface ethernet 1ip address 164.53.7.61 255.255.255.192
ip broadcast-address 164.53.7.63
ip irdp preference 100
bridge-group 1
bridge-group 1 input-type-list 201
!bridge 1 protocol dec
bridge 1 priority 255
access-list 201 deny 0xFFFF 0x0000
8/3/2019 2200 Advanced Routing Protocols(1)
18/80
18 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Router B ConfigurationRouter B Configuration
ip forward-protocol spanning-treeip forward-protocol udp 111
!
interface ethernet 0
ip address 200.200.200.62 255.255.255.0
ip broadcast-address 200.200.200.255
!
interface ethernet 1
ip address 164.53.7.62 255.255.255.192
ip broadcast-address 164.53.7.63
ip irdp preference 90
bridge-group 1
bridge-group 1 path-cost 50
bridge-group 1 input-type-list 201
!
bridge 1 protocol dec
bridge 1 priority 255
access-list 201 deny 0xFFFF 0x0000
8/3/2019 2200 Advanced Routing Protocols(1)
19/80
19 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Default RoutesDefault Routes
8/3/2019 2200 Advanced Routing Protocols(1)
20/80
20 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
CITY
WORLD
Default RoutesDefault Routes
Route used if no match is found inforwarding table
Can be carried by routing protocols
Two models
Special network number: 0.0.0.0
Flagged in routing protocol
Protocols support multiple models
8/3/2019 2200 Advanced Routing Protocols(1)
21/80
21 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Creating a Default RouteCreating a Default Route
default-gateway is for host mode
RIP, RIPv2: network 0.0.0.0
IGRP, EIGRP: ip default-network
OSPF, ISIS, BGP:default originate
8/3/2019 2200 Advanced Routing Protocols(1)
22/80
22 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
ip route 0.0.0.0 0.0.0.0 s1router isis
network 19.0.0.0
default-information originate
ISIS19.0.0.0
ISIS19.0.0.0S1
19.1.1.119.1.1.2
ServiceProviderRunningBGP
L1L2L1
ISIS ExampleISIS Example
L1 default is nearest L1L2 router Both L1 and L2 ISs cangenerate a default route
A L1 IS will always prefer a L1 default route beforeusingthe closest L2 capable IS
8/3/2019 2200 Advanced Routing Protocols(1)
23/80
23 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
BGP ExampleBGP Example
Allows redistribution of 0.0.0.0 Same as adding network 0.0.0.0
IGP19.0.0.0
eBGPiBGP
19.1.1.119.1.1.2
router bgp 164default-information originate
Service
ProviderRunningBGP
8/3/2019 2200 Advanced Routing Protocols(1)
24/80
24 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Conditional DefaultConditional Default
Inserts a default route if the condition inthe route map is met
In this case, if network (prefix) 10.1.1.0/24is present, advertise a default
ip prefix-list condcond permit 10.1.1.0/24
!
route-map def-conddef-cond permit 10
match ip address prefix-list condcond
!
router ripdefault-information originate route-map def-conddef-cond
8/3/2019 2200 Advanced Routing Protocols(1)
25/80
25 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Filtering Route DataFiltering Route Data
8/3/2019 2200 Advanced Routing Protocols(1)
26/80
26 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
router xxxpassive interface serial 0
neighbor w.x.y.zneighbor w.x.y.z
s0
Passive InterfacePassive Interface
Prevents routing updates from being transmittedout an interface
Dont waste resources generating updates oninterfaces that have no need for them (loopback)
Can also usepassive-interface default
8/3/2019 2200 Advanced Routing Protocols(1)
27/80
27 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
AdvertiseB and X
AdvertiseB and Y
NetworkX
NetworkA
NetworkA
NetworkB
NetworkY
Route FilteringRoute Filtering
Selectively announce routes, per neighbor
Hide part of the topology/connectivity
Selectively accept routes, per neighbor
Refuse erroneous make-believe announcements
Protect against redistribution loops
Route filter with distribute-list command Can filter anywhere in distance-vector protocols:
RIP, IGRP, EIGRP, RIPv2 and BGP
Can filter at redistribution points betweenany protocols:
RIP, EIGRP, OSPF, IGRP, IS-IS, BGP, Static, etc.
Use route-maps at redistribution pointsBased on extended access-lists for route prefixes
Based on tags of route origin or history
Based on AS filters in BGP
8/3/2019 2200 Advanced Routing Protocols(1)
28/80
28 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
s0
10.0.0.0
172.16.1.0 129.1.1.0
PartnerNetwork
distribute list 11 in serial 0
access-list 11 permit 129.1.0.0
access-list 11 deny 0.0.0.0 255.255.255.255
10.0.0.0
Filtering Incoming UpdatesFiltering Incoming Updates
Control input of routing data
8/3/2019 2200 Advanced Routing Protocols(1)
29/80
29 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
router eigrp 111
network 128.1.0.0
distribute list 11 out serial 0
access-list 11 permit 128.1.0.0 0.0.0.0
ip default network 128.1.0.0
s0
Filtering Outgoing UpdatesFiltering Outgoing Updates
Useful to propagate default route
8/3/2019 2200 Advanced Routing Protocols(1)
30/80
30 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Precedence of FiltersPrecedence of Filters
Filter routing updates in or out bound
Interface specific or global
Evaluation order: interface, global
Example:access-list 1 deny 1.0.0.0 0.255.255.255
access-list 2 permit 1.2.3.0 0.0.0.255
router rip
distribute-list 1 in ethernet 0distribute-list 2 in
List 2 is overridden on interface ethernet 0
8/3/2019 2200 Advanced Routing Protocols(1)
31/80
31 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
RIPRIP
RIPv2RIPv2
IGRPIGRP
EIGRPEIGRP
OSPFOSPF
BGPBGP
UDP Port 520UDP Port 520
UDP Port 520UDP Port 520
IP Protocol Field 9IP Protocol Field 9
IP Protocol Field 88IP Protocol Field 88
IP Protocol Field 89IP Protocol Field 89
TCP Port 179TCP Port 179
255.255.255.255255.255.255.255
224.0.0.9 (Default)
255.255.255.255
224.0.0.9 (Default)
255.255.255.255
255.255.255.255255.255.255.255
224.0.0.10224.0.0.10
224.0.0.5 (AllOSPFRouters)224.0.0.6 (DRRouters)
224.0.0.5 (AllOSPFRouters)224.0.0.6 (DRRouters)
Neighbor AddressNeighbor Address
ACL OversightsACL Oversights
Access control lists can filter routing updates
ISISISIS 01:80:C2:00:00:1501:80:C2:00:00:15SAP 0xFEFE; Protocol 83SAP 0xFEFE; Protocol 83
8/3/2019 2200 Advanced Routing Protocols(1)
32/80
32 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
SignatureSignature
Signs RouteUpdates
VerifiesSignature
Campus
Configure: Key and Hash Function
Route UpdatesRoute Updates
Secure RoutingRoute Authentication
Secure RoutingRoute Authentication
Certifies authenticity of neighborand integrity of route updates
8/3/2019 2200 Advanced Routing Protocols(1)
33/80
33 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Signature = Encrypted Hash of Routing Update
SignatureSignature
HashHash
Routing UpdateRouting Update
Routing UpdateRouting UpdateSignatureSignature
Router A
HashFunction
HashFunction
Signature GenerationSignature Generation
8/3/2019 2200 Advanced Routing Protocols(1)
34/80
34 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
SignatureSignature
Decrypt UsingPreconfigured Key
Re-Hash theRouting Update
If Hashes AreEqual, Signature
Is Authentic
HashHash
Routing UpdateRouting Update
Routing UpdateRouting UpdateSignatureSignature
HashHash
Router B
Receiving Router SeparatesRouting Update and Signature
HashFunction
HashFunction
Signature VerificationSignature Verification
8/3/2019 2200 Advanced Routing Protocols(1)
35/80
35 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
key chain kalkey 1
key-string 234
!
interface Serial2
ip rip authentication mode md5
ip rip authentication key-chain kal
!router rip
version 2
AA
Authentication in RIPv2Authentication in RIPv2
key chain ka2
key 1
key-string 234
!
interface Serial1/0
ip rip authentication mode md5
ip rip authentication key-chain ka2
!
router rip
version 2
BB
8/3/2019 2200 Advanced Routing Protocols(1)
36/80
36 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
AuthenticationAuthentication
RIP uses text and MD5
also validate-update-source
(E)IGRP uses MD5 OSPF has text and MD5 per area and intf
ISIS has text per area and domain
MD5 authentication is on the way
BGP uses MD5 per neighbor
8/3/2019 2200 Advanced Routing Protocols(1)
37/80
37 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
DistanceDistance
8/3/2019 2200 Advanced Routing Protocols(1)
38/80
38 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Route SourceRoute Source Default DistanceDefault Distance
Connected InterfaceConnected Interface
Static RouteStatic Route
Enhanced IGRP Summary RouteEnhanced IGRP Summary Route
External BGPExternal BGP
Internal Enhanced IGRPInternal Enhanced IGRP
IGRPIGRP
OSPFOSPF
IS-ISIS-IS
RIPRIP
EGPEGP
External Enhanced IGRPExternal Enhanced IGRP
Internal BGPInternal BGP
Unknown, Discard RouteUnknown, Discard Route
00
11
55
2020
9090
100100
110110
115115
120120
140140
170170
200200
255255
Default Administrative DistancesDefault Administrative Distances
8/3/2019 2200 Advanced Routing Protocols(1)
39/80
39 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Modifying Default DistanceModifying Default Distance
distance weight [address mask
[access-list-number]
address and mask specify the source
access list applies to content
ip route dest next-hop distance
Remember the floating static route?
8/3/2019 2200 Advanced Routing Protocols(1)
40/80
40 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
128.88.1.0
router rip
network 192.31.7.0
network 128.88.0.0
distance 255distance 90 128.88.1.3 0.0.0.0
distance 120 192.31.7.0 0.0.0.255
.3
192.31.7.0
.1
.1.2
.2
Using DistanceUsing Distance
8/3/2019 2200 Advanced Routing Protocols(1)
41/80
41
RedistributionRedistribution
Hops = Bandwidth = Compound =
AS-PATH ?
Hops = Bandwidth = Compound =
AS-PATH ?
2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
8/3/2019 2200 Advanced Routing Protocols(1)
42/80
42 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Redistributing RoutesRedistributing Routes
Under a router xxx command, redistribute:
a source protocol:bgp | igrp | isis | ospf |static | connected | rip
a value for the destination protocol:metric
a route map for filtering: route-map
scope of redistribution: subnets
as well as some protocol specific parameters
RIP OSPF
8/3/2019 2200 Advanced Routing Protocols(1)
43/80
43 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Default MetricsDefault Metrics
The first, or seed, metric for a route isderived from being directly connectedto a router interface
Re-distributed routes are not physically connecteddefault-metric establishes the seedmetric for the route
Once a compatible metric is established, the metriccancan increment just like any other route
Set default metric bigger than the biggestnative metric
8/3/2019 2200 Advanced Routing Protocols(1)
44/80
44 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Configuring Default MetricsConfiguring Default Metrics
default-metric bandwidth delay
reliability loading mtu
Used for IGRP and EnhancedIGRP redistribution
default-metric number
Used for OSPF, RIP, ISIS,and BGP redistribution
8/3/2019 2200 Advanced Routing Protocols(1)
45/80
45 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Offset ListsOffset Lists
Increases incoming and outgoing metric(hops or delay)
Add 10 to the delay component of routesmatching access list 21 when outbound
router igrp
offset-list 21 out 10
access-list 21 ..
Add 5 to routes learned from interface Ethernet 0
router rip
offset-list in 5 ethernet 0
8/3/2019 2200 Advanced Routing Protocols(1)
46/80
46 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Filtering Redistribution withAccess Lists
Filtering Redistribution withAccess Lists
Filter routing updates in or out bound
Interface specific or global or redistribution
Evaluation order: interface, redistribution, global
Exampleaccess-list 1 deny 10.0.0.0 0.255.255.255
access-list 2 permit 10.2.3.0 0.0.0.255
router rip
default-metric 1
redistribute igrp 20
distribute-list 1 out igrp 20
distribute-list 2 out
8/3/2019 2200 Advanced Routing Protocols(1)
47/80
47 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Route Maps for Filtering ExampleRoute Maps for Filtering Example
Redistribute RIP routes with a hop count equalto 1 into OSPF
These routes will be redistributed into OSPF asexternal LSAs with
a metric of 5,
metric type of Type1
a tag equal to 1.
router ospf 109
redistribute rip route-map rip-to-ospf
!
route-map rip-to-ospf permit
match metric 1
set metric 5
set metric-type type1
set tag 1
8/3/2019 2200 Advanced Routing Protocols(1)
48/80
48 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Feedback LoopsFeedback Loops
When crossing a redistribution boundary,information is lost
A physical or logical loop causes a route
to be advertised back to the redistributingrouter that first advertised it
How does the router know which routeto accept?
Answer: it cantcant know
Humans have to re-insert the lost information
8/3/2019 2200 Advanced Routing Protocols(1)
49/80
49 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
AS 300
EIGRP
RIP
172.16.0.0
172.16
EIGRP
172.16
RIP
172.16
EIGRP
172.16
RIP
ASBRASBR
ASBRASBR
Implementation ConsiderationsImplementation Considerations
Routing feedbackSuboptimal path selection
Routing loops
Incompatible routing information
Inconsistent convergence time
8/3/2019 2200 Advanced Routing Protocols(1)
50/80
50 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
172.16.2.0
IGRPProcess
RIPProcess
Filter172.16.1.0
Allow172.16.2.0
Filter172.16.2.0
Allow172.16.1.0
172.16.1.0
Filter to AvoidRedistribution Feedback
Filter to AvoidRedistribution Feedback
Impose split horizon when redistributing
8/3/2019 2200 Advanced Routing Protocols(1)
51/80
51
Policy RoutingPolicy Routing
When Destinations Arent
Enough
When Destinations Arent
Enough
2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
8/3/2019 2200 Advanced Routing Protocols(1)
52/80
52 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Customer A
Customer B
ISP A
ISP B
Policy RoutingPolicy Routing
Forwarding decision not based ondestination address
Selects defined path based on attributes of userpacket (source/destination IP address,application port, packet lengths, and so forth)
Set next hop or interface
Set default next hop or interface
8/3/2019 2200 Advanced Routing Protocols(1)
53/80
53 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
How Policy Routing WorksHow Policy Routing Works
All packets received on an interface are consideredfor policy routing
Each packet is passed through a route map
Each entry in a route map has match and set clauses
Match clauses are conditions to be met
If all match clauses conditions are met by the packet, thenthat route map entry is used and no others are considered
An entry can be marked permit or deny
If deny, normal forwarding is used
If is permit, all set clauses are then applied andthe packet is forwarded
8/3/2019 2200 Advanced Routing Protocols(1)
54/80
54 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
match lengthmin-length max-length
Policy Routing Match ClausesPolicy Routing Match Clauses
Match packets against the access lists to permitpolicy routing of them
If the Layer3 packet length is between min-lengthand max-length, inclusive, the packet matches
Useful for distinguishing interactive versus bulktraffic when access lists will not work
match ip address access-list-expressions
8/3/2019 2200 Advanced Routing Protocols(1)
55/80
55 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
set ip next-hop ip-address1 []
Policy Routing Set ClausesPolicy Routing Set Clauses
Route packets to router at ip-address1
If there is no explicit route for thisdestination, then route to this hop
Both use the first IP address associatedwith an up/up interface
set ip default next-hop ip-address1 []
8/3/2019 2200 Advanced Routing Protocols(1)
56/80
56 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
set interface interface1 []
set default interface interface1 []
Policy Routing Set ClausesPolicy Routing Set Clauses
Specifies the output interface for thematched packet
If there is no explicit route for this destination,then route to this interface
If interface1 is down interface2 and subsequentinterfaces are tried
Setting interface to Null0 creates a policy thatdrops the packet
8/3/2019 2200 Advanced Routing Protocols(1)
57/80
57 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Policy Routing Set ClausesPolicy Routing Set Clauses
Set the IP TOS or precedence header field
Can use numeric or symbolic value
set ip precedence value
valuevalue namename
0 routine0 routine
1 priority1 priority
2 immediate2 immediate
3 flash3 flash
4 flash-override4 flash-override
5 critical5 critical6 internet6 internet
7 network7 network
set ip tos value
valuevalue namename
0 normal0 normal
1 min-monetary-cost1 min-monetary-cost
2 max-reliability2 max-reliability
4 max-throughput4 max-throughput8 min-delay8 min-delay
8/3/2019 2200 Advanced Routing Protocols(1)
58/80
58 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Policy Routing ConfigurationPolicy Routing Configuration
The set commands are evaluated in thefollowing order:
set ip precedence
set ip next-hop
set interfaceset ip default next-hop
set default interface
A valid next hop implies the output interface
The first combination of next hop andinterface is used
Router sourced packets are policy routed via ip localroute-map foocommand
8/3/2019 2200 Advanced Routing Protocols(1)
59/80
59 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
interface Ethernet0
ip address 192.168.93.10 255.255.255.0
ip policy route-map foofoo
interface Serial1
ip address 11.0.0.2 255.0.0.0
interface BRI0
ip address 10.0.0.2 255.0.0.0
route-map foofoo permit 12
set default interface Null0
route-map foofoo permit 11
match ip address 103
set ip next-hop 10.0.0.1
route-map foofoo permit 10
match ip address 101
set ip next-hop 11.0.0.1
access-list 101 permit tcp 192.168.93.0 0.0.0.255 any eq telnet
access-list 101 permit icmp any any
access-list 103 permit tcp 192.168.93.0 0.0.0.255 any eq ftp
192.168.93.0
s1
bri0
telnetand ping
ftp
Policy Routing ExamplePolicy Routing Example
8/3/2019 2200 Advanced Routing Protocols(1)
60/80
60 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
EnterpriseBackbone
Standard ISPStandard ISPPremium ISPPremium ISP
NPR NPR
E.g. ERP Application E.g. E-mail
NetFlow Policy Routing (NPR)NetFlow Policy Routing (NPR)
Powerful trafficengineering
ISP and/orapplicationselection
Distributedperformance andflow acceleration
IP precedence-based QoS
8/3/2019 2200 Advanced Routing Protocols(1)
61/80
61 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
NetFlow Policy Based RoutingNetFlow Policy Based Routing
No flow acceleration if anymatch packet-sizeclause is used
Packet size is not part of a flow definition
If the router is policy routing packets to a next hop
and it is down, the router will try unsuccessfully touse ARP (which is down). This behavior willcontinue forever
To prevent this, configure the router to first verifythat the next hop(s) of the route map is a CDP
neighbor(s) before routing to that next hop
set ip next-hop verify-availability is notsupported in dCEF since it doesnt support CDP
8/3/2019 2200 Advanced Routing Protocols(1)
62/80
62 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
NPR ExampleNPR Example
Configure CEF, NetFlow, andNetFlow with flow acceleration
Configure policy routing to verifythat next hop 50.0.0.8 of routemap test is a CDP neighbor before
the router tries to policy route to it If the first packet is policy routed
via route map 10, the packets ofthe same flow always take thesame route map (10), not routemap 20, because they all match or
pass access list 1 check Policy Routing can be flow-
accelerated by bypassing theaccess-list check
ip cef
ip flow-cache feature-accelerate
interface ethernet0/0/1
ip route-cache flow
ip policy route-map test
route-map test permit 10
match ip address 1
set ip precedence priority
set ip next-hop 50.0.0.8
set ip next-hop verify-availability
route-map test permit 20
match ip address 101
set interface Ethernet0/0/3
set ip tos max-throughput
8/3/2019 2200 Advanced Routing Protocols(1)
63/80
63 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Routing to the InternetRouting to the Internet
To Infinity and Beyond!To Infinity and Beyond!
8/3/2019 2200 Advanced Routing Protocols(1)
64/80
64 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
The Internet ChallengeThe Internet Challenge
On the Internet, nobody knows youre a dog.
I d EI d E
8/3/2019 2200 Advanced Routing Protocols(1)
65/80
65 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Ingress and EgressRoute Filtering
Ingress and EgressRoute Filtering
There are routes that should notbe routed on the Internet
RFC 1918
127.0.0.0/8
Multicast blocks
Martian Networks
BGP should have filters applied
so that these routes are notadvertised to or propagatedthrough the Internet
I d EI d E
8/3/2019 2200 Advanced Routing Protocols(1)
66/80
66 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
access-list 180
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
deny ip 192.0.2.0.0 0.0.0.255 255.255.255.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
permit ip any any
Access List
Ingress and EgressRoute Filtering
Ingress and EgressRoute Filtering
8/3/2019 2200 Advanced Routing Protocols(1)
67/80
67 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Simplest scheme is touse defaults
Learn/advertise prefix forbetter control
Use eBGP multi-path toinstall multiple paths inIP table
maximum-path
Load share over thealternate paths
AS 201
ISP
DD FF
AA
Multiple Sessions to an ISPMultiple Sessions to an ISP
8/3/2019 2200 Advanced Routing Protocols(1)
68/80
68 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
What Is Multihoming?What Is Multihoming?
Connecting to two or more ISPs to increase:
Reliability: one ISP fails, still OK
Performance: better paths to common
Internet destinations
Three common cases:
Default from all providers
Customer+default routes from all
Full routes from all AS 400
AS 200
Customer
AS 100
160.10.0.0/16
AS 300
EE
BB
CC
AA
DD
8/3/2019 2200 Advanced Routing Protocols(1)
69/80
69 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
ISP 2
Sessions to Multiple ISPsSessions to Multiple ISPs
Difficult to achieve loadsharing
Point default towards one ISP Learn selected prefixes from
second ISP
Modify the number of prefixes
learned to achieve acceptableload sharing AS 201
ISP 1
8/3/2019 2200 Advanced Routing Protocols(1)
70/80
70 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Default from All ProvidersDefault from All Providers
Low memory/CPU/$$$ solution Provider sends BGP default => exit
path decided by IGP metrics toreach default
Customer sends all local AS routes toprovider => inbound pathdecided by Internet
You can try to
influence usingAS-path
AS 400
AS 200
AS 100160.10.0.0/16
AS 300
EE
BB
CC
AA
DD
0.0.0.0 0.0.0.0
C t d D f lt F AllC t d D f lt F All
8/3/2019 2200 Advanced Routing Protocols(1)
71/80
71 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Customer and Default From AllProviders
Customer and Default From AllProviders
Medium memory and CPU
Best pathusually shortest AS-path
Use local-preference to override based
on prefix, as-path, or community
IGP metric to defaultused for all otherdestinations
AS 400
ProviderAS 200
CustomerAS 100
160.10.0.0/16
ProviderAS 300
EE
BB
CC
AA
DD
8/3/2019 2200 Advanced Routing Protocols(1)
72/80
72 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Full Routes from All ProvidersFull Routes from All Providers
Higher memory/CPU/$$$ solution Reach all destinations by best
pathUsually shortest AS path
Can still manually tune using local-prefand as-path/community/prefix matches
AS 400
AS 200
AS 100
AS 300
EE
BB
CC
AA
DD
AS 500
8/3/2019 2200 Advanced Routing Protocols(1)
73/80
73
ConclusionConclusion
Be Careful Out ThereBe Careful Out There
2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
8/3/2019 2200 Advanced Routing Protocols(1)
74/80
74 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Summary Part 1Summary Part 1
Under normal operation, there should beexactly one interior routing protocol onany network segment
Use passive-interface as necessary toensure this
The number of redistribution boundariesshould be kept to a minimum
Run as few routing protocols as possible
8/3/2019 2200 Advanced Routing Protocols(1)
75/80
75 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
Summary Part 2Summary Part 2
Choose routing protocol based on matchingrequirements with features
Addressing should be contiguous with
respect to topology Redistribute routes only as necessary and as
few as required
Use advanced features for special cases and
for fine tuning
Test and understand before you implement
8/3/2019 2200 Advanced Routing Protocols(1)
76/80
8/3/2019 2200 Advanced Routing Protocols(1)
77/80
Advanced
Routing Technologies
Advanced
Routing Technologies
77 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
By Itsik Malka
By Itsik Malka
8/3/2019 2200 Advanced Routing Protocols(1)
78/80
Please Complete Your
Evaluation Form
Please Complete Your
Evaluation FormSession 2200Session 2200
78 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
8/3/2019 2200 Advanced Routing Protocols(1)
79/80
79 2000, Cisco Systems, Inc.
2200
1303_06_2000_c2
8/3/2019 2200 Advanced Routing Protocols(1)
80/80