Problem description
Policy-based routing lets you forward packets according to rules you define yourself, not only according to the destination address. This article shows how policy-based routing solves the problem described below.
In practice, policy-based routing is typically used for:
☆Policy routing based on the source IP address
☆Policy routing based on packet size
☆Policy routing based on application
☆Load balancing across default routes
This article describes the first case, policy routing based on the source IP address.
Example
In this example, the firewall translates the 10.0.0.0/8 intranet addresses into routable addresses from the 172.16.255.0/24 subnet.
The firewall configuration below is included for completeness; it is not required for the policy routing configuration itself, and the firewall can be replaced by a PIX or another similar firewall device. The firewall configuration is as follows:
!
ip nat pool net-10 172.16.255.1 172.16.255.254 prefix-length 24
ip nat inside source list 1 pool net-10
!
interface Ethernet0
 ip address 172.16.20.2 255.255.255.0
 ip nat outside
!
interface Ethernet1
 ip address 172.16.39.2 255.255.255.0
 ip nat inside
!
! routing process type assumed to be igrp (the page reads "VPN 1", which is not an IOS process;
! the five-value default-metric below is the IGRP/EIGRP form)
router igrp 1
 redistribute static
 network 172.16.0.0
 default-metric 10000 100 255 1 1500
!
ip route 172.16.255.0 255.255.255.0 Null0
access-list 1 permit 10.0.0.0 0.255.255.255
!
end
In our example, the Cisco WAN router runs a policy route to make sure that IP packets from the intranet are sent to the firewall. The route-map net-10 in the configuration has two entries. The first sends IP packets sourced from the 10.0.0.0/8 network to the firewall (we will soon see the configuration problem in it); the second lets all other packets be routed normally. The configuration of the Cisco WAN router is as follows:
!
interface Ethernet0/0
 ip address 172.16.187.3 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/1
 ip address 172.16.39.3 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet3/0
 ip address 172.16.79.3 255.255.255.0
 no ip directed-broadcast
 ip policy route-map net-10
!
! routing process type assumed to be igrp (the page reads "VPN 1", which is not an IOS process)
router igrp 1
 network 172.16.0.0
!
access-list 110 permit ip 10.0.0.0 0.255.255.255 172.16.36.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
route-map net-10 permit 10
 match ip address 111
 set interface Ethernet0/1
!
route-map net-10 permit 20
!
end
We can test the configuration as follows. From the router named Cisco-1 (address 10.1.1.1), ping a host on the Internet (here, the host 192.1.1.1). On the router named Internet_Router, run the command debug ip packet 101 detail in privileged mode (this router has an access-list 101 permit icmp any any configured). The output is:
Results of ping from Cisco-1 to 192.1.1.1/internet taken from Internet_Router:
Packet never makes it to Internet_Router
As you can see, the packet never reaches Internet_Router. Running the following debug command on Cisco_WAN_Router shows why:
Debug commands run from Cisco_WAN_Router:
"debug ip policy"
2d15h: IP: s = 10.1.1.1 (Ethernet3/0), d = 192.1.1.1, len 100, policy match
2d15h: IP: route map net-10, item 10, permit
2d15h: IP: s = 10.1.1.1 (Ethernet3/0), d = 192.1.1.1 (Ethernet0/1), len 100, policy routed
2d15h: IP: Ethernet3/0 to Ethernet0/1 192.1.1.1
Here the packet does match the first entry of route-map net-10. So why does it not reach its intended destination? Let's look at it with debug arp:
"debug arp"
2d15h: IP ARP: sent req src 172.16.39.3 0010.7bcf.5b02, dst 192.1.1.1 0000.0000.0000 Ethernet0/1
2d15h: IP ARP rep filtered src 192.1.1.1 00e0.b064.243d, dst 172.16.39.3 0010.7bcf.5b02
wrong cable, interface Ethernet0/1
The output of debug arp gives the reason. The router tries to do what the route-map tells it and send the packet out interface Ethernet0/1, but fails. To send it there, the router must resolve the destination address 192.1.1.1 with ARP on that interface. When it does so, it finds that the destination is not on that interface's segment (the ARP reply is filtered as coming from the "wrong cable"), so encapsulation fails and the packet never reaches 192.1.1.1.
How can we avoid this problem? Modify the route-map so that the firewall address is set as the next hop:
Config changed on Cisco_WAN_Router:
!
route-map net-10 permit 10
 match ip address 111
 set ip next-hop 172.16.39.2
!
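As an added illustration (example code, not from the page or from Cisco), the following Python model walks both versions of route-map net-10 and shows why set interface fails on an Ethernet segment while set ip next-hop works: with set interface the router must ARP for the final destination on that segment, and an off-segment target is rejected as "wrong cable". The interface table, the ARP filter rule and the helper names are assumptions modelled on the configuration above.

```python
import ipaddress

# Constructed model of the page's Cisco_WAN_Router interfaces (example code, not from the page).
INTERFACES = {
    "Ethernet0/0": ipaddress.ip_network("172.16.187.0/24"),
    "Ethernet0/1": ipaddress.ip_network("172.16.39.0/24"),
    "Ethernet3/0": ipaddress.ip_network("172.16.79.0/24"),
}

def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair (10.0.0.0 0.255.255.255) into a network."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")  # contiguous wildcards only
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

# access-list 111 permit ip 10.0.0.0 0.255.255.255 any
ACL_111 = [(wildcard_to_network("10.0.0.0", "0.255.255.255"), ipaddress.ip_network("0.0.0.0/0"))]

def acl_permits(src, dst, entries):
    """True if any (source network, destination network) entry permits the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in entries)

def policy_route(src, dst, route_map):
    """Walk a route-map given as [(acl or None, action)], where action is
    ("interface", name), ("next-hop", ip) or None (an empty entry = normal routing).
    Returns (egress interface, address the router ARPs for) or a failure tuple."""
    for acl, action in route_map:
        if acl is not None and not acl_permits(src, dst, acl):
            continue  # no match: fall through to the next route-map entry
        if action is None:
            return ("normal routing", None)
        kind, value = action
        if kind == "next-hop":  # set ip next-hop: ARP for the next hop itself
            target = ipaddress.ip_address(value)
            iface = next((i for i, net in INTERFACES.items() if target in net), None)
            if iface is None:
                return ("next hop not connected", str(target))
        else:  # set interface: ARP for the final destination on that segment
            iface, target = value, ipaddress.ip_address(dst)
        if target not in INTERFACES[iface]:
            # Off-segment ARP target: any reply is filtered as "wrong cable" and the
            # packet cannot be encapsulated, which is what the page's debug arp shows.
            return ("encapsulation failed", f"{target} not on {iface}")
        return (iface, str(target))
    return ("normal routing", None)

# The original and the corrected route-map net-10 from the page.
NET10_BROKEN = [(ACL_111, ("interface", "Ethernet0/1")), (None, None)]
NET10_FIXED = [(ACL_111, ("next-hop", "172.16.39.2")), (None, None)]
```

Calling policy_route("10.1.1.1", "192.1.1.1", NET10_BROKEN) reports the encapsulation failure, while the same packet against NET10_FIXED resolves to Ethernet0/1 with 172.16.39.2 as the ARP target.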
After the change, run the same command, debug ip packet 101 detail, on Internet_Router again. This time the packets are forwarded as intended. We can also see that the firewall has translated the source address to 172.16.255.1 and that the 192.1.1.1 host replies:
Results of ping from Cisco_1 to 192.1.1.1/internet taken from Internet_Router:
2d15h: IP: s = 172.16.255.1 (Ethernet1), d = 192.1.1.1 (Serial0), g = 192.1.1.1, len 100, forward
2d15h: ICMP type = 8, code = 0
2d15h:
2d15h: IP: s = 192.1.1.1 (Serial0), d = 172.16.255.1 (Ethernet1), g = 172.16.20.2, len 100, forward
2d15h: ICMP type = 0, code = 0
2d15h:
Running debug ip policy on the Cisco WAN router shows that the packet is now sent to the firewall, 172.16.39.2:
Debug commands run from Cisco_WAN_Router:
"debug ip policy"
2d15h: IP: s = 10.1.1.1 (Ethernet3/0), d = 192.1.1.1, len 100, policy match
2d15h: IP: route map net-10, item 20, permit
2d15h: IP: s = 10.1.1.1 (Ethernet3/0), d = 192.1.1.1 (Ethernet0/1), len 100, policy routed
2d15h: IP: Ethernet3/0 to Ethernet0/1 172.16.39.2