
PBR next-hop and default next-hop for redirecting packets (Case#2) April 22, 2009

Posted by ZoeL in CCIE LAB, Cisco.

Here is another case for PBR next-hop.
Two different networks with a few clients each want to reach SAP and non-SAP servers at headquarters through an edge router that has two different paths to those servers.

(Diagram: next-hop with 2 paths)

R5 plays the role of the nonSAP clients, R4 the SAP clients, and R3 has two Loopback interfaces representing the SAP and nonSAP servers.

Our client specifically wants us to meet the conditions below:

– R4 accesses the SAP server (Loopback interface of R3) via R1 – R3.
– R5 accesses the nonSAP server (Loopback interface of R3) via R1 – R2 – R3.
– If the R1 – R3 connection fails (is disconnected), SAP traffic uses R1 – R2 – R3 to reach the SAP server.
– R1 – R3 runs BGP (eBGP), while R1 – R2 – R3 runs an IGP (EIGRP).

R1 – R2 : 12.12.12.0/30
R1 – R3 : 13.13.13.0/30
R1 – R4 : 14.14.14.0/30
R1 – R5 : 15.15.15.0/30
R3 Loopback 0 : 34.34.34.34/32 (SAP server)
R3 Loopback 1 : 35.35.35.35/32 (nonSAP server)
R5 : nonSAP clients
R4 : SAP clients

Normally, all packets reach R3 via R1 – R3, because eBGP has a lower administrative distance (AD 20) than EIGRP (AD 90 internal, 170 external).

(Table: administrative distances)

In order to meet the requirement to redirect packets from R5 towards R2 for the nonSAP server, we can use PBR (Policy Based Routing) with a set ip next-hop statement after the match clauses. For R4, if the eBGP connection to R3 fails, the route is removed from the BGP table and R4 should then use R2 to reach the loopback on R3. To make sure of this, we create another route-map and use set ip default next-hop, which tells R1 to send packets from R4 to R2 only when the routing table has no explicit route for the destination.

Note: we actually do not have to create a route-map for the SAP (R1 – R3) connection, because R4 will naturally use the BGP route to reach R3. But for the purpose of this experiment, the route-map from R4 to R3 is created to show how PBR next-hop and default next-hop really work.
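To make the difference between the two set statements concrete, here is a small model of R1's forwarding decision (an added example, not configuration or code from the post): a longest-prefix routing table lookup, the two route-map clauses above, and the rule that set ip next-hop overrides the routing table while set ip default next-hop is consulted only when no explicit route exists. The routing tables for the link-up and link-down states are constructed assumptions that follow the scenario text.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

def rib_lookup(rib, dst, explicit_only=False):
    """Longest-prefix match over rib (prefix -> next hop). With explicit_only a
    0.0.0.0/0 entry is ignored, which is how 'set ip default next-hop' consults
    the routing table before falling back to the policy's next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in rib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None or (explicit_only and best[0] == DEFAULT_ROUTE):
        return None
    return best[1]

def pbr_forward(rib, policy, src, dst):
    """policy: route-map clauses as (src_net, dst_host, action, hop); returns the
    next hop R1 would use for a packet, or None when nothing can forward it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_host, action, hop in policy:
        if s in ipaddress.ip_network(src_net) and d == ipaddress.ip_address(dst_host):
            if action == "next-hop":           # set ip next-hop: policy beats the RIB
                return hop
            if action == "default next-hop":   # set ip default next-hop: RIB first
                return rib_lookup(rib, dst, explicit_only=True) or hop
    return rib_lookup(rib, dst)                # no clause matched: normal routing

# Clauses from route-map SAP (Fa1/1) and route-map nonSAP (Fa1/0) in the post.
SAP_POLICY = [("14.14.14.0/30", "34.34.34.34", "default next-hop", "12.12.12.2")]
NONSAP_POLICY = [("15.15.15.0/30", "35.35.35.35", "next-hop", "12.12.12.2")]

def r1_rib(r1_r3_link_up):
    """Constructed view of R1's best paths to the R3 loopbacks: eBGP (AD 20) via
    13.13.13.2 while the link is up, the EIGRP path via R2 after it fails."""
    hop = "13.13.13.2" if r1_r3_link_up else "12.12.12.2"
    return {ipaddress.ip_network("34.34.34.34/32"): hop,
            ipaddress.ip_network("35.35.35.35/32"): hop}

def scenario(r1_r3_link_up):
    """Next hop chosen on R1 for the three flows tested in the post."""
    rib = r1_rib(r1_r3_link_up)
    return {
        "R4->SAP": pbr_forward(rib, SAP_POLICY, "14.14.14.2", "34.34.34.34"),
        "R5->nonSAP": pbr_forward(rib, NONSAP_POLICY, "15.15.15.2", "35.35.35.35"),
        "R5->SAP": pbr_forward(rib, NONSAP_POLICY, "15.15.15.2", "34.34.34.34"),
    }

if __name__ == "__main__":
    for up in (True, False):
        print("R1-R3 link up:" if up else "R1-R3 link down:", scenario(up))
```

The third flow (R5 to the SAP loopback) shows why the nonSAP route-map is skipped for that traffic: its access-list matches only the nonSAP destination, so the packet follows the routing table.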

My setup for this scenario (comments and suggestions are always welcome):
EIGRP runs on R1, R2 and R3. eBGP runs between R3 and R1. Redistribution into EIGRP and BGP is done on R3 only. To avoid a routing loop, I do not redistribute between EIGRP and BGP on R1.

R1
!
hostname R1
!
// IP CEF enabled for fast switching of packets. Confirm the next-hop
// for each destination and source with show ip cef
ip cef
!
interface FastEthernet0/0
ip address 13.13.13.1 255.255.255.252
!
interface FastEthernet0/1
ip address 12.12.12.1 255.255.255.252
!
interface FastEthernet1/0
ip address 15.15.15.1 255.255.255.252
ip policy route-map nonSAP // for nonSAP
!
interface FastEthernet1/1
ip address 14.14.14.1 255.255.255.252
ip policy route-map SAP //for SAP
!
//–network of R4 and R5 stated inside EIGRP–
router eigrp 100
network 12.12.12.0 0.0.0.3
network 14.14.14.0 0.0.0.3
network 15.15.15.0 0.0.0.3
auto-summary
!
//–network of R4 and R5 stated inside BGP–
router bgp 200
no synchronization
bgp log-neighbor-changes
network 13.13.13.0 mask 255.255.255.252
network 14.14.14.0 mask 255.255.255.252
network 15.15.15.0 mask 255.255.255.252
neighbor 13.13.13.2 remote-as 100
no auto-summary
!
access-list 101 permit icmp 14.14.14.0 0.0.0.3 host 34.34.34.34 echo
access-list 101 permit ip 14.14.14.0 0.0.0.3 host 34.34.34.34
access-list 102 permit icmp 15.15.15.0 0.0.0.3 host 35.35.35.35 echo
access-list 102 permit ip 15.15.15.0 0.0.0.3 host 35.35.35.35
!
route-map nonSAP permit 20
match ip address 102
set ip next-hop 12.12.12.2
!
route-map SAP permit 10
match ip address 101
set ip default next-hop 12.12.12.2
!

R2
!
hostname R2
!
ip cef
!
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.252
!
interface FastEthernet0/1
ip address 23.23.23.1 255.255.255.252
!
router eigrp 100
network 12.12.12.0 0.0.0.3
network 23.23.23.0 0.0.0.3
no auto-summary
!

R3
!
hostname R3
!
interface Loopback0
ip address 34.34.34.34 255.255.255.255
!
interface Loopback1
ip address 35.35.35.35 255.255.255.255
!
interface FastEthernet0/0
ip address 13.13.13.2 255.255.255.252
!
interface FastEthernet0/1
ip address 23.23.23.2 255.255.255.252
!
router eigrp 100
redistribute bgp 100 metric 1 1 255 255 1500
network 23.23.23.0 0.0.0.3
network 34.34.34.34 0.0.0.0
network 35.35.35.35 0.0.0.0
no auto-summary
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 13.13.13.0 mask 255.255.255.252
redistribute eigrp 100 metric 1
neighbor 13.13.13.1 remote-as 200
no auto-summary
!

R4
!
hostname R4-SAP
!
ip cef
!
interface FastEthernet0/0
ip address 14.14.14.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 14.14.14.1
!

R5
!
hostname R5-nonSAP
!
ip cef
!
interface FastEthernet0/0
ip address 15.15.15.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 15.15.15.1
!

Now we run some tests, and here are the results.

Verify the existing next-hops with show ip cef on R1:

R1#sh ip cef
—–output omitted—–
15.15.15.3/32        receive
23.23.23.0/30        13.13.13.2
34.34.34.34/32       13.13.13.2
35.35.35.35/32       13.13.13.2

224.0.0.0/4          drop
224.0.0.0/24         receive
255.255.255.255/32   receive
R1#

As seen, 34.34.34.34 and 35.35.35.35 are both listed with next-hop 13.13.13.2.
Now we check our PBR process with ping and traceroute from R4 and R5.

R4-SAP#
R4-SAP#ping 34.34.34.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.34.34.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/48/112 ms
R4-SAP#
R4-SAP#traceroute 34.34.34.34

Type escape sequence to abort.
Tracing the route to 34.34.34.34

1 14.14.14.1 36 msec 44 msec 64 msec
2 13.13.13.2 52 msec 60 msec *

R4-SAP#

As seen from R4, the connection to the SAP server uses the path R1-R3.

R5-nonSAP#
R5-nonSAP#ping 35.35.35.35

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 35.35.35.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/32 ms
R5-nonSAP#
R5-nonSAP#traceroute 35.35.35.35

Type escape sequence to abort.
Tracing the route to 35.35.35.35

1 15.15.15.1 84 msec 64 msec 24 msec
2 12.12.12.2 100 msec 52 msec 52 msec
3 23.23.23.2 92 msec 84 msec *

R5-nonSAP#

And R5 uses the path R1-R2-R3 to reach the nonSAP server.
Now we check the access-list hit counts.

R1#sh ip access-l
Extended IP access list 101
10 permit icmp 14.14.14.0 0.0.0.3 host 34.34.34.34 echo (9 matches)
20 permit ip 14.14.14.0 0.0.0.3 host 34.34.34.34 (6 matches)

Extended IP access list 102
10 permit icmp 15.15.15.0 0.0.0.3 host 35.35.35.35 echo (9 matches)
20 permit ip 15.15.15.0 0.0.0.3 host 35.35.35.35 (9 matches)

R1#

Regardless of the exact hit counts, we can confirm that our PBR is working by the matches increasing each time we ping and traceroute to the R3 loopbacks.

What if a user on the nonSAP router accesses the SAP server on R3?

R5-nonSAP#
R5-nonSAP#traceroute 34.34.34.34

Type escape sequence to abort.
Tracing the route to 34.34.34.34

1 15.15.15.1 44 msec 24 msec 20 msec
2 13.13.13.2 80 msec 80 msec *

R5-nonSAP#

Access-list 102 only matches packets with source 15.15.15.0/30 and destination 35.35.35.35, so the path R1-R2-R3 is used only for that traffic. When R5 (nonSAP) wants to reach the SAP loopback on R3, the route-map is skipped and the normal path (R1-R3) is used.

So, if you want to redirect all packets from R5 to R3 via R2, reconfigure your access-list as below:

!
access-list 102 permit icmp any host 35.35.35.35 echo
access-list 102 permit ip any host 35.35.35.35

!

Okay, next test.
What happens if we shut down the link from R1 to R3?
Before we do that, confirm the BGP / EIGRP routes and the CEF table on R2.
Note that R2 currently reaches the 14.14.14.0/30 and 15.15.15.0/30 networks via R3 (FastEthernet0/1), while the /8 summaries come from R1.

// CEF Table
R2#sh ip cef
—– output omitted —–
14.0.0.0/8           12.12.12.1           FastEthernet0/0
14.14.14.0/30        23.23.23.2           FastEthernet0/1
15.0.0.0/8           12.12.12.1           FastEthernet0/0
15.15.15.0/30        23.23.23.2           FastEthernet0/1
—– output omitted —–

R2#

// verify current routes to networks 14.14.14.0/30 and 15.15.15.0/30 on R2
R2#sh ip route
——— output omitted ———
14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D EX    14.14.14.0/30 [170/2560002816] via 23.23.23.2, 01:38:24, FastEthernet0/1
D       14.0.0.0/8 [90/30720] via 12.12.12.1, 01:39:35, FastEthernet0/0
15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D EX    15.15.15.0/30 [170/2560002816] via 23.23.23.2, 01:38:25, FastEthernet0/1
D       15.0.0.0/8 [90/30720] via 12.12.12.1, 01:39:35, FastEthernet0/0
R2#

Now, shut down interface fa0/0 on R1 to force the BGP session down.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#shut
R1(config-if)#
01:38:54: %BGP-5-ADJCHANGE: neighbor 13.13.13.2 Down Interface flap
01:38:56: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
01:38:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#
R1(config-if)#^Z
R1#

Wait a little longer for the BGP down notification sent from R3 (hold time expired).

R3#
01:40:46: %BGP-5-ADJCHANGE: neighbor 13.13.13.1 Down BGP Notification sent
01:40:46: %BGP-3-NOTIFICATION: sent to neighbor 13.13.13.1 4/0 (hold time expired) 0 bytes
R3#

Verify the routing path on R2. The EIGRP external routes (redistributed from BGP) for 14.14.14.0/30 and 15.15.15.0/30 learned from R3 disappear. R2 is left with only the 14.0.0.0/8 and 15.0.0.0/8 summaries learned from R1.

R2#sh ip route
——- output omitted ——-
14.0.0.0/8 is subnetted, 1 subnets
D       14.0.0.0 [90/30720] via 12.12.12.1, 01:43:37, FastEthernet0/0
15.0.0.0/8 is subnetted, 1 subnets
D       15.0.0.0 [90/30720] via 12.12.12.1, 01:43:37, FastEthernet0/0
R2#

And the CEF table on R2 now shows the next-hop for 14.0.0.0/8 and 15.0.0.0/8 as 12.12.12.1 (fa0/0).

R2#sh ip cef
—— output omitted ——
14.0.0.0/8           12.12.12.1           FastEthernet0/0
15.0.0.0/8           12.12.12.1           FastEthernet0/0
—— output omitted ——

R2#

Traceroute results from R4 and R5:

R4-SAP#traceroute 34.34.34.34

Type escape sequence to abort.
Tracing the route to 34.34.34.34

1 14.14.14.1 52 msec 24 msec 24 msec
2 12.12.12.2 72 msec 24 msec 40 msec
3 23.23.23.2 44 msec 120 msec *
R4-SAP#

R5-nonSAP#traceroute 35.35.35.35

Type escape sequence to abort.
Tracing the route to 35.35.35.35

1 15.15.15.1 44 msec 64 msec 28 msec
2 12.12.12.2 44 msec 56 msec 48 msec
3 23.23.23.2 44 msec 96 msec *
R5-nonSAP#

Both R4 and R5 now use R2 as their next-hop to reach R3: R5 because of set ip next-hop, and R4 because the BGP route via 13.13.13.2 is gone and its traffic follows the remaining path via R2.

.end.
