CIS 185 CCNP ROUTE Ch. 5 Path Control Implementation Rick Graziani Cabrillo College [email protected] Last Updated: Spring 2015



  • Once again: there are 135+ slides in this presentation, but we will only be covering the first 80 or so.

  • Topics
    Best Path Decisions
    Policy Based Routing
    Concepts of Path Control
    Path Control with Offset Lists
    Path Control with Cisco IOS IP SLAs
    Path Control with Policy Based Routing

  • Best Path Decisions

  • Best Path Decisions
    The router uses its routing table to determine the best path on which to forward the packet. When the router receives a packet, it examines the destination IP address and searches for the best network address match in the routing table. The routing table entry also includes the interface to be used to forward the packet. Once a match is found, the router encapsulates the IP packet into the data link frame of the outgoing (exit) interface, and the packet is then forwarded toward its destination.

    Routers support three packet-forwarding mechanisms:
    Process switching
    Fast switching
    Cisco Express Forwarding (CEF)

  • Process Switching
    Earliest switching method (applies to both routers and multilayer switches). This is an older packet-forwarding mechanism: when a packet arrives on an interface, it is forwarded to the control plane, where the CPU examines the routing table, determines the exit interface and forwards the packet. It does this for every packet, even if the destination is the same for a whole stream of packets.
    [Figure: 1st through 5th packet, ingress interface to egress interface, each one consulting the IP routing table]
    Analogy: process switching solves a problem by doing the math long hand every time, even if it is the identical problem.

  • Fast Switching
    As routers had to process more packets, it was determined that process switching was not fast enough. The next evolution in packet switching was fast switching (applies to both routers and multilayer switches). The first packet is process-switched (CPU + routing table), but the router also uses a fast-switching cache to store the next-hop information for the flow. The next packets in the flow are forwarded using the cache, without CPU intervention.
    [Figure: 1st packet consults the IP routing table; 2nd through 5th packet are forwarded from the cache, ingress interface to egress interface]
    Analogy: fast switching solves a problem by doing the math long hand one time and remembering the answer for subsequent identical problems.

  • CEF Switching
    Preferred and default Cisco IOS packet-forwarding mechanism for routers and multilayer switches. CEF copies the routing table to the Forwarding Information Base (FIB). CEF also creates an adjacency table, which contains all the Layer 2 information a router would have to consider when forwarding a packet, such as the Ethernet destination MAC address. The adjacency table is created from the ARP table.
    [Figure: 1st through 5th packet, ingress interface to egress interface, all forwarded from the FIB and adjacency table]
    Analogy: CEF solves every possible problem ahead of time in a spreadsheet.

  • CEF
    The FIB is derived from the IP routing table and arranged for maximum lookup throughput. Updates to the routing table update the FIB. CEF also caches Layer 2 next-hop addresses and frame header rewrite information for all FIB entries in the adjacency table.

  • Every entry in the routing table has a corresponding entry in the FIB. HQ is currently not configured with any routing protocol.
    HQ# show ip cef
    Prefix               Next Hop             Interface
    0.0.0.0/0            no route
    0.0.0.0/8            drop
    0.0.0.0/32           receive
    10.10.10.0/30        attached             Ethernet0/0
    10.10.10.0/32        receive              Ethernet0/0
    10.10.10.1/32        receive              Ethernet0/0
    10.10.10.3/32        receive              Ethernet0/0
    127.0.0.0/8          drop
    192.168.100.0/24     attached             Ethernet0/1
    192.168.100.0/32     receive              Ethernet0/1
    192.168.100.1/32     receive              Ethernet0/1
    192.168.100.255/32   receive              Ethernet0/1
    224.0.0.0/4          drop
    224.0.0.0/24         receive
    240.0.0.0/4          drop
    255.255.255.255/32   receive
    HQ#

  • The adjacency table is empty until the first ping forces an ARP resolution for 10.10.10.2 (the first echo is lost while ARP completes); afterward the adjacency and a /32 FIB entry for the neighbor appear.
    HQ# show adjacency
    Protocol Interface                 Address
    HQ#
    HQ# ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
    HQ#
    HQ# show adjacency
    Protocol Interface                 Address
    IP       Ethernet0/0               10.10.10.2(7)
    HQ# show ip cef
    Prefix               Next Hop             Interface
    0.0.0.0/0            no route
    0.0.0.0/8            drop
    0.0.0.0/32           receive
    10.10.10.0/30        attached             Ethernet0/0
    10.10.10.0/32        receive              Ethernet0/0
    10.10.10.1/32        receive              Ethernet0/0
    10.10.10.2/32        attached             Ethernet0/0
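    The following Python model is an added example, not code from the slides or from Cisco IOS: it rebuilds the FIB shown above as a table, performs the longest-prefix match that "best network address match" refers to, and then uses a stand-in adjacency table (the names `FIB_ENTRIES`, `lookup`, `forward` and the `adjacency` dictionary are assumptions of this example) to show why a connected host with no adjacency yet makes the router ARP first, which is what the lost first echo above illustrates.

```python
import ipaddress

# Constructed FIB modelled on the "show ip cef" output above, before EIGRP is
# configured: (prefix, action, interface). "attached" entries are connected
# networks whose hosts are resolved through the adjacency (ARP) table.
FIB_ENTRIES = [
    ("0.0.0.0/0", "no route", None),
    ("0.0.0.0/8", "drop", None),
    ("0.0.0.0/32", "receive", None),
    ("10.10.10.0/30", "attached", "Ethernet0/0"),
    ("10.10.10.0/32", "receive", "Ethernet0/0"),
    ("10.10.10.1/32", "receive", "Ethernet0/0"),
    ("10.10.10.3/32", "receive", "Ethernet0/0"),
    ("127.0.0.0/8", "drop", None),
    ("192.168.100.0/24", "attached", "Ethernet0/1"),
    ("192.168.100.0/32", "receive", "Ethernet0/1"),
    ("192.168.100.1/32", "receive", "Ethernet0/1"),
    ("192.168.100.255/32", "receive", "Ethernet0/1"),
    ("224.0.0.0/4", "drop", None),
    ("224.0.0.0/24", "receive", None),
    ("240.0.0.0/4", "drop", None),
    ("255.255.255.255/32", "receive", None),
]


def build_fib(entries=FIB_ENTRIES):
    """Parse the textual prefixes once so lookups only do integer mask compares."""
    return [(ipaddress.ip_network(prefix), action, iface)
            for prefix, action, iface in entries]


def lookup(fib, dst):
    """Longest-prefix match: of every entry that covers dst, return the most specific.

    Returns (prefix_str, action, interface). The 0.0.0.0/0 entry guarantees a
    hit; whether that hit is usable is the caller's decision.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action, iface)
    return (str(best[0]), best[1], best[2])


def forward(fib, adjacency, dst):
    """Turn the FIB hit into a forwarding decision.

    adjacency maps (interface, next_hop_ip) -> frame rewrite, standing in for the
    adjacency table built from ARP (assumed structure, not the IOS one). A
    connected host with no adjacency yet is a "glean": the router must ARP first,
    which is why the first echo of the ping above was lost.
    """
    prefix, action, iface = lookup(fib, dst)
    if action in ("drop", "no route"):
        return ("drop", prefix)
    if action == "receive":
        return ("punt", prefix)          # addressed to the router itself
    # "attached": the destination is on a connected network, so it is its own next hop
    rewrite = adjacency.get((iface, dst))
    if rewrite is None:
        return ("glean", iface)
    return ("forward", f"{iface} {rewrite}")


if __name__ == "__main__":
    fib = build_fib()
    print(lookup(fib, "10.10.10.2"))           # ('10.10.10.0/30', 'attached', 'Ethernet0/0')
    print(forward(fib, {}, "10.10.10.2"))      # ('glean', 'Ethernet0/0')  -> ARP first
    print(forward(fib, {}, "192.168.110.5"))   # ('drop', '0.0.0.0/0')     -> no route yet
```

    Once EIGRP installs 192.168.110.0/24 via 10.10.10.2 (the next slide), the same lookup would hit that /24 before the default, and the rewrite would come from the adjacency for 10.10.10.2 rather than for the destination itself.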

  • Once EIGRP is configured, the learned route appears in the routing table, the FIB and the adjacency table.
    HQ(config)# router eigrp 1
    HQ(config-router)# network 192.168.100.0 0.0.0.255
    HQ(config-router)# network 10.10.10.0 0.0.0.3
    *Jul 29 16:35:15.745: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.10.10.2 (Ethernet0/0) is up: new adjacency
    HQ# show ip route eigrp

    D    192.168.110.0/24 [90/307200] via 10.10.10.2, 00:03:17, Ethernet0/0
    HQ#
    HQ# show adjacency
    Protocol Interface                 Address
    IP       Ethernet0/0               10.10.10.2(11)
    HQ# show ip cef
    Prefix               Next Hop             Interface

    192.168.110.0/24     10.10.10.2           Ethernet0/0

  • A Note About CEF for IPv6
    CEF (Cisco Express Forwarding) is a forwarding mechanism that optimizes the Layer 3 and Layer 2 lookup processes into a single process. CEF for IPv4 is enabled by default; CEF for IPv6 is disabled by default.
    R1# show running-config

    ip cef
    no ipv6 cef
    R1#
    R1# show ip cef
    Prefix               Next Hop             Interface
    0.0.0.0/0            no route
    R1# show ipv6 cef
    %IPv6 CEF not running
    R1#

  • Enabling CEF for IPv6
    You may need to enable CEF for IPv6. Prior to IOS 15.x you may need to use this command in addition to ipv6 unicast-routing:
    R1# config t
    R1(config)# ipv6 cef
    R1(config)#
    CEF for IPv6 is now enabled:
    R1(config)# ipv6 unicast-routing
    R1(config)# exit
    R1# show running-config

    ip cef
    ipv6 cef
    R1#
    R1# show ipv6 cef
    ::/0
      nexthop 2001:DB8:CAFE:2::2 Serial0/0/0

  • Disable CEF for IPv4 on Ethernet 0/0 on HQ
    HQ(config)# interface ethernet 0/0
    HQ(config-if)# no ip route-cache cef
    HQ(config-if)# ^Z
    HQ#
    *Jul 29 17:10:14.737: %SYS-5-CONFIG_I: Configured from console by console
    HQ# show ip interface ethernet 0/0 | include switching
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP Flow switching is disabled
      IP CEF switching is disabled
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
    HQ#

    CEF for IPv4 can be re-enabled on an interface using the ip route-cache cef interface configuration command.

  • CEF is still enabled globally:
    HQ# show ip cef
    Prefix               Next Hop             Interface
    0.0.0.0/0            no route
    0.0.0.0/8            drop
    0.0.0.0/32           receive
    10.10.10.0/30        attached             Ethernet0/0

    Disabling CEF globally:
    HQ(config)# no ip cef
    HQ(config)# end
    HQ#
    *Jul 29 17:14:36.676: %SYS-5-CONFIG_I: Configured from console by console
    HQ# show ip cef
    %IPv4 CEF not running
    HQ#

  • Path Control and PBR (Policy Based Routing)

  • Concepts of Path Control
    Path control tools can be used to change the default destination-based forwarding and optimize the path of the packets for some specific application. Path control is controlling the path that traffic takes through a network when there are:
    Redundant paths
    Asymmetric paths (a form of redundancy)
    Three tools for path control are detailed:
    Offset lists
    Cisco IOS IP service level agreements (SLAs)
    Policy Based Routing (PBR)

  • The other PBR: Policy Based Routing
    PBR adds flexibility in a difficult-to-manage environment by providing the ability to route traffic based on network needs.

  • Quick Introduction: Policy Based Routing (PBR) Example (Jeff Doyle, Routing TCP/IP Vol. I; more later in Chapter 5)
    Using PBR is the best way to understand how route maps are configured, so here is a quick introduction.

    Policy routes are nothing more than sophisticated static routes.

    Static routes forward a packet to a specified next hop based on the destination address of the packet.

    Policy routes can forward a packet to a specified next hop based on the source of the packet. Policy routes can also be linked to extended IP access lists so that routing may be based on protocol types and port numbers. Like a static route, a policy route influences routing only on the router on which it is configured.

  • Match Options (a sample)
    Router(config-route-map)# match length min max
    Matches the Layer 3 length of the packet.

    Router(config-route-map)# match ip address {access-list-number | name} [...access-list-number | name]
    Matches the source and destination IP address that is permitted by one or more standard or extended access lists.

    If you do not specify a match command, the route map applies to all packets.

  • Set Options (a sample)
    Router(config-route-map)# set ip precedence [number | name]
    Sets the precedence value in the IP header. You can specify either the precedence number or name.

    Router(config-route-map)# set ip next-hop ip-address [... ip-address]
    Sets the next hop to which to route the packet (the next hop must be adjacent).

    Router(config-route-map)# set interface interface-type interface-number [... type number]
    Sets the output interface for the packet.

    Router(config-route-map)# set ip default next-hop ip-address [... ip-address]
    Sets the next hop to which to route the packet if there is no explicit route for this destination.

    Router(config-route-map)# set default interface interface-type interface-number [... type number]
    Sets the output interface for the packet if there is no explicit route for this destination.

  • Jeff Doyle's Peanuts Example: single interface, matching on source IP address
    We want to implement a policy on Linus such that:
    Traffic from the 172.16.6.0/24 subnet is forwarded to Lucy
    Traffic from the 172.16.7.0/24 subnet is forwarded to Pigpen
    All other traffic is routed normally

  • Linus:
    inter S0
     ip policy route-map Sally
    !
    route-map Sally permit 10
     match ip address 1
     set ip next-hop 172.16.4.2
    !
    route-map Sally permit 15
     match ip address 2
     set ip next-hop 172.16.4.3
    !
    access-list 1 permit 172.16.6.0 0.0.0.255
    access-list 2 permit 172.16.7.0 0.0.0.255

    Any packets that match neither sequence 10 nor sequence 15, such as those from 172.16.8.0/24, are routed normally.

  • Jeff Doyle's Peanuts Example: single interface, matching on destination IP address
    Suppose we want to implement a policy on Linus such that:
    Traffic to host 172.16.1.1 is forwarded to Lucy
    Traffic from 172.16.7.1 to host 172.16.1.2 is forwarded to Pigpen
    All other traffic is routed normally

  • Linus:
    inter S0
     ip policy route-map Sally
    !
    route-map Sally permit 10
     match ip address 101
     set ip next-hop 172.16.4.2
    !
    route-map Sally permit 15
     match ip address 102
     set ip next-hop 172.16.4.3
    !
    access-list 101 permit ip any host 172.16.1.1
    access-list 102 permit ip host 172.16.7.1 host 172.16.1.2

    Any packets that match neither sequence 10 nor sequence 15 are routed normally.

  • Book Example (before PBR is applied)
    PC> traceroute 192.168.100.1
    Type escape sequence to abort.
    Tracing the route to 192.168.100.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.110.1 1 msec 0 msec 0 msec
      2 10.10.20.1 1 msec * 1 msec
    PC>
    Notebook> traceroute 192.168.100.1
    Type escape sequence to abort.
    Tracing the route to 192.168.100.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.110.1 0 msec 0 msec
      2 10.10.20.1 1 msec * 1 msec
    Notebook>

  • Configure PBR to Alter the Traffic Flow from the Notebook
    ! Identify traffic from Notebook
    BR1(config)# ip access-list extended PBR-ACL
    BR1(config-ext-nacl)# permit ip host 192.168.110.10 any
    BR1(config-ext-nacl)# exit
    ! Configure route map on BR1
    BR1(config)# route-map PBR-Notebook
    BR1(config-route-map)# match ip address PBR-ACL
    BR1(config-route-map)# set ip next-hop 10.10.20.1
    BR1(config-route-map)# exit
    ! Apply route map to inbound interface
    BR1(config)# interface ethernet 0/1
    BR1(config-if)# ip policy route-map PBR-Notebook
    BR1(config-if)# exit
    BR1(config)# exit

  • BR1# show route-map
    route-map PBR-Notebook, permit, sequence 10
      Match clauses:
        ip address (access-lists): PBR-ACL
      Set clauses:
        ip next-hop 10.10.20.1
      Policy routing matches: 0 packets, 0 bytes
    BR1# show ip policy
    Interface      Route map
    Ethernet0/1    PBR-Notebook

  • After PBR is applied:
    Notebook> traceroute 192.168.100.1
    Type escape sequence to abort.
    Tracing the route to 192.168.100.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.110.1 1 msec 0 msec 1 msec
      2 10.10.20.1 5 msec * 5 msec
    Notebook>
    PC> traceroute 192.168.100.1
    Type escape sequence to abort.
    Tracing the route to 192.168.100.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 192.168.110.1 1 msec 1 msec 0 msec
      2 10.10.10.1 1 msec * 1 msec
    PC>

  • Traffic from the PC does not match the route map and is forwarded normally:
    BR1# debug ip policy
    Policy routing debugging is on
    BR1#
    PC> ping 192.168.100.1
    !!!!!
    BR1#
    *Aug 4 17:36:42.981: IP: s=192.168.110.20 (Ethernet0/1), d=192.168.100.1, len 100, FIB policy rejected(no match) - normal forwarding
    *Aug 4 17:36:42.982: IP: s=192.168.110.20 (Ethernet0/1), d=192.168.100.1, len 100, FIB policy rejected(no match) - normal forwarding

  • Traffic from the Notebook matches the route map and is policy routed:
    BR1# debug ip policy
    Policy routing debugging is on
    BR1#
    Notebook> ping 192.168.100.1
    !!!!!
    BR1#
    *Aug 4 17:39:53.147: IP: s=192.168.110.10 (Ethernet0/1), d=192.168.100.1, len 100, FIB policy match
    *Aug 4 17:39:53.147: IP: s=192.168.110.10 (Ethernet0/1), d=192.168.100.1, len 100, PBR Counted
    *Aug 4 17:39:53.147: IP: s=192.168.110.10 (Ethernet0/1), d=192.168.100.1, g=10.10.10.1, len 100, FIB policy routed
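    The following Python is an added example, not code from the slides, from Jeff Doyle's book or from Cisco IOS. It parses the three access lists used above (standard wildcard entries, and extended "permit ip ... any/host" entries) with IOS wildcard-mask semantics and evaluates a route map sequence by sequence, so that both Peanuts policies on Linus and the PBR-Notebook policy on BR1 can be checked against sample source/destination pairs; a packet that matches no sequence falls through to normal forwarding, which is the "FIB policy rejected(no match)" case in the debug output. Function names such as `parse_acl`, `acl_permits` and `policy_route` and the route-map representation as (sequence, acl, next-hop) tuples are this example's own assumptions.

```python
import ipaddress


def _ip_int(text):
    return int(ipaddress.ip_address(text))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1   # standard entry with no wildcard: a single host


def parse_acl(lines):
    """Parse standard ('permit A W') or extended ('permit ip SRC DST') ACL entries.

    Returns a list of (action, src, dst); dst is None for standard entries, which
    only look at the source address.
    """
    entries = []
    for line in lines:
        t = line.split()
        action = t[0]
        if t[1] == "ip":
            src, i = _parse_addr(t, 2)
            dst, _ = _parse_addr(t, i)
        else:
            src, _ = _parse_addr(t, 1)
            dst = None
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for action, s, d in entries:
        if wildcard_match(src, *s) and (d is None or wildcard_match(dst, *d)):
            return action == "permit"
    return False


def policy_route(route_map, acls, src, dst):
    """Evaluate route-map sequences in order, as 'ip policy route-map' does on the ingress interface.

    route_map: list of (sequence, acl_name, next_hop); acl_name None means no
    match clause, so the sequence applies to every packet. Returns the next hop
    of the first permitting sequence, or None for normal destination-based
    forwarding.
    """
    for _seq, acl_name, next_hop in sorted(route_map):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return next_hop
    return None


# Constructed from the Peanuts examples above (router Linus, route-map Sally).
ACLS_SOURCE = {
    "1": parse_acl(["permit 172.16.6.0 0.0.0.255"]),
    "2": parse_acl(["permit 172.16.7.0 0.0.0.255"]),
}
SALLY_SOURCE = [(10, "1", "172.16.4.2"), (15, "2", "172.16.4.3")]

ACLS_DEST = {
    "101": parse_acl(["permit ip any host 172.16.1.1"]),
    "102": parse_acl(["permit ip host 172.16.7.1 host 172.16.1.2"]),
}
SALLY_DEST = [(10, "101", "172.16.4.2"), (15, "102", "172.16.4.3")]

# The book example on BR1: only the Notebook (192.168.110.10) is policy routed.
ACLS_BR1 = {"PBR-ACL": parse_acl(["permit ip host 192.168.110.10 any"])}
PBR_NOTEBOOK = [(10, "PBR-ACL", "10.10.20.1")]


if __name__ == "__main__":
    print(policy_route(SALLY_SOURCE, ACLS_SOURCE, "172.16.6.5", "172.16.1.9"))     # 172.16.4.2 (Lucy)
    print(policy_route(SALLY_DEST, ACLS_DEST, "172.16.7.1", "172.16.1.2"))         # 172.16.4.3 (Pigpen)
    print(policy_route(PBR_NOTEBOOK, ACLS_BR1, "192.168.110.20", "192.168.100.1"))  # None (normal)
```

    Because an extended ACL entry is only evaluated against the packet's source and destination here, a deny entry placed before a permit entry ends the search with "no match" for that packet, which is the same order-dependent behaviour a practitioner must keep in mind when an ACL is reused between a route map and an interface filter.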

  • Cisco IOS IP SLAs

  • Using Cisco IOS IP SLAs to Control Path Selection
    Cisco IOS IP SLAs send simulated data across the network and measure performance between multiple network locations or across multiple network paths. The information collected includes data about:
    response time
    one-way latency
    jitter (interpacket delay variance)
    packet loss
    voice quality scoring
    network resource availability
    application performance
    server response time

  • Cisco IP SLA
    IP SLA, a feature of Cisco IOS software, allows you to configure a router to send synthetic traffic to:
    A host computer
    A router that has been configured to respond (Responder)

  • Edge router:
    Connected to two ISPs
    Running NAT and load balancing
    Using two static default routes
    Router(config)# ip route 0.0.0.0 0.0.0.0 ser0/0
    Router(config)# ip route 0.0.0.0 0.0.0.0 ser0/1
    If there is a direct failure on the link to one ISP, the other link can still be used. However, if the infrastructure within one of the ISPs fails while the link to that ISP remains up, the edge router would continue to use that link, because the static default route would still be valid.

  • There are multiple solutions to this issue.
    Run a dynamic routing protocol (BGP) with the ISPs:
    Impractical for smaller branch offices
    Requires additional interaction and integration with the ISPs
    May be the best solution for critical branch offices or those with large traffic volumes
    Router(config)# ip route 0.0.0.0 0.0.0.0 ser0/0
    Router(config)# ip route 0.0.0.0 0.0.0.0 ser0/1

  • Use static routes or PBR, and make them subject to reachability tests toward critical destinations, such as the DNS server within the ISP. If the DNS servers in one of the ISPs go down or are unreachable, the static default toward that ISP would be removed. These reachability tests can be performed with Cisco IOS IP SLAs:
    Frequently probe the DNS servers
    Attach the static routes to the success of these probes
    Router(config)# ip route 0.0.0.0 0.0.0.0 ser0/0
    Router(config)# ip route 0.0.0.0 0.0.0.0 ser0/1

  • In its simplest form, IP SLAs verify whether a network element is active and responsive, for example:
    An IP address on a router interface
    An open TCP port on a host
    Cisco IOS IP SLAs are also accessible using Simple Network Management Protocol (SNMP) and can be used by performance monitoring applications such as CiscoWorks Internetwork Performance Monitor (IPM). This allows the router to receive alerts when performance drops below a specified level and when problems are corrected. These thresholds can trigger additional events and actions.

  • For more information on SNMP: http://www.cisco.com/en/US/docs/internetworking/technology/handbook/SNMP.html

  • IP SLA Operation
    IOS IP SLAs measurements perform active monitoring by generating and analyzing traffic to measure performance:
    Between Cisco IOS software devices
    Between a Cisco IOS device and a host
    Each of these is a different type of IP SLA operation. With the IP SLAs feature enabled, a router sends synthetic traffic to the other device.

  • IP SLAs Operations
    There are two types of IP SLAs operations:
    Those in which the target device is not running the IP SLAs responder component (such as a web server or IP host); mostly ICMP-generated traffic.
    Those in which the target device is running the IP SLAs responder component (such as a Cisco router); measurement accuracy is improved when the target is a responder, and additional statistics can be gathered.

  • The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes. Only a Cisco IOS device can be a source for a destination IP SLAs responder. All SLA probes are configured on the SLA source (via CLI or SNMP); the source sends the probe packets to the target.

  • IP SLAs Operation with Responder
    The following sequence of events occurs for each IP SLAs operation that requires a responder on the target.

  • Step 1
    At the start of the control phase, the IP SLAs source sends a control message with the configured IP SLAs information to the responder's control port, UDP 1967. The control message includes the protocol, port number, and duration of the operation. UDP port 2020 is used for the IP SLAs test packets. MD5 authentication can be used.
    [Figure: control phase, step 1: source sends the IP SLAs control message to UDP port 1967, asking the receiver to open UDP port 2020]

  • Step 2
    After the responder processes the control message, it sends an OK message back to the source and listens on the port specified in the control message (2020) for the specified duration. If the responder cannot process the control message, it returns an error. If the IP SLAs source does not receive a response from the responder, it retransmits the control message and will eventually time out if it still receives no response.
    [Figure: control phase, step 2: responder says OK]

  • Step 3
    If an OK message is returned, the source IP SLAs operation moves to the probing phase and sends one or more test packets to the responder to compute response times. The test messages are sent to port 2020.
    [Figure: probing phase, step 3: responder starts listening on UDP port 2020; source sends IP SLAs test packets to UDP port 2020]

  • Step 4
    The responder accepts the test packets and responds with time-stamp information (see the section in the book on SLAs with responder time stamps). The responder disables the user-specified port after it responds to the IP SLAs measurement packet or when the specified time expires.
    [Figure: probing phase, step 4: done, responder stops listening on UDP port 2020]
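    The exchange described in steps 1 through 4, as an added Python simulation that is not part of the slides and not Cisco's implementation: a responder that opens a test port for the requested duration on a valid control message and answers an invalid one with an error, and a source that retransmits the control message when the OK is lost, times out after a fixed number of attempts, and corrects each round-trip time with the responder's time stamps. The turnaround and link-delay constants, the retry count and the message fields are constructed assumptions; only the two port numbers come from the slides, and no real sockets are used.

```python
from dataclasses import dataclass

CONTROL_PORT = 1967          # IP SLAs control port (from the slides)
TEST_PORT = 2020             # test port the control message asks the responder to open
TURNAROUND = 0.0002          # constructed: responder processing time per test packet, seconds
LINK_DELAY = 0.001           # constructed: one-way delay between source and responder, seconds


@dataclass
class ControlMessage:
    protocol: str            # e.g. "udp-echo"
    port: int                # port the responder should listen on
    duration: float          # seconds the responder keeps that port open


class Responder:
    """Target-side state: which test ports are open and until when."""

    def __init__(self):
        self.open_until = {}

    def handle_control(self, msg, now):
        # Step 2: validate the request; an unusable request gets an error, not an OK.
        if not (1 <= msg.port <= 65535) or msg.duration <= 0:
            return "error"
        self.open_until[msg.port] = now + msg.duration
        return "OK"

    def handle_test(self, port, now):
        # Step 4: answer only while the port is open; afterwards the port is closed
        # and the test packet is dropped.
        close_at = self.open_until.get(port)
        if close_at is None or now > close_at:
            self.open_until.pop(port, None)
            return None
        return {"t_recv": now, "t_send": now + TURNAROUND}


class Source:
    def __init__(self, responder, retries=3, control_timeout=5.0):
        self.responder = responder
        self.retries = retries                  # constructed: control retransmissions before giving up
        self.control_timeout = control_timeout  # constructed: seconds to wait for an OK

    def run_operation(self, msg, probe_offsets, start=0.0, lost_ok_replies=0):
        """Run one operation: control phase with retransmission, then the probing phase.

        lost_ok_replies simulates OK messages that never reach the source, which
        makes it retransmit the control message until it gives up.
        Returns {'status', 'control_attempts', 'rtts'}; an RTT is None when the
        responder had already closed the port.
        """
        now, attempts = start, 0
        while attempts < self.retries:
            attempts += 1
            reply = self.responder.handle_control(msg, now + LINK_DELAY)   # Step 1
            if reply == "error":
                return {"status": "error", "control_attempts": attempts, "rtts": []}
            if lost_ok_replies == 0:
                now += 2 * LINK_DELAY                                    # OK received
                break
            lost_ok_replies -= 1
            now += self.control_timeout                                  # wait, then retransmit
        else:
            return {"status": "timeout", "control_attempts": attempts, "rtts": []}

        rtts = []
        for offset in probe_offsets:                                     # Step 3
            t_sent = now + offset
            reply = self.responder.handle_test(msg.port, t_sent + LINK_DELAY)
            if reply is None:
                rtts.append(None)
                continue
            t_back = reply["t_send"] + LINK_DELAY
            # Subtract the responder's own processing time using its time stamps;
            # this is what makes responder-based measurements more accurate.
            rtts.append(round(t_back - t_sent - (reply["t_send"] - reply["t_recv"]), 6))
        return {"status": "ok", "control_attempts": attempts, "rtts": rtts}


if __name__ == "__main__":
    source = Source(Responder())
    request = ControlMessage("udp-echo", TEST_PORT, duration=1.0)
    print(source.run_operation(request, [0, 0.1, 0.2, 5.0]))   # last probe arrives after the port closed
```

    The fourth probe in the usage line is sent after the requested duration has elapsed, so the responder has already closed port 2020 and the source records no RTT for it; operationally that is the case to watch for when an operation's frequency and the control message's duration are configured inconsistently.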

  • Configuring Path Control using IOS IP SLAs
    The following steps are required to configure Cisco IOS IP SLA functionality:
    Step 1: Define one or more probes
    Step 2: Define one or more tracking objects
    Step 3: Define the action on the tracking object

    Note: Effective with Cisco IOS Release 12.4(4)T, 12.2(33)SB, and 12.2(33)SXI, the ip sla monitor command is replaced by the ip sla command.
    Router(config)# ip sla operation-number

  • Step 1: Define one or more probes
    There are several SLA probes that can be used. We will focus on using the ICMP echo operation.
    Router(config)# ip sla monitor operation-number
    Router(config-rtr)# icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
    or
    Router(config-rtr)# type echo protocol ipIcmpEcho {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-name]

    R1(config)# ip sla 1
    R1(config-ip-sla)# ?
    IP SLAs entry configuration commands:
      dhcp         DHCP Operation
      dns          DNS Query Operation
      exit         Exit Operation Configuration
      frame-relay  Frame-relay Operation
      ftp          FTP Operation
      http         HTTP Operation
      icmp-echo    ICMP Echo Operation
      icmp-jitter  ICMP Jitter Operation
      path-echo    Path Discovered ICMP Echo Operation
      path-jitter  Path Discovered ICMP Jitter Operation
      slm          SLM Operation
      tcp-connect  TCP Connect Operation
      udp-echo     UDP Echo Operation
      udp-jitter   UDP Jitter Operation
      voip         Voice Over IP Operation

    R1(config-ip-sla)#

    Effective with Cisco IOS Release 12.4(4)T, 12.2(33)SB, and 12.2(33)SXI, the type echo protocol ipIcmpEcho command is replaced by the icmp-echo command.

  • icmp-echo Command Example
    Although many command options exist, the focus of this section will be on the frequency and timeout commands.
    R1(config-ip-sla)# icmp-echo 209.165.201.30
    R1(config-ip-sla-echo)# ?

    IP SLAs echo Configuration Commands:
      default            Set a command to its defaults
      exit               Exit operation configuration
      frequency          Frequency of an operation
      history            History and Distribution Data
      no                 Negate a command or set its defaults
      owner              Owner of Entry
      request-data-size  Request data size
      tag                User defined tag
      threshold          Operation threshold in milliseconds
      timeout            Timeout of an operation
      tos                Type Of Service
      verify-data        Verify data
      vrf                Configure IP SLAs for a VPN Routing/Forwarding instance

    R1(config-ip-sla-echo)#

  • icmp-echo Sub-Commands
    Router(config-ip-sla-echo)# frequency seconds
    Sets the rate at which a specified IP SLAs operation repeats. The seconds parameter is the number of seconds between the IP SLAs operations; the default is 60 seconds.
    Router(config-ip-sla-echo)# timeout milliseconds
    Sets the amount of time a Cisco IOS IP SLAs operation waits for a response to its request packet. The milliseconds parameter is the number of milliseconds (ms) the operation waits to receive a response to its request packet.

  • Configuration so far:
    Router(config)# ip sla monitor operation-number
    Router(config-rtr)# icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
    Router(config-rtr)# frequency seconds
    Router(config-rtr)# timeout milliseconds

  • Schedule an IP SLA Operation
    Router(config)# ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
    Note: Effective with Cisco IOS Release 12.4(4)T, 12.2(33)SB, and 12.2(33)SXI, the ip sla monitor schedule command is replaced by the ip sla schedule command.

  • The ip sla schedule Command Parameters

    operation-number: Number of the IP SLAs operation to schedule.
    life forever: (Optional) Schedules the operation to run indefinitely.
    life seconds: (Optional) Number of seconds the operation actively collects information. The default is 3600 seconds (one hour).
    start-time: (Optional) Time when the operation starts.
    hh:mm[:ss]: Specifies an absolute start time using hour, minute, and (optionally) second. Use the 24-hour clock notation.
    month: (Optional) Name of the month to start the operation in. If month is not specified, the current month is used.
    day: (Optional) Number of the day (in the range 1 to 31) to start the operation on. If a day is not specified, the current day is used.
    pending: (Optional) No information is collected. This is the default value.
    now: (Optional) Indicates that the operation should start immediately.
    after hh:mm:ss: (Optional) Indicates that the operation should start this amount of time after this command was entered.
    ageout seconds: (Optional) Number of seconds to keep the operation in memory when it is not actively collecting information (the default is 0 seconds, which means it never ages out).
    recurring: (Optional) Indicates that the operation will start automatically at the specified time and for the specified duration every day.

  • Configures the scheduling parameters for a single Cisco IOS IP SLAs probe.
    Router(config)# ip sla monitor operation-number
    Router(config-rtr)# icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
    Router(config-rtr)# frequency seconds
    Router(config-rtr)# timeout milliseconds
    Router(config)# ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

  • Step 2: Configure IP SLA Object Tracking
    Define tracking objects to track the state of IP SLAs operations, such as whether the device is reachable.
    Router(config)# track object-number ip sla operation-number {state | reachability}
    Note: Effective with Cisco IOS Release 12.4(20)T, 12.2(33)SXI1, 12.2(33)SRE and Cisco IOS XE Release 2.4, the track rtr command is replaced by the track ip sla command.

    object-number: Object number representing the object to be tracked. The range is from 1 to 500.
    operation-number: Number used for the identification of the IP SLAs operation you are tracking.
    state: Tracks the operation return code.
    reachability: Tracks whether the route is reachable.

  • Step 2: Define one or more tracking objects
    Tracks the state of an IOS IP SLAs operation, such as whether the device is reachable.

    Router(config)# ip sla monitor operation-number
    Router(config-rtr)# icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
    Router(config-rtr)# frequency seconds
    Router(config-rtr)# timeout milliseconds
    Router(config)# ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
    Router(config)# track object-number ip sla operation-number {state | reachability}
    or
    Router(config)# track object-number rtr operation-number {state | reachability}

  • track Command Example
    R1(config)# track 1 ip sla 1 reachability
    R1(config-track)# ?
    Tracking instance configuration commands:
      default  Set a command to its defaults
      delay    Tracking delay
      exit     Exit from tracking configuration mode
      no       Negate a command or set its defaults

    R1(config-track)#

  • Configure Tracking Delay
    Specify a period of time to delay communicating state changes of a tracked object. The delay can help alleviate the effect of flapping objects.
    Router(config-track)# delay {up seconds [down seconds] | [up seconds] down seconds}

    up: Time to delay the notification of an up event.
    down: Time to delay the notification of a down event.
    seconds: Delay value, in seconds. The range is from 0 to 180, with the default being 0.

  • Delay: specifies a period of time to delay communicating state changes of a tracked object. The delay can help alleviate the effect of flapping objects.
    Router(config)# ip sla monitor operation-number
    Router(config-rtr)# icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
    Router(config-rtr)# frequency seconds
    Router(config-rtr)# timeout milliseconds
    Router(config)# ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
    Router(config)# track object-number rtr operation-number {state | reachability}
    Router(config-track)# delay {up seconds [down seconds] | [up seconds] down seconds}

  • Step 3: Define the action on the tracking object
    The static route is tied to the tracking object with the track keyword, so it is installed only while the object is up.

    Examples coming soon!

    Router(config)# ip sla monitor operation-number
    Router(config-rtr)# icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
    Router(config-rtr)# frequency seconds
    Router(config-rtr)# timeout milliseconds
    Router(config)# ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
    Router(config)# track object-number rtr operation-number {state | reachability}
    Router(config-track)# delay {up seconds [down seconds] | [up seconds] down seconds}
    Router(config)# ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag]

  • Verifying IP SLAs

    These commands will be explained during the examples.

    show ip sla configuration [operation]: Displays configuration values, including all defaults, for all Cisco IOS IP SLAs operations or for a specified operation. The operation parameter is the number of the IP SLAs operation for which the details will be displayed.
    show ip sla statistics [operation-number | details]: Displays the current operational status and statistics of all Cisco IOS IP SLAs operations or of a specified operation.

  • show ip sla configuration Example
    Note: Effective with Cisco IOS Release 12.4(20)T, 12.2(33)SXI1, 12.2(33)SRE and Cisco IOS XE Release 2.4, the show ip sla monitor configuration command is replaced by the show ip sla configuration command.
    R1# show ip sla configuration 1
    IP SLAs, Infrastructure Engine-II.
    Entry number: 1
    Owner:
    Tag:
    Type of operation to perform: icmp-echo
    Target address/Source address: 209.165.201.30/0.0.0.0
    Type Of Service parameter: 0x0
    Request size (ARR data portion): 28
    Operation timeout (milliseconds): 5000
    Verify data: No
    Vrf Name:
    Schedule:
       Operation frequency (seconds): 10  (not considered if randomly scheduled)
       Next Scheduled Start Time: Start Time already passed
       Group Scheduled : FALSE
       Randomly Scheduled : FALSE
       Life (seconds): Forever

  • show ip sla statistics Example
    Note: Effective with Cisco IOS Release 12.4(20)T, 12.2(33)SXI1, 12.2(33)SRE and Cisco IOS XE Release 2.4, the show ip sla monitor statistics command is replaced by the show ip sla statistics command.
    R1# show ip sla statistics
    IPSLAs Latest Operation Statistics

    IPSLA operation id: 1

    Latest operation start time: *21:22:29.707 UTC Fri Apr 2 2010
    Latest operation return code: OK
    Number of successes: 5
    Number of failures: 0
    Operation time to live: Forever

  • Tracking Reachability to Two ISPs Example
    In this scenario, Customer A is multihoming to two ISPs using R1, which is configured with two floating static default routes. The static route to R2 (ISP-1) has been given an administrative distance of 2, making it preferred and therefore the primary default route. The static route to R3 (ISP-2) has been given an administrative distance of 3, making it the backup default route.

  • Tracking Reachability to Two ISPs Example
    What would happen if a link within the ISP 1 provider infrastructure were to fail? The link from R1 to R2 would remain up, and R1 would continue to use that link because the default static route would still be valid. The solution to this issue is the Cisco IOS IP SLAs feature: configure IP SLAs to continuously check the reachability of a specific destination (such as the ISP's DNS server, or any other specific destination) and conditionally announce the default route only if the connectivity is verified.

  • The first step in this configuration defines the probe. Probe 11 is defined by the ip sla 11 command. The test defined with the icmp-echo 10.1.3.3 command specifies that ICMP echoes are sent to destination 10.1.3.3 (the DNS server) to check connectivity. The frequency 10 command schedules the connectivity test to repeat every 10 seconds. The ip sla schedule 11 life forever start-time now command defines the start and end time of the connectivity test for probe 11: the start time is now, and it will continue forever.
    R1(config)# ip sla 11
    R1(config-ip-sla)# icmp-echo 10.1.3.3
    R1(config-ip-sla-echo)# frequency 10
    R1(config-ip-sla-echo)# exit
    R1(config)# ip sla schedule 11 life forever start-time now
    R1(config)# track 1 ip sla 11 reachability
    R1(config-track)# delay down 10 up 1
    R1(config-track)# exit
    R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1
    R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1 3

  • The second step defines the tracking object, which is linked to the probe from the first step.The track 1 ip sla 11 reachability command specifies that object 1 is tracked; it is linked to probe 11 (defined in the first step) so that the reachability of the 10.1.3.3 is tracked.R1(config)# ip sla 11R1(config-ip-sla)# icmp-echo 10.1.3.3R1(config-ip-sla-echo)# frequency 10R1(config-ip-sla-echo)# exitR1(config)# ip sla schedule 11 life forever start-time nowR1(config)# track 1 ip sla 11 reachabilityR1(config-track)# delay down 10 up 1R1(config-track)# exitR1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1 3

    ProbeTrackingObject

  • The last step defines an action based on the status of the tracking object. The ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1 command conditionally configures the default route, via 10.1.1.1, with an administrative distance of 2, if the result of tracking object 1 is true.Thus, if 10.1.3.3 is reachable, a static default route via 10.1.1.1 with an administrative distance of 2, is installed in the routing table.R1(config)# ip sla 11R1(config-ip-sla)# icmp-echo 10.1.3.3R1(config-ip-sla-echo)# frequency 10R1(config-ip-sla-echo)# exitR1(config)# ip sla schedule 11 life forever start-time nowR1(config)# track 1 ip sla 11 reachabilityR1(config-track)# delay down 10 up 1R1(config-track)# exitR1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1 3 ProbeTrackingObjectStatus of Tracking Object

  • Defining an action based on the status of the tracking object ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1: Conditionally announces the default route, via 10.1.1.2, with an administrative distance 2 if the result of tracking object 1 is true if the probe is successful. To summarize: If 10.1.3.3 is reachable, a static default route via 10.1.1.2 with an administrative distance of 2 is offered to the routing table. Because the default route via R3 has a higher AD of 3, if the path via R2 is available, this path will be the backup path.R1(config)# ip sla 11R1(config-ip-sla)# icmp-echo 10.1.3.3R1(config-ip-sla-echo)# frequency 10R1(config-ip-sla-echo)# exitR1(config)# ip sla schedule 11 life forever start-time nowR1(config)# track 1 ip sla 11 reachabilityR1(config-track)# delay down 10 up 1R1(config-track)# exitR1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1 3

    ProbeTrackingObjectStatus of Tracking Object

  • If 10.1.1.1 is reachable, a static default route via R2 with an administrative distance of 2, is installed in the routing tableIf 172.16.1.1 is reachable, a static default route via R3 with an administrative distance of 3 is available to the routing table as a backup path. R1(config)# ip sla 11R1(config-ip-sla)# icmp-echo 10.1.3.3R1(config-ip-sla-echo)# frequency 10R1(config-ip-sla-echo)# exitR1(config)# ip sla schedule 11 life forever start-time nowR1(config)# track 1 ip sla 11 reachabilityR1(config-track)# delay down 10 up 1R1(config-track)# exitR1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1 3

    ProbeTrackingObjectStatus of Tracking Object

  • IP SLA 11 continuously sends ICMP Echo Requests to the DNS server (10.1.3.3) every 10 seconds.IP SLAs is tracking that object and as long as the DNS server is reachable, the default route to R2 will be in the routing table.R1(config)# ip sla 11R1(config-ip-sla)# icmp-echo 10.1.3.3R1(config-ip-sla-echo)# frequency 10R1(config-ip-sla-echo)# exitR1(config)# ip sla schedule 11 life forever start-time nowR1(config)# track 1 ip sla 11 reachabilityR1(config-track)# delay down 10 up 1R1(config-track)# exitR1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1 3

  • Configuring PBR and IP SLA Example
    In this example, you will:
    Redirect web traffic from clients behind the BR1 router to the HQ router over the serial link using PBR
    Ensure that BR2 is reachable by using an IP SLA ICMP echo test to its WAN interface
    Redirect all other traffic from the Notebook host to router BR2 only if BR2 is reachable

  • Redirecting Web Traffic from BR1 to HQ Using PBR

    ! Match Web Traffic
    BR1(config)# ip access-list extended PBR-WWW-TRAFFIC
    BR1(config-ext-nacl)# remark Permit only Web traffic
    BR1(config-ext-nacl)# permit tcp any any eq 80
    BR1(config-ext-nacl)# permit tcp any any eq 443
    BR1(config-ext-nacl)# exit
    ! Create the PBR
    BR1(config)# route-map PBR-2-HQ
    BR1(config-route-map)# match ip address PBR-WWW-TRAFFIC
    BR1(config-route-map)# set ip next-hop 10.10.20.1
    BR1(config-route-map)# exit
    ! Apply Route Map to the Interface
    BR1(config)# interface ethernet 0/2
    BR1(config-if)# ip policy route-map PBR-2-HQ
    BR1(config-if)# exit

  • Ensuring That BR2 Is Reachable Using IP SLA

    ! Create IP SLA Probing the BR2 WAN Interface
    BR1(config)# ip sla 1
    BR1(config-ip-sla)# icmp-echo 10.10.30.2 source-interface Ethernet 0/1
    BR1(config-ip-sla-echo)# frequency 10
    BR1(config-ip-sla-echo)# exit
    BR1(config)# ip sla schedule 1 start-time now life forever

    ! Create Tracking Object
    BR1(config)# track 1 ip sla 1
    BR1(config-track)# delay down 5 up 1
    BR1(config-track)# exit

  • Redirect Traffic from Notebook to BR2 If Reachable

    ! Create ACL to Match Notebook Traffic
    BR1(config)# ip access-list extended PBR-FROM-B
    BR1(config-ext-nacl)# remark Match all traffic from the Notebook host
    BR1(config-ext-nacl)# permit ip host 192.168.110.10 any
    BR1(config-ext-nacl)# exit

    ! Add New Entry to PBR-2-HQ Route Map
    BR1(config)# route-map PBR-2-HQ permit 20
    BR1(config-route-map)# match ip address PBR-FROM-B
    BR1(config-route-map)# set ip next-hop verify-availability 10.10.30.2 1 track 1
    BR1(config-route-map)# end

    ! Apply Route Map to the Interface
    BR1(config)# interface ethernet 0/2
    BR1(config-if)# ip policy route-map PBR-2-HQ
    BR1(config-if)# exit

  • Verify Route Maps on BR1

    BR1# show route-map
    route-map PBR-2-HQ, permit, sequence 10
      Match clauses:
        ip address (access-lists): PBR-WWW-TRAFFIC
      Set clauses:
        ip next-hop 10.10.20.1
      Policy routing matches: 0 packets, 0 bytes
    route-map PBR-2-HQ, permit, sequence 20
      Match clauses:
        ip address (access-lists): PBR-FROM-B
      Set clauses:
        ip next-hop verify-availability 10.10.30.2 1 track 1  [up]
      Policy routing matches: 0 packets, 0 bytes
    BR1#

  • Verify IP SLA Operations on BR1

    BR1# show ip sla summary
    IPSLAs Latest Operation Summary
    Codes: * active, ^ inactive, ~ pending

    ID   Type       Destination   Stats    Return   Last
                                  (ms)     Code     Run
    -----------------------------------------------------------------------
    *1   icmp-echo  10.10.30.2    RTT=1    OK       1 second ago
    BR1#

  • Example: Network Availability
    Customer A is multihomed to two ISPs. Customer A is not running BGP with the ISPs; it uses static default routes. Two static default routes with different administrative distances are configured:
    the link to ISP-1 (fa0/0) is the primary link
    the link to ISP-2 (fa0/1) is the backup link
    The static default route with the lower administrative distance is preferred and injected into the routing table. However, if there is a problem inside the ISP-1 router, or with its connectivity toward the Internet, while its interface facing Customer A is still up, all traffic from Customer A still goes to that ISP, and the traffic may then be lost inside the ISP.

    Router(config)# ip route 0.0.0.0 0.0.0.0 fa0/0
    Router(config)# ip route 0.0.0.0 0.0.0.0 fa0/1 5

  • The solution to this issue is the Cisco IOS IP SLAs functionality. Configure the SLAs to continuously check the reachability of a specific destination, such as:
    the provider edge (PE) router interface
    the ISP's DNS server
    any other specific destination
    and to conditionally announce the default route only if that connectivity is verified.

  • The same design, written in the older Cisco IOS syntax (ip sla monitor and track ... rtr, which the newer ip sla and track ... ip sla commands replaced).

    Defining the probe
    ip sla monitor 11: defines probe 11
    type echo protocol ipIcmpEcho 10.1.1.1 source-interface fa0/0: sends ICMP echoes to destination 10.1.1.1 (R2) to check connectivity, sourced from FastEthernet0/0
    frequency 10: repeats the connectivity test every 10 seconds
    ip sla monitor schedule 11 life forever start-time now: starts the probe now and runs it forever

    Defining the tracking object
    track 1 rtr 11 reachability: object 1 is tracked and linked to probe 11 (defined in the first step), so that reachability of 10.1.1.1 is tracked

    Defining an action based on the status of the tracking object
    ip route 0.0.0.0 0.0.0.0 fa0/0 2 track 1: installs the default route out fa0/0, with an administrative distance of 2 (it could have been left at the default of 1), only while tracking object 1 is up, that is, while the probe succeeds.

    To summarize: if 10.1.1.1 is reachable, a static default route out Fa0/0 with an administrative distance of 2 is installed in the routing table. Because 10.1.1.1 is the directly connected interface of the provider router, this probe only detects loss of the R1 to R2 link or of R2 itself; the earlier example probes the ISP's DNS server so that failures deeper inside ISP-1 are caught as well.

    R1(config)# ip sla monitor 11
    R1(config-rtr)# type echo protocol ipIcmpEcho 10.1.1.1 source-interface fa0/0
    R1(config-rtr)# frequency 10
    R1(config)# ip sla monitor schedule 11 life forever start-time now
    R1(config)# track 1 rtr 11 reachability
    R1(config)# ip route 0.0.0.0 0.0.0.0 fa0/0 2 track 1

  • Defining the probe for the backup path
    ip sla monitor 22: defines probe 22
    type echo protocol ipIcmpEcho 172.16.1.1 source-interface fa0/1: sends ICMP echoes to destination 172.16.1.1 (R3) to check connectivity, sourced from FastEthernet0/1
    frequency 10: repeats the connectivity test every 10 seconds
    ip sla monitor schedule 22 life forever start-time now: starts the probe now and runs it forever

    Defining the tracking object
    track 2 rtr 22 reachability: object 2 is tracked and linked to probe 22, so that reachability of 172.16.1.1 is tracked

    Defining an action based on the status of the tracking object
    ip route 0.0.0.0 0.0.0.0 fa0/1 3 track 2: installs the default route out fa0/1, with an administrative distance of 3, only while tracking object 2 is up, that is, while the probe succeeds.

    To summarize: if 172.16.1.1 is reachable, a static default route out fa0/1 with an administrative distance of 3 is offered to the routing table. Because this default route has the higher AD of 3, it is only installed when the AD 2 route via R2 is withdrawn; while the path via R2 is available, this path is the backup.

    R1(config)# ip sla monitor 22
    R1(config-rtr)# type echo protocol ipIcmpEcho 172.16.1.1 source-interface fa0/1
    R1(config-rtr)# frequency 10
    R1(config)# ip sla monitor schedule 22 life forever start-time now
    R1(config)# track 2 rtr 22 reachability
    R1(config)# ip route 0.0.0.0 0.0.0.0 fa0/1 3 track 2

  • Both probes, tracking objects and conditional default routes together:

    R1(config)# ip sla monitor 11
    R1(config-rtr)# type echo protocol ipIcmpEcho 10.1.1.1 source-interface fa0/0
    R1(config-rtr)# frequency 10
    R1(config)# ip sla monitor schedule 11 life forever start-time now
    R1(config)# track 1 rtr 11 reachability
    R1(config)# ip route 0.0.0.0 0.0.0.0 fa0/0 2 track 1

    R1(config)# ip sla monitor 22
    R1(config-rtr)# type echo protocol ipIcmpEcho 172.16.1.1 source-interface fa0/1
    R1(config-rtr)# frequency 10
    R1(config)# ip sla monitor schedule 22 life forever start-time now
    R1(config)# track 2 rtr 22 reachability
    R1(config)# ip route 0.0.0.0 0.0.0.0 fa0/1 3 track 2

    If 10.1.1.1 is reachable, a static default route via R2 (out fa0/0) with an administrative distance of 2 is installed in the routing table. If 172.16.1.1 is reachable, a static default route via R3 (out fa0/1) with an administrative distance of 3 is available to the routing table as the backup path, and is installed only when the AD 2 route is withdrawn.

  • Example 2: DNS Reachability
    R3 represents a branch office connected to two ISPs. We use Cisco IOS IP SLAs to track the reachability of the DNS servers (IP addresses 10.0.8.1 and 10.0.8.2) and tie the results to the static default routes on R3. If a DNS server fails:
    the Cisco IOS IP SLAs probe to it will fail
    the static default route tied to that DNS server will be removed
    all traffic will be rerouted toward the other ISP

  • Step 1: Verify reachability to the DNS servers. (Figure: R3 with Track 1 / SLA 99 toward the ISP1 DNS server and Track 2 / SLA 100 toward the ISP2 DNS server; EIGRP runs between R3 and the ISP routers.)

  • Step 2: Configure the Cisco IOS IP SLAs
    ip sla monitor 99: creates operation 99 on R3; the operation number is locally significant only to the router
    type echo protocol ipIcmpEcho 10.0.8.1: creates an ICMP echo probe to the DNS server on ISP1
    frequency 10: repeats the connectivity test every 10 seconds
    The probe is scheduled to start now and to run forever. We similarly create a second probe, 100, to test connectivity to the second DNS server.

    R3(config)# ip sla monitor 99
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.1
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 99 life forever start-time now

    R3(config)# ip sla monitor 100
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.2
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 100 life forever start-time now

  • Step 3: Verify the Cisco IOS IP SLAs operations
    Verify the IP SLAs configuration with show ip sla monitor. The output shows an echo operation to 10.0.8.1 with a frequency of 10 seconds, and that it has already started (the start time has already passed).

  • show ip sla monitor statistics displays the number of successes and failures and the result of the latest operation:
    Operation 99 has succeeded 16 times, with no failures, and the latest operation returned OK.
    Operation 100 has succeeded 15 times, with no failures, and the latest operation returned OK.
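Checking these counters by eye works in the lab; in production they are what a monitoring job should read, because a creeping failure count is the early sign that a tracked route is about to flip. The parser below is an added example in Python, not code from the slides or from Cisco IOS: it reads the per-operation blocks of show ip sla statistics (the older show ip sla monitor statistics prints the same fields) and flags operations whose latest result is not OK or whose lifetime failure ratio is too high. The router output it parses is constructed to match the fields shown on the page, not captured from a live device.

```python
"""Parser for the per-operation blocks of 'show ip sla statistics'.
Added example; SAMPLE is constructed router output, not a real capture."""
import re

# Constructed sample: operation 99 healthy, operation 100 timing out.
SAMPLE = """\
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: 4 milliseconds
Latest operation start time: *21:22:29.707 UTC Fri Apr 2 2010
Latest operation return code: OK
Number of successes: 16
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 100
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *21:22:31.707 UTC Fri Apr 2 2010
Latest operation return code: Timeout
Number of successes: 15
Number of failures: 11
Operation time to live: Forever
"""

# Newer IOS prints "IPSLA operation id: N"; older releases print
# "Round Trip Time (RTT) for Index N".  Both start an operation block.
_OP_HEADER = re.compile(
    r"^(?:IPSLA operation id:|Round Trip Time \(RTT\) for\s+Index)\s*(\d+)", re.M)
_FIELD = re.compile(
    r"^(Latest operation return code|Number of successes|Number of failures):\s*(\S+)", re.M)


def parse_sla_statistics(text):
    """Return {operation_id: {'return_code': str, 'successes': int, 'failures': int}}."""
    ops = {}
    headers = list(_OP_HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = dict(_FIELD.findall(text[h.end():end]))
        ops[int(h.group(1))] = {
            "return_code": fields.get("Latest operation return code", "Unknown"),
            "successes": int(fields.get("Number of successes", 0)),
            "failures": int(fields.get("Number of failures", 0)),
        }
    return ops


def unhealthy_operations(stats, max_failure_ratio=0.1):
    """Map operation id -> list of reasons for operations that need attention.

    A non-OK latest return code is what will pull a tracked route; a high
    lifetime failure ratio with an OK latest result points at a flapping path
    that the delay timers may be hiding from the routing table."""
    bad = {}
    for op_id, s in sorted(stats.items()):
        total = s["successes"] + s["failures"]
        ratio = s["failures"] / total if total else 0.0
        reasons = []
        if s["return_code"] != "OK":
            reasons.append("latest return code %s" % s["return_code"])
        if ratio > max_failure_ratio:
            reasons.append("failure ratio %.0f%%" % (100 * ratio))
        if reasons:
            bad[op_id] = reasons
    return bad


if __name__ == "__main__":
    for op_id, reasons in unhealthy_operations(parse_sla_statistics(SAMPLE)).items():
        print("IP SLA %d: %s" % (op_id, "; ".join(reasons)))
```

Feed it the output of the show command collected over SSH or from a syslog-driven job; the failure-ratio threshold is a tuning knob, and the counters are cumulative since the operation started, so reset them (or diff them between runs) if you want a recent-window view.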

  • Step 4: Configure the tracking objects
    The first tracking object is tied to IP SLAs operation 99, with 10 seconds of down delay and 1 second of up delay. If the DNS server fails momentarily and comes back within 10 seconds, there is no impact on the routing table.
    Step 5: Configure static default routes (or PBR) tied to the tracking objects
    ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 1 creates a static default route via 192.168.2.2 (R1) that appears or disappears depending on the success or failure of the IP SLAs operation; it references tracking object 1, which references operation 99. Tracking object 2 and the default route via 192.168.1.2 (R2) are tied to operation 100 in the same way. No administrative distance is given, so both routes keep the default of 1 and both are installed while both objects are up.

    R3(config)# ip sla monitor 99
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.1
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 99 life forever start-time now
    R3(config)# track 1 rtr 99 reachability
    R3(config-track)# delay down 10 up 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 1

    R3(config)# ip sla monitor 100
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.2
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 100 life forever start-time now
    R3(config)# track 2 rtr 100 reachability
    R3(config-track)# delay down 10 up 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 2

  • We examine the static routes in the IP routing table. The output confirms that both static default routes currently appear in the routing table.

    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 2

  • Step 6: Verify the dynamic operation and the routing changes when a tracked object fails. Shut down the DNS address on R2 and watch the result on R3 with debug ip routing.

  • The EIGRP route to 10.0.8.2 is immediately deleted; there are now no routes to 10.0.8.2. This is the address we are tracking with the track 2 command, which tracks the reachability of IP SLAs operation 100, an ICMP echo to 10.0.8.2. After about 10 seconds, the down delay specified in the delay command, the static default route via 192.168.1.2 (R2) is deleted.

  • show ip sla statistics for operation 100: the latest return code is Timeout and there have been 11 failures. These are failures of the ICMP echo to 10.0.8.2.

  • We see that only one static default route remains, via 192.168.2.2 (R1).

  • Connectivity to the R2 DNS server is restored: the EIGRP route to 10.0.8.2 comes back up, and almost immediately (after the 1 second up delay) the static default route via 192.168.1.2 (R2) returns.

    R3# debug ip routing

  • We again examine the routing table and verify that both static default routes are there. Full connectivity has been restored.
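The timing just observed (a lost echo or two is absorbed, a real outage pulls the route after the down delay, recovery returns it after the up delay) is easy to get wrong when choosing frequency and delay values. The following Python model is an added example, not code from the slides or from Cisco IOS: it simulates a tracking object with delay down 10 up 1 and the RIB's choice among floating static default routes, using the addresses of the two-ISP example (tracked AD 2 route via 10.1.1.1, untracked AD 3 route via 172.16.1.1); the same logic applies to the two tracked routes of Example 2. The probe timeline is constructed, with times in seconds.

```python
"""Model of a Cisco IOS tracked static route: IP SLA probe -> tracking object
with 'delay down X up Y' -> floating static default routes.
Added example; the probe timeline below is constructed, not captured."""


class TrackedObject:
    """Tracking object with dampening: a change in the probe result starts a
    timer, and the object only changes state if the probe is still in the new
    condition when the timer expires.  A blip shorter than the delay never
    reaches the routing table."""

    def __init__(self, delay_down, delay_up, initial="up"):
        self.delay_down, self.delay_up = delay_down, delay_up
        self.initial = initial
        self.state = initial      # state currently reported to routing
        self.probe = initial      # latest raw probe result
        self.deadline = None      # time a pending state change takes effect
        self.transitions = []     # (time, new_state), in order

    def settle(self, t):
        """Apply a pending state change whose timer has expired by time t."""
        if self.deadline is not None and t >= self.deadline:
            self.state = self.probe
            self.transitions.append((self.deadline, self.state))
            self.deadline = None

    def observe(self, t, ok):
        """Feed one IP SLA result (ok=True means the echo got a reply)."""
        self.settle(t)
        self.probe = "up" if ok else "down"
        if self.probe == self.state:
            self.deadline = None  # condition cleared before the timer fired
        elif self.deadline is None:
            delay = self.delay_down if self.probe == "down" else self.delay_up
            self.deadline = t + delay

    def state_at(self, t):
        """State at time t, replayed from the recorded transitions."""
        state = self.initial
        for when, new_state in self.transitions:
            if when <= t:
                state = new_state
        return state


def installed_default(routes, t):
    """Next hop of the default route installed at time t.

    routes: list of (next_hop, administrative_distance, TrackedObject or None).
    An untracked route is always a candidate; a tracked route only while its
    object is up.  Lowest AD wins, as in the RIB."""
    candidates = [(ad, nh) for nh, ad, trk in routes
                  if trk is None or trk.state_at(t) == "up"]
    return min(candidates)[1] if candidates else None


def run_scenario():
    """Primary default via 10.1.1.1 (AD 2, tracked), backup via 172.16.1.1 (AD 3)."""
    track1 = TrackedObject(delay_down=10, delay_up=1)
    routes = [("10.1.1.1", 2, track1), ("172.16.1.1", 3, None)]
    # Constructed probe timeline, one ICMP echo every 5 s: a single lost reply
    # at t=10, then a real outage from t=25 until the echo at t=45 succeeds.
    timeline = [(0, True), (5, True), (10, False), (15, True), (20, True),
                (25, False), (30, False), (35, False), (40, False), (45, True)]
    for t, ok in timeline:
        track1.observe(t, ok)
    track1.settle(60)
    return {
        "transitions": track1.transitions,             # [(35, 'down'), (46, 'up')]
        "at_15": installed_default(routes, 15),        # blip absorbed by the down delay
        "at_36": installed_default(routes, 36),        # failed over to the backup ISP
        "at_46": installed_default(routes, 46),        # primary back 1 s after recovery
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two things the run makes visible: the down delay must be longer than one probe interval plus the echo timeout, or a single lost reply will fail the primary over; and because the decision rests on ICMP replies from one host, anyone who can filter or blackhole that host's traffic can steer the whole site onto the backup ISP without touching the link.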

  • One last look at the commands. If a DNS server fails:
    the Cisco IOS IP SLAs probe to it will fail
    the static default route tied to that DNS server will be removed
    all traffic will be rerouted toward the other ISP

    R3(config)# ip sla monitor 99
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.1
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 99 life forever start-time now
    R3(config)# track 1 rtr 99 reachability
    R3(config-track)# delay down 10 up 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 1

    R3(config)# ip sla monitor 100
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.2
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 100 life forever start-time now
    R3(config)# track 2 rtr 100 reachability
    R3(config-track)# delay down 10 up 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 2

    IP SLAs operation 100 has the same configuration as operation 99, pointed at the second DNS server.

  • Example 3: Type DNS
    To measure the difference between the time a DNS request is sent and the time a reply is received by a Cisco device, use the IP SLAs DNS operation. To view and interpret the results of an IP SLAs operation, use the show ip sla monitor statistics command. Checking the output for the fields that correspond to the criteria in your service level agreement will help you determine whether the service metrics are acceptable.

    RouterB(config)# ip sla monitor 11
    RouterB(config-rtr)# type dns target-addr www.cisco.com name-server 172.20.2.132
    RouterB(config-rtr)# frequency 60
    RouterB(config-rtr)# exit
    RouterB(config)# ip sla monitor schedule 11 life forever start-time now

  • Cisco Internetwork Performance Monitor (IPM)
    Several Cisco network management applications use IP SLAs. One example is the Cisco Internetwork Performance Monitor (IPM) in the CiscoWorks2000 RWAN bundle.

  • Intro to Cisco IP SLA Operations - SolarWinds Video
    http://www.youtube.com/watch?v=x-fQr24kFKg

  • Network Performance Monitoring: Using IP SLA Monitor with Orion NPM
    http://www.youtube.com/watch?v=YKXoexOVsaE&feature=related

  • http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsla_c.html

  • http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper09186a00802d5efe.html

  • Policy Based Routing (PBR)

  • Using Policy-Based Routing to Control Path Selection
    Routers normally forward packets by examining the destination IP address of the packet and finding the best match in the routing table. With PBR you can implement policies that selectively cause packets to take different paths based on source address, protocol type, or application type. PBR overrides the router's normal routing procedure.
    PBR is applied to packets arriving on the interface where the policy is configured; traffic generated by the router itself is not policy-routed unless ip local policy route-map is configured as well.
    PBR also provides a mechanism to mark packets with different type of service (ToS) values, which can be used together with queuing techniques so that certain kinds of traffic receive preferential service.

  • Source-based transit provider selection
    ISPs and other organizations can use PBR to route traffic originating from different sets of users through different Internet connections across policy routers (more on this later, with BGP).
    QoS
    PBR can provide QoS to differentiated traffic by setting the ToS values in the IP packet headers on routers and then using queuing mechanisms to prioritize traffic.
    Cost savings
    PBR can direct the bulk traffic associated with a specific activity onto a higher-bandwidth, high-cost link for a short time, while basic connectivity for interactive traffic continues over a lower-bandwidth, low-cost link.
    Load sharing
    In addition to the dynamic load-sharing capabilities of the routing protocols, managers can implement policies that distribute traffic among multiple paths based on the traffic characteristics.

  • PBR involves configuring a route map with match and set commands and then applying the route map to an interface.
    Route maps are like complex access lists that allow conditions to be tested against the packet or route in question using match commands. If the conditions match, actions that modify attributes of the packet or route can be taken; these actions are specified by set commands.
    The big difference between route maps and ACLs (or prefix lists): a route map can modify the packet or route using set commands, whereas an ACL or prefix list can only permit or deny.

  • A single match statement may contain multiple conditions. At least one condition in the match statement must be true for that match statement to be considered a match (a logical OR).
    A route map statement may contain multiple match statements. All match statements in the route map statement must be true for the statement to be considered matched (a logical AND).

    If {(x or y or z) and (a) match} then {set b and c}
    Else if q matches then set r
    Else set nothing

  • If the statement is marked as deny and the packet meets the match criteria, the packet is not policy-routed; it is routed normally.
    If the statement is marked as permit and the packet meets the match criteria, the set commands are applied. Once the first set command that changes the next-hop address or exit interface has taken effect, any other set commands that would change the destination are ignored.
    If no match is found in the route map, the packet is routed normally (it is not dropped).
    If you want to drop all packets that do not match any route map statement, add a final route map statement with no match clause (it matches everything) and set default interface null0 (shown later). Keep in mind that set default interface only acts when the router has no explicit route to the destination, so unmatched packets whose destination is in the routing table are still routed normally.

  • match ip address
    Used to specify match criteria for a packet's source address when using a standard access list. An extended access list can be used to specify match criteria based on source and destination addresses, application, protocol type, and ToS.

    match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
    match ip address prefix-list prefix-list-name [...prefix-list-name]

  • match length
    Used to establish match criteria based on the packet length, between specified minimum and maximum values in bytes.

    match length min max

  • set ip next-hop
    Provides a list of IP addresses used to specify the adjacent next-hop router to which the packets should be forwarded. If more than one IP address is specified, the first IP address associated with a currently up connected interface is used to route the packets.
    Note: The routing table is only checked to make sure the next hop can be reached, not for an explicit route to the packet's destination address.

    set ip next-hop ip-address [...ip-address]

  • set interface
    Provides a list of exit interfaces through which the packets can be routed. If more than one interface is specified, the first interface that is found to be up is used to forward the packets.
    Note: If there is no explicit route for the destination address of the packet in the routing table (unknown address or broadcast), the set interface command has no effect and is ignored.

    set interface type number [...type number]

  • set ip default next-hop
    A packet is routed by the set ip default next-hop command only if there is no explicit route for the packet's destination address in the routing table. A default route (0.0.0.0/0) is not considered an explicit match. If more than one IP address is specified, the first next hop that appears to be adjacent to the router is used.

    set ip default next-hop ip-address [...ip-address]

  • set default interface
    A packet is routed by the set default interface command only if there is no explicit route for the packet's destination address in the routing table. A default route (0.0.0.0/0) is not considered an explicit match.

    set default interface type number [...type number]

  • set ip tos
    Used to set some of the bits in the IP ToS field of the IP packet.
    set ip precedence
    Enables you to set the 3 IP precedence bits in the IP packet header.
    These commands are used when implementing QoS and can be used by other QoS services, such as weighted fair queuing (WFQ) and weighted random early detection (WRED).

    set ip precedence [number | name]
    set ip tos [number | name]

  • Example: Using Policy-Based Routing When Connecting to Two ISPs
    Router A provides Internet access for a private enterprise and is connected to two different ISPs. This router advertises a 0.0.0.0 default route into the enterprise network to avoid carrying a large Internet routing table. Thus, when traffic from the enterprise networks 10.1.0.0 and 10.2.0.0 reaches router A, it can go to either ISP A or ISP B.

  • PBR is implemented on router A to shape, or load balance, traffic from router A to each of the ISPs.
    All traffic sourced from the 10.1.0.0 subnet is forwarded to ISP A if there is no specific route to the destination in the routing table.
    All traffic sourced from the 10.2.0.0 subnet is forwarded to ISP B if there is no specific route to the destination in the routing table.
    There is no default route on router A.
    All other traffic (not sourced from 10.1.0.0 or 10.2.0.0) is dropped when there is no specific route to its destination; because set default interface only acts when there is no explicit route, such traffic to a destination that is in the routing table is still routed normally.

  • RA(config)# interface ser 0/0/0
    RA(config-if)# ip address 192.168.6.5 255.255.255.0
    RA(config)# interface ser 0/0/1
    RA(config-if)# ip address 172.16.7.6 255.255.255.0
    RA(config)# interface fa 0/0
    RA(config-if)# ip address 10.1.1.1 255.255.255.0
    RA(config-if)# ip policy route-map equal-access
    RA(config)# route-map equal-access permit 10
    RA(config-route-map)# match ip address 1
    RA(config-route-map)# set ip default next-hop 192.168.6.6
    RA(config)# route-map equal-access permit 20
    RA(config-route-map)# match ip address 2
    RA(config-route-map)# set ip default next-hop 172.16.7.7
    RA(config)# route-map equal-access permit 30
    RA(config-route-map)# set default interface null0
    RA(config)# access-list 1 permit 10.1.0.0 0.0.255.255
    RA(config)# access-list 2 permit 10.2.0.0 0.0.255.255

    Sequence 10 matches all packets sourced from any host in subnet 10.1.0.0. If there is a match, and the router has no explicit route for the packet's destination, the packet is sent to next-hop address 192.168.6.6 (ISP A's router).
    Sequence 20 matches all packets sourced from any host in subnet 10.2.0.0. If there is a match, and the router has no explicit route for the packet's destination, the packet is sent to next-hop address 172.16.7.7 (ISP B's router).
    Sequence 30 has no match command, so it matches all remaining packets, and drops those without an explicit route that were not sourced from subnet 10.1.0.0 or 10.2.0.0.
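The rules spelled out in the preceding slides (OR inside a match statement, AND across them, first matching sequence wins, deny means normal routing, set ip next-hop versus set ip default next-hop, set default interface null0, fall-through to destination-based routing when nothing applies) interact in ways that are easy to misjudge, especially the difference between "no route" and "a default route". The following Python model is an added example, not code from the slides or from Cisco IOS: it evaluates a route map against a packet and a routing table and runs router A's equal-access configuration through it. The routing table, the internal next hop 10.1.1.2, and the test packets are constructed; the tracked next-hop cases model the set ip next-hop verify-availability ... track form used in the BR1 example, with the tracking object's state supplied as an input.

```python
"""Model of Cisco IOS policy-based routing: route-map match/set evaluation
against a routing table.  Added example; packets, RIB and the ACL/route-map
encoding are constructed for illustration."""
import ipaddress


def acl_permits(acl, addr):
    """Standard ACL as [(action, prefix)]: first match decides, implicit deny."""
    ip = ipaddress.ip_address(addr)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return action == "permit"
    return False


def longest_match(rib, dst):
    """Normal destination lookup: (network, next_hop) of the longest prefix, or None."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def has_explicit_route(rib, dst):
    """A default route (0.0.0.0/0) does not count as an explicit route for
    'set ip default next-hop' and 'set default interface'."""
    m = longest_match(rib, dst)
    return m is not None and m[0].prefixlen > 0


def adjacent(nh, connected):
    """A next hop is usable only if it lies on a connected, up interface."""
    return any(ipaddress.ip_address(nh) in ipaddress.ip_network(c) for c in connected)


def entry_matches(entry, pkt, acls):
    """All match clauses must be true (AND); inside 'match ip address' any of
    the listed ACLs may permit the packet (OR).  No match clauses = match all."""
    for kind, arg in entry.get("match", []):
        if kind == "ip address" and not any(acl_permits(acls[a], pkt["src"]) for a in arg):
            return False
        if kind == "length" and not arg[0] <= pkt["length"] <= arg[1]:
            return False
    return True


def apply_sets(entry, pkt, rib, connected, avail):
    """First destination-changing set clause that takes effect wins.
    avail maps a next hop to its tracking-object state (verify-availability
    ... track); a next hop not listed is unverified, as with plain set ip next-hop."""
    explicit = has_explicit_route(rib, pkt["dst"])
    for kind, arg in entry.get("set", []):
        if kind == "ip next-hop":
            for nh in arg:                        # first usable next hop wins
                if adjacent(nh, connected) and avail.get(nh, True):
                    return ("policy", nh)
        elif kind == "ip default next-hop" and not explicit:
            for nh in arg:
                if adjacent(nh, connected):
                    return ("policy", nh)
        elif kind == "default interface" and not explicit:
            return ("drop", arg[0]) if arg[0] == "null0" else ("policy", arg[0])
    return None                                   # nothing applied: route normally


def forward(route_map, pkt, rib, acls, connected, avail=None):
    """How pkt leaves the router: ('policy', nh), ('route', nh) or ('drop', why)."""
    for entry in route_map:                       # first matching entry ends the search
        if entry_matches(entry, pkt, acls):
            result = None
            if entry["action"] == "permit":
                result = apply_sets(entry, pkt, rib, connected, avail or {})
            if result:
                return result
            break                                 # deny, or the set clauses had no effect
    m = longest_match(rib, pkt["dst"])
    return ("route", m[1]) if m else ("drop", "no route")


# Router A from the page: ACL 1, ACL 2 and route-map equal-access sequences 10, 20, 30.
ACLS = {"1": [("permit", "10.1.0.0/16")], "2": [("permit", "10.2.0.0/16")]}
EQUAL_ACCESS = [
    {"action": "permit", "match": [("ip address", ["1"])], "set": [("ip default next-hop", ["192.168.6.6"])]},
    {"action": "permit", "match": [("ip address", ["2"])], "set": [("ip default next-hop", ["172.16.7.7"])]},
    {"action": "permit", "set": [("default interface", ["null0"])]},
]
# Constructed RIB: connected links, the enterprise subnets learned from an
# assumed internal router 10.1.1.2, and no default route.
RIB = {"192.168.6.0/24": "connected", "172.16.7.0/24": "connected", "10.1.1.0/24": "connected",
       "10.1.0.0/16": "10.1.1.2", "10.2.0.0/16": "10.1.1.2"}
CONNECTED = ["192.168.6.0/24", "172.16.7.0/24", "10.1.1.0/24"]


def demo():
    def go(src, dst, rmap=EQUAL_ACCESS, avail=None):
        return forward(rmap, {"src": src, "dst": dst, "length": 100}, RIB, ACLS, CONNECTED, avail)
    # plain 'set ip next-hop' to a tracked next hop, as in the BR1 example
    tracked = [{"action": "permit", "match": [("ip address", ["1"])], "set": [("ip next-hop", ["192.168.6.6"])]}]
    return {
        "10.1 to internet": go("10.1.5.5", "172.19.1.1"),      # policy-routed to ISP A
        "10.2 to internet": go("10.2.5.5", "172.19.1.1"),      # policy-routed to ISP B
        "10.1 to 10.2": go("10.1.5.5", "10.2.9.9"),            # explicit route: default next-hop ignored
        "other to internet": go("10.3.1.1", "172.19.1.1"),     # sequence 30: dropped on null0
        "other to 10.2": go("10.3.1.1", "10.2.9.9"),           # explicit route: null0 ignored, routed
        "tracked, object up": go("10.1.5.5", "10.2.9.9", tracked, {"192.168.6.6": True}),
        "tracked, object down": go("10.1.5.5", "10.2.9.9", tracked, {"192.168.6.6": False}),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print("%-22s %s" % (case, decision))
```

The two cases worth staring at are "other to 10.2", which shows that the null0 catch-all is not a firewall (traffic to anything in the routing table still flows), and "tracked, object up", which shows that set ip next-hop overrides an explicit route where set ip default next-hop would not; use an ACL, not PBR, when the requirement is to block.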

  • show ip policy output indicates that the route map called equal-access is used for PBR on the router's FastEthernet 0/0 interface. show route-map output indicates that three packets have matched sequence 10 of the equal-access route map.

  • debug ip policy output indicates that a packet from 10.1.1.1 destined for 172.19.1.1 was received on interface FastEthernet 0/0, that its source address matched sequence 10 of route map equal-access, and that it was policy-routed out Serial 0/0/0 to next hop 192.168.6.6.

  • Example: Using Policy-Based Routing Based on Source Address
    Router A has a policy that packets with a source address of 192.168.2.1 (on the other side of router B) should go out to router C's interface Serial 0/0/1, 172.17.1.2. All other packets should be routed according to their destination address.

  • Router A's Serial 0/0/2 interface, where packets from 192.168.2.1 enter router A, is configured for policy routing with the ip policy route-map command. It tests the source addresses of incoming packets against access list 1 to determine which packets are policy-routed (those with source address 192.168.2.1). Packets that match access list 1 are sent to the next-hop address 172.17.1.2, router C's Serial 0/0/1 interface. All other packets are forwarded normally, according to their destination address.

    RA(config)# interface ser 0/0/2
    RA(config-if)# ip address 172.16.1.2 255.255.255.0
    RA(config-if)# ip policy route-map test
    RA(config)# route-map test permit 10
    RA(config-route-map)# match ip address 1
    RA(config-route-map)# set ip next-hop 172.17.1.2
    RA(config)# access-list 1 permit 192.168.2.1 0.0.0.0

  • show ip policy indicates that the route map called test is used for policy routing on the router's interface Serial 0/0/2. show route-map indicates that three packets have matched this route map.

  • debug ip policy shows that a packet from 172.16.1.1 destined for 192.168.1.1 was received on interface Serial 0/0/2 and was rejected by the policy on that interface; the packet is routed normally (by destination). Another packet, from 192.168.2.1 destined for 192.168.1.1, was later received on the same interface, Serial 0/0/2. This packet matched the policy on that interface and therefore was policy-routed and sent out interface Serial 0/0/1 to 172.17.1.2.

  • FYI: Alternative Solution, IP SLAs Configuration Example Using PBR
    This section presents an alternative solution to the configuration of the R3 router given earlier in this chapter in the "Path Control using IP SLAs Examples" section. A partial configuration is shown in Example 5-22, providing just the configuration for reachability to the R1 router; explanatory comments are provided within the configuration. (The configuration for reachability to the R2 router would be similar.) Using PBR allows the configuration to be very granular, to support other options. In this example, PBR points to a next-hop address that is tracked via Cisco IOS IP SLAs.

  • The original solution, for reference. If a DNS server fails:
    the Cisco IOS IP SLAs probe to it will fail
    the static default route tied to that DNS server will be removed
    all traffic will be rerouted toward the other ISP

    R3(config)# ip sla monitor 99
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.1
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 99 life forever start-time now
    R3(config)# track 1 rtr 99 reachability
    R3(config-track)# delay down 10 up 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 1

    R3(config)# ip sla monitor 100
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.2
    R3(config-rtr)# frequency 10
    R3(config)# ip sla monitor schedule 100 life forever start-time now
    R3(config)# track 2 rtr 100 reachability
    R3(config-track)# delay down 10 up 1
    R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 2

    IP SLAs operation 100 has the same configuration as operation 99, pointed at the second DNS server.

  • set ip next-hop verify-availability - To configure policy routing to verify that the next hops of a route map is a CDP neighbor before policy routing to that next hop, use the set ip next-hop verify-availability command in route-map configuration mode. CDP must be enabledObject 1 will be up if the router can ping 10.0.8.1Enable PBR using route-map IP-SLA cConfigure a route-map to set the next-hop verify-availability to verify the reachability of the next hop of a route map before the router performs PBR to that next hop

    R3(config)# ip sla monitor 99
    R3(config-rtr)# type echo protocol ipIcmpEcho 10.0.8.1
    R3(config-rtr)# frequency 10
    R3(config-rtr)# timeout 5000

    R3(config)# ip sla monitor schedule 99 life forever start-time now

    R3(config)# track 1 rtr 99 reachability

    R3(config)# interface ser 0/0/2
    R3(config-if)# ip address 10.2.8.1 255.255.255.0
    R3(config-if)# ip policy route-map IP-SLA

    R3(config)# route-map IP-SLA permit 10
    R3(config-route-map)# set ip next-hop verify-availability 192.168.2.1 1 track 1
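The two slides above describe the same mechanism twice: a probe feeds a tracked object, and the object's state either installs a tracked static default route or enables the PBR next hop. The following simulation is an added example, not part of the original slides or of Cisco IOS: it models the track object with its delay down 10 / up 1 timers, the two tracked default routes via 192.168.2.2 and 192.168.1.2, and the verify-availability next hop 192.168.2.1, using constructed probe results (the probe and address values are taken from the slide, the timing model is an assumption).

```python
from dataclasses import dataclass

@dataclass
class TrackObject:
    """Models 'track N rtr M reachability' with 'delay down D up U' (seconds):
    a changed probe result takes effect only after it persists for the delay."""
    delay_down: int
    delay_up: int
    up: bool = True
    pending: "tuple | None" = None  # (new state, time it takes effect)

    def observe(self, reachable: bool, now: int) -> None:
        """Feed one probe result (one 'ip sla monitor' echo cycle) at time now."""
        self.state(now)                       # apply a transition that is already due
        if reachable == self.up:
            self.pending = None               # result agrees with state: cancel timer
        elif self.pending is None:
            delay = self.delay_up if reachable else self.delay_down
            self.pending = (reachable, now + delay)

    def state(self, now: int) -> bool:
        if self.pending and now >= self.pending[1]:
            self.up, self.pending = self.pending[0], None
        return self.up

def simulate(probe_results, frequency=10):
    """probe_results: one (dns1_ok, dns2_ok) pair per probe cycle.  Returns, per
    cycle, the tracked default next hops installed in the routing table and the
    hop PBR would use; None means track 1 is down, so the 'set ip next-hop
    verify-availability ... track 1' clause is skipped and normal routing applies."""
    track1 = TrackObject(delay_down=10, delay_up=1)   # track 1 -> probe 99  -> 10.0.8.1
    track2 = TrackObject(delay_down=10, delay_up=1)   # track 2 -> probe 100 -> 10.0.8.2
    routes = [("192.168.2.2", track1), ("192.168.1.2", track2)]  # ip route 0.0.0.0 0.0.0.0 ... track N
    history = []
    for i, (ok1, ok2) in enumerate(probe_results):
        now = i * frequency                           # 'frequency 10': one echo every 10 s
        track1.observe(ok1, now)
        track2.observe(ok2, now)
        installed = [hop for hop, trk in routes if trk.state(now)]
        pbr_hop = "192.168.2.1" if track1.state(now) else None
        history.append((installed, pbr_hop))
    return history

if __name__ == "__main__":
    # Constructed run: DNS 10.0.8.1 stops answering for two cycles, then recovers.
    for step in simulate([(True, True), (False, True), (False, True), (True, True), (True, True)]):
        print(step)
```

Note that the first failed echo does not remove the route: the delay down 10 timer must expire first, which is what keeps a single lost ping from flapping the default route.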


    The behavior of CEFv6 is the same as CEF for IPv4. However, there are new configuration commands for CEFv6 and common commands for both CEFv6 and CEF for IPv4.

    The ipv6 cef command enables the central CEFv6 mode.

    The first step in this configuration defines the probe. Probe 11 is defined by the ip sla 11 command. The test defined with the icmp-echo 10.1.3.1 command specifies that the ICMP echoes are sent to destination 10.1.3.3 (DNS Server) to check connectivity. The frequency 10 command schedules the connectivity test to repeat every 10 seconds. The ip sla schedule 11 life forever start-time now command defines the start and end time of the connectivity test for probe 11; the start time is now and it will continue forever.

    The second step defines the tracking object, which is linked to the probe from the first step. The track 1 ip sla 11 reachability command specifies that object 1 is tracked; it is linked to probe 11 (defined in the first step) so that the reachability of 10.1.3.3 is tracked.

    The last step defines an action based on the status of the tracking object. The ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1 command conditionally configures the default route, via 10.1.1.1, with an administrative distance of 2, if the result of tracking object 1 is true. Thus, if 10.1.3.3 is reachable, a static default route via 10.1.1.1 with an administrative distance of 2 is installed in the routing table.