Difference between revisions of "IPv6: Policy Route Map"
Onnowpurbo (talk | contribs) (Created page with "Sumber: http://www.ciscopress.com/articles/article.asp?p=426637&seqNum=2 Configuring Route Maps Like access lists (see Appendix B, "Tutorial: Access Lists"), route maps...") |
Onnowpurbo (talk | contribs) |
||
Line 2: | Line 2: | ||
− | + | ==Configuring Route Maps== | |
− | |||
− | |||
− | Configuring Route Maps | ||
Like access lists (see Appendix B, "Tutorial: Access Lists"), route maps by themselves affect nothing; they must be "called" by some command. The command will most likely be either a policy routing command or a redistribution command. Policy routing will send packets to the route map, whereas redistribution will send routes to the route map. The case studies in this section demonstrate the use of route maps for both redistribution and policy routing. | Like access lists (see Appendix B, "Tutorial: Access Lists"), route maps by themselves affect nothing; they must be "called" by some command. The command will most likely be either a policy routing command or a redistribution command. Policy routing will send packets to the route map, whereas redistribution will send routes to the route map. The case studies in this section demonstrate the use of route maps for both redistribution and policy routing. | ||
Line 13: | Line 10: | ||
route-map Hagar permit 10 | route-map Hagar permit 10 | ||
− | |||
match ip address 110 | match ip address 110 | ||
− | |||
set metric 100 | set metric 100 | ||
Line 21: | Line 16: | ||
The sequence number allows the identification and editing of multiple statements. Consider the configuration steps in Example 14-2. | The sequence number allows the identification and editing of multiple statements. Consider the configuration steps in Example 14-2. | ||
+ | |||
Example 14-2. Route map Hagar is modified in this configuration. | Example 14-2. Route map Hagar is modified in this configuration. | ||
− | + | route-map Hagar 20 | |
− | + | match ip address 111 | |
− | + | set metric 50 | |
− | |||
− | |||
− | + | route-map Hagar 15 | |
− | + | match ip address 112 | |
− | + | set metric 80 | |
− | |||
− | |||
Here, a second and third set of route map statements, each with their own match and set statements, have been added to route map Hagar. Notice that a sequence number of 20 was configured first and then a sequence number of 15. In the final configuration, the IOS has placed statement 15 before 20 even though it was entered later, as shown in Example 14-3. [1] | Here, a second and third set of route map statements, each with their own match and set statements, have been added to route map Hagar. Notice that a sequence number of 20 was configured first and then a sequence number of 15. In the final configuration, the IOS has placed statement 15 before 20 even though it was entered later, as shown in Example 14-3. [1] | ||
+ | |||
Example 14-3. IOS places the commands in sequential order. | Example 14-3. IOS places the commands in sequential order. | ||
− | + | route-map Hagar permit 10 | |
− | + | match ip address 110 | |
− | + | set metric 100 | |
− | + | ! | |
− | + | route-map Hagar permit 15 | |
− | + | match ip address 112 | |
− | + | set metric 80 | |
− | + | ! | |
− | + | route-map Hagar permit 20 | |
− | + | match ip address 111 | |
− | + | set metric 50 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
The sequence numbers also allow for the elimination of individual statements. For example, the statement | The sequence numbers also allow for the elimination of individual statements. For example, the statement | ||
− | Linus(config)#no route-map Hagar 15 | + | Linus(config)#no route-map Hagar 15 |
deletes statement 15 and leaves the other statements intact, as shown in Example 14-4. | deletes statement 15 and leaves the other statements intact, as shown in Example 14-4. | ||
Example 14-4. Route-map Hagar after the match/set statements associated with sequence 15 have been removed. | Example 14-4. Route-map Hagar after the match/set statements associated with sequence 15 have been removed. | ||
− | + | route-map Hagar permit 10 | |
− | + | match ip address 110 | |
− | + | set metric 100 | |
− | + | ! | |
− | + | route-map Hagar permit 20 | |
− | + | match ip address 111 | |
− | + | set metric 50 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Be careful when editing route maps. In this example, if no route-map Hagar had been typed, without specifying a sequence number, the entire route map would have been deleted. Likewise, if no sequence numbers had been specified when the additional match and set statements were added, they would have simply changed statement 10. [2] | Be careful when editing route maps. In this example, if no route-map Hagar had been typed, without specifying a sequence number, the entire route map would have been deleted. Likewise, if no sequence numbers had been specified when the additional match and set statements were added, they would have simply changed statement 10. [2] | ||
A packet or route is passed sequentially through route map statements. If a match is made, any set statements are executed and the permit or deny action is executed. As with access lists, processing stops when a match is made and the specified action is executed; the route or packet is not passed to subsequent statements. Consider the route map in Example 14-5. | A packet or route is passed sequentially through route map statements. If a match is made, any set statements are executed and the permit or deny action is executed. As with access lists, processing stops when a match is made and the specified action is executed; the route or packet is not passed to subsequent statements. Consider the route map in Example 14-5. | ||
+ | |||
Example 14-5. Route-map Sluggo. | Example 14-5. Route-map Sluggo. | ||
− | + | route-map Sluggo permit 10 | |
− | + | match ip route-source 1 | |
− | + | set next-hop 192.168.1.5 | |
− | + | ! | |
− | + | route-map Sluggo permit 20 | |
− | + | match ip route-source 2 | |
− | + | set next-hop 192.168.1.10 | |
− | + | ! | |
− | + | route-map Sluggo permit 30 | |
− | + | match ip route-source 3 | |
− | + | set next-hop 192.168.1.15 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
If a route does not match statement 10, it will be passed to statement 20. If a match is made at statement 20, the set command will be executed and the route will be permitted. The matched route will not be passed on to statement 30. | If a route does not match statement 10, it will be passed to statement 20. If a match is made at statement 20, the set command will be executed and the route will be permitted. The matched route will not be passed on to statement 30. | ||
Line 119: | Line 87: | ||
Example 14-6. Route map Garfield contains multiple match and set statements for the map statement with sequence number 10. | Example 14-6. Route map Garfield contains multiple match and set statements for the map statement with sequence number 10. | ||
− | + | route-map Garfield permit 10 | |
+ | match ip route-source 15 | ||
+ | match interface Serial0 | ||
+ | set metric-type type-1 | ||
+ | set next-hop 10.1.2.3 | ||
− | + | In a case such as this, every match statement must be matched for the set statements to be executed. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ==Case Study: Policy Routing== | |
− | Case Study: Policy Routing | ||
Policy routing is defined with the command ip policy route-map. The command is configured on an interface and affects incoming packets only. | Policy routing is defined with the command ip policy route-map. The command is configured on an interface and affects incoming packets only. | ||
Line 138: | Line 103: | ||
Figure 14-3 Policy routes can be configured at Linus to route some packets through Lucy and other packets through Pigpen. | Figure 14-3 Policy routes can be configured at Linus to route some packets through Lucy and other packets through Pigpen. | ||
+ | |||
Example 14-7. Linus's policy routing configuration. | Example 14-7. Linus's policy routing configuration. | ||
− | + | interface Serial0 | |
− | + | ip address 172.16.5.1 255.255.255.0 | |
− | + | ip policy route-map Sally | |
− | + | ! | |
− | + | access-list 1 permit 172.16.6.0 0.0.0.255 | |
− | + | access-list 2 permit 172.16.7.0 0.0.0.255 | |
− | + | ! | |
+ | route-map Sally permit 10 | ||
+ | match ip address 1 | ||
+ | set ip next-hop 172.16.4.2 | ||
+ | ! | ||
+ | route-map Sally permit 15 | ||
+ | match ip address 2 | ||
+ | set ip next-hop 172.16.4.3 | ||
− | + | The policy routing command on S0 sends incoming packets to route map Sally. Statement 10 of route map Sally uses access list 1 to identify source addresses from subnet 172.16.6.0/24. If a match is made, the packet is forwarded to Lucy, whose next-hop interface address is 172.16.4.2. If no match is made, the packet is sent to statement 15. That statement uses access list 2 to match source addresses from subnet 172.16.7.0/24. If a match is made at that statement, the packet is forwarded to Pigpen (172.16.4.3). Any packets that do not match statement 15, such as packets sourced from subnet 172.16.8.0/24, are routed normally. Example 14-8 shows the results of the policy route. [3] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Example 14-8. The policy route configured on Linus's S0 interface routes packets from subnet 172.16.6.0/24 to Lucy (172.16.4.2) and routes packets from subnet 172.16.7.0/24 to Pigpen (172.16.4.3). Packets from subnet 172.16.8.0/24, which do not match the policy route, are routed normally (load balancing between Lucy and Pigpen). | Example 14-8. The policy route configured on Linus's S0 interface routes packets from subnet 172.16.6.0/24 to Lucy (172.16.4.2) and routes packets from subnet 172.16.7.0/24 to Pigpen (172.16.4.3). Packets from subnet 172.16.8.0/24, which do not match the policy route, are routed normally (load balancing between Lucy and Pigpen). | ||
− | Linus#debug ip packet 5 | + | Linus#debug ip packet 5 |
− | IP packet debugging is on for access list 5 | + | IP packet debugging is on for access list 5 |
− | Linus# | + | Linus# |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward |
Suppose Lucy's Ethernet interface fails. Linus would still attempt to forward packets from 172.16.6.0 to Lucy's IP address. Because a match is made in the route map, even if the specified next-hop interface were down, no other matches would be attempted nor would the packet be routed normally. To force Linus to verify the availability of the next-hop address before attempting to forward the packet, use the command set ip next-hop verify-availability. Linus will search its CDP neighbors table to verify that the next-hop address is listed. If it is not, the policy is rejected and the packet is forwarded normally. Example 14-9 shows the output of the commands debug ip policy and debug arp while Lucy's Ethernet interface is down. Packets are matched and policy routed, even while the router is attempting to ARP for the next-hop address, without receiving an ARP reply. The packets are dropped. | Suppose Lucy's Ethernet interface fails. Linus would still attempt to forward packets from 172.16.6.0 to Lucy's IP address. Because a match is made in the route map, even if the specified next-hop interface were down, no other matches would be attempted nor would the packet be routed normally. To force Linus to verify the availability of the next-hop address before attempting to forward the packet, use the command set ip next-hop verify-availability. Linus will search its CDP neighbors table to verify that the next-hop address is listed. If it is not, the policy is rejected and the packet is forwarded normally. Example 14-9 shows the output of the commands debug ip policy and debug arp while Lucy's Ethernet interface is down. Packets are matched and policy routed, even while the router is attempting to ARP for the next-hop address, without receiving an ARP reply. The packets are dropped. | ||
Example 14-10 shows the output of the debug ip policy command with the addition of the set ip next-hop verify-availability command in the IP policy configuration. The example shows Linus's operation with Lucy's Ethernet interface still down. The packets are matched by the policy, but the policy is rejected because the next-hop address is no longer in Linus's CDP table. Since the policy is rejected, the packets are routed using the normal method. | Example 14-10 shows the output of the debug ip policy command with the addition of the set ip next-hop verify-availability command in the IP policy configuration. The example shows Linus's operation with Lucy's Ethernet interface still down. The packets are matched by the policy, but the policy is rejected because the next-hop address is no longer in Linus's CDP table. Since the policy is rejected, the packets are routed using the normal method. | ||
+ | |||
Example 14-9. debug ip policy and debug arp on Linus shows packets are attempting to be routed according to the configured policy, even if the next hop specified by the policy is unavailable. | Example 14-9. debug ip policy and debug arp on Linus shows packets are attempting to be routed according to the configured policy, even if the next hop specified by the policy is unavailable. | ||
− | Linus#debug arp | + | Linus#debug arp |
− | ARP packet debugging is on | + | ARP packet debugging is on |
− | Linus#debug ip policy | + | Linus#debug ip policy |
− | Policy routing debugging is on | + | Policy routing debugging is on |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, policy match |
− | IP: route map Sally, item 10, permit | + | IP: route map Sally, item 10, permit |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1 (Ethernet0), len 100, policy routed | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1 (Ethernet0), len 100, policy routed |
− | IP: Serial0 to Ethernet0 172.16.4.2 | + | IP: Serial0 to Ethernet0 172.16.4.2 |
− | IP ARP: sent req src 172.16.4.1 0004.c150.e700, | + | IP ARP: sent req src 172.16.4.1 0004.c150.e700, |
− | + | dst 172.16.4.2 0000.0000.0000 Ethernet0 | |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, policy match |
− | IP: route map Sally, item 10, permit | + | IP: route map Sally, item 10, permit |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1 (Ethernet0), len 100, policy routed | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1 (Ethernet0), len 100, policy routed |
− | IP: Serial0 to Ethernet0 172.16.4.2 | + | IP: Serial0 to Ethernet0 172.16.4.2 |
− | IP ARP: sent req src 172.16.4.1 0004.c150.e700, | + | IP ARP: sent req src 172.16.4.1 0004.c150.e700, |
− | + | dst 172.16.4.2 0000.0000.0000 Ethernet0 | |
− | IP ARP: creating incomplete entry for IP address: 172.16.4.2 interface Ethernet0 | + | IP ARP: creating incomplete entry for IP address: 172.16.4.2 interface Ethernet0 |
− | IP ARP: sent req src 172.16.4.1 0004.c150.e700, | + | IP ARP: sent req src 172.16.4.1 0004.c150.e700, |
− | + | dst 172.16.4.2 0000.0000.0000 Ethernet0 | |
− | IP ARP throttled out the ARP Request for 172.16.4.2 | + | IP ARP throttled out the ARP Request for 172.16.4.2 |
Example 14-10. debug ip policy on Linus with set ip next-hop verify-availability configured, shows the policy is rejected (the next hop is not in Linus's CDP neighbor table) and packets are routed normally (not policy routed). | Example 14-10. debug ip policy on Linus with set ip next-hop verify-availability configured, shows the policy is rejected (the next hop is not in Linus's CDP neighbor table) and packets are routed normally (not policy routed). | ||
− | Linus#debug ip policy | + | Linus#debug ip policy |
− | Policy routing debugging is on | + | Policy routing debugging is on |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy rejected - normal | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy rejected - normal |
− | forwarding | + | forwarding |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy rejected - normal | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy rejected - normal |
− | forwarding | + | forwarding |
Example 14-11 shows the output of the same debug command, debug ip policy, after Lucy's Ethernet interface is backed up. The output shows that the packets are successfully policy routed. | Example 14-11 shows the output of the same debug command, debug ip policy, after Lucy's Ethernet interface is backed up. The output shows that the packets are successfully policy routed. | ||
Example 14-11. debug ip policy on Linus with set ip next-hop verify-availability configured. The packets are policy routed when the next hop is verified. | Example 14-11. debug ip policy on Linus with set ip next-hop verify-availability configured. The packets are policy routed when the next hop is verified. | ||
− | Linus# | + | Linus# |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, g=172.16.4.2, len 100, FIB policy routed | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, g=172.16.4.2, len 100, FIB policy routed |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match |
− | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, g=172.16.4.2, len 100, FIB policy routed | + | IP: s=172.16.6.1 (Serial0), d=172.16.2.1, g=172.16.4.2, len 100, FIB policy routed |
Standard IP access lists are used when policy routing by source address only. To route by both source and destination, an extended IP access list is used. The configuration in Example 14-12 causes packets from any subnet to host 172.16.1.1 to be forwarded to Lucy, whereas packets from host 172.16.7.1 to host 172.16.1.2 are forwarded to Pigpen. All other packets are routed normally. | Standard IP access lists are used when policy routing by source address only. To route by both source and destination, an extended IP access list is used. The configuration in Example 14-12 causes packets from any subnet to host 172.16.1.1 to be forwarded to Lucy, whereas packets from host 172.16.7.1 to host 172.16.1.2 are forwarded to Pigpen. All other packets are routed normally. | ||
Example 14-12. Policy route maps can reference extended IP access-lists to specify a source and destination address pair to match, as shown in this configuration. | Example 14-12. Policy route maps can reference extended IP access-lists to specify a source and destination address pair to match, as shown in this configuration. | ||
− | + | interface Serial0 | |
+ | ip address 172.16.5.1 255.255.255.0 | ||
+ | ip policy route-map Sally | ||
+ | ! | ||
+ | access-list 101 permit ip any host 172.16.1.1 | ||
+ | access-list 102 permit ip host 172.16.7.1 host 172.16.1.2 | ||
+ | ! | ||
+ | route-map Sally permit 10 | ||
+ | match ip address 101 | ||
+ | set ip next-hop 172.16.4.2 | ||
+ | ! | ||
+ | route-map Sally permit 15 | ||
+ | match ip address 102 | ||
+ | set ip next-hop 172.16.4.3 | ||
− | + | Route map Sally is again used, except the match statements now reference access lists 101 and 102. Example 14-13 shows the results. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Example 14-13. Packets from any host to host 172.16.1.1 match statement 10 of route map Sally and are forwarded to Lucy. Packets from host 172.16.7.1 to host 172.16.1.2 are forwarded to Pigpen. Packets from another address on subnet 172.16.7.0/24 to host 172.16.1.2 are not matched by Sally and are routed normally. | Example 14-13. Packets from any host to host 172.16.1.1 match statement 10 of route map Sally and are forwarded to Lucy. Packets from host 172.16.7.1 to host 172.16.1.2 are forwarded to Pigpen. Packets from another address on subnet 172.16.7.0/24 to host 172.16.1.2 are not matched by Sally and are routed normally. | ||
− | Linus#debug ip packet 5 | + | Linus#debug ip packet 5 |
− | IP packet debugging is on for access list 5 | + | IP packet debugging is on for access list 5 |
− | Linus# | + | Linus# |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.2, len 60, forward |
− | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward | + | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward |
− | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.2, len 60, forward | + | IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.2, len 60, forward |
Next, suppose your policy states that FTP traffic from the servers on subnet 172.16.1.0/24 should be forwarded to Lucy and that Telnet traffic from the same servers should be forwarded to Pigpen. This plan allows the bulk FTP traffic and the bursty, interactive Telnet traffic to be segregated on the two serial links from Schroeder. Schroeder will have the configuration in Example 14-14. | Next, suppose your policy states that FTP traffic from the servers on subnet 172.16.1.0/24 should be forwarded to Lucy and that Telnet traffic from the same servers should be forwarded to Pigpen. This plan allows the bulk FTP traffic and the bursty, interactive Telnet traffic to be segregated on the two serial links from Schroeder. Schroeder will have the configuration in Example 14-14. | ||
Example 14-14. Schroeder's policy route configuration forwarding FTP and Telnet traffic. | Example 14-14. Schroeder's policy route configuration forwarding FTP and Telnet traffic. | ||
− | + | interface Ethernet0 | |
+ | ip address 172.16.1.4 255.255.255.0 | ||
+ | ip policy route-map Rerun | ||
+ | ! | ||
+ | access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp any | ||
+ | access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any | ||
+ | access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq telnet any | ||
+ | ! | ||
+ | route-map Rerun permit 10 | ||
+ | match ip address 105 | ||
+ | set ip next-hop 172.16.2.1 | ||
+ | ! | ||
+ | route-map Rerun permit 20 | ||
+ | match ip address 106 | ||
+ | set ip next-hop 172.16.3.1 | ||
− | + | Access lists 105 and 106 are examining not only the source and destination addresses, but also the source port. In Example 14-15, the detail option is used with debug ip packet to allow observation of the packet types being forwarded by Schroeder. An access list 10 limits the displayed packets to those from 172.16.1.1 to 172.16.6.1. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Example 14-15. FTP packets (TCP ports 20 and 21) are being forwarded to Lucy, whereas Telnet packets (TCP port 23) with the same source and destination addresses are forwarded to Pigpen. Echo Reply packets (ICMP type 0), which do not find a match in the policy route, are routed normally. | Example 14-15. FTP packets (TCP ports 20 and 21) are being forwarded to Lucy, whereas Telnet packets (TCP port 23) with the same source and destination addresses are forwarded to Pigpen. Echo Reply packets (ICMP type 0), which do not find a match in the policy route, are routed normally. | ||
− | Schroeder#debug ip packet detail 10 | + | Schroeder#debug ip packet detail 10 |
− | IP packet debugging is on (detailed) for access list 10 | + | IP packet debugging is on (detailed) for access list 10 |
− | Schroeder# | + | Schroeder# |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1064, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1064, forward |
− | + | TCP src=20, dst=1047, seq=3702770065, ack=591246297, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 64, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 64, forward |
− | + | TCP src=21, dst=1046, seq=3662108731, ack=591205663, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward |
− | + | TCP src=20, dst=1047, seq=3702771089, ack=591246297, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward |
− | + | TCP src=23, dst=1048, seq=3734385279, ack=591277873, win=14332 ACK | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 52, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 52, forward |
− | + | TCP src=23, dst=1048, seq=3734385279, ack=591277873, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward |
− | + | TCP src=23, dst=1048, seq=3734385291, ack=591277876, win=14332 ACK | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
The purpose of segregating bulk and interactive traffic, as demonstrated in the last example, is so that the small packets characteristic of interactive traffic do not become delayed by the large packets characteristic of bulk traffic. The problem with the approach in this example is that if many types of traffic must be segregated, the access lists identifying the traffic by destination port might become prohibitively large. | The purpose of segregating bulk and interactive traffic, as demonstrated in the last example, is so that the small packets characteristic of interactive traffic do not become delayed by the large packets characteristic of bulk traffic. The problem with the approach in this example is that if many types of traffic must be segregated, the access lists identifying the traffic by destination port might become prohibitively large. | ||
If the objective is to segregate small packets from large packets, the length of the packet can be matched, as shown in Example 14-16. | If the objective is to segregate small packets from large packets, the length of the packet can be matched, as shown in Example 14-16. | ||
+ | |||
Example 14-16. Schroeder's policy route configuration forwards traffic based on packet length. | Example 14-16. Schroeder's policy route configuration forwards traffic based on packet length. | ||
− | + | interface Ethernet0 | |
− | + | ip address 172.16.1.4 255.255.255.0 ip policy route-map Woodstock ! | |
− | + | route-map Woodstock permit 20 | |
− | + | match length 1000 1600 | |
− | + | set ip next-hop 172.16.2.1 | |
− | + | ! | |
− | + | route-map Woodstock permit 30 | |
− | + | match length 0 400 | |
− | + | set ip next-hop 172.16.3.1 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Here the match length statement specifies a minimum and a maximum packet size. Statement 20 of the route map causes all packets between 1000 and 1600 octets in length to be routed across the serial link to Lucy. Statement 30 causes all packets up to 400 octets in length to be routed across the serial link to Pigpen. Packets between 400 and 1000 octets are routed normally. | Here the match length statement specifies a minimum and a maximum packet size. Statement 20 of the route map causes all packets between 1000 and 1600 octets in length to be routed across the serial link to Lucy. Statement 30 causes all packets up to 400 octets in length to be routed across the serial link to Pigpen. Packets between 400 and 1000 octets are routed normally. | ||
Example 14-17 shows the results of the new route map. Again there are FTP, Telnet, and Echo Reply packets from 172.16.1.2 to 172.16.6.1, but now the packets are routed according to their size instead of their addresses and ports. | Example 14-17 shows the results of the new route map. Again there are FTP, Telnet, and Echo Reply packets from 172.16.1.2 to 172.16.6.1, but now the packets are routed according to their size instead of their addresses and ports. | ||
+ | |||
Example 14-17. Packets of 1000 octets or larger are routed to Lucy, whereas packets of 400 octets or less are routed to Pigpen. Any packets between 400 and 1000 octets are routed normally. | Example 14-17. Packets of 1000 octets or larger are routed to Lucy, whereas packets of 400 octets or less are routed to Pigpen. Any packets between 400 and 1000 octets are routed normally. | ||
− | Schroeder#debug ip packet detail 10 | + | Schroeder#debug ip packet detail 10 |
− | IP packet debugging is on (detailed) for access list 10 | + | IP packet debugging is on (detailed) for access list 10 |
− | Schroeder# | + | Schroeder# |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward |
− | + | TCP src=20, dst=1063, seq=1528444161, ack=601956937, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward |
− | + | TCP src=20, dst=1063, seq=1528442725, ack=601956937, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward |
− | + | TCP src=20, dst=1063, seq=1528444161, ack=601956937, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 840, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 840, forward |
− | + | TCP src=20, dst=1063, seq=1528445597, ack=601956937, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward |
− | + | TCP src=21, dst=1062, seq=1469372904, ack=601897901, win=14329 ACK | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 54, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 54, forward |
− | + | TCP src=21, dst=1062, seq=1469372904, ack=601897901, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward |
− | + | TCP src=21, dst=1062, seq=1469372918, ack=601897901, win=14335 ACK FIN | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 44, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 44, forward |
− | + | TCP src=23, dst=1064, seq=1712116521, ack=602140570, win=14335 ACK SYN | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 43, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 43, forward |
− | + | TCP src=23, dst=1064, seq=1712116522, ack=602140570, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward |
− | + | TCP src=23, dst=1064, seq=1712116525, ack=602140573, win=14332 ACK | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 52, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 52, forward |
− | + | TCP src=23, dst=1064, seq=1712116525, ack=602140573, win=14335 ACK PSH | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
− | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward | + | IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward |
− | + | ICMP type=0, code=0 | |
The policy routes demonstrated so far affect packets entering the router from a particular interface. But what about packets generated by the router itself? These can also be policy routed, with the command ip local policy route-map. Unlike the ip policy route-map command, which is configured on an interface, this command is configured globally on the router. | The policy routes demonstrated so far affect packets entering the router from a particular interface. But what about packets generated by the router itself? These can also be policy routed, with the command ip local policy route-map. Unlike the ip policy route-map command, which is configured on an interface, this command is configured globally on the router. | ||
To apply the previously demonstrated policy to packets generated by Schroeder, the configuration is as displayed in Example 14-18. | To apply the previously demonstrated policy to packets generated by Schroeder, the configuration is as displayed in Example 14-18. | ||
+ | |||
Example 14-18. Route policy configuration for packets generated by Schroeder. | Example 14-18. Route policy configuration for packets generated by Schroeder. | ||
− | + | interface Ethernet0 | |
− | + | ip address 172.16.1.4 255.255.255.0 | |
− | + | ip policy route-map Woodstock | |
− | + | ! | |
− | + | ip local policy route-map Woodstock | |
− | + | ! | |
− | + | access-list 120 permit ip any 172.16.1.0 0.0.0.255 | |
− | + | access-list 120 permit ospf any any | |
− | + | ! | |
− | + | route-map Woodstock permit 10 | |
− | + | match ip address 120 | |
− | + | ! | |
− | + | route-map Woodstock permit 20 | |
− | + | match length 1000 1600 | |
− | + | set ip next-hop 172.16.2.1 | |
− | + | ! | |
− | + | route-map Woodstock permit 30 | |
− | + | match length 0 400 | |
− | + | set ip next-hop 172.16.3.1 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Of particular interest is statement 10. This statement does not have a set statement, but merely permits packets that match access list 120. Access list 120, in turn, permits all packets destined for subnet 172.16.1.0/24 and all OSPF packets. Without the first line of the access list, some packets originated by Schroeder and destined for subnet 172.16.1.0/24 would be forwarded to the wrong interface by statement 20 or 30. Figure 14-4 shows why the second line of the access list is necessary. The length of Schroeder's OSPF Hellos is 44 octets. If statement 10 were not included, the OSPF Hellos would all match statement 30 and be forwarded to Pigpen, breaking the adjacency between Lucy and Schroeder. By matching statement 10, the OSPF packets are permitted with no changes and are forwarded normally. | Of particular interest is statement 10. This statement does not have a set statement, but merely permits packets that match access list 120. Access list 120, in turn, permits all packets destined for subnet 172.16.1.0/24 and all OSPF packets. Without the first line of the access list, some packets originated by Schroeder and destined for subnet 172.16.1.0/24 would be forwarded to the wrong interface by statement 20 or 30. Figure 14-4 shows why the second line of the access list is necessary. The length of Schroeder's OSPF Hellos is 44 octets. If statement 10 were not included, the OSPF Hellos would all match statement 30 and be forwarded to Pigpen, breaking the adjacency between Lucy and Schroeder. By matching statement 10, the OSPF packets are permitted with no changes and are forwarded normally. | ||
Line 455: | Line 362: | ||
Figure 14-4 The length of the OSPF Hello packets is seen in this analyzer capture. | Figure 14-4 The length of the OSPF Hello packets is seen in this analyzer capture. | ||
− | Case Study: Policy Routing and Quality of Service Routing | + | |
+ | ==Case Study: Policy Routing and Quality of Service Routing== | ||
Although quality of service (QoS) routing is outside the scope of this volume, it must be noted here that policy routing can be an integral part of QoS. Policy routing in conjunction with QoS is done by setting the Precedence or the Type of Service (TOS) bits of the TOS field in the IP headers of packets as they enter a router's interface. Figure 14-5 shows the bits of the TOS field. Although the TOS bits are seldom used in modern networks, the Precedence bits have found new life in QoS applications. The TOS bits are used to influence the path a router selects for a packet, whereas the Precedence bits are used to prioritize packets within a router. | Although quality of service (QoS) routing is outside the scope of this volume, it must be noted here that policy routing can be an integral part of QoS. Policy routing in conjunction with QoS is done by setting the Precedence or the Type of Service (TOS) bits of the TOS field in the IP headers of packets as they enter a router's interface. Figure 14-5 shows the bits of the TOS field. Although the TOS bits are seldom used in modern networks, the Precedence bits have found new life in QoS applications. The TOS bits are used to influence the path a router selects for a packet, whereas the Precedence bits are used to prioritize packets within a router. | ||
Line 538: | Line 446: | ||
The TOS bits are set by using the set ip tos statement. Like the Precedence statement, the argument of the statement might be a number or a keyword, as shown in Table 14-6. Unlike Precedence, you might use a combination of TOS values. For example, specifying a TOS value of 12 (1100b) means minimum delay and maximum throughput. Only a single keyword can be used, so to set a combination of TOS values, a number must be specified. | The TOS bits are set by using the set ip tos statement. Like the Precedence statement, the argument of the statement might be a number or a keyword, as shown in Table 14-6. Unlike Precedence, you might use a combination of TOS values. For example, specifying a TOS value of 12 (1100b) means minimum delay and maximum throughput. Only a single keyword can be used, so to set a combination of TOS values, a number must be specified. | ||
+ | |||
Table 14-6. TOS values and keywords used with the set ip tos command. | Table 14-6. TOS values and keywords used with the set ip tos command. | ||
Line 596: | Line 505: | ||
Example 14-19. Pogo's configuration sets Precedence and TOS bits. | Example 14-19. Pogo's configuration sets Precedence and TOS bits. | ||
− | + | interface Serial0 | |
− | + | ip address 10.1.18.67 255.255.255.252 | |
− | + | ip policy route-map Albert | |
− | + | ! | |
− | + | interface Serial1 | |
− | + | ip address 10.34.16.83 255.255.255.252 | |
− | + | ip policy route-map Albert | |
− | + | ! | |
− | + | access-list 1 permit 172.16.0.0 0.0.255.255 | |
− | + | access-list 110 permit tcp any eq www any | |
− | + | ! | |
− | + | route-map Albert permit 10 | |
− | + | match ip address 1 110 | |
− | + | set ip precedence critical | |
− | + | ! | |
− | + | route-map Albert permit 20 | |
− | + | set ip tos 10 | |
− | + | set ip precedence priority | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Statement 10 says that if packets match both access lists 1 and 110, the Precedence will be set to critical. Notice that statement 20 has no match statement. This statement will match any packets that haven't been matched by statement 10. There are also two set statements under statement 20. These statements will set the TOS bits to minimum delay and maximum reliability and will set the Precedence bits to priority. Figure 14-7 shows a capture of a packet from somewhere inside OkefenokeeNet, which has been modified by the route map at Pogo. | Statement 10 says that if packets match both access lists 1 and 110, the Precedence will be set to critical. Notice that statement 20 has no match statement. This statement will match any packets that haven't been matched by statement 10. There are also two set statements under statement 20. These statements will set the TOS bits to minimum delay and maximum reliability and will set the Precedence bits to priority. Figure 14-7 shows a capture of a packet from somewhere inside OkefenokeeNet, which has been modified by the route map at Pogo. | ||
Line 638: | Line 530: | ||
After the Precedence or TOS bits have been set in packets entering the network, the routers within the Internet can make QoS decisions based in part or wholly on the class of service these bits define. For example, priority, custom, or weighted fair queuing might be configured to prioritize traffic according to the Precedence or TOS bits. In some implementations, Precedence can be used with congestion avoidance mechanisms such as Weighted Random Early Detection (WRED). Or a crude Class-of-Service routing can be implemented by configuring access lists that permit or deny packets across certain links based on the setting of their Precedence or TOS bits. | After the Precedence or TOS bits have been set in packets entering the network, the routers within the Internet can make QoS decisions based in part or wholly on the class of service these bits define. For example, priority, custom, or weighted fair queuing might be configured to prioritize traffic according to the Precedence or TOS bits. In some implementations, Precedence can be used with congestion avoidance mechanisms such as Weighted Random Early Detection (WRED). Or a crude Class-of-Service routing can be implemented by configuring access lists that permit or deny packets across certain links based on the setting of their Precedence or TOS bits. | ||
− | Case Study: Route Maps and Redistribution | + | |
+ | ==Case Study: Route Maps and Redistribution== | ||
A route map can be used with redistribution for both IPv4 and IPv6 by adding a call to the route map in the redistribute command. Figure 14-8 shows a network in which IPv4 IS-IS and OSPF routes are being mutually redistributed at router Zippy. Of the network and subnet addresses listed in the illustration, only the ones whose third octet is odd-numbered are to be redistributed. | A route map can be used with redistribution for both IPv4 and IPv6 by adding a call to the route map in the redistribute command. Figure 14-8 shows a network in which IPv4 IS-IS and OSPF routes are being mutually redistributed at router Zippy. Of the network and subnet addresses listed in the illustration, only the ones whose third octet is odd-numbered are to be redistributed. | ||
Line 648: | Line 541: | ||
Example 14-20. Zippy is configured to redistribute only addresses with an odd numbered third octet. | Example 14-20. Zippy is configured to redistribute only addresses with an odd numbered third octet. | ||
− | + | router ospf 1 | |
− | + | redistribute isis level-1 metric 20 subnets route-map Griffy | |
− | + | network 172.16.10.2 0.0.0.0 area 5 | |
− | + | ! | |
− | + | router isis | |
− | + | redistribute ospf 1 metric 25 route-map Toad metric-type internal level-2 | |
− | + | net 47.0001.1234.5678.9056.00 | |
− | + | ! | |
− | + | access-list 1 permit 192.168.2.0 | |
− | + | access-list 1 permit 192.168.4.0 | |
− | + | access-list 1 permit 192.168.6.0 | |
− | + | access-list 2 permit 172.16.1.0 | |
− | + | access-list 2 permit 172.16.3.0 | |
− | + | access-list 2 permit 172.16.5.0 | |
− | + | access-list 2 permit 172.16.7.0 | |
− | + | access-list 2 permit 172.16.9.0 | |
− | + | ! | |
− | + | route-map Griffy deny 10 | |
− | + | match ip address 1 | |
− | + | ! | |
− | + | route-map Griffy permit 20 | |
− | + | ! | |
− | + | route-map Toad permit 10 | |
− | + | match ip address 2 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Route maps Griffy and Toad perform the same functions, but with different logic. Griffy uses negative logic, identifying the routes that should not be redistributed, and Toad uses positive logic, identifying the routes that should be redistributed. | Route maps Griffy and Toad perform the same functions, but with different logic. Griffy uses negative logic, identifying the routes that should not be redistributed, and Toad uses positive logic, identifying the routes that should be redistributed. | ||
Statement 10 of Griffy denies any routes that are permitted by access list 1 (the addresses with an even third octet). Because the addresses with odd-numbered third octets do not find a match at statement 10, they are passed to statement 20. Statement 20 has no match statement, so the default is to match everything. Statement 20 has a permit action, so the odd routes are permitted. The result is shown in Example 14-21. | Statement 10 of Griffy denies any routes that are permitted by access list 1 (the addresses with an even third octet). Because the addresses with odd-numbered third octets do not find a match at statement 10, they are passed to statement 20. Statement 20 has no match statement, so the default is to match everything. Statement 20 has a permit action, so the odd routes are permitted. The result is shown in Example 14-21. | ||
+ | |||
Example 14-21. The only destinations within the IS-IS domain that are contained in Shelflife's route table are those with an odd-numbered third octet. | Example 14-21. The only destinations within the IS-IS domain that are contained in Shelflife's route table are those with an odd-numbered third octet. | ||
− | Shelflife#show ip route | + | Shelflife#show ip route |
− | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP | + | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP |
− | + | D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area | |
− | + | E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP | |
− | + | i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default | |
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
− | O E2 192.168.9.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 | + | O E2 192.168.9.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 |
− | O E2 192.168.1.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 | + | O E2 192.168.1.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 |
− | O E2 192.168.3.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 | + | O E2 192.168.3.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 |
− | O E2 192.168.5.0 [110/20] via 172.16.10.2, 00:24:47, Ethernet0 | + | O E2 192.168.5.0 [110/20] via 172.16.10.2, 00:24:47, Ethernet0 |
− | O E2 192.168.7.0 [110/20] via 172.16.10.2, 00:24:47, Ethernet0 | + | O E2 192.168.7.0 [110/20] via 172.16.10.2, 00:24:47, Ethernet0 |
− | + | 172.16.0.0 255.255.255.0 is subnetted, 9 subnets | |
− | C 172.16.9.0 is directly connected, Serial0 | + | C 172.16.9.0 is directly connected, Serial0 |
− | C 172.16.10.0 is directly connected, Ethernet0 | + | C 172.16.10.0 is directly connected, Ethernet0 |
− | O 172.16.4.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.4.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | O 172.16.5.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.5.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | O 172.16.6.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.6.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | O 172.16.7.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.7.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | O 172.16.1.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.1.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | O 172.16.2.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.2.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | O 172.16.3.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 | + | O 172.16.3.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 |
− | Shelflife# | + | Shelflife# |
Route map Toad has a single statement that permits routes that have been permitted by access list 2 (addresses with an odd third octet). The addresses with an even third octet do not find a match at access list 2. The default route map statement when redistributing is to deny all routes, so the addresses that are not matched by access list 2 are not redistributed. Example 14-22 shows the results of route map Toad. | Route map Toad has a single statement that permits routes that have been permitted by access list 2 (addresses with an odd third octet). The addresses with an even third octet do not find a match at access list 2. The default route map statement when redistributing is to deny all routes, so the addresses that are not matched by access list 2 are not redistributed. Example 14-22 shows the results of route map Toad. | ||
+ | |||
Example 14-22. The only destinations within the OSPF domain that are contained in Zerbina's route table are those with an odd-numbered third octet. | Example 14-22. The only destinations within the OSPF domain that are contained in Zerbina's route table are those with an odd-numbered third octet. | ||
− | Zerbina#show ip route | + | Zerbina#show ip route |
− | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP | + | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP |
− | + | D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area | |
− | + | N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 | |
− | + | E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP | |
− | + | i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default | |
− | + | U - per-user static route, o - ODR | |
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
− | C 192.168.9.0/24 is directly connected, Serial0 | + | C 192.168.9.0/24 is directly connected, Serial0 |
− | C 192.168.10.0/24 is directly connected, Ethernet0 | + | C 192.168.10.0/24 is directly connected, Ethernet0 |
− | i L1 192.168.1.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.1.0/24 [115/15] via 192.168.9.2, Serial0 |
− | i L1 192.168.2.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.2.0/24 [115/15] via 192.168.9.2, Serial0 |
− | i L1 192.168.3.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.3.0/24 [115/15] via 192.168.9.2, Serial0 |
− | i L1 192.168.4.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.4.0/24 [115/15] via 192.168.9.2, Serial0 |
− | i L1 192.168.5.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.5.0/24 [115/15] via 192.168.9.2, Serial0 |
− | i L1 192.168.6.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.6.0/24 [115/15] via 192.168.9.2, Serial0 |
− | i L1 192.168.7.0/24 [115/15] via 192.168.9.2, Serial0 | + | i L1 192.168.7.0/24 [115/15] via 192.168.9.2, Serial0 |
− | + | 172.16.0.0/24 is subnetted, 5 subnets | |
− | i L2 172.16.9.0 [115/35] via 192.168.10.2, Ethernet0 | + | i L2 172.16.9.0 [115/35] via 192.168.10.2, Ethernet0 |
− | i L2 172.16.5.0 [115/35] via 192.168.10.2, Ethernet0 | + | i L2 172.16.5.0 [115/35] via 192.168.10.2, Ethernet0 |
− | i L2 172.16.7.0 [115/35] via 192.168.10.2, Ethernet0 | + | i L2 172.16.7.0 [115/35] via 192.168.10.2, Ethernet0 |
− | i L2 172.16.1.0 [115/35] via 192.168.10.2, Ethernet0 | + | i L2 172.16.1.0 [115/35] via 192.168.10.2, Ethernet0 |
− | i L2 172.16.3.0 [115/35] via 192.168.10.2, Ethernet0 | + | i L2 172.16.3.0 [115/35] via 192.168.10.2, Ethernet0 |
− | Zerbina# | + | Zerbina# |
Other configurations will achieve the same ends. For instance, route map Toad will have the same effect with the access list in Example 14-23. | Other configurations will achieve the same ends. For instance, route map Toad will have the same effect with the access list in Example 14-23. | ||
+ | |||
Example 14-23. An alternate configuration for route-map Toad on Zippy. | Example 14-23. An alternate configuration for route-map Toad on Zippy. | ||
− | + | access-list 2 deny 172.16.2.0 | |
− | + | access-list 2 deny 172.16.4.0 | |
− | + | access-list 2 deny 172.16.6.0 | |
− | + | access-list 2 permit any | |
− | |||
− | |||
− | |||
Although route maps work fine as simple route filters, their strength lies in their ability to change the routes in various ways. Consider the configuration in Example 14-24 of Zippy in Figure 14-8. | Although route maps work fine as simple route filters, their strength lies in their ability to change the routes in various ways. Consider the configuration in Example 14-24 of Zippy in Figure 14-8. | ||
Example 14-24. Zippy's route-map configuration sets the metric type, metric and level of certain redistributed routes. | Example 14-24. Zippy's route-map configuration sets the metric type, metric and level of certain redistributed routes. | ||
− | + | router ospf 1 | |
− | + | redistribute isis level-1 metric 20 subnets route-map Griffy | |
− | + | network 172.16.10.2 0.0.0.0 area 5 | |
− | + | ! | |
− | + | router isis | |
− | + | redistribute ospf 1 metric 25 route-map Toad metric-type internal level-2 | |
− | + | net 47.0001.1234.5678.9056.00 | |
− | + | ! | |
− | + | ip classless | |
− | + | access-list 1 permit 192.168.2.0 | |
− | + | access-list 1 permit 192.168.4.0 | |
− | + | access-list 1 permit 192.168.6.0 | |
− | + | access-list 2 permit 172.16.9.0 | |
− | + | access-list 2 permit 172.16.5.0 | |
− | + | access-list 2 permit 172.16.7.0 | |
− | + | access-list 2 permit 172.16.1.0 | |
− | + | access-list 2 permit 172.16.3.0 | |
− | + | ! | |
− | + | route-map Griffy permit 10 | |
− | + | match ip address 1 | |
− | + | set metric-type type-1 | |
− | + | ! | |
− | + | route-map Griffy permit 20 | |
− | + | ! | |
− | + | route-map Toad permit 10 | |
− | + | match ip address 2 | |
− | + | set metric 15 | |
− | + | set level level-1 | |
− | + | ! | |
− | + | route-map Toad permit 20 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Statement 10 of route map Griffy permits routes to the addresses in access list 1 and redistributes them into OSPF as type 1 external routes. Statement 20 permits all other routes, which will be redistributed with the default external type 2. Example 14-25 shows the results. | Statement 10 of route map Griffy permits routes to the addresses in access list 1 and redistributes them into OSPF as type 1 external routes. Statement 20 permits all other routes, which will be redistributed with the default external type 2. Example 14-25 shows the results. | ||
Example 14-25. The routes to destinations in the IS-IS domain are E1 if the third octet of the address is even and E2 if the third octet is odd. | Example 14-25. The routes to destinations in the IS-IS domain are E1 if the third octet of the address is even and E2 if the third octet is odd. | ||
− | Shelflife#show ip route | + | Shelflife#show ip route |
− | Codes:C -connected,S -static,I -IGRP,R -RIP,M -mobile,B -BGP | + | Codes:C -connected,S -static,I -IGRP,R -RIP,M -mobile,B -BGP |
− | + | D -EIGRP,EX -EIGRP external,O -OSPF,IA -OSPF inter area | |
− | + | E1 -OSPF external type 1,E2 -OSPF external type 2,E -EGP | |
− | + | i -IS-IS,L1 -IS-IS level-1,L2 -IS-IS level-2,*-candidate default | |
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
− | O E2 192.168.9.0 [110/20 ] via 172.16.10.2,,00:13:43,Ethernet0 | + | O E2 192.168.9.0 [110/20 ] via 172.16.10.2,,00:13:43,Ethernet0 |
− | O E2 192.168.1.0 [110/20 ] via 172.16.10.2,,00:13:43,Ethernet0 | + | O E2 192.168.1.0 [110/20 ] via 172.16.10.2,,00:13:43,Ethernet0 |
− | O E1 192.168.2.0 [110/30 ] via 172.16.10.2,,00:13:43,Ethernet0 | + | O E1 192.168.2.0 [110/30 ] via 172.16.10.2,,00:13:43,Ethernet0 |
− | O E2 192.168.3.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 | + | O E2 192.168.3.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 |
− | O E1 192.168.4.0 [110/30 ] via 172.16.10.2,,00:13:44,Ethernet0 | + | O E1 192.168.4.0 [110/30 ] via 172.16.10.2,,00:13:44,Ethernet0 |
− | O E2 192.168.5.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 | + | O E2 192.168.5.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 |
− | O E1 192.168.6.0 [110/30 ] via 172.16.10.2,,00:13:44,Ethernet0 | + | O E1 192.168.6.0 [110/30 ] via 172.16.10.2,,00:13:44,Ethernet0 |
− | O E2 192.168.7.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 | + | O E2 192.168.7.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 |
− | + | 172.16.0.0 255.255.255.0 is subnetted,9 subnets | |
− | C 172.16.9.0 is directly connected,Serial0 | + | C 172.16.9.0 is directly connected,Serial0 |
− | C 172.16.10.0 is directly connected,Ethernet0 | + | C 172.16.10.0 is directly connected,Ethernet0 |
− | O 172.16.4.0 [110/159 ] via 172.16.9.2,,15:49:29,Serial0 | + | O 172.16.4.0 [110/159 ] via 172.16.9.2,,15:49:29,Serial0 |
− | O 172.16.5.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 | + | O 172.16.5.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 |
− | O 172.16.6.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 | + | O 172.16.6.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 |
− | O 172.16.7.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 | + | O 172.16.7.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 |
− | O 172.16.1.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 | + | O 172.16.1.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 |
− | O 172.16.2.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 | + | O 172.16.2.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 |
− | O 172.16.3.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 | + | O 172.16.3.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 |
− | Shelflife# | + | Shelflife# |
Statement 10 of route map Toad permits routes to addresses in access list 2 and redistributes them into IS-IS as level 1 routes. Their metric is set to 15. Statement 20 permits all other routes, which will be redistributed as level 2 and with a metric of 25, as specified by the redistribute command under the IS-IS configuration (see Example 14-26). | Statement 10 of route map Toad permits routes to addresses in access list 2 and redistributes them into IS-IS as level 1 routes. Their metric is set to 15. Statement 20 permits all other routes, which will be redistributed as level 2 and with a metric of 25, as specified by the redistribute command under the IS-IS configuration (see Example 14-26). | ||
Example 14-26. The routes to destinations in the OSPF domain are L2 if the third octet of the address is even and L1 if the third octet is odd. The "odds" are redistributed with a metric of 15, and the "evens" are redistributed with a metric of 25 (10 is added for the hop from Zippy to Zerbina). | Example 14-26. The routes to destinations in the OSPF domain are L2 if the third octet of the address is even and L1 if the third octet is odd. The "odds" are redistributed with a metric of 15, and the "evens" are redistributed with a metric of 25 (10 is added for the hop from Zippy to Zerbina). | ||
− | Zerbina#show ip route | + | Zerbina#show ip route |
− | Codes:C -connected,S -static,I -IGRP,R -RIP,M -mobile,B -BGP | + | Codes:C -connected,S -static,I -IGRP,R -RIP,M -mobile,B -BGP |
− | + | D -EIGRP,EX -EIGRP external,O -OSPF,IA -OSPF inter area | |
− | + | N1 -OSPF NSSA external type 1,N2 -OSPF NSSA external type 2 | |
− | + | E1 -OSPF external type 1,E2 -OSPF external type 2,E -EGP | |
− | + | i -IS-IS,L1 -IS-IS level-1,L2 -IS-IS level-2,*-candidate default | |
− | + | U -per-user static route,o -ODR | |
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
− | C 192.168.9.0/24 is directly connected,Serial0 | + | C 192.168.9.0/24 is directly connected,Serial0 |
− | C 192.168.10.0/24 is directly connected,Ethernet0 | + | C 192.168.10.0/24 is directly connected,Ethernet0 |
− | i L1 192.168.1.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.1.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | i L1 192.168.2.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.2.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | i L1 192.168.3.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.3.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | i L1 192.168.4.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.4.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | i L1 192.168.5.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.5.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | i L1 192.168.6.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.6.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | i L1 192.168.7.0/24 [115/15 ] via 192.168.9.2,,Serial0 | + | i L1 192.168.7.0/24 [115/15 ] via 192.168.9.2,,Serial0 |
− | + | 172.16.0.0/24 is subnetted,8 subnets | |
− | i L1 172.16.9.0 [115/25 ] via 192.168.10.2,,Ethernet0 | + | i L1 172.16.9.0 [115/25 ] via 192.168.10.2,,Ethernet0 |
− | i L2 172.16.4.0 [115/35 ] via 192.168.10.2,,Ethernet0 | + | i L2 172.16.4.0 [115/35 ] via 192.168.10.2,,Ethernet0 |
− | i L1 172.16.5.0 [115/25 ] via 192.168.10.2,,Ethernet0 | + | i L1 172.16.5.0 [115/25 ] via 192.168.10.2,,Ethernet0 |
− | i L2 172.16.6.0 [115/35 ] via 192.168.10.2,,Ethernet0 | + | i L2 172.16.6.0 [115/35 ] via 192.168.10.2,,Ethernet0 |
− | i L1 172.16.7.0 [115/25 ] via 192.168.10.2,,Ethernet0 | + | i L1 172.16.7.0 [115/25 ] via 192.168.10.2,,Ethernet0 |
− | i L1 172.16.1.0 [115/25 ] via 192.168.10.2,,Ethernet0 | + | i L1 172.16.1.0 [115/25 ] via 192.168.10.2,,Ethernet0 |
− | i L2 172.16.2.0 [115/35 ] via 192.168.10.2,,Ethernet0 | + | i L2 172.16.2.0 [115/35 ] via 192.168.10.2,,Ethernet0 |
− | i L1 172.16.3.0 [115/25 ] via 192.168.10.2,,Ethernet0 | + | i L1 172.16.3.0 [115/25 ] via 192.168.10.2,,Ethernet0 |
− | Zerbina# | + | Zerbina# |
− | Case Study: Route Tagging | + | ==Case Study: Route Tagging== |
Figure 14-9 shows a situation in which routes from several routing domains, each running a separate routing protocol, are being redistributed into a single transit domain running OSPF. On the other side of the OSPF cloud, the routes must be redistributed back into their respective domains. Route filters can be used at the egress points from the OSPF cloud into each domain to permit only the routes that belong to that domain. However, if each domain has many routes or if the routes within the domain change frequently, the route filters can become difficult to manage. | Figure 14-9 shows a situation in which routes from several routing domains, each running a separate routing protocol, are being redistributed into a single transit domain running OSPF. On the other side of the OSPF cloud, the routes must be redistributed back into their respective domains. Route filters can be used at the egress points from the OSPF cloud into each domain to permit only the routes that belong to that domain. However, if each domain has many routes or if the routes within the domain change frequently, the route filters can become difficult to manage. | ||
Line 905: | Line 746: | ||
Example 14-27. Dagwood is configured to tag routes as they are redistributed into OSPF from RIP and EIGRP. | Example 14-27. Dagwood is configured to tag routes as they are redistributed into OSPF from RIP and EIGRP. | ||
− | + | router ospf 1 | |
− | + | redistribute eigrp 1 metric 10 subnets tag 1 | |
− | + | redistribute rip metric 10 subnets route-map Dithers | |
− | + | network 10.100.200.1 0.0.0.0 area 0 | |
− | + | ! | |
− | + | router rip | |
− | + | network 10.0.0.0 | |
− | + | ! | |
− | + | router eigrp 1 | |
− | + | network 10.0.0.0 | |
− | + | ! | |
− | + | access-list 1 permit 10.1.2.3 | |
− | + | access-list 2 permit 10.1.2.4 | |
− | + | ! | |
− | + | route-map Dithers permit 10 | |
− | + | match ip route-source 1 | |
− | + | set tag 2 | |
− | + | ! | |
− | + | route-map Dithers permit 20 | |
− | + | match ip route-source 2 | |
− | + | set tag 3 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
First, notice the redistribute eigrp command under OSPF. Dagwood is accepting routes from only one EIGRP domain, so the tag can be set to 1 directly on the redistribute command. However, routes are being learned from two RIP domains. Here a route map is needed. Route map Dithers sets the tag of the RIP routes to either 2 or 3, depending on whether the route was learned from Funky (10.1.2.3) or Beetle (10.1.2.4). Figure 14-11 shows an LSA advertising one of the RIP-learned routes, with the route tag set to 2. | First, notice the redistribute eigrp command under OSPF. Dagwood is accepting routes from only one EIGRP domain, so the tag can be set to 1 directly on the redistribute command. However, routes are being learned from two RIP domains. Here a route map is needed. Route map Dithers sets the tag of the RIP routes to either 2 or 3, depending on whether the route was learned from Funky (10.1.2.3) or Beetle (10.1.2.4). Figure 14-11 shows an LSA advertising one of the RIP-learned routes, with the route tag set to 2. | ||
Line 955: | Line 776: | ||
Example 14-28. The OSPF link state database indicates the tags that were set for each of the external routes by Dagwood's redistribution processes. | Example 14-28. The OSPF link state database indicates the tags that were set for each of the external routes by Dagwood's redistribution processes. | ||
− | Blondie#show ip ospf database | + | Blondie#show ip ospf database |
− | + | OSPF Router with ID (10.100.200.2)(Process ID 1) | |
− | + | Router Link States (Area 0) | |
− | Link ID ADV Router Age Seq# Checksum Link count | + | Link ID ADV Router Age Seq# Checksum Link count |
− | 10.100.200.3 10.100.200.3 671 0x80000003 0x00A137 4 | + | 10.100.200.3 10.100.200.3 671 0x80000003 0x00A137 4 |
− | 10.100.200.2 10.100.200.2 39 0x80000002 0x6FF5 3 | + | 10.100.200.2 10.100.200.2 39 0x80000002 0x6FF5 3 |
− | 10.100.200.1 10.100.200.1 40 0x80000033 0x33E1 3 | + | 10.100.200.1 10.100.200.1 40 0x80000033 0x33E1 3 |
− | + | Net Link States (Area 0) | |
− | Link ID ADV Router Age Seq# Checksum | + | Link ID ADV Router Age Seq# Checksum |
− | 10.100.200.1 10.100.200.1 40 0x80000001 0xB0A7 | + | 10.100.200.1 10.100.200.1 40 0x80000001 0xB0A7 |
− | + | AS External Link States | |
− | Link ID ADV Router Age Seq# Checksum Tag | + | Link ID ADV Router Age Seq# Checksum Tag |
− | 192.168.2.0 10.100.200.1 641 0x80000028 0x904D 2 | + | 192.168.2.0 10.100.200.1 641 0x80000028 0x904D 2 |
− | 10.17.77.0 10.100.200.1 642 0x80000028 0xC817 3 | + | 10.17.77.0 10.100.200.1 642 0x80000028 0xC817 3 |
− | 192.168.3.0 10.100.200.1 642 0x80000028 0x9744 3 | + | 192.168.3.0 10.100.200.1 642 0x80000028 0x9744 3 |
− | 10.15.75.0 10.100.200.1 642 0x80000028 0xD213 1 | + | 10.15.75.0 10.100.200.1 642 0x80000028 0xD213 1 |
− | 10.1.2.0 10.100.200.1 642 0x80000028 0xA19B 1 | + | 10.1.2.0 10.100.200.1 642 0x80000028 0xA19B 1 |
− | 10.16.76.0 10.100.200.1 642 0x80000028 0xCD15 2 | + | 10.16.76.0 10.100.200.1 642 0x80000028 0xCD15 2 |
− | 192.168.1.0 10.100.200.1 644 0x80000028 0x8956 1 | + | 192.168.1.0 10.100.200.1 644 0x80000028 0x8956 1 |
− | 10.100.200.0 10.100.200.1 644 0x80000028 0x6EA4 1 | + | 10.100.200.0 10.100.200.1 644 0x80000028 0x6EA4 1 |
− | Blondie# | + | Blondie# |
In Figure 14-12, Blondie must redistribute only domain 2 routes to Alley and only domain 1 routes to Oop. Because the routes were tagged as they entered the OSPF transit domain, this is easily done. Blondie's configuration is shown in Example 14-29. | In Figure 14-12, Blondie must redistribute only domain 2 routes to Alley and only domain 1 routes to Oop. Because the routes were tagged as they entered the OSPF transit domain, this is easily done. Blondie's configuration is shown in Example 14-29. | ||
Line 983: | Line 804: | ||
Example 14-29. Blondie is configured to use route maps to redistribute routes with tag 1 to EIGRP and tag 2 to RIP. | Example 14-29. Blondie is configured to use route maps to redistribute routes with tag 1 to EIGRP and tag 2 to RIP. | ||
− | + | router ospf 1 | |
− | + | network 10.100.200.2 0.0.0.0 area 0 | |
− | + | ! | |
− | + | router rip | |
− | + | redistribute ospf 1 match external 2 route-map Daisy | |
− | + | passive-interface Ethernet0 | |
− | + | passive-interface Serial1 | |
− | + | network 10.0.0.0 | |
− | + | default-metric 5 | |
− | + | ! | |
− | + | router eigrp 1 | |
− | + | redistribute ospf 1 match external 2 route-map Herb | |
− | + | passive-interface Ethernet0 | |
− | + | passive-interface Serial0 | |
− | + | network 10.0.0.0 | |
− | + | default-metric 10000 1000 255 1 1500 | |
− | + | ! | |
− | + | route-map Daisy permit 10 | |
− | + | match tag 2 | |
− | + | ! | |
− | + | route-map Herb permit 10 | |
− | + | match tag 1 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Example 14-30 shows the resulting routes at Alley and Oop. One drawback to the use of route tags to filter routes is that there is no way to filter routes by interface. For example, if Blondie had to send routes to both domain 2 and domain 3, which both run RIP, route maps could not be configured to send some routes to one RIP process and other routes to another RIP process. The routes would have to be filtered by address with distribute-list commands. | Example 14-30 shows the resulting routes at Alley and Oop. One drawback to the use of route tags to filter routes is that there is no way to filter routes by interface. For example, if Blondie had to send routes to both domain 2 and domain 3, which both run RIP, route maps could not be configured to send some routes to one RIP process and other routes to another RIP process. The routes would have to be filtered by address with distribute-list commands. | ||
Example 14-30. The route tables of Alley and Oop in Figure 14-12 show the results of the redistribution configuration at Blondie. | Example 14-30. The route tables of Alley and Oop in Figure 14-12 show the results of the redistribution configuration at Blondie. | ||
− | Alley#show ip route | + | Alley#show ip route |
− | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP | + | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP |
− | + | D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area | |
− | + | N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 | |
− | + | E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP | |
− | + | i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area | |
− | + | * - candidate default, U - per-user static route, o - ODR | |
− | + | P - periodic downloaded static route | |
− | + | ||
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks | 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks | ||
− | C 10.1.3.0/24 is directly connected, Serial0 | + | C 10.1.3.0/24 is directly connected, Serial0 |
− | R 10.1.5.4/30 [120/1] via 10.1.3.1, 00:00:25, Serial0 | + | R 10.1.5.4/30 [120/1] via 10.1.3.1, 00:00:25, Serial0 |
− | R 10.1.4.0/24 [120/1] via 10.1.3.1, 00:00:25, Serial0 | + | R 10.1.4.0/24 [120/1] via 10.1.3.1, 00:00:25, Serial0 |
− | R 10.16.76.0/24 [120/5] via 10.1.3.1, 00:00:25, Serial0 | + | R 10.16.76.0/24 [120/5] via 10.1.3.1, 00:00:25, Serial0 |
− | R 10.100.200.2/32 [120/1] via 10.1.3.1, 00:00:25, Serial0 | + | R 10.100.200.2/32 [120/1] via 10.1.3.1, 00:00:25, Serial0 |
− | R 192.168.2.0/24 [120/5] via 10.1.3.1, 00:00:25, Serial0 | + | R 192.168.2.0/24 [120/5] via 10.1.3.1, 00:00:25, Serial0 |
− | Alley# | + | Alley# |
______________________________________________________________________________________ | ______________________________________________________________________________________ | ||
− | Oop#show ip route | + | Oop#show ip route |
− | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP | + | Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP |
− | + | D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area | |
− | + | N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 | |
− | + | E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP | |
− | + | i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area | |
− | + | * - candidate default, U - per-user static route, o - ODR | |
− | + | P - periodic downloaded static route | |
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
− | + | 10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks | |
− | D 10.1.3.0/24 [90/2681856] via 10.1.4.1, 00:21:36, Serial0 | + | D 10.1.3.0/24 [90/2681856] via 10.1.4.1, 00:21:36, Serial0 |
− | D EX 10.1.2.0/24 [170/2425856] via 10.1.4.1, 00:08:22, Serial0 | + | D EX 10.1.2.0/24 [170/2425856] via 10.1.4.1, 00:08:22, Serial0 |
− | D 10.1.5.4/30 [90/2681856] via 10.1.4.1, 00:22:40, Serial0 | + | D 10.1.5.4/30 [90/2681856] via 10.1.4.1, 00:22:40, Serial0 |
− | C 10.1.4.0/24 is directly connected, Serial0 | + | C 10.1.4.0/24 is directly connected, Serial0 |
− | D EX 10.15.75.0/24 [170/2425856] via 10.1.4.1, 00:04:56, Serial0 | + | D EX 10.15.75.0/24 [170/2425856] via 10.1.4.1, 00:04:56, Serial0 |
− | D 10.100.200.2/32 [90/2297856] via 10.1.4.1, 00:22:40, Serial0 | + | D 10.100.200.2/32 [90/2297856] via 10.1.4.1, 00:22:40, Serial0 |
− | D EX 192.168.1.0/24 [170/2425856] via 10.1.4.1, 00:04:56, Serial0 | + | D EX 192.168.1.0/24 [170/2425856] via 10.1.4.1, 00:04:56, Serial0 |
− | Oop# | + | Oop# |
Case Study: Filtering Tagged Routes Out of OSPF Route Table | Case Study: Filtering Tagged Routes Out of OSPF Route Table | ||
Line 1,078: | Line 878: | ||
Example 14-31. Sally's configuration uses tags to filter routes from the OSPF route table. | Example 14-31. Sally's configuration uses tags to filter routes from the OSPF route table. | ||
− | + | router ospf 1 | |
− | + | network 10.100.200.1 0.0.0.0 area 0 | |
− | + | network 10.1.5.0 0.0.0.255 area 0 | |
− | + | distribute-list route-map Charlie in | |
− | + | ! | |
− | + | route-map Charlie deny 10 | |
− | + | match tag 1 2 3 | |
− | + | ! | |
− | + | route-map Charlie permit 20 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
The route map Charlie denies addresses that are marked with tags 1, 2 or 3. These addresses are omitted from the IP route table by the distribute-list in command. Any other address is added to the route table, permitted by the route map sequence 20. The distribute list is not applied to Blondie and Dagwood, the edge routers that are performing redistribution. If an address is not in the route table, even if it is in the OSPF LSA database, it will not be redistributed into another routing protocol. Example 14-32 shows Sally's IP route table and OSPF LSA database. | The route map Charlie denies addresses that are marked with tags 1, 2 or 3. These addresses are omitted from the IP route table by the distribute-list in command. Any other address is added to the route table, permitted by the route map sequence 20. The distribute list is not applied to Blondie and Dagwood, the edge routers that are performing redistribution. If an address is not in the route table, even if it is in the OSPF LSA database, it will not be redistributed into another routing protocol. Example 14-32 shows Sally's IP route table and OSPF LSA database. | ||
Example 14-32. The OSPF addresses marked with tags are filtered out of the IP route table. The addresses still exist in the OSPF LSA database. | Example 14-32. The OSPF addresses marked with tags are filtered out of the IP route table. The addresses still exist in the OSPF LSA database. | ||
− | Sally#show ip route | + | Sally#show ip route |
− | Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP | + | Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP |
− | + | D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area | |
− | + | N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 | |
− | + | E1 - OSPF external type 1, E2 - OSPF external type 2 | |
− | + | i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 | |
− | + | ia - IS-IS inter area, * - candidate default, U - per-user static route | |
− | + | o - ODR, P - periodic downloaded static route | |
− | + | ||
− | Gateway of last resort is not set | + | Gateway of last resort is not set |
− | + | ||
− | + | 10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks | |
− | C 10.1.5.4/30 is directly connected, Serial0/0.2 | + | C 10.1.5.4/30 is directly connected, Serial0/0.2 |
− | C 10.1.5.0/30 is directly connected, Serial0/0.1 | + | C 10.1.5.0/30 is directly connected, Serial0/0.1 |
− | O 10.100.200.2/32 [110/65] via 10.1.5.6, 00:17:24, Serial0/0.2 | + | O 10.100.200.2/32 [110/65] via 10.1.5.6, 00:17:24, Serial0/0.2 |
− | C 10.100.200.3/32 is directly connected, Loopback0 | + | C 10.100.200.3/32 is directly connected, Loopback0 |
− | O 10.100.200.1/32 [110/65] via 10.1.5.1, 00:17:24, Serial0/0.1 | + | O 10.100.200.1/32 [110/65] via 10.1.5.1, 00:17:24, Serial0/0.1 |
________________________________________________________________________________________ | ________________________________________________________________________________________ | ||
− | Sally#show ip ospf database | + | Sally#show ip ospf database |
+ | |||
+ | OSPF Router with ID (10.100.200.3) (Process ID 1) | ||
− | + | Router Link States (Area 0) | |
+ | |||
+ | Link ID ADV Router Age Seq# Checksum Link count | ||
+ | 10.100.200.1 10.100.200.1 1183 0x80000004 0x003756 3 | ||
+ | 10.100.200.2 10.100.200.2 1181 0x80000004 0x00E1A1 3 | ||
+ | 10.100.200.3 10.100.200.3 1177 0x8000000A 0x00933E 4 | ||
+ | |||
+ | Type-5 AS External Link States | ||
+ | |||
+ | Link ID ADV Router Age Seq# Checksum Tag | ||
+ | 10.1.2.0 10.100.200.1 94 0x80000003 0x00EB76 1 | ||
+ | 10.15.75.0 10.100.200.1 603 0x80000002 0x001FEC 1 | ||
+ | 10.16.76.0 10.100.200.1 346 0x80000002 0x001AEE 2 | ||
+ | 10.16.77.0 10.100.200.1 353 0x80000002 0x001FEE 2 | ||
+ | 192.168.1.0 10.100.200.1 603 0x80000002 0x00D530 1 | ||
+ | 192.168.2.0 10.100.200.1 346 0x80000002 0x00DC27 2 | ||
+ | 192.168.3.0 10.100.200.1 353 0x80000002 0x00E427 2 | ||
+ | Sally# | ||
− | + | None of the tagged routes, tag 1, 2, or 3, exist in Sally's IP route table. | |
− | + | ==Case Study: IPv6 Redistribution with Route Maps== | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | Case Study: IPv6 Redistribution with Route Maps | ||
IPv6 routing protocols also support redistribution of routes using route maps. The configuration is almost identical to IPv4. | IPv6 routing protocols also support redistribution of routes using route maps. The configuration is almost identical to IPv4. | ||
Line 1,153: | Line 946: | ||
Example 14-33. Dagwood's IPv6 configuration. | Example 14-33. Dagwood's IPv6 configuration. | ||
− | + | Interface ethernet 0/0 | |
− | + | ipv6 address 2001:db8:0:2::1/64 | |
− | + | ipv6 rip domain3 enable | |
− | + | ! | |
− | + | interface serial 0/0.1 point-to-point | |
− | + | ipv6 address 2001:db8:0:5::1/64 | |
− | + | ipv6 router isis | |
− | + | ! | |
− | + | ipv6 router rip domain3 | |
− | + | ! | |
− | + | router isis | |
− | + | net 00.0001.0000.5678.ef01.00 | |
− | + | Address-family ipv6 | |
− | + | Redistribute rip domain3 route-map Beetlefilter | |
− | + | ! | |
− | + | route-map Beetlefilter permit 10 | |
− | + | match ipv6 route-source prefix-list 1 | |
− | + | match ipv6 address prefix-list 3 | |
− | + | set metric 10 | |
− | + | ! | |
− | + | route-map Beetlefilter permit 20 | |
− | + | match ipv6 route-source prefix-list 1 | |
− | + | match ipv6 address prefix-list 2 | |
− | + | set metric 100 | |
− | + | ! | |
− | + | ipv6 prefix-list 1 permit 2001:db8:0:2::4/128 | |
− | + | ipv6 prefix-list 2 permit 2001:db8:0:200::/64 | |
− | + | ipv6 prefix-list 3 permit 2001:db8:0:77::/64 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
IPv6 prefix-lists are used to match the source of route information or to match specific addresses for redistribution. Statement 10 of Beetlefilter specifies that the route source must equal Beetle's IPv6 address and the prefix must equal 2001:db8:0:77::/64 for the metric to be set to 10. If the route source or the prefix does not match, statement 20 is executed. If the source is Beetle and the prefix is 2001:db8:0:200::/64, the metric is set to 100. If the source is not Beetle, or the prefix is not one of the ones specified, the route is not redistributed. | IPv6 prefix-lists are used to match the source of route information or to match specific addresses for redistribution. Statement 10 of Beetlefilter specifies that the route source must equal Beetle's IPv6 address and the prefix must equal 2001:db8:0:77::/64 for the metric to be set to 10. If the route source or the prefix does not match, statement 20 is executed. If the source is Beetle and the prefix is 2001:db8:0:200::/64, the metric is set to 100. If the source is not Beetle, or the prefix is not one of the ones specified, the route is not redistributed. | ||
Line 1,216: | Line 982: | ||
Sally#show isis database detail Dagwood-00.00 | Sally#show isis database detail Dagwood-00.00 | ||
− | IS-IS Level-1 LSP Dagwood.00-00 | + | IS-IS Level-1 LSP Dagwood.00-00 |
− | LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL | + | LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL |
− | Dagwood.00-00 0x00000004 0xCA8B 938 0/0/0 | + | Dagwood.00-00 0x00000004 0xCA8B 938 0/0/0 |
− | + | Area Address: 00.0001 | |
− | + | NLPID: 0x8E | |
− | + | Hostname: Dagwood | |
− | + | IPv6 Address: 2001:DB8:0:5::1 | |
− | + | Metric: 10 IPv6 2001:DB8:0:5::/64 | |
− | + | Metric: 10 IS Sally.00 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | IS-IS Level-2 LSP Dagwood.00-00 | |
− | Sally# | + | LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL |
+ | Dagwood.00-00 0x00000008 0x28D7 1089 0/0/0 | ||
+ | Area Address: 00.0001 | ||
+ | NLPID: 0x8E | ||
+ | Hostname: Dagwood | ||
+ | IPv6 Address: 2001:DB8:0:5::1 | ||
+ | Metric: 10 IS Sally.00 | ||
+ | Metric: 10 IPv6 2001:DB8:0:5::/64 | ||
+ | Metric: 10 IPv6 2001:DB8:0:77::/64 | ||
+ | Metric: 100 IPv6 2001:DB8:0:200::/64 | ||
+ | Sally# | ||
Latest revision as of 10:23, 14 March 2019
Sumber: http://www.ciscopress.com/articles/article.asp?p=426637&seqNum=2
Configuring Route Maps
Like access lists (see Appendix B, "Tutorial: Access Lists"), route maps by themselves affect nothing; they must be "called" by some command. The command will most likely be either a policy routing command or a redistribution command. Policy routing will send packets to the route map, whereas redistribution will send routes to the route map. The case studies in this section demonstrate the use of route maps for both redistribution and policy routing.
Route maps are identified by a name. For example, the route map in Example 14-1 is named Hagar. Example 14-1. A route map named Hagar is defined in this configuration.
route-map Hagar permit 10 match ip address 110 set metric 100
Each route map statement has a "permit" or "deny" action and a sequence number. This route map shows a permit action and a sequence number of 10. These settings are the defaults—that is, if no action or sequence number is specified when the route map is configured, the route map will default to a permit and a sequence number of 10.
The sequence number allows the identification and editing of multiple statements. Consider the configuration steps in Example 14-2.
Example 14-2. Route map Hagar is modified in this configuration.
route-map Hagar 20 match ip address 111 set metric 50
route-map Hagar 15 match ip address 112 set metric 80
Here, a second and third set of route map statements, each with their own match and set statements, have been added to route map Hagar. Notice that a sequence number of 20 was configured first and then a sequence number of 15. In the final configuration, the IOS has placed statement 15 before 20 even though it was entered later, as shown in Example 14-3. [1]
Example 14-3. IOS places the commands in sequential order.
route-map Hagar permit 10 match ip address 110 set metric 100 ! route-map Hagar permit 15 match ip address 112 set metric 80 ! route-map Hagar permit 20 match ip address 111 set metric 50
The sequence numbers also allow for the elimination of individual statements. For example, the statement
Linus(config)#no route-map Hagar 15
deletes statement 15 and leaves the other statements intact, as shown in Example 14-4. Example 14-4. Route-map Hagar after the match/set statements associated with sequence 15 have been removed.
route-map Hagar permit 10 match ip address 110 set metric 100 ! route-map Hagar permit 20 match ip address 111 set metric 50
Be careful when editing route maps. In this example, if no route-map Hagar had been typed, without specifying a sequence number, the entire route map would have been deleted. Likewise, if no sequence numbers had been specified when the additional match and set statements were added, they would have simply changed statement 10. [2]
A packet or route is passed sequentially through route map statements. If a match is made, any set statements are executed and the permit or deny action is executed. As with access lists, processing stops when a match is made and the specified action is executed; the route or packet is not passed to subsequent statements. Consider the route map in Example 14-5.
Example 14-5. Route-map Sluggo.
route-map Sluggo permit 10 match ip route-source 1 set next-hop 192.168.1.5 ! route-map Sluggo permit 20 match ip route-source 2 set next-hop 192.168.1.10 ! route-map Sluggo permit 30 match ip route-source 3 set next-hop 192.168.1.15
If a route does not match statement 10, it will be passed to statement 20. If a match is made at statement 20, the set command will be executed and the route will be permitted. The matched route will not be passed on to statement 30.
The behavior of a "deny" action depends on whether the route map is being used for policy routing or for redistribution. If a route map is being used for redistribution and a route matches a statement with a deny action, the route will not be redistributed. If the route map is being used for policy routing and a packet matches a statement with a deny action, the packet is not policy routed but is passed back to the normal routing process for forwarding.
Again as with access lists, there must be a default action for the route map to take in the event that a route or packet passes through every statement without a match. An implicit deny exists at the end of every route map. Routes that pass through a redistribution route map without a match are not redistributed, and packets that pass through a policy route map without a match are sent to the normal routing process.
If no match statement is configured under a route map statement, the default action is to match everything.
Each map statement might have multiple match and set statements, as shown in Example 14-6. Example 14-6. Route map Garfield contains multiple match and set statements for the map statement with sequence number 10.
route-map Garfield permit 10 match ip route-source 15 match interface Serial0 set metric-type type-1 set next-hop 10.1.2.3
In a case such as this, every match statement must be matched for the set statements to be executed.
Case Study: Policy Routing
Policy routing is defined with the command ip policy route-map. The command is configured on an interface and affects incoming packets only.
Suppose a policy were to be implemented on Linus in Figure 14-3 such that traffic from subnet 172.16.6.0/24 would be forwarded to Lucy and traffic from subnet 172.16.7.0/24 would be forwarded to Pigpen. Linus's configuration is displayed in Example 14-7. 14fig03.gif
Figure 14-3 Policy routes can be configured at Linus to route some packets through Lucy and other packets through Pigpen.
Example 14-7. Linus's policy routing configuration.
interface Serial0 ip address 172.16.5.1 255.255.255.0 ip policy route-map Sally ! access-list 1 permit 172.16.6.0 0.0.0.255 access-list 2 permit 172.16.7.0 0.0.0.255 ! route-map Sally permit 10 match ip address 1 set ip next-hop 172.16.4.2 ! route-map Sally permit 15 match ip address 2 set ip next-hop 172.16.4.3
The policy routing command on S0 sends incoming packets to route map Sally. Statement 10 of route map Sally uses access list 1 to identify source addresses from subnet 172.16.6.0/24. If a match is made, the packet is forwarded to Lucy, whose next-hop interface address is 172.16.4.2. If no match is made, the packet is sent to statement 15. That statement uses access list 2 to match source addresses from subnet 172.16.7.0/24. If a match is made at that statement, the packet is forwarded to Pigpen (172.16.4.3). Any packets that do not match statement 15, such as packets sourced from subnet 172.16.8.0/24, are routed normally. Example 14-8 shows the results of the policy route. [3]
Example 14-8. The policy route configured on Linus's S0 interface routes packets from subnet 172.16.6.0/24 to Lucy (172.16.4.2) and routes packets from subnet 172.16.7.0/24 to Pigpen (172.16.4.3). Packets from subnet 172.16.8.0/24, which do not match the policy route, are routed normally (load balancing between Lucy and Pigpen).
Linus#debug ip packet 5 IP packet debugging is on for access list 5 Linus# IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.6.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.8.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.3, len 60, forward
Suppose Lucy's Ethernet interface fails. Linus would still attempt to forward packets from 172.16.6.0 to Lucy's IP address. Because a match is made in the route map, even if the specified next-hop interface were down, no other matches would be attempted nor would the packet be routed normally. To force Linus to verify the availability of the next-hop address before attempting to forward the packet, use the command set ip next-hop verify-availability. Linus will search its CDP neighbors table to verify that the next-hop address is listed. If it is not, the policy is rejected and the packet is forwarded normally. Example 14-9 shows the output of the commands debug ip policy and debug arp while Lucy's Ethernet interface is down. Packets are matched and policy routed, even while the router is attempting to ARP for the next-hop address, without receiving an ARP reply. The packets are dropped.
Example 14-10 shows the output of the debug ip policy command with the addition of the set ip next-hop verify-availability command in the IP policy configuration. The example shows Linus's operation with Lucy's Ethernet interface still down. The packets are matched by the policy, but the policy is rejected because the next-hop address is no longer in Linus's CDP table. Since the policy is rejected, the packets are routed using the normal method.
Example 14-9. debug ip policy and debug arp on Linus shows packets are attempting to be routed according to the configured policy, even if the next hop specified by the policy is unavailable.
Linus#debug arp ARP packet debugging is on Linus#debug ip policy Policy routing debugging is on IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, policy match IP: route map Sally, item 10, permit IP: s=172.16.6.1 (Serial0), d=172.16.2.1 (Ethernet0), len 100, policy routed IP: Serial0 to Ethernet0 172.16.4.2 IP ARP: sent req src 172.16.4.1 0004.c150.e700, dst 172.16.4.2 0000.0000.0000 Ethernet0 IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, policy match IP: route map Sally, item 10, permit IP: s=172.16.6.1 (Serial0), d=172.16.2.1 (Ethernet0), len 100, policy routed IP: Serial0 to Ethernet0 172.16.4.2 IP ARP: sent req src 172.16.4.1 0004.c150.e700, dst 172.16.4.2 0000.0000.0000 Ethernet0 IP ARP: creating incomplete entry for IP address: 172.16.4.2 interface Ethernet0 IP ARP: sent req src 172.16.4.1 0004.c150.e700, dst 172.16.4.2 0000.0000.0000 Ethernet0 IP ARP throttled out the ARP Request for 172.16.4.2
Example 14-10. debug ip policy on Linus with set ip next-hop verify-availability configured, shows the policy is rejected (the next hop is not in Linus's CDP neighbor table) and packets are routed normally (not policy routed).
Linus#debug ip policy Policy routing debugging is on
IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy rejected - normal forwarding IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy rejected - normal forwarding
Example 14-11 shows the output of the same debug command, debug ip policy, after Lucy's Ethernet interface is backed up. The output shows that the packets are successfully policy routed. Example 14-11. debug ip policy on Linus with set ip next-hop verify-availability configured. The packets are policy routed when the next hop is verified.
Linus# IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match IP: s=172.16.6.1 (Serial0), d=172.16.2.1, g=172.16.4.2, len 100, FIB policy routed IP: s=172.16.6.1 (Serial0), d=172.16.2.1, len 100, FIB policy match IP: s=172.16.6.1 (Serial0), d=172.16.2.1, g=172.16.4.2, len 100, FIB policy routed
Standard IP access lists are used when policy routing by source address only. To route by both source and destination, an extended IP access list is used. The configuration in Example 14-12 causes packets from any subnet to host 172.16.1.1 to be forwarded to Lucy, whereas packets from host 172.16.7.1 to host 172.16.1.2 are forwarded to Pigpen. All other packets are routed normally. Example 14-12. Policy route maps can reference extended IP access-lists to specify a source and destination address pair to match, as shown in this configuration.
interface Serial0 ip address 172.16.5.1 255.255.255.0 ip policy route-map Sally ! access-list 101 permit ip any host 172.16.1.1 access-list 102 permit ip host 172.16.7.1 host 172.16.1.2 ! route-map Sally permit 10 match ip address 101 set ip next-hop 172.16.4.2 ! route-map Sally permit 15 match ip address 102 set ip next-hop 172.16.4.3
Route map Sally is again used, except the match statements now reference access lists 101 and 102. Example 14-13 shows the results.
Example 14-13. Packets from any host to host 172.16.1.1 match statement 10 of route map Sally and are forwarded to Lucy. Packets from host 172.16.7.1 to host 172.16.1.2 are forwarded to Pigpen. Packets from another address on subnet 172.16.7.0/24 to host 172.16.1.2 are not matched by Sally and are routed normally.
Linus#debug ip packet 5 IP packet debugging is on for access list 5 Linus# IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.1 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.1 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.2, len 60, forward IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.3, len 60, forward IP: s=172.16.7.254 (Serial0), d=172.16.1.2 (Ethernet0), g=172.16.4.2, len 60, forward
Next, suppose your policy states that FTP traffic from the servers on subnet 172.16.1.0/24 should be forwarded to Lucy and that Telnet traffic from the same servers should be forwarded to Pigpen. This plan allows the bulk FTP traffic and the bursty, interactive Telnet traffic to be segregated on the two serial links from Schroeder. Schroeder will have the configuration in Example 14-14. Example 14-14. Schroeder's policy route configuration forwarding FTP and Telnet traffic.
interface Ethernet0 ip address 172.16.1.4 255.255.255.0 ip policy route-map Rerun ! access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp any access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq telnet any ! route-map Rerun permit 10 match ip address 105 set ip next-hop 172.16.2.1 ! route-map Rerun permit 20 match ip address 106 set ip next-hop 172.16.3.1
Access lists 105 and 106 are examining not only the source and destination addresses, but also the source port. In Example 14-15, the detail option is used with debug ip packet to allow observation of the packet types being forwarded by Schroeder. An access list 10 limits the displayed packets to those from 172.16.1.1 to 172.16.6.1.
Example 14-15. FTP packets (TCP ports 20 and 21) are being forwarded to Lucy, whereas Telnet packets (TCP port 23) with the same source and destination addresses are forwarded to Pigpen. Echo Reply packets (ICMP type 0), which do not find a match in the policy route, are routed normally.
Schroeder#debug ip packet detail 10 IP packet debugging is on (detailed) for access list 10 Schroeder# IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1064, forward TCP src=20, dst=1047, seq=3702770065, ack=591246297, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 64, forward TCP src=21, dst=1046, seq=3662108731, ack=591205663, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward TCP src=20, dst=1047, seq=3702771089, ack=591246297, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward TCP src=23, dst=1048, seq=3734385279, ack=591277873, win=14332 ACK IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 52, forward TCP src=23, dst=1048, seq=3734385279, ack=591277873, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward TCP src=23, dst=1048, seq=3734385291, ack=591277876, win=14332 ACK IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 60, forward ICMP type=0, code=0 IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward ICMP type=0, code=0 IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 60, forward ICMP type=0, code=0 IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward ICMP type=0, code=0
The purpose of segregating bulk and interactive traffic, as demonstrated in the last example, is so that the small packets characteristic of interactive traffic do not become delayed by the large packets characteristic of bulk traffic. The problem with the approach in this example is that if many types of traffic must be segregated, the access lists identifying the traffic by destination port might become prohibitively large.
If the objective is to segregate small packets from large packets, the length of the packet can be matched, as shown in Example 14-16.
Example 14-16. Schroeder's policy route configuration forwards traffic based on packet length.
interface Ethernet0 ip address 172.16.1.4 255.255.255.0 ip policy route-map Woodstock ! route-map Woodstock permit 20 match length 1000 1600 set ip next-hop 172.16.2.1 ! route-map Woodstock permit 30 match length 0 400 set ip next-hop 172.16.3.1
Here the match length statement specifies a minimum and a maximum packet size. Statement 20 of the route map causes all packets between 1000 and 1600 octets in length to be routed across the serial link to Lucy. Statement 30 causes all packets up to 400 octets in length to be routed across the serial link to Pigpen. Packets between 400 and 1000 octets are routed normally.
Example 14-17 shows the results of the new route map. Again there are FTP, Telnet, and Echo Reply packets from 172.16.1.2 to 172.16.6.1, but now the packets are routed according to their size instead of their addresses and ports.
Example 14-17. Packets of 1000 octets or larger are routed to Lucy, whereas packets of 400 octets or less are routed to Pigpen. Any packets between 400 and 1000 octets are routed normally.
Schroeder#debug ip packet detail 10 IP packet debugging is on (detailed) for access list 10 Schroeder# IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward TCP src=20, dst=1063, seq=1528444161, ack=601956937, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward TCP src=20, dst=1063, seq=1528442725, ack=601956937, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial0), g=172.16.2.1, len 1476, forward TCP src=20, dst=1063, seq=1528444161, ack=601956937, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 840, forward TCP src=20, dst=1063, seq=1528445597, ack=601956937, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward TCP src=21, dst=1062, seq=1469372904, ack=601897901, win=14329 ACK IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 54, forward TCP src=21, dst=1062, seq=1469372904, ack=601897901, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward TCP src=21, dst=1062, seq=1469372918, ack=601897901, win=14335 ACK FIN IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 44, forward TCP src=23, dst=1064, seq=1712116521, ack=602140570, win=14335 ACK SYN IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 43, forward TCP src=23, dst=1064, seq=1712116522, ack=602140570, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 40, forward TCP src=23, dst=1064, seq=1712116525, ack=602140573, win=14332 ACK IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 52, forward TCP src=23, dst=1064, seq=1712116525, ack=602140573, win=14335 ACK PSH IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward ICMP type=0, code=0 IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward ICMP type=0, code=0 IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward ICMP type=0, code=0 IP: s=172.16.1.2 (Ethernet0), d=172.16.6.1 (Serial1), g=172.16.3.1, len 60, forward ICMP type=0, code=0
The policy routes demonstrated so far affect packets entering the router from a particular interface. But what about packets generated by the router itself? These can also be policy routed, with the command ip local policy route-map. Unlike the ip policy route-map command, which is configured on an interface, this command is configured globally on the router.
To apply the previously demonstrated policy to packets generated by Schroeder, the configuration is as displayed in Example 14-18.
Example 14-18. Route policy configuration for packets generated by Schroeder.
interface Ethernet0 ip address 172.16.1.4 255.255.255.0 ip policy route-map Woodstock ! ip local policy route-map Woodstock ! access-list 120 permit ip any 172.16.1.0 0.0.0.255 access-list 120 permit ospf any any ! route-map Woodstock permit 10 match ip address 120 ! route-map Woodstock permit 20 match length 1000 1600 set ip next-hop 172.16.2.1 ! route-map Woodstock permit 30 match length 0 400 set ip next-hop 172.16.3.1
Of particular interest is statement 10. This statement does not have a set statement, but merely permits packets that match access list 120. Access list 120, in turn, permits all packets destined for subnet 172.16.1.0/24 and all OSPF packets. Without the first line of the access list, some packets originated by Schroeder and destined for subnet 172.16.1.0/24 would be forwarded to the wrong interface by statement 20 or 30. Figure 14-4 shows why the second line of the access list is necessary. The length of Schroeder's OSPF Hellos is 44 octets. If statement 10 were not included, the OSPF Hellos would all match statement 30 and be forwarded to Pigpen, breaking the adjacency between Lucy and Schroeder. By matching statement 10, the OSPF packets are permitted with no changes and are forwarded normally. 14fig04.jpg
Figure 14-4 The length of the OSPF Hello packets is seen in this analyzer capture.
Case Study: Policy Routing and Quality of Service Routing
Although quality of service (QoS) routing is outside the scope of this volume, it must be noted here that policy routing can be an integral part of QoS. Policy routing in conjunction with QoS is done by setting the Precedence or the Type of Service (TOS) bits of the TOS field in the IP headers of packets as they enter a router's interface. Figure 14-5 shows the bits of the TOS field. Although the TOS bits are seldom used in modern networks, the Precedence bits have found new life in QoS applications. The TOS bits are used to influence the path a router selects for a packet, whereas the Precedence bits are used to prioritize packets within a router. 14fig05.gif
Figure 14-5 The Precedence and TOS bits of the Type of Service field of the IP header.
The Precedence bits are set by using the set ip Precedence statement within a route map. The Precedence might be set by specifying the decimal equivalent of the three Precedence bits or by using keywords. Table 14-5 shows the decimal numbers and the keywords that can be used. Table 14-5. Precedence values and keywords used with the set ip precedence command.
Bits
Number
Keyword
000
0
routine
001
1
priority
010
2
immediate
011
3
flash
100
4
flash-override
101
5
critical
110
6
internet
111
7
network
The TOS bits are set by using the set ip tos statement. Like the Precedence statement, the argument of the statement might be a number or a keyword, as shown in Table 14-6. Unlike Precedence, you might use a combination of TOS values. For example, specifying a TOS value of 12 (1100b) means minimum delay and maximum throughput. Only a single keyword can be used, so to set a combination of TOS values, a number must be specified.
Table 14-6. TOS values and keywords used with the set ip tos command.
Bits
Number (0–15)
Keyword
0000
0
normal
0001
1
min-monetary-cost
0010
2
max-reliability
0100
4
max-throughput
1000
8
min-delay
Figure 14-6 shows an example of how policy routes can be used for QoS routing. 14fig06.gif
Figure 14-6 Policy routes can be used to set the Precedence or TOS bits of packets entering a network. The routers within the network can then make QoS decisions based on the setting of these bits.
Here, router Pogo is at the "edge" of the Internet OkefenokeeNet. By configuring policy routes on Pogo's serial links, the Precedence or TOS bits of incoming packets can be changed so that IP traffic is divided into several traffic classes. See Example 14-19 for instance. Example 14-19. Pogo's configuration sets Precedence and TOS bits.
interface Serial0 ip address 10.1.18.67 255.255.255.252 ip policy route-map Albert ! interface Serial1 ip address 10.34.16.83 255.255.255.252 ip policy route-map Albert ! access-list 1 permit 172.16.0.0 0.0.255.255 access-list 110 permit tcp any eq www any ! route-map Albert permit 10 match ip address 1 110 set ip precedence critical ! route-map Albert permit 20 set ip tos 10 set ip precedence priority
Statement 10 says that if packets match both access lists 1 and 110, the Precedence will be set to critical. Notice that statement 20 has no match statement. This statement will match any packets that haven't been matched by statement 10. There are also two set statements under statement 20. These statements will set the TOS bits to minimum delay and maximum reliability and will set the Precedence bits to priority. Figure 14-7 shows a capture of a packet from somewhere inside OkefenokeeNet, which has been modified by the route map at Pogo. 14fig07.jpg
Figure 14-7 Pogo's policy route has set the Precedence bits of this packet to priority (001b) and the TOS bits to minimum delay and maximum reliability (1010b).
After the Precedence or TOS bits have been set in packets entering the network, the routers within the Internet can make QoS decisions based in part or wholly on the class of service these bits define. For example, priority, custom, or weighted fair queuing might be configured to prioritize traffic according to the Precedence or TOS bits. In some implementations, Precedence can be used with congestion avoidance mechanisms such as Weighted Random Early Detection (WRED). Or a crude Class-of-Service routing can be implemented by configuring access lists that permit or deny packets across certain links based on the setting of their Precedence or TOS bits.
Case Study: Route Maps and Redistribution
A route map can be used with redistribution for both IPv4 and IPv6 by adding a call to the route map in the redistribute command. Figure 14-8 shows a network in which IPv4 IS-IS and OSPF routes are being mutually redistributed at router Zippy. Of the network and subnet addresses listed in the illustration, only the ones whose third octet is odd-numbered are to be redistributed. 14fig08.gif
Figure 14-8 The OSPF and IS-IS routes are being mutually redistributed. Route maps can be used with the redistribute command as simple route filters, or they can be used to modify characteristics of the redistributed routes.
Zippy's configuration is displayed in Example 14-20. Example 14-20. Zippy is configured to redistribute only addresses with an odd numbered third octet.
router ospf 1 redistribute isis level-1 metric 20 subnets route-map Griffy network 172.16.10.2 0.0.0.0 area 5 ! router isis redistribute ospf 1 metric 25 route-map Toad metric-type internal level-2 net 47.0001.1234.5678.9056.00 ! access-list 1 permit 192.168.2.0 access-list 1 permit 192.168.4.0 access-list 1 permit 192.168.6.0 access-list 2 permit 172.16.1.0 access-list 2 permit 172.16.3.0 access-list 2 permit 172.16.5.0 access-list 2 permit 172.16.7.0 access-list 2 permit 172.16.9.0 ! route-map Griffy deny 10 match ip address 1 ! route-map Griffy permit 20 ! route-map Toad permit 10 match ip address 2
Route maps Griffy and Toad perform the same functions, but with different logic. Griffy uses negative logic, identifying the routes that should not be redistributed, and Toad uses positive logic, identifying the routes that should be redistributed.
Statement 10 of Griffy denies any routes that are permitted by access list 1 (the addresses with an even third octet). Because the addresses with odd-numbered third octets do not find a match at statement 10, they are passed to statement 20. Statement 20 has no match statement, so the default is to match everything. Statement 20 has a permit action, so the odd routes are permitted. The result is shown in Example 14-21.
Example 14-21. The only destinations within the IS-IS domain that are contained in Shelflife's route table are those with an odd-numbered third octet.
Shelflife#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default Gateway of last resort is not set O E2 192.168.9.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 O E2 192.168.1.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 O E2 192.168.3.0 [110/20] via 172.16.10.2, 00:24:46, Ethernet0 O E2 192.168.5.0 [110/20] via 172.16.10.2, 00:24:47, Ethernet0 O E2 192.168.7.0 [110/20] via 172.16.10.2, 00:24:47, Ethernet0 172.16.0.0 255.255.255.0 is subnetted, 9 subnets C 172.16.9.0 is directly connected, Serial0 C 172.16.10.0 is directly connected, Ethernet0 O 172.16.4.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 O 172.16.5.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 O 172.16.6.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 O 172.16.7.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 O 172.16.1.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 O 172.16.2.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 O 172.16.3.0 [110/159] via 172.16.9.2, 14:05:33, Serial0 Shelflife#
Route map Toad has a single statement that permits routes that have been permitted by access list 2 (addresses with an odd third octet). The addresses with an even third octet do not find a match at access list 2. The default route map statement when redistributing is to deny all routes, so the addresses that are not matched by access list 2 are not redistributed. Example 14-22 shows the results of route map Toad.
Example 14-22. The only destinations within the OSPF domain that are contained in Zerbina's route table are those with an odd-numbered third octet.
Zerbina#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR Gateway of last resort is not set C 192.168.9.0/24 is directly connected, Serial0 C 192.168.10.0/24 is directly connected, Ethernet0 i L1 192.168.1.0/24 [115/15] via 192.168.9.2, Serial0 i L1 192.168.2.0/24 [115/15] via 192.168.9.2, Serial0 i L1 192.168.3.0/24 [115/15] via 192.168.9.2, Serial0 i L1 192.168.4.0/24 [115/15] via 192.168.9.2, Serial0 i L1 192.168.5.0/24 [115/15] via 192.168.9.2, Serial0 i L1 192.168.6.0/24 [115/15] via 192.168.9.2, Serial0 i L1 192.168.7.0/24 [115/15] via 192.168.9.2, Serial0 172.16.0.0/24 is subnetted, 5 subnets i L2 172.16.9.0 [115/35] via 192.168.10.2, Ethernet0 i L2 172.16.5.0 [115/35] via 192.168.10.2, Ethernet0 i L2 172.16.7.0 [115/35] via 192.168.10.2, Ethernet0 i L2 172.16.1.0 [115/35] via 192.168.10.2, Ethernet0 i L2 172.16.3.0 [115/35] via 192.168.10.2, Ethernet0 Zerbina#
Other configurations will achieve the same ends. For instance, route map Toad will have the same effect with the access list in Example 14-23.
Example 14-23. An alternate configuration for route-map Toad on Zippy.
access-list 2 deny 172.16.2.0 access-list 2 deny 172.16.4.0 access-list 2 deny 172.16.6.0 access-list 2 permit any
Although route maps work fine as simple route filters, their strength lies in their ability to change the routes in various ways. Consider the configuration in Example 14-24 of Zippy in Figure 14-8. Example 14-24. Zippy's route-map configuration sets the metric type, metric and level of certain redistributed routes.
router ospf 1 redistribute isis level-1 metric 20 subnets route-map Griffy network 172.16.10.2 0.0.0.0 area 5 ! router isis redistribute ospf 1 metric 25 route-map Toad metric-type internal level-2 net 47.0001.1234.5678.9056.00 ! ip classless access-list 1 permit 192.168.2.0 access-list 1 permit 192.168.4.0 access-list 1 permit 192.168.6.0 access-list 2 permit 172.16.9.0 access-list 2 permit 172.16.5.0 access-list 2 permit 172.16.7.0 access-list 2 permit 172.16.1.0 access-list 2 permit 172.16.3.0 ! route-map Griffy permit 10 match ip address 1 set metric-type type-1 ! route-map Griffy permit 20 ! route-map Toad permit 10 match ip address 2 set metric 15 set level level-1 ! route-map Toad permit 20
Statement 10 of route map Griffy permits routes to the addresses in access list 1 and redistributes them into OSPF as type 1 external routes. Statement 20 permits all other routes, which will be redistributed with the default external type 2. Example 14-25 shows the results. Example 14-25. The routes to destinations in the IS-IS domain are E1 if the third octet of the address is even and E2 if the third octet is odd.
Shelflife#show ip route Codes:C -connected,S -static,I -IGRP,R -RIP,M -mobile,B -BGP D -EIGRP,EX -EIGRP external,O -OSPF,IA -OSPF inter area E1 -OSPF external type 1,E2 -OSPF external type 2,E -EGP i -IS-IS,L1 -IS-IS level-1,L2 -IS-IS level-2,*-candidate default Gateway of last resort is not set O E2 192.168.9.0 [110/20 ] via 172.16.10.2,,00:13:43,Ethernet0 O E2 192.168.1.0 [110/20 ] via 172.16.10.2,,00:13:43,Ethernet0 O E1 192.168.2.0 [110/30 ] via 172.16.10.2,,00:13:43,Ethernet0 O E2 192.168.3.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 O E1 192.168.4.0 [110/30 ] via 172.16.10.2,,00:13:44,Ethernet0 O E2 192.168.5.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 O E1 192.168.6.0 [110/30 ] via 172.16.10.2,,00:13:44,Ethernet0 O E2 192.168.7.0 [110/20 ] via 172.16.10.2,,00:13:44,Ethernet0 172.16.0.0 255.255.255.0 is subnetted,9 subnets C 172.16.9.0 is directly connected,Serial0 C 172.16.10.0 is directly connected,Ethernet0 O 172.16.4.0 [110/159 ] via 172.16.9.2,,15:49:29,Serial0 O 172.16.5.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 O 172.16.6.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 O 172.16.7.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 O 172.16.1.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 O 172.16.2.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 O 172.16.3.0 [110/159 ] via 172.16.9.2,,15:49:30,Serial0 Shelflife#
Statement 10 of route map Toad permits routes to addresses in access list 2 and redistributes them into IS-IS as level 1 routes. Their metric is set to 15. Statement 20 permits all other routes, which will be redistributed as level 2 and with a metric of 25, as specified by the redistribute command under the IS-IS configuration (see Example 14-26). Example 14-26. The routes to destinations in the OSPF domain are L2 if the third octet of the address is even and L1 if the third octet is odd. The "odds" are redistributed with a metric of 15, and the "evens" are redistributed with a metric of 25 (10 is added for the hop from Zippy to Zerbina).
Zerbina#show ip route Codes:C -connected,S -static,I -IGRP,R -RIP,M -mobile,B -BGP D -EIGRP,EX -EIGRP external,O -OSPF,IA -OSPF inter area N1 -OSPF NSSA external type 1,N2 -OSPF NSSA external type 2 E1 -OSPF external type 1,E2 -OSPF external type 2,E -EGP i -IS-IS,L1 -IS-IS level-1,L2 -IS-IS level-2,*-candidate default U -per-user static route,o -ODR Gateway of last resort is not set C 192.168.9.0/24 is directly connected,Serial0 C 192.168.10.0/24 is directly connected,Ethernet0 i L1 192.168.1.0/24 [115/15 ] via 192.168.9.2,,Serial0 i L1 192.168.2.0/24 [115/15 ] via 192.168.9.2,,Serial0 i L1 192.168.3.0/24 [115/15 ] via 192.168.9.2,,Serial0 i L1 192.168.4.0/24 [115/15 ] via 192.168.9.2,,Serial0 i L1 192.168.5.0/24 [115/15 ] via 192.168.9.2,,Serial0 i L1 192.168.6.0/24 [115/15 ] via 192.168.9.2,,Serial0 i L1 192.168.7.0/24 [115/15 ] via 192.168.9.2,,Serial0 172.16.0.0/24 is subnetted,8 subnets i L1 172.16.9.0 [115/25 ] via 192.168.10.2,,Ethernet0 i L2 172.16.4.0 [115/35 ] via 192.168.10.2,,Ethernet0 i L1 172.16.5.0 [115/25 ] via 192.168.10.2,,Ethernet0 i L2 172.16.6.0 [115/35 ] via 192.168.10.2,,Ethernet0 i L1 172.16.7.0 [115/25 ] via 192.168.10.2,,Ethernet0 i L1 172.16.1.0 [115/25 ] via 192.168.10.2,,Ethernet0 i L2 172.16.2.0 [115/35 ] via 192.168.10.2,,Ethernet0 i L1 172.16.3.0 [115/25 ] via 192.168.10.2,,Ethernet0 Zerbina#
Case Study: Route Tagging
Figure 14-9 shows a situation in which routes from several routing domains, each running a separate routing protocol, are being redistributed into a single transit domain running OSPF. On the other side of the OSPF cloud, the routes must be redistributed back into their respective domains. Route filters can be used at the egress points from the OSPF cloud into each domain to permit only the routes that belong to that domain. However, if each domain has many routes or if the routes within the domain change frequently, the route filters can become difficult to manage. 14fig09.gif
Figure 14-9 Routes from each of the three domains on the left are redistributed into a transit network running OSPF. On the right, the routes for each domain must be redistributed back into their original domains.
Another way of handling this problem is to tag the routes at their ingress points to the OSPF transit domain with a tag that is unique to each domain. At the egress points, the routes can be redistributed by their tags instead of by specific addresses. The routing protocol of the transit network does not necessarily use the tag, but merely conveys it to and from its external networks. RIPv2, EIGRP, Integrated IS-IS, and OSPF all support route tags. BGP also supports route tags. Tags are not supported by RIPv1. A case study in this section shows how a transit network running OSPF can use the route tags.
A re-examination of the packet formats in Chapter 6, "RIPv2, RIPng, and Classless Routing," Chapter 7, "Enhanced Interior Gateway Routing Protocol (EIGRP)," Chapter 8, "OSPFv2," and Chapter 10, "Integrated IS-IS" show that RIPv2 messages support 16-bit tags, IS-IS Inter-Domain Routing Protocol Information TLVs support 16-bit tags, and EIGRP external route TLVs and OSPF type 5 LSAs support 32-bit tags. These tags are expressed as decimal numbers, so tags carried by RIPv2 and IS-IS will be between 0 and 65,535, and tags carried by EIGRP and OSPF will be between 0 and 4,294,967,295.
In Figure 14-10, router Dagwood is accepting routes from three different routing domains and redistributing them into a domain running OSPF. The objective here is to tag the routes from each domain so that their source domain might be identified within the OSPF cloud. Routes from domain 1 will have a tag of 1, domain 2 will have a tag of 2, and so on. 14fig10.gif
Figure 14-10 Dagwood is configured to tag the routes from each of the three routing domains as they are redistributed into OSPF.
Dagwood's configuration is displayed in Example 14-27. Example 14-27. Dagwood is configured to tag routes as they are redistributed into OSPF from RIP and EIGRP.
router ospf 1 redistribute eigrp 1 metric 10 subnets tag 1 redistribute rip metric 10 subnets route-map Dithers network 10.100.200.1 0.0.0.0 area 0 ! router rip network 10.0.0.0 ! router eigrp 1 network 10.0.0.0 ! access-list 1 permit 10.1.2.3 access-list 2 permit 10.1.2.4 ! route-map Dithers permit 10 match ip route-source 1 set tag 2 ! route-map Dithers permit 20 match ip route-source 2 set tag 3
First, notice the redistribute eigrp command under OSPF. Dagwood is accepting routes from only one EIGRP domain, so the tag can be set to 1 directly on the redistribute command. However, routes are being learned from two RIP domains. Here a route map is needed. Route map Dithers sets the tag of the RIP routes to either 2 or 3, depending on whether the route was learned from Funky (10.1.2.3) or Beetle (10.1.2.4). Figure 14-11 shows an LSA advertising one of the RIP-learned routes, with the route tag set to 2. 14fig11.jpg
Figure 14-11 This type 5 LSA is advertising network 192.168.2.0, which is in domain 2, within the OSPF domain. The route tag is shown on the last line.
The route tags can also be observed in the OSPF link state database (see Example 14-28). Example 14-28. The OSPF link state database indicates the tags that were set for each of the external routes by Dagwood's redistribution processes.
Blondie#show ip ospf database OSPF Router with ID (10.100.200.2)(Process ID 1) Router Link States (Area 0) Link ID ADV Router Age Seq# Checksum Link count 10.100.200.3 10.100.200.3 671 0x80000003 0x00A137 4 10.100.200.2 10.100.200.2 39 0x80000002 0x6FF5 3 10.100.200.1 10.100.200.1 40 0x80000033 0x33E1 3 Net Link States (Area 0) Link ID ADV Router Age Seq# Checksum 10.100.200.1 10.100.200.1 40 0x80000001 0xB0A7 AS External Link States Link ID ADV Router Age Seq# Checksum Tag 192.168.2.0 10.100.200.1 641 0x80000028 0x904D 2 10.17.77.0 10.100.200.1 642 0x80000028 0xC817 3 192.168.3.0 10.100.200.1 642 0x80000028 0x9744 3 10.15.75.0 10.100.200.1 642 0x80000028 0xD213 1 10.1.2.0 10.100.200.1 642 0x80000028 0xA19B 1 10.16.76.0 10.100.200.1 642 0x80000028 0xCD15 2 192.168.1.0 10.100.200.1 644 0x80000028 0x8956 1 10.100.200.0 10.100.200.1 644 0x80000028 0x6EA4 1 Blondie#
In Figure 14-12, Blondie must redistribute only domain 2 routes to Alley and only domain 1 routes to Oop. Because the routes were tagged as they entered the OSPF transit domain, this is easily done. Blondie's configuration is shown in Example 14-29. 14fig12.gif
Figure 14-12 Blondie is using route maps to redistribute routes according to their route tag. Example 14-29. Blondie is configured to use route maps to redistribute routes with tag 1 to EIGRP and tag 2 to RIP.
router ospf 1 network 10.100.200.2 0.0.0.0 area 0 ! router rip redistribute ospf 1 match external 2 route-map Daisy passive-interface Ethernet0 passive-interface Serial1 network 10.0.0.0 default-metric 5 ! router eigrp 1 redistribute ospf 1 match external 2 route-map Herb passive-interface Ethernet0 passive-interface Serial0 network 10.0.0.0 default-metric 10000 1000 255 1 1500 ! route-map Daisy permit 10 match tag 2 ! route-map Herb permit 10 match tag 1
Example 14-30 shows the resulting routes at Alley and Oop. One drawback to the use of route tags to filter routes is that there is no way to filter routes by interface. For example, if Blondie had to send routes to both domain 2 and domain 3, which both run RIP, route maps could not be configured to send some routes to one RIP process and other routes to another RIP process. The routes would have to be filtered by address with distribute-list commands. Example 14-30. The route tables of Alley and Oop in Figure 14-12 show the results of the redistribution configuration at Blondie.
Alley#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks C 10.1.3.0/24 is directly connected, Serial0 R 10.1.5.4/30 [120/1] via 10.1.3.1, 00:00:25, Serial0 R 10.1.4.0/24 [120/1] via 10.1.3.1, 00:00:25, Serial0 R 10.16.76.0/24 [120/5] via 10.1.3.1, 00:00:25, Serial0 R 10.100.200.2/32 [120/1] via 10.1.3.1, 00:00:25, Serial0 R 192.168.2.0/24 [120/5] via 10.1.3.1, 00:00:25, Serial0 Alley#
______________________________________________________________________________________
Oop#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks D 10.1.3.0/24 [90/2681856] via 10.1.4.1, 00:21:36, Serial0 D EX 10.1.2.0/24 [170/2425856] via 10.1.4.1, 00:08:22, Serial0 D 10.1.5.4/30 [90/2681856] via 10.1.4.1, 00:22:40, Serial0 C 10.1.4.0/24 is directly connected, Serial0 D EX 10.15.75.0/24 [170/2425856] via 10.1.4.1, 00:04:56, Serial0 D 10.100.200.2/32 [90/2297856] via 10.1.4.1, 00:22:40, Serial0 D EX 192.168.1.0/24 [170/2425856] via 10.1.4.1, 00:04:56, Serial0 Oop#
Case Study: Filtering Tagged Routes Out of OSPF Route Table
The network running OSPF in Figure 14-10 and Figure 14-12 is a transit network. If devices within that transit area do not need to send packets to any of the other domains, there is no need to maintain the addresses of those domains in the OSPF route tables. The tags that were added to the routes, along with distribute lists and route maps, can be applied to the OSPF routers to prevent the addresses from being added to the route tables, while not affecting the entries in the link-state database.
Sally, a router wholly within the OSPF domain, has been modified with the configuration in Example 14-31. Example 14-31. Sally's configuration uses tags to filter routes from the OSPF route table.
router ospf 1 network 10.100.200.1 0.0.0.0 area 0 network 10.1.5.0 0.0.0.255 area 0 distribute-list route-map Charlie in ! route-map Charlie deny 10 match tag 1 2 3 ! route-map Charlie permit 20
The route map Charlie denies addresses that are marked with tags 1, 2 or 3. These addresses are omitted from the IP route table by the distribute-list in command. Any other address is added to the route table, permitted by the route map sequence 20. The distribute list is not applied to Blondie and Dagwood, the edge routers that are performing redistribution. If an address is not in the route table, even if it is in the OSPF LSA database, it will not be redistributed into another routing protocol. Example 14-32 shows Sally's IP route table and OSPF LSA database. Example 14-32. The OSPF addresses marked with tags are filtered out of the IP route table. The addresses still exist in the OSPF LSA database.
Sally#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks C 10.1.5.4/30 is directly connected, Serial0/0.2 C 10.1.5.0/30 is directly connected, Serial0/0.1 O 10.100.200.2/32 [110/65] via 10.1.5.6, 00:17:24, Serial0/0.2 C 10.100.200.3/32 is directly connected, Loopback0 O 10.100.200.1/32 [110/65] via 10.1.5.1, 00:17:24, Serial0/0.1
________________________________________________________________________________________
Sally#show ip ospf database OSPF Router with ID (10.100.200.3) (Process ID 1)
Router Link States (Area 0) Link ID ADV Router Age Seq# Checksum Link count 10.100.200.1 10.100.200.1 1183 0x80000004 0x003756 3 10.100.200.2 10.100.200.2 1181 0x80000004 0x00E1A1 3 10.100.200.3 10.100.200.3 1177 0x8000000A 0x00933E 4 Type-5 AS External Link States Link ID ADV Router Age Seq# Checksum Tag 10.1.2.0 10.100.200.1 94 0x80000003 0x00EB76 1 10.15.75.0 10.100.200.1 603 0x80000002 0x001FEC 1 10.16.76.0 10.100.200.1 346 0x80000002 0x001AEE 2 10.16.77.0 10.100.200.1 353 0x80000002 0x001FEE 2 192.168.1.0 10.100.200.1 603 0x80000002 0x00D530 1 192.168.2.0 10.100.200.1 346 0x80000002 0x00DC27 2 192.168.3.0 10.100.200.1 353 0x80000002 0x00E427 2 Sally#
None of the tagged routes, tag 1, 2, or 3, exist in Sally's IP route table.
Case Study: IPv6 Redistribution with Route Maps
IPv6 routing protocols also support redistribution of routes using route maps. The configuration is almost identical to IPv4.
Figure 14-13 shows the addition of IPv6 addresses and routing protocols to the network shown in Figure 14-10. Funky and Beetle are each running RIPng. Dagwood is redistributing IPv6 prefixes between RIPng and IS-IS. Only IPv6 prefixes from Beetle are redistributed into IS-IS, and prefix 2001:db8:0:77::/64 is set with a metric of 10 while prefix 2001:db8:0:200::/64 has a metric of 100. 14fig13.gif
Figure 14-13 IPv6 has been added to the network in Figure 14-10. IPv6 prefixes are redistributed between RIPng and IS-IS.
Dagwood's configuration is displayed in Example 14-33. Example 14-33. Dagwood's IPv6 configuration.
Interface ethernet 0/0 ipv6 address 2001:db8:0:2::1/64 ipv6 rip domain3 enable ! interface serial 0/0.1 point-to-point ipv6 address 2001:db8:0:5::1/64 ipv6 router isis ! ipv6 router rip domain3 ! router isis net 00.0001.0000.5678.ef01.00 Address-family ipv6 Redistribute rip domain3 route-map Beetlefilter ! route-map Beetlefilter permit 10 match ipv6 route-source prefix-list 1 match ipv6 address prefix-list 3 set metric 10 ! route-map Beetlefilter permit 20 match ipv6 route-source prefix-list 1 match ipv6 address prefix-list 2 set metric 100 ! ipv6 prefix-list 1 permit 2001:db8:0:2::4/128 ipv6 prefix-list 2 permit 2001:db8:0:200::/64 ipv6 prefix-list 3 permit 2001:db8:0:77::/64
IPv6 prefix-lists are used to match the source of route information or to match specific addresses for redistribution. Statement 10 of Beetlefilter specifies that the route source must equal Beetle's IPv6 address and the prefix must equal 2001:db8:0:77::/64 for the metric to be set to 10. If the route source or the prefix does not match, statement 20 is executed. If the source is Beetle and the prefix is 2001:db8:0:200::/64, the metric is set to 100. If the source is not Beetle, or the prefix is not one of the ones specified, the route is not redistributed.
Sally's IS-IS database (Example 14-34) shows the redistributed prefixes. Example 14-34. The redistributed routes are seen in Sally's IS-IS database.
Sally#show isis database detail Dagwood-00.00
IS-IS Level-1 LSP Dagwood.00-00 LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL Dagwood.00-00 0x00000004 0xCA8B 938 0/0/0 Area Address: 00.0001 NLPID: 0x8E Hostname: Dagwood IPv6 Address: 2001:DB8:0:5::1 Metric: 10 IPv6 2001:DB8:0:5::/64 Metric: 10 IS Sally.00
IS-IS Level-2 LSP Dagwood.00-00 LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL Dagwood.00-00 0x00000008 0x28D7 1089 0/0/0 Area Address: 00.0001 NLPID: 0x8E Hostname: Dagwood IPv6 Address: 2001:DB8:0:5::1 Metric: 10 IS Sally.00 Metric: 10 IPv6 2001:DB8:0:5::/64 Metric: 10 IPv6 2001:DB8:0:77::/64 Metric: 100 IPv6 2001:DB8:0:200::/64 Sally#