CCNP 300-101 Route (Path Control)

Switching Types

  • Cisco Express Forwarding (CEF)
    Default switching type
    show ip cef summary
    show ip cef exact-route 1.1.1.1 2.2.2.2
    show ip cef 1.1.1.1 detail
    To turn off: no ip cef (not recommended; the router then falls back to fast/process switching)
  • Fast switching
    Uses IP routing table for initial route lookup and stores the result in a cache
    show ip cache
  • Process switching
    Queries the IP routing table directly
    Causes high CPU utilization

Debug with access-list 99 (source 5.5.5.5)

R5(config)#access-list 99 permit 5.5.5.5
R5#debug ip packet 99
### debug ip packet only shows process-switched packets; CEF/fast-switched traffic is not seen
### always scope it with an ACL: an unfiltered debug ip packet can exhaust the CPU on a busy router

### test ping
R5#ping 46.46.46.46 source 5.5.5.5 repeat 2

Path Control Methods

Path control: The control of packet forwarding on a hop-by-hop basis

Path Control Configuration Points

  • Routing protocol decisions
    Modifying metrics
    Modifying route types
    Distribute Lists
  • Administrative distance
    External BGP (eBGP) has an AD of 20; internal BGP (iBGP) has an AD of 200
  • IP routing table
    Static routes have an AD of 1
    Connected routes have an AD of 0
    Tunnel interfaces show up as connected routes in the IP routing table
  • Switching process
    Overrides normal packet switching behavior (Policy Based Routing)
    Can be forwarded based on something other than the destination prefix

Border Gateway Protocol (BGP)

BGP is an exterior gateway protocol (EGP), used between autonomous systems
Also sometimes called a reachability protocol

Public BGP AS numbers

  • Assigned by the Internet Assigned Numbers Authority (IANA) through the regional registries
  • 16-bit range from 1 to 64,511 (4-byte AS numbers extend the range beyond 65,535)

Private BGP AS numbers

  • Range from 64,512 to 65,534 (65,535 is reserved)

Advantages of BGP

  • Route stability
  • BGP is a path vector protocol, not a distance vector protocol
  • Loop prevention: BGP uses the AS path to detect a routing loop (an update whose AS_PATH already contains the receiving router's own AS is discarded)

Path Vector vs. Distance Vector

Path vector (BGP)

  • Concerned with the sequence of autonomous systems (the AS path) to reach a destination

Distance vector (EIGRP, RIP)

  • Concerned with the number of hops or the metric (distance) to reach a destination

Establishing a BGP Session

  • BGP routers communicate via TCP port 179

BGP states (peers go through 6 states)

  • Idle
    The router refuses inbound connections until a start event, then tries to initiate a TCP connection with the peer
    It also listens for an incoming connection from that peer
  • Connect
    BGP waits for the TCP three-way handshake with the peer to complete
    If it completes, an OPEN message is sent and the session moves to OpenSent; if it fails, the session moves to Active
    If both peers open a connection at the same time (collision), the connection started by the router with the higher BGP router ID is kept; the router ID is normally the highest loopback IP, which is where the "higher IP address" rule of thumb comes from
  • Active
    The router is actively retrying a new TCP connection to its peer while still listening for one
    Active means the peers have not yet established a TCP session; a neighbour stuck in Active or flapping between Idle and Active usually has no IP reachability to the peer address, a wrong neighbor/remote-as statement, a password mismatch or TCP 179 filtered
  • OpenSent
    The OPEN has been sent; the peer's OPEN is sanity checked (BGP version, AS number, router ID, hold time)
    If the checks don't pass, a NOTIFICATION is sent and the routers move back into the Idle state
  • OpenConfirm
    Each BGP router waits to receive a KEEPALIVE message
    Keepalive messages are sent by default every 60 seconds
    The default hold time is 180 seconds (three missed keepalives tear the session down)
  • Established
    BGP peers begin to exchange routing updates (UPDATE messages)

Peering & Authentication

Customer request:

  • Configure R1 & R4 (AS 64,477) to establish eBGP peering with ISP1 (AS 65,550)
  • If a password is required, it will be set to “cisco”
### "neighbor ... password" enables TCP MD5 authentication (RFC 2385) on the BGP session
### Both peers must use the same string or the TCP session never forms (the neighbor stays in Idle/Active)
### The string sits in the running config; service password-encryption only obfuscates it (type 7)
R1(config)#router bgp 64477
R1(config-router)#neighbor 203.0.113.2 remote-as 65550
R1(config-router)#neighbor 203.0.113.2 password cisco
R1#show ip bgp summary
R1#show ip bgp neighbors
R1#show ip route bgp
R1#show ip bgp
R4(config)#router bgp 64477
R4(config-router)#neighbor 198.51.100.2 remote-as 65550
R4(config-router)#neighbor 198.51.100.2 password cisco
R4#show ip bgp summary
R4#show ip bgp neighbors
R4#show ip route bgp
R4#show ip bgp
ISP1(config)#router bgp 65550
ISP1(config-router)#neighbor 198.51.100.1 remote-as 64477
ISP1(config-router)#neighbor 198.51.100.1 password cisco
ISP1(config-router)#neighbor 203.0.113.1 remote-as 64477
ISP1(config-router)#neighbor 203.0.113.1 password cisco
### Also worth setting on an eBGP edge: neighbor ... ttl-security hops 1 (GTSM) and inbound/outbound prefix filters

Mutual Redistribution with BGP, OSPF & EIGRP

BGP path attributes

Characteristics of a BGP route that are advertised with the route (AS_PATH, NEXT_HOP, ORIGIN, LOCAL_PREF, MED, ...)

BGP Best Path Selection

  • Uses both BGP path attributes and locally significant parameters
  • Weight (Cisco-proprietary, never advertised) has the highest precedence

Customer Request:

  • On R1, redistribute connected routes into BGP AS 64477
  • Perform mutual redistribution as follows
    On R1, between BGP AS 64477 and OSPF
    On R4, between BGP AS 64477 and EIGRP 10
R1(config)#router bgp 64477
R1(config-router)#redistribute connected
R1(config-router)#redistribute ospf 1
### by default only OSPF intra/inter-area routes are redistributed into BGP; add "match internal external 1 external 2" if external routes must be included

### BGP into OSPF 1
R1(config)#router ospf 1
R1(config-router)#redistribute bgp 64477 subnets
### "subnets" is required, otherwise only classful networks are redistributed (OSPF seeds BGP-sourced routes with metric 1)
R4(config)#router bgp 64477
R4(config-router)#redistribute eigrp 10

R4(config)#router eigrp 10
R4(config-router)#redistribute bgp 64477 metric 10000 10 255 1 1500
### EIGRP needs a seed metric (bandwidth delay reliability load MTU) or nothing is redistributed
### Mutual redistribution at two points (R1 and R4) can feed routes back into the protocol they came from; tag them with a route-map (set tag / match tag with a deny clause) so each process rejects its own routes

Understanding Best Path Selection

Customer request:

  • Ensure ISP1 selects the path through 198.51.100.1 as its best path to the 1.0.0.0/8 prefix
  • Do not make any changes to ISP1
ISP1#show ip bgp
ISP1#show ip bgp 6.6.6.6
### Check Weight, localpref, AS path, Origin, MED, in that order
### You can influence Origin type by "network x.x.x.x" on next hop (R4) running BGP
  1. Weight
    Cisco-proprietary and locally significant
    Not advertised to other routers
    Highest wins (learned paths default to 0, locally originated paths to 32768); influences this router's outbound traffic
  2. Local Preference
    Well-known discretionary attribute, carried only to iBGP peers within the AS
    Used for setting the preferred exit path out of an AS; highest wins
    Default value is 100
  3. Locally originated
    Paths this router injected itself (network, aggregate-address, redistribute) beat learned paths
  4. Shortest AS path
    The path that traverses the fewest ASes is more preferred (AS-path prepending lengthens a path on purpose)
  5. Origin type
    IGP (i) is preferred over EGP (e), which is preferred over Incomplete (?)
    IGP: prefix was advertised into BGP using the network statement
    Incomplete: prefix was redistributed into BGP
  6. Multi-exit Discriminator (MED)
    Lower is more preferred.
    Only compared between paths received from the same neighbouring AS unless bgp always-compare-med is configured
    When an IGP (EIGRP, OSPF or RIP) is redistributed into BGP, the metric of the IGP becomes the BGP MED.
  7. eBGP paths over iBGP paths
  8. Lowest IGP metric to the BGP next hop
  9. Oldest eBGP path, then lowest BGP router ID

Note*

  • If the BGP next hop for a route is not reachable (no route to it in the IP routing table), the path is not valid and is not installed
  • A RIB failure (flagged "r" in show ip bgp) occurs when a protocol with a lower AD already has that prefix in the IP routing table
  • A route redistributed from an IGP into BGP has the "incomplete" (?) origin type
  • A route advertised using the "network" statement has the IGP (i) origin type
  • In BGP the "network" statement does not enable the protocol on interfaces as it does in EIGRP or OSPF; it injects exactly that prefix, and only if the prefix is already present in the IP routing table
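
The best-path order above is easiest to check with a small model. The following is an added example, not code from the page or from Cisco: a Python comparison that applies the rules in Cisco's order to the page's scenario, where ISP1 sees 1.0.0.0/8 from R1 (origin incomplete, redistributed) and from R4 (origin IGP, network statement). The router IDs 1.1.1.1 / 4.4.4.4, the AS 65001 used in one variant and the helper names are assumptions; next-hop validity and the multipath/oldest-path tie-breakers are left out.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Cisco origin codes: i (IGP, "network" statement) < e (EGP) < ? (incomplete, redistributed)
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...] = ()   # leftmost AS is the neighbouring AS
    origin: str = "incomplete"
    weight: int = 0                 # Cisco-local; 0 for learned, 32768 for local paths
    local_pref: int = 100           # default 100, carried only to iBGP peers
    med: int = 0
    locally_originated: bool = False
    ebgp: bool = True
    igp_metric: int = 0             # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def compare(a: BgpPath, b: BgpPath) -> Tuple[BgpPath, str]:
    """Return (winner, deciding rule) in Cisco's evaluation order.
    Both paths are assumed valid (next hop reachable, no AS-path loop)."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local_pref"
    if a.locally_originated != b.locally_originated:
        return (a if a.locally_originated else b), "locally originated"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "as_path"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only compared between paths from the same neighbouring AS
    # (unless bgp always-compare-med is configured)
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "ebgp over ibgp"
    if a.igp_metric != b.igp_metric:
        return (a if a.igp_metric < b.igp_metric else b), "igp metric"
    return (a if _ip_key(a.router_id) < _ip_key(b.router_id) else b), "router_id"


def best_path(paths: List[BgpPath]) -> Tuple[BgpPath, str]:
    """Fold the candidates pairwise, as the router does against its current best."""
    best, reason = paths[0], "only path"
    for cand in paths[1:]:
        best, reason = compare(best, cand)
    return best, reason


def variant(path: BgpPath, **changes) -> BgpPath:
    """Copy of a path with some attributes changed (e.g. after a route-map set)."""
    return replace(path, **changes)


# ISP1's view of 1.0.0.0/8 from the page: R1 redistributes it (origin ?),
# R4 advertises it with a network statement (origin i). Router IDs are assumed.
R1_PATH = BgpPath("1.0.0.0/8", "203.0.113.1", (64477,), "incomplete", router_id="1.1.1.1")
R4_PATH = BgpPath("1.0.0.0/8", "198.51.100.1", (64477,), "igp", router_id="4.4.4.4")

if __name__ == "__main__":
    for label, paths in [("as seen", [R1_PATH, R4_PATH]),
                         ("R1 weight 100", [variant(R1_PATH, weight=100), R4_PATH])]:
        win, why = best_path(paths)
        print(f"{label}: best via {win.next_hop} ({why})")
```

Run as is it shows R4 winning on origin and, once a weight is applied on ISP1, R1 winning on weight before origin is even looked at; the MED check is deliberately skipped when the two paths come from different neighbouring ASes, which is the default Cisco behaviour the MED step describes.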

Static Routing

When combined with dynamic routing and redistribution, simple static routing can behave in unexpected ways.

Static route components

  • Prefix (IP address, subnet mask)
  • Next hop (Interface, IP address)
  • Administrative distance (Default 1)

Static Route tracking using IP SLA

Customer request:

  • Ensure R4 removes its existing static default route if ISP1 interface IP 198.51.100.2 becomes unreachable
R4#show ip route 0.0.0.0
### Verify the static route

R4#traceroute x.x.x.x
### Confirm the routing loop caused by the static route

### Remove static route when 198.51.100.2 is unreachable
R4(config)#ip sla 1
R4(config-ip-sla)#icmp-echo 198.51.100.2
R4(config-ip-sla-echo)#timeout 5000 ### milliseconds, i.e. 5 seconds ###
R4(config-ip-sla-echo)#frequency 5 ### probe every 5 seconds ###
R4(config-ip-sla-echo)#exit
R4(config)#ip sla schedule 1 life forever start-time now

### setup tracking (Object Tracker)
R4(config)#track 1 ip sla 1 reachability

### Verify tracking (and the probe itself)
R4#show track
R4#show ip sla statistics

### Manually remove the existing default route and recreate it with the track
R4(config)#no ip route 0.0.0.0 0.0.0.0 198.51.100.2
R4(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.2 track 1
### While track 1 is down, show ip route 0.0.0.0 no longer shows this route

Why remove the static route?

  • Allows a backup static route to take effect
    (Floating static route)
  • The probe only checks what it pings: testing the ISP's connected address (198.51.100.2) detects a dead link or router, not loss of upstream connectivity
  • A probe aimed further upstream must have its path pinned to the primary next hop (a host route for the probe target), otherwise it can succeed over the backup path and keep the dead primary route installed

Backup Paths using Floating Static Routes

Floating static Route

  • A route with an administrative distance higher than the primary route
  • AD greater than 1 when the primary is a static route (greater than 90 or 110 when it backs up EIGRP or OSPF)

Customer request:

  • On R4, configure a floating static route that uses R1 interface IP 10.0.14.1 as its default gateway
  • Configure this route with an AD of 4
R4(config)#ip route 0.0.0.0 0.0.0.0 10.0.14.1 4
R4#show ip route 0.0.0.0

### Test: shut down the interface facing ISP1 (primary path) and check the new path
R4(config-if)#shutdown
R4#show ip route 0.0.0.0
R4#traceroute x.x.x.x
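
The IP SLA and floating static procedure above comes down to three RIB rules: a static route is installed only if its next hop resolves, a tracked route is withdrawn when the tracked object goes down, and among installed routes the lowest AD wins per prefix while the longest prefix wins per lookup. The following is an added example, not code from the page or from Cisco: a Python toy RIB for R4 that applies those rules. The interface names (Fa0/0, Fa0/1), the /30 and /24 link prefixes, the extra 5.5.5.5/32 and 172.16.0.0/16 statics and the class/function names are all constructed for the example; next hops resolve against connected prefixes only (no recursion through other statics).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                  # "0.0.0.0/0", "5.5.5.5/32", ...
    next_hop: str                # next-hop IP address
    ad: int = 1                  # administrative distance, default 1
    track: Optional[int] = None  # object-tracker id, as in "ip route ... track 1"


class Rib:
    """Toy IP routing table: connected prefixes (AD 0) plus static candidates."""

    def __init__(self, connected: Dict[str, str], tracks: Dict[int, bool]):
        self.connected = {ipaddress.ip_network(p): i for p, i in connected.items()}
        self.tracks = tracks                 # track id -> reachability from IP SLA
        self.candidates: List[StaticRoute] = []

    def add_static(self, route: StaticRoute) -> None:
        self.candidates.append(route)

    def remove_static(self, route: StaticRoute) -> None:
        self.candidates.remove(route)

    def _outgoing_interface(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net, intf in self.connected.items():
            if addr in net:
                return intf
        return None

    def _eligible(self, r: StaticRoute) -> bool:
        # a tracked route is withdrawn as soon as the tracked object goes down
        if r.track is not None and not self.tracks.get(r.track, False):
            return False
        # an IP-next-hop static is only installed if the next hop resolves
        return self._outgoing_interface(r.next_hop) is not None

    def installed(self) -> Dict[str, StaticRoute]:
        """Per prefix, the eligible static route with the lowest AD
        (this is where the floating static with AD 4 loses to AD 1)."""
        best: Dict[str, StaticRoute] = {}
        for r in self.candidates:
            if not self._eligible(r):
                continue
            cur = best.get(r.prefix)
            if cur is None or r.ad < cur.ad:
                best[r.prefix] = r
        return best

    def lookup(self, dest: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match over connected and installed static routes.
        Returns (prefix, via): an interface name for connected routes,
        a next-hop IP for static routes."""
        addr = ipaddress.ip_address(dest)
        matches: List[Tuple[int, int, str, str]] = []
        for net, intf in self.connected.items():
            if addr in net:
                matches.append((net.prefixlen, 1, str(net), intf))  # 1: connected wins ties
        for prefix, r in self.installed().items():
            net = ipaddress.ip_network(prefix)
            if addr in net:
                matches.append((net.prefixlen, 0, prefix, r.next_hop))
        if not matches:
            return None
        longest = max(matches, key=lambda m: (m[0], m[1]))
        return longest[2], longest[3]


def r4_scenario() -> Rib:
    """R4 as on the page: primary default via ISP1 (AD 1, track 1), floating
    default via R1 (AD 4). Everything else here is constructed sample data."""
    rib = Rib(connected={"198.51.100.0/30": "Fa0/1", "10.0.14.0/24": "Fa0/0"},
              tracks={1: True})
    rib.add_static(StaticRoute("0.0.0.0/0", "198.51.100.2", ad=1, track=1))
    rib.add_static(StaticRoute("0.0.0.0/0", "10.0.14.1", ad=4))
    rib.add_static(StaticRoute("5.5.5.5/32", "10.0.14.1"))      # more specific prefix
    rib.add_static(StaticRoute("172.16.0.0/16", "192.0.2.1"))   # next hop does not resolve
    return rib


if __name__ == "__main__":
    rib = r4_scenario()
    print("track up  :", rib.lookup("8.8.8.8"))
    rib.tracks[1] = False            # IP SLA probe to 198.51.100.2 failed
    print("track down:", rib.lookup("8.8.8.8"))
```

Flipping track 1 is the only change between the two lookups: the AD 1 default disappears, the AD 4 floating static is the best remaining default, and the more specific 5.5.5.5/32 route keeps winning over either default regardless of AD, which is the prefix-vs-AD distinction the notes below make.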

Interface Next Hops

  • Requires layer 3 to layer 2 resolution for every destination
  • On a multi-access link the router sends an ARP request for each destination address and relies on proxy ARP from the next hop
  • Potential for thousands of ARP requests!

IP Address Next Hops

  • One ARP request for the next hop IP address
  • Far less overhead!

Customer request:

  • On R5, configure a static route for the 8.0.0.0/8 prefix using Fa0/0 as the next hop interface and 10.0.56.6 as the next hop IP address
  • Modify the next hop parameters if necessary to achieve IP reachability to 8.8.8.8
  • Do not consult any network diagrams
R5(config)#ip route 8.0.0.0 255.0.0.0 FastEthernet0/0 10.0.56.6
R5#ping 8.8.8.8

### If the ping fails, 10.0.56.6 is not on Fa0/0: the route stays installed as long as Fa0/0 is up, but ARP for the next hop never resolves
R5#show ip route 10.0.56.6
R5#show ip arp 10.0.56.6
### Recreate the route with the interface that actually faces 10.0.56.6 (in this lab the candidates were e0/0 and fa0/0)
R5(config)#no ip route 8.0.0.0 255.0.0.0 FastEthernet0/0 10.0.56.6
R5(config)#ip route 8.0.0.0 255.0.0.0 e0/0 10.0.56.6

Static route Notes*

  • Routing loops are often caused by leftover static routes.
  • A prefix is an IP network and subnet mask pairing.
    e.g. 192.168.0.0/24 is not equal to 192.168.0.0/16
  • Configuring an interface-only next hop on a multi-access interface requires layer 3 to layer 2 resolution of each destination address: the router ARPs for every destination and depends on proxy ARP (the potential for thousands of ARP requests is why this method is not recommended). On a point-to-point link it is fine.
  • When both an interface and an IP address next hop are configured, the router uses that interface and ARPs only for the next hop; the route is installed as long as the interface is up.
  • When only an IP address next hop is configured, the router verifies the next hop's network prefix is in the IP routing table (recursive lookup) before installing the route.
  • A next hop that is in the routing table but actually dead (link up, device down) keeps the route installed; packets are then forwarded into a black hole.
  • The IP SLA feature with object tracking closes that gap by making the static route conditional.

Configuring Path Control for Dynamic Routing Protocol

Why manipulate routing protocol decisions?

  • Cause delay-sensitive traffic (e.g. VoIP) to use a low bandwidth, low delay link
  • OSPF may not choose the best path (OSPF prefers intra-area route over inter-area)

Tricking Routing protocols into using alternate paths

Each protocol has its own idea of "best": EIGRP uses a composite of bandwidth and delay, OSPF uses cumulative interface cost (derived from bandwidth by default).

  • Adding information
    (advertise a summary or default route)
  • Removing information
    (use a distribute list to block an EIGRP advertisement)
    (use a Route-Map and prefix list to prevent certain prefixes from being redistributed)

Customer request:

  • R1 loopback (1.1.1.1) takes the path R2->R3->R4->R5 to 5.5.5.5
  • Modify existing dynamic routing protocols as necessary so that traffic takes the following path
    ISP1 -> R4 -> R3 -> R6 -> R5

### Check current path to 5.5.5.5
R1#traceroute 5.5.5.5 source 1.1.1.1

### Block the OSPF route for 5.5.5.5/32 from being installed in the routing table
### (a distribute-list "in" on OSPF does not filter LSAs, only installation into the RIB)
R1(config)#ip prefix-list PL_5555 permit 5.5.5.5/32
R1(config)#route-map RM_NO5555 deny 10
R1(config-route-map)#match ip address prefix-list PL_5555
R1(config)#route-map RM_NO5555 permit 20
### the permit-all clause is required; a route-map with only a deny entry blocks every OSPF route
R1(config)#router ospf 1
R1(config-router)#distribute-list route-map RM_NO5555 in

### Create static route via ISP1 203.0.113.2
R1(config)#ip route 5.5.5.5 255.255.255.255 203.0.113.2

### Confirm that the path to 5.5.5.5 is changed
R1#traceroute 5.5.5.5 source 1.1.1.1

Manipulate path from R4 to R3 (prevent R4 -> R5)

### Check current path to 5.5.5.5
R4#traceroute 5.5.5.5
R4#show ip route 5.5.5.5

### Check the OSPF type-7 (NSSA external) LSAs for 5.5.5.5: both R4 and R3 originate one and R4's currently wins, so the forwarding has to move to R3
R4#show ip ospf database

### Let the OSPF route learned via R3 win by raising the AD of R4's EIGRP route for this prefix
### Default EIGRP (90) beats OSPF (110), so the EIGRP AD must go above 110

### Raise the EIGRP AD to 111 for 5.5.5.5 learned from 10.0.45.5 (R5), matched by ACL 45
R4(config)#access-list 45 permit 5.5.5.5 0.0.0.0
R4(config)#router eigrp 10
R4(config-router)#distance 111 10.0.45.5 0.0.0.0 45
### distance <AD> <source router> <wildcard> [acl]: the ACL restricts the change to this prefix, every other EIGRP route keeps AD 90

Modifying OSPF Interface Costs

OSPF chooses the path with the lowest cost

  • Higher bandwidth interfaces have a lower cost
  • Interface costs can be configured independent of bandwidth

Customer request:

  • On R1 & R3, configure loopback 31 with the anycast address 31.31.31.31/32
  • Advertise this prefix into OSPF
  • Ensure the path through R1 is preferred
R1(config)#int loopback 31
R1(config-if)#ip address 31.31.31.31 255.255.255.255
R1(config)#router ospf 1
R1(config-router)#network 31.31.31.31 0.0.0.0 area 0

R3(config)#int loopback 31
R3(config-if)#ip address 31.31.31.31 255.255.255.255
R3(config)#router ospf 1
R3(config-router)#network 31.31.31.31 0.0.0.0 area 23
### Check which path R2 currently prefers (the one via area 23 / R3)
R2#show ip route 31.31.31.31
R2#show ip ospf rib 31.31.31.31

### Check the cost of both interfaces (cost is applied on the outbound interface, so lowering R2's interface toward R1 changes R2's choice)
R2#show ip ospf interface brief

### Lower the cost of the interface facing R1
R2(config)#int fa0/0
R2(config-if)#ip ospf cost 1

Manipulating Metrics using Offset Lists

Offset Lists

Provide a way to prefer a particular route while maintaining redundant paths

  • Can be used by EIGRP or RIP
  • Add to or subtract from the route metric

Customer request:

  • R5 is performing equal cost load sharing to the 46.46.46.46/32 prefix
  • Ensure the path to this prefix via R4 is preferred
  • Do not block any route advertisements
  • Do not modify the bandwidth or delay of any interface
  • Do not make any configuration changes on R5 or R4
R6(config)#router eigrp 10

### Influence the metric going towards R5 (from R6 outgoing)
R6(config-router)#offset-list 46 out 46000 fa0/0
R6(config)#access-list 46 permit 46.46.46.46 0.0.0.0

### Verify the Route metric on neighbor R5
R5#show ip route 46.46.46.46
R5#show ip eigrp topology 46.46.46.46/32

Note*

  • Path control may involve tricking routing protocols into choosing alternate paths
  • Methods for manipulating routing protocols include (Route maps, prefix lists, distribute lists, offset-lists, summary routes and interface costs)
  • There are often multiple ways to achieve the same result (master at least two methods per protocol)

Generic Routing Encapsulation (GRE) Tunnels

  • Encapsulates an IPv4 or IPv6 packet inside an IPv4 packet
  • Uses IP protocol 47
  • GRE tunnels are point-to-point

Tunnel Interfaces

  • Shows up in the IP routing table as a connected network
  • Can be configured like a normal physical interface

Customer request:

  • Create a tunnel between R1 & R4 using ISP1 for transport
  • Configure OSPF normal area 14 to run across the tunnel interface
  • The interface must be able to support both IPv4 & IPv6 payloads
R1(config)#interface tunnel 14
R1(config-if)#ip address 14.14.14.1 255.255.255.0
R1(config-if)#tunnel source 203.0.113.1
R1(config-if)#tunnel destination 198.51.100.1 ### R4 address
R1(config-if)#tunnel mode gre ip

R4(config)#interface tunnel 14
R4(config-if)#ip address 14.14.14.4 255.255.255.0
R4(config-if)#tunnel source 198.51.100.1
R4(config-if)#tunnel destination 203.0.113.1
R4(config-if)#tunnel mode gre ip
### Run OSPF area 14 over the tunnel
R1(config)#router ospf 1
R1(config-router)#network 14.14.14.1 0.0.0.0 area 14

R4(config)#router ospf 1
R4(config-router)#network 14.14.14.4 0.0.0.0 area 14

### Verify tunnel
R1#show int tunnel 14
R4#show int tunnel 14

GRE Tunnel Requirements

  • Tunnel source interface or IP address
  • Tunnel destination IP address
  • The destination must be routable through the underlay (here ISP1); the tunnel line protocol goes down otherwise
  • GRE itself has no confidentiality or authentication; the optional tunnel key only demultiplexes tunnels. Pair it with IPsec (tunnel protection ipsec profile ...) when the transport is untrusted

GRE Tunnels don't scale

  • Point-to-point tunnels need a full mesh of n(n-1)/2 interfaces: five routers require ten tunnels!

Dynamic Multipoint VPN (DMVPN)

  • An NBMA hub-and-spoke overlay, conceptually similar to a Frame Relay cloud, with dynamic spoke-to-spoke tunnels
  • Multipoint GRE (mGRE)
  • Next Hop Resolution Protocol (NHRP)
  • IPsec

Multipoint GRE (mGRE)

  • mGRE tunnels do not specify a destination IP address
  • The destination is set dynamically

Next Hop Resolution Protocol (NHRP)

  • Maps a tunnel IP address to an interface IP address
  • Provides layer 3 to layer 3 resolution

Example R2 (Tunnel interface: 192.168.246.2, physical/NBMA interface: 10.0.24.2)

Example R4 (Tunnel interface: 192.168.246.4, physical/NBMA interface: unknown)

### Configuring an NHRP mapping: the peer's tunnel IP -> that peer's physical (NBMA) IP
### With R2's addresses known, another member (here R4, assuming R2 is its hub) maps R2 statically
R4(config-if)#ip nhrp map 192.168.246.2 10.0.24.2
R4(config-if)#ip nhrp nhs 192.168.246.2
### A mapping for R4 on R2 would need R4's physical address, which is not known here

Next Hop Server (NHS) example

  • Spokes register their tunnel-to-NBMA mapping with the NHS, which answers resolution requests; a spoke only needs a static mapping for the hub instead of one per peer

IPsec

  • Provides encryption and integrity for mGRE tunnels (tunnel protection ipsec profile ...)
  • Without it NHRP registrations and the tunnelled traffic cross the transport network in the clear; ip nhrp authentication is a cleartext string, not a security control

Customer request:

  • A dynamic multipoint VPN has been configured among R2, R4 & R6
  • The DMVPN subnet is 192.168.246.0/24
  • Determine which router is the hub and which are the spokes
  • Determine whether the mGRE tunnels are secure
R2#show dmvpn
### The header reports Type:Hub or Type:Spoke; a hub lists the other members with Attrb D (learned through NHRP registration), a spoke lists the hub with Attrb S (static mapping)
R2#show ip nhrp
R2#show crypto ipsec sa
R2#show crypto isakmp sa
### No IPsec SAs (or no "tunnel protection" on the tunnel interface) means the mGRE tunnels are not secure

Virtual Routing and Forwarding (VRF) Lite

  • Virtual IP routing table
  • Virtual IP forwarding table
  • Member interfaces or sub-interfaces
  • Simply put it’s like a virtual router inside a physical router

Virtual Routing and Forwarding

  • Isolated from the global IP routing and forwarding tables
  • Useful for isolating networks without having additional routers

VRF vs. VLAN

  • VLAN. Isolates broadcast domains
  • VRF. Isolates layer 3 routing domains

Customer request:

  • On R4 & R1, create a VRF named “test” and add the Tunnel14 interface to it
  • Configure EIGRP AS 10 to run over the existing Tunnel14 interface
R4(config)#ip vrf test
R4#show ip vrf
R4(config)#int tunnel 14
R4(config-if)#ip vrf forwarding test
% Interface Tunnel14 IPv4 disabled and address(es) removed due to enabling VRF test
### moving an interface into a VRF strips its IP address; re-add it
R4(config-if)#ip address 14.14.14.4 255.255.255.0
### the tunnel source/destination (198.51.100.1 / 203.0.113.1) are still looked up in the global table unless "tunnel vrf" is set; only the tunnel's inside prefix moved into VRF test
### VRF-aware EIGRP 10
R4(config)#router eigrp 10
R4(config-router)#address-family ipv4 vrf test autonomous-system 10
R4(config-router-af)#network 0.0.0.0
### confirm the 14.14.14.0/24 prefix is gone from the global table and present only in VRF test
R4#show ip route
R4#show ip route vrf test
### Ping fails from the global table because the source address now lives in the VRF
R4#ping 14.14.14.1 source 14.14.14.4
% Invalid source address - IP address not on any of our up interfaces
### Must specify the VRF
R4#ping vrf test 14.14.14.1 source 14.14.14.4

Configure VRF too on R1

R1(config)#ip vrf test
R1(config)#int tunnel 14
R1(config-if)#ip vrf forwarding test
R1(config-if)#ip address 14.14.14.1 255.255.255.0
R1(config)#router eigrp 10
R1(config-router)#address-family ipv4 vrf test autonomous-system 10
R1(config-router-af)#network 0.0.0.0
### EIGRP interface also independent
R1#show ip eigrp interfaces

### Check EIGRP VRF interface
R1#show ip eigrp vrf test interfaces
R1#show ip eigrp vrf test neighbors
R1#show ip eigrp vrf test topology

Put loopback interface into VRF

R1(config)#int loopback 14
R1(config-if)#ip vrf forwarding test
R1(config-if)#ip address 14.0.0.1 255.255.255.255

### Check from neighbor 
R4#show ip route vrf test
R4#show ip cef vrf test

Cisco Easy Virtual Network (EVN)

Multi-VRF Configuration

R1(config)#vrf definition yellow
R1(config-vrf)#vnet tag 1001
R1(config-vrf)#address-family ipv4

### Locate interface facing R8 and enable vnet trunk
R1(config-vrf-af)#do show cdp neighbor
R1(config-vrf-af)#int fa1/0
R1(config-if)#vnet trunk

### Check and confirm the sub interface yellow
R1#show vnet

Cisco EVN & VRFs

  • EVN still uses VRFs
  • Just like multi-VRF, EVN uses separate IP routing and forwarding tables and interfaces

Differences between EVN & manual multi-VRF setup

  • VNET tag
  • Automatic configuration of subinterfaces
  • Automatic 802.1q trunk configuration

Note*

  • GRE provides a virtual point-to-point tunnel that can carry IPv4 or IPv6 traffic (no encryption or authentication on its own)
  • GRE uses IP protocol 47
  • Multipoint GRE (mGRE) tunnels are point-to-multipoint and do not have a static destination endpoint
  • DMVPN can consolidate multiple point-to-point connections into a single NBMA network, secured with IPsec
  • Must know how to set up DMVPN
  • A VRF provides isolated IP routing and forwarding tables (isolate layer 3 routing domains)
  • VRFs can be used to isolate traffic on shared network infrastructure
  • Cisco EVN simplifies the configuration of a multi-VRF topology

Policy Based Routing (PBR)

  • Explicitly sets the outgoing interface and next hop
  • Can make forwarding decisions on something other than the destination prefix

Why use Policy Based Routing (PBR)

  • Send traffic from an important server across high bandwidth link
  • Forward traffic based on the destination protocol and port

Customer request:

  • R1 loopback0 (1.1.1.1) takes the path (ISP1 -> R4 -> R3 -> R5) to 5.5.5.5
  • Configure R3 to forward any traffic from R4 to R2
### Create route-map
R3(config)#route-map RM_GOTOR2 permit 10
R3(config-route-map)#set ip next-hop 10.0.23.2
R3(config-route-map)#set interface OutgoingInterfaceX/X
%Warning:Use P2P interface for routemap setinterface clause
### Apply route-map
R3(config-route-map)#int fa0/0
R3(config-if)#ip policy route-map RM_GOTOR2

### Verify ip policy
R3#show ip policy

Configuring Policy Based Routing

Must know how to configure while you are asleep!

### STEP1. Create route map
R3(config)#route-map RM_GOTOR2 permit 10

### STEP2. Set next hop (must be reachable or else fall back to normal routing)
R3(config-route-map)#set ip next-hop 10.0.23.2

### STEP3. Set outgoing interface
R3(config-route-map)#set int fa0/1

### STEP4. Apply route-map on the incoming interface
R3(config-route-map)#int fa0/0
R3(config-if)#ip policy route-map RM_GOTOR2

Customer Request

  • On R7 configure and advertise the following loopbacks into OSPF area 27
    Loopback1 7.0.0.1/32
    Loopback2 7.0.0.2/32
  • Configure routing on R2 as follows.
    If a packet from 7.0.0.1 is received, forward it to R1
    If a packet from 7.0.0.2 is received, forward it to R3

R7(config)#router ospf 7
R7(config-router)#network 10.0.27.0 0.0.0.15 area 27
R7(config-router)#network 7.0.0.0 0.0.0.255 area 27

R2(config)#route-map RM_SEVEN permit 10
R2(config-route-map)#match ip address 71
R2(config-route-map)#set ip next-hop 10.0.12.1
R2(config)#route-map RM_SEVEN permit 20
R2(config-route-map)#match ip address 72
R2(config-route-map)#set ip next-hop 10.0.23.3

R2(config)#access-list 71 permit 7.0.0.1 0.0.0.0
R2(config)#access-list 72 permit 7.0.0.2 0.0.0.0

### Apply to incoming interface
R2(config)#int fa1/0
R2(config-if)#ip policy route-map RM_SEVEN
### Test and confirm
R7#traceroute 8.8.8.8 source 7.0.0.1
R7#traceroute 8.8.8.8 source 7.0.0.2

R7#ping 8.8.8.8 source 7.0.0.1 repeat 1000000
R2#show route-map

PBR (Matching Protocols and Ports)

Example with TCP

### STEP1. Create route-map
R7(config)#route-map RM_TCP permit 10

### STEP2. Match
R7(config-route-map)#match ip address 101

### STEP3. Set next hop
R7(config-route-map)#set ip next-hop 9.9.9.9

### Complete access-list
R7(config)#access-list 101 permit tcp any any

Example with Telnet

### STEP 1 (create route-map)
R7(config)#route-map RM_TCP23 permit 10

### STEP 2 (Match)
R7(config-route-map)#match ip address 101

### STEP 3 (Set next hop)
R7(config-route-map)#set ip next-hop 9.9.9.9

### STEP 4 (create access-list to complete the route-map)
R7(config)#access-list 101 permit tcp any any eq telnet

Note*

  • Policy Based Routing (PBR) takes precedence over routing protocols, administrative distance, and static routes for the packets it matches
  • If the next hop is not reachable, the router falls back to destination-based routing (set ip default next-hop reverses this: normal routing first, the policy only when no route exists)
  • An outgoing interface can be set instead of or in addition to a next hop IP
  • PBR route maps are applied on the inbound interface; locally generated traffic is only policy-routed with ip local policy route-map
  • Verify with show route-map (per-clause match counters) and show ip policy; a clause with zero matches points at the ACL, not the set
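
The PBR behaviour summarised above (inbound interface, sequence-ordered clauses, ACL match including protocol and port, fallback to destination routing on a deny clause or a dead next hop, per-clause hit counters) is small enough to model end to end. The following is an added example, not code from the page or from Cisco: a Python evaluator configured with the page's R2 policy (RM_SEVEN on Fa1/0, ACLs 71 and 72) plus the telnet route-map from the ports section. The second policy interface Fa0/1, the destination-based result 10.0.24.4 (R4) and the class and function names are constructed for the example; an ACL that is not defined is treated as matching nothing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp
    in_intf: str = ""            # interface the packet arrived on


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or a prefix such as "7.0.0.1/32"
    dst: str = "any"
    dport: Optional[int] = None  # "eq <port>" on the destination


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; implicit deny at the end, as on IOS."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_in(pkt.src, e.src) and _in(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str                  # "permit" applies the set; "deny" means normal routing
    match_acl: Optional[str]     # None matches every packet
    next_hop: Optional[str] = None
    hits: int = 0                # the counter "show route-map" reports


class Router:
    def __init__(self, acls: Dict[str, List[AclEntry]], route_maps: Dict[str, List[Clause]],
                 policy: Dict[str, str], reachable: Set[str], default_via: str):
        self.acls = acls                  # ACL number/name -> entries
        self.route_maps = route_maps      # route-map name -> clauses
        self.policy = policy              # inbound interface -> "ip policy route-map" name
        self.reachable = set(reachable)   # next hops currently resolvable in the RIB
        self.default_via = default_via    # what destination-based routing would choose

    def forward(self, pkt: Packet) -> str:
        """Next hop for a transit packet: the clause's set ip next-hop when a permit
        clause matches and the hop is reachable, otherwise normal routing."""
        rm = self.policy.get(pkt.in_intf)
        if rm is None:
            return self.default_via       # no ip policy on this interface
        for clause in sorted(self.route_maps[rm], key=lambda c: c.seq):
            if clause.match_acl is not None:
                if not acl_permits(self.acls.get(clause.match_acl, []), pkt):
                    continue
            clause.hits += 1
            if clause.action == "deny" or clause.next_hop not in self.reachable:
                return self.default_via   # deny clause or dead next hop: fall back
            return clause.next_hop
        return self.default_via           # no clause matched: normal routing


def r2_scenario() -> Router:
    """R2 as on the page: RM_SEVEN on Fa1/0 sends 7.0.0.1 to R1 (10.0.12.1) and
    7.0.0.2 to R3 (10.0.23.3). RM_TCP23 on Fa0/1 and the default 10.0.24.4 are
    constructed for this example; 9.9.9.9 is deliberately unreachable at first."""
    acls = {
        "71": [AclEntry("permit", "ip", "7.0.0.1/32")],
        "72": [AclEntry("permit", "ip", "7.0.0.2/32")],
        "101": [AclEntry("permit", "tcp", "any", "any", dport=23)],
    }
    route_maps = {
        "RM_SEVEN": [Clause(10, "permit", "71", "10.0.12.1"),
                     Clause(20, "permit", "72", "10.0.23.3")],
        "RM_TCP23": [Clause(10, "permit", "101", "9.9.9.9")],
    }
    return Router(acls, route_maps,
                  policy={"Fa1/0": "RM_SEVEN", "Fa0/1": "RM_TCP23"},
                  reachable={"10.0.12.1", "10.0.23.3"},
                  default_via="10.0.24.4")
```

The security-relevant property is the silent fallback: a packet that matches a clause whose next hop is down still increments that clause's counter but leaves the router on the normal path, so a policy that "looks applied" in show route-map can be doing nothing, and a packet arriving on an interface without ip policy is never examined at all.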

Summary

  • Path control is about influencing packet forwarding decisions on a per-hop-basis
  • BGP allows separate ASes to share routes regardless of IGP
  • Must know BGP session states and how to configure eBGP peerings
  • Must know how to configure and use IP SLA with static routes
  • Must know how to configure distribute and offset lists and modify interface costs and AD
  • Must know how to configure GRE and mGRE tunnels and understand DMVPN & Cisco EVN