CCNP Route Notes Path Control
In general, link redundancy is a good thing, but it can also lead to some network problems. You might want to manually control the route taken by some or all of your traffic to provide a predictable and deterministic traffic flow. Path control can prevent suboptimal routing, ensure path availability, provide optimized performance for specific applications, and provide load sharing among various paths.
A good path control strategy understands that traffic is bidirectional and considers both inbound and outbound traffic. Asymmetric routing—where traffic exits via one link and enters via another—is not inherently bad. But you might need to minimize it when using stateful devices such as firewalls, or with sensitive applications such as voice. A good routing plan requires a good design. Design IP addresses that can be summarized and use redistribution and passive interfaces appropriately.
The previous chapter covered several ways to influence paths: route maps, prefix lists, distribute lists, administrative distance, and route tags. This chapter covers some others: Offset-lists, IP SLA, Policy-based Routing (PBR), Optimized Edge Routing, and Virtual Routing and Forwarding (VRF).
Using Offset-lists
An offset-list is a way to increase the metric of routes. You might do this to cause a router to choose what it would normally consider a less desirable path, or to load balance over paths that would normally have unequal methods. The command uses an access list, so you can also use this command to send a subset of traffic over a different path. Historically, offset-lists were used with RIP because it only looked at hop count, and thus might choose a slow path that had a lower hop count than a fast path. Only RIP and EIGRP support offset-lists.
Configure an offset-list with the command offset-list { access-list-number | access-list-name} { in | out} offset [interfacetype interface-number]. This command is given in router configuration mode. The offset amount is added to the hop count in RIP and is added to the delay value in EIGRP. Be careful when changing an EIGRP metric value and test thoroughly. The following example shows a delay value of 2000 added to the EIGRP metric of the two routes permitted in access list Offset, when they are advertised in interface FastEthernet 0/0.
R1(config)# ip access-list standard Offset R1(config-std-nacl)# permit 172.31.1.0 0.0.0.255 R1(config-std-nacl)# permit 172.16.1.0 0.0.0.255 ! R1(config)# router eigrp 100 R1(config-router)# offset-list Offset in 2000 fa0/0
You can configure more than one offset-list. If you specify an interface, the offset-list is considered an extended offset-list
and has precedence over a normal offset-list.
Using IOS IP SLA
IP SLA is a feature that enables a Cisco router or switch to simulate specific types of traffic and send it either to an IP address or to a receiver, called a “responder.” IP SLA probes can simulate various types of traffic, such as HTTP, FTP, DHCP, UDP jitter, UDP echo, HTTP, TCP connect, ICMP echo, ICMP path echo, ICMP path jitter, and DNS, and can report statistics such as path jitter. It has highly granular application configuration options such as TCP/UDP port numbers, TOS byte, and IP prefix bits. With IP SLA you can measure network performance and host reachability. This is useful for path control because it enables you to switch to a backup path if network performance on the primary path degrades, or if a link failure occurs someplace in the primary path.
To use IP SLA for path control, you must
- Create a monitor session on the probe source device.
- Define the probe by specifying traffic type, destination IP address, and any other desired variables such as DSCP value.
- Schedule the probe beginning and ending times.
- Define a tracking object that is linked to the monitor session.
- Link the tracking object to a static route.
The destination can be any trusted device that responds to the traffic you send. To use IP SLA for bringing up a backup link, choose a destination that will reflect problems in the ISP’s network. One benefit of using a Cisco device as the responder is that it can add time stamps to help measure latency and jitter. These time stamps take into account the device processing time so that the measurement reflects only network latency. The configuration of a Cisco responder is simple.
Use the global command ip sla responder.
Figure 5-1 shows a network with two connections to the Internet, one primary and one backup. The edge router has a static default route pointing to each provider.
FIGURE 5-1 Using IP SLA for Path Control
In the following example, router R1 is configured to conditionally announce a default route based on the IP SLA probe response. Two IP SLA monitor sessions are configured to send a ping every 10 seconds to a DNS server within each ISP’s network. A separate tracking object tracks reachability to each server. The two default route statements tell the router to give the primary route an administrative distance of 2 if the tracked object is reachable. The backup route is assigned an administrative distance of 3 if its tracked object is reachable.
R1(config)# ip sla 1 R1(config-ip-sla)# icmp-echo 10.1.1.50 R1(config-ip-sla-echo)# frequency 10 ! R1(config)# ip sla 2 R1(config-ip-sla)# icmp-echo 171.22.2.52 R1(config-ip-sla-echo)# frequency 10 ! R1(config)# ip sla schedule 1 life forever start-time now R1(config)# ip sla schedule 2 life forever start-time now ! R1(config)# track 1 ip sla 1 reachability R1(config)# track 2 ip sla 2 reachability ! !Primary route R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 2 track 1 !Backup route R1(config)# ip route 0.0.0.0 0.0.0.0 172.22.2.2 3 track 2
Under normal circumstances, the default route with an AD of 2 would be installed in the IP routing table instead of the one with an AD of 3. But when the primary DNS server is not reachable, the primary route is withdrawn, and the backup route with an AD of 3 is installed in the routing table.
Additionally, you can combine IP SLA tracking with policy-based routing to provide redundancy for specific traffic types on a per-interface basis. For instance, after an access list permitting the interesting traffic is specified, a route-map such as the following can be configured. In the example route-map, x.x.x.x and y.y.y.y represent different next hops to send the traffic specified in ACL 101. The track 1 and track 2 keywords tie the configuration back to the SLA groups configured in the previous example. You then apply the policy map under the incoming interfaces just as with normal policy routing.
route-map REDUNDANT permit 10 match ip address 101 set ip next-hop verify-availability x.x.x.x 10 track 1 set ip next hop verify-availability y.y.y.y 20 track 2 ! interface FastEthernet0/1 description LAN Interface ip policy route-map REDUNDANT
Policy-Based Routing
Normal IP routing chooses a path based on the destination IP address. Policy-based routing (PBR) lets you route traffic based on other variables. It uses a route-map to match traffic and then sets either a next-hop address or an exit interface. It can also mark the traffic that it policy routes. Any traffic not matched in the route-map is routed normally. Policy-based routing can be applied both to traffic entering the router and to traffic originated by the router.
Some benefits of policy routing include
- Ability to route based on traffic source, and other attributes
- Ability to set QoS markings
- Ability to force load sharing between unequal paths
- Ability to allocate traffic among multiple paths based on traffic attributes
Use the following steps to configure policy-based routing:
- Configure a route-map that matches the desired traffic and uses the set command to define the actions for that traffic.
- Optionally enable fast-switched PBR. CEF-switched PBR is enabled automatically whenever CEF is enabled.
- Apply the route map either to an incoming interface or to traffic generated by the router.
- Verify the configuration.
Some typical attributes to match in the route map include source or destination address with an access list and packet length. If no match criteria are specified, all packets are considered a match.
You can choose to set IP precedence, but the most typical setting determines how the traffic leaves the router. There are
four ways to do this. If there are multiple set statements, the router evaluates them in this order:
- . set ip next-hop ip-address: When this command is given, the router checks to see if the next-hop address is reachable. If so, it forwards the traffic toward that address. If not, it uses the routing table.
- . set interface interface-type interface-number: Multiple interfaces can be listed. When this command is given, the router checks that it has an explicit route for the destination network in its routing table before forwarding the traffic out the specified interface. If it does not, this command is ignored. A default route is not considered an explicit route. Listing multiple interfaces under the set command allows for redundancy if the first interface fails or goes down. The router uses the first active interface listed.
- . set ip default next-hop ip-address: If the routing table contains an explicit route for the destination network, that
route is used and this command is ignored. If no explicit route exists, this command is executed. A default route is not considered an explicit route. - . set default interface interface-type interface-number: If the routing table contains an explicit route for the destination network, that route is used and this command is ignored. If no explicit route exists, traffic is forwarded out the specified interface. A default route is not considered an explicit route.
To apply the PBR route-map to an interface, use the interface command ip policy route-map name. To apply PBR to packets originated by the router itself, use the global command ip local policy route-map name. The following example shows a PBR route map that matches traffic in access list 101, and policy routes it to a next hop of 10.1.1.1. The policy is applied to interface fa0/0, so all traffic entering that interface is evaluated against the route-map. Packets not permitted by access list 101 are routed normally (destination routed.)
route-map Policy permit 10 match ip address 101 set ip next hop 10.1.1.1 ! interface FastEthernet0/0 ip policy route-map Policy
PBR can also use IP SLA tracking, described previously in the IP SLA section. Verify your configuration with the commands show ip policy and show route-map { name}.
OER and VRF
With OER, Border Routers monitor WAN performance and report the information to a Master Controller router. If WAN performance falls within configured ranges, no change is made to the default routing. If performance begins to degrade for a specific link or network, the Controller notifies its Border Routers to reroute traffic, perhaps by adding a static route or changing routing protocol parameters.
VRFs are a way to segment traffic. You might think of them as Layer 3 VLANs. Just as VLANs create virtual switches with segregated CAM tables, VRFs create virtual routers with segregated routing tables. This lets you separate guest traffic from employee traffic, for instance. Traffic for different VRFs can be routed over different paths.
More Resources
- CCNP Route Notes
- CCNP Route Lab Manual with Solutions
- CCNP Security VPN FAQ
- CCNP Secure IPS FAQ
- CCNP Switch FAQ
- CCNP Switch Lab Manual with Solutions
- CCNA Security Lab Manual With Solutions
- CCNA Security FAQ
- 210-451 CCNA Cloud CLDFND FAQ
- Cisco Network Mgmt Protocol FAQ
- Network Security FAQ
- CCDA FAQ
- CCNA Cloud FAQ
- CCNA RSE Lab