Skip to main content

Cisco CCNP / BSCI Exam Tutorial: Introduction To Policy Routing

by: Chris Bryant, CCIE #12933

Policy routing is a major topic on your BSCI exam, and you'll find quite a bit of policy routing going on in today's production networks. But what exactly is policy routing?

Policy-based routing, generally referred to as "policy routing", is the use of route maps to determine the path a packet will take to get to its final destination. As you progress through your CCNP studies and go on to the CCIE (or to a Cisco Quality Of Service certification), you'll find that traffic can be "marked" by policy routing in order to give different levels of service to various classes of traffic. (This is done by marking the traffic and placing the different classes of traffic in different queues in the router, allowing the administrator to give some traffic higher priority for transmission.)

There are some basic policy routing rules you should know:

Policy routing doesn't affect the destination of the packet, but does affect the path that is taken to get there.

Policy routing can forward traffic based on the source IP address or the destination IP address (with the use of an extended ACL).

Policy routing can be configured at the interface level, or globally.

Applying policy routing on an interface affects only packets arriving on that interface:

R2(config)#int s0

R2(config-if)#ip policy route-map CHANGE_NEXT_HOP

Applying the policy globally applies the route map to packets generated on the router, not on all packets received on all interfaces.

Whether you're running policy routing at the interface level, on packets created locally, or both, always run the command show ip policy to make sure you've got the right route maps on the proper interfaces.

R2#show ip policy

Interface Route map

local CHANGE_NEXT_HOP

Serial0 CHANGE_NEXT_HOP

And here's the big rule to remember....

If a packet doesn't match any of the specific criteria in a route map, or does match a line that has an explicit deny statement, the data is sent to the routing process and will be processed normally. If you don't want to route packets that do not meet any route map criteria, the set command must be used to send those packets to the null0 interface. This set command should be the final set command in the route map.

There are four possibilities for an incoming packet when route maps are in use. The following example illustrates all of them.

R2(config)#access-list 29 permit host 20.1.1.1

R2(config)#access-list 30 permit host 20.2.2.2

R2(config)#access-list 31 permit host 20.3.3.3

R2(config)#access-list 32 permit host 20.4.4.4

R2(config)#route-map EXAMPLE permit 10

R2(config-route-map)#match ip address 29

R2(config-route-map)#set ip next-hop 40.1.1.1

R2(config-route-map)#route-map EXAMPLE permit 20

R2(config-route-map)#match ip address 30

Assuming the route map has been applied to the router's ethernet0 interface, a packet sourced from 20.1.1.1 would meet the first line of the route map and have its next-hop IP address set to 40.1.1.1.

A packet sourced from 20.2.2.2 would match the next permit statement (sequence number 20). Since there is no action listed, this packet would return to the routing engine to undergo the normal routing procedure. All traffic that did not match these two addresses would also be routed normally - there would be no action taken by the route map.

Perhaps we want to specifically block traffic sourced from 20.3.3.3 or 20.4.4.4. We can use multiple match statements in one single route map, and have packets matching those two addresses sent to the bit bucket - the interface null0.

R2(config)#route-map EXAMPLE permit 30

R2(config-route-map)#match ip address 31

R2(config-route-map)#match ip address 32

R2(config-route-map)#set ?

as-path Prepend string for a BGP AS-path attribute

automatic-tag Automatically compute TAG value

comm-list set BGP community list (for deletion)

community BGP community attribute

dampening Set BGP route flap dampening parameters

default Set default information

extcommunity BGP extended community attribute

interface Output interface

ip IP specific information

level Where to import route

local-preference BGP local preference path attribute

metric Metric value for destination routing protocol

metric-type Type of metric for destination routing protocol

origin BGP origin code

tag Tag value for destination routing protocol

weight BGP weight for routing table

R2(config-route-map)#set interface null0

Any traffic matching ACLs 31 or 32 will be sent to null0, resulting in its being discarded by the router. Any traffic that didn't match any of the route map statements will be returned to the routing engine for normal processing.

Knowing policy routing and how to apply it are essential skills for passing the BSCI exam, earning your CCNP, and becoming more valuable in today's job market. Get some hands-on practice in a CCNA / CCNP home lab or rack rental to go along with learning the theory, and you'll be writing and applying policy routing in no time at all.

About The Author

Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage (www.thebryantadvantage.com), home of free CCNP and CCNA tutorials! For my FREE "How To Pass The CCNA" or "CCNP" ebook, visit the website and download your copies. Pass your CCNP exam with The Bryant Advantage!

Comments

Popular posts from this blog

How to Hack a Website in Four Easy Steps

Every wondered how Anonymous and other hacktivists manage to steal the data or crash the servers of websites belonging to some of the world biggest organisations? Thanks to freely available online tools, hacking is no long the  preserve of geeks , so we've decided to show you how easy it is to do, in just four easy steps. Step 1: Identify your target While  Anonymous  and other online hacktivists may choose their targets in order to protest against perceived wrong-doing, for a beginner wanting to get the taste of success with their first hack, the best thing to do is to identify a any website which has a vulnerability. Recently a hacker posted a list of 5,000 websites online which were vulnerable to attack. How did he/she identify these websites? Well, the key to creating a list of websites which are likely to be more open to attack, is to carry out a search for what is called a Google Dork. Google Dorking , also known as Google Hacking, enables yo...

How to Hack Facebook Password in 5 Ways

Check out the following post from  fonelovetz blog  on facebook account hacking. This is one of the most popular questions which I'm asked via my email.And today I'm going to solve this problem one it for all.Even though i have already written a few ways of hacking a facebook password.Looks like i got to tidy up the the stuff here.The first thing i want to tell is.You can not hack or crack a facebook password by a click of a button.That's totally impossible and if you find such tools on the internet then please don't waste your time by looking at them! They are all fake.Ok now let me tell you how to hack a facebook account. I'll be telling you 5 of the basic ways in which a beginner hacker would hack.They are: 1.Social Engineering 2.Keylogging 3.Reverting Password / Password Recovery Through Primary Email 4.Facebook Phishing Page/ Softwares 5.Stealers/RATS/Trojans I'll explain each of these one by one in brief.If you want to know more about them just ...

How to Hack Someone's Cell Phone to Steal Their Pictures

Do you ever wonder how all these celebrities continue to have their private photos spread all over the internet? While celebrities' phones and computers are forever vulnerable to attacks, the common folk must also be wary. No matter how careful you think you were went you sent those "candid" photos to your ex, with a little effort and access to public information, your pictures can be snagged, too. Here's how. Cloud Storage Apple's iCloud service provides a hassle free way to store and transfer photos and other media across multiple devices. While the commercial exemplifies the G-rated community of iPhone users, there are a bunch of non-soccer moms that use their iPhones in a more..."free spirited" mindset. With Photo Stream enabled (requires OS X Lion or later, iOS 5 or later), pictures taken on your iPhone go to directly to your computer and/or tablet, all while being stored in the cloud. If you think the cloud is safe, just ask Gizmodo ...

How to Hack Samsung Phone Screen Lock

I have discovered  another  security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing. Video . Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to  dial any phone number and run any app ! HOWTO From the lock screen, hit the emergency call button. Dial a non-existent emergency services number - e.g. 0. Press the green dial icon. Dismiss the error message. Press the phone's back button. The app's screen will be briefly displayed. This is just about long enough to interact with the app. Using this, you can run and interact with any app / widget / settings menu. You can also use this to launch the dialler. From there, you can dial any phone...