Escolar Documentos
Profissional Documentos
Cultura Documentos
routing PBR
Posted on February 6, 2012
1. Basic ACL (number ranges from 2000 to 2999) classifies packets based on a source
address
2. Advanced ACL (number ranges from 3000 to 3999) source address, destination
address, source port number, destination port number, and protocol type
3. Interface-based ACL (number ranges from 1000 to 1999) classifies packets based on
the interface from which the packets are received
4. Ethernet Frame Header ACL (number ranges from 4000 to 4099) classifies packets
based on source and destination MAC addresses
5. User ACL (number ranges from 6000 to 9999) classifies packets based on user groups.
The rules order depends on rule ID and rule matching order. There are two matching orders:
Configuration order ACL rules are matched based on their configuration order.
Rules IDs can be configured by user or generated by system automatically according
to ACL step. By default the system generates 5 as the first rule ID. So the next rule ID
will be 10, 15 and so on. Anytime you can configure rule ID manually, for example
rule 1 and this rule will be placed before 5. You do not have to delete the whole ACL.
Each time you can delete a specific rule without deleting the whole ACL.
Automatic order the most precise rule is taking as the first. This is implemented
through the comparison of wildcard masks. The system assigns rule IDs automatically.
Actually an ACL is used to classify packets. It is not used itself for packets filtering, but we
can use it with conjunction with some other functions, such as policy-based routing, firewall
and in traffic classification to filter packets.
A simple example of using ACL is to limit incoming calls for VTY user interfaces:
user-interface vty 0 4
acl 2500 inbound
What we have to do is to force router CX_1 to choose interface G7/5/0 and next hop 10.0.2.2
to forward traffic from source IP 5.5.5.5 to destination IP 15.15.15.15. Rest of traffic should
go through interface G7/5/7.
Please use OSPF protocol to ensure communication in tested network. Lets take
CX_1 as an example:
Increase OSPF cost of one of the links between CX_1 and CX_2 to exclude load-
load
balancing:
interface GigabitEthernet7/5/0
ospf cost 100
Display routing-table
table of AR29 to check if all necessary subnets are available through
th
OSPF (display
display ip routing-table).
routing
interface GigabitEthernet7/5/5
traffic-policy labnario inbound
Lets check now what the result of such traffic policy is. On AR29 router we can use
tracert command to check how traffic is going to 15.15.15.15.
As we can see traffic policy is working correctly choosing 10.0.2.2 as the IP next hop.
tracert 15.15.15.15
traceroute to 15.15.15.15(15.15.15.15), max hops: 30, packet length: 40,
press CTRL_C to break
1 10.0.0.1 3 ms 1 ms 1 ms
2 10.0.1.2 3 ms 2 ms 2 ms
We can see that policy-based routing is working properly for traffic classified in ACL 3000.
Rest of traffic is choosing a route based on IP routing table.
We can also check statistics for this traffic policy. We can use ping for such purposes.
Use ping from AR29 and check statistics on CX_1:
You can also configure policy-based routing in MPLS L3VPN to allow some IP traffic (based
on ACL) from one VPN to be redirected to another VPN. Maybe I will show you such
configuration in the future.
Any questions or comments are welcome.