CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide (2015)

Part III. Troubleshooting Router Features

Chapter 16. Troubleshooting Route Maps and Policy-Based Routing

This chapter covers the following topics:

Troubleshooting Route Maps: This section explains how to read route maps and how they operate so that you can determine whether they are the issue while troubleshooting other features that have them applied.

Troubleshooting Policy-Based Routing: In this section, you learn the different reasons that could cause PBR not to operate as expected. You will also learn the commands that are needed to successfully troubleshoot issues related to PBR.

Policy-Based Routing Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

There are many different uses for route maps. So much so that when I hear the word route map, I think of duct tape. That’s right; I said it, duct tape! Just like duct tape, route maps can fix anything. Therefore, when you need to fix routing problems by using policy-based routing (PBR), or manipulate the attributes of individual routes as they are being redistributed or learned via Border Gateway Protocol (BGP), you will use route maps.

This chapter begins by examining route maps. It gives you the opportunity to review how route maps are read and the commands that you can use to verify a route map’s configuration. The rest of the chapter is dedicated to PBR, which allows you to override the router’s default routing behavior. Because PBR relies on route maps, it makes sense to cover PBR at this point. Therefore, you will discover what could cause PBR not to behave as expected and how you can troubleshoot it.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 16-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 16-1 “Do I Know This Already?” Section-to-Question Mapping


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. What is the correct order of processing for a route map?

a. Top-down processing, implicit deny all at the end, immediate execution upon a match

b. Top-down processing, immediate execution upon a match, implicit deny all at the end

c. Immediate execution upon a match, implicit deny all at the end, top-down processing

d. Immediate execution upon a match, top-down processing, implicit deny all at the end

2. What will happen if none of the sequences match in a route map that is applied to redistribution?

a. The route will not be redistributed.

b. The route will be redistributed with default values.

c. The route will be redistributed based on the last permit sequence.

d. The route will be redistributed based on the values in the redistribute command.

3. What command enables you to verify the interfaces that have a PBR route map applied to them?

a. show ip route

b. show ip policy

c. show route-map

d. show ip local policy

4. What command enables you to verify the number of packets that have been policy-based routed?

a. show ip route

b. show ip policy

c. show route-map

d. show ip local policy

5. What command enables you to verify which PBR route map has been applied to locally generated packets?

a. show ip route

b. show ip policy

c. show route-map

d. show ip local policy

6. What will happen to packets that match a deny sequence in a route map that is used for PBR?

a. The packets will be routed normally.

b. The packets will be policy-based routed.

c. The packets will be dropped.

d. The packets will be routed upon approval by the admin.

7. Which Cisco IOS command enables you to verify that PBR is sending packets on the desired path?

a. traceroute

b. show ip route

c. show route-map

d. show ip policy

Foundation Topics

Troubleshooting Route Maps

Route maps are used with other services and features to provide a more granular level of control that was not available with the services or features by default. For example, when you redistribute routes from one routing protocol to another, all routes are redistributed and treated the same way. However, by attaching a route map to the redistribution process, you can treat each route or a group of routes differently when they are redistributed. In addition, route maps are heavily utilized with BGP for path manipulation, and they are the driving force behind PBR.

Therefore, when troubleshooting a service or feature that has a route map attached to it, you need to be able to troubleshoot the route map so that you can determine whether it is the cause of the issue. In this section, you learn how to read route maps.

How to Read a Route Map

A route map is identified by a name. Within the route map, there can be one or more sequences, which are defined by a number. Within each sequence, you can find match clauses and set clauses. Example 16-1 displays the output of show run | section route-map. It is a sample route map called TSHOOT_ROUTE_MAP. This route map is for illustrative purposes so that you can see the various options that a route map has to offer. You would not want to copy this route map for the real world because we have combined multiple features into one route map to give you various examples we will walk through. Example 16-2 displays the same route map but using the show route-map [map_name] command.

Example 16-1 Sample Route Map


R1#show run | section route-map
route-map TSHOOT_ROUTE_MAP permit 10
match ip address 10 11
set metric 500
route-map TSHOOT_ROUTE_MAP permit 20
match ip address prefix-list OSPF_ROUTE
set metric-type type-1
route-map TSHOOT_ROUTE_MAP permit 25
match interface FastEthernet3/0
set ip next-hop 10.1.12.2
route-map TSHOOT_ROUTE_MAP deny 30
match tag 88
route-map TSHOOT_ROUTE_MAP permit 100
set local-preference 150


Example 16-2 Output of show route-map TSHOOT_ROUTE_MAP


R1#show route-map TSHOOT_ROUTE_MAP
route-map TSHOOT_ROUTE_MAP, permit, sequence 10
Match clauses:
ip address (access-lists): 10 11
Set clauses:
metric 500
Policy routing matches: 0 packets, 0 bytes
route-map TSHOOT_ROUTE_MAP, permit, sequence 20
Match clauses:
ip address prefix-lists: OSPF_ROUTE
Set clauses:
metric-type type-1
Policy routing matches: 0 packets, 0 bytes
route-map TSHOOT_ROUTE_MAP, permit, sequence 25
Match clauses:
interface FastEthernet3/0
Set clauses:
ip next-hop 10.1.12.2
Policy routing matches: 0 packets, 0 bytes
route-map TSHOOT_ROUTE_MAP, deny, sequence 30
Match clauses:
tag 88
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TSHOOT_ROUTE_MAP, permit, sequence 100
Match clauses:
Set clauses:
local-preference 150
Policy routing matches: 0 packets, 0 bytes


Notice how a sequence can be permit or deny. In this case, sequences 10, 20, 25, and 100 are all permit sequences, and 30 is a deny sequence. This is usually the culprit in many troubleshooting issues that involve route maps: admins sometimes forget to type deny, and as a result the sequence defaults to permit. In addition, what permit or deny truly means depends on what the route map is being used for. For redistribution, permit means redistribute the route, and deny means do not redistribute the route. For PBR, permit means policy route the packet, and deny means route the packet normally using the routing table.

Review sequence 10. It is a permit statement that has a single match clause that matches IP address 10 and 11. What this truly means is match the IP addresses within access control list (ACL) 10 or ACL 11. When you see multiple match criteria within a single match clause, it means OR; therefore, ACL 10 OR 11. The traffic in question does not have to match both ACL 10 and 11, just 10 or 11. If the route in question matches sequence 10, its metric will be set to 500. Metrics are usually manipulated during the redistribution process; therefore, sequence 10 is an example of a route map entry that you might use during redistribution.

Review sequence 20. It is a permit statement that has a single match clause, which matches a prefix list called OSPF_ROUTE. If the traffic in question matches the prefix list used in sequence 20, the metric type of the traffic in question will be changed to E1. Changing the metric type is something you can do when redistributing routes into Open Shortest Path First (OSPF). Therefore, sequence 20 is an example of a route map entry that you might use when redistributing routes into OSPF so that you can manipulate the metric type.

Review sequence 25. It is a permit statement that has a single match clause, which matches all packets that arrive inbound on interface Fast Ethernet 3/0. Those packets that arrive on Fa3/0 will be forwarded out the interface that reaches the next-hop IP address of 10.1.12.2. This is an example of a route map entry that you would use with PBR to manually control how packets will be forwarded.

Review sequence 30. It is a deny statement with a single match clause. The match clause is matching routes with a tag of 88. When this type of route map is applied to redistribution, all routes that have a route tag of 88 will not be redistributed because a deny sequence means do not redistribute.

Review sequence 100. This is an example of a route map sequence that can be applied to BGP for attribute manipulation. Notice that there is no match clause. When the match clause is missing in a sequence, it means match all. Therefore, all routes in question would match sequence 100. The set clause states that the local preference, which is a BGP attribute, will be set to 150.

The logic of a route map is very similar to an ACL. The following steps outline the logic of a route map:

1. Top-down processing: A route map is processed in order of sequence, starting with the lowest sequence in the route map to the highest sequence. In Examples 16-1 and 16-2, sequence 10 is processed first followed by 20, 25, 30, and then 100.

2. Immediate execution upon a match: During processing, a match clause in a sequence is evaluated. If the match clause matches the traffic in question, the processing stops and the actions defined in the set clauses in the sequence are executed in the order they are configured. If no match is found, the next sequence is checked. Note: If multiple match criteria are specified in the same match clause in a sequence, a logical OR algorithm is applied, which means that any of the match criteria can match for it to be considered a match. If multiple match criteria are specified in different match clauses in the same sequence, a logical AND algorithm is applied, which means that all of the match criteria must match for it to be considered a match.

3. Implicit deny all: If no sequence matches the traffic in question, the traffic is treated as though it matched a deny sequence, and is processed accordingly because there is an implicit deny all sequence at the end of every route map, just like ACLs and prefix lists.
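
As an added illustration (not code from the Cert Guide), the following Python script models the three processing rules above. It parses the route map from Example 16-1 exactly as show run | section route-map prints it and evaluates routes against it. The contents of ACLs 10 and 11 and of prefix list OSPF_ROUTE are not given on the page, so the values used here are assumptions, and ACL matching is simplified to "the route's prefix lies inside a permitted network."

```python
"""Added example (not from the Cert Guide): a simulator of Cisco IOS
route-map processing logic for the route map in Example 16-1.
ACLs, prefix lists and route attributes are plain Python data so the
script runs offline."""
import ipaddress
from dataclasses import dataclass, field

# Constructed copy of the route map from Example 16-1 (same text as
# "show run | section route-map" prints).
ROUTE_MAP_CONFIG = """\
route-map TSHOOT_ROUTE_MAP permit 10
 match ip address 10 11
 set metric 500
route-map TSHOOT_ROUTE_MAP permit 20
 match ip address prefix-list OSPF_ROUTE
 set metric-type type-1
route-map TSHOOT_ROUTE_MAP permit 25
 match interface FastEthernet3/0
 set ip next-hop 10.1.12.2
route-map TSHOOT_ROUTE_MAP deny 30
 match tag 88
route-map TSHOOT_ROUTE_MAP permit 100
 set local-preference 150
"""

# The ACL and prefix-list contents are not on the page; these are ASSUMED
# values so the simulator has something to match against.
ACLS = {"10": ["10.1.1.0/24"], "11": ["10.1.3.0/24"]}
PREFIX_LISTS = {"OSPF_ROUTE": ["172.16.0.0/16"]}


@dataclass
class Sequence:
    action: str                                  # "permit" or "deny"
    number: int
    matches: list = field(default_factory=list)  # one criteria list per match clause
    sets: list = field(default_factory=list)


@dataclass
class Route:
    prefix: str
    tag: int = 0
    interface: str = ""


def parse_route_map(text):
    """Build Sequence objects from route-map configuration text."""
    seqs = []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "route-map":
            seqs.append(Sequence(action=words[2], number=int(words[3])))
        elif words[0] == "match":
            seqs[-1].matches.append(words[1:])
        elif words[0] == "set":
            seqs[-1].sets.append(" ".join(words[1:]))
    return sorted(seqs, key=lambda s: s.number)      # step 1: top-down order


def prefix_in(prefix, networks):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(n)) for n in networks)


def clause_matches(clause, route):
    """Evaluate ONE match clause; several criteria in a clause are ORed."""
    if clause[:2] == ["ip", "address"]:
        if clause[2] == "prefix-list":
            return any(prefix_in(route.prefix, PREFIX_LISTS.get(n, [])) for n in clause[3:])
        return any(prefix_in(route.prefix, ACLS.get(n, [])) for n in clause[2:])
    if clause[0] == "tag":
        return str(route.tag) in clause[1:]
    if clause[0] == "interface":
        return route.interface in clause[1:]
    raise ValueError(f"unsupported match clause: {' '.join(clause)}")


def evaluate(seqs, route):
    """Return (sequence number, action, set clauses) for the first matching
    sequence, or (None, "deny", []) for the implicit deny all at the end."""
    for seq in seqs:
        # Step 2: different match clauses in one sequence are ANDed, a
        # sequence with no match clause matches everything, and the first
        # matching sequence wins (processing stops there).
        if all(clause_matches(clause, route) for clause in seq.matches):
            return seq.number, seq.action, seq.sets
    return None, "deny", []                          # step 3: implicit deny all


if __name__ == "__main__":
    rm = parse_route_map(ROUTE_MAP_CONFIG)
    for r in (Route("10.1.3.0/24"), Route("172.16.5.0/24"),
              Route("192.168.1.0/24", interface="FastEthernet3/0"),
              Route("192.168.1.0/24", tag=88), Route("192.168.1.0/24"),
              Route("10.1.3.0/24", tag=88)):
        print(r, "->", evaluate(rm, r))
```

Running the script shows why ordering matters: a route inside ACL 11 that also carries tag 88 is caught by permit sequence 10 and never reaches deny sequence 30, and once sequence 100 (no match clause) is present, nothing falls through to the implicit deny.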

Troubleshooting Policy-Based Routing

With PBR, you can create user-defined policies that manipulate how traffic will be routed through the network. By default, traffic is routed based on the destination IP address of a packet. However, with PBR you can override this behavior and have traffic routed based on different parameters matched in an ACL, or an inbound interface, for example. As a result, you can route based on source IP address or a destination port number, to name a few.

In this section, you learn the commands needed to troubleshoot issues related to PBR.

PBR

The driving force of PBR is route maps. Therefore, if you are not able to read route maps and understand what they are doing, you cannot troubleshoot PBR. Review Example 16-3, which shows a sample PBR configuration based on Figure 16-1. Although it is a small example, notice that multiple configurations are involved with PBR that you will have to review when troubleshooting (in this case, an ACL, a route map with match and set clauses, and the interface PBR is applied to).

Figure 16-1 PBR Example Topology

Example 16-3 Sample PBR configuration


Branch#
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
!
route-map PBR_EXAMPLE permit 10
match ip address 100
set ip next-hop 10.1.14.1
!
interface GigabitEthernet0/0
ip policy route-map PBR_EXAMPLE


When troubleshooting PBR, consider the following:

How the policy has been applied: PBR is applied only to packets arriving inbound on an interface or to packets generated locally by the router. Therefore, you must ensure that you applied the correct PBR route map to the correct interface or to the local router. You can use the show ip policy command to verify which interfaces are enabled for PBR and which route map has been applied, as shown in Example 16-4. You can use the show ip local policy command to display the route map that has been applied for local policy routing (traffic generated by the router).

How the route map is ordered: Remember that route maps are processed from lowest sequence number to highest sequence number, and once a match is found within a sequence, the processing stops and the actions within that sequence are executed. Therefore, the order of the route map is important for proper execution. Use the show route-map command to verify the order of sequences within the route map, as shown in Example 16-5.

What permit and deny mean: When a PBR route map sequence is permit, it means to policy route the packet according to the action defined in the set clause. When a PBR route map sequence is deny, it means do not policy route the packet; route the packet normally instead. If you fail to specify permit or deny when creating the sequence, it defaults to permit. If you accidentally specify permit when you needed deny, or the other way around, the desired results will not be achieved. Also, always remember that there is an implicit deny sequence at the end of a route map. Therefore, if the traffic in question does not match any of the explicit sequences within the route map, it ends up matching the implicit deny sequence. The implicit deny sequence within a route map for PBR means to route the traffic normally. Use the show route-map command to verify the permit and deny sequences within the route map, as shown in Example 16-5.

What traffic is being matched: There are different methods of matching traffic for PBR within a route map. You can match ACLs, prefix lists, and inbound interfaces, to name a few. Based on the match clause, which you can verify with the show route-map command, as shown in Example 16-5, you need to verify whether the match criteria are correct using other show commands. For example, if the match clause is matching an IP ACL, you need to use the show ip access-list command to verify that the ACL is correct. If the match clause is matching an IP prefix list, you need to use the show ip prefix-list command to verify that the prefix list is correct. Remember, if there is no match clause in the sequence, it means match all.

What action will be performed: Once traffic matches a certain sequence, the action defined in the set clause is executed. When troubleshooting PBR, use the show route-map command, as shown in Example 16-5, to verify that the correct set clause has been configured.

Example 16-4 Example of the show ip policy Command


Branch#show ip policy
Interface Route map
Gi0/0 PBR_EXAMPLE


Example 16-5 Example of the show route-map Command


Branch#show route-map
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Policy routing matches: 30 packets, 3420 bytes


When troubleshooting PBR, you will want to test the path that traffic is taking. You can accomplish this using a traceroute, as shown in Example 16-6. (On a PC, use tracert, and on a Cisco IOS device, use the traceroute command.) In this example, the packets destined to 10.1.1.1 are being policy-based routed to the next hop 10.1.14.1 even though the routing table entry states to use 10.1.24.2. All other packets are using 10.1.24.2 as the next hop because they are not being policy-based routed, as shown by the traceroute to 192.0.2.1. To verify that packets are being policy-based routed, use the show route-map command, as shown in Example 16-7. The output shows that 36 packets have been policy-based routed.

Example 16-6 Example Traceroute to Verify the PBR Path


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 6 ms 1 ms 2 ms 10.1.14.1
Trace complete.

Branch#show ip route 10.1.1.1
Routing entry for 10.1.1.0/24
...output omitted...
Routing Descriptor Blocks:
* 10.1.24.2, from 10.1.24.2, 00:14:36 ago, via GigabitEthernet3/0
Route metric is 20480, traffic share count is 1
...output omitted...

C:\>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 6 ms 1 ms 2 ms 10.1.24.2
...output omitted...
Trace complete.


Example 16-7 Using show route-map to Verify PBR Statistics


Branch#show route-map
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Policy routing matches: 36 packets, 3780 bytes


To see policy routing in real time, use the debug ip policy command, as shown in Example 16-8. In this example, the traffic sourced from 10.1.4.1 arriving inbound on Gig0/0 and destined to 10.1.1.1 has been policy matched to route map PBR_EXAMPLE sequence 10. Because it is a permit sequence, the packet is being policy-based routed from Gig0/0 to Fa1/0 with a next-hop address of 10.1.14.1.

Example 16-8 Using debug ip policy to view PBR in Real Time


Branch#debug ip policy
Policy routing debugging is on
Branch#
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy match
IP: route map PBR_EXAMPLE, item 10, permit
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1 (FastEthernet1/0), len 28, policy routed
IP: GigabitEthernet0/0 to FastEthernet1/0 10.1.14.1
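
debug ip policy prints two or three lines per packet, and a terminal may wrap the long ones, which makes anything longer than a handful of packets hard to read. The parser below is an added example, not code from the Cert Guide, that re-joins wrapped lines, pairs each packet's policy match, route-map item and outcome lines, and counts outcomes per route-map item, the offline counterpart of the Policy routing matches counter in show route-map. The sample capture is a constructed copy of the output in Example 16-8 plus the deny-sequence output shown later in Trouble Ticket 16-2.

```python
"""Added example (not from the Cert Guide): parse ``debug ip policy`` output
into per-packet records and summarise policy-routed versus normally
forwarded packets.  The capture below is constructed from the chapter's
listings, including console-wrapped lines."""
import re

# Constructed capture: Example 16-8 followed by the deny case of Trouble Ticket 16-2.
DEBUG_CAPTURE = """\
Branch#debug ip policy
Policy routing debugging is on
Branch#
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy match
IP: route map PBR_EXAMPLE, item 10, permit
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1 (FastEthernet1/0), len 28, policy
routed
IP: GigabitEthernet0/0 to FastEthernet1/0 10.1.14.1
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy match
IP: route map PBR_EXAMPLE, item 10, deny
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy rejected -- normal
forwarding
"""

PKT_RE = re.compile(
    r"IP: s=(?P<src>\S+) \((?P<ingress>[^)]+)\), d=(?P<dst>\S+)"
    r"(?: \((?P<egress>[^)]+)\))?, len (?P<len>\d+), (?P<event>.+)")
ITEM_RE = re.compile(r"IP: route map (?P<map>\S+), item (?P<item>\d+), (?P<action>permit|deny)")
FWD_RE = re.compile(r"IP: (?P<ingress>\S+) to (?P<egress>\S+) (?P<nh>\S+)")


def unwrap(text):
    """Re-join console-wrapped lines: a line that starts neither with 'IP:'
    nor with a prompt/banner is the tail of the previous message."""
    lines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(("IP:", "Branch#", "Policy routing")):
            lines.append(line)
        elif lines:
            lines[-1] += " " + line.strip()
    return lines


def parse_debug(text):
    """Return one dict per packet, pairing its 'policy match' line, the
    route-map item line and the outcome line(s)."""
    records, current = [], None
    for line in unwrap(text):
        pm = PKT_RE.match(line)
        if pm and pm["event"] == "policy match":
            current = {"src": pm["src"], "dst": pm["dst"], "ingress": pm["ingress"]}
            continue
        im = ITEM_RE.match(line)
        if im and current is not None:
            current.update(route_map=im["map"], item=int(im["item"]), action=im["action"])
            continue
        if pm and current is not None:
            # "policy routed" is followed by an "<in> to <out> <next-hop>" line;
            # "policy rejected -- normal forwarding" closes the record itself.
            if pm["event"] == "policy routed":
                current["outcome"] = "policy routed"
                current["egress"] = pm["egress"]
            else:
                current["outcome"] = "normal forwarding"
                records.append(current)
                current = None
            continue
        fm = FWD_RE.match(line)
        if fm and current is not None:
            current["next_hop"] = fm["nh"]
            records.append(current)
            current = None
    return records


def summarize(records):
    """Count packets per (route map, item, action, outcome)."""
    counts = {}
    for r in records:
        key = (r["route_map"], r["item"], r["action"], r["outcome"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_debug(DEBUG_CAPTURE):
        print(rec)
    print(summarize(parse_debug(DEBUG_CAPTURE)))
```

A deny sequence shows up in the summary as a match with the outcome "normal forwarding", which is exactly the symptom investigated in Trouble Ticket 16-2: the route map is consulted and matches, yet no packet is policy routed.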


Policy-Based Routing Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 16-2.

Figure 16-2 PBR Trouble Tickets Topology

Trouble Ticket 16-1

Problem: Traffic from 10.1.4.0/24 to 10.1.1.0/24 is routed through R2 using Gi3/0 when it should be routed directly to R1 using Fa1/0.

You begin troubleshooting by verifying the problem with a trace from a PC in 10.1.4.0/24 with a destination of 10.1.1.1. As shown in Example 16-9, the path to R2 is taken based on the hop 10.1.24.2.

Example 16-9 Verifying the Problem with a Trace to 10.1.1.1


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 8 ms 3 ms 4 ms 10.1.24.2
3 12 ms 5 ms 8 ms 10.1.12.1
Trace complete.


You access Branch and issue the show ip route command. As shown in Example 16-10, the 10.1.1.0/24 network is reachable via a next hop of 10.1.24.2. However, as shown in Example 16-11, the Enhanced Interior Gateway Protocol (EIGRP) topology table indicates that there is another path that can be used via 10.1.14.1. It is not being used by EIGRP because it does not have the best feasible distance (metric). Therefore, you have confirmed that both paths exist and EIGRP is making the best decision. To force the traffic from 10.1.4.0 to 10.1.1.0 to use the Fast Ethernet link, PBR is being used. Therefore, you shift your attention to the PBR configuration.

Example 16-10 Verifying Routing Table Entries


Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

D*EX 0.0.0.0/0 [170/15360] via 10.1.24.2, 01:10:05, GigabitEthernet3/0
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
D 10.1.1.0/24 [90/20480] via 10.1.24.2, 01:10:05, GigabitEthernet3/0
D 10.1.3.0/24 [90/20480] via 10.1.24.2, 01:10:05, GigabitEthernet3/0
C 10.1.4.0/24 is directly connected, GigabitEthernet0/0
L 10.1.4.4/32 is directly connected, GigabitEthernet0/0
D 10.1.12.0/24 [90/15360] via 10.1.24.2, 01:10:05, GigabitEthernet3/0
C 10.1.14.0/24 is directly connected, FastEthernet1/0
L 10.1.14.4/32 is directly connected, FastEthernet1/0
D 10.1.23.0/24 [90/15360] via 10.1.24.2, 01:10:05, GigabitEthernet3/0
C 10.1.24.0/24 is directly connected, GigabitEthernet3/0
L 10.1.24.4/32 is directly connected, GigabitEthernet3/0
192.0.2.0/32 is subnetted, 1 subnets
D EX 192.0.2.1 [170/573440] via 10.1.24.2, 00:00:06, GigabitEthernet3/0
203.0.113.0/29 is subnetted, 1 subnets
D 203.0.113.0 [90/15360] via 10.1.24.2, 01:10:05, GigabitEthernet3/0


Example 16-11 Verifying All EIGRP Routes


Branch#show ip eigrp topology
EIGRP-IPv4 VR(TSHOOT) Topology Table for AS(100)/ID(10.1.24.4)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.1.12.0/24, 1 successors, FD is 1966080
via 10.1.24.2 (1966080/1310720), GigabitEthernet3/0
via 10.1.14.1 (13762560/1310720), FastEthernet1/0
P 10.1.14.0/24, 1 successors, FD is 13107200
via Connected, FastEthernet1/0
P 10.1.3.0/24, 1 successors, FD is 2621440
via 10.1.24.2 (2621440/1966080), GigabitEthernet3/0
P 10.1.23.0/24, 1 successors, FD is 1966080
via 10.1.24.2 (1966080/1310720), GigabitEthernet3/0
P 203.0.113.0/29, 1 successors, FD is 1966080
via 10.1.24.2 (1966080/1310720), GigabitEthernet3/0
P 10.1.4.0/24, 1 successors, FD is 1310720
via Connected, GigabitEthernet0/0
P 10.1.24.0/24, 1 successors, FD is 1310720
via Connected, GigabitEthernet3/0
P 0.0.0.0/0, 1 successors, FD is 1966080
via 10.1.24.2 (1966080/1310720), GigabitEthernet3/0
P 192.0.2.1/32, 1 successors, FD is 73400320, U
via 10.1.24.2 (73400320/72744960), GigabitEthernet3/0
via 10.1.14.1 (78643200/72089600), FastEthernet1/0
P 10.1.1.0/24, 1 successors, FD is 2621440
via 10.1.24.2 (2621440/1966080), GigabitEthernet3/0
via 10.1.14.1 (13762560/1310720), FastEthernet1/0


Because PBR is applied to ingress traffic, you start verifying that Gig0/0 on Branch has a PBR route map attached by using the show ip policy command. As shown in Example 16-12, the route map named PBR_EXAMPLE has been applied.

Example 16-12 Verifying a PBR Route Map Is Applied to the Correct Interface


Branch#show ip policy
Interface Route map
Gi0/0 PBR_EXAMPLE


Next you issue the show route-map command to verify the route map, as shown in Example 16-13. There is only a single sequence, and it is a permit sequence that states any traffic matching the addresses in ACL 100 will be policy routed to a next-hop address of 10.1.14.1 if and only if there is no specific route in the routing table. Read that sentence again. Why is it if and only if there is no specific route in the routing table? This is because the ip default next-hop command was used. When this command is used, PBR examines the routing table, and if there is a specific route in the routing table, it is used. If there is no specific route in the routing table, the packet will be policy-based routed.

Example 16-13 Verifying Route Map Configuration


Branch#show route-map
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip default next-hop 10.1.14.1
Policy routing matches: 0 packets, 0 bytes


Based on Example 16-10, there is a specific route in the routing table to reach 10.1.1.0/24. Therefore, the packets will not be policy-based routed. To solve this problem, you need to change the ip default next-hop command to ip next-hop. Example 16-14 provides the configuration needed to solve this issue.
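
The following Python model, added here and not taken from the Cert Guide, walks a packet through the Branch PBR decision as described in this trouble ticket and in the troubleshooting checklist earlier in the chapter: whether a policy is applied to the ingress interface, whether ACL 100 matches, what a deny sequence does, and when set ip default next-hop defers to the routing table. The routing-table excerpt, ACL 100 and interface names come from Examples 16-3 and 16-10; the packet addresses and the policy dictionaries are constructed for the example, and "specific route" is modelled as any entry other than 0.0.0.0/0.

```python
"""Added example (not from the Cert Guide): a model of the PBR forwarding
decision on Branch for Trouble Ticket 16-1.  Routing table and ACL are
copied from Examples 16-3 and 16-10; packets and policies are constructed."""
import ipaddress

# Constructed excerpt of Branch's routing table (Example 16-10): prefix -> next hop.
ROUTING_TABLE = {
    "0.0.0.0/0": "10.1.24.2",      # gateway of last resort
    "10.1.1.0/24": "10.1.24.2",
    "10.1.4.0/24": "connected",
    "10.1.14.0/24": "connected",
    "192.0.2.1/32": "10.1.24.2",
}

# ACL 100 from Example 16-3 as (source, wildcard, destination, wildcard).
ACL_100 = [("10.1.4.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")]

# Constructed policy dictionaries: the sequence found in Example 16-13 and
# the corrected one from Example 16-14.
TICKET_POLICY = {"interface": "GigabitEthernet0/0", "action": "permit",
                 "set": "default next-hop", "next_hop": "10.1.14.1"}
FIXED_POLICY = dict(TICKET_POLICY, set="next-hop")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def longest_match(table, dst):
    """Routing-table lookup; returns (matching prefix, next hop)."""
    ip = ipaddress.IPv4Address(dst)
    nets = [ipaddress.IPv4Network(p) for p in table]
    best = max((n for n in nets if ip in n), key=lambda n: n.prefixlen)
    return str(best), table[str(best)]


def pbr_decision(policy, ingress_if, src, dst, table=ROUTING_TABLE):
    """Return (next_hop, reason) for one packet arriving on ingress_if."""
    prefix, normal_nh = longest_match(table, dst)
    # 1. PBR acts only on packets arriving on the interface it is applied to.
    if policy["interface"] != ingress_if:
        return normal_nh, f"no policy on {ingress_if}; normal routing via {prefix}"
    # 2. The only sequence matches ACL 100; no match means the implicit deny.
    if not acl_permits(ACL_100, src, dst):
        return normal_nh, f"no sequence matched; implicit deny, normal routing via {prefix}"
    # 3. A matching deny sequence means route normally.
    if policy["action"] == "deny":
        return normal_nh, f"matched deny sequence; normal routing via {prefix}"
    # 4. default next-hop is used only when the routing table has no specific
    #    route, i.e. only 0.0.0.0/0 covers the destination (model assumption).
    if policy["set"] == "default next-hop" and prefix != "0.0.0.0/0":
        return normal_nh, f"specific route {prefix} exists; default next-hop not used"
    return policy["next_hop"], f"policy routed to {policy['next_hop']}"


if __name__ == "__main__":
    for label, pol in (("as found", TICKET_POLICY), ("after fix", FIXED_POLICY)):
        print(label, pbr_decision(pol, "GigabitEthernet0/0", "10.1.4.1", "10.1.1.1"))
    print("other traffic", pbr_decision(FIXED_POLICY, "GigabitEthernet0/0", "10.1.4.1", "192.0.2.1"))
```

With the table as shown in Example 16-10, the packet to 10.1.1.1 is forwarded to 10.1.24.2 under the default next-hop policy and to 10.1.14.1 once the set clause is changed to ip next-hop; removing the 10.1.1.0/24 entry from the table is the one situation in which ip default next-hop would have policy routed the packet.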

Example 16-14 Modifying Route Map Configuration


Branch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#route-map PBR_EXAMPLE permit 10
Branch(config-route-map)#no set ip default next-hop 10.1.14.1
Branch(config-route-map)#set ip next-hop 10.1.14.1
Branch(config-route-map)#end


After the configuration has been modified, you verify the changes with the show route-map command, as shown in Example 16-15. Now it states ip next-hop 10.1.14.1.

Example 16-15 Verifying the New Route Map Configuration


Branch#show route-map
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Policy routing matches: 0 packets, 0 bytes


You issue the same trace from the client PC that you did at the start, and the trace confirms that packets are going across the Fast Ethernet link because of the hop with the IP 10.1.14.1, as shown in Example 16-16. To further confirm, you issue the command show route-map again on Branch, as shown in Example 16-17, and notice that packets have been successfully policy-based routed. Issue solved!

Example 16-16 Confirming Packets Are Taking the Correct Path


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 8 ms 3 ms 4 ms 10.1.14.1
Trace complete.


Example 16-17 Verifying Policy Matches


Branch#show route-map
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Policy routing matches: 6 packets, 360 bytes


Trouble Ticket 16-2

Problem: Traffic from 10.1.4.0/24 to 10.1.1.0/24 is routed through R2 using Gi3/0 when it should be routed directly to R1 using Fa1/0.

You begin troubleshooting by verifying the problem with a trace from a PC in 10.1.4.0/24 (Branch) with a destination of 10.1.1.1. As shown in Example 16-18, the path to R2 is used based on the hop 10.1.24.2.

Example 16-18 Verifying the Problem with a Trace to 10.1.1.1


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 8 ms 3 ms 4 ms 10.1.24.2
3 12 ms 5 ms 8 ms 10.1.12.1
Trace complete.


Because the traffic is supposed to be policy-based routed, you access Branch and issue the debug ip policy command. You then perform the traceroute on the client again and observe the output of the debug commands on Branch. As shown in Example 16-19, there is a policy match for the deny sequence of 10 in the PBR_EXAMPLE route map. The debug then states that the policy is rejected, and the packet is routed based on the routing table.

So, even though there is a match, the packet is being routed normally. This is because the sequence that is matched is a deny sequence. A deny sequence means do not policy route; route normally instead.

Example 16-19 Observing debug ip policy output


Branch#debug ip policy
Policy routing debugging is on
Branch#
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy match
IP: route map PBR_EXAMPLE, item 10, deny
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy rejected -- normal forwarding
Branch#


Next you issue the show route-map command to verify the route map, as shown in Example 16-20. There is only a single sequence, and it is a deny sequence that states any traffic matching the addresses in ACL 100 will be routed normally regardless of any set clauses because it is a deny sequence.

Example 16-20 Verifying Route Map Configuration


Branch#show route-map
route-map PBR_EXAMPLE, deny, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Nexthop tracking current: 0.0.0.0
10.1.14.1, fib_nh:0,oce:0,status:0

Policy routing matches: 0 packets, 0 bytes


To solve this problem, you need to change sequence 10 so that it is permit instead of deny. Example 16-21 displays the configuration needed to solve this issue.

Example 16-21 Modifying Route Map Configuration


Branch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#route-map PBR_EXAMPLE permit 10
Branch(config-route-map)#end


After modifying the configuration, you verify the changes with the show route-map command, as shown in Example 16-22. Now sequence 10 is a permit sequence.

Example 16-22 Verifying the New Route Map Configuration


Branch#show route-map
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Policy routing matches: 0 packets, 0 bytes


You issue the same trace from the client PC that you did at the start, and the trace confirms that packets are going across the Fast Ethernet link because of the hop with the IP 10.1.14.1, as shown in Example 16-23. To further confirm, you observe the debug output on Branch, as shown in Example 16-24, and it states that the traffic is being policy-based routed. Issue solved!

Example 16-23 Confirming Packets Are Taking the Correct Path


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 8 ms 3 ms 4 ms 10.1.14.1
Trace complete.


Example 16-24 Verifying PBR with debug Commands


Branch#debug ip policy
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1, len 28, policy match
IP: route map PBR_EXAMPLE, item 10, permit
IP: s=10.1.4.1 (GigabitEthernet0/0), d=10.1.1.1 (FastEthernet1/0), len 28, policy routed
IP: GigabitEthernet0/0 to FastEthernet1/0 10.1.14.1


Trouble Ticket 16-3

Problem: Traffic from 10.1.4.0/24 to 10.1.1.0/24 is routed through R2 using Gi3/0 when it should be routed directly to R1 using Fa1/0.

You begin troubleshooting by verifying the problem with a trace from a PC in 10.1.4.0/24 with a destination of 10.1.1.1. As shown in Example 16-25, the path to R2 is taken based on the hop 10.1.24.2. This traffic should have been policy-based routed to the next hop IP of 10.1.14.1.

Example 16-25 Verifying the Problem with a Trace to 10.1.1.1


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 8 ms 3 ms 4 ms 10.1.24.2
3 12 ms 5 ms 8 ms 10.1.12.1
Trace complete.


Because PBR is applied to ingress traffic, you start by verifying that Gig0/0 on Branch has a PBR route map attached by using the show ip policy command. As shown in Example 16-26, the route map named PBR_EXAMPLE has been applied to interface Fa1/0. There is no route map applied to Gig0/0 for PBR. However, before you conclude that the route map PBR_EXAMPLE was applied to the wrong interface, make sure that it is the route map that is needed to accomplish the goal. It would be bad if you removed this route map from Fa1/0 and applied it to Gig0/0 when that is not the true solution to the problem.

Example 16-26 Verifying That the PBR Route Map Is Applied to the Correct Interface


Branch#show ip policy
Interface Route map
Fa1/0 PBR_EXAMPLE


Next you issue the show route-map PBR_EXAMPLE command to verify the route map, as shown in Example 16-27. There is only a single sequence, and it is a permit sequence that states any traffic matching the addresses in ACL 100 will be policy routed to a next-hop address of 10.1.14.1. Now it is time to verify ACL 100 with the show access-list 100 command, as shown in Example 16-28. ACL 100 is matching traffic sourced from any address from 10.1.4.0 to 10.1.4.255 and destined to any address from 10.1.1.0 to 10.1.1.255. You have verified that this is the correct ACL, and the route map is correct as well. Therefore, the route map has been applied to the wrong interface.

Example 16-27 Verifying Route Map Configuration


Branch#show route-map PBR_EXAMPLE
route-map PBR_EXAMPLE, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.1.14.1
Policy routing matches: 0 packets, 0 bytes


Example 16-28 Verifying ACL 100 Configuration


Branch#show access-lists 100
Extended IP access list 100
10 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255


To solve this problem, you need to remove the ip policy route-map command from Fa1/0 and apply it to interface Gig0/0 instead. Example 16-29 provides the configuration needed to solve this issue.

Example 16-29 Modifying the ip policy route-map Configuration


Branch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int fa1/0
Branch(config-if)#no ip policy route-map PBR_EXAMPLE
Branch(config-if)#int gig 0/0
Branch(config-if)#ip policy route-map PBR_EXAMPLE


After modifying the configuration, you verify the changes with the show ip policy command, as shown in Example 16-30. Now the route map PBR_EXAMPLE is applied to Gig0/0.

Example 16-30 Verifying That the Route Map Is Applied to the Correct Interface


Branch#show ip policy
Interface Route map
Gi0/0 PBR_EXAMPLE


You issue the same trace from the client PC that you did at the start, and the trace confirms that packets are going across the Fast Ethernet link because of the hop with the IP 10.1.14.1, as shown in Example 16-31. Issue solved!

Example 16-31 Confirming Packets Are Taking the Correct Path


C:\>tracert 10.1.1.1
Tracing route to 10.1.1.1 over a maximum of 30 hops

1 6 ms 1 ms 2 ms 10.1.4.4
2 8 ms 3 ms 4 ms 10.1.14.1
Trace complete.


Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here; Chapter 22, “Final Preparation”; and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 16-2 lists a reference of these key topics and the page numbers on which each is found.

Table 16-2 Key Topics for Chapter 16

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

route map

match

set

implicit deny all

policy-based routing (PBR)

Command Reference to Check Your Memory

This section includes the most important show and debug commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the commands, cover the right side of Table 16-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 16-3 show and debug commands

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to successfully troubleshoot the topics and concepts covered in this chapter.