Sunday, August 17, 2014

Path-Control





1. Your organization is implementing a dual-ISP setup that should be tightly controlled. They have requested the following parameters:

- Client1 surfs the internet all day doing nothing productive. All traffic from this client should route out ISP2,
which is a slower internet connection. If ISP2 is down, Client1 should not be able to access the Internet.

ip access-list extended Client_1
 permit ip host 192.168.1.20 any

route-map POLICY permit 10
 match ip address Client_1
 set ip next-hop 201.1.1.2

(int f0/0
ip policy route-map POLICY)

- Client2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connection.
All other traffic from Client2 should route out ISP2.

ip access-list extended Client_2
 permit tcp host 192.168.1.21 any eq telnet
 permit tcp host 192.168.1.21 any eq 443

route-map POLICY permit 20
 match ip address Client_2
 set ip next-hop 200.1.1.2
(int f0/0
ip policy route-map POLICY)

- Traffic from other clients should route out ISP2.

route-map POLICY permit 30
 set ip next-hop 201.1.1.2
(int f0/0
ip policy route-map POLICY)

- Traffic originating from the PolicyRouter should prefer ISP1 but should fail over to ISP2 should ISP1 be unavailable.
Verify ISP1 is available using proactive testing techniques.

To accomplish these objectives, you may create no more than two route-maps and three access-lists.

conf t
ip sla 1
 icmp-echo 200.1.1.2
 timeout 1000
 frequency 3

ip sla schedule 1 life forever start-time now

track 1 rtr 1 reachability
 exit

ip access-list extended ROUTER
 permit ip any any
!
route-map ROUTER_TRAFFIC permit 10
 match ip address ROUTER
 set ip next-hop verify-availability 200.1.1.2 10 track 1
 set ip next-hop 201.1.1.2

ip local policy route-map ROUTER_TRAFFIC
!
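
A simplified model of how the two route-maps above pick a next hop, added here as a Python example that is not part of the original post. It assumes the router holds no default route, as in the listed configuration, so a packet that falls through policy routing is dropped; `build`, `pbr`, `lab_maps` and `pkt` are hypothetical helper names. The `seq30_name` parameter shows what happens when sequence 30 is entered under a differently cased name, since IOS route-map names are case-sensitive.

```python
ISP1, ISP2 = "200.1.1.2", "201.1.1.2"

ACLS = {  # predicates mirroring the page's access lists
    "Client_1": lambda p: p["src"] == "192.168.1.20",
    "Client_2": lambda p: (p["src"] == "192.168.1.21" and p["proto"] == "tcp"
                           and p["dport"] in (23, 443)),  # telnet, HTTPS
    "ROUTER": lambda p: True,  # permit ip any any
}

def build(entries):
    """Group (name, seq, acl, [(next_hop, tracked), ...]) rows by route-map name.
    Names are kept exactly as typed because IOS treats them as case-sensitive."""
    maps = {}
    for name, seq, acl, hops in entries:
        maps.setdefault(name, []).append((seq, acl, hops))
    return {name: sorted(rows, key=lambda r: r[0]) for name, rows in maps.items()}

def pbr(maps, bound, pkt, links_up, track_up=True):
    """Next hop chosen for pkt by the route-map bound to the interface, or None
    when the packet falls through to the routing table (assumed to hold no
    default route, so None means the packet is dropped)."""
    for _seq, acl, hops in maps.get(bound, []):
        if acl is None or ACLS[acl](pkt):  # first matching sequence decides
            for hop, tracked in hops:
                # a tracked hop also needs the IP SLA track object to be up
                if hop in links_up and (track_up or not tracked):
                    return hop
            return None  # matched, but no usable next hop
    return None  # no sequence matched

def lab_maps(seq30_name="POLICY"):
    """The page's route-maps; seq30_name is the name sequence 30 was typed under."""
    return build([
        ("POLICY", 10, "Client_1", [(ISP2, False)]),
        ("POLICY", 20, "Client_2", [(ISP1, False)]),
        (seq30_name, 30, None, [(ISP2, False)]),
        ("ROUTER_TRAFFIC", 10, "ROUTER", [(ISP1, True), (ISP2, False)]),
    ])

def pkt(src, proto="tcp", dport=80):
    """Constructed sample packet."""
    return {"src": src, "proto": proto, "dport": dport}
```
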

========================================================
Configurations

PolicyRouter>

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map POLICY
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 ip address 200.1.1.1 255.255.255.0
 clock rate 2000000
!
interface Serial0/3
 ip address 201.1.1.1 255.255.255.0
 clock rate 2000000
!
ip local policy route-map ROUTER_TRAFFIC
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended Client_1
 permit ip host 192.168.1.20 any
ip access-list extended Client_2
 permit tcp host 192.168.1.21 any eq telnet
 permit tcp host 192.168.1.21 any eq 443
ip access-list extended ROUTER
 permit ip any any
!
ip sla 1
 icmp-echo 200.1.1.2
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
!
!
route-map POLICY permit 10
 match ip address Client_1
 set ip next-hop 201.1.1.2
!
route-map POLICY permit 20
 match ip address Client_2
 set ip next-hop 200.1.1.2
!
route-map POLICY permit 30
 set ip next-hop 201.1.1.2
!
route-map ROUTER_TRAFFIC permit 10
 match ip address ROUTER
 set ip next-hop verify-availability 200.1.1.2 10 track 1
 set ip next-hop 201.1.1.2

ISP1>
interface Serial0/1
 ip address 200.1.1.2 255.255.255.0
 clock rate 2000000
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 Serial0/1
!
! HTTP and HTTPS servers enabled for test purposes
ip http server
ip http secure-server

ISP2>

interface Serial0/1
 ip address 201.1.1.2 255.255.255.0
 clock rate 2000000
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 201.1.1.1
!
ip http server
ip http secure-server
