The solution in this scenario is to use something called policy based routing:

Policy-based routing provides a tool for forwarding and routing data packets based on policies defined by network administrators. In effect, it is a way to have the policy override routing protocol decisions. Policy-based routing includes a mechanism for selectively applying policies based on access list, packet size or other criteria. The actions taken can include routing  packets on user-defined routes, setting the precedence, type of service bits, etc.

Consider the following diagram:

Host 1 and 2 both have a default gateway of the defaultRouter, which has the address of 192.168.1.1.  The default route/next hop address in defaultRouter for all traffic is 192.168.2.1, which is named LanRouter.  When Host1 pings Host3 the full path looks like:

Host1 –> defaultRouter –> LanRouter –> Host3

Host1#traceroute 192.168.3.100

Type escape sequence to abort.
Tracing the route to 192.168.3.100

  1 192.168.1.1 152 msec 168 msec 144 msec
  2 192.168.2.1 288 msec 256 msec 172 msec
  3 192.168.3.100 264 msec 260 msec 255 msec
Host1#

Let’s say we want Host1 to take an alternate path in the network, but leave Host2 alone and allow it to continue through the original route.  A policy route will be configured on defaultRouter to look for the source address of Host1 and re-route that traffic over altLanRouter.  Any traffic sourced from Host2 will remain going through the original path via LanRouter.

First thing to configure is the access list that will be used to match the desired source address.

defaultRouter(config)#ip access-list extended hosts-to-redirect
defaultRouter(config-ext-nacl)#permit ip ?
A.B.C.D  Source address
any      Any source host
host     A single source host

defaultRouter(config-ext-nacl)#permit ip 192.168.1.100 ?
A.B.C.D  Source wildcard bits

defaultRouter(config-ext-nacl)#permit ip 192.168.1.100 0.0.0.0 ?
A.B.C.D  Destination address
any      Any destination host
host     A single destination host

defaultRouter(config-ext-nacl)#permit ip 192.168.1.100 0.0.0.0 any

Next, create the route map and configure what to use for matching traffic, which is the access list that was previously created.  Also, configure what action to take on the traffic that is matched.

defaultRouter(config-route-map)#match ip address ?
  <1-199>      IP access-list number
  <1300-2699>  IP access-list number (expanded range)
  WORD         IP access-list name
  prefix-list  Match entries of prefix-lists

defaultRouter(config-route-map)#match ip address hosts-to-redirect
defaultRouter(config-route-map)#set ?
  as-path           Prepend string for a BGP AS-path attribute
  automatic-tag     Automatically compute TAG value
  clns              OSI summary address
  comm-list         set BGP community list (for deletion)
  community         BGP community attribute
  dampening         Set BGP route flap dampening parameters
  default           Set default information
  extcommunity      BGP extended community attribute
  interface         Output interface
  ip                IP specific information
  ipv6              IPv6 specific information
  level             Where to import route
  local-preference  BGP local preference path attribute
  metric            Metric value for destination routing protocol
  metric-type       Type of metric for destination routing protocol
  mpls-label        Set MPLS label for prefix
  nlri              BGP NLRI type
  origin            BGP origin code
  tag               Tag value for destination routing protocol
  traffic-index     BGP traffic classification number for accounting
  vrf               Define VRF name
  weight            BGP weight for routing table
defaultRouter(config-route-map)#set ip ?
  address     Specify IP address
  default     Set default information
  df          Set DF bit
  next-hop    Next hop address
  precedence  Set precedence field
  qos-group   Set QOS Group ID
  tos         Set type of service field
defaultRouter(config-route-map)#set ip next-hop 192.168.2.2

Once the route map is configured the only thing left is to apply it to the interface where the traffic comes into the router, which is FastEthernet1/0.

defaultRouter(config)#int fa1/0
defaultRouter(config-if)#ip policy ?
  route-map  Policy route map

defaultRouter(config-if)#ip policy route-map ?
  WORD  Route map name

defaultRouter(config-if)#ip policy route-map altRouterRedirect

Now let’s take a look at the path Host1 takes to connect to Host3:

Host1#traceroute 192.168.3.100

Type escape sequence to abort.
Tracing the route to 192.168.3.100

  1 192.168.1.1 112 msec 168 msec 72 msec
  2 192.168.2.2 192 msec 312 msec 336 msec
  3 192.168.3.100 288 msec 288 msec 288 msec
Host1#

Now, verify that host 2 still takes the original path via LanRouter:

Host2#traceroute 192.168.3.100

Type escape sequence to abort.
Tracing the route to 192.168.3.100

  1 192.168.1.1 140 msec 144 msec 144 msec
  2 192.168.2.1 192 msec 212 msec 172 msec
  3 192.168.3.100 432 msec 384 msec 360 msec
Host2#

This configuration has successfully changed the path in the network of Host 1 and left the traffic sourced from Host 2 untouched. Keep in mind that the reply traffic from R3 is going back across defaultRouter in both scenarios, this is because Host3 has a default gateway of 192.168.3.1, which is assigned to defaultRouter. If we wanted the reply traffic from Host 3 destined to host 1 sent via altLanRouter, a policy map would need to be applied to match the destination ip address of Host 1.

In this example R0 and R1 are owned by a fictitious business, running EIGRP as the routing protocol between them.  R2 is a vendor who has placed their router at the premises in order to establish a connection to a server (172.32.16.100) providing a service to the business.

Since this is a single location, most likely the network person at the business and the vendor of the new service will agree to use simple static routing between R1 and R2.  The network person for the business will configure a static route on R1 to 172.32.16.100 with a next hop address of 10.200.5.1 .  This will work just fine, except the rest of his network will need to know how to reach this new server.  Here again, another simple solution, R1 needs to redistribute the static route into the EIGRP process running between R0 and R1.

In most instances the network administrator for the business will simply insert the ‘redistribute static’  command under the routing protocol configuration:

router eigrp 10
network 10.200.4.1 0.0.0.0
no auto-summary

r1#conf t
r1(config)#router eigrp 10
r1(config-router)#redistribute static

If we look at the routes on R0, the route to the new server is being advertised to it via the EIGRP process.

r0#show ip route
Gateway of last resort is not set

     172.32.0.0/32 is subnetted, 1 subnets
D EX    172.32.16.100 [170/30720] via 10.200.4.1, 00:00:03, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.200.4.0 is directly connected, FastEthernet0/0
r0#

Mission accomplished right? Well maybe, but this is a very small network in this example. What if this same scenario happened in a much larger network? In a larger network, R1 would most likely be a distribution router that contains much of the traffic flow for that location. If this is the case, you probably want a little more control over what routes get advertised to the rest of the network. There are many scenarios where R1 may contain static routes that you would not want to advertise into a routing protocol. So, how can we be selective with witch static routes get put into the routing instance?

The answer: route maps

Let’s back up a bit and remove the redistribute static command from R1, so now the config looks like this:

router eigrp 10
 network 10.200.4.1 0.0.0.0
 no auto-summary

Now, let’s define a route map that will tell the router specifically which routes to redistribute into EIGRP:

! Define a route map named static-into-eigrp
!
R1(config)#route-map static-into-eigrp
!
! Tell the route map to match and ip addresses contained in the prefix list static-redist
!
R1(config-route-map)#match ip address prefix-list static-redist
R1(config-route-map)#exit
!
! Define/Add entry to the prefix list with the route allowed into the routing protocol
!
R1(config)#ip prefix-list static-redist permit 172.32.16.100/32
!
R1(config)#router eigrp 10
!
! Tell the routing process to only redistribute static routes controlled by the route map
!
R1(config)#redistribute static route-map static-into-eigrp

As static routes are added to R1, they will not be automatically redistributed into the routing protocol – hence more control. All that is needed to add another existing static route into eigrp would be:

R1(config)#ip prefix-list static-redist permit x.x.x.x/xx

Once the prefix-list entry is entered the static route is immediately added into the routing protocol.

interface xxxxxxX/X
ip accounting

The router will only record packets that goes through the router.  Any connections initiated from the router or terminates to the router are not counted.  To view the accounting table:

Router#show ip accounting
 192.168.194.20   192.168.39.19                22549             1894116
 192.168.39.19    192.168.194.20               22617             1899828
 192.168.99.34    192.168.194.20                4825              321528
 192.168.194.20   192.168.99.34                20823             1488977
 192.168.32.32    192.168.196.7               117118            15584552
 192.168.196.7    192.168.32.32               696129            41071611
 192.168.50.106   192.168.196.7               232694            30100216
 192.168.196.7    192.168.50.106              234880            13857920
 192.168.194.75   192.168.99.34                14023             1486289
 192.168.99.34    192.168.194.72                3848              238759
 192.168.194.72   192.168.99.34                18431             1709778

The first column is the source IP address, second is the destination, third is the number of packets, and fourth is the total number of bytes.  The source and destination is from the perspective of the interface configured for IP accounting.  The traffic would be recorded as what is leaving that particular interface.

Let’s say ip accounting was configured on the Serial interface of a router.  Look at the accounting output above, the first line indicates 192.168.194.20 as the source and 192.168.39.19 as the destination.  The host configured as 192.168.194.20 would be behind this router and 192.168.39.19 would be the host reachable via the serial interface that IP accounting is configured on.

You also will notice that every two lines contain the same IP addresses, they are just flipped in the source and destination fields.  This represents two way traffic between the hosts.  If you were troubleshooting a problem and only saw the counters incrementing on one line and not the other, that could indicate the traffic is being successfully to the destination, but is never receiving the response.

• Obviously, routing protocol table entries can be sourced from various routing protocols.
• Connected Interfaces
• Static entries contained in the router’s configuration

So let’s say we have a host route of 10.2.101.1/32 on the network which has been learned by multiple routing protocols running on a single router. How does the router decide which source to use for adding the destination into the route table? The decision is made using something called an Administrative distance. Basically, the administrative distance (AD) is a trust value assigned to each potential source. Cisco has pre-assigned these trust values in the router’s operating system. These trust values can be manipulated, but typically are left to the default, since the modification is locally significant to each router. Listed below are the administrative distances for each source:

Source                      Administrative Distance
Connected Interface         0
Static Route                1
EIGRP Summary Route         5
External BGP                20
Internal EIGRP              90
IGRP                        100
OSPF                        110
IS-IS                       115
RIP                         120
Exterior Gateway Protocol   140
On-Demand Routing           160
External EIGRP              170
Internal BGP                200
Unknown                     255

As you can see, not only does each routing source have unique trust values, but also different types inside the same source have unique trust values. For example, there are three different trust values assigned to various EIGRP table entries:

• EIGRP Summary Routes are the most trusted (AD of 5)
• EIGRP Internal Routes are the second most trusted (AD of 90)
• EIGRP External Routes are the least trusted of the three types (AD of 170)

So let’s say our router was running an OSPF process and an EIGRP Process. The OSPF routing process has an established neighbor that knows about the destination 10.2.101.1/32. Our same router has an established EIGRP neighbor who also knows how to reach the 10.2.101.1/32 host. We can view the routing process database containing these entries with the following commands:

show ip eigrp topology

R1#sh ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(10.1.101.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.2.101.1/32, 0 successors, FD is Inaccessible
via 10.1.101.2 (2174976/2172416), FastEthernet1/0
P 192.168.1.4/30, 1 successors, FD is 2172416
via 10.1.101.2 (2172416/2169856), FastEthernet1/0
P 10.1.101.0/24, 1 successors, FD is 28160
via Connected, FastEthernet1/0

show ip ospf database

R1#sh ip ospf databaseOSPF Router with ID (10.1.101.1) (Process ID 10)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link coun
10.1.101.1      10.1.101.1      1477        0x80000003 0x0003E7 2
192.168.1.1     192.168.1.1     1501        0x80000003 0x00A4D1 1

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksu
10.1.100.2      192.168.1.1     1501        0x80000002 0x00DDA1

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksu
192.168.1.0     192.168.1.1     1501        0x80000002 0x002207

Summary ASB Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksu
192.168.1.6     192.168.1.1     1501        0x80000002 0x00E935

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Ta
10.2.101.1      192.168.1.6     1191        0x80000003 0x00CF9B 0

Even though the destination host route (10.2.101.1) shows up in the previous route process databases, that is not where the router sources it’s information from when it comes time to forward a packet to the destination. When a new entry appears in any given route source (in this example, it’s the OSPF and EIGRP tables) – the router analyses the entry and decides whether or not to add it to the only source of truth: the route table. The route table is displayed with the following command:

show ip route

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2    10.2.101.1/32 [110/100] via 10.1.100.2, 00:54:19, FastEthernet0/0
C       10.1.101.0/24 is directly connected, FastEthernet1/0
C       10.1.100.0/24 is directly connected, FastEthernet0/0
192.168.1.0/30 is subnetted, 2 subnets
O IA    192.168.1.0 [110/65] via 10.1.100.2, 01:00:52, FastEthernet0/0
D       192.168.1.4 [90/2172416] via 10.1.101.2, 01:05:55, FastEthernet1/0

Notice above that when displaying the route table, each entry has listed which source the route was learned from. Having this information displayed for each route is very useful when diagnosing routing problems.

Let’s focus on the previously mentioned host route 10.2.101.1. This route shows up in both the EIGRP table and the OSPF database. However, in the route table we see the route was installed from the OSPF database. The table above shows EIRGP as a more trusted source for routes, so why did the router believe OSPF over EIGRP? Let’s remove the ‘redistribute static’ under the OSPF process running on R5, this will remove the 10.2.101.1 entry from the OSPF database. Now, let’s look at the route table on R1 again:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 mask
D EX    10.2.101.1/32 [170/2174976] via 10.1.101.2, 00:00:08, FastEthernet1/0
C       10.1.101.0/24 is directly connected, FastEthernet1/0
C       10.1.100.0/24 is directly connected, FastEthernet0/0
192.168.1.0/30 is subnetted, 2 subnets
O IA    192.168.1.0 [110/65] via 10.1.100.2, 01:13:45, FastEthernet0/0
D       192.168.1.4 [90/2172416] via 10.1.101.2, 01:18:48, FastEthernet1/0

It’s easy to understand why OSPF is more trusted now that only the EIRGP process knows about the 10.2.101.1/32 route. Look at the routing table, notice now the route has been installed using EIRGP as the source. Look at the letters out to the left of the route, what do they mean? D = EIGRP EX = EIGRP External

Question: What Administrative distance is assigned to EIGRP External routes? The answer: 170 instead of 90 which is only for internal EIGRP routes. Why is this route marked as an External EIGRP route? Because it was redistributed from another source (static routing table) on R4. So, when OSPF knows about this same route, it’s installed into the route table using OSPF because the AD of OSPF is 110 vs. 170 for external EIGRP routes.

interface Multilink1
 description Telco CKT: DS1NT-99999
 ip address 1.1.1.1 255.255.255.252
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links minimum 1
 ppp multilink group 1

As you can see, the layer 3 configuration now goes on the Multilink interface, along with the number/identifier of the multilink group. The ppp multilink links minimum command, the Network Control Protocols for an MLP bundle are disabled until the bundle has the minimum number of configured links. By default, packet fragmentation is enabled on the multilink interface, you can disable this behavior if fragmentation causes performance degradation.

The serial interfaces that are participating in the group now just have the ppp encapsulation and group membership configured.

interface Serial0/0/0:0
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1

The following is an entire serial configuration with two dual port serial wics install into a 2800 series router.

card type t1 0 0
card type t1 0 1
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
!
controller T1 0/1/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
!
interface Multilink1
 description Telco CKT: DS1NT-99999
 ip address 1.1.1.1 255.255.255.252
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links minimum 1
 ppp multilink group 1
!
interface Serial0/0/0:0
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0:0
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/1:0
 description Telco CKT: DS1NT-99999 / LEC: ABCDE
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1

OSPF can be as simple or as complicated as one wants to make it. In this example, we will enable OSPF in a simple network that one might find in small office environments.

First let’s start with a basic network containing three routers. The Lan and Wan Routers are in the same ‘Main’ office with the BranchRouter located at a secondary location. Even though this network could be routed easily with static routes, we want to go ahead and start with a routing protocol to be prepared for future expansions..

hostname LanRouter
!
interface FastEthernet0/0
description Infrastructure Subnet
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet1/0
description Employee Subnet
ip address 10.0.2.1 255.255.255.0

hostname WanRouter
!
interface FastEthernet0/0
description Infrastructure Subnet
ip address 10.0.1.2 255.255.255.0
!
interface Serial1/0
description Point to Point link to Branch Office
ip address 192.168.1.1 255.255.255.252

hostname BranchRouter
!
interface FastEthernet0/0
description Branch Employee Subnet
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
description Point to Point link to Main Office
ip address 192.168.1.2 255.255.255.252

If we want to route between these two offices, here is all the routing configuration that is needed:

LanRouter(Config)#router ospf 1
LanRouter(Config)#network 10.0.1.0 0.0.0.255 area 0
LanRouter(Config)#network 10.0.2.0 0.0.0.255 area 1

The purpose of network statements is to tell the router, that any interfaces it has defined which is covered under the configured network statements, put them into the OSPF process in the area contained in the matching network statement. Notice the network statements contains the inverse mask, instead of written in the subnet mask format. As a good practice, I usually match the network statements with my OSPF interfaces. This means that for ever interface defined that I want in OSPF, there will be a matching network statement. Does it have to be done this way? No… However, this leads into best practice configuration methods, which will be covered in a future article.

WanRouter(Config)#router ospf 1
WanRouter(Config)#network 10.0.1.0 0.0.0.255 area 0
WanRouter(Config)#network 192.168.1.0 0.0.0.3 area 2

BranchRouter(Config)#router ospf 1
BranchRouter(Config)#network 10.1.2.0 0.0.0.255 area 2
BranchRouter(Config)#network 192.168.1.0 0.0.0.3 area 2

The big difference between the OSPF configuration shown above and the EIGRP configuration in the other article is the ‘area’ keyword. OSPF uses areas to segment the routing protocol throughout your network. If a change in the network occurs, all areas do not recalculate automatically. It is the responsibility of certain OSPF routers in the network to determine whether of not some areas need any type of notification. This behavior is meant to improve the efficiency of the routing protocol and improve performance of things such as link failover times.

All OSPF networks are required to have an area 0. In the example above; area 0 is placed in the ‘core’ of network, which is the Main Office, specifically the 10.0.1.0 subnet. This network is the shared subnet between the Lan and Wan routers, which is where area 0 should be placed in this example. Area 1 is configured for the local subnet(s) used at the Main Office for PCs. Area 2 is configured for the Branch Router network, which includes the serial subnet used between the WanRouter and BranchRouter.

Any router that has an interface in Area 0 and at least one other area is called an Area Border Router (ABR) in OSPF. In this example, the LanRouter and WanRouter are both ABRs. These two routers have the responsibility mentioned earlier of determining whether routers in other areas (outside of area 0) need notification to recalculate their routing table.

With all of this said, a network this small can have all of the router interfaces in area 0. This will work just fine, the downfall is as the network grows – every router will be doing re-calculations anytime a network change occurs. There are much larger networks that exist in production environments today using nothing but Area 0, but it is very inefficient and does not provide for optimal failover response times, among other things.

Configuring this protocol can be the same story, the basic setup needed is very simple to configure – but has the options for configuring the advanced features used in larger networks.

First let’s start with a basic network containing three routers. The Lan and Wan Routers are in the same ‘Main’ office with the BranchRouter located at a secondary location. Even though this network could be routed easily with static routes, we want to go ahead and start with a routing protocol to be prepared for future expansions..

hostname LanRouter
!
interface FastEthernet0/0
description Infrastructure Subnet
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet1/0
description Employee Subnet
ip address 10.0.2.1 255.255.255.0

hostname WanRouter
!
interface FastEthernet0/0
description Infrastructure Subnet
ip address 10.0.1.2 255.255.255.0
!
interface Serial1/0
description Point to Point link to Branch Office
ip address 192.168.1.1 255.255.255.252

hostname BranchRouter
!
interface FastEthernet0/0
description Branch Employee Subnet
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
description Point to Point link to Main Office
ip address 192.168.1.2 255.255.255.252

If we want to route between these two offices, here is all the routing configuration that is needed:

LanRouter(Config)#router eigrp 1
LanRouter(Config)#network 10.0.1.0 0.0.0.255
LanRouter(Config)#network 10.0.2.0 0.0.0.255
LanRouter(Config)#no auto-summary

WanRouter(Config)#router eigrp 1
WanRouter(Config)#network 10.0.1.0 0.0.0.255
WanRouter(Config)#network 192.168.1.0 0.0.0.3
WanRouter(Config)#no auto-summary

BranchRouter(Config)#router eigrp 1
BranchRouter(Config)#network 10.1.2.0 0.0.0.255
BranchRouter(Config)#network 192.168.1.0 0.0.0.3
BranchRouter(Config)#no auto-summary

For the EIGRP configuration, the network statements encompass the interface IP addresses, which tells the router you want to run EIGRP on any connected interface that falls within that network statement.  It is considered best practice to specify host network statements, instead of an entire classless/classfull statements (as was done above). The reason not to do this is because a new interface could be created inside a specified classless network statement – which would enable the routing protocol for that interface. The result may or may not be desired, so the alternative is to specifically specify the interface IP’s.  By doing this, you know exactly which interfaces belong to a particular routing protocol instance.

To enable just the FastEthernet0/0 interface in the EIGRP routing process, the appropriate network statement would look like:

LanRouter(Config)#router eigrp 1
LanRouter(Config)#network 10.0.1.1 0.0.0.0

The no auto summary command used above is needed to prevent EIGRP from automatically summarizing the routing advertisements at the classful boundary. For example, without the no auto-summary command, the LanRouter would send the 10.0.1.0 network advertisement as 10.0.0.0/8, instead of 10.0.1.0/24.

The configuration explained in this article can be simulated/tested by using the following Dynamips lab:

Dynagen Configuration using Three 1721 Routers

Let’s assume there are three vlans configured for this small office scenario:

Vlan 2 – Cisco device management
Vlan 3 – Office Workstations
Vlan 4 – Servers

The vlan usage is pretty self explanatory with the descriptions above. The office PCs running Windows XP will be configured for Vlan 3. The office file/mail/print servers will be configured for Vlan 4. Lastly, Vlan 2 will be used as the management vlan for all managed network devices.

There will also be a vlan 999 for the native/untagged vlan traffic, since it is best practice not to use Vlan1 for this purpose.

Here is what the configurations would look like:

On the Cisco access switch:

hostname OfficeSwitch-001
vtp mode transparent
!
vlan 2
 name Management
vlan 3
 name Workstations
vlan 4
 name Servers
vlan 999
 name Native-Trunk
!
interface GigabitEthernet0/1
description Connected to OfficeRouter-001 Fa0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.1.2.10 255.255.255.0
!
ip default-gateway 10.1.2.1

On the 2811 router:

interface FastEthernet0/1
description Connected to OfficeSwitch-001 Gig0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.2
description Management L3 Interface
encapsulation dot1Q 2
ip address 10.1.2.1 255.255.255.0
!
interface FastEthernet0/1.3
description Workstation L3 Interface
encapsulation dot1Q 3
ip address 10.1.3.1 255.255.255.0
!
interface FastEthernet0/1.4
description Server L3 Interface
encapsulation dot1Q 4
ip address 10.1.4.1 255.255.255.0
!
interface FastEthernet0/1.999
description Native Vlan
encapsulation dot1Q 999 native
no ip address

Prerequisites for Configuring NetFlow and NetFlow Data Export

Before you enable NetFlow you must:

• Configure the router for IP routing
• Ensure that one of the following is enabled on your router, and on the interfaces that you want to configure NetFlow on
  • Cisco Express Forwarding (CEF)
  • distributed CEF
  • fast switching

Special notes for specific IOS versions:

• If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow on an interface.
• If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an interface.

To configure netflow, here are the steps:

router>enable
router# configure terminal
router(config)# interface interface-type interface-number
router(config-if)# ip flow {ingress | egress}
router(config-if)# end
router# copy run start

Repeat interface command on any others you want to see traffic statistics on.

Commands to verify Netflow configuration:

Router# show ip flow interface (shows which interfaces netflow is configured on)
Router# show ip cache flow (shows a summary of capture statistics)

Now that netflow is collecting, configure an export destination:

router>enable
router# configure terminal
router(config)# ip flow-export source interface-type interface-number
router(config)# ip flow-export destination ip address of collector source port <optional>
router(config)# ip flow-export version number

Command to verify Netflow data export

router# ip flow-export version

Router(config)# time-range DAY (creates a new time range)
Router(config-time-range)# periodic weekdays 6:00 to 22:00 (matches weekdays from 6:00am to 10:00pm)
Router(config-time-range)# periodic weekend 6:00 to 22:00 (matches weekends from 6:00am to 10:00pm)
Router(config-time-range)# exit
Router(config)# ip access-list extended CLIENTS
Router(config-ext-nacl)# permit ip 192.168.100.0 0.0.0.255 any time-range DAY
Router(config-ext-nacl)# exit
Router(config)#

Create a class-map (used for QoS) that matches the CLIENTS access-list we just created.

Router(config)# class-map MATCH_CLIENTS (MATCH_SERVER is just the name)
Router(config-class-map)# match access-group name CLIENTS (ties in the access-list above)
Router(config-class-map)# exit
Router(config)#

Create a policy-map (used for QoS) that throttles the bandwidth.

Router(config)# policy-map LIMIT_CLIENTS (creates the policy)
Router(config-pmap)# class MATCH_CLIENTS (applies policy to this class)
Router(config-pmap-c)# police 80000 (limits bandwidth to 80Kbps)
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)#

Apply the new policy to the incoming interface, which is the internal network.

Router(config)# interface fa0/0
Router(config-if)# service-policy input LIMIT_CLIENTS