How can I route certain internet based traffic to secondary ISP?

nasolsi1
Level 1

Hi Support,

I need your advice on how best to design our network infrastructure in China to meet our CEO's requirement. Our main aim is to give China's users access to Google Suite Apps and websites that are banned in China, so we are looking for a way to route certain internet-based traffic (traffic to Google apps and the banned websites) through our secondary ISP (ISP2) and all other internet traffic through our primary ISP (ISP1).

Is there any way to route or split the internet traffic based on certain applications or whitelisted sites? If yes, then:

What model of Cisco router/firewall will help us implement that?

What would be the possible network diagram and configuration to accomplish that?

More info:

1 LAN network - 1 Cisco router/firewall - 2 ISPs (Google Suite Apps and China's banned websites traffic goes through ISP2 and all other Internet traffic remains routed through ISP1)

Thank you in advance.

 

17 Replies

Julio E. Moisa
VIP Alumni

Hi

You can use PBR. For example, imagine this scenario: the applications have the IPs 8.8.8.8 and 4.2.2.2 and must be reachable through ISP2 (2.2.2.2), and your network is 172.16.0.0/24:

                                / --- ISP1
ROUTER1 --- (g0/0) EDGE ROUTER
                                \ --- ISP2

 

ip access-list extended MANIPULATION-ACL
 permit ip 172.16.0.0 0.0.0.255 host 8.8.8.8
 permit ip 172.16.0.0 0.0.0.255 host 4.2.2.2
!
route-map FILTER permit 5
 match ip address MANIPULATION-ACL
 set ip next-hop 2.2.2.2
!
route-map FILTER permit 100
!
interface g0/0
 description [TO-ROUTER1]
 ip policy route-map FILTER

 

** The sequence 100 is empty because the rest of the traffic will flow normally. 

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio,

Thanks for your quick response.

Your solution is to configure Policy Based Routing based on a destination range of IPs on a Cisco dual-WAN edge router connected to the internal LAN and to two ISPs via its WAN ports.

What model of Cisco router/firewall will help us implement that?

Hi

That is correct, you will use the destination IP or network to manipulate the traffic. All routers can execute PBR, but I suggest verifying the license and IOS first through this link:

http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

You can select the platform and see the supported features. The newest model is the 4000 Series.

Hope it is useful

:-)

Hello,

as an alternative to Julio's solution, you can also match on URL. Since you cannot do this directly with a route map, you need to mark the specific URL first with a DSCP value (I am using 1 since that isn't used by anything else, provided everything is mapped to the default values).

The entire configuration would look like this (I have used Facebook and YouTube as examples):

class-map match-any ALLOW_URL
 match protocol http host "*.facebook.com"
 match protocol http host "*.youtube.com"
!
policy-map URL_TO_DSCP
 class ALLOW_URL
  set ip dscp 1
!
access-list 100 permit ip any any dscp 1 log
!
route-map REDIRECT_URL permit 10
 match ip address 100
 set ip next-hop x.x.x.x
! x.x.x.x is the IP address of ISP2
!
route-map REDIRECT_URL permit 20
!
interface GigabitEthernet0/0
 description WAN interface
 ip nbar protocol-discovery
!
interface GigabitEthernet0/1
 description LAN interface
 ip nbar protocol-discovery
 service-policy input URL_TO_DSCP
 ip policy route-map REDIRECT_URL
! PBR acts on packets entering an interface, so the policy goes on the LAN side
! where the marked user traffic arrives, not on the WAN interface
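An added example, not code from Julio, Georg or Cisco: a small Python model of the IOS PBR pipeline that the two configurations above describe, so the logic can be stepped through offline. It shows how Julio's wildcard ACL and route-map FILTER choose the next hop (and why a source outside 172.16.0.0/24 is left alone), and how Georg's class-map marks DSCP 1 on the LAN ingress before the route-map matches on it. Wildcard masks follow IOS semantics (host = mask 0.0.0.0, any = mask 255.255.255.255); NBAR's host matching is approximated with glob patterns; 203.0.113.1 is a documentation-range placeholder for the x.x.x.x ISP2 address; every packet is constructed.

```python
# Added example (not from any poster in the thread or from Cisco): model of the IOS
# PBR pipeline discussed above. All addresses, hostnames and packets are constructed.
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                # "ip", "tcp" or "udp"
    dport: Optional[int] = None
    http_host: Optional[str] = None  # HTTP Host header, as NBAR would see it
    dscp: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'.
    'host X' is X with mask 0.0.0.0; 'any' is 0.0.0.0 with mask 255.255.255.255."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


@dataclass
class Ace:
    """One 'permit' line of an extended ACL; src/dst are (base, wildcard) pairs."""
    proto: str
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.dscp is None or p.dscp == self.dscp))


@dataclass
class Sequence:
    """One 'route-map NAME permit N' block: optional match ACL, optional set next-hop."""
    seq: int
    acl: Optional[List[Ace]] = None
    next_hop: Optional[str] = None


def policy_route(route_map: List[Sequence], p: Packet) -> str:
    """First matching sequence wins. A sequence with no match clause matches everything;
    no 'set ip next-hop' (or no matching sequence at all) means normal routing."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if s.acl is None or any(ace.matches(p) for ace in s.acl):
            return s.next_hop or "normal"
    return "normal"


def mark_dscp(patterns: List[str], dscp: int, p: Packet) -> Packet:
    """Inbound service-policy: class-map match-any on HTTP host patterns, then set ip dscp.
    Glob matching stands in for NBAR's host matching in this model."""
    if p.http_host and any(fnmatch(p.http_host, pat) for pat in patterns):
        p.dscp = dscp
    return p


# Julio's MANIPULATION-ACL and route-map FILTER (wildcard 0.0.0.255 for the /24 LAN).
LAN = ("172.16.0.0", "0.0.0.255")
FILTER = [
    Sequence(5, acl=[Ace("ip", LAN, host("8.8.8.8")), Ace("ip", LAN, host("4.2.2.2"))],
             next_hop="2.2.2.2"),
    Sequence(100),  # empty sequence: everything else follows the routing table
]

# Georg's chain: mark *.facebook.com / *.youtube.com with DSCP 1, then PBR on DSCP 1.
# 203.0.113.1 is a documentation-range placeholder for the thread's x.x.x.x (ISP2).
ALLOW_URL = ["*.facebook.com", "*.youtube.com"]
REDIRECT_URL = [Sequence(10, acl=[Ace("ip", ANY, ANY, dscp=1)], next_hop="203.0.113.1"),
                Sequence(20)]


def julio_decision(src: str, dst: str) -> str:
    return policy_route(FILTER, Packet(src, dst))


def georg_decision(dst: str, http_host: str) -> str:
    # marking happens on LAN ingress before the route-map is consulted
    p = mark_dscp(ALLOW_URL, 1, Packet("172.16.0.10", dst, "tcp", 80, http_host))
    return policy_route(REDIRECT_URL, p)


if __name__ == "__main__":
    print(julio_decision("172.16.0.10", "8.8.8.8"))             # 2.2.2.2
    print(julio_decision("172.16.0.10", "198.51.100.7"))        # normal
    print(julio_decision("10.9.9.9", "8.8.8.8"))                # normal: source outside the ACE
    print(georg_decision("198.51.100.20", "www.facebook.com"))  # 203.0.113.1
    print(georg_decision("198.51.100.21", "www.example.com"))   # normal
```

Two things the model makes visible: the empty trailing sequence (100 or 20) returns "normal" rather than dropping the packet, which is exactly Julio's note about the rest of the traffic flowing normally, and the DSCP match in Georg's design only has something to match because the marking step runs on the same ingress interface before the route-map lookup, which is the ordering the model applies.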

Hi Julio/Georg,

Thank you for all your help.

We will give it a test and let you know.

Could you please give me the exact Cisco router/firewall model on which we can configure PBR?

Thank you in advance.

Hi

Most devices and images support PBR, but you can verify that using this tool: http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

Select the platform, then the model and image; it will indicate whether a license is required.

:-)

Hi Julio/Georg,

Thank you both for your help.

Georg - we'll go for Julio's config to create PBR as it's easier and more understandable for me. Your configuration about creating a class map to mark network traffic is a bit complex for me and I couldn't get it well.

Is there any way to create an extended ACL to allow HTTP traffic to Google/Facebook/YouTube based on the destination URL? Or:

What is the best extended ACL configuration to allow HTTP traffic to Google/Facebook/YouTube based on the destination URL or destination IPs?

For example:

ip access-list 100 Match_HTTP_ACL
permit tcp 192.168.15.0 0.0.0.255 host 8.8.8.8 eq www or 80

or

permit tcp 192.168.15.0 0.0.0.255 host ''*.google.com'' eq www

Thank you in advance.

 

Hi Julio/Georg,

I've set up a virtual lab using GNS3 to test PBR.

I tested it for UDP and it worked successfully, but I don't know how to send HTTP traffic from the GNS3 VPCS command line interface to host 8.8.8.8 to test PBR.

Please see the attached GNS3 virtual lab and configuration.

Thank you in advance.

Hi,

It should be similar to how you did it for UDP traffic:

ip access-list extended MATCH-HTTP-TRAFFIC
 permit tcp any any eq 80
!
route-map FILTER permit 6
 match ip address MATCH-HTTP-TRAFFIC
 set ip next-hop 2.2.2.2

Basically you have to create another sequence in the current route-map: you cannot apply 2 or more route-maps to a single interface, so you must use the existing one. In real life you must take care with that, because the traffic can be disrupted for a few seconds.

Hope it is useful

:-)

Hi Julio,

Thank you for your quick response.

I'm not going to apply 2 or more route-maps to a single interface, but only one with one ACL specifying exactly the source network and destination hosts (in this case for google.com and facebook.com).

Could you please confirm whether the ACL for web traffic to Google and Facebook is properly set up to meet our requirements.

Could you please also advise on what command I need to use from GNS3 VPCS PC1 to test the applied route-map policy on R1's fa0/0 interface.

Thank you in advance.

Hi Julio,

Just to clarify.

Forget about the UDP policy, as I have deleted it already. I created it because I managed to test UDP traffic by running the trace command from GNS3 VPCS PC1 (PC1> trace 10.23.0.3), but I don't know how to test web traffic over TCP port 80 to google.com or facebook.com from GNS3 VPCS PC1.

What is the best command to test that route-map policy?

Thank you.

Hi,

To verify the traffic, it should be:

show route-map <route map name>
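An added example, not from any poster in the thread: since show route-map is the check Julio points to, this Python snippet parses two snapshots of that output, taken before and after sending the test traffic, and reports how many packets each sequence policy-routed in between. A non-zero delta on the sequence that carries the set ip next-hop is the evidence that the test traffic was actually policy-routed, regardless of which tool generated it. The two captures below are constructed in the layout IOS uses for this command; the counter values are made up.

```python
# Added example (not from any poster): diff the "Policy routing matches" counters of
# two 'show route-map' snapshots. Sample captures are constructed, not from a real device.
import re
from typing import Dict, Tuple

SEQ_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
HITS_RE = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")


def parse_show_route_map(text: str) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Map (route-map name, sequence) -> (packets, bytes) policy-routed so far."""
    counters: Dict[Tuple[str, int], Tuple[int, int]] = {}
    current = None
    for line in text.splitlines():
        m = SEQ_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(3)))
            counters[current] = (0, 0)  # a sequence may show no counter line at all
            continue
        m = HITS_RE.search(line)
        if m and current:
            counters[current] = (int(m.group(1)), int(m.group(2)))
    return counters


def pbr_delta(before: str, after: str) -> Dict[Tuple[str, int], int]:
    """Packets policy-routed by each sequence between the two snapshots."""
    b, a = parse_show_route_map(before), parse_show_route_map(after)
    return {key: a[key][0] - b.get(key, (0, 0))[0] for key in a}


# Constructed snapshot of Julio's route-map FILTER before the test traffic.
BEFORE = """\
route-map FILTER, permit, sequence 5
  Match clauses:
    ip address (access-lists): MANIPULATION-ACL
  Set clauses:
    ip next-hop 2.2.2.2
  Policy routing matches: 24 packets, 1968 bytes
route-map FILTER, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 310 packets, 41206 bytes
"""

# Constructed snapshot after three test packets hit sequence 5 and two fell through.
AFTER = (BEFORE.replace("24 packets, 1968 bytes", "27 packets, 2148 bytes")
               .replace("310 packets, 41206 bytes", "312 packets, 41290 bytes"))


if __name__ == "__main__":
    for (name, seq), pkts in pbr_delta(BEFORE, AFTER).items():
        print(f"{name} seq {seq}: +{pkts} packets policy-routed")
```

Take the first snapshot, generate the test traffic, take the second, and look at the delta: if it lands on sequence 100 instead of sequence 5, the traffic did not match the ACL (as the OP saw with UDP and ICMP probes against a TCP-only ACE); if neither sequence moves, the route-map is not applied on the interface the traffic enters.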

Hi Julio,

Yes, I used the same command to test UDP traffic, but when I typed in the following commands on the GNS3 PC1 command interface:

trace 8.8.8.8 -6 (-6 is for TCP traffic) or ping 8.8.8.8 80 didn't work, as the applied policy rejected UDP or ICMP traffic.

My question is how to simulate or test web traffic to host 8.8.8.8 from the GNS3 virtual simulator PC1 command line interface?

Thank you.

Hi

The only thing I have in mind is to connect another server to ISP1 and ISP2 and enable a loopback and ip http server.