PBR with NAT

Coulombey
Level 1

Hello Everyone

 

I have a router with 3 ports. G0/0 is for the LAN, G0/1 is for my servers, and I use G0/2 to connect to two ISPs through a switch with a trunk configuration: G0/2.2 for ISP1, G0/2.2000 for ISP2.

All my LAN users must have access to the servers (G0/1); some of them have to get to the internet via ISP1 (G0/2.2) and the others via ISP2 (G0/2.2000). I use translation on both subinterfaces of G0/2. I have two default routes, one for each ISP.

 

May you please help with a PBR configuration.

 

Thx

9 Replies

kubn2
Level 1

Hi,

 

First, you need to create 2 access lists (the users_subnet / server_subnet values are placeholders for your own prefixes and wildcards; the wildcard for a /25 is 0.0.0.127):

ip access-list extended PBR-ISP1
 remark keep user-to-server traffic out of PBR
 deny   ip users_subnet users_wildcard server_subnet server_wildcard
 permit ip 192.168.1.0 0.0.0.127 any

ip access-list extended PBR-ISP2
 remark keep user-to-server traffic out of PBR
 deny   ip users_subnet users_wildcard server_subnet server_wildcard
 permit ip 192.168.1.128 0.0.0.127 any

 

Why deny? Because you will use PBR only for routing traffic towards the internet, so the deny statement lets the route-map not match traffic from the user LAN to the servers.

Why such a permit? Well, it's only an example; I don't know how you would like to identify "some" users, maybe by the destination port? It depends on you how you will match these users.

Now you have to create a route-map where the first permit sequence has a match statement that points to the first access list and a "set ip next-hop" statement that points to the desired ISP, let's say 0/2.2. Then you create a second permit sequence with a match statement that points to the second access list and a "set ip next-hop" statement that points to the other ISP, for example 0/2.2000. Now you have to add a third permit sequence and leave it empty, so all the traffic that didn't match the first and second will just be forwarded normally as per the router's routing table. Then you apply this policy-based routing on the user interface, which is g0/0.

Dear Kubn2

 

What about the ip nat statement? Should I have two, one for each category of users?

 

balaji.bandi
Hall of Fame

Post the current configuration so we can suggest better. Also, do you need failover from ISP1 to ISP2 (and vice versa) if one goes down, or just black-hole the traffic?

 

BB


Hi Balaji Bandi,

 

No need of Failover configuration.

 

Here is my current configuration.

Hello
Sounds like you don't require two default routes; just one would be applicable, and this would point to the ISP you designate as the primary ISP. It would also be a conditional default, meaning that if you lost connectivity towards that ISP then an additional default would be applied pointing to the secondary ISP.

As for your policy-based routing, the route-map should relate only to the traffic you wish to be policy-routed via the secondary ISP, so that any other traffic which doesn't relate to the PBR will be routed normally via the router's default path (primary ISP).

Please see attached file.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Dear Paul,

 

Could you please check the attached configuration file.

I have only 1 default route to the principal ISP.

Once I apply the command ip policy route-map PBR to the users' interface, the users who are supposed to use ISP1 notice an increase in latency to the internet (pinging 8.8.8.8) and to the servers.

Meanwhile the others (who are supposed to use ISP2) have no internet access.

Hello
Okay, you don't wish to have any resiliency (not recommended). So, based on just the configuration you've supplied, you need to separate the PBR route-map and the NAT route-map, and also include an interface on your default static route.

no ip route 0.0.0.0 0.0.0.0 41.215.253.17
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2.2 41.215.253.17

no ip nat inside source list 2 interface GigabitEthernet0/2.2 overload
no ip nat inside source route-map PBR interface GigabitEthernet0/2.2000 overload

route-map NAT-ISP1 permit 10
 match ip address 2
 match interface GigabitEthernet0/2.2

ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/2.2 overload

route-map NAT-ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/2.2000

ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/2.2000 overload

 

 



Kind Regards
Paul
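The following is an added worked example (not the thread's own configuration and not anything either kubn2 or Paul posted) that puts the two pieces of advice above together: kubn2's three-sequence PBR route-map with a deny for user-to-server traffic, and Paul's separate per-ISP NAT route-maps that match on the egress interface. Assumptions, which are not in the thread: users are 192.168.1.0/24 split into 192.168.1.0/25 (ISP1) and 192.168.1.128/25 (ISP2), following kubn2's example ranges; the server subnet is 10.10.10.0/24 (placeholder); the ISP2 next hop is 203.0.113.1 (documentation placeholder); the G0/2 subinterfaces and their dot1Q encapsulation already exist. The ISP1 next hop 41.215.253.17 is the one given in the thread.

```cisco
! Added example configuration, not from the thread. Placeholders: 10.10.10.0/24
! (servers) and 203.0.113.1 (ISP2 next hop) are assumed values.
!
! --- Selection ACLs for PBR ---
! The deny line keeps LAN-to-server traffic out of the policy so that it is
! forwarded by the normal routing table (kubn2's point).
ip access-list extended PBR-ISP1
 deny   ip 192.168.1.0 0.0.0.127 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.127 any
ip access-list extended PBR-ISP2
 deny   ip 192.168.1.128 0.0.0.127 10.10.10.0 0.0.0.255
 permit ip 192.168.1.128 0.0.0.127 any
!
! --- PBR route-map ---
! seq 10 and 20 steer internet-bound traffic per user half; seq 30 is the
! empty catch-all so everything else follows the routing table.
route-map PBR permit 10
 match ip address PBR-ISP1
 set ip next-hop 41.215.253.17
route-map PBR permit 20
 match ip address PBR-ISP2
 set ip next-hop 203.0.113.1
route-map PBR permit 30
!
! PBR is an ingress policy: apply it only on the user-facing interface.
interface GigabitEthernet0/0
 ip nat inside
 ip policy route-map PBR
interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/2.2
 ip nat outside
interface GigabitEthernet0/2.2000
 ip nat outside
!
! --- NAT, separated from PBR (Paul's point) ---
! One route-map per ISP. The NAT ACL covers all inside prefixes; the
! "match interface" line is what ties a translation to the link the packet
! actually leaves on, so a flow policy-routed to ISP2 is never translated
! with ISP1's address.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
 permit 10.10.10.0 0.0.0.255
route-map NAT-ISP1 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/2.2
route-map NAT-ISP2 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/2.2000
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/2.2 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/2.2000 overload
!
! Single default route via ISP1, with the interface named as Paul advised.
! ISP2 is only ever reached through the PBR next hop.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2.2 41.215.253.17
```

If you follow Paul's variant instead (policy-route only the ISP2 users and let ISP1 users take the default route), drop sequence 10 and the PBR-ISP1 ACL; the NAT side stays the same because it is keyed on the egress interface rather than on which users were policy-routed. To check that the policy is doing what you expect, `show route-map PBR` reports per-sequence match counters, and `show ip nat translations` shows which outside address each inside host is being translated to.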

Hello Paul

 

When I apply your config, ACL 2 users can reach the internet and the servers, but ACL 101 users can reach only the servers; they don't have internet access.

 

 

Hello
It's all to do with the policy route. At present you are applying PBR only to the LAN user interface, which matches all traffic from the hosts

192.168.29.130
192.168.29.101

These will be PBR'd towards ISP2, so if ISP2 isn't providing internet then these hosts won't have it. However, the policy map isn't applied to the server interface, so all traffic from that interface is going via the default route, and the NAT ACL via ISP1 isn't defined for that interface or any traffic originating from it.

If you don't want all traffic from that interface, or from certain specific hosts, to go via ISP2 then you need to be more specific in the PBR access list.

So before providing an update to your configuration, can you elaborate on exactly how you wish the routing for these hosts to be?

 

 



Kind Regards
Paul