05-04-2016 03:10 PM - edited 03-05-2019 03:57 AM
I have an interesting application I'm prototyping, but have some questions as to its feasibility using current IOS software.
Essentially, I have a Cisco router with a LAN interface. By default, all web traffic received on that interface hits a route-map which matches on TCP:80 and TCP:443. Traffic that matches that route-map gets forwarded over a tunnel interface to my application.
My application makes a decision on the traffic: trusted, or untrusted. If the traffic is untrusted, I do some accounting in my application, it's forwarded along and everything works fine.
For trusted traffic, I'd like to "tell the router" that for this IP address, send the traffic to a different interface.
I managed to publish BGP (/32) routes for these addresses to the Cisco. Now, what I would like to do is have the Cisco use a route-map on two different interfaces.
On one interface, I'd like the Cisco to match any address that matches the source of the published route, and on the other, the destination.
I will then set the egress interface appropriately.
Is this possible? I see ways to do matching based on BGP community, but I fear that would only let me match on destination.
05-04-2016 06:39 PM
Untested.
Let's pretend you are BGP AS 65534, and that is what the routes you are advertising appear to come from.
! Web traffic arriving from the LAN (assumed here to be VLAN 1)
ip access-list extended fromVLAN1
 permit tcp any any eq www
 permit tcp any any eq 443
! Prefixes whose AS path is exactly the application's AS 65534
ip as-path access-list 1 permit ^65534$
! Sequence 10 is meant to catch destinations learned from AS 65534;
! sequence 20 sends all remaining 80/443 traffic to the application
route-map fromVLAN1 permit 10
 match as-path 1
 set ip next-hop a.b.c.d
route-map fromVLAN1 permit 20
 match ip address fromVLAN1
 set ip next-hop e.f.g.h
! The route-map only takes effect once applied to the ingress interface (name assumed)
interface Vlan1
 ip policy route-map fromVLAN1
05-05-2016 01:42 AM
Hi,
I'm afraid this would not work.
IMHO, you can't match as-path within a route-map used for PBR, as the data packet does not include any as-path info?
BR,
Milan
05-05-2016 04:57 AM
I thought of another approach. It requires that your router have no routes configured by default, and purely uses policy routing to select the next hop.
If you used the action "set ip default next-hop a.b.c.d" the router will only use the PBR if there is no route already in the routing table. So to begin with, it will send it to a.b.c.d (because there are no routes). If you then inject a /32 the PBR will stop working for that destination, since that route is now in the routing table.
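To make the mechanism in this reply concrete, here is an added example (not code from the thread or from Cisco) that models the difference between "set ip next-hop" and "set ip default next-hop" against a small longest-prefix-match routing table. It assumes the documented IOS semantics: "set ip next-hop" applies to every packet that matches the route-map, while "set ip default next-hop" is consulted only when the routing table has no explicit route for the destination, and a default route 0.0.0.0/0 does not count as explicit (so the approach also works with a default route present). The ACL ports are the ones from the thread; all addresses and next hops are made up.

```python
# Added example (not from the thread or from Cisco): a small model of how
# policy-based routing interacts with the routing table, so the trick
# described above can be reasoned about before touching a router.
# Assumed IOS semantics: "set ip next-hop" applies to every packet that
# matches the route-map, while "set ip default next-hop" applies only when
# the RIB has no explicit route, and a default route 0.0.0.0/0 does NOT
# count as explicit. All addresses and next hops are made up.
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

APP_NEXT_HOP = "10.0.0.2"      # assumed: far end of the tunnel to the application
DIRECT_NEXT_HOP = "192.0.2.1"  # assumed: direct upstream next hop


class Rib:
    """Minimal routing table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self.routes: Dict[IPv4Network, str] = {}

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes[ip_network(prefix)] = next_hop

    def remove(self, prefix: str) -> None:
        self.routes.pop(ip_network(prefix), None)

    def lookup(self, dst: str) -> Optional[Tuple[IPv4Network, str]]:
        addr = ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def matches_web(proto: str, dport: int) -> bool:
    """The ACL from the thread: permit tcp any any eq www / eq 443."""
    return proto == "tcp" and dport in (80, 443)


def forward(rib: Rib, proto: str, dport: int, dst: str, action: str) -> Tuple[Optional[str], str]:
    """Return (next_hop, reason) for one packet on the policy-routed interface.
    action is "next-hop" (set ip next-hop) or "default-next-hop" (set ip default next-hop)."""
    hit = rib.lookup(dst)
    if not matches_web(proto, dport):
        return (hit[1], f"no PBR match, RIB {hit[0]}") if hit else (None, "no route, dropped")
    if action == "next-hop":
        return APP_NEXT_HOP, "PBR: set ip next-hop, RIB ignored"
    if hit is not None and hit[0].prefixlen > 0:          # explicit route, default excluded
        return hit[1], f"explicit RIB route {hit[0]} wins over set ip default next-hop"
    return APP_NEXT_HOP, "PBR: set ip default next-hop, no explicit route"


def trusted_destination_walkthrough() -> List[Tuple[Optional[str], str]]:
    """Replay the sequence from the post: default route only, then a BGP /32 arrives."""
    rib = Rib()
    rib.add("0.0.0.0/0", DIRECT_NEXT_HOP)
    steps = [forward(rib, "tcp", 443, "203.0.113.10", "default-next-hop")]
    rib.add("203.0.113.10/32", DIRECT_NEXT_HOP)     # application marks this destination trusted
    steps.append(forward(rib, "tcp", 443, "203.0.113.10", "default-next-hop"))
    steps.append(forward(rib, "tcp", 443, "203.0.113.11", "default-next-hop"))
    rib.remove("203.0.113.10/32")                   # route withdrawn: PBR takes over again
    steps.append(forward(rib, "tcp", 443, "203.0.113.10", "default-next-hop"))
    return steps


if __name__ == "__main__":
    for nh, why in trusted_destination_walkthrough():
        print(f"{str(nh):<12} {why}")
```

Injecting the /32 takes that destination out of the PBR path, which is the "trusted" behaviour wanted, but the decision is keyed on destination only: once the /32 exists, every host behind the LAN interface reaches that destination directly, whatever the application decided for their individual flows. That is the same source-versus-destination limitation raised in the original question, and withdrawing the route is the only way to put the destination back behind the application.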
05-05-2016 05:31 AM
Hmm, interesting.
Is there any other way (other than a routing protocol) to "inject" what is essentially a dynamic ACL?
05-05-2016 06:23 AM
Hi,
possibly you could tell in more detail what you are trying to achieve exactly?
And what is your application capable of?
I guess using more than one router (or multiple VRFs on one physical router) could make it work while still using a routing protocol?
If not, SNMP could possibly be used, or CLI access as a last resort?
BR,
Milan
05-05-2016 06:26 AM
Hmm, CLI access is a non-starter. BGP or OSPF might be the only way.
The application is basically making a decision based on the SNI headers, sending the flow either direct, or instructing the router to send it to an external secure web gateway.