Redirect HTTP traffic to a website with NBAR/PBR on 7206

petrov761
Level 1

Hello,

I am having the following dilemma - I need to make sure that all the HTTP traffic with a specific source IP and a specific destination which is an FQDN is being redirected to a special server, different from the original destination.

Example:

WWW request incoming from source IP address 1.1.1.1 has a destination website of "test.com" and this traffic is going via my 7206 VXR. At the same time, WWW traffic from 1.1.1.1 to another website, and also other types of traffic, FTP and so on, are coming from 1.1.1.1 to "test.com". Also, WWW traffic is coming towards "test.com" from many other source IP addresses.

I need to make sure I only match the HTTP traffic from exactly 1.1.1.1 to "test.com" and nothing else. After I match it, I need to redirect it to another exit point, rather than the default routing table decision. That would have been extremely easy with PBR if I only had the requirement of matching on source and destination IP and then setting the ip next-hop. But here we cannot match on destination IP because we don't know it (the domain name will resolve to different IPs from a cloud, so using IPs is not an option); we have to match on the domain name as a destination. And we only have to match HTTP traffic, and only from that specific source IP address.

We could use NBAR classification to match http traffic towards the website, something like this:

class-map match-all TestClass
  match access-group name SOURCE-IP
  match protocol http host *test.com*
  ! or I can use: match protocol http url *something more specific*

policy-map TestPolicy
  class TestClass
  set ...
  ! and here comes the restriction: there is no way I can set ip next-hop like in a route-map for PBR.

On the other hand, if I use only PBR with route-maps, etc., there is no such granularity in the match conditions so that I can match on the HTTP header... So I need something like a combination of both NBAR classification and PBR...

Any ideas how to do this on a single 7206VXR box with 12.2(31)SB18? Or do I need a more recent IOS?

Thanks a lot in advance!

BR,

Peter

3 Replies

petrov761
Level 1

Guys, isn't there any way this can be done? That is kind of urgent for me and I would really appreciate any input here.

Thank you very much in advance!

Peter

Jon Marshall
Hall of Fame

Peter

I was wondering if you could match the packets with NBAR and set the IP precedence/DSCP, for example, and then use an access-list in PBR to match on those settings. So I did a quick search on this and found another post on CSC doing that very thing. Unfortunately it doesn't seem to work for the poster -

https://supportforums.cisco.com/thread/2035564

I thought it might be the IOS order of operations, but I believe that classification/marking comes before PBR, so in theory it should have worked. Perhaps you could try it on your router.

Other than that, PfR allows matching traffic with NBAR and setting a next-hop IP (if you have the right IOS, and I don't think you do at the moment). However, I have never used PfR, so I do not know that you can combine the two things to achieve what you want.

So please do not go out and upgrade your IOS for PfR without doing some further investigation, because I only did a quick look at the PfR documentation.

Sorry I couldn't be more help.

Jon
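A worked version of the mark-then-PBR idea Jon describes, written here as an added illustration; it is not configuration from this thread or from the linked CSC post. It assumes the source ACL is named SOURCE-IP as in Peter's snippet, that GigabitEthernet0/1 is the ingress interface on which traffic from 1.1.1.1 arrives, and that 192.0.2.1 is the next hop towards the special server; all three are placeholders. NBAR marks the matched flow with DSCP CS5 on ingress, and the PBR route-map matches that marking through an extended ACL. Whether marking really happens before PBR on this platform and release is exactly the open question in the thread, so the counters below need checking before relying on it.

```ios
! Placeholder source ACL, same name as in the original post
ip access-list extended SOURCE-IP
 permit ip host 1.1.1.1 any
!
! NBAR classification: source 1.1.1.1 AND HTTP with Host header matching test.com
class-map match-all TestClass
 match access-group name SOURCE-IP
 match protocol http host *test.com*
!
! Mark the matched flow; reset every other packet on this interface so a
! client that pre-marks its own packets with CS5 cannot get unrelated HTTP
! traffic steered by the route-map below
policy-map TestPolicy
 class TestClass
  set dscp cs5
 class class-default
  set dscp default
!
! PBR only sees the marking, so the ACL re-states source and port to stay narrow
ip access-list extended MARKED-HTTP
 permit tcp host 1.1.1.1 any eq www dscp cs5
!
route-map REDIRECT permit 10
 match ip address MARKED-HTTP
 set ip next-hop 192.0.2.1
!
! Both the marking policy and the PBR policy go on the ingress interface (placeholder name)
interface GigabitEthernet0/1
 service-policy input TestPolicy
 ip policy route-map REDIRECT
```

Verify with show policy-map interface GigabitEthernet0/1 that the TestClass counters increment for a test request from 1.1.1.1 to test.com, and with show route-map REDIRECT that the policy-routed packet counter increments as well; if the first moves and the second does not, marking is not visible to PBR on that release and the approach cannot work there. Drop the class-default re-marking if DSCP values from that interface must be preserved for QoS downstream. One more design caveat: NBAR can only recognise the Host header once the HTTP request has been sent, so the TCP handshake is forwarded by the normal routing table and only later packets carry the mark; redirecting the remaining packets of an already established TCP session to a different host does not yield a working connection, so this technique needs to be tested with a real client rather than judged from counters alone.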

Thanks a bunch, Jon, let me try this and I will come back early next week if it works for me before upgrading and trying the PfR.

Cheers,

Peter
