Route return traffic based on ingress interface

flanger
Level 1

Hello everyone,

I wonder if it's possible to set up PBR, or any other means, to route traffic back via a specific IP/next-hop based on the ingress interface.

I have an IOS-XE router with two ISP uplinks. ISP1 is a traditional PAT with a default route, and everything is straightforward there. ISP2, on the other hand, will be used only for incoming connections from the outside world via static NAT (port forwards), and there is no way to route the return traffic via static routes, as the source public IP addresses are mostly dynamic. Is there any way to set up PBR to route back via the ISP2 gateway, based on traffic ingressing from its interface?


4 Replies

M02@rt37
VIP

Hello @flanger,

Yes, it's possible to set up PBR to route traffic back via a specific IP/next-hop based on the ingress interface. To achieve this, you can use the [set ip next-hop] command in a route map that is applied to the ingress interface.

Example:

! ACL selecting the traffic to be policy-routed (here: everything)
ip access-list extended ISP2-ACL
 permit ip any any
!
! Route map: matching traffic is handed to the ISP2 gateway
route-map ISP2-RM permit 10
 match ip address ISP2-ACL
 set ip next-hop <ISP2-Gateway-IP>
!
! Apply the policy to the interface on which the traffic arrives
interface GigabitEthernet0/1
 ip policy route-map ISP2-RM

The access-list ISP2-ACL is used to match traffic coming in from the interface connected to ISP2. The route map ISP2-RM is then used to apply the [set ip next-hop] command to the matching traffic. Finally, the interface connected to ISP2 is configured to use the route map for policy-based routing.

You will need to replace ISP2-Gateway-IP with the IP address of the gateway provided by ISP2.

-- You may need to adjust the ACL to match the traffic you want to route back via ISP2.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

The key is the ACL in the PBR.
Do you use static NAT for a whole IP or for a UDP/TCP port?
Use an extended ACL with the following:

permit ip/udp/tcp <server inside private ip> any

Now, when the return traffic hits this, it will use PBR, not the RIB, to forward the traffic.

Thank you for the answer!
I was thinking about something similar, but got confused about how to construct the flow logic correctly, as PBR doesn't have a direction when attached to the interface. Yes, I have one specific TCP port forwarded, which public clients will access. I guess I will match the local server's RFC1918 IP with this forwarded port as the source port, and it should work then.

Thanks again.

flanger
Level 1

Just to clarify: I had to apply the PBR on the interface to which the server is connected, not on the upstream interface. Otherwise the return traffic hitting the router from the server would follow the default route and never "reach" the PBR. This might defeat the original purpose of route manipulation governed by the ingress upstream interface; nevertheless, as the source port can be matched, it's still flexible enough to have the server PAT/routed through one direction, while accepting requests on a specific port from the other.
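To tie the three posts above together, here is a complete IOS-XE configuration of the design the thread converges on: a static TCP port forward on ISP2, an extended ACL keyed on the server's inside (pre-NAT) address and the forwarded port as source port, and the route map applied on the LAN-facing interface where the server's replies actually enter the router. This is an added example and not configuration posted by anyone in the thread; the interface names, addresses, the port 8443 and the gateway addresses are assumed values chosen for illustration.

```cisco
! Added example (not from the thread). Assumed topology:
!   Gi0/0  ISP1 uplink, PAT + default route   203.0.113.2/30,  gateway 203.0.113.1
!   Gi0/1  ISP2 uplink, static port forward  198.51.100.2/30, gateway 198.51.100.1
!   Gi0/2  LAN, server 192.168.10.20 listening on TCP 8443
!
! Default route via ISP1: all traffic the policy does not claim goes this way.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ! The policy must sit here, on the server-facing interface: the server's
 ! replies ingress on Gi0/2, and PBR is evaluated on the ingress interface
 ! before the RIB default route would send them out via ISP1.
 ip policy route-map VIA-ISP2
!
! Outbound PAT for the LAN through ISP1.
ip access-list standard LAN-NETS
 permit 192.168.10.0 0.0.0.255
ip nat inside source list LAN-NETS interface GigabitEthernet0/0 overload
!
! Port forward on ISP2: 198.51.100.2:8443 -> 192.168.10.20:8443.
ip nat inside source static tcp 192.168.10.20 8443 198.51.100.2 8443
!
! Select only the server's replies for the forwarded service. Inside-to-outside
! packets are policy-routed before NAT, so the ACL sees the private address;
! the forwarded port is the SOURCE port of the reply. Any other traffic the
! server originates (updates, outbound connections) does not match and still
! follows the default route through ISP1's PAT.
ip access-list extended ISP2-RETURN
 permit tcp host 192.168.10.20 eq 8443 any
!
route-map VIA-ISP2 permit 10
 match ip address ISP2-RETURN
 set ip next-hop 198.51.100.1
!
! Verification (run from privileged EXEC):
!   show route-map VIA-ISP2                 - policy match counters increase
!   show ip nat translations | include 8443 - the static entry and live sessions
!   show ip policy                          - confirms Gi0/2 carries the policy
```

A useful sanity check after applying it: open a connection to 198.51.100.2:8443 from outside, then confirm the `show route-map` packet counter moves and that `show ip nat translations` shows the session on the ISP2 address; if the counter stays at zero, the policy is on the wrong interface or the ACL is matching the wrong port direction.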
