04-17-2023 06:01 AM - last edited on 04-27-2023 10:24 PM by Translator
Hello everyone,
I wonder if it's possible to set up PBR, or any other means, to route traffic back via a specific IP/next-hop based on the ingress interface.
I have an IOS-XE router with two ISP uplinks. ISP1 is a traditional PAT with the default route, and everything is straightforward here. ISP2, on the other hand, will be used only for incoming connections from the outside world via static NAT (port forwards), and there is no way to route return traffic via static routes, as the source public IP addresses are mostly dynamic. Is there any way to set up PBR to route back via the ISP2 gateway, based on ingress traffic from its interface?
04-17-2023 06:38 AM - last edited on 04-28-2023 02:41 AM by Translator
The key is the ACL in PBR.
Do you use static NAT for an IP, or for a UDP/TCP port?
Use an extended ACL with the following:
permit ip/udp/tcp <server inside private ip> any
Now, when return traffic hits this, it will use PBR, not the RIB, to forward the traffic.
04-17-2023 06:16 AM - last edited on 04-28-2023 03:11 AM by Translator
Hello @flanger,
Yes, it's possible to set up PBR to route traffic back via a specific IP/next-hop based on the ingress interface. To achieve this, you can use the [set ip next-hop] command in a route map that is applied to the ingress interface.
Example:
! ACL that selects the traffic to be policy-routed
ip access-list extended ISP2-ACL
 permit ip any any
! route map that sends matching traffic to the ISP2 gateway
route-map ISP2-RM permit 10
 match ip address ISP2-ACL
 set ip next-hop <ISP2-Gateway-IP>
! apply the route map on the interface connected to ISP2
interface GigabitEthernet0/1
 ip policy route-map ISP2-RM
The access-list ISP2-ACL is used to match traffic coming in from the interface connected to ISP2. The route map ISP2-RM is then used to apply the [set ip next-hop] command to the matching traffic. Finally, the interface connected to ISP2 is configured to use the route map for policy-based routing.
You will need to replace ISP2-Gateway-IP with the IP address of the gateway provided by ISP2.
--You may need to adjust the ACL to match the traffic you want to route back via ISP2.
04-17-2023 06:42 AM
Thank you for the answer!
I was thinking about something similar, but got confused about how to construct the flow logic correctly, as PBR doesn't have a direction when attached to the interface. Yes, I have one specific TCP port forwarded that public clients will access. I guess I will match the local server's RFC1918 IP with this forwarded port as the source port, and it should work then.
Thanks again.
04-17-2023 11:50 AM - edited 04-17-2023 01:57 PM
Just to clarify: I had to use PBR on the interface to which the server is connected, not the upstream interface. Otherwise, return traffic hitting the router from the server will follow the defroute and never "reach" PBR. This might defeat the original purpose of route manipulation governed by the ingress upstream interface; nevertheless, as the source port can be matched, it's still flexible enough to have the server PAT/routed through one direction while accepting requests on a specific port from another.