01-06-2009 03:21 PM - edited 03-06-2019 03:16 AM
Hi netpros,
I need to control packets sourced by two proxy servers so that they take different paths. Example .. Proxy1 should send packets to Router1 and Proxy2 should send packets to Router2. At the same time I need to make sure that Proxy1 can send packets to Router2 if Router1 is not available (similar thing with Proxy2). I am hoping this can be achieved by using PBR. Please note the device(s) I will be using for policy based routing might not be directly connected to Router1 and Router2, and so some kind of IP reachability feature might need to be used in order to track the mentioned routers.
Your help is much appreciated.
01-06-2009 04:59 PM
Hello Fernando,
Are router 1 and router 2 on the same LAN? I mean connected to the same switch? Yes.. you have to do policy based routing.. PBRs are normally done close to the exit point.. if your routers terminate on a layer 3 switch, like a 6500, you can configure PBR on the incoming VLAN interface, and point the next hop to either router 1 or router 2.. the catch here is if the internet link goes down in router 1, the switch will not be aware of it, and will send it to router 1, since the next hop is reachable.. hence router 1 and router 2 should have some other connection to forward the packets to, like a B2B connection.. If R1 & R2 are in the same LAN, then you can configure PBR on router 1 itself, and point to Router 2 for Proxy 2 traffic.
Note - In any case only the outgoing traffic is load shared between R1 & R2, using PBR.. the incoming traffic still would come through either R1 or R2, however you have advertised the route, which can cause asymmetric routing.. if you need your incoming also to be load shared, then you should have proxy 1 on a different subnet than proxy 2, and use protocols like BGP to selectively advertise the proxy 1 subnet through R1, and the proxy 2 subnet through R2 !! way to go....
Hope this helps.. all the best..
Raj
01-11-2009 02:50 AM
Hi Raj,
Appreciate your comments. The idea is to load share both inbound and outbound traffic. I see what you mean by .. "if you need your incoming also to be load shared, then you should have proxy 1 on a different subnet than proxy 2.." .. At the moment the proxies are on the same segment and on the Internal Network (not DMZ) .. but I will definitely keep your comments in mind when moving forward. The only challenge I am having difficulties to resolve is how to route outbound traffic to the other border router (R1 or R2) if one fails (not necessarily the ISP link itself, which could be solved with BGP) using PBR, because R1 and R2 belong to the same segment but are physically located in different buildings, terminating on two Catalyst 4K series switches respectively, which are trunked by an EtherChannel.
Any ideas..?
01-11-2009 09:05 AM
The only challenge I am having difficulties to resolve is how to route outbound traffic to the other border router (R1 or R2) if one fails
You mentioned in the initial post that R1 and R2 are not directly connected. You have an option on PBR to set the next-hop to be recursive.
Please refer to the documentation:
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi2.html#wp1012397
Depending on the IOS version and hardware used, this feature may not be supported.
HTH,
__
Edison.
01-12-2009 05:16 PM
Great link .. thanks Edison
01-12-2009 02:45 AM
Hello Fernando,
I will make some assumptions to address your query, but I hope that you will get the idea....
If your proxy servers are connected to a device (I will assume an L3 switch), you can apply PBR and an IP SLA ICMP Echo Operation to track the path through the individual routers; this way you can track the routers as well as the internet connectivity. Here's how you do it...
configure these routes on the switches:-
ip route 4.2.2.2 255.255.255.255
ip route 4.2.2.1 255.255.255.255
then configure the IP SLA ICMP Echo Operation as follows
=============================================
ip sla 1
icmp-echo 4.2.2.2 !Ping through Router 1
timeout 2500
frequency 3
exit
track 1 ip sla 1 reachability
OR
track 1 rtr 1 reachability
delay down 10
exit
ip sla schedule 1 life forever start-time now
=============================================
ip sla 2
icmp-echo 4.2.2.1 !Ping through Router 2
timeout 2500
frequency 3
exit
track 2 ip sla 2 reachability
OR
track 2 rtr 2 reachability
delay down 10
exit
ip sla schedule 2 life forever start-time now
=============================================
configure two ACLs to match the IP addresses of the two proxy servers, e.g.
access-list 101 permit ip
access-list 102 permit ip
you can configure specific port numbers, e.g. http, ftp, smtp etc., to be more specific as to what traffic you would send to the internet...
Now configure PBR as usual but with the following next-hop config:
class-map One
match ip address 101
class-map Two
match ip address 102
policy-map PBR
class One
set ip next-hop verify-availability
set ip next-hop verify-availability
class Two
set ip next-hop verify-availability
set ip next-hop verify-availability
interface vlan
ip policy route-map PBR
The IP SLA ICMP Echo Operation will poll or ping both the routers, and the one which is up will be used... if your proxy servers are on different VLANs then apply one policy per VLAN.. You would require Advanced IP Services for the IP SLA feature..
Hope this helps
and rate if helpful :-)
Regards
Rohit
01-12-2009 04:03 AM
Hello Fernando....
Sorry, I made a configuration mistake (PBR) in my previous post....
Here it is----
route-map xyz
match ip address 101
set ip next-hop verify-availability
set ip next-hop verify-availability
match ip address 102
set ip next-hop verify-availability
set ip next-hop verify-availability
Regards
Rohit
01-12-2009 06:02 AM
set ip next-hop verify-availability
Be careful with 'verify-availability'. This option employs CDP and if the next-hop is not directly connected, this option will cause adverse effects.
The track approach may be useful for the implementation, though.
__
Edison.
01-12-2009 10:58 AM
Hello Edison,
Yes, you are right, but there are two ways of tracking a PBR next hop.. The 1st one is the "verify-availability" method, which indeed uses CDP, and the command looks like
set ip next-hop 1.1.1.1
set ip next-hop verify-availability
The second method is when you specify the option 'track'. This option doesn't rely on CDP; rather it uses the track (IP SLA or RTR) configuration for verification, and the command looks like
set ip next-hop verify-availability x.x.x.x 1 track 10
Visit for more details:
http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_s1gt.html#wp1091258
Regards
Rohit
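Putting Rohit's IP SLA/track procedure (first post) together with the track-based 'verify-availability' syntax from his last post, as an added example that is not from any post in this thread. The router addresses (192.0.2.1 for R1, 192.0.2.2 for R2), the proxy addresses (10.0.10.11 and 10.0.10.12 on Vlan10), and the ACL, route-map and sequence names are all assumed values; the probe targets 4.2.2.2 and 4.2.2.1 are the ones Rohit used.

```cisco
! Assumed addressing (not from the thread): R1 = 192.0.2.1, R2 = 192.0.2.2,
! Proxy1 = 10.0.10.11, Proxy2 = 10.0.10.12, both on Vlan10 of the L3 switch.
!
! Pin each probe target to one router, so a probe only succeeds if that router
! AND its internet path are up. Without these host routes a probe could follow
! the default route through the surviving router and hide the failure.
ip route 4.2.2.2 255.255.255.255 192.0.2.1
ip route 4.2.2.1 255.255.255.255 192.0.2.2
!
ip sla 1
 icmp-echo 4.2.2.2 source-interface Vlan10
 frequency 3
 timeout 2500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.1 source-interface Vlan10
 frequency 3
 timeout 2500
ip sla schedule 2 life forever start-time now
!
! Dampen flapping: require 10 s of failed (or restored) probes before
! the track object changes state.
track 1 ip sla 1 reachability
 delay down 10 up 10
track 2 ip sla 2 reachability
 delay down 10 up 10
!
ip access-list extended PROXY1
 permit ip host 10.0.10.11 any
ip access-list extended PROXY2
 permit ip host 10.0.10.12 any
!
! The sequence number orders the candidates: the lowest-numbered next hop
! whose track object is up is used, so each proxy prefers its own router
! and fails over to the other one. No CDP is involved with the track form.
route-map PBR-PROXIES permit 10
 match ip address PROXY1
 set ip next-hop verify-availability 192.0.2.1 10 track 1
 set ip next-hop verify-availability 192.0.2.2 20 track 2
route-map PBR-PROXIES permit 20
 match ip address PROXY2
 set ip next-hop verify-availability 192.0.2.2 10 track 2
 set ip next-hop verify-availability 192.0.2.1 20 track 1
!
interface Vlan10
 ip policy route-map PBR-PROXIES
```

If both track objects are down, neither set succeeds and the packet falls back to the normal routing table, so the switch still needs a sensible default route for that case.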
01-12-2009 05:00 PM
Thanks Rohit .. that was very helpful .. It sounds like it might do exactly what I was looking for. Appreciate your feedback.