cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
823
Views
13
Helpful
9
Replies

Question on Policy based routing !!!

Fernando_Meza
Level 7
Level 7

Hi netpros,

I need to control packet sourced by two proxies servers so that they take different paths. Example .. Proxy1 should send packets to Router1 and Proxy2 should send packets to Router2. At the same time I need to make sure that Proxy1 can send packets to Router2 if Router1 is not available (similar thing with Proxy2). I am hoping this can be achieved by using PBR. Please note the device (s) I will be using for policy based routing might not be directly connected to Router1 and Router2 and so some kind of IP reachability feature might need to be used in order to track the mentioned routers.

Your help is much appreciated

9 Replies 9

sachinraja
Level 9
Level 9

hello fernando

is router 1 and router 2 on the same LAN ? i mean connected to the same switch ? ya.. u gotta do policy based routing.. PBRs are normally done close to the exit point.. if your routers terminate on a layer 3 switch, like 6500, u can configure PBR on the incoming VLAN interface, and point the next hop to either router 1 or router 2.. the catch here is if the internet link goes down in router 1, the switch will not be aware of it, and will send it to router 1, since the next hop is reachable.. hence router 1 and router 2 should have some other connection to forward the packets to, like a B2B connection.. If R1 & R2 are in the same LAN, then you can configure PBR on router 1 itself, and point to Router 2,for Proxy 2 traffic

Note - In any case only the outgoing traffic is load shared between R1 & R2, using PBR.. the incoming traffic still would come through either R1 or R2, however u have advertised the route, which can cause asymmetric routing.. if you need ur incoming also to be load shared, then you should have proxy 1 on a different subnet than proxy 2, and use protocols like BGP to selectively advertise proxy1 subnet through R1, and proxy 2 subnet through R2 !! way to go....

Hope this helps..all the best..

Raj

Hi Raj,

Appreciate your comments. The idea is load shared both inbound and outbound traffic. I see what you mean by .. "if you need ur incoming also to be load shared, then you should have proxy 1 on a different subnet than proxy 2.." ..At the moment the proxies are on the same segment and on the Internal Network (not DMZ) .. but I will definitely keep your comments in mind when moving forward. The only challenge I am having difficulties to resolve is how to route outbound traffic to the other border router (R1 or R2) if one fails (not necessarily the ISP link itself which could be solved with BGP)using PBR because R1 and R2 belong to the same segment but are physically located on different buildings, terminating on two Catalysts 4K series respectively which are trunked by an Ethernet channel

Any ideas ..?

The only challenge I am having difficulties to resolve is how to route outbound traffic to the other border router (R1 or R2) if one fails

You mentioned in the initial post that R1 and R2 are not directly connected. You have an option on PBR to set the next-hop to be recursive.

Please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi2.html#wp1012397

Depending on the IOS version and hardware used, this feature may not be supported.

HTH,

__

Edison.

Great link .. thanks Edison

rohitrattan
Level 1
Level 1

Hello Frenando,

I will take some assumptions to address your query but i hope that u will get the Idea....

if your proxy servers are connected to a device (i will assume a L3 Switch), you can apply PBR and IP SLA ICMP Echo Operation to track the path through the individual routers, this way you can track the routers as well as the internet connectivity also. Here's how u do it...

configure these routes on the switches:-

ip route 4.2.2.2 255.255.255.255

ip route 4.2.2.1 255.255.255.255

the configure the IP-SLA ICMP Echo Operation as follows

=============================================

ip sla 1

icmp-echo 4.2.2.2 !Ping through Router 1

timeout 2500

frequency 3

exit

track 1 ip sla 1 reachability

OR

track 1 rtr 1 reachablity

delay down 10

exit

ip sla schedule 1 life forever start-time now

=============================================

ip sla 2

icmp-echo 4.2.2.1 !Ping through Router 2

timeout 2500

frequency 3

exit

track 2 ip sla 2 reachability

OR

track 2 rtr 2 reachablity

delay down 10

exit

ip sla schedule 2 life forever start-time now

=============================================

configure two ACL's to match the IP Addresses of the Two Proxy Servers e.g.

access-list 101 permit ip any

access-list 102 permit ip any

you can configure specific port numbers e.g. http, ftp, smtp etc to be more specific as to what traffic you would send to internet...

Now configure PBR as usual but with the following next-hop config:

class-map One

match ip address 101

class-map Two

match ip address 102

policy-map PBR

class One

set ip next-hop verify-availability track 1

set ip next-hop verify-availability track 2

class Two

set ip next-hop verify-availability track 2

set ip next-hop verify-availability track 1

interface vlan

ip policy route-map PBR

IP SLA ICMP Echo Operation will poll or ping both the routers and the one which is up will be used...if your proxy servers are on different Vlans the apply one policy per Vlan..You would require Advance IP Services for the IP SLA feature..

Hope this Helps

and Rate if Helpful :-)

Regards

Rohit

Hello Fernando....

Sorry i did a configuration mistake (PBR) in my previous post....

Here's it----

route-map xyz

match ip addres 101

set ip next-hop verify-availability track 1

set ip next-hop verify-availability track 2

match ip address 102

set ip next-hop verify-availability track 2

set ip next-hop verify-availability track 1

Regards

Rohit

set ip next-hop verify-availability

Be careful with 'verify-availability'. This option employs CDP and if the next-hop is not directly connected, this option will cause adverse effects.

The track approach may be useful for the implementation, though.

__

Edison.

Hello Edison,

Yes you are right but there are two ways of tracking a PBR Next Hop..The 1st one being the "verify-availability" method which indeed uses CDP and the command looks like

set ip next-hop 1.1.1.1

set ip next-hop verify-availability

The second method is when you specify the the option 'Track'. This option dosen't rely on CDP rather uses the Track (IP SLA or RTR) configuration for verification and the command looks like

set ip next-hop verify-availability x.x.x.x 1 track 10

visit for more details

http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_s1gt.html#wp1091258

Regards

Rohit

Thanks Rohit .. that was very helpful .. It sounds it might do exactly what I was looking for. Appreciate your feedback

Review Cisco Networking for a $25 gift card