Cisco PBR - send traffic via 2 ISPs with NAT Overload (PAT)
From Ever changing code
This scenario shows how to manipulate IP traffic routes based on the source using PBR (Policy Based Routing) and route-map command. This scenario does not cover a fail-over, backup internet access - it simply:
- sends all VLAN10 traffic via ISP1
- sends all VLAN20 traffic via ISP2
Traffic is flowing from C2 (VLAN10) and C3 (VLN20) via WAN router which acts as a access edge router to Internet and does NAT Overload (PAT) on its relevant wan side links. There are 2 independent service providers ISP1 and ISP2. For purpose of this lab ISPs wan side links are bridged to the host laptop network Ethernet card.
The company wants that all traffic directed to Internet from VLAN10 flows via ISP1 and VLAN20 traffic is sent via ISP2. This will be achieved using PBR route-map.
- Extended ACLs will catch specific traffic based on a source IP
- Route-map statement sets up default next-hop ip address. Policy Based Routing included in route-map statements overrides a routing table.
- PBR policy is applied to the incoming interfaces. Here Gi1/0 for VLAN10 traffic and Gi2/0 for VLAN20 traffic.
- NAT Overload is applied between relevant interfaces eg. VLAN10: inside Gi1/0 -> outside Fa0/0
WAN#sh running-config version 15.1 ! hostname WAN ! ip source-route ip cef no ipv6 cef ! multilink bundle-name authenticated redundancy ! interface FastEthernet0/0 description -> WAN link to ISP1 ip address 184.108.40.206 255.255.255.248 ip nat enable ! PAT, this is outside interface to ISP1 duplex full ! required for GNS3 speed 100 ! required for GNS3 ! interface FastEthernet0/1 description -> WAN link to ISP2 ip address 220.127.116.11 255.255.255.248 ip nat enable ! PAT, this is outside interface to ISP1 duplex full speed 100 ! interface GigabitEthernet1/0 description -> VL10 Users ip address 10.0.10.1 255.255.255.0 ! GW for VLAN10 hosts ip nat enable ! PAT, inside interface for ISP1 ip policy route-map isp1 ! PBR policy 'isp1' applied to the interface negotiation auto ! interface GigabitEthernet2/0 description -> VL20 Guest ip address 10.0.20.1 255.255.255.0 ! GW for VLAN20 hosts ip nat enable ! PAT, inside interface for ISP2 ip policy route-map isp2 ! PBR policy 'isp2' applied to the interface negotiation auto ! ip forward-protocol nd ! ip nat source list fromVLAN10 interface FastEthernet0/0 overload ! PAT of all VLAN10 traffic on Fa0/0 connected to ISP1 ip nat source list fromVLAN20 interface FastEthernet0/1 overload ! PAT of all VLAN20 traffic on Fa0/1 connected to ISP2 ! ip access-list extended fromVLAN10 permit ip 10.0.10.0 0.0.0.255 any ! Catch all traffic if is coming from VLAN10 10.0.10.0/24 network ! ip access-list extended fromVLAN20 permit ip 10.0.20.0 0.0.0.255 any ! Catch all traffic if is coming from VLAN20 10.0.20.0/24 network ! route-map isp1 permit 10 ! Policy to send VLAN10 traffic via ISP1 description Set next hop via ISP1 match ip address fromVLAN10 ! Applies action statements below if matches extended ACL named 'fromVLAN10' set ip default next-hop 18.104.22.168 ! Sets next hop to ISP1 router, overrides a routing table statements ! route-map isp2 permit 10 ! Policy to send VLAN20 traffic via ISP2 description Set next hop via ISP2 match ip address fromVLAN20 ! Applies action statements below if matches extended ACL named 'fromVLAN20' set ip default next-hop 22.214.171.124 ! Sets next hop to ISP2 router, overrides a routing table statements
A router makes a difference between traffic that is originating from the router and traffic that is flowing through the router. The command below will activate policy based routing for traffic that is originated by the router itself
WAN(config)#ip local policy route-map PBR
In my example I activated policy based routing for traffic flowing through router WAN therefore I applied to the ingress interface:
WAN(config)#interface GigabitEthernet1/0 WAN(config-if)#ip policy route-map isp1
debug ip policy ! enables PBR debugging
Ping from VPCS 10.0.10.10 (C2 on the topology diagram above) to a server on Internet 126.96.36.199
VPCS> ping 188.8.131.52 *184.108.40.206 icmp_seq=1 ttl=254 time=40.181 ms (ICMP type:3, code:1, Destination host unreachable)
Enable PBR debugging
WAN#debug ip policy *Aug 24 20:18:39.615: IP: s=10.0.10.10 (GigabitEthernet1/0), d=220.127.116.11, len 92, FIB policy match *Aug 24 20:18:39.619: IP: s=10.0.10.10 (GigabitEthernet1/0), d=18.104.22.168, len 92, PBR Counted *Aug 24 20:18:39.623: IP: s=10.0.10.10 (GigabitEthernet1/0), d=22.214.171.124, len 92, FIB policy match *Aug 24 20:18:39.643: IP: s=10.0.10.10 (GigabitEthernet1/0), d=126.96.36.199, len 92, policy match *Aug 24 20:18:39.647: IP: route map isp1, item 10, permit *Aug 24 20:18:39.651: IP: s=10.0.10.10 (GigabitEthernet1/0), d=188.8.131.52 (FastEthernet0/0), len 92, policy routed *Aug 24 20:18:39.655: IP: GigabitEthernet1/0 to FastEthernet0/0 184.108.40.206
Dump of a routing table, please notice that there is no default route. Any other than locally connected traffic that does not match ACL will not be forwarded.
WAN#sh ip route | exclude L <--- output omitted ----> Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks C 10.0.10.0/24 is directly connected, GigabitEthernet1/0 C 10.0.20.0/24 is directly connected, GigabitEthernet2/0 220.127.116.11/8 is variably subnetted, 2 subnets, 2 masks C 18.104.22.168/29 is directly connected, FastEthernet0/1 22.214.171.124/24 is variably subnetted, 2 subnets, 2 masks C 126.96.36.199/29 is directly connected, FastEthernet0/0