Actions

Cisco PBR - send traffic via 2 ISPs with NAT Overload (PAT)

From Ever changing code

Introduction

This scenario shows how to manipulate IP traffic routes based on the source using PBR (Policy Based Routing) and route-map command. This scenario does not cover a fail-over, backup internet access - it simply:

  • sends all VLAN10 traffic via ISP1
  • sends all VLAN20 traffic via ISP2

Design

Traffic is flowing from C2 (VLAN10) and C3 (VLN20) via WAN router which acts as a access edge router to Internet and does NAT Overload (PAT) on its relevant wan side links. There are 2 independent service providers ISP1 and ISP2. For purpose of this lab ISPs wan side links are bridged to the host laptop network Ethernet card.

The company wants that all traffic directed to Internet from VLAN10 flows via ISP1 and VLAN20 traffic is sent via ISP2. This will be achieved using PBR route-map.

  1. Extended ACLs will catch specific traffic based on a source IP
  2. Route-map statement sets up default next-hop ip address. Policy Based Routing included in route-map statements overrides a routing table.
  3. PBR policy is applied to the incoming interfaces. Here Gi1/0 for VLAN10 traffic and Gi2/0 for VLAN20 traffic.
  4. NAT Overload is applied between relevant interfaces eg. VLAN10: inside Gi1/0 -> outside Fa0/0
CiscoPBR-2x-ISPs-PAT Route-map

Configuration

WAN#sh running-config
version 15.1
!
hostname WAN
!
ip source-route
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
redundancy
!
interface FastEthernet0/0
 description -> WAN link to ISP1
 ip address 198.100.200.2 255.255.255.248
 ip nat enable                                ! PAT, this is outside interface to ISP1
 duplex full                                  ! required for GNS3
 speed 100                                    ! required for GNS3
!
interface FastEthernet0/1
 description -> WAN link to ISP2
 ip address 35.100.200.2 255.255.255.248
 ip nat enable                                ! PAT, this is outside interface to ISP1
 duplex full
 speed 100
!
interface GigabitEthernet1/0
 description -> VL10 Users
 ip address 10.0.10.1 255.255.255.0           ! GW for VLAN10 hosts
 ip nat enable                                ! PAT, inside interface for ISP1
 ip policy route-map isp1                     ! PBR policy 'isp1' applied to the interface
 negotiation auto
!
interface GigabitEthernet2/0
 description -> VL20 Guest
 ip address 10.0.20.1 255.255.255.0           ! GW for VLAN20 hosts
 ip nat enable                                ! PAT, inside interface for ISP2
 ip policy route-map isp2                     ! PBR policy 'isp2' applied to the interface
 negotiation auto
!
ip forward-protocol nd
!
ip nat source list fromVLAN10 interface FastEthernet0/0 overload    ! PAT of all VLAN10 traffic on Fa0/0 connected to ISP1
ip nat source list fromVLAN20 interface FastEthernet0/1 overload    ! PAT of all VLAN20 traffic on Fa0/1 connected to ISP2
!
ip access-list extended fromVLAN10
 permit ip 10.0.10.0 0.0.0.255 any     ! Catch all traffic if is coming from VLAN10 10.0.10.0/24 network
!
ip access-list extended fromVLAN20
 permit ip 10.0.20.0 0.0.0.255 any     ! Catch all traffic if is coming from VLAN20 10.0.20.0/24 network
!
route-map isp1 permit 10               ! Policy to send VLAN10 traffic via ISP1
 description Set next hop via ISP1
 match ip address fromVLAN10           ! Applies action statements below if matches extended ACL named 'fromVLAN10'
 set ip default next-hop 198.100.200.1 ! Sets next hop to ISP1 router, overrides a routing table statements
!
route-map isp2 permit 10               ! Policy to send VLAN20 traffic via ISP2
 description Set next hop via ISP2
 match ip address fromVLAN20           ! Applies action statements below if matches extended ACL named 'fromVLAN20'
 set ip default next-hop 35.100.200.1  ! Sets next hop to ISP2 router, overrides a routing table statements

Additional theory

A router makes a difference between traffic that is originating from the router and traffic that is flowing through the router. The command below will activate policy based routing for traffic that is originated by the router itself

WAN(config)#ip local policy route-map PBR

In my example I activated policy based routing for traffic flowing through router WAN therefore I applied to the ingress interface:

WAN(config)#interface GigabitEthernet1/0
WAN(config-if)#ip policy route-map isp1

Troubleshooting

debug ip policy    ! enables PBR debugging
Example

Ping from VPCS[1] 10.0.10.10 (C2 on the topology diagram above) to a server on Internet 212.77.100.101

VPCS[1]> ping 212.77.100.101
*212.77.100.101 icmp_seq=1 ttl=254 time=40.181 ms (ICMP type:3, code:1, Destination host unreachable)

Enable PBR debugging

WAN#debug ip policy 

*Aug 24 20:18:39.615: IP: s=10.0.10.10 (GigabitEthernet1/0), d=212.77.100.101, len 92, FIB policy match
*Aug 24 20:18:39.619: IP: s=10.0.10.10 (GigabitEthernet1/0), d=212.77.100.101, len 92, PBR Counted
*Aug 24 20:18:39.623: IP: s=10.0.10.10 (GigabitEthernet1/0), d=212.77.100.101, len 92, FIB policy match
*Aug 24 20:18:39.643: IP: s=10.0.10.10 (GigabitEthernet1/0), d=212.77.100.101, len 92, policy match
*Aug 24 20:18:39.647: IP: route map isp1, item 10, permit
*Aug 24 20:18:39.651: IP: s=10.0.10.10 (GigabitEthernet1/0), d=212.77.100.101 (FastEthernet0/0), len 92, policy routed
*Aug 24 20:18:39.655: IP: GigabitEthernet1/0 to FastEthernet0/0 198.100.200.1

Dump of a routing table, please notice that there is no default route. Any other than locally connected traffic that does not match ACL will not be forwarded.

WAN#sh ip route | exclude L
<--- output omitted ---->
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.10.0/24 is directly connected, GigabitEthernet1/0
C        10.0.20.0/24 is directly connected, GigabitEthernet2/0
      35.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        35.100.200.0/29 is directly connected, FastEthernet0/1
      198.100.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        198.100.200.0/29 is directly connected, FastEthernet0/0

References