In the following lab I will demonstrate how to use PBR
(Policy-Based Route) along with 3 different exit points (next-hop) and NAT the
source IP accordingly.
Here is the network topology:
R5 is a host on our LAN (network 192.168.0.0/24) while R1 is
the gateway for this network.
When R5 tries to reach R7 (192.168.71.1) using ICMP he will
exit through R2, when trying to reach R7 on port 80 he will exit through R3 and
when using telnet through R4. The NAT will occur according to the exit point –
hence when going through R2 he will have 10.1.12.1, through R3 he will have
10.1.13.1 and through R4 – 10.1.14.1.
Using this scenario we can load-balance certain traffic type
through different upstream providers according to our demands (a next-hop verification
and redundancy can be added but I skipped this issues on this post).
R5 (relevant) configuration:
interface FastEthernet0/0
ip address 192.168.0.5 255.255.255.0
speed 100
full-duplex
!
ip route 0.0.0.0 0.0.0.0
192.168.0.1
|
Note that R2, R3, R4 and R7 are running OSPF between them.
R2 (relevant) configuration:
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.255.0
speed 100
full-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
|
R3 (relevant) configuration:
interface FastEthernet0/0
ip address 10.1.13.3 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 172.16.0.3 255.255.255.0
speed 100
full-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
|
R4 (relevant) configuration:
interface FastEthernet0/0
ip address 10.1.14.4 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 172.16.0.4 255.255.255.0
speed 100
full-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
|
R7 (relevant) configuration:
interface Loopback1
ip address 192.168.71.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback2
ip address 192.168.72.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback3
ip address 192.168.73.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.0.7 255.255.255.0
speed 100
full-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
|
And R1 basic configuration:
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/1
ip address 10.1.12.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet2/0
ip address 10.1.13.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet2/1
ip address 10.1.14.1 255.255.255.0
duplex full
speed 100
!
ip route 0.0.0.0 0.0.0.0
10.1.12.2
|
Now let’s start configure R1, first create access-lists
which will match the desired traffic for the PBR, here in my example I want to
match HTTP and telnet traffic:
ip access-list extended
ACL_PBR_HTTP
permit tcp 192.168.0.0 0.0.0.255 any eq www
deny
ip any any
!
ip access-list extended
ACL_PBR_TELNET
permit tcp 192.168.0.0 0.0.0.255 any eq
telnet
deny
ip any any
!
|
Then configure the PBR route-map:
route-map RM_PBR permit 10
match ip address ACL_PBR_HTTP
set ip next-hop 10.1.13.3
!
route-map RM_PBR permit 20
match ip address ACL_PBR_TELNET
set ip next-hop 10.1.14.4
!
route-map RM_PBR deny 999
!
|
In the following PBR I configure that all HTTP traffic will
go to next-hop 10.1.13.3 and all telnet traffic will go to next-hop 10.1.14.4,
all other traffic that the route-map didn’t catch will go through the normal
routing table, in this case to 10.1.12.2 (default route).
Configure the PBR under the LAN interface:
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
ip virtual-reassembly in
ip policy route-map RM_PBR
duplex full
speed 100
!
|
Now configure NAT inside on Fa1/0 (LAN interface) and NAT
outside on Fa1/1, Fa2/0 and Fa2/1 (WAN interfaces):
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map RM_PBR
duplex full
speed 100
!
interface FastEthernet1/1
ip address 10.1.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface FastEthernet2/0
ip address 10.1.13.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface FastEthernet2/1
ip address 10.1.14.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
|
Now configure 3 route-maps for NAT distinguish for each WAN interface:
route-map RM_NAT_R4 permit 10
match interface FastEthernet2/1
!
route-map RM_NAT_R2 permit 10
match interface FastEthernet1/1
!
route-map RM_NAT_R3 permit 10
match interface FastEthernet2/0
!
|
These route-maps will ensure that every packet that goes out
on a specific interface will get the correct outside NAT IP address.
And last configure the NAT statements:
ip nat inside source
route-map RM_NAT_R2 interface FastEthernet1/1 overload
ip nat inside source
route-map RM_NAT_R3 interface FastEthernet2/0 overload
ip nat inside source
route-map RM_NAT_R4 interface FastEthernet2/1 overload
!
|
Now let’s check:
R5#ping 192.168.71.1
|
Result:
R5#telnet 192.168.71.1
|
Result:
R5#telnet 192.168.71.1 80
|
Result:
When R5 ping 192.168.71.1 he made it using source IP 10.1.12.1,
when using HTTP he made it using 10.1.13.1 and when telnet he used 10.1.14.1.