
Wednesday, July 20, 2016

HPE/Cisco Policy-based route


Here is an example of Cisco PBR. The deny entries in the ACL exclude traffic bound for 172.16.0.0/24 from policy routing, so those packets follow the normal routing table; only the permitted sources are sent to next hop 1.1.1.1:

ip access-list extended ACL_NET192
 deny ip host 192.168.10.1 172.16.0.0 0.0.0.255
 deny ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip host 192.168.10.1 any
 permit ip host 192.168.10.2 any
 deny ip any any
!
route-map PBR_NET192 permit 10
 match ip address ACL_NET192
 set ip next-hop 1.1.1.1
!
interface Vlan192
 ip policy route-map PBR_NET192
!

This is the same PBR on HPE Comware. There the exclusion is expressed as a deny node (node 5), evaluated before the permit node, whose matching traffic is forwarded by the routing table instead of being policy routed:

acl number 3001
rule 10 permit ip source 192.168.10.1 0 destination 172.16.0.0 0.0.0.255
rule 20 permit ip source 192.168.11.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#
acl number 3002
rule 10 permit ip source 192.168.10.1 0 destination any
rule 20 permit ip source 192.168.11.0 0.0.0.255 destination any
quit
#
policy-based-route PBR_NET192 deny node 5
if-match acl 3001
quit
#
policy-based-route PBR_NET192 permit node 10
if-match acl 3002
apply next-hop 1.1.1.1
quit
#
interface vlan 192
ip policy-based-route PBR_NET192
quit
#

Tested on HP Comware v7.1.045 R2418P01 / HP 5900AF-48XG-4QSFP+
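As an added example that is not part of the original post, the following Python script parses the Cisco ACL above (embedded as a constructed string, with the wildcard entry written without the host keyword, as IOS requires) and applies the route-map's semantics to sample packets: a permit match yields the next hop 1.1.1.1, while a deny match or no match leaves the packet to the routing table. The parser and the function names are my own; it models plain ip entries only, not protocol or port matches.

```python
"""Evaluate a Cisco-style extended ACL the way a PBR route-map consults it.

Added example, not code from the original post. A 'permit' match applies the
set clause (next hop 1.1.1.1 here); a 'deny' match, or no match at all, means
the packet is NOT policy routed and follows the normal routing table.
"""
import ipaddress
from typing import Optional

# Constructed copy of the post's ACL_NET192 (the 'host' keyword is removed
# from the wildcard-masked entry, since IOS rejects 'host' with a mask).
ACL_NET192 = """
deny   ip host 192.168.10.1 172.16.0.0 0.0.0.255
deny   ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip host 192.168.10.1 any
permit ip host 192.168.10.2 any
deny   ip any any
"""

PBR_NEXT_HOP = "1.1.1.1"   # from the post's 'set ip next-hop 1.1.1.1'


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.

    Returns ((base, wildcard), next_index) with both values as 32-bit ints.
    """
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def _wild_match(addr_int, spec):
    """Wildcard bits set to 1 are 'don't care'; the other bits must equal base."""
    base, wild = spec
    return ((addr_int ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_action(entries, src, dst):
    """First-match semantics; every IOS ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sspec, dspec in entries:
        if _wild_match(s, sspec) and _wild_match(d, dspec):
            return action
    return "deny"


def pbr_next_hop(entries, src, dst) -> Optional[str]:
    """Return the PBR next hop, or None when the packet is routed normally."""
    return PBR_NEXT_HOP if acl_action(entries, src, dst) == "permit" else None


if __name__ == "__main__":
    acl = parse_acl(ACL_NET192)
    # Constructed sample flows; 203.0.113.7 is a documentation address.
    for src, dst in [("192.168.10.1", "172.16.0.9"), ("192.168.10.1", "203.0.113.7"),
                     ("192.168.11.20", "172.16.0.9"), ("192.168.11.20", "203.0.113.7")]:
        print(f"{src:>14} -> {dst:<14}: {pbr_next_hop(acl, src, dst) or 'routing table'}")
```

Running it shows that 192.168.10.1 reaches 172.16.0.0/24 through the routing table but is policy routed to 1.1.1.1 for any other destination, and that traffic from 192.168.11.0/24 is never policy routed by this particular Cisco ACL because only hosts 192.168.10.1 and 192.168.10.2 are permitted.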

Monday, April 15, 2013

Multiple ISPs and NAT load-balance



In this lab I will show how to load-balance traffic between two ISPs based on protocol, while using the IP address provided by each ISP as the NAT source on that ISP's link.

Device   Role
R1       Customer router
R2       ISP1
R3       ISP2
R4       Internet
R5       Emulates a customer node on the LAN

The customer requirements are:
1. All HTTP and telnet traffic will go through ISP2
2. All other traffic will go through ISP1
3. If one of the ISPs fails, all traffic will go through the other one

This is the network topology:



After configuring all interfaces with the correct IPs, we need to configure the default routes:

ip route 0.0.0.0 0.0.0.0 10.1.12.2 name PRIMARY
ip route 0.0.0.0 0.0.0.0 10.1.13.3 150 name BACKUP

Here I configured a default route to ISP1 as the primary and a floating static route with an AD of 150 to ISP2 as the backup.

Next, configure an ACL that matches the traffic to be policy routed:

ip access-list extended ACL_HTTP
 permit tcp 192.168.15.0 0.0.0.255 any eq telnet
 permit tcp 192.168.15.0 0.0.0.255 any eq www
 deny   ip any any

This ACL matches all HTTP and telnet traffic sourced from network 192.168.15.0/24.

Then configure a track object for the ISP2 interface:

track 3 interface FastEthernet0/1 ip routing

Next, configure the PBR (policy-based routing) route-map with the track object attached to the next hop:

route-map RM_HTTP_PBR permit 10
 match ip address ACL_HTTP
 set ip next-hop verify-availability 10.1.13.3 10 track 3
!
route-map RM_HTTP_PBR deny 20
!

If the ISP2 link fails, track 3 goes down, the next hop is treated as unavailable and the set clause is not applied, so the traffic falls back to the routing table.

Now attach this route-map to interface Fa1/0, which is connected to the customer's LAN:

interface FastEthernet1/0
 ip address 192.168.15.1 255.255.255.0
 ip virtual-reassembly
 ip policy route-map RM_HTTP_PBR
 speed 100
 full-duplex
!

Now for the NAT part: configure two route-maps, one per ISP, each matching the corresponding outside interface:

route-map RM_ISP1 permit 10
 match interface FastEthernet0/0
!
route-map RM_ISP2 permit 10
 match interface FastEthernet0/1
!

Finally, configure the NAT statements (for these to take effect, Fa1/0 also needs ip nat inside and Fa0/0 and Fa0/1 need ip nat outside):

ip nat inside source route-map RM_ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map RM_ISP2 interface FastEthernet0/1 overload


Each NAT statement is applied only when the packet's egress interface matches the interface in its route-map; otherwise that statement is skipped. The source address is therefore always the one belonging to the ISP link actually used.



Summary
R1 will use IP 10.1.13.1 as the NAT source for all HTTP and telnet traffic from R5, and IP 10.1.12.1 as the NAT source for all other traffic from R5.
If ISP2 fails, the PBR does not apply and R1 uses NAT IP 10.1.12.1 for all traffic. If ISP1 fails, the floating static route to ISP2 takes over and R1 uses NAT IP 10.1.13.1 for all traffic.
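The following Python model, added here and not part of the original post, ties the steps above together for R1: the PBR route-map with its tracked next hop, the primary and floating default routes, and NAT selection by egress interface. The addresses, interface names and administrative distances are those from the post; the link-state dictionary, the Packet class and the function names are constructed for the simulation, and the track object is simplified to the line state of Fa0/1.

```python
"""Decision model of the post's dual-ISP PBR + NAT failover on R1.

Added example, not code from the original post. For a packet from the LAN it
applies, in order: the PBR route-map (tracked next hop), the routing table
(static routes with AD), and NAT keyed on the egress interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.15.0/24")
PBR_PORTS = {23, 80}                 # ACL_HTTP: telnet and www from the LAN

# Static default routes from the post: (next_hop, admin_distance, egress_interface)
STATIC_ROUTES = [
    ("10.1.12.2", 1, "FastEthernet0/0"),     # PRIMARY, towards ISP1
    ("10.1.13.3", 150, "FastEthernet0/1"),   # BACKUP, floating static towards ISP2
]

# 'ip nat inside source route-map RM_ISPx interface FastEthernet0/x overload':
# the route-map matches the egress interface, so NAT source follows egress.
NAT_BY_EGRESS = {
    "FastEthernet0/0": "10.1.12.1",
    "FastEthernet0/1": "10.1.13.1",
}


@dataclass
class Packet:
    """Constructed packet summary: only the fields the policy looks at."""
    src: str
    dst: str
    proto: str
    dport: int


def track3_up(link_up: dict) -> bool:
    """'track 3 interface FastEthernet0/1 ip routing', simplified to link state."""
    return link_up["FastEthernet0/1"]


def pbr_egress(pkt: Packet, link_up: dict) -> Optional[str]:
    """RM_HTTP_PBR: 'set ip next-hop verify-availability 10.1.13.3 10 track 3'.

    Returns the egress interface when the set clause applies, otherwise None
    (ACL_HTTP did not match, or the tracked next hop is unavailable).
    """
    src_in_lan = ipaddress.ip_address(pkt.src) in LAN
    if pkt.proto == "tcp" and pkt.dport in PBR_PORTS and src_in_lan:
        if track3_up(link_up):
            return "FastEthernet0/1"
    return None


def rib_egress(link_up: dict) -> Optional[str]:
    """Pick the default route with the lowest AD whose interface is up."""
    candidates = [(ad, iface) for _, ad, iface in STATIC_ROUTES if link_up[iface]]
    return min(candidates)[1] if candidates else None


def forward(pkt: Packet, link_up: dict) -> Optional[tuple]:
    """Return (egress_interface, nat_source_ip), or None if there is no route."""
    egress = pbr_egress(pkt, link_up) or rib_egress(link_up)
    if egress is None:
        return None
    return egress, NAT_BY_EGRESS[egress]


if __name__ == "__main__":
    # The three scenarios of the post's Verification section, as link states.
    scenarios = {
        "both links up":  {"FastEthernet0/0": True,  "FastEthernet0/1": True},
        "Fa0/1 down":     {"FastEthernet0/0": True,  "FastEthernet0/1": False},
        "Fa0/0 down":     {"FastEthernet0/0": False, "FastEthernet0/1": True},
    }
    flows = {
        "ping":   Packet("192.168.15.5", "192.168.41.1", "icmp", 0),
        "telnet": Packet("192.168.15.5", "192.168.41.1", "tcp", 23),
    }
    for name, links in scenarios.items():
        for flow, pkt in flows.items():
            print(f"{name:<14} {flow:<7} -> {forward(pkt, links)}")
```

The output mirrors the captures in the post: with both links up, telnet leaves via Fa0/1 as 10.1.13.1 and ping via Fa0/0 as 10.1.12.1; with Fa0/1 down both use 10.1.12.1; with Fa0/0 down both use 10.1.13.1.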

Verification

With both links up, ping from R5 (192.168.15.5) to R4 (192.168.41.1):

R5#ping 192.168.41.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/76/112 ms

Result:



Telnet from R5 (192.168.15.5) to R4 (192.168.41.1):

R5#telne           
R5#telnet 192.168.41.1
Trying 192.168.41.1 ... Open


User Access Verification

Username:

Result:


Note the source IP on each capture.

Now shut down interface Fa0/1 on R1 and test again. Ping from R5 (192.168.15.5) to R4 (192.168.41.1):

R5#ping 192.168.41.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/76/112 ms

Result:


Telnet from R5 (192.168.15.5) to R4 (192.168.41.1):

R5#telne           
R5#telnet 192.168.41.1
Trying 192.168.41.1 ... Open


User Access Verification

Username:

Result:


On the captures both source IPs are 10.1.12.1.

Now bring interface Fa0/1 back up, shut down interface Fa0/0 on R1 and test again. Ping from R5 (192.168.15.5) to R4 (192.168.41.1):
 
R5#ping 192.168.41.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/76/112 ms


Result:



Telnet from R5 (192.168.15.5) to R4 (192.168.41.1):

R5#telne           
R5#telnet 192.168.41.1
Trying 192.168.41.1 ... Open


User Access Verification

Username:

Result: