PBR

Unanswered Question
Sep 30th, 2010

Hi There,

I have a site that has two internet connections, and I'm using Policy Based Routing to force a particular host to go out to the internet via the secondary link. The configuration is pretty straightforward, as shown below:

route-map backup-link-route permit 10
match ip address 100
set ip default next-hop 10.10.10.249

access-list 100 deny   ip host 10.10.10.101 10.10.10.0 0.0.255.255
access-list 100 permit ip host 10.10.10.101 any

interface Fa0/0
ip address 10.10.10.254
ip policy route-map backup-link-route

This configuration is working fine for outbound connections, but I'm not sure how it works for inbound connections. I'm having some difficulty trying to access this host externally using RDP. I have checked the static NAT rule in place for this and it seems to be fine. I'm not sure how PBR works for inbound connections.

Can anyone provide any feedback?

Cheers,

Esteban

Jon Marshall Thu, 09/30/2010 - 09:46

Esteban

PBR only works in one direction. So if you want to influence the return traffic you would need to either -

1) NAT the source address as it leaves your router to the external router interface so that the return traffic goes to the right interface. This may or may not be possible, depending on your topology and also what applications you are running.

2) Use PBR at the other end of the link as well to force the return traffic to take the same path.

Jon

egua5261 Mon, 10/04/2010 - 20:11

Hi Jon,

Thanks for your response. I decided to go for the second option of your recommendation; however, I still can't connect to the server from outside.

>>2) Use PBR at the other end of the link as well to force the return traffic to take the same path.

So this is what I added in the router that terminates the secondary link, which the inbound connection is coming through, with the idea of forcing the return traffic back along the same path.

access-list 110 permit ip any host 10.10.10.101

route-map machine101-route permit 10
match ip address 110
set ip default next-hop 10.10.10.254

interface FastEthernet0/1
ip address
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip policy route-map machine1-route

interface FastEthernet0/0
ip address 10.10.10.249 255.255.0.0
ip nat inside
ip virtual-reassembly

ip nat inside source static tcp 10.10.10.101 3389 interface FastEthernet0/1 64444 (this line was not added; it was already in the config)

Running a debug in this router to capture packets traversing access-list 110, I get the following:

*Oct  5 14:12:23.085: IP: tableid=0, s=203.XX.XX.XX (FastEthernet0/1), d=210.XX.XX.XX (FastEthernet0/1), routed via RIB
*Oct  5 14:12:23.089: IP: s=203.XX.XX.XX (FastEthernet0/1), d=210.XX.XX.XX (FastEthernet0/1), len 128, rcvd 3

Can you shed some light? What does "routed via RIB" mean?

Regards,

Esteban

Jon Marshall Tue, 10/05/2010 - 01:28

The RIB is simply the routing table.

Can you post a quick topology diagram of how the routers are connected, the addressing involved and the router configs at both ends.

Jon
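Jon's first reply (PBR only acts on packets entering the interface it is applied to) and the "routed via RIB" line in Esteban's debug both come down to how a route-map with `set ip default next-hop` is evaluated against the routing table. The following is an added example, written for this page and not code from the thread or from Cisco: a small Python model of that decision. It loads access-list 100 and the route-map from the first post onto a "router A", and access-list 110 and the route-map from the second post onto a "router B", then labels each forwarding decision either "policy routed" or "routed via RIB" (the wording from the debug output above). The ISP next hops 192.0.2.1 and 198.51.100.1 and the test addresses 198.51.100.7 and 203.0.113.9 are assumed documentation addresses, not from the thread. The rule it encodes is Cisco's documented one: `set ip default next-hop` is applied only when the RIB holds nothing more specific than the default route for the destination, which is why a packet for 10.10.10.101, a host on router B's connected /16, matches ACL 110 and is still routed via the RIB.

```python
# Added example (not from the thread or from Cisco): toy model of a route-map
# with 'match ip address <acl>' and 'set ip [default] next-hop'.
import ipaddress
from dataclasses import dataclass


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching line wins; every ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class RouteMap:
    acl: list
    mode: str       # "next-hop" or "default next-hop"
    next_hop: str


class Router:
    def __init__(self, name: str, routes: list, policy=None):
        self.name = name
        # routes: [(prefix, next_hop)]; "0.0.0.0/0" is the default route
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.policy = policy

    def rib_lookup(self, dst: str):
        """Longest-prefix match against the routing table (the RIB)."""
        d = ipaddress.IPv4Address(dst)
        best = None
        for net, nh in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward(self, src: str, dst: str):
        """(next_hop, outcome) for a packet arriving on the policy interface."""
        rib = self.rib_lookup(dst)
        if self.policy and acl_permits(self.policy.acl, src, dst):
            if self.policy.mode == "next-hop":
                return self.policy.next_hop, "policy routed"
            # 'set ip default next-hop' is honoured only when the RIB has
            # nothing more specific than the default route for this destination
            if rib is None or rib[0].prefixlen == 0:
                return self.policy.next_hop, "policy routed (default next-hop)"
        if rib is None:
            return None, "unroutable"
        return rib[1], "routed via RIB"


ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"   # wildcard for a single host

# access-list 100 and route-map backup-link-route from the first post
ACL_100 = [
    AclEntry("deny", "10.10.10.101", HOST, "10.10.10.0", "0.0.255.255"),
    AclEntry("permit", "10.10.10.101", HOST, *ANY),
]
# access-list 110 and route-map machine101-route from the second post
ACL_110 = [AclEntry("permit", *ANY, "10.10.10.101", HOST)]

# Assumed addressing: 192.0.2.1 and 198.51.100.1 stand in for the two ISP
# next hops (documentation addresses, not from the thread).
ROUTER_A = Router("A", [("10.10.0.0/16", "connected"), ("0.0.0.0/0", "192.0.2.1")],
                  RouteMap(ACL_100, "default next-hop", "10.10.10.249"))
ROUTER_B = Router("B", [("10.10.0.0/16", "connected"), ("0.0.0.0/0", "198.51.100.1")],
                  RouteMap(ACL_110, "default next-hop", "10.10.10.254"))

if __name__ == "__main__":
    for rtr, src, dst in [
        (ROUTER_A, "10.10.10.101", "198.51.100.7"),  # host .101 to the internet
        (ROUTER_A, "10.10.10.101", "10.10.20.5"),    # host .101 to a local address
        (ROUTER_A, "10.10.10.102", "198.51.100.7"),  # another host to the internet
        (ROUTER_B, "203.0.113.9", "10.10.10.101"),   # inbound RDP after static NAT
    ]:
        print(rtr.name, src, "->", dst, rtr.forward(src, dst))
```

Running it shows the first post's outbound case going to 10.10.10.249 as intended, local traffic from .101 hitting the ACL's deny line and falling through to the connected route, and the inbound packet on router B being "routed via RIB" because its destination has a connected route. Swapping router B's route-map to plain `next-hop` mode in the model is the only way that packet gets policy routed, which is the difference between the two `set ip` variants.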

egua5261 Wed, 10/06/2010 - 00:14

Hi Jon,

See the diagram attached. The topology is very simple. It is set up using only static routes; no routing protocols are involved. I have only changed the public IPs in the diagram for privacy reasons.

Following is the output from the show ip nat translations command in router B, when I try to remote desktop to the host (10.10.10.249) from an outside connection. I have changed the public IPs in the output to reflect the change made in the diagram, and I altered the last octets of the public IP I was connecting from for privacy reasons, as mentioned above.

sh ip nat translations
Pro Inside global      Inside local        Outside local        Outside global
tcp 203.1.1.1:64444    10.10.10.101:3389   203.39.XX.XX:22562   203.39.XX.XX:22562
tcp 203.1.1.1:64444    10.10.10.101:3389   ---                  ---

Please let me know if it is clear and what to try next?

Cheers,

Esteban
