Redirect HTTP traffic to a website with NBAR/PBR on 7206
I am having the following dilemma - I need to make sure that all the HTTP traffic with a specific source IP and a specific destination which is a FQDN is being redirected to a special server, different than the original destination.
WWW request incoming from Source IP address of 184.108.40.206 has a destination website of "test.com" and this traffic is going via my 7206 VXR. At the same time, WWW traffic from 220.127.116.11 to another website and also another type of traffic, FTP, and so on is coming from 18.104.22.168 to "test.com". Also, WWW traffic is coming towards "test.com" from many other source IP addresses.
I need to make sure I only match the HTTP traffic from exactly 22.214.171.124 to "test.com" and nothing else. After I match it, I need to redirect it to another exit point, rather than the default routing table decision. That would have been extremely easy with PBR if I only had the requirements for matching on source and destination IP and then setting the ip next-hop. But here we have to match not on destination IP because we don't know it (domain name will resolve to different IPs from a cloud, so not an option to use IPs), but we have to match on domain name as a destination. And we only have to match HTTP traffic and only from that specific source IP address.
We could use NBAR classification to match http traffic towards the website, something like this:
class-map match-all TestClass
 match access-group SOURCE-IP
 match protocol http host *test.com*
! or I can use: match protocol http url *smth more specific*
 set ...
! and here comes the restriction: there is no way I can set ip next-hop like in a route-map for PBR.
On the other hand, if I use only PBR with route maps, etc., there is no such granularity in the match conditions so that I can match on the HTTP header... So I need something like a combination of both NBAR classification and PBR...
Any ideas how to do this on a single 7206VXR box with 12.2(31)SB18? Or do I need a more recent IOS?
Re: Redirect HTTP traffic to a website with NBAR/PBR on 7206
I was wondering if you could match the packets with NBAR and set the IP precedence/DSCP for example and then use an access-list in PBR to match on those settings. So I did a quick search on this and found another post on CSC doing that very thing. Unfortunately it doesn't seem to work for the poster -
I thought it might be the IOS order of operations but I believe that classification/marking comes before PBR so in theory it should have worked. Perhaps you could try it on your router.
Other than that PfR allows matching traffic with NBAR and setting a next hop IP (if you have the right IOS and I don't think you do at the moment). However I have never used PfR so I do not know that you can combine the two things to achieve what you want.
So please do not go out and upgrade your IOS for PfR without doing some further investigation because I only did a quick look at the PfR documentation.
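The two-stage approach the reply describes (NBAR classifies and marks on ingress, PBR then matches the mark instead of the unknown destination address), written out as an added example; this is not configuration from the original post or from Cisco documentation. The ACL names, the policy-map and route-map names, the DSCP value af41, the next-hop 203.0.113.1 and the interface are assumptions chosen for illustration; the source host and the host pattern come from the question.

```cisco
! Added example, not from the original thread. Names, the DSCP value,
! the next-hop and the interface are assumptions.
!
! Stage 1: NBAR classification and DSCP marking on the ingress interface.
! The ACL narrows the class to the one source host and TCP/80 before NBAR
! inspects the HTTP Host header.
ip access-list extended SOURCE-IP
 permit tcp host 22.214.171.124 any eq www
!
class-map match-all TestClass
 match access-group name SOURCE-IP
 match protocol http host *test.com*
!
policy-map MARK-TEST-HTTP
 class TestClass
  set ip dscp af41
!
! Stage 2: PBR matches the mark (plus the source host again as a second
! check), never the destination address, so the cloud IPs do not matter.
ip access-list extended PBR-MARKED
 permit ip host 22.214.171.124 any dscp af41
!
route-map PBR-TEST-HTTP permit 10
 match ip address PBR-MARKED
 set ip next-hop 203.0.113.1
!
! Both stages must sit on the interface where the traffic enters the router.
interface GigabitEthernet0/1
 description ingress from 22.214.171.124 (assumed interface)
 service-policy input MARK-TEST-HTTP
 ip policy route-map PBR-TEST-HTTP
!
! Verification after applying the above:
!   show policy-map interface GigabitEthernet0/1 input   (TestClass packet counters rise)
!   show route-map PBR-TEST-HTTP                          (policy routing match counters rise)
! If the class counters rise but the route-map counters stay at zero, the
! platform is applying PBR before the input marking and this method does
! not work on that IOS, which is the failure the reply mentions.
```

Two caveats worth checking before relying on this. First, the mark is the only thing PBR sees, so pick a DSCP value that no other traffic from that host already carries, or other flows with the same mark would be steered to the next-hop as well. Second, the NBAR pattern `*test.com*` is a substring match, so any hostname that merely contains that string also falls into the class; a tighter host or url pattern keeps the redirect limited to the intended site.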