Dual WAN connection on Cisco with Policy-based routing
Original: pierky.wordpress.com/2009/03/28/dual-wan-connection-on-cisco-with-policy-based-routing-pbr
The article was modified by me, because the sequence of actions described in the original article did not give a positive result.
I believe that this article may be useful to people who still do not know what policy-based routing is. You can begin to study this topic by reading the official documentation on Cisco.com, but personally it is much more convenient for me to begin learning a new technology with a specific example of its implementation. This allows you to immediately understand what you are dealing with and how it can be used in the future.
We have:
- A Cisco router with two WAN connections to the provider.
- A "bronze" link: a narrow channel, with a point-to-point subnet with a /30 mask.
- A "gold" link: a wide channel, with a point-to-point subnet with a /30 mask and a separate subnet with a /24 mask for our own needs.
Note that we cannot send traffic from the 1.1.1.0/24 subnet through the "bronze" link.
Goals:
- LAN users must have access to the Internet.
- Traffic that is important to us must be sent through the "gold" link.
- Our server farm must be reachable from the outside via public IP addresses.
For simplicity, in our example Telnet will be important traffic. In real life, this could be RTP, database traffic, and so on.
In this topology there are 5 traffic directions of interest to us:
- LAN -> Critical Services [Golden Link]
- LAN -> WAN ["Bronze" link]
- LAN -> Server farm
- ServerFarm -> WAN [Golden Link]
- ServerFarm -> LAN
Traffic from the LAN towards the WAN or the critical services must be translated by NAT, but remember that a packet is routed first and only then translated by NAT. So first of all, let's turn our attention to packet routing. We will return to configuring NAT later.
Normal routing simply forwards packets based on the destination address; it does not care about Layer 4 information (the OSI transport layer) or the source IP address. How, then, can routing be based on other parameters, for example the destination TCP port? Policy-Based Routing (PBR) was created for exactly this. PBR can make decisions based on a number of parameters: source address, destination port, QoS tag.
Let's start the configuration. First, the initial configuration of our router:
interface Serial2/0
description Bronze
ip address 2.2.2.2 255.255.255.252
!
interface Serial2/1
description Gold
ip address 3.3.3.2 255.255.255.252
!
interface FastEthernet0/0
description LAN
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet1/0
description ServerFarm
ip address 1.1.1.1 255.255.255.0
Simply assign IP addresses to the interfaces and bring them up (no shutdown). Clocking on the serial interfaces is provided by the ISP.
Set the default route for our router (GW) through the "bronze" link:
ip route 0.0.0.0 0.0.0.0 Serial2/0
Now we are going to deploy Policy Based Routing (PBR).
Let's create an extended named access control list (ACL) in which we define which traffic will be prioritized:
ip access-list extended GoldServices
deny ip any 1.1.1.0 0.0.0.255 // IP traffic to 1.1.1.0/24 (the server farm) is not selected
permit tcp any any eq telnet // TCP port 23 (Telnet) is selected
deny ip any any // all other IP traffic is not selected
This access list selects telnet traffic that is not destined for the server farm. Keep in mind that a deny in an ACL referenced by a route-map does not drop the packet: it only means the packet is not selected by that route-map entry.
We define a route map (route-map) which will intercept the traffic of interest (telnet to the external network) and direct it to the required interface (the “golden” link):
route-map PBR_LAN permit 10
match ip address GoldServices // select the traffic permitted by the GoldServices ACL
set interface Serial2/1 Serial2/0 // send it out Serial2/1; if that is down, use Serial2/0
Apply the created map to the interface connected to the LAN segment:
interface FastEthernet0/0
description LAN
ip policy route-map PBR_LAN // policy-route packets arriving from the LAN
If a packet does not match any route-map entry, it is simply routed according to the normal routing table (in our case it will be sent out the "bronze" link).
Note that we specified two interfaces in the command set interface Serial2/1 Serial2/0. In this case, if the link through Serial2/1 fails, the router will start using Serial2/0 to forward the important traffic. This gives us some redundancy and resilience for the important traffic.
It is possible to provide redundancy for traffic that is not a priority (traffic going through the "bronze" link):
ip route 0.0.0.0 0.0.0.0 Serial2/1 10 // floating static route with administrative distance 10; used only when the route via Serial2/0 disappears
We repeat the same steps for traffic between the server platform and the external network.
ip access-list extended ServerFarm-To-WAN
deny ip 1.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255 // IP traffic from 1.1.1.0/24 to 192.168.0.0/24 is not selected
permit ip any any // all other IP traffic is selected
!
route-map PBR_ServerFarm permit 10
match ip address ServerFarm-To-WAN // select the traffic permitted by the ServerFarm-To-WAN ACL
set interface Serial2/1 // send it out the "gold" link only
!
interface FastEthernet1/0
description ServerFarm
ip policy route-map PBR_ServerFarm // policy-route packets arriving from the server farm
These commands send traffic from the servers to external networks exclusively through the "gold" link. Traffic going from the servers to our local users will not end up on the external links. Unfortunately, we cannot add a second interface for fault tolerance here, since our provider will not accept traffic from the 1.1.1.0/24 subnet on its "bronze" link.
This completes the routing setup. Let's get down to setting up NAT.
We have 1 internal interface (inside) and two external (outside):
interface FastEthernet0/0
description LAN
ip nat inside
!
interface Serial2/0
description Bronze
ip nat outside
!
interface Serial2/1
description Gold
ip nat outside
Create an address pool for translating packets that go out the "gold" link:
ip nat pool LAN-to-Gold 1.1.1.20 1.1.1.20 netmask 255.255.255.0 // a single address, 1.1.1.20, from the 1.1.1.0/24 subnet
Create an access control list to select traffic from the LAN to the external network:
ip access-list extended Trivial
permit ip 192.168.0.0 0.0.0.255 any // all IP traffic sourced from 192.168.0.0/24
deny ip any any // everything else
We define two route maps that will be used in address translation:
route-map NAT_Gold permit 10
match ip address GoldServices // the important traffic
match interface Serial2/1 // ...leaving through the "gold" link
!
route-map NAT_Bronze permit 15
match ip address Trivial // ordinary LAN traffic
match interface Serial2/0 // ...leaving through the "bronze" link
And finally:
ip nat inside source route-map NAT_Gold pool LAN-to-Gold overload // traffic matching NAT_Gold is translated to the pool address (PAT)
ip nat inside source route-map NAT_Bronze interface Serial2/0 overload // traffic matching NAT_Bronze is translated to the address of Serial2/0 (PAT)
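To see how the PBR route-maps, the floating static route and the NAT route-maps above interact, here is a small model of the decision logic, written as an added example for this article (it is not Cisco code and not part of the original post). It encodes the ACLs, route-maps, routing table and NAT rules exactly as configured above, then pushes constructed sample packets for each of the five traffic directions through them, including the two link-failure cases. The packet contents and the IP 8.8.8.8 as a stand-in "Internet" destination are constructed values; the ACL first-match and implicit-deny semantics, the "deny means not selected" behaviour of route-maps, and the "first interface that is up" behaviour of set interface are standard IOS behaviour.

```python
"""Model of the article's PBR + NAT decisions (added example; not IOS code)."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any" as network/wildcard
TELNET = 23


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)


# Extended ACLs from the article: (action, proto, src, dst, dst_port or None).
# In a route-map, "deny" means "not selected", never "drop".
ACLS = {
    "GoldServices": [("deny", "ip", ANY, ("1.1.1.0", "0.0.0.255"), None),
                     ("permit", "tcp", ANY, ANY, TELNET)],
    "ServerFarm-To-WAN": [("deny", "ip", ("1.1.1.0", "0.0.0.255"), ("192.168.0.0", "0.0.0.255"), None),
                          ("permit", "ip", ANY, ANY, None)],
    "Trivial": [("permit", "ip", ("192.168.0.0", "0.0.0.255"), ANY, None)],
}

INTERFACES = {   # up/down state is toggled in the examples to simulate link failure
    "Serial2/0": {"ip": "2.2.2.2", "up": True, "nat": "outside", "policy": None},
    "Serial2/1": {"ip": "3.3.3.2", "up": True, "nat": "outside", "policy": None},
    "FastEthernet0/0": {"ip": "192.168.0.1", "up": True, "nat": "inside", "policy": "PBR_LAN"},
    "FastEthernet1/0": {"ip": "1.1.1.1", "up": True, "nat": None, "policy": "PBR_ServerFarm"},
}

# PBR route-maps: sequence of (match ACL, "set interface" candidates in order).
PBR_MAPS = {"PBR_LAN": [("GoldServices", ["Serial2/1", "Serial2/0"])],
            "PBR_ServerFarm": [("ServerFarm-To-WAN", ["Serial2/1"])]}

# Routing table: (network, prefix length, egress, administrative distance).
ROUTES = [("192.168.0.0", 24, "FastEthernet0/0", 0), ("1.1.1.0", 24, "FastEthernet1/0", 0),
          ("0.0.0.0", 0, "Serial2/0", 1),      # ip route 0.0.0.0 0.0.0.0 Serial2/0
          ("0.0.0.0", 0, "Serial2/1", 10)]     # floating static, AD 10

# NAT route-maps in order: (name, match ACL, match interface, translated source).
NAT_RULES = [("NAT_Gold", "GoldServices", "Serial2/1", "1.1.1.20"),     # pool LAN-to-Gold
             ("NAT_Bronze", "Trivial", "Serial2/0", "interface")]       # address of Serial2/0


def acl_permits(acl_name, pkt):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for action, proto, src, dst, port in ACLS[acl_name]:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if port is not None and port != pkt["dport"]:
            continue
        return action == "permit"
    return False


def prefix_match(addr, net, plen):
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & mask == int(IPv4Address(net)) & mask


def normal_route(dst):
    """Longest prefix match over routes whose interface is up; lowest AD wins ties."""
    usable = [r for r in ROUTES if INTERFACES[r[2]]["up"] and prefix_match(dst, r[0], r[1])]
    return max(usable, key=lambda r: (r[1], -r[3]))[2] if usable else None


def egress_for(pkt):
    """Policy on the ingress interface is consulted first, then the routing table."""
    policy = INTERFACES[pkt["ingress"]]["policy"]
    for acl, candidates in PBR_MAPS.get(policy, []):
        if acl_permits(acl, pkt):
            for iface in candidates:        # set interface A B: first one that is up
                if INTERFACES[iface]["up"]:
                    return iface
    return normal_route(pkt["dst"])


def nat_source(pkt, egress):
    """Inside->outside only: first NAT route-map whose ACL and interface both match."""
    if egress is None or INTERFACES[pkt["ingress"]]["nat"] != "inside" \
            or INTERFACES[egress]["nat"] != "outside":
        return pkt["src"]
    for _name, acl, iface, target in NAT_RULES:
        if iface == egress and acl_permits(acl, pkt):
            return INTERFACES[iface]["ip"] if target == "interface" else target
    return pkt["src"]                       # no rule matched: forwarded untranslated


def forward(ingress, src, dst, proto="tcp", dport=80):
    """Return (egress interface, source address as seen on the wire)."""
    pkt = {"ingress": ingress, "src": src, "dst": dst, "proto": proto, "dport": dport}
    egress = egress_for(pkt)
    return egress, nat_source(pkt, egress)


if __name__ == "__main__":
    # Constructed sample flows for the five directions from the article.
    for args in [("FastEthernet0/0", "192.168.0.10", "8.8.8.8", "tcp", 23),
                 ("FastEthernet0/0", "192.168.0.10", "8.8.8.8", "tcp", 80),
                 ("FastEthernet0/0", "192.168.0.10", "1.1.1.5", "tcp", 23),
                 ("FastEthernet1/0", "1.1.1.5", "8.8.8.8", "tcp", 443),
                 ("FastEthernet1/0", "1.1.1.5", "192.168.0.10", "tcp", 22)]:
        print(args, "->", forward(*args))
```

Two things this model makes visible that are easy to miss when reading the configuration. First, when Serial2/1 fails, telnet from the LAN falls back to Serial2/0 via set interface, and because the GoldServices ACL is also used by NAT_Gold, which only matches on Serial2/1, translation then falls through to NAT_Bronze and the traffic leaves with the address of Serial2/0, which is what we want. Second, when Serial2/0 fails, ordinary LAN traffic takes the floating static route out Serial2/1, but neither NAT route-map matches that combination (NAT_Gold rejects non-telnet traffic, NAT_Bronze requires Serial2/0), so with the configuration exactly as written that traffic would leave untranslated with a private 192.168.0.x source. On a real router the equivalent checks are show route-map (match counters per sequence), show ip nat translations and, for a short test, debug ip policy.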