Configuring Policy-Based Routing (PBR) with IP SLA Tracking - Aut...

1 of 6

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/8...


WEDNESDAY, 30 NOVEMBER 2016


CONFIGURING POLICY-BASED ROUTING (PBR) WITH IP SLA TRACKING - AUTO REDIRECTING TRAFFIC

Written by Administrator. Posted in Cisco Routers - Configuring Cisco Routers (/CISCO-TECHNICAL-KNOWLEDGEBASE/CISCOROUTERS.HTML). Rating 4.43 (23 Votes)


WHAT IS POLICY-BASED ROUTING?

Policy-Based Routing (PBR) is a very popular feature in Cisco routers; it allows the creation of policies that can selectively alter the path that packets take within the network. Policy-Based Routing can be used to mark packets so that certain types of traffic are prioritized over the rest, sent to a different destination or exit via a different physical interface on the router. Classification of interesting traffic is performed using Access-Control Lists (ACLs). These can be standard, extended or named access lists as we know them. Once the interesting traffic is ‘matched’ with the use of ACLs, the router will perform the configured ‘set’ function which is defined by the Administrator. This ‘set’ function essentially tells the router what to do with the matched traffic and can include sending it to another gateway, dropping it, prioritizing it over other traffic, and much more.

POLICY-BASED ROUTING WITH IP SLA MONITORING FOR AUTOMATIC FAIL-OVER

This article will show how to use Policy-Based Routing to mark a specific type of traffic, for example http, and redirect it to a web proxy (usually Linux Squid) so that all network web traffic is automatically filtered through the proxy. In such setups, network users have no knowledge of the proxy’s existence as they are not required to configure their web browser to use the proxy. All user traffic is forwarded to a single gateway (Cisco ASA Firewall) and from there to router R1. This example is a good solution for creating a transparent proxy with automatic failover.

30/11/2016 11:16


Router R1, with the help of Policy-Based Routing, ‘marks’ all http traffic and then performs the appropriate ‘set’ function, which is to redirect the selected traffic to the Linux proxy with IP address 192.168.150.2.


The Linux proxy accepts the traffic, makes the necessary checks defined by the Administrator and forwards it to the Internet via R2 router. To complement our solution we’ve added IP SLA tracking so that R1 will continuously monitor the Linux proxy to ensure it has not failed or gone offline. If for any reason router R1 loses connectivity with the Linux proxy, the IP SLA & Policy-Based Routing mechanism will stop redirecting http traffic to it and forward it directly to the Internet via R2, effectively bypassing the failed proxy. The next diagram shows how router R1 will respond to a failure of the Linux proxy as described above:


This solution smartly combines Cisco's Policy-Based Routing with IP SLA tracking and provides a number of benefits, some of which are:

- Automatic redirection of selected (http) traffic to the Linux proxy.
- Transparent web proxy to all network users, with web filtering according to company policy.
- Automatic failover in case the proxy fails. Near-zero downtime.
- Continuous monitoring of the proxy after failure – automatic recovery if the proxy is back online.

Note: More examples of IP SLA Tracking can be found in our Configuring Static Route Tracking using IP SLA (Basic) (/cisco-technicalknowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html) article.


HOW TO CONFIGURE IP SLA TRACKING FOR A HOST


The first step is to configure IP SLA tracking for the desired host. This will ensure the R1 router continuously monitors the Linux proxy and stops redirecting http traffic to it in the event it fails:

R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo 192.168.150.2
R1(config-ip-sla)# frequency 4
R1(config-ip-sla)# timeout 2000
R1(config-ip-sla)# threshold 100
R1(config-ip-sla)# exit
R1(config)# ip sla schedule 1 life forever start-time now

The above configuration defines and starts an IP SLA probe on router R1. The ICMP Echo probe sends an ICMP Echo (ping) packet to IP 192.168.150.2 every 4 seconds, as defined by the frequency parameter. Timeout sets the amount of time (in milliseconds) the Cisco IOS IP SLAs operation waits for a response to its request packet. This has been set to 2000 milliseconds, or 2 seconds, which gives the host ample time to respond.

Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation. After defining the IP SLA operation, our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:


R1(config)# track 1 ip sla 1 reachability

The above command will track the state of the IP SLA operation. If there are no ping responses from the monitored IP address (192.168.150.2), the track will go down, and it will come back up when the IP SLA operation starts receiving ping responses once again. To verify the track status, use the “show track” command as shown below:


R1# show track 1
Track 1
  IP SLA 1 reachability
  Reachability is Up
  30 changes, last change 1d08h
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0

The command output verifies that the tracked object is UP and has a response time of 1ms. A closer look shows that, for the duration of the tracking, the state has changed 30 times and the last change was 1 day and 8 hours ago. This information is extremely important should it be necessary to troubleshoot intermittent problems that might be reported by the users.

HOW TO CONFIGURE POLICY-BASED ROUTING TO REDIRECT SELECTED (HTTP) TRAFFIC

Once we have IP SLA up and running the next step is to configure PBR so we can redirect http traffic.


First, we need to use Access-Control Lists to select the traffic we want to redirect. Keep in mind that PBR does not limit the type of ACL that can be used. This means you can use IP named ACLs, standard ACLs, extended ACLs, time-based ACLs and others. In our example we are going to use IP named ACLs:

R1(config)# ip access-list extended http-traffic
R1(config-ext-nacl)# permit tcp 192.168.5.0 0.0.0.255 any eq www

We've decided to name our IP named ACL 'http-traffic'. This unique ACL name will be used later in our route-map. By making the appropriate changes in the ACLs we can define different types of traffic that will be redirected. In our example, all http traffic from the 192.168.5.0 network that is destined to the Internet (any) is selected.

Now we must create a route-map that will use the above defined ACL and instruct the router to redirect the traffic to the Linux proxy:

R1(config)# route-map linux-proxy permit 1
R1(config-route-map)# match ip address http-traffic
R1(config-route-map)# set ip next-hop verify-availability 192.168.150.2 1 track 1

The above commands create a permissive route-map named linux-proxy. The match ip address parameter within the route-map informs the router which ACL defines the traffic we are interested in. Since we've defined our interesting traffic using an IP named ACL, all we need to do is reference the name of the ACL previously created. The last command configures the route-map to verify the reachability of the tracked object (192.168.150.2). If the tracked object is reachable (IP SLA reports it is reachable), then our policy-based route will redirect the defined traffic to it. If the tracked object is not reachable (IP SLA reports the host is not reachable - down), then our policy-based route will stop redirecting traffic.

APPLYING THE POLICY-BASED ROUTE

We are almost done. The very last step is to enable and identify the route-map to be used for policy routing. This is performed by selecting the router interface for which policy routing will be enabled, and applying the policy-route:


R1(config)# interface Vlan1
R1(config-if)# ip policy route-map linux-proxy


In our scenario, R1's VLAN1 interface is connected to the 192.168.150.0/24 network where our ASA and Linux proxy reside, so we apply the policy routing to that interface.
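The five steps above form one dependency chain: the probe must be scheduled, the track must point at that probe, the route-map must reference an existing ACL and the tracked next-hop, and the route-map must be applied to an interface. As an added example (not part of the article and not Cisco code), the Python below reads a constructed running-config built from the commands above and checks that chain, flagging in particular a verify-availability next-hop that differs from the host the tracked probe actually pings. The config text, function names and messages are assumptions for this example.

```python
import re

# Constructed running-config excerpt built from the article's R1 commands;
# sample data for this example, not captured from a real router.
RUNNING_CONFIG = """\
ip sla 1
 icmp-echo 192.168.150.2
 frequency 4
 timeout 2000
 threshold 100
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip access-list extended http-traffic
 permit tcp 192.168.5.0 0.0.0.255 any eq www
route-map linux-proxy permit 1
 match ip address http-traffic
 set ip next-hop verify-availability 192.168.150.2 1 track 1
interface Vlan1
 ip policy route-map linux-proxy
"""

def parse_config(text):
    """Collect the objects the redirect depends on: ip sla -> track -> route-map -> interface."""
    sla = {}  # sla id -> address its icmp-echo probes
    for sla_id, body in re.findall(r"^ip sla (\d+)\n((?: .*\n)+)", text, re.M):
        m = re.search(r"icmp-echo (\S+)", body)
        sla[sla_id] = m.group(1) if m else None
    scheduled = set(re.findall(r"^ip sla schedule (\d+)", text, re.M))
    tracks = dict(re.findall(r"^track (\d+) ip sla (\d+) reachability", text, re.M))
    acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", text, re.M))
    rmaps = {}  # route-map name -> matched ACL names and (next-hop, track) pairs
    for name, body in re.findall(r"^route-map (\S+) permit \d+\n((?: .*\n)+)", text, re.M):
        rmaps[name] = {"acls": re.findall(r"match ip address (\S+)", body),
                       "hops": re.findall(r"verify-availability (\S+) \d+ track (\d+)", body)}
    applied = dict(re.findall(r"^interface (\S+)\n(?: .*\n)*? ip policy route-map (\S+)", text, re.M))
    return sla, scheduled, tracks, acls, rmaps, applied

def lint(text):
    """Return findings as strings; an empty list means every reference resolves and agrees."""
    sla, scheduled, tracks, acls, rmaps, applied = parse_config(text)
    # An unscheduled probe never runs, so its track stays down and nothing is ever redirected.
    findings = [f"ip sla {s} is defined but never scheduled" for s in sla if s not in scheduled]
    for name, rm in rmaps.items():
        for acl in rm["acls"]:
            if acl not in acls:  # a misspelt ACL name matches nothing, traffic silently goes direct
                findings.append(f"{name}: match references undefined ACL {acl}")
        for hop, trk in rm["hops"]:
            probed = sla.get(tracks.get(trk))
            if probed is None:
                findings.append(f"{name}: track {trk} does not resolve to a defined ip sla probe")
            elif probed != hop:  # the track would vouch for a different host than the next-hop
                findings.append(f"{name}: verified next-hop {hop} differs from probed host {probed}")
        if name not in applied.values():
            findings.append(f"{name}: not applied with 'ip policy route-map' on any interface")
    return findings
```

Run `lint()` over the output of `show running-config`; the consistent sample above yields no findings, while dropping the schedule line or changing the next-hop address yields one finding each.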


ROUTE-MAP & IP SLA STATISTICS

Keeping a close eye on the router's route-map & IP SLA performance can be achieved with the use of a few simple commands. Monitoring your route-map's performance for the first couple of days is a very good idea as it will help verify that traffic is still being redirected to the host.


On the other hand, looking at IP SLA statistics will help identify possible failures or changes of state which were not noticed by anyone. The show route-map command is a favourite as it combines enough information to help verify everything is working as it should:


R1# show route-map
route-map linux-proxy, permit, sequence 1
  Match clauses:
    ip address (access-lists): http-traffic
  Set clauses:
    ip next-hop verify-availability 192.168.150.10 1 track 1  [up]
  Policy routing matches: 3864291 packets, 511957007 bytes


The numbers shown here verify immediately that our host is reachable (up) and that R1 has redirected more than 510MB of traffic through the Linux proxy!


The show ip sla statistics command provides, in a similar way, useful information that helps verify the object tracking is working correctly and the tracked host is up:


R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
    Latest operation start time: *21:36:47.855 UTC Tue Apr 3 2012
    Latest operation return code: OK
    Number of successes: 16
    Number of failures: 0
    Operation time to live: Forever
    Latest RTT: 1 milliseconds
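The two listings above are read by hand in the article; as an added example, not from the article, the Python below parses constructed copies of them and turns the counters into alerts. A down track is treated as critical because, with the failover in effect, http traffic now leaves the network without passing the proxy's filtering, and a high change count is the intermittent-problem signal mentioned earlier. The sample text, thresholds and function names are assumptions for this example.

```python
import re

# Constructed sample output modelled on the article's "show track" and
# "show ip sla statistics" listings; sample data, not captured from a real router.
SHOW_TRACK = """\
Track 1
  IP SLA 1 reachability
  Reachability is Up
  30 changes, last change 1d08h
  Latest operation return code: OK
  Latest RTT (millisecs) 1
"""
SHOW_SLA_STATS = """\
IPSLA operation id: 1
    Latest operation return code: OK
    Number of successes: 16
    Number of failures: 0
    Latest RTT: 1 milliseconds
"""

def parse_show_track(text):
    """Reachability state, number of state changes and last RTT from 'show track'."""
    state = re.search(r"Reachability is (\w+)", text).group(1)
    changes = int(re.search(r"(\d+) changes", text).group(1))
    rtt = re.search(r"Latest RTT \(millisecs\) (\d+)", text)
    return {"up": state == "Up", "changes": changes, "rtt_ms": int(rtt.group(1)) if rtt else None}

def parse_sla_stats(text):
    """Return code, success/failure counters and last RTT from 'show ip sla statistics'."""
    code = re.search(r"Latest operation return code: (\w+)", text).group(1)
    succ = int(re.search(r"Number of successes: (\d+)", text).group(1))
    fail = int(re.search(r"Number of failures: (\d+)", text).group(1))
    rtt = re.search(r"Latest RTT: (\d+) milliseconds", text)
    return {"return_code": code, "successes": succ, "failures": fail,
            "rtt_ms": int(rtt.group(1)) if rtt else None}

def assess(track_text, stats_text, max_changes=10, max_rtt_ms=100):
    """Turn both listings into alerts; max_rtt_ms mirrors the probe's 'threshold 100'."""
    track, stats = parse_show_track(track_text), parse_sla_stats(stats_text)
    alerts = []
    if not track["up"]:
        # Failover is in effect: http traffic now reaches the Internet without the proxy's filtering.
        alerts.append("CRITICAL: track is down, http traffic is bypassing the proxy")
    if stats["failures"] or stats["return_code"] != "OK":
        alerts.append(f"WARNING: {stats['failures']} failed probes, last return code {stats['return_code']}")
    if track["changes"] > max_changes:
        # Many state changes are the intermittent-problem signal the article points at.
        alerts.append(f"WARNING: track changed state {track['changes']} times, proxy reachability is intermittent")
    if stats["rtt_ms"] is not None and stats["rtt_ms"] >= max_rtt_ms:
        alerts.append(f"WARNING: latest RTT {stats['rtt_ms']} ms is at or above the {max_rtt_ms} ms threshold")
    return alerts
```

Feed `assess()` the text of both show commands from a scheduled collector; on the sample above it raises only the 30-changes warning, and a down track turns that into a critical alert.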


20 Comments


Clint Young · The Ohio State University

Really nice article!

16 April 2012 07:45


Robert K Mwangi · Technical University Of Kenya

Cool stuff

8 May 2012 03:24


Duy Tran

Thanks for your help.

15 June 2012 15:06


Hà Đa Sĩ · Học viện Công nghệ Bưu chính Viễn thông

Thanks.

4 July 2012 18:03


Shola Oni · Manager at Gogodrive Technologies Ltd

Hello. My router won't accept the command track 1 ip sla 1 reachability. What could be the problem? Send comment to [email protected].

4 August 2012 04:32


Ada Ezechi · Federal University of Technology Owerri

You did not specify your router version, also try updating your IOS, I am using GNS3 and it works fine on c7200

15 August 2012 04:12

Ada Ezechi · Federal University of Technology Owerri

Hello Shola, do you know about GNS3? If you do, please, have you tried to use CCP (Cisco Config Pro) in it? I tried but have issues.

15 August 2012 04:14

Shola Oni · Manager at Gogodrive Technologies Ltd

The model of the router is Cisco 1800 series.

15 August 2012 05:26


© Copyright 2000-2016 Firewall.cx - All Rights Reserved Information and images contained on this site is copyrighted material. Firewall.cx - Cisco Networking, VPN - IPSec, Security, Cisco Switching, Cisco Routers, Cisco VoIP- CallManager Express & UC500, Windows Server, Virtualization, Hyper-V, Web Security, Linux Administration
