Tuesday, June 21, 2011

Policy Based Routing: How To Configure A Route-Map On A Cisco 2800 Router To Make Traffic Go In Two Different Directions

Well, I'm excited to write this post tonight.  I've been doing ASA posts so far, but tonight I'd like to do a router post.  I have a customer who came to me and told me that they had a Nortel Contivity firewall, and that they felt it was overloaded and causing major performance issues for Internet traffic.  They initially wanted to just buy an ASA and let that be that.  However, upper management DIDN'T want them to do that, because they had a second Nortel Contivity sitting around, being of no use at all.  Their question: "How can we use that?"  Well, because they initially wanted me to put a Cisco 2800 in place of the firewall, I told them I could use that router to route some traffic to the current firewall and the rest to the other firewall.  The topology would look like this:
So, with this topology above, I took the Cisco router and decided to route half of their traffic to the original Contivity firewall, and the rest of the traffic to the new (the used one sitting on the shelf) Contivity firewall, again because of the performance issues on the original Contivity.  How would I do this?  Route-maps!  I remember one of my past bosses telling me that "thems the big boys".  I didn't understand what he meant then, but I do nowadays.  You can manipulate traffic almost any way you want with these "big boys".  I've come to really like route-maps a lot, so let's dive into what I did today for this customer.  I've cut this down quite a bit just for this example.

First, I need to determine what traffic needs to go where.  I have two firewalls here, in parallel with each other.  So, what traffic do I want to go to the first firewall, and what do I want to go to the second firewall?  Well, let's define our traffic:
Access-list 170 is going to say this:  Any traffic sourced from 192.168.41.0 or 192.168.137.0 and destined to any network is our target traffic.  Also, I DON'T want any traffic sourced from 10.0.0.0 networks and destined for 192.168.2.0 networks to be a part of this, or any other traffic (specified by the deny ip any any at the end, which is what IOS would do implicitly anyway).  Note that a deny in an ACL used by a route-map doesn't drop the packet; it just keeps the packet from matching that route-map clause.
access-list 170 deny   ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 170 permit   ip 192.168.41.0 0.0.0.255 any
access-list 170 permit   ip 192.168.137.0 0.0.0.255 any
access-list 170 deny   ip any any

My second access-list is 171.  Similar to above, but different networks.
access-list 171 deny   ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 171 permit   ip 192.168.129.0 0.0.0.255 any
access-list 171 permit   ip 192.168.130.0 0.0.0.255 any
access-list 171 deny   ip any any

Now, the route-map.  The first three lines of the route-map LoadBal refer to access-list 170.  Anything that matches ACL 170 (the permits) is sent to the next-hop of 192.168.190.254.  In the second set of three, anything that matches ACL 171 is sent to 192.168.190.253 (again, the permits only).  Traffic that doesn't get a permit from either ACL falls through the route-map and is forwarded by the normal routing table.
route-map LoadBal permit 10
 match ip address 170
 set ip next-hop 192.168.190.254
route-map LoadBal permit 20
 match ip address 171
 set ip next-hop 192.168.190.253

Now, we have to apply this route-map to an interface.  Really easy to do.  Just reference the route-map name, which you gave in the first and fourth lines above.  It goes on the interface the LAN traffic comes IN on, because policy routing is evaluated on inbound packets.
interface fa0/0
 ip policy route-map LoadBal
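To see exactly which firewall a given flow ends up at, here is a small Python simulator I've added for this post (it is not Cisco code, nor anything from the customer's router).  It parses the two access-lists above with Cisco wildcard-mask semantics, walks the LoadBal route-map in sequence order, and returns the next hop of the first clause whose ACL permits the packet, or None when the packet falls through to the normal routing table.  The sample flows at the bottom are constructed test addresses; the function names (wildcard_match, parse_acls, policy_next_hop, next_hop_for) are my own and not IOS commands.

```python
"""Simulate how IOS policy-based routing evaluates the LoadBal route-map."""
import ipaddress

# The access-lists from the post, embedded here as the simulator's input.
ACL_CONFIG = """
access-list 170 deny ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.41.0 0.0.0.255 any
access-list 170 permit ip 192.168.137.0 0.0.0.255 any
access-list 170 deny ip any any
access-list 171 deny ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 171 permit ip 192.168.129.0 0.0.0.255 any
access-list 171 permit ip 192.168.130.0 0.0.0.255 any
access-list 171 deny ip any any
"""

# route-map LoadBal as (sequence, ACL number, next hop), in evaluation order.
ROUTE_MAP = [
    (10, "170", "192.168.190.254"),
    (20, "171", "192.168.190.253"),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def _take_address(tokens):
    """Consume one address spec ('any', 'host X' or 'X WILDCARD') from tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, (src, src_wc), (dst, dst_wc)), ...]}."""
    acls = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or len(tokens) < 6 or tokens[3] != "ip":
            raise ValueError(f"only 'access-list N permit|deny ip ...' is supported: {line}")
        number, action = tokens[1], tokens[2]
        src, rest = _take_address(tokens[4:])
        dst, rest = _take_address(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_result(acl, src_ip, dst_ip):
    """First-match evaluation; an ACL with no matching entry denies implicitly."""
    for action, (src_base, src_wc), (dst_base, dst_wc) in acl:
        if wildcard_match(src_ip, src_base, src_wc) and wildcard_match(dst_ip, dst_base, dst_wc):
            return action
    return "deny"


def policy_next_hop(acls, route_map, src_ip, dst_ip):
    """Walk the route-map in sequence order and return the next hop of the first
    permit clause whose ACL permits the packet.  None means the packet matched
    no clause and is forwarded by the regular routing table; a deny in the ACL
    means 'not this clause', never 'drop the packet'."""
    for _sequence, acl_number, next_hop in route_map:
        if acl_result(acls[acl_number], src_ip, dst_ip) == "permit":
            return next_hop
    return None


ACLS = parse_acls(ACL_CONFIG)


def next_hop_for(src_ip, dst_ip):
    """Next hop the LoadBal policy picks for a src/dst pair, or None."""
    return policy_next_hop(ACLS, ROUTE_MAP, src_ip, dst_ip)


if __name__ == "__main__":
    # Constructed sample flows covering each case worth checking.
    for src, dst in [("192.168.41.10", "8.8.8.8"), ("192.168.129.20", "8.8.8.8"),
                     ("10.1.2.3", "192.168.2.7"), ("192.168.50.1", "8.8.8.8")]:
        print(f"{src} -> {dst}: {next_hop_for(src, dst) or 'normal routing'}")
```

The third sample flow is the interesting one: 10.x traffic to 192.168.2.0/24 hits the deny at the top of both ACLs, so it is neither dropped nor sent to a firewall; it just takes whatever route the routing table already has.  On the real router, show route-map LoadBal shows per-clause match counters so you can confirm the same split in production.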

That's it.  Can you imagine how complex you can get with this?  Literally, your imagination is the limit.