Sometimes, when everything else is failing, you'll need a dirty hack to get things the way you want. I'm going to show you how to modify the next hop (where a packet is forwarded to) with a route-map, which is what Cisco calls policy routing.
Let's say you want to redirect web traffic to a local cache running for example squid, but let all other traffic pass on to its intended destination. As usual I have made up an imaginary scenario, but this time I have also used my creative skills (yeah, right!) to draw a little network map in dia.
The idea is to send all TCP port 80 traffic from all the clients to the web cache server on 10.0.0.2, while everything else is routed as usual.
To achieve this, we first need an access-list that matches web traffic from the clients, and only from the clients.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended webtraffic
Router(config-ext-nacl)#deny tcp host 10.0.0.2 any eq www
Router(config-ext-nacl)#permit tcp 10.0.0.0 0.0.0.255 any eq www
To verify that the access-list now exists, run this command:
Router#sh ip access-list webtraffic
Extended IP access list webtraffic
10 deny tcp host 10.0.0.2 any eq www
20 permit tcp 10.0.0.0 0.0.0.255 any eq www
As you can see, there is a deny on 10.0.0.2 before the permit. That is because we can't match traffic coming from the web cache server itself and redirect it back to itself; that would create a loop. The order matters: an access-list is evaluated top down and the first matching entry wins, so the deny has to come first. Also note that a deny in an access-list used by a route-map does not drop anything; it only means "not matched", so that traffic is left to normal routing.
The next thing we need to do is to create a route-map that uses the webtraffic access-list to match packets and applies the intended modification, in our case a new next hop, to them.
Router(config)#route-map webcache-redirect permit 10
Router(config-route-map)#match ip address webtraffic
Router(config-route-map)#set ip next-hop 10.0.0.2
Router(config-route-map)#route-map webcache-redirect permit 200
The second entry, sequence 200, has no match and no set clause: it catches everything else, and since it changes nothing, that traffic is routed as usual. You can now verify the route-map like this:
Router#sh route-map webcache-redirect
route-map webcache-redirect, permit, sequence 10
Match clauses:
ip address (access-lists): webtraffic
Set clauses:
ip next-hop 10.0.0.2
Policy routing matches: 0 packets, 0 bytes
route-map webcache-redirect, permit, sequence 200
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
The last thing that needs to be done for this to have effect is to apply policy routing on the interface on which you receive the traffic from the clients (the interface which acts as the gateway for the clients, in this case the one with the IP address 10.0.0.1). Policy routing only acts on packets arriving on that interface; traffic the router generates itself is not affected.
Router(config)#int vlan 1
Router(config-if)#ip policy route-map webcache-redirect
The route-map name here must be exactly the one you created (webcache-redirect); IOS will happily accept a reference to a route-map that does not exist, and then nothing is policy-routed. You can now use the sh route-map command again and watch the "Policy routing matches" counter on sequence 10 increase as your web traffic is being policy-routed. One thing to keep in mind: the set ip next-hop clause is unconditional, so if the cache server goes down the router keeps sending the clients' web traffic to it and they lose web access. IOS versions that support set ip next-hop verify-availability can fall back to normal routing when the next hop is unreachable.
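To make the matching logic concrete, here is a small Python model of how IOS evaluates the access-list and route-map above against a handful of packets: first-match access-list semantics with wildcard masks and the implicit deny, and route-map sequences that fall through when their access-list does not permit the packet. This is an added example, not IOS code and not code from the original post; the sample packets, the client address 10.0.0.50 and the web server address 203.0.113.10 are constructed input.

```python
"""Toy model of the IOS policy-routing decision for the config above.

Added example, not IOS code or code from the original post. It mimics the
semantics IOS applies: an extended access-list is evaluated top down, the
first matching entry wins and an implicit 'deny any' sits at the end; a
route-map entry whose 'match ip address' access-list answers 'deny' (or does
not match at all) is skipped and the packet falls through to the next entry;
a permit entry without a set clause, or no matching entry at all, leaves the
packet to normal destination-based routing. Sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # 'tcp' or 'udp'
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'tcp', 'udp' or 'ip' (any protocol)
    src: str               # network or host address
    src_wildcard: str      # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: str
    dst_wildcard: str
    dport: Optional[int] = None  # 'eq <port>', None means any port


ANY = ('0.0.0.0', '255.255.255.255')   # what the keyword 'any' expands to in IOS
HOST = '0.0.0.0'                        # the wildcard behind 'host x.x.x.x'


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics (the bitwise inverse of a subnet mask)."""
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, pkt: Packet) -> str:
    """Return 'permit' or 'deny'; first match wins, implicit deny at the end."""
    for e in acl:
        if e.proto != 'ip' and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wildcard):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wildcard):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return 'deny'


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    match_acl: Optional[tuple] = None   # None = no match clause, matches everything
    next_hop: Optional[str] = None      # 'set ip next-hop', None = no set clause


def policy_route(route_map, pkt: Packet) -> Optional[str]:
    """Next hop imposed by PBR, or None when the packet is routed normally."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.match_acl is not None and acl_lookup(entry.match_acl, pkt) != 'permit':
            continue            # ACL deny or no match: this sequence does not apply
        return entry.next_hop   # a permit entry with no set clause returns None
    return None


# The access-list and route-map from the post, in the same order as on the router.
WEBTRAFFIC = (
    AclEntry('deny',   'tcp', '10.0.0.2', HOST,        *ANY, 80),   # seq 10
    AclEntry('permit', 'tcp', '10.0.0.0', '0.0.0.255', *ANY, 80),   # seq 20
)
WEBCACHE_REDIRECT = (
    RouteMapEntry(10, WEBTRAFFIC, '10.0.0.2'),
    RouteMapEntry(200),
)

# Constructed sample packets: 10.0.0.50 is a client, 203.0.113.10 an internet web server.
SAMPLES = {
    'client http':    Packet('10.0.0.50',   '203.0.113.10', 'tcp', 80),
    'cache http':     Packet('10.0.0.2',    '203.0.113.10', 'tcp', 80),   # must not loop
    'client https':   Packet('10.0.0.50',   '203.0.113.10', 'tcp', 443),
    'client udp 80':  Packet('10.0.0.50',   '203.0.113.10', 'udp', 80),
    'foreign subnet': Packet('192.168.1.5', '203.0.113.10', 'tcp', 80),
}


def decide_all() -> dict:
    """Map each sample name to the next hop chosen by the route-map (None = normal)."""
    return {name: policy_route(WEBCACHE_REDIRECT, p) for name, p in SAMPLES.items()}


if __name__ == '__main__':
    for name, hop in decide_all().items():
        print(f'{name:15} -> {hop or "normal routing"}')
```

Only the client's TCP port 80 packet comes out with 10.0.0.2 as next hop; the packet sourced by the cache itself hits the deny and falls through to sequence 200, which is exactly the loop the deny line is there to prevent. If you swap the two access-list entries in WEBTRAFFIC, the cache's own traffic is redirected back to it, which is a quick way to see why the order matters.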
Read about how to set up squid as a transparent proxy here.
UPDATE: Eirik Hjelle poked me and told me that the squid tutorial I am referring to is outdated, and it sure is!
The basics of squid.conf should be as follows (I was not going to cover it here, since this is a Cisco blog, but since Eirik was a nice fellow and just gave me a paste of the required lines, I'll include it):
http_port 3128 transparent
acl internal_network src 10.0.0.0/24
http_access allow internal_network
Policy routing only changes the next hop; the destination address and port of the packets are left untouched, so they arrive at the cache box still addressed to the original web server on port 80, not to 10.0.0.2 on port 3128. That means two things have to be taken care of on the cache host. Either let Squid listen on port 80,
http_port 10.0.0.2:80 transparent
or keep port 3128 and have the host redirect incoming port 80 traffic to it (on Linux, a REDIRECT rule in the iptables nat PREROUTING chain). In both cases the host also has to accept packets that are not addressed to it, which is what a NAT redirect does and a plain bind to 10.0.0.2:80 does not, so the redirect rule is the more common setup. Note also that Squid 3.1 and later spell this mode intercept instead of transparent.