Vaibhav Singh

Blog - vaibhavsingh.com

Identify client traffic-flow across a proxy

This happened over a decade ago when I was a budding L1 engineer monitoring the network infrastructure of a bank. This post is a recollection of the time my team lead (a great mentor) put me through a challenging exercise to meet a seemingly simple customer requirement.

Existing Topology

We had the typical topology: corporate user machines with a proxy server address configured for access to the Internet.

Internet access setup for general corporate users

Client requests reach the proxy server with a source IP from the 10.1.1.0/24 range. The proxy then performs a source NAT, replacing the client source IP address with its own outbound address, 200.1.1.2.

Requirement

One fine day, management decided to bring in an additional low-latency, premium-tier Internet circuit for the 5th-floor users, specifically the shares/stock department (10.2.2.0/24). The new circuit was terminated on the same router as the general-purpose Internet circuit.

Additional internet circuit dedicated to a sub-set of users

Proposal

At the time I was working towards my CCNA certification. Naturally, the solution that occurred to me came straight from the curriculum: policy-based routing (PBR) on the Internet router.

!
! Named ACLs must begin with a letter, and 'permit ip <src> any' needs an extended ACL
ip access-list extended FIFTH_FLOOR_USER_SEGMENT
	permit ip 10.2.2.0 0.0.0.255 any
!
route-map INTERNET_OUTBOUND_PBR permit 10
	match ip address FIFTH_FLOOR_USER_SEGMENT
	set ip next-hop 100.2.2.1
!
! Entry 20 has no match or set clause: everything else falls through to normal routing
route-map INTERNET_OUTBOUND_PBR permit 20
!
! PBR only takes effect once the route-map is applied to the ingress interface
! (interface name assumed; it is the one facing the proxy)
interface GigabitEthernet0/1
	description Towards proxy server
	ip policy route-map INTERNET_OUTBOUND_PBR
!

Then I noticed I had no client source IP addresses to match in the policy! Every client was NAT'd by the proxy, so the 10.x.x.x source addresses never reach the Internet router; every packet arrives with source 200.1.1.2. So what should I plug into the 'match' criteria?

After a week of deliberation I came up with a radical idea: mark 10.2.2.0/24 traffic with DSCP AF11 on the hop right before it reaches the proxy, then pick the AF11-marked packets out of the flood of traffic egressing the proxy and policy-route them onto the premium circuit!

On the Layer 3 device between the user segments and the proxy

!
! A numbered ACL in the 1-99 range is a standard ACL: source address only
access-list 5 permit 10.2.2.0 0.0.0.255
!
! In MQC the match criteria live in the class-map, not in the policy-map
class-map match-all SET_DSCP_5TH_FLOOR_USERS
	match access-group 5
!
policy-map SET_DSCP
	class SET_DSCP_5TH_FLOOR_USERS
		set dscp af11
!
! Applied outbound on the interface facing the proxy (interface name assumed)
interface Gi0/0/0
	description Towards proxy server
	service-policy output SET_DSCP
!
On the Internet router

!
route-map INTERNET_OUTBOUND_PBR permit 10
	match ip dscp af11
	set ip next-hop 100.2.2.1
!
! Entry 20 has no match or set clause: everything else falls through to normal routing
route-map INTERNET_OUTBOUND_PBR permit 20
!
! Applied to the ingress interface facing the proxy (interface name assumed)
interface GigabitEthernet0/1
	description Towards proxy server
	ip policy route-map INTERNET_OUTBOUND_PBR
!
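
Both route-map proposals hinge on what actually arrives at the Internet router after the proxy. The model below is an added example, not configuration or code from the post: it walks one client packet through the marking hop, the proxy and the PBR decision, and treats the single assumption the DSCP plan rests on, whether the proxy copies the client's marking onto the connection it opens towards the Internet, as a parameter. An explicit proxy terminates the client's TCP session and originates a new one, so the marking is not carried over unless the proxy is configured to do so. The general-circuit next hop 200.1.1.1 and the destination 198.51.100.10 are constructed values that the post does not state.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values taken from the post
FIFTH_FLOOR = ipaddress.ip_network("10.2.2.0/24")
PROXY_OUTBOUND_IP = "200.1.1.2"
PREMIUM_NEXT_HOP = "100.2.2.1"
# Constructed for this example: next hop of the general-purpose circuit
DEFAULT_NEXT_HOP = "200.1.1.1"

AF11 = 10  # DSCP value of AF11 (RFC 2597); the TOS byte on the wire is AF11 << 2 == 0x28


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dscp: int = 0


def mark_dscp(pkt: Packet) -> Packet:
    """policy-map SET_DSCP on the hop before the proxy: AF11 for 10.2.2.0/24."""
    if ipaddress.ip_address(pkt.src) in FIFTH_FLOOR:
        return replace(pkt, dscp=AF11)
    return pkt


def proxy(pkt: Packet, copies_dscp: bool) -> Packet:
    """The explicit proxy terminates the client session and opens its own.

    The packets it emits carry the proxy's outbound address; their DSCP is
    whatever the proxy sets on its outbound socket, which is 0 unless it is
    configured to copy the client's marking (modelled here by copies_dscp).
    """
    return Packet(src=PROXY_OUTBOUND_IP, dst=pkt.dst,
                  dscp=pkt.dscp if copies_dscp else 0)


def pbr_by_source(pkt: Packet) -> str:
    """First proposal: route-map entry 10 matches the 10.2.2.0/24 source ACL."""
    if ipaddress.ip_address(pkt.src) in FIFTH_FLOOR:
        return PREMIUM_NEXT_HOP
    return DEFAULT_NEXT_HOP  # entry 20: no match/set clause, normal routing


def pbr_by_dscp(pkt: Packet) -> str:
    """Second proposal: route-map entry 10 matches 'ip dscp af11'."""
    if pkt.dscp == AF11:
        return PREMIUM_NEXT_HOP
    return DEFAULT_NEXT_HOP


def end_to_end(src: str, policy, proxy_copies_dscp: bool) -> str:
    """Walk one client packet through marking, the proxy and the Internet router."""
    pkt = Packet(src=src, dst="198.51.100.10")  # constructed destination
    pkt = mark_dscp(pkt)
    pkt = proxy(pkt, proxy_copies_dscp)
    return policy(pkt)


if __name__ == "__main__":
    for policy in (pbr_by_source, pbr_by_dscp):
        for src in ("10.2.2.15", "10.1.1.20"):
            for copies in (False, True):
                print(f"{policy.__name__:14} src={src:10} proxy_copies_dscp={copies!s:5} "
                      f"-> next hop {end_to_end(src, policy, copies)}")
```

Running it shows the source-based policy never selecting the premium circuit, because every post-proxy packet has source 200.1.1.2, and the DSCP-based policy selecting it only when the proxy propagates the marking. Before committing to the DSCP approach on real hardware, capture on the router-facing side of the proxy and confirm the marking is actually present there, for example with `tcpdump -ni <iface> 'ip[1] & 0xfc == 0x28'`, which matches packets whose DSCP field is AF11.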

Summary

To this day I'm not sure what to make of the expression on my colleague's face when I cheerily presented this idea to him. I thought he was awed by the ingenuity of it! No?

As an entry-level engineer, my happy sense of achievement, combined with the satisfaction of having done my 'homework' with the goal of impressing my mentor, was short-lived: he turned nonchalantly to the whiteboard, began drawing a topology, and explained the ways of the 'real world' to me.
