Anonymous
Not applicable

Policy based routing help

I have a Cisco Web Security Virtual Appliance that will be doing content filtering and monitoring.

I need help configuring policy based routing to send web traffic ports 80, 8080, 443, 3128 to appliance and all other traffic (DNS, UDP etc) to another GW.

Thanks,

Greg

Accepted Solutions
jayh
Honored Contributor

Re: Policy based routing help

Create an access list:

ip access-list extended webfilter-list
  permit tcp any any eq 80
  permit tcp any any eq 443
  permit tcp any any eq 8080
  ....

Create a route map:

route-map webfilter-map permit 10
  match ip address webfilter-list
  set ip next-hop ip.of.filter.box
route-map webfilter-map permit 20

Apply that route-map to the inside interface where the browsers live.

interface eth 0/2
  ip policy route-map webfilter-map

There is one more thing you will need to do, and we need more information about the appliance.  How does the filter appliance get to the Internet to pass the clean traffic through?  Does it have a separate interface?  Does it do NAT?  You'll need to take some action to ensure that the inspected traffic isn't subject to the route-map or it will just loop to itself.

Good luck.  John Gilmore's 1993 quote is still applicable today 21 years later.  John Gilmore - Wikiquote
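
The loop the accepted answer warns about, as an added Python model (not code from the thread, nor Adtran or Cisco code): first-match ACL evaluation feeding the two-clause route-map, run once without and once with a leading deny for traffic sourced by the appliance. It assumes the appliance is one-armed on the same inside interface and forwards requests upstream with its own address; the addresses 10.0.0.5 (appliance) and 192.0.2.1 (other gateway) are made up.

```python
from dataclasses import dataclass

FILTER_BOX = "10.0.0.5"    # assumed address of the web filter appliance
DEFAULT_GW = "192.0.2.1"   # assumed address of the "other GW" for everything else
WEB_PORTS = {80, 8080, 443, 3128}   # the ports listed in the question

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def acl_permits(pkt, exclude_filter_box):
    """Model of the extended ACL, evaluated first-match like the router does.
    With exclude_filter_box=True a leading 'deny ip host FILTER_BOX any' is
    present; the 'permit tcp any any eq <port>' lines follow either way."""
    if exclude_filter_box and pkt.src == FILTER_BOX:
        return False
    return pkt.proto == "tcp" and pkt.dport in WEB_PORTS

def next_hop(pkt, exclude_filter_box):
    """route-map webfilter-map: seq 10 matches the ACL and sets next-hop to
    the appliance; seq 20 has no match or set, so normal routing (the
    default route to DEFAULT_GW) applies to everything else."""
    return FILTER_BOX if acl_permits(pkt, exclude_filter_box) else DEFAULT_GW

def trace(pkt, exclude_filter_box, max_hops=5):
    """Follow one packet through the policy-routed inside interface.
    Assumes the one-armed appliance sits on that same interface and forwards
    the request upstream with its own source address, so the forwarded copy
    hits the route-map again. The hop list ends in 'LOOP' if it never escapes."""
    hops, cur = [], pkt
    for _ in range(max_hops):
        nh = next_hop(cur, exclude_filter_box)
        hops.append(nh)
        if nh != FILTER_BOX:
            return hops
        cur = Packet(FILTER_BOX, cur.dst, cur.proto, cur.dport)
    hops.append("LOOP")
    return hops

if __name__ == "__main__":
    web = Packet("10.0.0.20", "203.0.113.10", "tcp", 80)   # constructed samples
    dns = Packet("10.0.0.20", "203.0.113.53", "udp", 53)
    print("no deny  :", trace(web, exclude_filter_box=False))
    print("with deny:", trace(web, exclude_filter_box=True))
    print("dns      :", trace(dns, exclude_filter_box=True))
```

If the appliance preserves the client's source address (transparent mode) the source-based deny does not help; the cleaner fix is the separate interface the answer asks about, so the appliance's traffic never enters the policy-routed interface at all.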




3 Replies
Anonymous
Not applicable

Re: Policy based routing help

That should be fairly easy. 

1.  You just need to configure the other gateway as the default route. 

2.  Then you need to create an ACL that matches the desired traffic you want to filter (80, 8080, 443, etc.). 

3.  Create a route-map.  Have the route map match the ACL you created.  Have the route-map set the next hop to be the address of the web filtering appliance.

4.  Assign the route map to the interface that the traffic is coming from.

There is pretty good documentation on PBR  https://supportforums.adtran.com/docs/DOC-3587

I can give you an example if you need one.  Keep in mind that PBR does use CPU resources, so it could impact the router's performance if we are looking at a high traffic volume.

R\

Anonymous
Not applicable

Re: Policy based routing help

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor