Policy Based Routing (Suggestion Needed)


I've two 2800 series routers, one ADSL and one Leased Line, with two 515E Firewalls, one connected to each router. They are then connected to an L2 switch (2960G) for aggregation to two L3 Core switches (3750). I want all my traffic to use the ADSL and all my mail (SMTP) traffic to use the LL. Do I need policy based routing here, or just specifying the default gateway for the mail servers to be the firewall connected to the LL router?


Suggestion will be appreciated.


Jon Marshall Thu, 05/01/2008 - 00:39

If the mail servers are on a different subnet than the internal interface of the firewall that connects to the LL router then you will need PBR. Where is the L3 interface for the mail servers?


I'm assuming from your explanation that the firewalls are independent of each other, i.e. they are not running as a pair?


Jon

@jon


Thanks for the prompt reply.


The mail servers are on the same subnet (VLAN) as the firewall's inside interface. The firewalls are independent of each other as both are on different VLANs.


Browsing is perfect; I had a small glitch with a few sites but it was restored when I played a little with the MTU size. Now the problem lies with the mail going through the LL. Email is not bounced back but never reaches the other party.


Jon Marshall Thu, 05/01/2008 - 02:03

Presumably you are NATting the mail servers to the public addresses in use on the LL firewall. You need to make sure these are the DNS MX records.


Jon

@jon


I tried the following config and all I got was a mail to my gmail account; the rest of them never reached.

My config shows:

static (inside,outside) tcp 83.x.x.195 smtp 192.168.1.206 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 83.x.x.196 https 192.168.1.206 https netmask 255.255.255.255 0 0

and the ACL shows:

access-list acl_out permit tcp any host 83.x.x.195 eq smtp
access-list acl_out permit tcp any host 83.x.x.195 eq https
access-list acl_out permit icmp any any



Jon Marshall Thu, 05/01/2008 - 02:38

What is the DNS record for your mail server, i.e. if I looked up 83.x.x.195 on the Internet would it resolve to your mail server?


Jon

@jon


No, you can't resolve it as there is no DNS record for the mail servers. We need it only to send mails, not receive (for the time being). We do have other servers to do the job in different locations.


By the way, the mail which arrived at gmail was through the ADSL, as I traced it to the dynamic IP.


Still not clear what should be done.

Jon Marshall Thu, 05/01/2008 - 04:19

Are you sure these are independent of each other? If the default gateway of the mail server is the LL firewall and the leased line firewall only connects to the LL router, then how is the mail server getting out via the ADSL link?


Perhaps a diagram would help.


Jon

lamav Thu, 05/01/2008 - 04:52

Saj:


Just to reiterate, correct me if I'm wrong.


MBX 1 and 2 are the email servers?


What are their default gateways set to?


What are the IP addresses of BOTH FW inside interfaces?


The switch that both FWs are connected to is an L2 switch, correct?


Victor



@lamav


MBX1 & 2 are mail servers but are dependent on CAS/HOB which is 192.168.1.206.


The LL FW is 192.168.1.254, which is also defined as the gateway for CAS/HOB. The ADSL FW is 192.168.101.2 (different VLAN) and is the gateway for all other traffic through Core SW1 (192.168.101.1).


The switch which aggregates the firewalls with Core SW1 is an L2 (2960G, LAN Base) switch. The respective VLANs are defined on the switch ports for the LL FW and ADSL FW.



Jon Marshall Thu, 05/01/2008 - 05:06

If the mail servers have their default gateway on SW1 then you will need to use PBR, but you said that the mail servers' default gateway was the LL FW.

If the mail server default gateway is on SW1 then you have to set up PBR. Do your internal clients need to talk to the mail servers? Let's assume they do, and let's say your internal VLANs are

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

! Angle-bracket placeholders stand for the addresses the post leaves blank:
! <MBX1-IP>/<MBX2-IP> are the two mail servers, <LL-FW-INSIDE-IP> is the LL firewall's inside address.
! The denies stop mail-server traffic to the internal VLANs being policy routed;
! the permits catch everything else the mail servers send.
access-list 101 deny ip host <MBX1-IP> 192.168.1.0 0.0.0.255
access-list 101 deny ip host <MBX2-IP> 192.168.1.0 0.0.0.255
access-list 101 deny ip host <MBX1-IP> 192.168.2.0 0.0.0.255
access-list 101 deny ip host <MBX2-IP> 192.168.2.0 0.0.0.255
access-list 101 deny ip host <MBX1-IP> 192.168.3.0 0.0.0.255
access-list 101 deny ip host <MBX2-IP> 192.168.3.0 0.0.0.255
access-list 101 permit ip host <MBX1-IP> any
access-list 101 permit ip host <MBX2-IP> any

route-map MAIL permit 10
 match ip address 101
 set ip next-hop <LL-FW-INSIDE-IP>

Then apply it to the mail server VLAN interface, e.g.

int vlan 10
 ip policy route-map MAIL


Edit - you may also need to enable the SDM routing template on the 3750 for PBR.


Jon

lamav Thu, 05/01/2008 - 06:00

Hey, Jon:


How are you, buddy?


I'd like to ask a question about your route map. I don't want to hijack Saj's thread, though... I just want to understand your solution.


Can you please explain the logic of your route map? What's with the deny statements? I don't think I've ever seen an ACL created for PBR that uses negative logic... what do those deny statements achieve?


Are you trying to say "don't policy route traffic between internal VLANs and the mail servers"? And if so, doesn't the implicit deny at the end of the ACL take care of that? Anything that isn't PBR'd is routed normally...


Thanks


Victor





Jon Marshall Thu, 05/01/2008 - 06:10

Hi Victor


Doing fine, but busy as I'm leaving my job at the end of May, so there are some loose ends to tie up.


You are right in what you say about the deny statements. These make sure that traffic from the mail servers to the internal VLANs is not policy routed. The problem with relying on the implicit deny at the end is that it would never get to that rule, as you have a permit ip any in the access-list before that, so without the explicit denies all traffic would be policy routed.


Jon
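To make the first-match ordering point concrete, here is an added Python model of ACL 101 and the MAIL route-map (not code from Jon's post or from any Cisco tool). It assumes 192.168.1.207 as a second mail server address and 203.0.113.25 as an Internet destination; the other addresses are the ones quoted in the thread.

```python
import ipaddress
from typing import List, NamedTuple


class Ace(NamedTuple):
    """One entry of an extended ACL: action plus source/destination prefixes."""
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


# Constructed addressing for the thread's scenario: 192.168.1.206 is the CAS/HOB
# host from the thread, 192.168.1.207 is an assumed second mail server, the
# internal VLANs are Jon's three example subnets and the LL firewall's inside
# address is the 192.168.1.254 that Saj quoted.
MAIL_SERVERS = ["192.168.1.206", "192.168.1.207"]
INTERNAL_VLANS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
LL_FW_INSIDE = "192.168.1.254"


def build_acl_101(with_denies: bool) -> List[Ace]:
    """ACL 101 as in Jon's post; with_denies=False drops the explicit denies
    so that only the 'permit ip host <mbx> any' lines remain."""
    acl: List[Ace] = []
    if with_denies:
        for mbx in MAIL_SERVERS:
            for vlan in INTERNAL_VLANS:
                acl.append(ace("deny", mbx, vlan))
    for mbx in MAIL_SERVERS:
        acl.append(ace("permit", mbx, "0.0.0.0/0"))   # permit ip host <mbx> any
    return acl


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


def next_hop(acl: List[Ace], src: str, dst: str) -> str:
    """route-map MAIL permit 10 / match ip address 101 / set ip next-hop.
    A packet the ACL permits is policy routed to the LL firewall; anything
    else (explicit or implicit deny) follows the normal routing table."""
    return LL_FW_INSIDE if acl_permits(acl, src, dst) else "routing-table"
```

Running the same mail-server-to-internal-VLAN packet through both ACL variants shows the difference Jon describes: with the denies it follows the routing table, without them the permit line sends it to the LL firewall.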


lamav Thu, 05/01/2008 - 06:17

Jon:


OK, I just wanted to make sure that I was on your page and not missing something. :-)


I never ask you questions to challenge you -- only to learn from you.


Good luck at your new job.


Victor



Jon Marshall Thu, 05/01/2008 - 06:20

Victor


Thanks, no new job as yet, taking some time off.


You can challenge me any time, as I make as many mistakes as the next man and I certainly don't take it personally.


Jon

Jon Marshall Thu, 05/01/2008 - 06:06

From the 3750 Q&A:

Q. What features are only supported on the IP Services Image?

A. The following features and functionality are supported with the IP Services Image:

• Dynamic IP routing protocols for load balancing and constructing scalable LANs:
  - Open Shortest Path First (OSPF)
  - Enhanced IGRP (EIGRP)
  - Border Gateway Protocol (BGPv4)
• Equal-cost routing for load balancing and redundancy
• Fallback bridging for forwarding of non-IP traffic between two or more VLANs
• Protocol-Independent Multicast (PIM) for IP multicast routing within a network that enables the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned; support for PIM sparse mode (PIM-SM), PIM dense mode (PIM-DM), and PIM sparse-dense mode
• Distance Vector Multicast Routing Protocol (DVMRP) tunneling for interconnecting two multicast-enabled networks across non-multicast
• Policy-based Routing (PBR) allows superior control by enabling flow redirection regardless of the routing protocol configured
• Private VLAN (PVLAN) provides the ability to restrict communications between hosts at layer 2 through the use of primary and secondary VLANs.

So you need IP Services for PBR, and you would need to enable the routing SDM template.


Jon

Jon Marshall Thu, 05/01/2008 - 06:31

No. If you did

switch(config)# sdm prefer routing

and then reloaded the switch, and the "ip policy route-map ..." command is still not available under the interface, then you need to use the IP Services image.


Jon
