policy routing

Answered Question
Jul 23rd, 2008

Hi, I want to configure the proxy interception feature on my network. There are about 10 VLANs on my network and I want to configure policy routing so that the traffic for www is intercepted and forwarded to the proxy server. For that I want to configure policy routing. Is it possible to configure a route-map and apply that route-map to interface VLAN? I have 3750 and 4948 switches.


Giuseppe Larosa Thu, 07/24/2008 - 00:52

Hello Waseem,

If you can configure multiple VLAN interfaces on them and you can have all of them up/up, they can do multilayer switching.


If so, the answer is yes. Multilayer switches are able to implement PBR in a very efficient way by modifying the action to be done in the TCAM table (the IP next hop, I mean).


Hope to help

Giuseppe

itdsmartnet Thu, 07/24/2008 - 02:28

Hi giulsar,

One thing which is confusing me is the placement of the proxy server. Should I configure a Layer 3 port for the inside (LAN interface) and outside (WAN interface) network for the proxy server? Or should I place the inside (LAN interface) network on one of the VLANs and configure a Layer 3 port for the outside (WAN interface), then configure users on the LAN to have their default gateway (IP address of interface VLAN) and apply the route-map on interface VLAN to intercept the traffic for www?

Thanks

Correct Answer
Giuseppe Larosa Thu, 07/24/2008 - 10:30

Hello,


Well, you need three interfaces:


one towards the customer/client where you do PBR on incoming packets


one outside WAN interface towards the internet


one dmz / horizontal link where you place the proxy / web cache


Incoming packets from users will be sent to the proxy; the proxy will go to the internet, opening a TCP session on behalf of the customer.

So you will have two coordinated TCP sessions

user <-----> proxy TCP_A

proxy <-----> real web server TCP_B


Return path will be

outside -> proxy -> || proxy --> user

TCP_B || TCP_A



Hope to help

Giuseppe

harshi_lib Wed, 07/30/2008 - 01:16

Yes, Policy Routing works on these switches. You can configure a route-map and apply it to interface VLAN.

But make sure that you have the IPSERVICES image installed on the switch.

Policy Routing doesn't work on the BASE image.
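
The setup described in this thread (PBR on the client-facing VLAN interface, proxy on its own DMZ segment), sketched as an added example that is not part of any poster's reply. The VLAN numbers, addresses, and the names WWW-TO-PROXY and PROXY-REDIRECT are constructed for illustration.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   users  VLAN 10 = 10.10.10.0/24, gateway 10.10.10.1
!   proxy  VLAN 99 = 10.10.99.0/24, proxy host 10.10.99.10
!
! Catalyst 3750 only: PBR needs the routing SDM template
! (takes effect after a reload). Requires the IP services image.
sdm prefer routing
!
ip routing
!
! Match only HTTP from the user subnet. Traffic sourced by the proxy
! itself is not listed here, so it is never redirected back to the proxy.
ip access-list extended WWW-TO-PROXY
 permit tcp 10.10.10.0 0.0.0.255 any eq www
!
route-map PROXY-REDIRECT permit 10
 match ip address WWW-TO-PROXY
 set ip next-hop 10.10.99.10
!
! Client-facing SVI: PBR acts on packets arriving from users (TCP_A).
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PROXY-REDIRECT
!
! DMZ SVI for the proxy: no policy applied, so the proxy's own
! requests (TCP_B) follow the normal routing table to the WAN interface.
interface Vlan99
 ip address 10.10.99.1 255.255.255.0
!
! Verification from exec mode:
!   show route-map PROXY-REDIRECT
!   show ip policy
```

For the other user VLANs, add one permit line per subnet to the access list and apply the same `ip policy route-map` on each user-facing interface VLAN.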
