ip policy route-map

Unanswered Question
Oct 28th, 2008

Please read the attached graph.

Problem:

1.) SMTP traffic is not forwarding to the Barracuda Spam Firewall.

2.) show access-list 180

Extended IP access list 180

10 permit tcp any host 64.162.231.120 eq smtp (19999 matches) I see matches...

3.) What could be wrong?

S0/0 :

67.120.20.66

255.255.255.252

ip policy route-map SMTP_MAP

!

access-list 180 remark All_Traffic routed SMTP_MAP (RM 80)

access-list 180 permit tcp any host 64.162.231.120 eq smtp

route-map SMTP_MAP permit 80

match ip address 180

set ip next-hop 64.162.231.123

!

Richard Burts Tue, 10/28/2008 - 13:17

David

I believe that the essence of your problem is that the destination address of the packet is an address in a locally connected subnet. Your route map is setting a next hop address. And if the router were forwarding to another router/gateway device then I believe that your route map would be working. But when the router has the route map but the destination is a local address then I believe that it just does an ARP for the destination address and forwards directly to 64.162.231.120.

HTH

Rick

guitarmajor Tue, 10/28/2008 - 14:05

Hi Rick,

I don't entirely understand your response; but what you said about the ARP for the destination address and forwarding directly to 64.162.231.120, that's what it is doing. SMTP traffic was somehow bypassed and sent directly to our Check Point firewall.

1.) If all traffic is coming in through the border router's S0/0 interface, why can't I forward/capture it? I do see the access-list 180 counter increasing packets, but nothing is forwarded to the next hop 64.162.231.123. Why?

What would you suggest a solution to be?

Richard Burts Tue, 10/28/2008 - 15:03

David

Let me try to explain it this way: with PBR as the packet comes in the incoming interface PBR examines the packet and if it matches the access list then PBR makes its own routing decision. In your case your PBR will set the next hop (the next router or gateway address) as .123. But when the packet gets to the outbound interface the router realizes that the destination is a locally connected address. At that point it no longer uses the next hop address but looks for ARP to find the destination MAC address and forwards to the real destination.

If you want to have PBR work on this traffic then I suggest that you need a small re-design of the network to change the topology so that the Mail server address is not in the subnet of the LAN interface of the Internet facing router. If the outside router is forwarding to another router to reach the Mail server then PBR should work. Or perhaps you can change the topology of the network so that the Barracuda is in line as traffic is forwarded to the firewall and the Mail server.

HTH

Rick
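As an added illustration of Rick's explanation (not code from the thread or from Cisco), the Python check below parses an IOS fragment modelled on David's config and flags route-map entries whose matched destination host sits in one of the router's connected subnets, then shows the same check passing on a redesigned variant. The LAN interface address and its /24 mask, and the 192.0.2.x addresses in the redesigned fragment, are constructed assumptions; the post gives only S0/0, the ACL and the route-map.

```python
import ipaddress
import re

# Constructed IOS fragment modelled on the thread; the LAN interface address
# and its /24 mask are assumptions (the post shows only S0/0, the ACL and the map).
BROKEN = """
interface FastEthernet0/0
 ip address 64.162.231.1 255.255.255.0
interface Serial0/0
 ip address 67.120.20.66 255.255.255.252
 ip policy route-map SMTP_MAP
access-list 180 permit tcp any host 64.162.231.120 eq smtp
route-map SMTP_MAP permit 80
 match ip address 180
 set ip next-hop 64.162.231.123
"""

# Redesign in the spirit of Rick's suggestion (addresses constructed): the mail
# server is no longer in a connected subnet, so the PBR next hop is a real hop.
REDESIGNED = (BROKEN.replace("64.162.231.1 255.255.255.0", "192.0.2.1 255.255.255.0")
              .replace("set ip next-hop 64.162.231.123", "set ip next-hop 192.0.2.123"))

def connected_subnets(config):
    """Subnets of every interface 'ip address A M' line in the config."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)]

def pbr_pitfalls(config):
    """Flag route-map entries whose matched destination host is in a connected
    subnet: the thread's case, where the router ARPs for the destination itself
    and the 'set ip next-hop' is bypassed. Returns (map, seq, dst, next_hop, subnet)."""
    nets = connected_subnets(config)
    found = []
    rm_re = r"^route-map (\S+) permit (\d+)\n((?: .*\n)*)"
    for name, seq, body in re.findall(rm_re, config, re.M):
        acl = re.search(r"match ip address (\d+)", body)
        nh = re.search(r"set ip next-hop (\S+)", body)
        if not (acl and nh):
            continue
        acl_re = rf"^access-list {acl.group(1)} permit \S+ \S+ host (\S+)"
        for dst in re.findall(acl_re, config, re.M):
            for net in nets:
                if ipaddress.ip_address(dst) in net:
                    found.append((name, int(seq), dst, nh.group(1), str(net)))
    return found

if __name__ == "__main__":
    print(pbr_pitfalls(BROKEN))      # flags SMTP_MAP seq 80
    print(pbr_pitfalls(REDESIGNED))  # []
```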
