PBR / ACLs

Sep 8th, 2009

I have a scenario where we are evaluating the possibility of moving from a centralised Internet access model to local breakout. We are using a Bluecoat Proxy SG local to the site. The proxy is not in transparent mode, therefore all clients' Internet settings are configured with the IP address of the proxy server. I have read various threads on the forum and, as I understand it, I can configure the local Layer 3 switch with PBR and ACLs to force all port 80 traffic to an interface or IP address. Is this a correct assumption? If so, can you please give me some guidance on how to configure this.


Thank you.

Jon Marshall Wed, 09/09/2009 - 03:02

Raj

Yes you can use PBR.

Let's assume your local LAN is 192.168.5.0/24 and that is vlan 10 on your L3 switch:

access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq www

route-map PBR permit 10
 match ip address 101
 set ip next-hop

int vlan 10
 ip policy route-map PBR

Note if you have other www servers internal to your network that you don't want to go via the Bluecoat, then deny them in acl 101 before the permit for all www traffic.

Also, depending on your switch, you may need to change the SDM template, i.e. on a 3560/3750 you would need to use the SDM routing template:

3560(config)# sdm prefer routing

And you will need IP services if it is a 3560/3750 switch.

Jon

RVirdi Wed, 11/04/2009 - 09:07

Thanks Jon.

I applied the PBR:

access-list 101 permit tcp 192.168.218.128 0.0.0.31 any eq 80
access-list 101 permit udp 192.168.218.128 0.0.0.31 any eq 80

route-map LocalBreakout permit 10
 match ip address 101
 set ip next-hop 192.168.200.102

interface vlan 7
 ip policy route-map LocalBreakout

However, vlan 7 can still access everything on the LAN when I just want vlan 7 to be restricted to port 80 only.

What have I done wrong?

Giuseppe Larosa Wed, 09/09/2009 - 03:12

Hello Raj,

PBR or WCCP version 2 can be used to redirect traffic to a web cache in transparent mode.

In your case the appliance is used in proxy mode, meaning that clients have all URLs resolved to the proxy IP address. So you shouldn't need to redirect traffic, because it is done at the application layer.

In your case you could deploy web caches in proxy mode in all sites: routers will route traffic to the nearest "proxy IP address". This is called an anycast address, where an IP address is not unique and is tied to a service.

The advantage of this approach is that clients can keep their current configuration.

Another possible approach is that of removing proxy settings on clients and using transparent web caches/web filtering services. In this second scenario you may need to divert traffic towards the internet to the web cache/web filter. To do so you can use PBR or, if supported by the appliance(s) (it is spoken between caches and routers), you can deploy WCCP version 2.

See

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/wccp.html

or

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/wccp.html

WCCPv2 is more specific for HTTP traffic but not limited to it. PBR is a more general tool to override natural destination-based routing.

Hope to help

Giuseppe


RVirdi Wed, 09/09/2009 - 04:47

Thank you Jon & Giuseppe, I appreciate your feedback. We will be installing this in a location next Tuesday and will update the thread with the results. I guess we will go with the approach of proxy mode without any PBR or WCCP? We use Scansafe Web Filtering (SaS), so the proxies forward all traffic to their servers.

The follow-on from this will be to configure Guest Wireless access using the same proxy, so I guess best practice in this case would be to use PBR to isolate the Guest user VLAN for internet traffic only. Guest users will need the ability to access the internet and also initiate VPN connections to their own corporate networks.
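Pulling together Jon's route-map and the guest-VLAN isolation raised in the last post, here is an added example (mine, not from any poster in the thread) of a VLAN 7 confined to web and VPN traffic. It reuses the thread's addresses (192.168.218.128/27 and the proxy at 192.168.200.102) and assumes a resolver at 192.168.200.10, an explicit-proxy port of 8080, an SVI address of .129, and 10.0.0.0/8 plus 192.168.0.0/16 as the internal ranges guests must not reach. The point it shows is that PBR only rewrites the next hop of matching packets and never filters them, so an inbound access-group is what does the restricting.

```cisco
! Added example, not from any poster in this thread. Addresses reused from
! RVirdi's post: guest VLAN 7 = 192.168.218.128/27, proxy = 192.168.200.102.
! Assumed: resolver 192.168.200.10, explicit-proxy port 8080, SVI .129, and
! 10.0.0.0/8 + 192.168.0.0/16 as the internal ranges guests must not reach.
!
! Step 1 - confine the VLAN. PBR only rewrites the next hop of packets that
! match its ACL; it never drops anything, so an inbound access-group on the
! SVI is what restricts VLAN 7. IOS evaluates this ACL before policy routing.
ip access-list extended GUEST-IN
 remark internal services guests may use: DNS and the explicit proxy port
 permit udp 192.168.218.128 0.0.0.31 host 192.168.200.10 eq domain
 permit tcp 192.168.218.128 0.0.0.31 host 192.168.200.102 eq 8080
 remark everything else internal is blocked before any Internet permit
 deny   ip 192.168.218.128 0.0.0.31 10.0.0.0 0.255.255.255
 deny   ip 192.168.218.128 0.0.0.31 192.168.0.0 0.0.255.255
 remark web to the Internet (port 80 is what the route-map below redirects)
 permit tcp 192.168.218.128 0.0.0.31 any eq www
 permit tcp 192.168.218.128 0.0.0.31 any eq 443
 remark IKE, NAT-T and ESP so guests can reach their own corporate VPNs
 permit udp 192.168.218.128 0.0.0.31 any eq isakmp
 permit udp 192.168.218.128 0.0.0.31 any eq non500-isakmp
 permit esp 192.168.218.128 0.0.0.31 any
 deny   ip any any log
!
! Step 2 - steer the web flows that survived the filter. Internal web servers
! are excluded by deny entries placed before the permit, as Jon advised.
ip access-list extended GUEST-PBR
 deny   tcp 192.168.218.128 0.0.0.31 10.0.0.0 0.255.255.255 eq www
 deny   tcp 192.168.218.128 0.0.0.31 192.168.0.0 0.0.255.255 eq www
 permit tcp 192.168.218.128 0.0.0.31 any eq www
!
route-map GUEST-BREAKOUT permit 10
 match ip address GUEST-PBR
 set ip next-hop 192.168.200.102
!
interface Vlan7
 ip address 192.168.218.129 255.255.255.224
 ip access-group GUEST-IN in
 ip policy route-map GUEST-BREAKOUT
!
! On a 3560/3750, PBR also needs "sdm prefer routing" and a reload, per Jon.
```

Packets entering VLAN 7 are checked against GUEST-IN first and only those it permits reach GUEST-BREAKOUT, so a guest can browse the Internet via the proxy and bring up a VPN but cannot reach anything on the LAN except DNS and the proxy port.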
