PBR / ACLs

Unanswered Question
Sep 8th, 2009

I have a scenario where we are evaluating the possibility of moving from a centralised Internet access model to local breakout. We are using a Bluecoat Proxy SG local to the site. The proxy is not in transparent mode, therefore all clients' Internet settings are configured with the IP address of the proxy server. I have read various threads on the forum and, as I understand it, I can configure the local Layer 3 switch with PBR and ACLs to force all port 80 traffic to an interface or IP address. Is this a correct assumption? If so, can you please give me some guidance on how to configure this.

Thank you.

Jon Marshall Wed, 09/09/2009 - 03:02

Raj

Yes you can use PBR.

Let's assume your local LAN is 192.168.5.0/24 and that is vlan 10 on your L3 switch

access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq www
route-map PBR permit 10
 match ip address 101
 set ip next-hop
int vlan 10
 ip policy route-map PBR

Note if you have other www servers internal to your network that you don't want to go via the bluecoat then deny them in acl 101 before the permit for all www traffic.

Also, depending on your switch, you may need to change the SDM template, i.e. on a 3560/3750 you would need to use the SDM routing template, i.e.

3560(config)# sdm prefer routing

And you will need IP services if it is a 3560/3750 switch.

Jon

RVirdi Wed, 11/04/2009 - 09:07

Thanks Jon.

I applied the PBR:

access-list 101 permit tcp 192.168.218.128 0.0.0.31 any eq 80
access-list 101 permit udp 192.168.218.128 0.0.0.31 any eq 80
route-map LocalBreakout permit 10
 match ip address 101
 set ip next-hop 192.168.200.102
interface vlan 7
 ip policy route-map LocalBreakout

However, vlan 7 can still access everything on the LAN when I just want vlan 7 to be restricted to port 80 only.

What have I done wrong?
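An added example, not part of the thread above, that puts Jon's PBR configuration and the restriction RVirdi is after side by side. It assumes the addressing from RVirdi's post (clients in 192.168.218.128/27 on VLAN 7, Bluecoat proxy at 192.168.200.102); the intranet web server 192.168.50.10 and the ACL name VLAN7-IN are constructed placeholders. The point it shows: a route-map only changes the next hop for packets that match its ACL, and a deny in that ACL means "route normally", not "drop", so limiting what VLAN 7 may reach is the job of a separate inbound interface ACL, which the switch evaluates before the policy route-map.

```ios
! Added example (not from the thread). Addresses from RVirdi's post;
! 192.168.50.10 and VLAN7-IN are constructed placeholders.
!
! 1. Catalyst 3560/3750 only: PBR needs the routing SDM template (takes effect after reload).
sdm prefer routing
!
! 2. Selection ACL for PBR. "deny" here = route via the normal routing table.
!    Exempt the intranet web server so it is not sent through the proxy.
access-list 101 deny   tcp 192.168.218.128 0.0.0.31 host 192.168.50.10 eq www
access-list 101 permit tcp 192.168.218.128 0.0.0.31 any eq www
!
! 3. Route-map: HTTP that matches ACL 101 is handed to the proxy;
!    everything else (including the deny above) is routed normally.
route-map LocalBreakout permit 10
 match ip address 101
 set ip next-hop 192.168.200.102
!
! 4. Restriction is a separate job for an interface ACL; PBR never blocks anything.
!    This ACL lets VLAN 7 reach the proxy itself (explicit-proxy clients, any port)
!    and send HTTP (which PBR then steers to the proxy), and drops the rest.
ip access-list extended VLAN7-IN
 remark explicit-proxy clients connect to the Bluecoat directly
 permit tcp 192.168.218.128 0.0.0.31 host 192.168.200.102
 remark plain HTTP, policy-routed to the proxy by LocalBreakout
 permit tcp 192.168.218.128 0.0.0.31 any eq www
 remark everything else from VLAN 7 is dropped and logged
 deny   ip any any log
!
interface Vlan7
 ip access-group VLAN7-IN in
 ip policy route-map LocalBreakout
!
! 5. Verification: match counters on the route-map and the ACL
show route-map LocalBreakout
show ip policy
show ip access-lists VLAN7-IN
```

`show route-map LocalBreakout` reports the packets and bytes policy-routed under "Policy routing matches", which is the quickest way to confirm ACL 101 is actually matching client traffic; `show ip access-lists VLAN7-IN` shows per-entry hit counts, so a climbing count on the final deny tells you what the VLAN is still trying to reach.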

Giuseppe Larosa Wed, 09/09/2009 - 03:12

Hello Raj,

PBR or WCCP version 2 can be used to redirect traffic to a web cache in transparent mode.

In your case the appliance is used in proxy-mode meaning that clients have all URLs resolved in the proxy ip address.

So you shouldn't need to redirect traffic because it is done at the application layer.

In your case you could deploy web caches in proxy mode in all sites:

routers will route traffic to the nearest "proxy ip address"

This is called anycast address where an ip address is not unique and is tied to a service.

The advantage of this approach is that clients can keep their current configuration.

Another possible approach is that of removing proxy settings on clients and to use transparent web caches/web filtering services.

In this second scenario you may need to divert traffic towards the internet to the web cache/web filter.

To do so you can use PBR or if supported by the appliance(s) (it is spoken between caches and routers) you can deploy WCCP version 2.

see

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/wccp.html

or

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/wccp.html

WCCPv2 is more specific for HTTP traffic but not limited to it.

PBR is a more general tool to override natural destination based routing.

Hope to help

Giuseppe

RVirdi Wed, 09/09/2009 - 04:47

Thank you Jon & Giuseppe, I appreciate your feedback. We will be installing this in a location next Tuesday and will update the thread with the results. I guess we will go with the approach of proxy mode without any PBR or WCCP? We use Scansafe Web Filtering (SaaS) so the proxies forward all traffic to their servers.

The follow-on from this will be to configure guest wireless access using the same proxy, so I guess best practice in this case would be to use PBR to isolate the guest user VLAN for Internet traffic only. Guest users will need the ability to access the Internet and also initiate VPN connections to their own corporate networks.
