Policy-based routing in 6509

May 12th, 2010

Hello all,

Let me explain the scenario first.

1. The 6509 is the core switch for our organisation.

2. There are several VLANs created, and the internet traffic for the VLANs goes to the internet via a proxy server; the proxy server has the connection to the internet.

3. So we don't have a default gateway in the core switch.

4. We connected a new device, a Fortinet, for testing, which has its own internet connection.

5. We created a new VLAN for testing and tried to forward only the internet traffic to the device through PBR. I was successful, but the HTTP service on internal servers was not working. Below are the access list and PBR I created.

interface Vlan10
description fortinet
ip address 172.35.0.1 255.255.0.0
ip policy route-map fortinet
end

access-list 101 permit tcp any any eq www

route-map fortinet permit 20
match ip address 101
set ip next-hop 172.35.0.2


The internal IP address of the Fortinet device is 172.35.0.2.

Through the above PBR I am able to go to the internet, access internal servers through HTTPS and connect by RDP to any server, but I am not able to perform HTTP access to internal servers. So I am trying to create more access lists, but as of now I am not able to find any solution, so I need help on this. If anyone has any suggestions, please reply to this.

Thanks in advance,

Karthik

Jon Marshall Wed, 05/12/2010 - 19:22
Karthik


Could you clarify your setup?

You have a device on VLAN 10 which has its own internet connection, i.e. the Fortinet?

You are then trying to send traffic to this Fortinet? If so, applying the route-map to VLAN 10 won't work. You need to apply it to the VLAN that the clients are coming in from.


Perhaps you could explain a bit more.


Jon

karthikeyan gop... Thu, 05/13/2010 - 08:39

Hi Jon,

Thanks for replying. The clients as well as the Fortinet are both in the same network, I mean the same VLAN 10.



Thanks

Karthik

Jon Marshall Thu, 05/13/2010 - 08:48

Karthik


Then you can't use PBR, because the clients will never go to the L3 VLAN 10 interface to get to the Fortinet. You need the clients in a different VLAN, and you need to apply your route-map to the client L3 VLAN interface.


Jon

karthikeyan gop... Fri, 05/14/2010 - 08:55

Hi, I resolved the issue by adding a deny ACL:

access-list 101 deny ip host 172.16.X.X

access-list 101 permit tcp any any eq www
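To make the behaviour in this thread concrete, here is a small Python model of how an IOS route-map with an extended ACL chooses a next hop. This is an added example, not configuration from any of the posters. It encodes the rule that matters here: a route-map clause only policy-routes a flow when its match ACL returns permit; a deny entry (or the implicit deny at the end of the ACL) means the clause is skipped and the packet is forwarded by the normal routing table. The 172.16.0.0/16 range stands in for the 172.16.X.X in the last post, the 10.1.1.10 client and the 203.0.113.10 internet host are constructed, and the deny is written as a destination-based entry (the equivalent of `deny ip any 172.16.0.0 0.0.255.255`), which is the form that keeps traffic to internal servers off the Fortinet.

```python
"""Model of IOS policy-based routing decisions (added example, not from the thread).

  * route-map permit clauses are evaluated in sequence order;
  * a clause applies only when its match ACL returns "permit";
  * a "deny" entry, or the implicit deny at the end of the ACL, means the
    clause does not match and the packet falls back to normal routing.
All addresses below are constructed placeholders except the Fortinet next hop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FORTINET = "172.35.0.2"                  # next hop from the original post
INTERNAL = ip_network("172.16.0.0/16")   # constructed stand-in for 172.16.X.X
ANY = "0.0.0.0/0"                        # IOS 'any'


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, TCP/UDP only


@dataclass(frozen=True)
class Ace:
    """One extended ACL entry: <action> <proto> <src> <dst> [eq <dport>]."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None means no 'eq' qualifier


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(ace.src):
        return False
    if ip_address(flow.dst) not in ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == flow.dport


def acl_result(acl: list[Ace], flow: Flow) -> str:
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def normal_routing(flow: Flow) -> str:
    """Routing table as described in the post: internal prefixes are
    reachable, but there is no default gateway for anything else."""
    if ip_address(flow.dst) in INTERNAL:
        return "routing-table:internal"
    return "routing-table:no-route"


def policy_route(route_map: list[tuple[int, list[Ace], str]], flow: Flow) -> str:
    """Return the next hop chosen for a flow entering an interface that
    carries 'ip policy route-map'. Each clause is (seq, match-acl, next-hop)."""
    for _seq, acl, next_hop in route_map:
        if acl_result(acl, flow) == "permit":
            return next_hop
    return normal_routing(flow)


# "access-list 101 permit tcp any any eq www" with "route-map fortinet permit 20"
ACL_ORIGINAL = [Ace("permit", "tcp", ANY, ANY, 80)]
# the fix from the last post, written as a destination-based deny placed first
ACL_FIXED = [
    Ace("deny", "ip", ANY, str(INTERNAL)),
    Ace("permit", "tcp", ANY, ANY, 80),
]
RM_ORIGINAL = [(20, ACL_ORIGINAL, FORTINET)]
RM_FIXED = [(20, ACL_FIXED, FORTINET)]

# constructed sample flows from a client in a separate VLAN (as Jon advises)
HTTP_INTERNAL = Flow("10.1.1.10", "172.16.10.5", "tcp", 80)
HTTPS_INTERNAL = Flow("10.1.1.10", "172.16.10.5", "tcp", 443)
HTTP_INTERNET = Flow("10.1.1.10", "203.0.113.10", "tcp", 80)

if __name__ == "__main__":
    for name, rm in (("original", RM_ORIGINAL), ("fixed", RM_FIXED)):
        for flow in (HTTP_INTERNAL, HTTPS_INTERNAL, HTTP_INTERNET):
            print(f"{name:8} {flow.dst:>14}:{flow.dport:<3} -> {policy_route(rm, flow)}")
```

Running it reproduces the symptom from the first post: with the original ACL, HTTP to an internal server is sent to 172.35.0.2 while HTTPS to the same server is routed normally, because only port 80 matches the permit entry. With the deny entry in front, HTTP to internal hosts falls back to the routing table and only internet-bound HTTP goes to the Fortinet. The model assumes the route-map is applied on the client VLAN's SVI; as Jon points out, hosts in the same VLAN as the Fortinet never traverse that interface, so none of their traffic is policy-routed at all.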
