08-04-2013 06:39 AM - edited 03-07-2019 02:44 PM
Hello. I have a Catalyst 3550-12T Switch, and I need some help regarding some configuration issues.
So I have a network with multiple VLANs.
Actual configuration is like this:
2950 ---------> 3550 ------------------> Linux Server -------------------> ISP
Right now I use the 3550 as a layer 2 switch, since all my VLAN gateways are on the Linux server.
So in short, my problem is:
I want to use the 3550 as a layer 3 switch, but in order to do that I need to make an ACL to do the following things:
I want to restrict (or redirect) access to the internet for a network IP address (or more), straight from the 3550, and direct it to an HTML page (that will tell the client that he hasn't paid the bill).
So I need some help from you guys. I'm a noob regarding ACLs.... Examples would be appreciated.
Thank you.
08-04-2013 03:43 PM
With an ACL you can restrict traffic but cannot display a web page from the 3550; you can display an external web page from your proxy.
A proxy can do this work great: if someone's bandwidth is consumed, a web page can be displayed.
*** Do Rate Helpful Posts***
Jawad
08-05-2013 08:25 AM
With an ACL you can restrict traffic but cannot display a web page from the 3550; you can display an external web page from your proxy.
From what I heard I do not need a proxy server.
I do not want to display the webpage from the 3550, I want TO REDIRECT, let's say, 10 IPs from a VLAN to that webpage that exists, let's say, on 10.10.15.11.
ACL examples needed.... Please...
Thank you!
08-05-2013 10:11 AM
As Jawad stated, it cannot be done the way that you're wanting to do this. ACLs are used to restrict traffic, match on traffic, etc. They're not smart enough to redirect. What you can do is one of two things:
You can use route-maps or WCCP.
WCCP will allow you to redirect everything to a caching server (possibly Squid on Linux supports this). WCCP may do what you want, but I'm not sure. Route-maps on the other hand, in your example for non-payment, will redirect everything that matches your policy. There is nothing built into Cisco IOS that I'm aware of that's smart enough to redirect based on non-payment.
That being said, you could manually intervene and add a host when you need to redirect someone. Create a route map like this:
! standard ACL 10: the hosts to be policy-routed (a standard ACL takes "host", not "ip host")
access-list 10 permit host 192.168.1.10
access-list 10 permit host 192.168.1.20
! route-map: traffic matching ACL 10 gets a different next hop
route-map NonPayment permit 10
match ip address 10
set ip next-hop
! apply the policy on the SVI where those hosts enter
int vlan
ip policy route-map NonPayment
I've not tested the above for your purposes, but this is the generic way to redirect traffic using an acl. You can't do it with just a simple acl...
HTH,
John
*** Please rate all useful posts ***
08-05-2013 11:00 AM
Your idea is good, but:
%L3TCAM-3-SIZE_CONFLICT: PBR requires enabling extended routing.....
08-05-2013 11:22 AM
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml
Sent from Cisco Technical Support iPhone App
08-05-2013 12:04 PM
Need to restart the router... But I will do it in 2 hours...
Let me show you what I did:
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq domain
access-list 110 permit ip host 10.10.15.23 any
route-map Restricted permit 10
match ip address 110
set ip next-hop 10.10.15.3
!
So is it good?
Basically: the ACL must redirect the IP to another server that will display a webpage.
08-05-2013 12:50 PM
From your configuration, here's what is going to happen:
Anything going out destined for port 80, any udp traffic destined for port 53, and the host addressed at 10.10.15.23 is going to be redirected to 10.10.15.3. Is that what you want? If so, the configuration looks fine. You'll need to apply it on the vlan that these hosts are coming in on....
HTH,
John
*** Please rate all useful posts ***
08-05-2013 02:00 PM
OK. Reloaded the router. I do not have the error anymore. You are right about the policy, it's exactly what I want, but the sad part is that it's not working.....
08-05-2013 02:09 PM
Where is it applied?
HTH,
John
*** Please rate all useful posts ***
08-06-2013 02:02 AM
The policy is applied on
Interface vlan 208
What am I doing wrong?
Thank you!
Sent from Cisco Technical Support iPhone App
08-06-2013 04:50 AM
Can you post the config of that interface?
HTH,
John
*** Please rate all useful posts ***
08-06-2013 07:48 AM
I don't see how this is going to work - all you are doing is redirecting specific traffic and changing the next hop - you are not altering the ultimate destination of the packet, just where it goes next.
08-06-2013 09:45 AM
interface Vlan208
ip address 10.0.8.1 255.255.255.0 secondary
ip address 10.10.15.33 255.255.255.224
ip access-group 115 in
ip access-group 115 out
ip helper-address 10.10.15.1
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
ip policy route-map Restrict
no ip mroute-cache
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq domain
access-list 110 permit ip host 10.10.15.23 any
route-map Restricted permit 10
match ip address 110
set ip next-hop 10.10.15.3
!
This is the config.....
I don't see how this is going to work - all you are doing is redirecting specific traffic and changing the next hop - you are not altering the ultimate destination of the packet, just where it goes next.
So what do you suggest? Can you give me some advice?
08-06-2013 09:58 AM
The policy that you applied is Restrict, but your policy is named Restricted....
HTH,
John
*** Please rate all useful posts ***
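The name mismatch John spotted (the SVI applies `Restrict`, the route-map is `Restricted`) is the kind of dangling reference a small config lint catches before anyone reloads a switch. The script below is an added example, not code from the thread: it parses a constructed copy of the posted interface, ACL and route-map lines and reports route-maps referenced under `ip policy route-map` that are never defined, plus (going slightly beyond the thread) a route-map whose `match ip address` ACL does not exist or that has no `set ip next-hop`.

```python
"""Lint a PBR config for dangling references (constructed example, not from the thread)."""

# Constructed copy of the relevant lines posted above: SVI, ACL 110 and the route-map.
CONFIG = """\
interface Vlan208
 ip address 10.10.15.33 255.255.255.224
 ip policy route-map Restrict
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq domain
access-list 110 permit ip host 10.10.15.23 any
route-map Restricted permit 10
 match ip address 110
 set ip next-hop 10.10.15.3
"""


def parse(cfg):
    """Collect defined route-maps, ACL numbers and per-interface policy references."""
    route_maps, acls, policies = {}, set(), {}
    current = None  # ("if", name) or ("rm", name) for the block being read
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = ("if", s.split()[1])
        elif s.startswith("route-map "):
            current = ("rm", s.split()[1])
            route_maps.setdefault(current[1], {})
        elif s.startswith("access-list "):
            acls.add(s.split()[1])
        elif current and current[0] == "if" and s.startswith("ip policy route-map "):
            policies[current[1]] = s.split()[-1]
        elif current and current[0] == "rm" and s.startswith("match ip address "):
            route_maps[current[1]]["acl"] = s.split()[-1]
        elif current and current[0] == "rm" and s.startswith("set ip next-hop "):
            route_maps[current[1]]["next_hop"] = s.split()[-1]
    return route_maps, acls, policies


def lint(cfg):
    """Return a list of problems; an empty list means every reference resolves."""
    route_maps, acls, policies = parse(cfg)
    problems = []
    for intf, rm in policies.items():
        if rm not in route_maps:
            problems.append(f"{intf}: policy route-map {rm!r} is not defined "
                            f"(defined: {sorted(route_maps)})")
    for name, body in route_maps.items():
        if body.get("acl") not in acls:
            problems.append(f"route-map {name}: match ACL {body.get('acl')} is not defined")
        if "next_hop" not in body:
            problems.append(f"route-map {name}: no set ip next-hop")
    return problems
```

Running `lint(CONFIG)` on the posted lines reports the undefined `Restrict` reference; after correcting the SVI to `ip policy route-map Restricted` it returns an empty list.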