PBR on Cisco 3750 Switches

Anvar Mohammed
Level 1

hi,

I have one Cisco 3750, which I am using as a Core Switch, where 6 more access switches are connected directly, and we are using VLANs in our network with the IP range of 172.16.0.0. Now we have a new Internet connection which is dedicated to the Exchange Server only.

So we have TWO internet connection One for internet access to all users and another one for only Exchange Server.

The internet connection for the users is terminated at a Cisco 1700 Series Router, and the Internet for the Exchange Server is terminated at a Cisco ASA Firewall.

Now the problem is how I can write an access list which says that all packets from the Exchange server should be routed to the ASA Firewall, and all other packets should be routed to the Cisco Router.

The IP addresses of the Exchange server are 172.16.2.1 and 172.16.2.2.

Please help me to define an access list which I can use for policy based routing.

thanks,

Anvar

13 Replies

lgijssel
Level 9

Perhaps the easiest way is to change the default gateway on the Exchange box.

Together with a few static routes for the internal network, this could work quite nicely.

It will depend on your topology of course but please note that you need advipservices image to do PBR on the 3750 when you are running 12.2 IOS.

regards,

Leo

But I second Leo's suggestion.

Point to the ASA as the Exchange Server's default gateway and add static routes on the firewall. It will make the auditors smile as well.

Hi Daniel,

I am aware this may not be the best solution from a security perspective.

Point is that OP may not be able to use PBR because of software restrictions.

I may be wrong about this, in which case he already got plenty of help regarding ACL configuration.

The sneaky thing with the 3750-ipbase is that it lets you configure PBR as you would expect it to but then subsequently it doesn't work. Thought it better to make him aware of this in advance.

regards,

Leo

Sir,

please find below my current image:

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)

Thanks Leo,

presently this PBR is used only for the Exchange servers, but in future it will be for the whole servers' subnet, I mean 172.16.2.0/24.

Anvar

Create an extended ACL permitting the IP address of the Exchange server, then apply it to a route-map.

ip access-list extended PBR_TEST

permit ip host 10.64.68.35 any         <----- what ever IP your exchange server is.  

route-map TEST permit 10

match ip address PBR_TEST

set interface Serial0/0                              <---- the interface you want it to go out of.

HTH

Geert Reijnders
Level 1

You could use route-maps.

I think it should look a bit like this:

The 1st step is to create an access list which has your Exchange server as source (a numbered standard ACL is written with access-list, not ip access-list; the host addresses are the ones given earlier in the thread):

access-list 1 permit host 172.16.2.1

access-list 1 permit host 172.16.2.2

Step 2 is to create a policy which routes the traffic to your ASA (the next-hop address was missing in the original post; <asa-inside-ip> is a placeholder for the ASA's address):

route-map exchange-internet permit 10

match ip address 1

set ip next-hop <asa-inside-ip>

route-map exchange-internet permit 20

The final step is to apply the route-map to the correct interface. This should be the L3 interface to which your Exchange server is connected (the server VLAN SVI, Vlan2, according to the thread):

interface Vlan2

ip policy route-map exchange-internet

Hi all,

if I implemented this policy map at my VLAN-2 interface, then I would lose my connection with all other devices at my local network. I mean, if I use the access-list

  access-list 110 permit ip host 172.16.2.1 any

and applied this to my policy, and let's say the next hop is my ASA, then the Core Switch will not look into the routing table; rather it will forward all the packets from 172.16.2.1 to my policy next hop, which is the ASA.

It needs an access-list like: any destination (except 172.16.0.0).

thanks,

Anvar

I have local users within the network as 172.16.3.0 (LAN users), 172.16.5.0 (WLAN users) and so on.

Anvar

You can narrow down the ACL (the destination address was missing in the original post; <dest-ip> is a placeholder for it):

access-list 110 permit tcp host 172.16.2.1 host <dest-ip> eq smtp

Hi Daniel,

my ultimate target is to route all packets from my Exchange Server to the ASA, not only SMTP traffic.

thanks,

Anvar

Hi Anvar,

Can this satisfy your requirement?

access-list 110 permit tcp host 172.16.2.1 any

This will match the traffic with source 172.16.2.1. In fact you can use a standard access list, since you are looking only at the source IP.

Then apply this access list to the route-map statement defining the next hop as ASA.

-Vijay

Hi Vijay,

Theoretically all you guys are correct, but if I applied any of the above access lists within a route map and applied this route map at my VLAN-2 interface (Server VLAN), my Exchange server would not be able to communicate with any other devices at my local network or LAN, because once the match criteria is applied at an interface, any packets matching the access-list will be forwarded directly to the next hop IP address (without looking at the routing table). Even I would not be able to ping from my Exchange Server to its default gateway (which is the VLAN-2 IP address, 172.16.2.254).

I am using the image below:

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
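One way to meet the "any destination except 172.16.0.0" requirement raised in the posts above, as an added example that is not configuration from any reply in this thread: deny entries for the internal range ahead of the permit, so server-to-LAN traffic (including pings to the SVI) falls back to the routing table. It assumes the internal range is 172.16.0.0/16 and uses <ASA-INSIDE-IP> as a placeholder for the ASA's inside address, which the thread never states.

```cisco
! Added example, not configuration from any post in this thread.
! Assumptions: the whole internal range is 172.16.0.0/16, the Exchange
! servers are 172.16.2.1 and 172.16.2.2 (from the thread), and
! <ASA-INSIDE-IP> stands for the ASA inside address, which is never given.
!
! Key point: a deny entry in a PBR ACL does not drop traffic. It means
! "not policy-routed", so the packet falls back to the normal routing table.
! That keeps server-to-LAN traffic (including pings to the SVI) intact.
ip access-list extended EXCHANGE-TO-ASA
 remark internal destinations stay on normal routing
 deny   ip host 172.16.2.1 172.16.0.0 0.0.255.255
 deny   ip host 172.16.2.2 172.16.0.0 0.0.255.255
 remark everything else from the Exchange servers goes to the ASA
 permit ip host 172.16.2.1 any
 permit ip host 172.16.2.2 any
!
route-map EXCHANGE-INTERNET permit 10
 match ip address EXCHANGE-TO-ASA
 set ip next-hop <ASA-INSIDE-IP>
!
! Apply on the server VLAN SVI (172.16.2.254 is the gateway named in the thread).
interface Vlan2
 ip address 172.16.2.254 255.255.255.0
 ip policy route-map EXCHANGE-INTERNET
!
! Platform notes for the Catalyst 3750:
! - PBR needs the "routing" SDM template (sdm prefer routing, then reload).
! - The next hop must be directly reachable; "set interface" and
!   "set ip default next-hop" are not supported for PBR on this platform.
! To extend the policy to the whole server subnet later, replace the
! "host 172.16.2.x" sources with "172.16.2.0 0.0.0.255".
!
! Verify that matches are being counted:
! show route-map EXCHANGE-INTERNET
```

Because the deny entries match before the permit, a packet from 172.16.2.1 to 172.16.3.10 is routed normally, while a packet from 172.16.2.1 to a public address is policy-routed to the ASA.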
