I am implementing PBR on an ISR 1921 router. I have created a route-map to match FTP, VPN, HTTPS and HTTP traffic and route this traffic out a particular interface, and another route-map to match SMTP traffic and route it via another interface. I am testing the route-map by generating, for example, FTP traffic and checking that packets are marked as matched when I run #show route-map and #show access-list. For VPN, FTP and SMTP, the show commands make sense and show that all is working as expected.
What is strange is that I am NOT generating any HTTP or HTTPS traffic, but I am still getting the route-map and access-list counters continuously incrementing. I even installed Wireshark on the 3 laptops I am using for testing, and no HTTP/HTTPS traffic is being seen. Any ideas what this could be? Is the router generating some traffic itself? (I did read that router-generated traffic is NOT matched by the route-map unless specified, and I have turned off Cisco Configuration Professional in case it is using HTTP/HTTPS.)
Here is the related config:
 description $ETH-LAN$   (this is the interface which is seeing the traffic)
 ip address 192.168.11.1 255.255.255.0
 ip policy route-map route_traffic_to_outside

ip access-list extended ISP1
 permit tcp object-group Internal_Network any eq smtp
ip access-list extended ISP2
 permit object-group FTP object-group Internal_Network any
 permit object-group VPN object-group Internal_Network any
 permit tcp object-group Internal_Network any eq www

route-map route_traffic_to_outside permit 1
 match ip address ISP1
 set interface FastEthernet0/0/0
route-map route_traffic_to_outside permit 2
 match ip address ISP2
 set interface FastEthernet0/0/1
Any clues would be appreciated as I cannot understand what is happening.
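An added example, not from the original post, that models how the posted route-map classifies a flow: sequences are evaluated in order, first match wins, and an ACE matches only on the fields it names, so `eq www` catches any TCP flow from Internal_Network to destination port 80 regardless of which application sent it. The contents of Internal_Network, FTP and VPN are assumptions (the post does not show them), and note that the posted ISP2 has no entry for port 443.

```python
# Added example: first-match model of the posted PBR route-map.
# Object-group contents are ASSUMED; the post does not show them.
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("192.168.11.0/24")]          # assumed: Internal_Network
SERVICE_GROUPS = {                                  # assumed service groups
    "FTP": {("tcp", 21)},
    "VPN": {("udp", 500), ("udp", 4500)},
}
# Each ACE is (protocol, destination port); mirrors the ACLs in the post.
ACLS = {
    "ISP1": [("tcp", 25)],                                        # eq smtp
    "ISP2": [*SERVICE_GROUPS["FTP"], *SERVICE_GROUPS["VPN"], ("tcp", 80)],
}
# route-map route_traffic_to_outside, sequences 1 and 2
ROUTE_MAP = [("ISP1", "FastEthernet0/0/0"), ("ISP2", "FastEthernet0/0/1")]


def ace_matches(ace, flow):
    """An ACE matches when protocol, destination port and source network agree."""
    proto, dport = ace
    src_internal = any(ip_address(flow["src"]) in net for net in INTERNAL)
    return proto == flow["proto"] and dport == flow["dport"] and src_internal


def policy_route(flow, local_policy=False):
    """Return (route-map sequence, egress interface), or None for normal routing."""
    # Router-generated packets are not policy routed unless 'ip local policy'
    # is configured; the interface policy only sees transit traffic.
    if flow.get("router_generated") and not local_policy:
        return None
    for seq, (acl, iface) in enumerate(ROUTE_MAP, start=1):
        if any(ace_matches(ace, flow) for ace in ACLS[acl]):
            return seq, iface
    return None


if __name__ == "__main__":
    # Constructed sample flows from a host on the LAN side.
    for name, flow in {
        "smtp":  {"proto": "tcp", "src": "192.168.11.20", "dport": 25},
        "http":  {"proto": "tcp", "src": "192.168.11.20", "dport": 80},
        "https": {"proto": "tcp", "src": "192.168.11.20", "dport": 443},
        "ike":   {"proto": "udp", "src": "192.168.11.20", "dport": 500},
    }.items():
        print(f"{name:6s} -> {policy_route(flow)}")
```

Any TCP flow to port 80 from the internal network, whether or not a browser produced it, increments the last ISP2 counter, so correlating the counter with a capture filtered on tcp.dstport == 80 on the LAN segment is the way to attribute it.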