policy based routing in 6509

Hello all,

Let me describe the scenario first.

1. A 6509 is the core switch for our organisation.

2. There are several VLANs created, and the internet traffic for the VLANs goes to the internet via a proxy server. The proxy server has the connection to the internet.

3. So we don't have a default gateway in the core switch.

4. We connected a new device, a Fortinet, for testing, which has its own internet connection.

5. We created a new VLAN for testing and tried to forward only the internet traffic to the device through PBR, and I was successful, but HTTP access to internal servers was not working. Below is the access list and PBR I created:


interface Vlan10
description fortinet
ip address 172.35.0.1 255.255.0.0
ip policy route-map fortinet
end

access-list 101 permit tcp any any eq www

route-map fortinet permit 20
match ip address 101
set ip next-hop 172.35.0.2

the internal ip address for the fortinet device is 172.35.0.2

Through the above PBR I am able to go to the internet, access internal servers through HTTPS, and connect via RDP to any server, but I am not able to perform HTTP access to internal servers. So I am trying to create more access lists, but as of now I am not able to find any solution, so I need help on this. If anyone has any suggestions, please reply.

Thanks in advance,

Karthik


Re: policy based routing in 6509

karthikgopi wrote:



interface Vlan10
description fortinet
ip address 172.35.0.1 255.255.0.0
ip policy route-map fortinet
end

access-list 101 permit tcp any any eq www

route-map fortinet permit 20
match ip address 101
set ip next-hop 172.35.0.2

the internal ip address for the fortinet device is 172.35.0.2

Through the above PBR I am able to go to the internet, access internal servers through HTTPS, and connect via RDP to any server, but I am not able to perform HTTP access to internal servers. So I am trying to create more access lists, but as of now I am not able to find any solution, so I need help on this. If anyone has any suggestions, please reply.

Thanks in advance,

Karthik

Karthik

Could you clarify your setup?

You have a device on VLAN 10 which has its own internet connection, i.e. the Fortinet?

You are then trying to send traffic to this Fortinet? If so, applying the route-map to VLAN 10 won't work. You need to apply it to the VLAN that the clients are coming in from.

Perhaps you could explain a bit more.

Jon

Re: policy based routing in 6509

Hi Jon,

Thanks for replying. The clients as well as the Fortinet are both in the same network, I mean the same VLAN 10.

Thanks

Karthik


Re: policy based routing in 6509

Karthik

Then you can't use PBR, because the clients will never go to the L3 VLAN 10 interface to get to the Fortinet. You need the clients in a different VLAN, and you need to apply your route-map to the client L3 VLAN interface.

Jon

Re: policy based routing in 6509

Hi, I resolved the issue by adding a deny ACL:

access-list 101 deny ip host 172.16.X.X

access-list 101 permit tcp any any eq www
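The two points in this thread, that a route-map's ACL is evaluated first-match so the deny for internal servers has to come before the permit for port 80, and that PBR only acts on traffic entering the interface the policy is applied to, are modelled below as a small Python simulation of IOS policy-based routing. This is an added example, not code from the thread or from Cisco: the Fortinet next-hop 172.35.0.2 and the 172.35.0.0/16 client subnet come from the posted configuration, while the internal server 172.16.10.20 (standing in for the redacted 172.16.X.X), the client 172.35.0.50, the internet host 203.0.113.5 and the interface name Vlan20 are constructed placeholders.

```python
"""Model of how IOS policy-based routing (PBR) evaluates a route-map ACL.

Constructed example: it reproduces the thread's symptom (HTTP to internal
servers being sent to the Fortinet) and the effect of the 'deny' entry that
fixed it. Addresses other than 172.35.0.0/16 and 172.35.0.2 are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"
FORTINET = "172.35.0.2"           # 'set ip next-hop' from the thread's route-map
ROUTING_TABLE = "routing-table"   # normal (non-policy) forwarding


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port


def ace(action: str, proto: str, src: str, dst: str,
        dport: Optional[int] = None) -> AclEntry:
    """Build one access-list entry from prefix strings ('any' == 0.0.0.0/0)."""
    return AclEntry(action, proto,
                    ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def acl_lookup(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation like an IOS extended ACL; implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# interface name -> (route-map ACL, next-hop). An interface with no entry has
# no 'ip policy route-map' applied, so everything it receives is routed normally.
Policies = Dict[str, Tuple[List[AclEntry], str]]


def forward(policies: Policies, ingress_if: str, pkt: Packet) -> str:
    """PBR is evaluated on the interface the packet arrives on.

    A 'match ip address' clause applies its 'set ip next-hop' only when the
    ACL returns permit. A deny entry (or no match) does not drop the packet;
    it falls through to the ordinary routing table.
    """
    if ingress_if not in policies:
        return ROUTING_TABLE
    acl, next_hop = policies[ingress_if]
    return next_hop if acl_lookup(acl, pkt) == "permit" else ROUTING_TABLE


# access-list 101 as first posted: every HTTP flow, internal or not, is permitted
ORIGINAL_ACL = [ace("permit", "tcp", ANY, ANY, 80)]

# access-list 101 after the fix: deny traffic to the internal server first,
# then permit the remaining HTTP. 172.16.10.20/32 is a constructed stand-in
# for the thread's redacted 172.16.X.X host.
INTERNAL_SERVER = "172.16.10.20/32"
FIXED_ACL = [
    ace("deny", "ip", ANY, INTERNAL_SERVER),
    ace("permit", "tcp", ANY, ANY, 80),
]

if __name__ == "__main__":
    client = "172.35.0.50"                                    # host on Vlan10
    web_internal = Packet(client, "172.16.10.20", "tcp", 80)
    web_internet = Packet(client, "203.0.113.5", "tcp", 80)   # placeholder internet host
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        policy = {"Vlan10": (acl, FORTINET)}
        print(label, "internal http ->", forward(policy, "Vlan10", web_internal))
        print(label, "internet http ->", forward(policy, "Vlan10", web_internet))
```

With ORIGINAL_ACL, HTTP to the internal server is policy-routed to the Fortinet while HTTPS and RDP to the same server are routed normally, which is exactly the symptom reported; with FIXED_ACL the internal HTTP falls through to the routing table and only the remaining HTTP goes to the Fortinet. Two things worth keeping in mind when reviewing such a policy: a deny in a PBR ACL never blocks anything, it only exempts traffic from the redirect, and a deny for a single host only protects that host, so a deny covering the whole internal prefix keeps HTTP to servers added later from quietly leaving through the external path as well.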
