Solved: Re: policy routing on 3750

ericgarnel · ‎07-24-2006

I seem to be missing something here:

Here is the setup:

3750G-24-TS 12.2(25)SEA

I want to route ports 80,443 out 1 gateway and all other traffic out another gateway. Currently, all traffic goes out the 2nd gateway including ports 80,443. What am I missing?

Thanks

interface GigabitEthernet1/0/9

no switchport

ip address 192.168.20.6 255.255.255.0

!

interface GigabitEthernet1/0/10

no switchport

ip address 192.168.48.1 255.255.255.0

ip policy route-map WEB-TRaffic

access-list 100 permit tcp any eq 443 any

access-list 100 permit tcp any eq www any

access-list 100 permit tcp any any eq www

access-list 100 permit tcp any any eq 443

access-list 101 permit ip any any

route-map WEB-Traffic permit 10

match ip address 100

set ip next-hop 192.168.20.4

!

route-map WEB-Traffic permit 20

match ip address 101

set ip next-hop 192.168.20.10

ip route 0.0.0.0 0.0.0.0 192.168.20.10

sh sdm prefer

The current template is "desktop routing" template.

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1024 VLANs.

(switch has been reloaded since)

sh ip route

<snip>

Gateway of last resort is 192.168.20.10 to network 0.0.0.0

172.20.0.0/24 is subnetted, 1 subnets

C 172.30.12.0 is directly connected, Vlan17

C 192.168.20.0/24 is directly connected, GigabitEthernet1/0/9

C 192.168.48.0/24 is directly connected, GigabitEthernet1/0/10

S* 0.0.0.0/0 [1/0] via 192.168.20.10

sh route-map

route-map WEB-Traffic, permit, sequence 10

Match clauses:

ip address (access-lists): 100

Set clauses:

ip next-hop 192.168.20.4

Policy routing matches: 0 packets, 0 bytes

route-map WEB-Traffic, permit, sequence 20

Match clauses:

ip address (access-lists): 101

Set clauses:

ip next-hop 192.168.20.10

Policy routing matches: 0 packets, 0 bytes

sh access-lists

Extended IP access list 100

10 permit tcp any eq 443 any

20 permit tcp any eq www any

30 permit tcp any any eq www

40 permit tcp any any eq 443

Extended IP access list 101

10 permit ip any any

Richard Burts · ‎07-24-2006

Eric

I see that typo now that I look carefully - too bad we did not notice it before. While Cisco IOS is not case sensitive about most commands there are a few things, including passwords, names of access lists, and names of route maps where it is case sensitive. I have been bit by that before and now so have you. This is how we learn many of our best lessons.

Congratulations on finding your problem.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎07-24-2006

Eric

You have provided information about the platform and the version information but have not indicated which feature set of the code you are running. I have looked at the Cisco Feature Navigator on the Cisco web site and it looks like Policy Based Routing is not supported in the SMI image but is supported in the EMI image. So which image are you running?

As a side note the configuration looks ok. There is one optimization that I might suggest. You do not need access list 101 and the second instance of the route map can be written this way:

route-map WEB-Traffic permit 20

set ip next-hop 192.168.20.10

a route map instance with no match clause will match everything and the set will be performed.

HTH

Rick

HTH

Rick

ericgarnel · ‎07-24-2006

I believe it is the standard ip-services

System image file is "flash:c3750-i5-mz.122-25.SEA/c3750-i5-mz.122-25.SEA.bin.

Richard Burts · ‎07-24-2006

Eric

That image name should be the EMI image and the Feature Navigator says that Policy Based Routing should be supported in that image.

So we need to look for something else to explain why Policy Based Routing is not working. Can you supply a bit more detail about the topology of the network? Is the ip policy route-map configured on the interface where the traffic is entering the 3750?

HTH

Rick

HTH

Rick

ericgarnel · ‎07-24-2006

client PC (192.168.48.25) --> gateway 192.168.48.1 {3750 switch}

3750 switch: gig 1/0/10 192.168.48.1 -- gig 1/0/9 192.168.20.6 route 0.0.0.0 0.0.0.0 192.168.20.10[pix]

pix: dmz3_20 192.168.20.10

global (outside) 20 198.204.205.20

nat (dmz3_20) 20 0.0.0.0 0.0.0.0

So the client traffic enters thru gig 1/0/10 (192.168.48.1) which has the policy-map applied

interface GigabitEthernet1/0/10

no switchport

ip address 192.168.48.1 255.255.255.0

ip policy route-map WEB-TRaffic

ericgarnel · ‎07-24-2006

Ok. I fixed a typo. the policy had WEB-TRaffic instead

of WEB-Traffic, although I was not aware that IOS was case sensitive in some areas - good to know! I am about halfway there.

Web traffic is now being directed towards 192.168.20.4

and all other traffic is being pushed thru the firewall. 192.168.20.4 is a BSD based Web splash page server. Looking at the logs on a vpn device, I see successful incoming connections from the test pc behind

the 3750 with the routing policies with the correct global address from the PIX (192.168.20.10) and not from the other gateway (192.168.20.4) Now, I just have to tweak the splash server

Richard Burts · ‎07-24-2006

Eric

I see that typo now that I look carefully - too bad we did not notice it before. While Cisco IOS is not case sensitive about most commands there are a few things, including passwords, names of access lists, and names of route maps where it is case sensitive. I have been bit by that before and now so have you. This is how we learn many of our best lessons.

Congratulations on finding your problem.

HTH

Rick

HTH

Rick

ericgarnel · ‎07-24-2006

A quick add for tcp port 8000 for the portal redirect page to access-list 100 and it works like a champ. All

http & https traffic gets pushed thru the splash page server so clients see the acceptible usage policy and all other traffic gets pushed thru a PIX. The reason for all this effort is the simple fact that it is much easier to allow for multiple vpn connections to originate from networks behind a PIX nat than iptables nat.