New Member

Policy Based Routing (Suggestion Needed)

I've two 2800 series routers, one ADSL and one Leased Line. Two 515E Firewalls connected to each one. They are then connected to an L2 switch (2960G) for aggregation to two L3 Core switches (3750). I want all my traffic to use ADSL and all my mail (smtp) traffic to use LL. Do i need policy based routing here or just specifying the default gateway for the mail servers to be the firewall connected to the LL router.

Suggestion will be appreciated.

21 REPLIES
Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

If the mail servers are on a different subnet than the internal interface of the firewall that connects to the LL router then you will need PBR. Where is the L3 interface for the mail servers.

I'm assuming from your explanation that the firewalls are independent of each other, i.e. they are not running as a pair?

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

@jon

Thanks for the prompt reply.

The mail servers are on the same subnet (vlan) as the firewall (inside). The firewalls are independent of each other as both are on different vlans.

Browsing is perfect, had a small glitch with few sites but was restored when I played a little with the mtu size. Now the problem lies with the mail going through the LL. Email is not bounced back but never reaches the other party.

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

Presumably you are NATing the mail servers to the public addresses in use on the LL firewall. You need to make sure these are the DNS MX records.

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

@jon

I tried the following config and all I got was a mail to my gmail account, the rest of them never reached.

My config shows;

static (inside,outside) tcp 83.x.x.195 smtp 192.168.1.206 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 83.x.x.196 https 192.168.1.206 https netmask 255.255.255.255 0 0

and ACL shows;

access-list acl_out permit tcp any host 83.x.x.195 eq smtp

access-list acl_out permit tcp any host 83.x.x.195 eq https

access-list acl_out permit icmp any any

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

What is the DNS record for your mail server, i.e. if I looked up 83.x.x.195 on the Internet, would it resolve to your mail server?

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

@jon

No, you can't resolve it as there is no DNS record for the mail servers. We need it only to send mails, not receive (for the time being). We do have other servers to do the job in different locations.

By the way, the mail which arrived at gmail was through adsl as I traced it to the dynamic ip.

Still not clear what should be done.

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

Are you sure these are independent of each other? If the default gateway of the mail server is the LL firewall and the leased line firewall only connects to the LL router, then how is the mail server getting out via the ADSL link?

Perhaps a diagram would help.

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

@jon

I tried to simplify it as much as I can, but I'm not good at drawing :)

The problem might be at Core SW 1, where inter-VLAN routing takes place. I'm not sure how to apply PBR on the core though.

Blue

Re: Policy Based Routing (Suggestion Needed)

Saj:

Just to reiterate, correct me if I'm wrong.

MBX 1 and 2 are the email servers?

What are their default gateways set to?

What are the IP addresses of BOTH FW inside interfaces?

The switch that both FWs are connected to is an L2 switch, correct?

Victor

New Member

Re: Policy Based Routing (Suggestion Needed)

@lamav

MBX1 & 2 are mail servers but are dependent on CAS/HOB which is 192.168.1.206.

The LL Fw is 192.168.1.254, which is also defined as the gateway for CAS/HOB. The Adsl Fw is 192.168.101.2 (different VLAN) and is the gateway for all other traffic through Core SW1 (192.168.101.1).

The switch which aggregates the firewalls with Core SW1 is an L2 (2960G, LAN Base) switch. Respective VLANs are defined on the switch ports for the LL Fw and Adsl Fw.

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

If the mail servers have their default gateway on SW1 then you will need to use PBR, but you said that the mail servers' default gateway was the LL Fw.

If the mail server default gateway is on SW1 then you have to set up PBR. Do your internal clients need to talk to the mail servers? Let's assume they do and let's say your internal VLANs are

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24

access-list 101 deny ip host <mail-server-1> 192.168.1.0 0.0.0.255

access-list 101 deny ip host <mail-server-2> 192.168.1.0 0.0.0.255

access-list 101 deny ip host <mail-server-1> 192.168.2.0 0.0.0.255

access-list 101 deny ip host <mail-server-2> 192.168.2.0 0.0.0.255

access-list 101 deny ip host <mail-server-1> 192.168.3.0 0.0.0.255

access-list 101 deny ip host <mail-server-2> 192.168.3.0 0.0.0.255

access-list 101 permit ip host <mail-server-1> any

access-list 101 permit ip host <mail-server-2> any

route-map MAIL permit 10

match ip address 101

set ip next-hop <LL-firewall-inside-address>

Then apply it to the mail server VLAN interface, e.g.

int vlan 10

ip policy route-map MAIL

Edit - you may also need to enable the SDM routing template on the 3750 for PBR.

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

Dear Jon

Although I can create a route map, unfortunately I can't apply it to the interface. There is no "ip policy" command available. Does it have something to do with my IOS, as it's the IP Base version?

Blue

Re: Policy Based Routing (Suggestion Needed)

Hey, Jon:

How are you, buddy?

I'd like to ask a question about your route map. I don't want to hijack Saj's thread, though... I just want to understand your solution.

Can you please explain the logic of your route map? What's with the deny statements? I don't think I've ever seen an ACL created for PBR that uses negative logic... what do those deny statements achieve?

Are you trying to say "don't policy route traffic between internal VLANs and the mail servers"? And if so, doesn't the implicit deny at the end of the ACL take care of that? Anything that isn't PBR'd is routed normally...

Thanks

Victor

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

Hi Victor

Doing fine, but busy as I'm leaving my job at the end of May, so some loose ends to tie up.

You are right in what you say about the deny statements. These make sure that traffic from the mail servers to the internal VLANs is not policy routed. The problem with relying on the implicit deny at the end is that it would never get to that rule, as you have a permit ip any in the access-list before that, so without the explicit denies all traffic would be policy routed.

Jon
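To make the first-match point concrete, here is an added example (not from the thread or from Cisco) that simulates how IOS walks ACL 101 for route-map MAIL. The addresses are constructed: the mail server is placed on 192.168.10.206 and the LL firewall inside address is taken as 192.168.1.254 from Saj's description.

```python
import ipaddress

# Constructed topology values (not from the thread's real config).
MAIL_SERVER = ipaddress.ip_address("192.168.10.206")
INTERNAL_VLANS = [ipaddress.ip_network(n) for n in
                  ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
LL_FIREWALL = "192.168.1.254"   # set ip next-hop target (LL Fw inside)
ANY = ipaddress.ip_network("0.0.0.0/0")


def acl_101(with_denies=True):
    """ACL 101 as ordered (action, source host, destination network) entries.

    with_denies=False models the ACL with only 'permit ip host <mail> any',
    i.e. the version Victor asked about."""
    entries = []
    if with_denies:
        entries += [("deny", MAIL_SERVER, net) for net in INTERNAL_VLANS]
    entries.append(("permit", MAIL_SERVER, ANY))
    return entries


def acl_match(acl, src, dst):
    """First-match evaluation, as IOS does it; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_src, acl_dst in acl:
        if src == acl_src and dst in acl_dst:
            return action
    return "deny"


def pbr_next_hop(src, dst, with_denies=True):
    """Next hop chosen by route-map MAIL, or None when the packet is routed
    normally (no ACL permit means the route-map does not apply)."""
    if acl_match(acl_101(with_denies), src, dst) == "permit":
        return LL_FIREWALL
    return None


if __name__ == "__main__":
    for dst in ("203.0.113.25", "192.168.2.50"):
        print(dst, "with denies:", pbr_next_hop(str(MAIL_SERVER), dst),
              "| without:", pbr_next_hop(str(MAIL_SERVER), dst, False))
```

Mail to an Internet host is steered to the LL firewall either way; mail-server traffic to an internal VLAN is only routed normally when the explicit denies are present.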

Blue

Re: Policy Based Routing (Suggestion Needed)

Jon:

OK, I just wanted to make sure that I was on your page and not missing something. :-)

I never ask you questions to challenge you -- only to learn from you.

Good luck at your new job.

Victor

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

Victor

Thanks, no new job as yet, taking some time off.

You can challenge me any time, as I make as many mistakes as the next man and I certainly don't take it personally.

Jon

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

From 3750 Q&A

Q. What features are only supported on the IP Services Image?

A. The following features and functionality are supported with the IP Services Image:

• Dynamic IP routing protocols for load balancing and constructing scalable LANs:

- Open Shortest Path First (OSPF)

- Enhanced IGRP (EIGRP)

- Border Gateway Protocol (BGPv4)

• Equal-cost routing for load balancing and redundancy

• Fallback bridging for forwarding of non-IP traffic between two or more VLANs

• Protocol-Independent Multicast (PIM) for IP multicast routing within a network that enables the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned; support for PIM sparse mode (PIM-SM), PIM dense mode (PIM-DM), and PIM sparse-dense mode

• Distance Vector Multicast Routing Protocol (DVMRP) tunneling for interconnecting two multicast-enabled networks across non-multicast

• Policy-based Routing (PBR) allows superior control by enabling flow redirection regardless of the routing protocol configured

• Private VLAN (PVLAN) provides the ability to restrict communications between hosts at layer 2 through the use of primary and secondary VLANs.

So you need IP Services for PBR, and you would need to enable the routing SDM template.

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

@jon

Thanks a lot; in fact I'm obliged for your prompt replies. I did enable sdm routing (had to reload it) but am not sure if policy based routing can be enabled the way you described it.

Will the 'policy-map' or 'policy-manager' command help?

Hall of Fame Super Blue

Re: Policy Based Routing (Suggestion Needed)

No. If you did

switch(config)# sdm prefer routing

and then reloaded the switch, and the "ip policy route-map ..." command is still not available under the interface, then you need to use the IP Services image.

Jon

New Member

Re: Policy Based Routing (Suggestion Needed)

Thanks again @jon

I'll pursue my managers to get me an upgrade for it. Thanks again and see you soon again! :P
