
Policy based routing

vinoth.kumar
Level 1

Hi,

In our LAN we are using the SurfControl web filter to block certain internet access. It is connected to 192.168.1.20 (the default gateway for internet), and packets going through that gateway are captured and blocked by the server.

Since all service traffic is inspected by SurfControl, I thought of differentiating the traffic by service: port 80 traffic should go via 192.168.1.20 and all other service traffic should go via another gateway.

I tried policy-based routing on a Catalyst 6500 for that, like below:

# access-list 101 permit ip any eq 80 any eq 80

# route-map access permit 10

# match ip address 101

# set ip next-hop 192.168.1.20

All other traffic will go via the default route:

#ip route 0.0.0.0 0.0.0.0 192.168.1.4

Is that right?

Please advise.

Regards,

Vinoth


Tshi M
Level 5

Hi,

Shouldn't your ACL allow TCP rather than IP? I mean:

access-list 101 permit tcp any any eq 80

JamesLuther
Level 3

Hi,

Looks good, apart from the fact that your access-list should be

access-list 101 permit tcp any any eq 80

You will also need to apply the PBR to the ingress interface where the traffic is coming from, like below:

interface Vlan 99

ip policy route-map MY_MAP

Or you can apply it globally, like below:

ip local policy route-map MY_MAP

Regards

Sorry, I have done the same as well, but it is still not working.

My doubt is whether we need to configure a dummy route-map pointing to Null0.

Why is Null0 required?

Hi,

Where have you applied the route-map? Have you applied it to an interface or to the global routing table (with "ip local", shown above)?

Remember, route-maps only apply to traffic coming in on a layer 3 interface.

Make sure the traffic that you are trying to match is coming in on the interface where you have applied the route-map (or apply it to the global routing table).

Thanks

Here is my config on the 6500:

interface Vlan195

ip address 10.195.1.1 255.255.255.0

ip policy route-map accesstoport80

interface Vlan211

ip address 10.195.21.1 255.255.255.0

ip policy route-map accesstoport80

access-list 101 permit tcp any any eq 80

route-map accesstoport80 permit 10

match ip address 111

set ip next-hop 10.195.1.20

ip route 0.0.0.0 0.0.0.0 10.195.1.4

Please tell me where I went wrong.

Vinoth

The obvious issue is the mismatch where you show us access list 101 but the route map is matching access list 111. Does access list 111 exist?

HTH

Rick

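The three problems raised in this thread (a port operator on a `permit ip` entry, a route-map that references an access-list number that was never defined, and a route-map that is defined but never applied with `ip policy` on the ingress interface) are all visible in the static config and can be caught before anyone pushes it to the switch. The following checker is an added example and is not part of the thread or of Cisco's tooling. It assumes IOS-style config text with sub-mode lines indented by one space, as `show running-config` prints them (the config posted above was pasted without indentation); the two sample configs are constructed from the one Vinoth posted, one with the 101/111 mismatch left in and one with the number corrected.

```python
import re

# Constructed sample input: the 6500 config posted in the thread, with the
# ACL-number mismatch (ACL 101 defined, route-map matches 111) left in place.
POSTED_CONFIG = """\
interface Vlan195
 ip address 10.195.1.1 255.255.255.0
 ip policy route-map accesstoport80
!
interface Vlan211
 ip address 10.195.21.1 255.255.255.0
 ip policy route-map accesstoport80
!
access-list 101 permit tcp any any eq 80
!
route-map accesstoport80 permit 10
 match ip address 111
 set ip next-hop 10.195.1.20
!
ip route 0.0.0.0 0.0.0.0 10.195.1.4
"""

# The same config with the fix from the thread applied: the route-map
# matches the ACL number that is actually defined.
FIXED_CONFIG = POSTED_CONFIG.replace("match ip address 111", "match ip address 101")


def parse_ios(config: str):
    """Pull ACLs, route-maps and interface PBR bindings out of IOS config text."""
    acls = {}        # ACL number -> list of entry strings
    route_maps = {}  # name -> {"acls": [...], "next_hops": [...]}
    interfaces = {}  # interface name -> route-map applied with "ip policy", or None
    mode = None      # ("route-map", name), ("interface", name) or None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level line: leave any sub-mode
            mode = None
            if (m := re.match(r"access-list (\d+) (.+)$", line)):
                acls.setdefault(m.group(1), []).append(m.group(2))
            elif (m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line)):
                mode = ("route-map", m.group(1))
                route_maps.setdefault(m.group(1), {"acls": [], "next_hops": []})
            elif (m := re.match(r"interface (\S+)$", line)):
                mode = ("interface", m.group(1))
                interfaces.setdefault(m.group(1), None)
            continue
        if mode and mode[0] == "route-map":
            rm = route_maps[mode[1]]
            if (m := re.match(r"match ip address (\S+)$", line)):
                rm["acls"].append(m.group(1))
            elif (m := re.match(r"set ip next-hop (\S+)$", line)):
                rm["next_hops"].append(m.group(1))
        elif mode and mode[0] == "interface":
            if (m := re.match(r"ip policy route-map (\S+)$", line)):
                interfaces[mode[1]] = m.group(1)
    return acls, route_maps, interfaces


def check_pbr(config: str):
    """Return a list of findings; an empty list means the PBR wiring is consistent."""
    acls, route_maps, interfaces = parse_ios(config)
    findings = []
    applied = {rm for rm in interfaces.values() if rm}
    for ifname, rm in interfaces.items():
        if rm and rm not in route_maps:
            findings.append(f"{ifname}: ip policy references undefined route-map {rm}")
    for name, rm in route_maps.items():
        if name not in applied:
            findings.append(f"route-map {name} is not applied with 'ip policy' on any interface")
        if not rm["next_hops"]:
            findings.append(f"route-map {name} sets no next-hop, so it cannot steer traffic")
        for acl in rm["acls"]:
            if acl not in acls:
                findings.append(f"route-map {name} matches undefined access-list {acl}")
                continue
            for entry in acls[acl]:
                # Port operators only make sense for tcp/udp; "permit ip any eq 80 ..."
                # is not accepted by IOS and could never match a port.
                if re.match(r"(permit|deny) ip\b", entry) and re.search(r"\b(eq|gt|lt|range)\b", entry):
                    findings.append(
                        f"access-list {acl} entry '{entry}' uses a port operator with protocol ip; use tcp or udp"
                    )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_pbr(cfg) or "OK")
```

Run it against a saved `show running-config` to get the same three classes of finding; the checker is deliberately conservative and does not try to validate that the next-hop is reachable or that the matched traffic actually enters the interface carrying `ip policy`, which still has to be confirmed on the box (for example with `debug ip policy` on a test flow).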