
same vlan PBR to redirect pop3+smtp traffic to another ip

hi

Our network consists of two routers: the first is a Cisco 6506-E, the second is a Cyberoam 750 UTM.

c6506 = 132.1.99.1

cyberoam = 132.1.1.214

All clients are connected as seen in the pic below, and all clients have 132.1.99.1 as the default gateway.

I want to forward pop3+smtp traffic from the clients to the Cyberoam. I have done the following:

 

Core(config)#access-list 101 permit tcp any any eq smtp
Core(config)#access-list 101 permit tcp any any eq pop3
Core(config)#interface vlan 1
Core(config-if)#ip policy route-map cyber
Core(config-if)#exit
Core(config)#route-map cyber permit 10
Core(config-route-map)#match ip address 101
Core(config-route-map)#set ip next-hop 132.1.1.214

 

Unfortunately it didn't work, probably because the client, core switch, and Cyberoam are all in the same VLAN, vlan 1.

What is the solution for my case?

 

12 REPLIES

What's the configuration on the core switch port which is connected to the Cyberoam?

There are many possibilities, but being in the same VLAN is not a problem, as far as I know.

It's an L2 port, just like any port from the 132.1.0.0/16 LAN.

Check your 101 ACL statistics to see whether it hits the packets or not.

 

There are some things about this environment that we do not know and which could impact the ability to use PBR. The policy is applied to vlan 1. But we do not know whether vlan 1 is the only vlan configured and therefore cannot be sure that PBR is applied on the correct interface. We also do not know where the clients are trying to send their Email packets. PBR can only work on packets that clients send to the 6506 to be forwarded somewhere. So trying to do PBR where everything is in the same vlan will only catch traffic with a destination address that is external. If the client is sending Email to an address that is in the 132.1 network then the Email is sent directly to the server and the 6506 would never see that traffic and PBR would not work.

 

HTH

 

Rick
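Rick's point (the 6506 can only policy-route packets the clients actually hand to their gateway) as a small Python model, added here and not part of the thread. It uses the /16 LAN, the next hop and the ACL 101 lines from the first post; the sample flows in the checks are constructed.

```python
import ipaddress

# IOS service names used by the ACL in this thread (constructed subset)
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53}

LOCAL_NET = ipaddress.ip_network("132.1.0.0/16")  # vlan 1 LAN from the thread
NEXT_HOP = "132.1.1.214"                          # the Cyberoam UTM

def parse_ace(line):
    """'access-list 101 permit tcp any any eq smtp' -> ('tcp', 25)."""
    parts = line.split()
    proto = parts[3]
    if "eq" not in parts:
        return proto, None                  # no port qualifier: any port
    port = parts[parts.index("eq") + 1]
    return proto, int(port) if port.isdigit() else PORT_NAMES[port]

# The original poster's ACL 101
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp any any eq smtp",
    "access-list 101 permit tcp any any eq pop3",
)]

def acl_matches(acl, proto, dport):
    return any(p == proto and (port is None or port == dport) for p, port in acl)

def forwarding_decision(src, dst, proto, dport, acl=ACL_101):
    """How the 6506 handles one client flow: 'direct', 'routed' or 'pbr->next-hop'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in LOCAL_NET and dst_ip in LOCAL_NET:
        # Same subnet: the client ARPs for the server and delivers the frame
        # itself; the gateway never routes it, so PBR cannot catch it.
        return "direct"
    if src_ip not in LOCAL_NET:
        # 'ip policy' is bound to interface vlan 1, so packets entering from
        # another VLAN are routed normally even if the ACL would match.
        return "routed"
    if acl_matches(acl, proto, dport):
        return f"pbr->{NEXT_HOP}"
    return "routed"
```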

Thank you for your reply.

There are other VLANs in the C6506 switch, but they are not related and routing between VLANs is working fine.

Clients are trying to send pop3 + smtp traffic to an external email server on the internet.

 

Thank you for the additional information. If the clients are connected in vlan 1 and have their default gateway configured with the IP address of the 6506 interface, and if the clients are sending Email to external mail servers then I would expect the PBR that you configured to work. Can you post the output of show route-map?

 

HTH

 

Rick

I made some changes to the access list:
Core-Switch-A#sho access-lists cyber
Extended IP access list cyber
    20 permit tcp any any eq pop3
    21 permit udp any any eq domain (244 matches)
    23 permit tcp any any eq domain
    30 permit tcp any any eq 993
    31 permit tcp any any eq 995
    32 permit tcp any any eq 465
    40 permit tcp any any eq smtp (4 matches)

 


Core-Switch-A#show route-map cyber
route-map cyber, permit, sequence 10
  Match clauses:
    ip address (access-lists): cyber
  Set clauses:
    ip next-hop 132.1.1.214
  Policy routing matches: 1175 packets, 93858 bytes
Core-Switch-A#

 

 

Clients can access SMTP, but the problem now is with POP3 traffic.
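A counter check for the output just posted (the "check your ACL statistics" advice earlier in the thread), as an added Python example that is not part of the thread. The two outputs are the ones pasted above, embedded as sample input; the function names are mine.

```python
import re

# Output pasted in the thread above, embedded as sample input
SHOW_ACL = """Extended IP access list cyber
    20 permit tcp any any eq pop3
    21 permit udp any any eq domain (244 matches)
    23 permit tcp any any eq domain
    30 permit tcp any any eq 993
    31 permit tcp any any eq 995
    32 permit tcp any any eq 465
    40 permit tcp any any eq smtp (4 matches)
"""

SHOW_ROUTE_MAP = """route-map cyber, permit, sequence 10
  Match clauses:
    ip address (access-lists): cyber
  Set clauses:
    ip next-hop 132.1.1.214
  Policy routing matches: 1175 packets, 93858 bytes
"""

# One ACE line: "<seq> permit|deny <proto> ... eq <port> [(N matches)]"
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+.*?eq\s+(\S+)"
    r"(?:\s+\((\d+) match(?:es)?\))?\s*$")
RM_RE = re.compile(r"Policy routing matches:\s+(\d+) packets,\s+(\d+) bytes")

def parse_acl_counters(text):
    """Return {seq: (action, proto, port, matches)} for each ACE."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, proto, port, hits = m.groups()
            entries[int(seq)] = (action, proto, port, int(hits or 0))
    return entries

def parse_pbr_counters(text):
    """(packets, bytes) policy-routed according to 'show route-map'."""
    m = RM_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def pbr_health_report(acl_text, rm_text):
    """Flag ACEs that never matched: those are the flows PBR is not seeing."""
    entries = parse_acl_counters(acl_text)
    pkts, _ = parse_pbr_counters(rm_text)
    return {
        "policy_routed_packets": pkts,
        "acl_hits_total": sum(hits for *_, hits in entries.values()),
        "never_matched": [f"{seq} {proto} eq {port}" for seq, (_, proto, port, hits)
                          in sorted(entries.items()) if hits == 0],
    }
```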

I simulated your situation in GNS0.1 beta3. I created vlan 2 on the core switch and put the link between the core SW and the Cyberoam in vlan 2.

After this change PBR became fully operational with your initial ACL.

 

#show access-list

Extended IP access list 101
    10 permit tcp any any eq pop3 (1 match)
    20 permit tcp any any eq smtp (2 matches)

 

#show route-map

route-map pol, permit, sequence 8
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 192.168.2.1
Nexthop tracking current: 0.0.0.0
192.168.2.1, fib_nh:0,oce:0,status:0

  Policy routing matches: 3 packets, 180 bytes

 

 

 

I suspect that there are other protocols that need to be included in the access list.

Now I need to know a way to monitor all traffic from a specific IP.
There must be a debug command to show me all traffic forwarded to 132.1.1.214 from an x.x.x.x IP.

I expect the output would be something like
132.1.x.x src port 5445 dst port 110 --> external ip

 

could you help me with that ?

You can use the following script:

 

(config)#access-list 199 permit ip any host <a.b.c.d>

(config)#access-list 199 permit ip host <a.b.c.d> any

 

#debug ip packet 199 detail

 

Don't forget to use "no ip route-cache" on the interfaces.

Use carefully, it might cause a crash in congested devices.

 

 

Hello

Try taking the interface ip policy off and applying it locally for control plane PBR:

Core# ip local policy route-map cyber

 

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.

No hits when I issue "show route-map cyber".

 
