Our network consists of two routers; the first is a Cisco 6506-E, the second is a Cyberoam 750 UTM.
cyberoam = 188.8.131.52
All clients are connected as seen in the pic below, and all clients have 184.108.40.206 as the default gateway.
I want to forward POP3 + SMTP traffic from the clients to the Cyberoam. I have done the following:
Core(config)#access-list 101 permit tcp any any eq smtp
Core(config)#access-list 101 permit tcp any any eq pop3
Core(config)#interface vlan 1
Core(config-if)#ip policy route-map cyber
Core(config)#route-map cyber permit 10
Core(config-route-map)#match ip address 101
Core(config-route-map)#set ip next-hop 220.127.116.11
Unfortunately it didn't work, probably because the clients, the core switch and the Cyberoam are all in the same VLAN, vlan 1.
What is the solution for my case?
What's the configuration on the core switch port which is connected to the Cyberoam?
There are many possibilities, but being in the same VLAN is not a problem, as far as I know.
There are some things about this environment that we do not know and which could impact the ability to use PBR. The policy is applied to vlan 1. But we do not know whether vlan 1 is the only vlan configured and therefore cannot be sure that PBR is applied on the correct interface. We also do not know where the clients are trying to send their Email packets. PBR can only work on packets that clients send to the 6506 to be forwarded somewhere. So trying to do PBR where everything is in the same vlan will only catch traffic with a destination address that is external. If the client is sending Email to an address that is in the 132.1 network then the Email is sent directly to the server and the 6506 would never see that traffic and PBR would not work.
Thank you for your reply.
There are other VLANs in the C6506 switch, but they are not related, and routing between VLANs is working fine.
Clients are trying to send POP3 + SMTP traffic to an external email server on the internet.
Thank you for the additional information. If the clients are connected in vlan 1 and have their default gateway configured with the IP address of the 6506 interface, and if the clients are sending Email to external mail servers then I would expect the PBR that you configured to work. Can you post the output of show route-map?
I made some changes to the access list:
Core-Switch-A#sho access-lists cyber
Extended IP access list cyber
20 permit tcp any any eq pop3
21 permit udp any any eq domain (244 matches)
23 permit tcp any any eq domain
30 permit tcp any any eq 993
31 permit tcp any any eq 995
32 permit tcp any any eq 465
40 permit tcp any any eq smtp (4 matches)
Core-Switch-A#show route-map cyber
route-map cyber, permit, sequence 10
ip address (access-lists): cyber
ip next-hop 18.104.22.168
Policy routing matches: 1175 packets, 93858 bytes
Clients can access SMTP, but the problem now is with POP3 traffic.
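As an added illustration (not from anyone in this thread) of the earlier point that PBR on the vlan 1 SVI only sees packets whose destination is off the client subnet, and of which flows the revised "cyber" ACL above would redirect, the Python model below parses that ACL output and classifies sample flows. The client subnet, the next-hop address and the sample destinations are constructed assumptions, not the thread's real addresses.

```python
import ipaddress

# Constructed addresses for the model; the thread's own addresses are not reused.
CLIENT_SUBNET = ipaddress.ip_network("192.0.2.0/24")   # assumed: vlan 1 subnet
CYBEROAM_NEXT_HOP = "192.0.2.254"                      # assumed: set ip next-hop target
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53}   # IOS keyword -> port number

# The revised ACL as shown by 'show access-lists cyber' (match counters kept).
ACL_CYBER = """
Extended IP access list cyber
20 permit tcp any any eq pop3
21 permit udp any any eq domain (244 matches)
23 permit tcp any any eq domain
30 permit tcp any any eq 993
31 permit tcp any any eq 995
32 permit tcp any any eq 465
40 permit tcp any any eq smtp (4 matches)
"""

def parse_acl(text):
    """Return [(proto, dport)] for 'permit <proto> any any eq <port>' entries,
    the only ACE form used in the thread; other lines are ignored."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[1] != "permit" or "eq" not in parts:
            continue
        port = parts[parts.index("eq") + 1]
        entries.append((parts[2], PORT_NAMES.get(port, int(port) if port.isdigit() else -1)))
    return entries

def forward_decision(dst, proto, dport, acl):
    """Where does a client packet go? A destination inside the client subnet is
    delivered at layer 2 and never reaches the vlan 1 SVI, so PBR cannot act on it.
    Off-subnet packets hit the SVI: an ACL match goes to the Cyberoam next-hop,
    anything else follows the normal routing table."""
    if ipaddress.ip_address(dst) in CLIENT_SUBNET:
        return "direct-l2"
    if (proto, dport) in acl:
        return f"pbr-next-hop {CYBEROAM_NEXT_HOP}"
    return "normal-routing"

if __name__ == "__main__":
    acl = parse_acl(ACL_CYBER)
    for dst, proto, dport in [("203.0.113.5", "tcp", 25), ("203.0.113.5", "tcp", 110),
                              ("203.0.113.5", "tcp", 143), ("192.0.2.20", "tcp", 25)]:
        print(dst, proto, dport, "->", forward_decision(dst, proto, dport, acl))
```

The third sample flow uses a port that is not in the ACL and therefore falls through to normal routing, which is the kind of gap the ACL match counters help reveal.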
I simulated your situation in GNS0.1 beta3. I created vlan 2 on the core switch and put the link between the core SW and the Cyberoam in vlan 2.
After this change PBR became fully operational with your initial ACL.
Extended IP access list 101
10 permit tcp any any eq pop3 (1 match)
20 permit tcp any any eq smtp (2 matches)
route-map pol, permit, sequence 8
ip address (access-lists): 101
ip next-hop 192.168.2.1
Nexthop tracking current: 0.0.0.0
Policy routing matches: 3 packets, 180 bytes
I suspect that there are other protocols that need to be included in the access list.
Now I need to know a way to monitor all traffic from a specific IP.
There must be a debug command to show me all traffic forwarded to 22.214.171.124 from an x.x.x.x IP.
I expect the output would be something like:
132.1.x.x src port 5445 des port 110 --> external ip
Could you help me with that?
You can use the following script:
(config)#access-list 199 permit ip any host <a.b.c.d>
(config)#access-list 199 permit ip host <a.b.c.d> any
#debug ip packet 199 detail
Don't forget to use "no ip route-cache" on the interfaces.
Use carefully; it might cause a crash in congested devices.
Try taking the interface ip policy off and applying it locally for control plane PBR:
Core(config)#ip local policy route-map cyber