Cisco Support Community

New Member

Source routing?

Is there a way to send traffic from a particular subnet, 172.22.0.0/16 for example, to a particular server for a specific service?

I'll explain more, at my organization the security guys use Trend Micros as our virus/trojan protection etc. We currently have just one server, but they are adding two more and would like to know if we could put policy in place to send particular traffic to a given server for just Trend Micros traffic. This is currently done with the one server with a registry edit pointing to the server.

I know we could implement this with a L4 load-balancing product, but is there a way to direct traffic similarly without it to that level of detail?

Thanks in advance.

Accepted Solution
Hall of Fame Super Blue

Re: Source routing?

Yes, you can use PBR

Source = 172.22.0.0/16
Destination server(s) = 192.168.5.10, 192.168.5.20
Service = TCP 4400

access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.10 eq 4400
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.20 eq 4400

route-map PBR permit 10
 match ip address 101
 set ip next-hop x.x.x.x

int fa0/0
 ip policy route-map PBR

Notes

1) the next-hop must be reachable from this router

2) fa0/0 in the above example is the interface on which packets with a source address of 172.22.x.x arrive.

Jon

6 REPLIES

New Member

Re: Source routing?

So, port 4400 in your example would be the port Trend listens on, so any other traffic from these subnets would not match, fall out of the route-map, and be routed as normal?

Just making sure I understand the flow.

Hall of Fame Super Blue

Re: Source routing?

"So, port 4400 in your example would be the port Trend listens on, so any other traffic from these subnets would not match, fall out of the route-map, and be routed as normal?"

Exactly.

Jon

New Member

Re: Source routing?

Jon,

I have about 12 source subnets that need to be directed to different servers. Should I be able to combine the acl like below? Also, 2 of the servers hang off the same switch so should I be able to use the same route map?

! GMC
access-list 101 permit tcp 172.22.0.0 0.0.255.255 eq
! DH
access-list 101 permit tcp 172.28.0.0 0.0.255.255 eq
! DMH
access-list 101 permit tcp 172.26.0.0 0.0.255.255 eq
! RMH
access-list 101 permit tcp 172.25.0.0 0.0.255.255 eq
! WMC
access-list 101 permit tcp 172.30.0.0 0.0.255.255 eq
! CBO (each of these is a /24, so the wildcard is 0.0.0.255, not 0.255.255.255)
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq
! CBO
access-list 101 permit tcp 192.168.10.0 0.0.0.255 eq
! CBO
access-list 101 permit tcp 192.168.11.0 0.0.0.255 eq
! CBO
access-list 101 permit tcp 192.168.12.0 0.0.0.255 eq
! CBO
access-list 101 permit tcp 192.168.13.0 0.0.0.255 eq
! CBO
access-list 101 permit tcp 192.168.14.0 0.0.0.255 eq
! CBO
access-list 101 permit tcp 192.168.15.0 0.0.0.255 eq
!
route-map server01-pbr permit 10
 match ip address 101
 set ip next-hop x.x.x.x
!
route-map server02-pbr permit 15
 match ip address 101
 set ip next-hop x.x.x.x
!
route-map server03-pbr permit 20
 match ip address 101
 set ip next-hop x.x.x.x
!

Hall of Fame Super Blue

Re: Source routing?

"I have about 12 source submits that need to be directed to different servers. Should I be able to combine the acl like below?"

Yes you can do this. Bear in mind that you need to apply the policy route-map under the interface(s) on the router where the source traffic will arrive.

Jon
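As an added example (not code from this thread or from Cisco), a small Python model of the PBR decision discussed in the accepted answer and in the follow-up about non-matching traffic: a flow that a permit ACE in the route-map's ACL covers gets the sequence's next-hop, anything else returns None and is routed by the normal table. It also lints each ACE the way a reviewer would before applying a policy, flagging a line that is incomplete (no destination host, or eq with no port) or a wildcard that matches far more than its address suggests, such as 0.255.255.255 on a 192.168.x.0 network. The ACEs, the next-hop 192.0.2.1 and the test flows are constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed ACEs modelled on the accepted answer; 192.0.2.1 is an assumed next-hop.
ACL_101 = [
    "access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.10 eq 4400",
    "access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.20 eq 4400",
]
ROUTE_MAP_PBR = [{"acl": ACL_101, "next_hop": "192.0.2.1"}]  # one permit sequence

# Extended ACE shape used in this thread: src/wildcard, host dst, optional eq port.
ACE_RE = re.compile(
    r"^access-list \d+ permit (?P<proto>\w+) (?P<src>\S+) (?P<wc>\S+) "
    r"host (?P<dst>\S+)(?: eq (?P<port>\d+))?$"
)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Network an IOS address/wildcard pair really matches; strict=False keeps the
    typed address so the caller can compare it with the resulting network address."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def lint_ace(line: str) -> list[str]:
    """Warnings for an ACE that is incomplete or broader than it looks."""
    m = ACE_RE.match(line)
    if not m:
        return ["incomplete ACE (no destination host or no port after eq): " + line]
    net = wildcard_to_network(m["src"], m["wc"])
    if str(net.network_address) != m["src"]:
        return [f"{m['src']} {m['wc']} actually matches {net}"]
    return []

def ace_matches(line: str, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if this permit ACE covers the flow; a non-matching flow falls through."""
    m = ACE_RE.match(line)
    if not m or m["proto"] != proto or m["dst"] != dst:
        return False
    if m["port"] is not None and int(m["port"]) != dport:
        return False
    return ipaddress.IPv4Address(src) in wildcard_to_network(m["src"], m["wc"])

def pbr_next_hop(route_map, proto, src, dst, dport) -> Optional[str]:
    """First route-map sequence whose ACL permits the flow sets the next-hop;
    None means the packet left the route-map and is routed by the normal table."""
    for seq in route_map:
        if any(ace_matches(a, proto, src, dst, dport) for a in seq["acl"]):
            return seq["next_hop"]
    return None
```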

New Member

Re: Source routing?

Great! Got it... Thanks for the great info.

Robert
