04-04-2018 03:34 PM - edited 03-03-2019 08:46 AM
I have a proxy on our network at 10.1.1.44 and all the wired devices use it with flawless authentication and it works 100%. The issue is with the 10.1.30.0/24 network that is for the wireless. All the endpoints are having trouble with applications not getting the proxy info and not being able to connect to the internet. I can still access the internet but the phones aren't setting the proxy globally across all apps.
What I wonder is if there is a way that I can forward all the data through the proxy before it goes out to the internet on the switch level or router level. So instead of configuring the end point (iPhone) it would be configured on the switch or router to make all data pass through the proxy before it went out.
Is this possible or can someone suggest another way of doing things?
04-05-2018 01:43 AM
Hi there,
What steps have you taken to segregate your wireless clients from your wired network? Is it contained within a separate VRF? If so, you could configure the default route for the VRF to be an interface on your proxy.
If your wireless and wired traffic are sharing the same routing table, then you could use Policy Based Routing by applying a route-map to the wireless network SVI and setting the next-hop as the proxy IP.
cheers,
Seb.
04-05-2018 02:15 AM
@Seb Rupik wrote:
Hi there,
What steps have you taken to segregate your wireless clients from your wired network? Is it contained within a separate VRF? If so, you could configure the default route for the VRF to be an interface on your proxy.
If your wireless and wired traffic are sharing the same routing table, then you could use Policy Based Routing by applying a route-map to the wireless network SVI and setting the next-hop as the proxy IP.
cheers,
Seb.
I just have them on different SVIs and I have EIGRP set up, so yes, they are sharing a routing table. Could I configure the next hop on the switch that connects to the router?
04-05-2018 02:57 AM
Hi there,
The route-map should be configured on the interface which routes the packets for the wireless subnet. This will be the router which has the wireless VLAN SVI configured.
cheers,
Seb.
04-05-2018 03:06 AM
@Seb Rupik wrote:
Hi there,
The route-map should be configured on the interface which routes the packets for the wireless subnet. This will be the router which has the wireless VLAN SVI configured.
cheers,
Seb.
The router doesn't have the SVI defined; it's not a router on a stick. I have 2 core switches that have link aggregation and HSRP. Would I put this route map on both core switches? Could you give me an example of a route map that I could use in the scenario with random IP subnets?
04-05-2018 03:49 AM
Yes, PBR should work within an HSRP group. You will need to apply the route-map to the routed interfaces on both switches.
The config will look something like this:
!
ip access-list ext 101
 permit ip 10.1.30.0 0.0.0.255 any
!
route-map PBR01
 match ip address 101
 set ip next-hop 10.1.1.4
!
int gi1/0/1
 ip policy route-map PBR01
!
cheers,
Seb.
04-05-2018 04:15 AM
@Seb Rupik wrote:
Yes, PBR should work within an HSRP group. You will need to apply the route-map to the routed interfaces on both switches.
The config will look something like this:
!
ip access-list ext 101
 permit ip 10.1.30.0 0.0.0.255 any
!
route-map PBR01
 match ip address 101
 set ip next-hop 10.1.1.4
!
int gi1/0/1
 ip policy route-map PBR01
!
cheers,
Seb.
Is gi1/0/1 the interface of the link aggregation on 'switch2' and then the link to the router on 'switch1'?
My network looks like this:
ROUTER
|
Single link
|
SWITCH1 =====LAGG==== SWITCH2
| |
So if I'm correct the config on switch 1 would be:
int port-channel1 - (the interface that goes to switch2)
ip policy route-map PBR01
And then on switch 2:
int fa1/0/1 - (The interface that goes up to the router)
ip policy route-map PBR01
Would that be correct?
04-05-2018 04:20 AM
You need to place the route-map on the interfaces which are routing your wireless subnet.
Can you please provide the configs of the switches and router to ensure we can give a precise answer?
cheers,
Seb.
04-05-2018 10:32 AM - edited 04-05-2018 11:47 AM
@Seb Rupik wrote:
You need to place the route-map on the interfaces which are routing your wireless subnet.
Can you please provide the configs of the switches and router to ensure we can give a precise answer?
cheers,
Seb.
ROUTER (CISCNET-RTR)
↓
↓
SWITCH1 (CISCNET.LOCAL.CORE.2) ======== SWITCH2 (CISCNET.LOCAL.CORE.1)
↓ ↓
The configs are attached.
Thanks
Nick
Edit: From SWITCH1 fa1/0/2 links to the router
04-06-2018 12:20 AM
Thanks for the configs. These are the additions you need to make:
!! CISCNET.LOCAL.CORE.2
!
ip access-list ext 101
 permit ip 10.1.30.0 0.0.0.255 any
!
route-map PBR01
 match ip address 101
 set ip next-hop 10.1.1.4
!
int vlan30
 ip policy route-map PBR01
!

!! CISCNET.LOCAL.CORE.1
!
ip access-list ext 101
 permit ip 10.1.30.0 0.0.0.255 any
!
route-map PBR01
 match ip address 101
 set ip next-hop 10.1.1.4
!
int vlan30
 ip policy route-map PBR01
!
cheers,
Seb.
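A check for the chain discussed in this thread (SVI, route-map, ACL, next-hop), as an added example that is not part of any post. The function names and config texts are constructed for illustration; the expected proxy address 10.1.1.44 is taken from the first post, and the audit flags any next-hop that differs from it, as well as a switch in the HSRP pair whose SVI has no policy applied.

```python
import re

def parse_sections(config):
    """Group indented IOS-style sub-commands under their top-level line."""
    sections, current = {}, None
    for line in config.lower().splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_pbr(config, svi, src, proxy_ip):
    """Check the chain SVI -> route-map -> ACL and next-hop; return findings."""
    s = parse_sections(config)
    policy = [l.split()[-1] for l in s.get(f"interface {svi}".lower(), [])
              if l.startswith("ip policy route-map ")]
    if not policy:
        return [f"{svi}: no 'ip policy route-map' applied"]
    body = [l for k, v in s.items() for l in v
            if k.split()[:2] == ["route-map", policy[0]]]
    findings = []
    hops = [l.split()[-1] for l in body if l.startswith("set ip next-hop ")]
    if proxy_ip not in hops:
        findings.append(f"next-hop {hops} is not the proxy {proxy_ip}")
    acls = [l.split()[-1] for l in body if l.startswith("match ip address ")]
    aces = [l for k, v in s.items() for l in v
            if k.startswith("ip access-list ") and k.split()[-1] in acls]
    # An extended ACE needs a protocol keyword before the source subnet.
    if not any(re.match(rf"permit (ip|tcp) {re.escape(src)} ", a) for a in aces):
        findings.append(f"ACL {acls}: no 'permit ip|tcp {src} ...' entry")
    return findings

# Constructed sample configs (not the attached configs from the thread).
ACL = "ip access-list extended 101\n permit ip 10.1.30.0 0.0.0.255 any\n"
RMAP = "route-map PBR01 permit 10\n match ip address 101\n set ip next-hop {}\n"
CORE_2 = ACL + RMAP.format("10.1.1.4") + "interface Vlan30\n ip policy route-map PBR01\n"
CORE_1 = ACL + RMAP.format("10.1.1.44") + "interface Vlan30\n ip address 10.1.30.2 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg in (("CORE.2", CORE_2), ("CORE.1", CORE_1)):
        print(name, audit_pbr(cfg, "Vlan30", "10.1.30.0 0.0.0.255", "10.1.1.44"))
```

An empty list means the SVI, route-map, ACL and next-hop all line up; running it against both core switches catches the case where only one HSRP peer steers traffic to the proxy.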
04-06-2018 03:17 AM
@Seb Rupik wrote:
Thanks for the configs. These are the additions you need to make:
!! CISCNET.LOCAL.CORE.2
!
ip access-list ext 101
 permit ip 10.1.30.0 0.0.0.255 any
!
route-map PBR01
 match ip address 101
 set ip next-hop 10.1.1.4
!
int vlan30
 ip policy route-map PBR01
!

!! CISCNET.LOCAL.CORE.1
!
ip access-list ext 101
 permit ip 10.1.30.0 0.0.0.255 any
!
route-map PBR01
 match ip address 101
 set ip next-hop 10.1.1.4
!
int vlan30
 ip policy route-map PBR01
!
cheers,
Seb.
For some reason the 'ip policy' command is not on my switches, how can this be?
04-06-2018 03:46 AM - edited 04-06-2018 03:47 AM
Ah, what image are you running? You need to have ipservices enabled.
You should also enable the SDM routing template:
!
sdm prefer routing
!
cheers,
Seb.
04-06-2018 03:53 AM
@Seb Rupik wrote:
Ah, what image are you running? You need to have ipservices enabled.
You should also enable the SDM routing template:
!
sdm prefer routing
!
cheers,
Seb.
It's just the base model, so it will be IPBASE.
04-06-2018 04:00 AM
If I remember rightly, the 3750 should support evaluation/right-to-use licensing.
Try issuing the following configuration commands on both switches:
conf t
!
license boot level ipservices
sdm prefer routing
!
exit
wr mem
reload
cheers,
Seb.
04-06-2018 04:17 AM
@Seb Rupik wrote:
If I remember rightly the 3750 should support evaluation/ right-to-use licensing.
Try issuing the following configuration commands on both switches:
conf t
!
license boot level ipservices
sdm prefer routing
!
exit
wr mem
reload
cheers,
Seb.
Evaluation being that I won't be able to use it forever? How long is the evaluation?