Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1554
Views
0
Helpful
21
Replies

Proxy for subnet

AvidPontoon1
Level 1
Level 1

‎04-04-2018 03:34 PM - edited ‎03-03-2019 08:46 AM

I have a proxy on our network at 10.1.1.44 and all the wired devices use it with flawless authentication and it works 100%. The issue is with the 10.1.30.0/24 network that is for the wireless. All the endpoints are having trouble with applications not getting the proxy info and not being able to connect to the internet. I can still access the internet but the phones aren't setting the proxy globally across all apps.

 

What I wonder is if there is a way that I can forward all the data through the proxy before it goes out to the internet on the switch level or router level. So instead of configuring the end point (iPhone) it would be configured on the switch or router to make all data pass through the proxy before it went out.

 

Is this possible or can someone suggest another way of doing things?

Labels:
0 Helpful
21 Replies 21

Seb Rupik
VIP Alumni
VIP Alumni
In response to AvidPontoon1

‎04-06-2018 04:26 AM

The evaluation license lasts for 60 days, after which point it should transition to a right-to-use license. At this point you should have purchased a license from Cisco....this potentially will be a problem only if you use their support services, they will take a dim view if a sh tech reveals inadequate licenses.

0 Helpful

AvidPontoon1
Level 1
Level 1
In response to Seb Rupik

‎04-06-2018 04:31 AM

@Seb Rupik wrote:

The evaluation license lasts for 60 days, after which point it should transition to a right-to-use license. At this point you should have purchased a license from Cisco....this potentially will be a problem only if you use their support services, they will take a dim view if a sh tech reveals inadequate licenses.

Ah, I see.

 

Is there no way that what I need can be done on ipbase?

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to AvidPontoon1

‎04-06-2018 05:10 AM

No. It is part of the ipservices feature set.

 

You could change your L3 topology and move all of your routing to the router. Due the the PBR set ip next-hop command requiring the IP to be adjacent, this is what we need to move the routing of at the very least the wireless VLAN (3) and VLAN (1) hosting the proxy onto the router.

 

That device should support PBR. What model is it and what software release is it running?

0 Helpful

AvidPontoon1
Level 1
Level 1
In response to Seb Rupik

‎04-06-2018 05:21 AM

@Seb Rupik wrote:

No. It is part of the ipservices feature set.

 

You could change your L3 topology and move all of your routing to the router. Due the the PBR set ip next-hop command requiring the IP to be adjacent, this is what we need to move the routing of at the very least the wireless VLAN (3) and VLAN (1) hosting the proxy onto the router.

 

That device should support PBR. What model is it and what software release is it running?

I can issue the ip policy command on the router. Its a 2811.

 

How can I set this up on the router then? I havent changed configs so the existing ones are fine to use

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to AvidPontoon1

‎04-06-2018 05:54 AM

Do you have console access to these devices? We will keep VLAN1 UP/UP during this change so you should always be able to reach their VLAN1 SVI.

 

Try these:

!! router
!
ip access-list ext 101
  permit 10.1.30.0 0.0.0.255 any
!
route-map PBR01
  match ip address 101
  set ip next-hop 10.1.1.4
!
default int fa0/0
!
int fa0/0.1
  encapsulation dot1q 1
  ip address 10.1.1.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
int fa0/0.10
  encapsulation dot1q 10
  ip address 10.1.10.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
int fa0/0.20
  encapsulation dot1q 20
  ip address 10.1.20.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
  ip policy route-map PBR01
!
int fa0/0.30
  encapsulation dot1q 30
  ip address 10.1.30.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
int fa0/0.100
  encapsulation dot1q 100
  ip address 10.1.100.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
no router eigrp 100
!
spanning-tree vlan 1,10,20,30,100 root primary
!
!! switch1
!
no int range vlan 10,20,30,100
!
int fa1/0/2
  desc UPLINK
  switchport trunk encap dot1q
  switchport mode trunk
  switchport trunk allowed vlan 1,10,20,30,100
!
no router eigrp 100
!
!! switch2
!
no int range vlan 10,20,30,100
!
no router eigrp 100
!

cheers,

Seb.

0 Helpful

AvidPontoon1
Level 1
Level 1
In response to Seb Rupik

‎04-06-2018 07:43 AM

@Seb Rupik wrote:

Do you have console access to these devices? We will keep VLAN1 UP/UP during this change so you should always be able to reach their VLAN1 SVI.

 

Try these:

!! router
!
ip access-list ext 101
  permit 10.1.30.0 0.0.0.255 any
!
route-map PBR01
  match ip address 101
  set ip next-hop 10.1.1.4
!
default int fa0/0
!
int fa0/0.1
  encapsulation dot1q 1
  ip address 10.1.1.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
int fa0/0.10
  encapsulation dot1q 10
  ip address 10.1.10.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
int fa0/0.20
  encapsulation dot1q 20
  ip address 10.1.20.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
  ip policy route-map PBR01
!
int fa0/0.30
  encapsulation dot1q 30
  ip address 10.1.30.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
int fa0/0.100
  encapsulation dot1q 100
  ip address 10.1.100.252 255.255.255.0
  ip helper-address 10.1.100.65
  ip nat inside
!
no router eigrp 100
!
spanning-tree vlan 1,10,20,30,100 root primary
!
!! switch1
!
no int range vlan 10,20,30,100
!
int fa1/0/2
  desc UPLINK
  switchport trunk encap dot1q
  switchport mode trunk
  switchport trunk allowed vlan 1,10,20,30,100
!
no router eigrp 100
!
!! switch2
!
no int range vlan 10,20,30,100
!
no router eigrp 100
!

cheers,

Seb.

Are my core switches not very useful now though? With all the routing bring done on the router?

 

You have made the router the root Bridge for all vlans, do I have to alter this on the switches? Finally can I still run HSRP between the core switches?

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to AvidPontoon1

‎04-06-2018 08:01 AM

To use the PBR on the router, you need VLAN1 and VLAN30 to be routed on the same device. You will not need HSRP for these VLANs since there is only one routing device.

 

Arguably we could leave the remaining VLANs on the two 3750 switches, and run EIGRP between the switches and the router. If you wanted to do this properly it would require an new Layer3 link between the router and switch2. Doing this would also make better use of your HSRP setup. Currently if switch1 fails, switch2 would become the HSRP group master but would have no way of routing to the internet. A new L3 link to the router would fix this.

 

cheers,

Seb.

0 Helpful
Customers Also Viewed These Support Documents