827 Views, 0 Helpful, 6 Replies

PBR / set ip next-hop

kgtnewmedia
Level 1

Hi,

Could someone please advise how to change the next-hop for incoming SMTP traffic? I've successfully created a PBR to redirect customer SMTP traffic to a different next-hop:

--------------------------------------------------
C6509#access-list 150 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (customer LAN is 85.175.191.0/24; from customer to the internet)
C6509#access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp (from the internet to customer LAN; doesn't work!)

C6509#route-map MAIL-Redirect permit 10
C6509#match ip address 150
C6509#set ip next-hop 20.10.10.10
C6509#route-map MAIL-Redirect permit 20
C6509#match ip address 160
C6509#set ip next-hop 20.10.10.10

C6509#interface Vlan100
C6509#ip address 85.175.191.1 255.255.255.0
C6509#ip policy route-map MAIL-Redirect
--------------------------------------------------

Redirecting customer SMTP traffic from the inside to the internet works as expected:

--------------------------------------------------

IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, FIB policy match
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, PBR Counted
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, g=20.10.10.10, len 60, FIB policy routed

C6509#sh access-list 150
Extended IP access list 150
    10 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (17 matches)

--------------------------------------------------

But the other direction (SMTP traffic coming in from the internet to 85.175.191.0/24) doesn't seem to work:

--------------------------------------------------

C6509#sh access-list 160
Extended IP access list 160
    10 permit tcp any 5.175.191.0 0.0.0.255 eq smtp

--------------------------------------------------

Any ideas?

Thanks,

Thomas

6 Replies

e.ciollaro
Level 4

I think it's because PBR must be configured on the interface receiving the traffic; try configuring PBR on the WAN interface (obviously you can split the route-map into two route-maps: one for incoming traffic (used on the WAN interface) and one for outgoing traffic (used on VLAN 100)).

Let me know, bye,

enrico

PS: please rate if useful

Hi,

Thx, but the router has multiple WAN interfaces (3x BGP full table).

Regards,

Thomas

Why can't you configure PBR on all WAN interfaces?

Another thing I can't understand is why incoming and outgoing traffic has to be routed to the same next-hop 20.10.10.10. Could you clarify?

The next-hop (the same for IN and OUT traffic) is an anti-spam gateway. SMTP traffic from the customer out to the internet should pass through the gateway so that spam is filtered out. SMTP traffic from the internet to the customer should be prefiltered too. That's the idea behind it :-)

Thx, did you fix the problem using Kazim's suggestion?

enrico

Please change the ACL:

no access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp

access-list 160 permit tcp any eq smtp 85.175.191.0 0.0.0.255

HTH

kazim
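To see why access-list 160 never counts a match, here is a small Python model, added for this thread and not the router's code or the poster's configuration, of wildcard-mask ACE matching and first-match route-map evaluation that is applied only on interfaces carrying `ip policy`; the sample flows, the "WAN" interface name and the 198.51.100.7 mail-server address are constructed.

```python
import ipaddress

PORTS = {"smtp": 25}

def parse_ace(text):
    """Parse 'permit tcp SRC [eq P] DST [eq P]' (SRC/DST: 'any' or 'A.B.C.D WILDCARD')."""
    tok, i, ends = text.split(), 2, []
    assert tok[:2] == ["permit", "tcp"], "only 'permit tcp' ACEs are modelled"
    for _ in range(2):
        if tok[i] == "any":          # every address bit is "don't care"
            base, wc, i = 0, 0xFFFFFFFF, i + 1
        else:                        # address + wildcard mask (inverted netmask)
            base = int(ipaddress.ip_address(tok[i]))
            wc, i = int(ipaddress.ip_address(tok[i + 1])), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        ends.append((base, wc, port))
    return ends  # [(src_base, src_wc, sport), (dst_base, dst_wc, dport)]

def ace_matches(ace, pkt):
    """pkt = (src_ip, sport, dst_ip, dport); a wildcard bit of 1 means 'don't care'."""
    for (base, wc, port), ip, p in zip(ace, pkt[0::2], pkt[1::2]):
        if (int(ipaddress.ip_address(ip)) ^ base) & ~wc & 0xFFFFFFFF:
            return False
        if port is not None and p != port:
            return False
    return True

def pbr_decision(route_map, pkt):
    """First matching sequence wins, as on the router; None = normal FIB lookup."""
    for seq, ace, next_hop in route_map:
        if ace_matches(ace, pkt):
            return seq, next_hop
    return None

ROUTE_MAP = [  # the thread's MAIL-Redirect route-map, sequences 10 and 20
    (10, parse_ace("permit tcp 85.175.191.0 0.0.0.255 any eq smtp"), "20.10.10.10"),
    (20, parse_ace("permit tcp any 85.175.191.0 0.0.0.255 eq smtp"), "20.10.10.10"),
]
# Constructed flows (name, ingress interface, packet); 198.51.100.7 = internet mail server
FLOWS = [
    ("outbound SYN", "Vlan100", ("85.175.191.111", 40001, "173.19.66.27", 25)),
    ("inbound SYN", "WAN", ("198.51.100.7", 51234, "85.175.191.25", 25)),
    ("server reply", "Vlan100", ("85.175.191.25", 25, "198.51.100.7", 51234)),
]

def simulate(policy_interfaces=("Vlan100",)):
    """Apply the route-map only to packets entering an interface with 'ip policy'."""
    return {name: (pbr_decision(ROUTE_MAP, pkt) if ingress in policy_interfaces else None)
            for name, ingress, pkt in FLOWS}
```

With the policy on Vlan100 only, the inbound SYN enters on the WAN side and is never evaluated, so sequence 20 gets no match; adding "WAN" to `policy_interfaces` is the enrico variant.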
