05-03-2019 10:31 AM
Hi guys,
I've been asked to put in a transparent proxy to web filter certain VLANs. I'm trying to set my VLANs to use different static routes.
If I set my global static route to the below, everything works fine.
If I set it per VLAN, I'm not able to ping out to the gateway.
Is there any other switch configuration I need to set?
05-03-2019 01:44 PM
Leave the default route and add policy-based routing that sets the next-hop address of the gateway for that respective VLAN 100.
If this is still an issue, post the full configuration.
05-03-2019 04:17 PM
You will have to use policy-based routing for individual VLANs to choose a different gateway. Make sure you only specify, through an ACL, the relevant traffic that should be redirected to the proxy. This can be done for all the relevant VLANs.
Please rate this post if you find it helpful.
05-04-2019 03:32 AM
Do you have any examples on how to do this?
05-04-2019 04:04 AM
Hello,
here is an example:
ip access-list extended VLAN_10_ACL
permit ip 192.168.10.0 0.0.0.255 any
!
route-map VLAN_10_RM permit 10
match ip address VLAN_10_ACL
set ip next-hop x.x.x.x
!
int vlan 10
ip add 192.168.10.1 255.255.255.0
ip policy route-map VLAN_10_RM
05-07-2019 02:49 AM
05-07-2019 02:47 AM
Does this seem correct?
VLAN 50 already has an ACL; I have used that.
I have two routing ports
192.168.120.80 - gi1/0/24 Patched into Sonicwall X3 192.168.120.254
192.168.121.80 - gi1/0/23 Patched into draytech X2 192.168.121.254
route-map techSupport-ACL permit 50
match ip address techSupport-ACL
set ip next-hop 192.168.121.80 192.168.121.254
05-07-2019 10:18 AM
route-map techSupport-ACL permit 50 (what is the ACL content of techSupport-ACL?)
match ip address techSupport-ACL
set ip next-hop 192.168.121.80 192.168.121.254 (if you are looking to send the traffic matched by techSupport-ACL to draytech X2 192.168.121.254)
then use: set ip next-hop 192.168.121.254
05-15-2019 02:00 AM
I'll try this today.
techSupport-ACL is an ACL to prevent VLAN access to other VLANs.
05-16-2019 03:41 AM
I've managed to get the policy-based routing working, but it has stopped my ip helper from getting DHCP leases from my server.
Anyone have any ideas?
05-16-2019 04:15 AM - edited 05-16-2019 04:15 AM
Can you post the latest configuration to have a look?
05-16-2019 05:47 AM
So I used your example but applied it to VLAN 21.
!
hostname Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 0
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
clock timezone gmt 1
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name
ip name-server 8.8.8.8
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.200
!
ip dhcp pool Voice
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool CCTV
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool techSupport
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool Network
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
!
crypto pki trustpoint TP-self-signed-1562173568
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1562173568
revocation-check none
rsakeypair TP-self-signed-1562173568
!
!
crypto pki certificate chain TP-self-signed-1562173568
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353632 31373335 3638301E 170D3933 30333031 30303031
33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35363231
37333536 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A476 DA036124 20128049 28B4D1E7 607FAC0B 772389D0 A437DA1F 1BB1801A
1807FB3D 7AB1C838 D498724E 16D5C9E1 27549732 E25FEF98 BE773D29 DE622F18
F0CDAD27 2C7FA223 1E549829 158090DE FCAB8A2B 1A5F0C12 94BD29BC 1980C84E
BE330F03 43DD70C1 2C60800C EA1402D0 A487ADF3 4BA34158 C8251FF8 654775B2
C7210203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144F542D 436F7265 2E6F7374 6563682E 6C6F6361 6C301F06
03551D23 04183016 8014827C 73A7E6F7 B888685B D2C751E5 34D7CA6E 5FD9301D
0603551D 0E041604 14827C73 A7E6F7B8 88685BD2 C751E534 D7CA6E5F D9300D06
092A8648 86F70D01 01040500 03818100 5A377815 1BCB6B3C 2F15C819 29009248
205219A2 994CE4DD 545A18BD 9081D4C8 670C6670 72CB55D2 641FF71E 5CC59B0D
88D9CF1A B7ACCF95 DDCDD862 4EBD97D3 CD7ED523 B1EA7F86 5168FCA2 6CDD44DA
63D7EC27 FEFB58A4 5647091F B1E96609 E32FAA39 AAF4DF8A AC5F5E71 44B6ADDB
BF151018 31F4D61D 0B8728A9 2C1C52BC
quit
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
spanning-tree vlan 10,20-21,50,60,99 priority 4096
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 99
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
switchport access vlan 20
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 20
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
switchport access vlan 20
!
interface GigabitEthernet1/0/17
switchport access vlan 20
!
interface GigabitEthernet1/0/18
switchport access vlan 20
!
interface GigabitEthernet1/0/19
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/20
switchport access vlan 20
!
interface GigabitEthernet1/0/21
switchport access vlan 20
!
interface GigabitEthernet1/0/22
switchport access vlan 20
!
interface GigabitEthernet1/0/23
no switchport
ip address 192.168.121.80 255.255.255.0
!
interface GigabitEthernet1/0/24
no switchport
ip address 192.168.120.80 255.255.255.0
!
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,60,99,100
switchport mode trunk
!
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,60,99,100
switchport mode trunk
!
interface GigabitEthernet1/0/27
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,60,99,100
switchport mode trunk
!
interface GigabitEthernet1/0/28
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,60,99,100
switchport mode trunk
!
interface Vlan1
ip address 10.1.1.50 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group Security-ACL out
!
interface Vlan21
ip address 192.168.21.1 255.255.255.0
ip helper-address 192.168.16.6
ip policy route-map vlan_21_RM
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 30 out
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
ip access-group Support-ACL out
shutdown
!
interface Vlan60
ip address 192.168.60.1 255.255.255.0
ip access-group Network-ACL in
ip access-group Network-ACL out
!
interface Vlan99
ip address 192.168.99.1 255.255.255.0
ip access-group 99 out
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 10 out
!
ip default-gateway 192.168.120.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.120.254
ip http server
ip http secure-server
!
!
ip access-list extended Network-ACL
deny ip 192.168.20.0 0.0.0.255 any
deny ip 192.168.16.0 0.0.3.255 any
permit ip any any
ip access-list extended Security-ACL
permit ip host 192.168.18.103 any
permit ip host 192.168.18.104 any
permit ip host 192.168.16.190 any
permit ip host 192.168.17.69 any
permit ip host 192.168.17.197 any
deny ip 192.168.16.0 0.0.3.255 any
permit ip any any
ip access-list extended Support-ACL
permit ip host 192.168.17.197 any
permit ip any any
ip access-list extended vlan_21_ACL
permit ip 192.168.16.0 0.0.0.3 any
permit ip 192.168.21.0 0.0.0.255 any
!
access-list 1 deny 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.16.13
access-list 10 deny 192.168.16.0 0.0.3.255
access-list 10 permit any
access-list 10 deny 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.50.0 0.0.0.3
access-list 21 deny 192.168.16.0 0.0.3.254
access-list 30 deny 192.168.16.0 0.0.3.255
access-list 30 permit any
access-list 30 deny 192.168.100.0 0.0.0.255
access-list 99 deny 192.168.16.0 0.0.3.254
route-map vlan_21_RM permit 21
match ip address vlan_21_ACL
set ip next-hop 192.168.121.254
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password *******
logging synchronous
line vty 0 4
exec-timeout 0 0
password ******
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
password *******
logging synchronous
transport input ssh
!
end
Also, the output of show route-map:
show route-map vlan_21_RM
route-map vlan_21_RM, permit, sequence 21
Match clauses:
ip address (access-lists): vlan_21_ACL
Set clauses:
ip next-hop 192.168.121.254
Nexthop tracking current: 192.168.121.254
192.168.121.254, fib_nh:3E2B95C,oce:47A0150,status:1
ip default next-hop 192.168.121.254
Policy routing matches: 18 packets, 1914 bytes
05-16-2019 06:09 AM
I would not have thought that your PBR would impact DHCP and helper-address since it is looking for IP packet source addresses in specified subnets and the DHCP request source address should be 0.0.0.0. But if it is impacting the assignment of IP addresses then you need to add a statement at the beginning of your ACL that denies traffic for DHCP.
HTH
Rick
05-16-2019 06:20 AM
Hi
If I remove the PBR then I get a DHCP lease from my server.
I want VLAN 21 to get leases from my DHCP server (192.168.16.6).
I'm guessing this is access-list related, but wouldn't denying traffic for DHCP stop the devices on VLAN 21 getting IP addresses? This would be the opposite of what I'm trying to do.
05-16-2019 09:02 AM
If you deny DHCP in the ACL used for PBR, it would not stop your devices from getting IP addresses using DHCP. We need to be clear about how ACLs are used. If you apply an ACL on an interface using ip access-group, then yes, denying DHCP would stop devices from getting IP addresses using DHCP. But apply the ACL in PBR and it works differently. You are just denying DHCP from receiving the special routing in PBR and allowing that traffic to use normal routing. A deny in the ACL for PBR does not deny the packet from being forwarded; it only denies it the special routing.
HTH
Rick
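The distinction Rick draws above (a deny in an access-group ACL drops the packet, a deny in a PBR match ACL just falls back to the routing table) can be checked with a small model. The following is an added illustration, not code from the thread or from Cisco: it parses the subset of IOS extended-ACL syntax used in the posted configuration, then evaluates the same ACL in both contexts. ORIGINAL_ACL is vlan_21_ACL as posted; FIXED_ACL is a constructed variant with a leading deny for DHCP client-to-server traffic (bootpc UDP 68 to bootps UDP 67); the sample packets and the 192.168.21.50 client address are constructed for the example, while the PBR next hop 192.168.121.254 comes from the posted route-map.

```python
"""Added illustration: one extended ACL interpreted two ways on IOS.
  ip access-group -> deny (explicit or implicit) DROPS the packet
  route-map / PBR -> deny only skips the set clause; normal routing applies
Supported syntax: permit|deny, proto ip|udp|tcp, any / host A / NET WILDCARD, eq PORT."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL copied from the posted configuration (vlan_21_ACL).
ORIGINAL_ACL = """
permit ip 192.168.16.0 0.0.0.3 any
permit ip 192.168.21.0 0.0.0.255 any
"""
# Constructed variant: DHCP client->server traffic is excluded from PBR.
# The deny must come before the permits, since the first match wins.
FIXED_ACL = """
deny udp any eq bootpc any eq bootps
permit ip 192.168.16.0 0.0.0.3 any
permit ip 192.168.21.0 0.0.0.255 any
"""
PBR_NEXT_HOP = "192.168.121.254"          # 'set ip next-hop' from the posted route-map
PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS keywords used in the ACL above


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", ...
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tok, i):
    """Return (network, next index) for 'any', 'host A.B.C.D' or 'NET WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host) mask after the slash, e.g. 10.0.0.0/0.0.0.255
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq PORT' qualifier; PORT is a number or an IOS keyword."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                        # blank lines and remarks
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces


def _matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def acl_action(aces, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def evaluate(acl_text, pkt):
    """Apply the same ACL as an access-group filter and as a PBR match clause."""
    action = acl_action(parse_acl(acl_text), pkt)
    return {"access-group": "forward" if action == "permit" else "drop",
            "pbr": PBR_NEXT_HOP if action == "permit" else "normal-routing"}


# Constructed sample packets as seen on the VLAN 21 SVI.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)
DHCP_RENEW = Packet("192.168.21.50", "192.168.16.6", "udp", 68, 67)  # unicast renewal
WEB = Packet("192.168.21.50", "203.0.113.10", "tcp", 40000, 80)

if __name__ == "__main__":
    for name, pkt in [("discover", DHCP_DISCOVER), ("renew", DHCP_RENEW), ("web", WEB)]:
        print(f"{name:9} original: {evaluate(ORIGINAL_ACL, pkt)}")
        print(f"{name:9} fixed:    {evaluate(FIXED_ACL, pkt)}")
```

Running it shows the two points of the thread side by side: the initial broadcast DISCOVER (source 0.0.0.0) never matches vlan_21_ACL, so PBR leaves it to normal forwarding either way, but a unicast renewal from an already-addressed client does match the permit for 192.168.21.0/24 and would be policy-routed to 192.168.121.254 instead of toward the DHCP server; with the leading deny it falls back to normal routing, while the same deny in an access-group would drop it.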