03-04-2019 09:19 AM - edited 03-04-2019 09:24 AM
I just installed a pair of Nexus 7Ks as our network core. Our default route sends traffic out to an ASA 5545 (10.60.10.30), which uses WCCP to redirect traffic to Websense for web filtering. As part of a Security ELA we signed with Cisco, we are going to test out the Web Security Appliance.
To start, I would like to send the web traffic from a couple of hosts out our secondary Internet pipe (ASA 5525 - 10.60.10.21) and use WCCP to send the traffic to the WSA.
On the 7Ks I've entered the following:
config t
feature pbr
ip access-list PBR-ACL
permit ip 10.60.240.50 255.255.255.255 any
permit ip 10.60.240.62 255.255.255.255 any
permit ip 10.60.240.68 255.255.255.255 any
ip policy route-map PBR-Route-Map
route-map PBR-Route-Map permit 10
match ip address PBR-ACL
set ip next-hop 10.60.10.21
!
However, I'm not sure what interface to apply the route map to. The IT VLAN is vlan 701 and when I apply the route map to that interface, all traffic from IT goes out the VLAN. Eventually that will be OK, but we don't want to interrupt daily operations. I thought about applying the route-map to the inbound port channel but I'm not sure if that's the best location. Can anyone provide some assistance?
Ryan
03-04-2019 09:33 AM
Hello,
ip policy route-map PBR-Route-Map
route-map PBR-Route-Map permit 10
match ip address PBR-ACL
Try it with:
set ip default next-hop 10.60.10.21
!
03-04-2019 10:24 AM
Hi,
Thanks for your response.
Wouldn't that set all ip traffic to go to 10.60.10.21 though? Also, on which interface do I place the route-map?
Ryan
03-04-2019 10:51 AM - edited 03-04-2019 10:52 AM
If you use "set ip next-hop x.x.x.x", all traffic is sent to x.x.x.x without checking the IP routing table. If you use "set ip default next-hop x.x.x.x", the routing table is checked first, and if there is a matching route (but not a default route, as that does not count) then that route is used; otherwise traffic is sent to x.x.x.x.
So you would usually use the default next-hop if you wanted traffic between vlans on the switch to be routed via the routing table but other traffic that would use the default route to use your PBR default instead.
You apply your PBR route map to the L3 interface on your switch where the traffic arrives from so if the clients are in vlan 701 you would apply it to the L3 interface for that vlan.
Jon
03-05-2019 04:51 AM
That didn't work. I applied the following and all traffic on vlan 701 went through 10.60.10.21. The route-map only specifies that 3 hosts are supposed to go through that gateway while the rest of the traffic should go through the default gateway of 10.60.10.30. Any other ideas?
03-05-2019 04:56 AM
I'm using Nexus 7706 with software 7.3(3)D1(1).
Here is the config that I used:
IP access list PBR-ACL
10 permit ip 10.60.240.50 255.255.255.255 any
20 permit ip 10.60.240.62 255.255.255.255 any
30 permit ip 10.60.240.68 255.255.255.255 any
route-map PBR-Route-Map permit 10
match ip address PBR-ACL
set ip default next-hop 10.60.10.21
int vlan 701
ip policy route-map PBR-Route-Map
Am I missing something?
03-05-2019 07:03 AM - edited 03-05-2019 07:05 AM
Hello Ryan,
IP access list PBR-ACL
10 permit ip 10.60.240.50 255.255.255.255 any
20 permit ip 10.60.240.62 255.255.255.255 any
30 permit ip 10.60.240.68 255.255.255.255 any
Extended and standard ACLs use wildcard masks for configuration.
IP access list PBR-ACL
10 permit ip 10.60.240.50 0.0.0.0 any
20 permit ip 10.60.240.62 0.0.0.0 any
30 permit ip 10.60.240.68 0.0.0.0 any
Now only these hosts will use this PBR.
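The two points this thread turns on, the wildcard-mask semantics behind the fix above and the "set ip next-hop" versus "set ip default next-hop" difference Jon describes earlier, can be checked with a small model. The script below is an added example and is not NX-OS code or anything posted in the thread: it reproduces Cisco wildcard matching (a 1 bit means "don't care", so 255.255.255.255 in the wildcard position matches every source, which is why all of VLAN 701 was policy routed) and a PBR decision that honours an explicit route only under "default next-hop". The three host addresses, 10.60.10.30 and 10.60.10.21 come from the thread; the 10.60.240.0/24 subnet for VLAN 701 and a second VLAN at 10.60.241.0/24 are constructed assumptions.

```python
import ipaddress

# Added example: a model of Cisco wildcard-mask matching and of the PBR
# "next-hop" / "default next-hop" semantics discussed in this thread.
# Not NX-OS code. The /24 for VLAN 701 and the 10.60.241.0/24 "other VLAN"
# are assumptions; only the three hosts and the two ASA addresses are from
# the thread.

HOSTS = ["10.60.240.50", "10.60.240.62", "10.60.240.68"]
DEFAULT_GW = "10.60.10.30"     # ASA 5545, the existing default route
PBR_NEXT_HOP = "10.60.10.21"   # ASA 5525, where the three hosts should go

# Routing table as (prefix, next hop). 0.0.0.0/0 is the default route.
ROUTES = [
    (ipaddress.ip_network("10.60.240.0/24"), "connected vlan701"),  # assumed
    (ipaddress.ip_network("10.60.241.0/24"), "connected vlan702"),  # assumed
    (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def acl_permits(acl, src):
    """acl is a list of (base, wildcard) permit entries; implicit deny at the end."""
    return any(wildcard_match(src, base, wc) for base, wc in acl)


# What the original post configured: subnet masks in the wildcard position.
# With every wildcard bit set, nothing is compared and every source matches.
ACL_AS_POSTED = [(h, "255.255.255.255") for h in HOSTS]
# What the accepted answer changed it to: exact match on each host.
ACL_FIXED = [(h, "0.0.0.0") for h in HOSTS]


def route_lookup(dst):
    """Longest-prefix match. Returns (next_hop, is_default_route)."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, nh in ROUTES:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1], best[0].prefixlen == 0


def pbr_next_hop(src, dst, acl, mode):
    """mode is 'next-hop' or 'default next-hop', as in the route-map set clause."""
    if not acl_permits(acl, src):
        return route_lookup(dst)[0]      # not policy routed at all
    if mode == "next-hop":
        return PBR_NEXT_HOP              # routing table is never consulted
    nh, is_default = route_lookup(dst)
    if not is_default:
        return nh                        # explicit route wins
    return PBR_NEXT_HOP                  # only the default route matched


if __name__ == "__main__":
    for acl_name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        for src in ("10.60.240.50", "10.60.240.99"):
            print(acl_name, src, "-> Internet via",
                  pbr_next_hop(src, "8.8.8.8", acl, "default next-hop"))
    print("fixed, PBR host to other VLAN, default next-hop:",
          pbr_next_hop("10.60.240.50", "10.60.241.10", ACL_FIXED, "default next-hop"))
    print("fixed, PBR host to other VLAN, next-hop:",
          pbr_next_hop("10.60.240.50", "10.60.241.10", ACL_FIXED, "next-hop"))
```

Running it shows the symptom from the thread (with the as-posted ACL, a non-listed host such as 10.60.240.99 is also sent to 10.60.10.21) and the reason "default next-hop" is the right keyword here: a listed host still reaches the other VLAN through the connected route, whereas plain "next-hop" would push that inter-VLAN traffic to the ASA too.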
03-05-2019 08:55 AM
That worked!!! Thanks to both of you for your help.