03-04-2009 06:21 AM - edited 03-04-2019 03:48 AM
Is there a way to send traffic from a particular subnet, 172.22.0.0/16 for example, to a particular server for a specific service?
I'll explain more: at my organization the security guys use Trend Micro as our virus/trojan protection, etc. We currently have just one server, but they are adding two more and would like to know if we could put a policy in place to send particular traffic to a given server for just Trend Micro traffic. This is currently done with the one server with a registry edit pointing to the server.
I know we could implement this with a L4 load-balancing product, but is there a way to direct traffic similarly without it to that level of detail?
Thanks in advance.
03-04-2009 06:39 AM
Yes, you can use PBR
Source = 172.22.0.0/16
Destination server(s) = 192.168.5.10, 192.168.5.20
service = TCP 4400
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.10 eq 4400
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.20 eq 4400
route-map PBR permit 10
match ip address 101
set ip next-hop x.x.x.x
int fa0/0
ip policy route-map PBR
Notes
1) the next-hop must be reachable from this router
2) fa0/0 in the above example is the interface on which packets with a source address of 172.22.x.x arrive.
Jon
03-04-2009 06:47 AM
So, port 4400 in your example would be the port Trend listens on, so any other traffic from these subnets would not match, fall out of the route-map, and be routed as normal?
Just making sure I understand the flow.
03-04-2009 06:53 AM
"So, port 4400 in your example would be the port Trend listens on, so any other traffic from these subnets would not match, fall out of the route-map, and be routed as normal?"
Exactly.
Jon
03-04-2009 09:12 AM
Jon,
I have about 12 source subnets that need to be directed to different servers. Should I be able to combine the ACL like below? Also, 2 of the servers hang off the same switch, so should I be able to use the same route map?
! GMC
access-list 101 permit tcp 172.22.0.0 0.0.255.255
! DH
access-list 101 permit tcp 172.28.0.0 0.0.255.255
! DMH
access-list 101 permit tcp 172.26.0.0 0.0.255.255
! RMH
access-list 101 permit tcp 172.25.0.0 0.0.255.255
! WMC
access-list 101 permit tcp 172.30.0.0 0.0.255.255
! CBO (/24 networks, so the wildcard mask is 0.0.0.255)
access-list 101 permit tcp 192.168.2.0 0.0.0.255
! CBO
access-list 101 permit tcp 192.168.10.0 0.0.0.255
! CBO
access-list 101 permit tcp 192.168.11.0 0.0.0.255
! CBO
access-list 101 permit tcp 192.168.12.0 0.0.0.255
! CBO
access-list 101 permit tcp 192.168.13.0 0.0.0.255
! CBO
access-list 101 permit tcp 192.168.14.0 0.0.0.255
! CBO
access-list 101 permit tcp 192.168.15.0 0.0.0.255
!
route-map server01-pbr permit 10
match ip address 101
set ip next-hop x.x.x.x
!
route-map server02-pbr permit 15
match ip address 101
set ip next-hop x.x.x.x
!
route-map server03-pbr permit 20
match ip address 101
set ip next-hop x.x.x.x
!
03-04-2009 10:02 AM
"I have about 12 source submits that need to be directed to different servers. Should I be able to combine the acl like below?"
Yes, you can do this. Bear in mind that you need to apply the policy route-map under the interface(s) on the router where the source traffic will arrive.
Jon
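To check how Jon's ACL/route-map combination behaves before putting it on a router, here is an added example (not from the thread or from Cisco): a small evaluator of Cisco-style extended ACL entries with wildcard masks and a PBR route-map. It uses Jon's ACL 101, a placeholder next-hop 10.0.0.2 in place of x.x.x.x, and shows that only TCP 4400 flows from 172.22.0.0/16 get the next-hop while everything else falls through to normal routing.

```python
import ipaddress

# Added example (not from the thread): evaluate Cisco-style extended ACL
# entries and a PBR route-map against sample flows; 10.0.0.2 stands in for x.x.x.x.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_acl(config):
    """Parse 'access-list N {permit|deny} tcp SRC WC {host DST|any} [eq PORT]' lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                      # blank and '!' comment lines are skipped
        num, action, proto, src, swc, rest = t[1], t[2], t[3], t[4], t[5], t[6:]
        if rest[0] == "host":             # single destination host
            dst, dwc, rest = rest[1], "0.0.0.0", rest[2:]
        else:                             # 'any' destination
            dst, dwc, rest = "0.0.0.0", "255.255.255.255", rest[1:]
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(num, []).append((action, proto, src, swc, dst, dwc, port))
    return acls

def acl_permits(entries, flow):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    proto, src, dst, dport = flow
    for action, p, s, swc, d, dwc, port in entries:
        if (p in (proto, "ip") and wildcard_match(src, s, swc)
                and wildcard_match(dst, d, dwc) and port in (None, dport)):
            return action == "permit"
    return False

def policy_route(flow, acls, route_map):
    """route_map = [(seq, acl_number, next_hop)]; returns the next-hop, or None
    when no sequence matches and the packet is routed by the normal routing table."""
    for _seq, acl, next_hop in sorted(route_map):
        if acl_permits(acls.get(acl, []), flow):
            return next_hop
    return None

# Jon's two-entry ACL 101 from the thread, and a placeholder next-hop.
ACL_CONFIG = """
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.10 eq 4400
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.20 eq 4400
"""
ROUTE_MAP = [(10, "101", "10.0.0.2")]
```

Because sequences are tried in order, several sequences that all match the same ACL resolve to the first sequence's next-hop, so steering different source subnets to different servers needs a separate ACL per server. The wildcard check also shows why a /24 source needs 0.0.0.255 rather than 0.255.255.255, which would match every 192.x.x.x address.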
03-04-2009 10:27 AM
Great! Got it... Thanks for the great info.
Robert