cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
894
Views
0
Helpful
8
Replies

AWS - Routing Traffic by Type/Port CSR 1000V

ElishaDean5574
Level 1
Level 1

I am trying to route traffic by port to an IPS. Web traffic, to be exact. I have my Transit VPC sub-netted to include a private and public subnet. I have my edge CSR sitting in the middle with one interface on the public side and one interface on the private side. I have an IDS sitting inside of the private subnet. And another CSR sits in the private subnet that routes out of my Transit VPC out to my service VPCs. I would like web traffic coming in from my public side to be routed to my IPS and all other traffic to be routed to my other CSR. As of right now, despite my efforts, web traffic is routing through normally. My current config is as follows:

!

ip access-list extended Web_To_IPS

permit tcp any any eq www

permit tcp any any eq 443

!

!

route-map Map_Web_IPS permit 100

match ip address Web_To_IPS

set ip next-hop xxx.xxx.xxx.xxx (IPS Address)

!

interface GigabitEthernet1

ip policy route-map Map_Web_IPS

!

 

 

Let me know what I am doing wrong, thank you.

8 Replies 8

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello ,

PBR works only inbound on received packets.

Is ge1 the interface to the public internet or not ?

 

in addition the next-hop address specified should be reachable via a connected interface otherwise you need to add the recurvise keyword.

Also you need to consider that in extended ACL the TCP port parameter is positional aware:

with your ACL configuration it works for servers that are inside your network because the port at the end is considered destination port.

If you want to divert web traffic from the internet you would need an ACL like:

ip access-list WebServer-to-IPS

permit tcp any eq www any

permit tcp any eq 443 any

 

Hope to help

Giuseppe

 

GE0/1 is indeed on the public side. I have an interface, GE0/2, on the private side. 

I will definitely give that a try and let you know what I come up with.

Thanks.

Still not getting any hits even with your recommended changes. The access list is applied on the inbound Interface.

Hello


@ElishaDean5574 wrote:
I would like web traffic coming in from my public side to be routed to my IPS and all other traffic to be routed to my other CSR.

Just to confirm your default traffic is already being routed the the other csr and the web traffic is to be policy routed to the IDS device reachable via the next-hop specified?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

That is correct, yes.

Hello,

 

can you remove the match statement from the route map (which means all traffic is matched) and check if any traffic is matched at all (show ip cache policy) ?

 

route-map Map_Web_IPS permit 100

--> no match ip address Web_To_IPS

set ip next-hop xxx.xxx.xxx.xxx (IPS Address)

 

Hello

Can you post the running config of the router, its route table and indicate the IDS address within that route table please?.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

with the proposed ACL all traffic coming from web servers port www or from https servers port 443 should be redirected to the IPS because:

ge1 is the interface to the public internet

the PBR is applied inbound

the new ACL takes in account the direction of traffic (see above)

and the IPS is reachable out another interface.

May I ask you what is the normal routing next-hop for internal networks ?

It is an IP address out of ge2 ?

Is the IPS reachable out of ge2 too ?

if both natural next-hop and IPS are out of ge2 , you should be able to detect how much traffic is sent to the IPS MAC address  with ip accounting or with an IP ACL using the log-input  option (this option may be available or not in your platform if available you can see how many packets are sent to IPS MAC address)

 

There are some debug commands that could be used related to PBR like debug ip policing, however you should try to use it in combination with an ACL to limit the debug output to avoid execessive load on the router.

 

Hope to help

Giuseppe

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card