Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
911
Views
0
Helpful
8
Replies

AWS - Routing Traffic by Type/Port CSR 1000V

ElishaDean5574
Level 1
Level 1

‎08-05-2019 07:12 AM

I am trying to route traffic by port to an IPS. Web traffic, to be exact. I have my Transit VPC sub-netted to include a private and public subnet. I have my edge CSR sitting in the middle with one interface on the public side and one interface on the private side. I have an IDS sitting inside of the private subnet. And another CSR sits in the private subnet that routes out of my Transit VPC out to my service VPCs. I would like web traffic coming in from my public side to be routed to my IPS and all other traffic to be routed to my other CSR. As of right now, despite my efforts, web traffic is routing through normally. My current config is as follows:

!

ip access-list extended Web_To_IPS

permit tcp any any eq www

permit tcp any any eq 443

!

!

route-map Map_Web_IPS permit 100

match ip address Web_To_IPS

set ip next-hop xxx.xxx.xxx.xxx (IPS Address)

!

interface GigabitEthernet1

ip policy route-map Map_Web_IPS

!

 

 

Let me know what I am doing wrong, thank you.

Labels:
0 Helpful
8 Replies 8

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-05-2019 07:47 AM

Hello ,

PBR works only inbound on received packets.

Is ge1 the interface to the public internet or not ?

 

in addition the next-hop address specified should be reachable via a connected interface otherwise you need to add the recurvise keyword.

Also you need to consider that in extended ACL the TCP port parameter is positional aware:

with your ACL configuration it works for servers that are inside your network because the port at the end is considered destination port.

If you want to divert web traffic from the internet you would need an ACL like:

ip access-list WebServer-to-IPS

permit tcp any eq www any

permit tcp any eq 443 any

 

Hope to help

Giuseppe

 

0 Helpful

ElishaDean5574
Level 1
Level 1
In response to Giuseppe Larosa

‎08-05-2019 08:10 AM - edited ‎08-05-2019 08:10 AM

GE0/1 is indeed on the public side. I have an interface, GE0/2, on the private side. 

I will definitely give that a try and let you know what I come up with.

Thanks.

0 Helpful

ElishaDean5574
Level 1
Level 1
In response to Giuseppe Larosa

‎08-05-2019 08:18 AM

Still not getting any hits even with your recommended changes. The access list is applied on the inbound Interface.
0 Helpful

paul driver
VIP
VIP
In response to ElishaDean5574

‎08-05-2019 08:28 AM

Hello

@ElishaDean5574 wrote:
I would like web traffic coming in from my public side to be routed to my IPS and all other traffic to be routed to my other CSR.

Just to confirm your default traffic is already being routed the the other csr and the web traffic is to be policy routed to the IDS device reachable via the next-hop specified?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

ElishaDean5574
Level 1
Level 1
In response to paul driver

‎08-05-2019 08:29 AM

That is correct, yes.

0 Helpful

Georg Pauwen
VIP
VIP
In response to ElishaDean5574

‎08-05-2019 12:34 PM

Hello,

 

can you remove the match statement from the route map (which means all traffic is matched) and check if any traffic is matched at all (show ip cache policy) ?

 

route-map Map_Web_IPS permit 100

--> no match ip address Web_To_IPS

set ip next-hop xxx.xxx.xxx.xxx (IPS Address)

 

0 Helpful

paul driver
VIP
VIP
In response to paul driver

‎08-05-2019 01:49 PM

Hello

Can you post the running config of the router, its route table and indicate the IDS address within that route table please?.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ElishaDean5574

‎08-05-2019 11:45 AM - edited ‎08-05-2019 11:49 AM

Hello,

with the proposed ACL all traffic coming from web servers port www or from https servers port 443 should be redirected to the IPS because:

ge1 is the interface to the public internet

the PBR is applied inbound

the new ACL takes in account the direction of traffic (see above)

and the IPS is reachable out another interface.

May I ask you what is the normal routing next-hop for internal networks ?

It is an IP address out of ge2 ?

Is the IPS reachable out of ge2 too ?

if both natural next-hop and IPS are out of ge2 , you should be able to detect how much traffic is sent to the IPS MAC address  with ip accounting or with an IP ACL using the log-input  option (this option may be available or not in your platform if available you can see how many packets are sent to IPS MAC address)

 

There are some debug commands that could be used related to PBR like debug ip policing, however you should try to use it in combination with an ACL to limit the debug output to avoid execessive load on the router.

 

Hope to help

Giuseppe

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card