09-08-2009 11:28 PM - edited 03-06-2019 07:38 AM
I have a scenario where we are evaluating the possibility of moving from Centralised Internet access model to Local breakout. We are using a Bluecoat Proxy SG local to the site. The proxy is not in transparent mode, therefore all clients Internet settings are configured with the IP address of the Proxy server. I have read various threads on the forum and as I understand, I can configure the local Layer 3 switch with PBR and ACLs to force all Port 80 traffic to an interface or IP address. Is this a correct assumption? If so, can you please give me some guidance on how to configure this.
Thank you.
09-09-2009 03:02 AM
Raj
Yes you can use PBR.
Let's assume your local LAN is 192.168.5.0/24 and that it is VLAN 10 on your L3 switch:
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq www
!
route-map PBR permit 10
 match ip address 101
 set ip next-hop <proxy-ip>
!
interface vlan 10
 ip policy route-map PBR
(where <proxy-ip> is the IP address of the Bluecoat proxy; the original post left the next-hop address out)
Note: if you have other www servers internal to your network that you don't want to go via the Bluecoat, then deny them in ACL 101 before the permit for all www traffic.
Also, depending on your switch, you may need to change the SDM template, i.e. on a 3560/3750 you would need to use the SDM routing template:
3560(config)# sdm prefer routing
And you will need IP services if it is a 3560/3750 switch.
Jon
11-04-2009 09:07 AM
Thanks Jon.
I applied the PBR:
access-list 101 permit tcp 192.168.218.128 0.0.0.31 any eq 80
access-list 101 permit udp 192.168.218.128 0.0.0.31 any eq 80
!
route-map LocalBreakout permit 10
 match ip address 101
 set ip next-hop 192.168.200.102
!
interface vlan 7
 ip policy route-map LocalBreakout
However, vlan 7 can still access everything on the LAN when I just want vlan 7 to be restricted to port 80 only.
What have I done wrong?
09-09-2009 03:12 AM
Hello Raj,
PBR or WCCP version 2 can be used to redirect traffic to a web cache in transparent mode.
In your case the appliance is used in proxy mode, meaning that clients have all URLs resolved to the proxy IP address.
So you shouldn't need to redirect traffic, because it is done at the application layer.
In your case you could deploy web caches in proxy mode in all sites:
routers will route traffic to the nearest "proxy IP address".
This is called an anycast address, where an IP address is not unique and is tied to a service.
The advantage of this approach is that clients can keep their current configuration.
Another possible approach is that of removing proxy settings on clients and to use transparent web caches/web filtering services.
In this second scenario you may need to divert traffic towards the internet to the web cache/web filter.
To do so you can use PBR or, if supported by the appliance(s) (WCCP is spoken between caches and routers), you can deploy WCCP version 2.
see
or
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/wccp.html
WCCPv2 is more specific for HTTP traffic but not limited to it.
PBR is a more general tool to override natural destination based routing.
Hope to help
Giuseppe
09-09-2009 04:47 AM
Thank you Jon & Giuseppe, I appreciate your feedback. We will be installing this in a location next Tuesday and will update the thread with the results. I guess we will go with the approach of proxy mode without any PBR or WCCP? We use ScanSafe Web Filtering (SaaS), so the proxies forward all traffic to their servers.
The follow-on from this will be to configure Guest Wireless access using the same proxy, so I guess best practice in this case would be to use PBR to isolate the Guest user VLAN for internet traffic only. Guest users will need the ability to access the internet and also initiate VPN connections to their own corporate networks.
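Putting Jon's PBR snippet and the guest-VLAN requirement together, as an added example that is not any poster's configuration: PBR steers port 80 to the proxy, but it only rewrites the next hop of packets that match the route-map, so the "internet only" isolation has to come from an inbound ACL on the SVI, which is evaluated before PBR. Assumed and not taken from the thread: guest wireless is VLAN 20 / 192.168.20.0/24 with SVI 192.168.20.1, the DNS resolver is 192.168.200.10, corporate space is RFC1918; 192.168.200.102 is the proxy next hop from Raj's post, and the proxy must be in transparent/intercept mode for redirected traffic, as Giuseppe noted.

```cisco
! Added example, not a poster's config. Assumed addressing: guest VLAN 20 = 192.168.20.0/24,
! SVI 192.168.20.1, DNS 192.168.200.10; proxy next hop 192.168.200.102 as in the thread.
!
! Part 1: what PBR sends to the proxy. This list is NOT a filter: packets that do not
! match are simply forwarded by the normal routing table.
ip access-list extended GUEST-TO-PROXY
 remark never policy-route traffic already addressed to the proxy itself
 deny   tcp 192.168.20.0 0.0.0.255 host 192.168.200.102
 remark internal web servers stay on normal routing (Jon's note)
 deny   tcp 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255 eq www
 permit tcp 192.168.20.0 0.0.0.255 any eq www
!
route-map GUEST-BREAKOUT permit 10
 match ip address GUEST-TO-PROXY
 set ip next-hop 192.168.200.102
!
! Part 2: the isolation. Inbound ACL on the SVI, checked before PBR runs.
ip access-list extended GUEST-IN
 remark infrastructure the guests need: DHCP and DNS only
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.20.0 0.0.0.255 host 192.168.200.10 eq domain
 remark nothing else towards private/corporate address space
 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark web to the internet (port 80 is then redirected by PBR; 443 goes direct)
 permit tcp 192.168.20.0 0.0.0.255 any eq www
 permit tcp 192.168.20.0 0.0.0.255 any eq 443
 remark guests' own IPsec VPNs: IKE, NAT-T and ESP
 permit udp 192.168.20.0 0.0.0.255 any eq isakmp
 permit udp 192.168.20.0 0.0.0.255 any eq non500-isakmp
 permit esp 192.168.20.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan20
 description Guest wireless
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-BREAKOUT
!
! Verification: ACE hit counts show what the filter is dropping, the route-map
! counters show how many packets were actually policy-routed to the proxy.
! show ip access-lists GUEST-IN
! show route-map GUEST-BREAKOUT
```

The log keyword on the deny lines is what gives you evidence of guests probing internal ranges; on a 3560/3750 logged ACEs are punted to the CPU, so rate-limit or drop the keyword if the guest VLAN is busy.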