PBR Based on Port / Traffic type

Fouad Ata
Level 1

Hi,

I am in the process of installing a WebFilter between my main router and my firewall.

I need to build a PBR based on traffic type or port.

Can I do that?

For example, I need all traffic that comes from subnet 10.10.0.1/21 to go to destination X if the traffic is on port 80 or 443.

Does PBR support traffic identification, or is it only based on source and destination IP?

Thanks

Accepted Solution

Bilal Nawaz
VIP Alumni

Hello,

You can do this with PBR, an example is below:

conf t
!
ip access-list extended HTTP_ONLY
 ! 0.0.7.255 is the wildcard mask for a /21; only TCP to port 80 or 443 is matched
 permit tcp 10.10.10.0 0.0.7.255 any eq 80
 permit tcp 10.10.10.0 0.0.7.255 any eq 443
!
route-map HTTP_NEXTHOP permit 10
 match ip address HTTP_ONLY
 ! x.x.x.x = address of the next-hop router
 set ip next-hop x.x.x.x
!
interface gi0/1
 ! PBR is applied on the interface where the traffic comes in
 ip policy route-map HTTP_NEXTHOP

You need to remember to set the policy on the interface with incoming traffic.

So my example says: any traffic coming in on interface gi0/1 from an IP in the 10.10.10.0/21 network on port 80 or 443 is forwarded on to the next-hop router...

Under the route-map you can specify different actions:

Specifies the action(s) to take on the packets that match the criteria. You can specify any or all of the following:

  • precedence: Sets precedence value in the IP header. You can specify either the precedence number or name.
  • df: Sets the "Don't Fragment" (DF) bit in the IP header.
  • vrf: Sets the VPN Routing and Forwarding (VRF) instance.
  • next-hop: Sets next hop to which to route the packet.
  • next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which is not adjacent.
  • interface: Sets output interface for the packet.
  • default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
  • default interface: Sets output interface for the packet if there is no explicit route for this destination.

For your reference:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

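As an added check that is not part of the thread: a small Python model of the ACL and route-map above, evaluating constructed sample packets with IOS wildcard-mask semantics. It shows that 10.10.10.0 with wildcard 0.0.7.255 really covers 10.10.8.0 to 10.10.15.255, so hosts in the asker's 10.10.0.0/21 would route normally and bypass the web filter unless the ACL base address is adjusted.

```python
import ipaddress
import re
# Constructed copy of the ACL from the answer above (sample data, not a live router config).
ACL_HTTP_ONLY = """
permit tcp 10.10.10.0 0.0.7.255 any eq 80
permit tcp 10.10.10.0 0.0.7.255 any eq 443
"""
# Handles the ACE subset used here: <action> <proto> <src> <wildcard> any [eq <port>]
ACE_RE = re.compile(r"^(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)\s+any(?:\s+eq\s+(\d+))?$")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def effective_range(base, wildcard):
    """Lowest and highest address a base/wildcard pair really covers (IOS masks the base)."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    lo = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, proto, base, wildcard, port = m.groups()
        entries.append((action, proto, base, wildcard, int(port) if port else None))
    return entries

def acl_permits(entries, src, proto, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, aproto, base, wildcard, port in entries:
        if (aproto not in (proto, "ip") or not wildcard_match(src, base, wildcard)
                or (port is not None and port != dport)):
            continue
        return action == "permit"
    return False

def pbr_next_hop(entries, src, proto, dport, next_hop="x.x.x.x"):
    """route-map HTTP_NEXTHOP permit 10: matched packets get the set next-hop, others route normally (None)."""
    return next_hop if acl_permits(entries, src, proto, dport) else None

if __name__ == "__main__":
    acl = parse_acl(ACL_HTTP_ONLY)
    print("ACL really covers", effective_range("10.10.10.0", "0.0.7.255"))
    for src, dport in (("10.10.9.5", 443), ("10.10.9.5", 22), ("10.10.0.5", 80)):
        print(src, dport, "->", pbr_next_hop(acl, src, "tcp", dport) or "normal routing")
```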

Richard Burts
Hall of Fame

PBR does support identifying traffic by transport protocol port number such as 80 and 443. So it will do very well what you are asking.

HTH

Rick

Thanks Richard for your quick reply.

Do you have an example of how I can write such a policy?

It is not written in the official PBR documentation.

Thanks
