Beginner

PBR Based on Port / Traffic type

Hi,

I am in the process of installing a WebFilter between my main router and my firewall.

I need to build a PBR based on traffic type or port.

Can I do that?

For example, I need all traffic that comes from subnet 10.10.0.1/21 to go to destination X if the traffic is on port 80 or 443.

Does PBR support traffic identification, or is it only based on source and destination IP?

Thx

Accepted Solution
Engager

Re: PBR Based on Port / Traffic type

Hello,

You can do this with PBR; an example is below:

conf t
!
! Select only TCP to ports 80 and 443 from the source block.
! Wildcard 0.0.7.255 ignores the low 11 bits, so 10.10.10.0 0.0.7.255
! covers 10.10.8.0 - 10.10.15.255.
ip access-list extended HTTP_ONLY
 permit tcp 10.10.10.0 0.0.7.255 any eq 80
 permit tcp 10.10.10.0 0.0.7.255 any eq 443
!
! Packets permitted by HTTP_ONLY are sent to the next hop; everything
! else falls through to normal destination-based routing.
route-map HTTP_NEXTHOP permit 10
 match ip address HTTP_ONLY
 set ip next-hop x.x.x.x
!
! Apply the policy on the interface where the traffic enters the router.
interface gi0/1
 ip policy route-map HTTP_NEXTHOP

You need to remember to set the policy on the interface where the traffic comes in.

So my example says: any traffic coming in on interface gi0/1 from the 10.10.10.0/21 network on port 80 or 443 is forwarded on to the next-hop router...

Under the route-map you can specify different actions to take on the packets that match the criteria. You can specify any or all of the following:

  • precedence: Sets precedence value in the IP header. You can specify either the precedence number or name.
  • df: Sets the 'Don't Fragment' (DF) bit in the IP header.
  • vrf: Sets the VPN Routing and Forwarding (VRF) instance.
  • next-hop: Sets next hop to which to route the packet.
  • next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which is not adjacent.
  • interface: Sets output interface for the packet.
  • default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
  • default interface: Sets output interface for the packet if there is no explicit route for this destination.

for your reference:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
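The matching rules the accepted solution relies on, as an added example in Python (not code from the post or from Cisco): a small model of the posted ACL, route-map and interface binding. It parses the ACL lines exactly as posted, applies IOS wildcard-mask semantics, and only policy-routes packets that arrive on the interface carrying `ip policy route-map`. The next hop 192.0.2.1 stands in for the post's placeholder x.x.x.x, and the packet and interface names are assumptions. Two things worth checking before relying on the config are visible in it: 10.10.10.0 with wildcard 0.0.7.255 covers 10.10.8.0 through 10.10.15.255 (the address is not on a /21 boundary, so hosts below 10.10.10.0 are also matched), and the match is on TCP port number only, so the same ports over UDP, other ports, and the same packets on another ingress interface all follow the normal routing table instead of reaching the web filter.

```python
"""Constructed model of the accepted solution's PBR configuration
(example code, not taken from the post): wildcard-mask ACL match,
route-map lookup, and the ingress-interface binding of 'ip policy'."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text as posted in the accepted solution.
ACL_TEXT = """
ip access-list extended HTTP_ONLY
 permit tcp 10.10.10.0 0.0.7.255 any eq 80
 permit tcp 10.10.10.0 0.0.7.255 any eq 443
"""

# Route-map and interface binding from the post. The post's next hop is the
# placeholder x.x.x.x; 192.0.2.1 (TEST-NET-1) is an assumed value here.
ROUTE_MAP = {"name": "HTTP_NEXTHOP", "seq": 10, "match_acl": "HTTP_ONLY",
             "next_hop": "192.0.2.1"}
POLICY_INTERFACE = "gi0/1"   # where "ip policy route-map HTTP_NEXTHOP" sits


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip"
    src_base: int            # source address as a 32-bit int
    src_wild: int            # IOS wildcard mask: 1 bits are "don't care"
    dst_port: Optional[int]  # None when the entry has no "eq <port>"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str             # interface the packet arrived on (assumed names)


def parse_acl(text: str) -> dict[str, list[Ace]]:
    """Parse the subset of IOS extended-ACL syntax used in the post."""
    acls: dict[str, list[Ace]] = {}
    current = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
            continue
        if current is None or len(tokens) < 5 or tokens[4] != "any":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, src, wild = tokens[:4]
        port = int(tokens[6]) if len(tokens) >= 7 and tokens[5] == "eq" else None
        acls[current].append(Ace(action, proto, int(ipaddress.IPv4Address(src)),
                                 int(ipaddress.IPv4Address(wild)), port))
    return acls


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """IOS wildcard semantics: every bit that is 0 in the wildcard must match."""
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0


def wildcard_range(base: int, wild: int) -> tuple[str, str]:
    """First and last address an entry covers; the wildcard bits of the
    base address are ignored, so 10.10.10.0 0.0.7.255 starts at 10.10.8.0."""
    low = base & (~wild & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wild))


def acl_permits(aces: list[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    src = int(ipaddress.IPv4Address(pkt.src))
    for ace in aces:
        if ace.proto not in (pkt.proto, "ip"):
            continue
        if not wildcard_match(src, ace.src_base, ace.src_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dport:
            continue
        return ace.action == "permit"
    return False


def policy_next_hop(pkt: Packet) -> Optional[str]:
    """Next hop PBR imposes on pkt, or None when it follows the routing table.
    The policy is bound to one ingress interface; other interfaces never see it."""
    if pkt.ingress != POLICY_INTERFACE:
        return None
    acls = parse_acl(ACL_TEXT)
    if acl_permits(acls[ROUTE_MAP["match_acl"]], pkt):
        return ROUTE_MAP["next_hop"]
    return None


if __name__ == "__main__":
    print("HTTP_ONLY source range:", wildcard_range(0x0A0A0A00, 0x000007FF))
    for pkt in (Packet("10.10.12.5", "198.51.100.7", "tcp", 443, "gi0/1"),
                Packet("10.10.9.1", "198.51.100.7", "tcp", 80, "gi0/1"),
                Packet("10.10.12.5", "198.51.100.7", "udp", 80, "gi0/1"),
                Packet("10.10.12.5", "198.51.100.7", "tcp", 80, "gi0/2")):
        print(pkt, "->", policy_next_hop(pkt) or "normal routing")
```

Running it prints the covered source range and, for each constructed packet, either the policy next hop or "normal routing". Only the first two packets reach the next hop; the UDP packet and the packet on gi0/2 fall through, which is the behaviour to expect from the posted config.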

3 Replies

Hall of Fame Master

PBR Based on Port / Traffic type

PBR does support identifying traffic by transport-protocol port numbers such as 80 and 443. So it will do very well what you are asking.

HTH

Rick

Beginner

PBR Based on Port / Traffic type

Thanks Richard for your quick reply.

Do you have an example of how I can write such a policy?

Within the official PBR documentation it is not written.

Thx
