Solved

policy based routing problem

Posted on 2011-09-30
5
393 Views
Last Modified: 2012-05-12
I need to come up with a way to route traffic around a content filter that is destined from my dmz to inside network and vice versa.  Ive attached a network diagram.  I have no experience with policy based routing.  My first dive into PBR has not been successfull.  Id appreciate it if you could provide me details / commands to make this happen.  See diagram Proposed network change
0
Comment
Question by:colonialiu20
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 36891713
This is really pretty straightforward.

You could create a static route on the bottom device that would route any traffic destined for 10.0.0.0/24 out the g0/2 interface.

Then on the top device, you would create a policy that routes any traffic from 10.0.0.0/24 out the g0/3 interface.

Do you need the commands?
0
 

Author Comment

by:colonialiu20
ID: 36891762
Thanks donjohnston!  Can you detail the commands for the top device?  Would it also be possible to carve out two ports in the bottom switch that already exists to act as the second switch?  Thanks!
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 36891837
Would it also be possible to carve out two ports in the bottom switch that already exists to act as the second switch?

What kind of switch is this? For that matter, what type of device is the top switch? It will have to support PBR.

As for the code, there are a couple of options.

1) You don't have to define the destination IP address. I did and used 192.168.1.0/24.
2) You can also set the next hop address instead of the exit interface.
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

route-map Stewie permit 10
 match ip address 101
 set interface g0/3

Open in new window

0
 

Author Comment

by:colonialiu20
ID: 36892423
The bottom switch is a 3560g switch.  The top switch doesn't exist yet.  That where I need to place another switch.  Rather than purchasing another switch to go on the top, I was wondering if I could carve two ports in the bottom switch into a separate vlan that would act as the switch on the top.  Make sense?  Or do I need another physical switch?  Sorry for the confusion.  I just dont want to have to buy another switch if it's not necessary.  Thanks again!
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 36892694
I noticed a slight problem.

The ASA interface and the bottom switch are on the same network. There is no routing. Which means that you can't solve this with PBR or any routing based solution as it is.

Think there are a couple of solutions.

1) Create an additional inside network on the ASA which bypasses the TC. Create an additional VLAN on the bottom switch to accommodate this network. Then you can use rules on the ASA and PBR on the 3560 to direct specific traffic around the TC.

2) Create three networks between the ASA and the networks on the bottom (those three switches at the very bottom). You could do this with the existing 3560 using VRFs. Then use PBR to direct the traffic accordingly.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSH setup on ASA 5505 17 116
Isolated network on ESXi 6.5 8 127
connect to cisco 2690 series 6 64
Dell SonicWall Connection 18 49
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question