Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

policy based routing problem

Posted on 2011-09-30
5
Medium Priority
?
406 Views
Last Modified: 2012-05-12
I need to come up with a way to route traffic around a content filter that is destined from my dmz to inside network and vice versa.  Ive attached a network diagram.  I have no experience with policy based routing.  My first dive into PBR has not been successfull.  Id appreciate it if you could provide me details / commands to make this happen.  See diagram Proposed network change
0
Comment
Question by:colonialiu20
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 36891713
This is really pretty straightforward.

You could create a static route on the bottom device that would route any traffic destined for 10.0.0.0/24 out the g0/2 interface.

Then on the top device, you would create a policy that routes any traffic from 10.0.0.0/24 out the g0/3 interface.

Do you need the commands?
0
 

Author Comment

by:colonialiu20
ID: 36891762
Thanks donjohnston!  Can you detail the commands for the top device?  Would it also be possible to carve out two ports in the bottom switch that already exists to act as the second switch?  Thanks!
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 36891837
Would it also be possible to carve out two ports in the bottom switch that already exists to act as the second switch?

What kind of switch is this? For that matter, what type of device is the top switch? It will have to support PBR.

As for the code, there are a couple of options.

1) You don't have to define the destination IP address. I did and used 192.168.1.0/24.
2) You can also set the next hop address instead of the exit interface.
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

route-map Stewie permit 10
 match ip address 101
 set interface g0/3

Open in new window

0
 

Author Comment

by:colonialiu20
ID: 36892423
The bottom switch is a 3560g switch.  The top switch doesn't exist yet.  That where I need to place another switch.  Rather than purchasing another switch to go on the top, I was wondering if I could carve two ports in the bottom switch into a separate vlan that would act as the switch on the top.  Make sense?  Or do I need another physical switch?  Sorry for the confusion.  I just dont want to have to buy another switch if it's not necessary.  Thanks again!
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 36892694
I noticed a slight problem.

The ASA interface and the bottom switch are on the same network. There is no routing. Which means that you can't solve this with PBR or any routing based solution as it is.

Think there are a couple of solutions.

1) Create an additional inside network on the ASA which bypasses the TC. Create an additional VLAN on the bottom switch to accommodate this network. Then you can use rules on the ASA and PBR on the 3560 to direct specific traffic around the TC.

2) Create three networks between the ASA and the networks on the bottom (those three switches at the very bottom). You could do this with the existing 3560 using VRFs. Then use PBR to direct the traffic accordingly.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question