Redirecting the traffic with policy-based routing on CE6800





Hello guys! I want to present a little case of policy-based routing.

We all know that traditionally, devices search routing tables for routes of packets based on their destination addresses and then forward the packets, but sometimes this is not enough. More often, users require that devices route packets based on other policies. This is where PBR comes in handy, allowing us to change packet routes based on other criteria such as source addresses, packet size or next hop.

To exemplify the use of policy-based routing I chose the following example.

Here JIM & TIM are part of the same company but they do not want to overwhelm one firewall with all their torrent downloads, web browsing and other traffic. So, after a while and some fierce discussions on this subject, they decided to use a different firewall each for the internet browsing, but still be able to access each other or the DMZ zone. They thought that PBR could be a good solution in this scenario.


[Figure: Redirecting the traffic with policy-based routing on CE6800]

Here is the configuration they applied on the CE6800:

First they carefully configured an ACL to select just the traffic they wanted to redirect. Since they wanted to redirect all the traffic destined to the internet, they made the following configuration:


acl name JIM_NETWORKS number 3001
 rule 10 permit ip source 192.168.0.0 0.0.0.255 destination any
 rule 15 permit ip source 192.168.1.0 0.0.0.255 destination any
#
acl name TIM_NETWORKS number 3002
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination any
 rule 15 permit ip source 194.168.3.0 0.0.0.255 destination any

After they defined the ACLs, they configured the traffic classifiers:

#
traffic classifier JIM_NETWORKS type or
 if-match acl 3001
#
traffic classifier TIM_NETWORKS type or
 if-match acl 3002
#

The next step was to choose what to do with the traffic they had just classified.

traffic behavior GO_TO_JIMFW
 redirect nexthop 192.168.0.147
#
traffic behavior GO_TO_TIMFW
 redirect nexthop 192.168.0.149

As you know, after the classifier and the traffic behaviour are configured, they have to be put together to make sense. And that is what they did as well.

#
traffic policy JIM_NETWORK_GOES_TO_JIMFW
 classifier JIM_NETWORKS behavior GO_TO_JIMFW
#
traffic policy TIM_NETWORK_GOES_TO_TIMFW
 classifier TIM_NETWORKS behavior GO_TO_TIMFW


Finally, the traffic policies were configured. The only thing that remained to do was to apply the traffic policies on the switch.

#
traffic-policy JIM_NETWORK_GOES_TO_JIMFW global inbound
#
traffic-policy TIM_NETWORK_GOES_TO_TIMFW global inbound


After this, the traffic destined to the internet was redirected according to the policy. Now, if you wonder what happened to JIM and TIM, I don’t really know.
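An added example, not part of the original post: a small Python model of the wildcard matching in ACLs 3001 and 3002 above, for checking which flows the two classifiers select before the policies are applied globally. It models ACL matching only, not CE6800 forwarding; the function names and the sample flows are constructed for illustration.

```python
import ipaddress

# ACL rules copied from the post: (source base, wildcard); every rule has "destination any".
ACLS = {
    "JIM_NETWORKS": [("192.168.0.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")],
    "TIM_NETWORKS": [("192.168.2.0", "0.0.0.255"), ("194.168.3.0", "0.0.0.255")],
}
# Classifier -> redirect next hop, as bound by the two traffic policies in the post.
NEXT_HOP = {"JIM_NETWORKS": "192.168.0.147", "TIM_NETWORKS": "192.168.0.149"}

# Constructed sample flows (source, destination, label); 203.0.113.10 stands for an internet host.
FLOWS = [
    ("192.168.1.10", "203.0.113.10", "JIM host to internet"),
    ("192.168.2.20", "203.0.113.10", "TIM host to internet"),
    ("192.168.1.10", "192.168.2.20", "JIM host to TIM host"),
    ("192.168.3.5", "203.0.113.10", "host in 192.168.3.0/24 to internet"),
    ("192.168.0.147", "203.0.113.10", "source equal to the JIM next hop"),
]


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def redirect_for(src, dst):
    """Next hop selected for a packet, or None when no classifier matches.

    dst is accepted but never consulted, because every rule says "destination any".
    """
    for name, rules in ACLS.items():
        if any(wildcard_match(src, base, wc) for base, wc in rules):
            return NEXT_HOP[name]
    return None


def audit(flows=FLOWS):
    """Return (label, next hop or None) for each flow, in order."""
    return [(label, redirect_for(src, dst)) for src, dst, label in flows]


if __name__ == "__main__":
    for label, hop in audit():
        print(f"{label:40s} -> {hop or 'normal routing'}")
```
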












Sophoni
Created Jun 3, 2014 07:42:15 Helpful(0) Helpful(0)

thanks

sashokltd2
Created Sep 25, 2015 11:39:31 Helpful(0) Helpful(0)

Hi! 

Will this scheme work on s6324?

Thank you
