Hello guys!
I want to present a little case of policy-based routing.
We all know that traditionally, devices look up a packet's destination address in the routing table and forward it accordingly, but sometimes this is not enough. Often users need the device to route packets based on other policies. This is where PBR comes in handy: it lets us select packets on criteria such as source address, protocol or packet size and steer them to a next hop of our choosing instead of the one the routing table would pick.
To exemplify the use of policy-based routing I chose the following scenario.
Here JIM & TIM are part of the same company, but they do not want to overwhelm one firewall with all their torrent downloads, web browsing and other traffic. So, after a while and some fierce discussions on the subject, they decided to use a separate firewall each for internet access, while still being able to reach each other and the DMZ zone. They thought PBR could be a good solution in this scenario.
Here is the configuration they applied on the CE6800:
First they configured an ACL to select the traffic they wanted to redirect. Since they wanted to redirect all the traffic destined to the internet, they matched on source address only and left the destination as any (which, note, is broader than internet-only traffic):
#
acl name JIM_NETWORKS number 3001
 rule 10 permit ip source 192.168.0.0 0.0.0.255 destination any
 rule 15 permit ip source 192.168.1.0 0.0.0.255 destination any
#
acl name TIM_NETWORKS number 3002
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination any
 rule 15 permit ip source 192.168.3.0 0.0.0.255 destination any
#
After they defined the ACLs they configured the traffic classifiers:
#
traffic classifier JIM_NETWORKS type or
 if-match acl 3001
#
traffic classifier TIM_NETWORKS type or
 if-match acl 3002
#
The next step was to choose what to do with the traffic they have just classified.
#
traffic behavior GO_TO_JIMFW
 redirect nexthop 192.168.0.147
#
traffic behavior GO_TO_TIMFW
 redirect nexthop 192.168.0.149
#
As you know, once the classifier and the traffic behavior are configured they have to be bound together in a traffic policy to make sense. And that is what they did as well.
#
traffic policy JIM_NETWORK_GOES_TO_JIMFW
 classifier JIM_NETWORKS behavior GO_TO_JIMFW
#
traffic policy TIM_NETWORK_GOES_TO_TIMFW
 classifier TIM_NETWORKS behavior GO_TO_TIMFW
#
With the traffic policies configured, the only thing that remained was to apply them on the switch.
#
traffic-policy JIM_NETWORK_GOES_TO_JIMFW global inbound
#
traffic-policy TIM_NETWORK_GOES_TO_TIMFW global inbound
#
After this, traffic from the two sets of networks was redirected according to the policy. Two caveats are worth knowing before copying this setup. The ACLs match "destination any", so they do not select only internet-bound traffic: packets from JIM's networks to TIM's networks or to the DMZ are redirected to JIM's firewall as well, and whether they still arrive depends on that firewall routing them back into the switch. And because the policies are applied "global inbound", they also see the packets the firewalls themselves send into the switch from 192.168.0.147 and 192.168.0.149; both addresses fall inside JIM's 192.168.0.0/24 rule, so that traffic would be redirected to 192.168.0.147 rather than to its real destination. Applying the policies only on the user-facing interfaces, and keeping internal destinations out of the redirect, avoids both problems. Now, if you wonder what happened to JIM and TIM I don’t really know, lol.
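As an added example (this is not JIM and TIM's configuration from above), here is one way to narrow the policy so that only traffic leaving the company is steered to a firewall, while traffic between the two sites and to the DMZ keeps following the routing table. It assumes the DMZ lives in 192.168.10.0/24 and that JIM's and TIM's networks enter the CE6800 through 10GE1/0/1 and 10GE1/0/2; those addresses and interfaces are assumptions, and so is the rule that a traffic policy evaluates its classifier/behavior pairs in configuration order and stops at the first match, which should be checked against the CE6800 documentation for the software version in use.

```text
#
acl name INTERNAL_DEST number 3000
 rule 10 permit ip destination 192.168.0.0 0.0.3.255
 rule 20 permit ip destination 192.168.10.0 0.0.0.255
#
acl name JIM_NETWORKS number 3001
 rule 10 permit ip source 192.168.0.0 0.0.1.255 destination any
#
acl name TIM_NETWORKS number 3002
 rule 10 permit ip source 192.168.2.0 0.0.1.255 destination any
#
traffic classifier INTERNAL_DEST type or
 if-match acl 3000
#
traffic classifier JIM_NETWORKS type or
 if-match acl 3001
#
traffic classifier TIM_NETWORKS type or
 if-match acl 3002
#
traffic behavior KEEP_LOCAL
 permit
#
traffic behavior GO_TO_JIMFW
 redirect nexthop 192.168.0.147
#
traffic behavior GO_TO_TIMFW
 redirect nexthop 192.168.0.149
#
traffic policy SPLIT_INTERNET
 classifier INTERNAL_DEST behavior KEEP_LOCAL
 classifier JIM_NETWORKS behavior GO_TO_JIMFW
 classifier TIM_NETWORKS behavior GO_TO_TIMFW
#
interface 10GE1/0/1
 traffic-policy SPLIT_INTERNET inbound
#
interface 10GE1/0/2
 traffic-policy SPLIT_INTERNET inbound
#
```

ACL 3000 covers 192.168.0.0 through 192.168.3.255 (all four user subnets plus the two firewall addresses) and the assumed DMZ range; because its classifier is listed first in the policy with a plain permit behavior, packets to those destinations never reach the redirect pairs and are forwarded by the ordinary routing table. The two source ACLs are collapsed into one rule each with a 0.0.1.255 wildcard, which matches exactly the same two /24s as the original pairs of rules. Applying the single policy on the user-facing interfaces instead of globally means packets the firewalls send into the switch from 192.168.0.147 or 192.168.0.149 are never evaluated against the redirect rules, so there is no chance of looping a firewall's own traffic back to a firewall.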
Anyway, I hope you enjoy this post.
If you get any questions, I would be glad to help you.
Thanks.