Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Cisco Policy Based Routing (PBR)

Okay, you may have noticed that I have implemented a video conferencing system across the enterprise WAN. I had to do some network re-working, though, because the Watchguard Firebox does not play nicely with H.323 for Internet-based traffic. I did, however, have a Cisco PIX firewall that I had been meaning to put into service.

Unfortunately, I cannot just remove the Firebox. It is doing web blocking, SMTP proxying, and countless rules that would take time to rebuild on the PIX. I only wanted the PIX to firewall my H.323 gateway, so I had to make sure the two could play nicely together.

Enter Policy-based Routing…..

Basically, I wanted my H.323 gateway (say, 172.16.1.25) to go out through the PIX, while still letting EVERYTHING ELSE on 172.16.1.0/24 go out through the Watchguard firewall. For now, anyway. Here is the basic layout (the original diagram is not reproduced; this sketch is rebuilt from the addresses used below):

    172.16.1.25   (H.323 gateway) -----+
                                       +--> 172.16.1.1 (default router) --+--> 172.16.1.2 (Watchguard: default route)
    172.16.1.0/24 (everything else) ---+                                  +--> 172.16.1.3 (PIX: policy-routed)

From here, you can see the flow. Since my default router (172.16.1.1) is in the middle, it will be the "traffic cop". It is here that we will place a policy on how it routes the packets.

First, we need to identify the packets. We do this with a standard access-list. Note that a standard access-list matches on the source address only, so this catches every packet the gateway sends through the router, whatever the destination:

default_router(config)# access-list 10 permit 172.16.1.25

Next, we build a route map that uses the access-list. We will also set the IP precedence, as a soft-QoS marking that downstream devices can act on:

default_router(config)# route-map VideoConf permit 10
default_router(config-route-map)# match ip address 10
default_router(config-route-map)# set ip precedence priority
default_router(config-route-map)# set ip next-hop 172.16.1.3

Okay, in our route map, we are doing three things:

1). We see if the packet matches our access-list numbered 10.

2). If it does, set the IP precedence to 'priority' (value 1; this is video, after all).

3). Send the packet to next hop 172.16.1.3 (that's the PIX).

Once our map is complete, all we have to do is apply it to an interface. PBR acts on packets arriving on an interface, so in our case that is the inside interface where the gateway's packets come in (FastEthernet 0/0):

default_router(config)# interface f0/0
default_router(config-if)# ip policy route-map VideoConf

Done! NOTE: you can only have one policy (one route map) applied to an interface. This is where the 'permit 10' comes in on the route-map definition: it is a sequence number, and you can build multiple "groups" under the same route-map name, evaluated in order until one matches. For example, 'route-map VideoConf permit 20' adds a second group to this same policy.

Now, all packets NOT matching the access-list fall back to the normal routing table, which in our case means the default route to 172.16.1.2. If the traffic matches access-list 10 (i.e. it comes from host 172.16.1.25), the route-map VideoConf applies, which says to send it to 172.16.1.3. One caveat: 'set ip next-hop' does not check that 172.16.1.3 is actually up. If the PIX goes away, matching packets are not automatically sent back through the Watchguard; that needs the verify-availability form of the command with object tracking.

All you have to do is make sure 172.16.1.3 can handle the traffic (for example, the proper NAT, access-lists, etc.).
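Putting the pieces together, here is the whole policy in one place, followed by a tighter variant. This is an added example, not configuration from the original post. It keeps the post's addresses (172.16.1.1 router, 172.16.1.2 Watchguard, 172.16.1.3 PIX, 172.16.1.25 gateway), but the private WAN ranges it exempts (the RFC 1918 blocks), the ACL name VIDEO-TO-INTERNET, the second route-map name and the IP SLA / track numbers are assumptions. The tracked verify-availability form needs an IOS with IP SLA and object tracking; the exact spelling of those commands varies by release.

```cisco
! --- As in the post: steer everything the gateway sends to the PIX ---
access-list 10 permit 172.16.1.25
!
route-map VideoConf permit 10
 match ip address 10
 set ip precedence priority
 set ip next-hop 172.16.1.3
!
interface FastEthernet0/0
 ip policy route-map VideoConf
!
! --- Variant (assumed names/ranges): only Internet-bound gateway traffic goes to the PIX,
! --- and only while the PIX answers. Apply this route map instead of VideoConf, not as well.
! A deny entry in the ACL is "no match" for PBR, so those packets fall through to the
! normal routing table and the OSPF routes to the private WAN stay in effect.
ip access-list extended VIDEO-TO-INTERNET
 remark Assumed private WAN ranges (RFC 1918); substitute your own prefixes
 deny   ip host 172.16.1.25 10.0.0.0 0.255.255.255
 deny   ip host 172.16.1.25 172.16.0.0 0.15.255.255
 deny   ip host 172.16.1.25 192.168.0.0 0.0.255.255
 permit ip host 172.16.1.25 any
!
! Ping the PIX every 10 seconds; track 1 goes down when it stops answering.
ip sla 1
 icmp-echo 172.16.1.3 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map VideoConfTracked permit 10
 match ip address VIDEO-TO-INTERNET
 set ip precedence priority
 set ip next-hop verify-availability 172.16.1.3 10 track 1
!
! With the tracked next hop, a dead PIX means matching packets fall back to the
! routing table (the Watchguard) instead of being dropped on a failed ARP.
interface FastEthernet0/0
 ip policy route-map VideoConfTracked
!
! Verification (exec mode):
!   show route-map VideoConfTracked  -> per-sequence "Policy routing matches" counters
!   show ip policy                   -> which route map is bound to which interface
!   show track 1                     -> reachability state of the PIX
!   debug ip policy                  -> per-packet decisions; use briefly on a busy box
```

The plain CDP-based verify-availability (without a track object) would not help here, because a PIX does not speak CDP and would be treated as unavailable; the tracked form tests reachability with ICMP instead.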

Good Luck! Next, I’ll post the PIX rules needed for Polycom to receive inbound calls, and make outbound calls.


5 responses to "Cisco Policy Based Routing (PBR)"

  1. Kenny Rogers May 3, 2008 at 12:25 am

    Hmmm, am I missing something with your network? Can't you simply point the default gateway of the video conferencing machine to the IP of the PIX?

    Or have you just oversimplified the concept by placing all devices on a flat network.

  2. Aaron Paxson May 5, 2008 at 4:55 am

    Obviously, you have missed something. 🙂

    If I point my video conferencing machine to the IP of the Pix, then I will lose all of my private networking routes via OSPF. I still have multiple locations on my private WAN (globally) using Video Conferencing as well.

    I do not have an oversimplified flat network, but rather, a fairly complex network consisting of over 50 locations worldwide.

    Plus, it was a good way to explain how to use PBR. At least, I thought it was.

    🙂

  3. Rik Irvine December 12, 2008 at 6:07 am

    Aaron,
    I am making some routing changes on a 3750 tonight. Although I do not plan to use PBR, I always expect the unexpected. Having read your article, and gleaned elsewhere on the WWW that I need to change my sdm from default to router in order to do PBR, I now feel ready. Thanks for the guidance.
    Rik

  4. Aaron Paxson December 12, 2008 at 9:40 pm

    Hi, Rik!

    I’m glad to see the post helped you feel better about your 3750 configs. Thanks for letting me know!

    Aaron

  5. Daniel March 21, 2009 at 12:56 am

    Thanks very much, boss, for your intuitive explanation. I think this approach on PBR will resolve my problems.

    However, I have a layer 3 3750 with different VLANs, and I want traffic from a subnet to be sent to an external firewall via a VLAN interface.

    Please, what would the scenario look like?

    Thanks
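For the Catalyst 3750 case raised in the two comments above (PBR applied on a VLAN interface), here is an added example in the same style. It is not from the original post or its author, and everything in it is assumed: VLAN 20 (10.20.0.0/24) as the source subnet, VLAN 99 as the link to the external firewall at 10.99.0.2, and the ACL and route-map names. The two guidelines in the comments come from the Catalyst 3750 PBR configuration guidelines: PBR needs the "routing" SDM template, and the ACL used in the match should not contain deny entries or permit traffic to the switch's own addresses.

```cisco
! Catalyst 3750: PBR needs TCAM space that only the "routing" SDM template provides.
! Changing the template takes a reload, so plan a maintenance window.
sdm prefer routing
! (reload, then confirm with: show sdm prefer)
!
! Assumed ACL. Keep it permit-only: on the 3750, deny entries in a PBR ACL push the
! matching packets to the CPU, and do not permit traffic addressed to the switch itself.
ip access-list extended VLAN20-TO-EXTFW
 permit ip 10.20.0.0 0.0.0.255 any
!
route-map ToExtFW permit 10
 match ip address VLAN20-TO-EXTFW
 set ip next-hop 10.99.0.2
!
! The policy goes on the SVI where the traffic ENTERS the switch's routing process
! (the source VLAN), not on the VLAN facing the firewall.
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip policy route-map ToExtFW
!
interface Vlan99
 description To external firewall (assumed 10.99.0.2)
 ip address 10.99.0.1 255.255.255.0
!
! Verify with: show ip policy, show route-map ToExtFW
```

If some destinations from VLAN 20 must keep following the routing table (other internal subnets, for instance), carve them out with additional permit entries for only the wanted destinations rather than with deny entries, so the policy stays in hardware.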
