Okay, you may have noticed I have implemented a video conferencing system across the enterprise WAN. I had to do some network re-working, however, because the Watchguard Firebox does not play nicely with H.323 for internet-based traffic. Luckily, I had a PIX firewall that I had been meaning to implement.
Unfortunately, I cannot just remove the Firebox: it is doing web-blocking, SMTP proxying, and countless rules that would take time to rebuild on the PIX. I only wanted the PIX to firewall my H.323 gateway, so I had to make sure both could play nicely together.
Enter policy-based routing.
Basically, I wanted my H.323 gateway (say 172.16.1.25) to go through my PIX while still allowing EVERYTHING ELSE (172.16.1.0/24) to go through the Watchguard firewall. For now, anyway. Here is a basic diagram:
From here, you can see the flow. Since my default router (172.16.1.1) is in the middle, it will be the “Traffic Cop”. It is here that we will place a policy on how it routes the packets.
First, we need to identify the packets. We do this by creating an access-list (with no wildcard mask, the entry matches that one host only):
default_router(config)# access-list 10 permit 172.16.1.25
Next, we build a route map that uses the access-list. We will also throw in some precedence, for soft-QoS identification:
default_router(config)# route-map VideoConf permit 10
default_router(config-route-map)# match ip address 10
default_router(config-route-map)# set ip precedence priority
default_router(config-route-map)# set ip next-hop 172.16.1.3
Okay, in our route map, we are doing three things:
1) Check whether the packet matches our access-list numbered 10.
2) If it does, set the IP precedence to ‘priority’ (this is video, after all).
3) Route the packet to host 172.16.1.3 (that’s the PIX).
Once our map is complete, all we have to do is apply it to an interface. In our case, the packet is being received on the inside interface (FastEthernet 0/0).
default_router(config)# interface f0/0
default_router(config-if)# ip policy route-map VideoConf
Done! NOTE: you can only have one policy route map applied to an interface. This is where the ‘permit 10’ on the route-map definition comes in: a route map can hold multiple “groups” (entries), each with its own sequence number, evaluated in order. For example, a ‘route-map newPolicy permit 20’.
Now, all packets NOT matching the access-list still fall back to the default route via 172.16.1.2. Traffic that matches access-list 10 (i.e. host 172.16.1.25) is handled by route-map VideoConf, which sends it to 172.16.1.3.
All you have to do is make sure 172.16.1.3 can handle the traffic (for example, the proper NAT, access-lists, etc.).
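To make the first-match and fall-back behaviour concrete, here is a small Python model of the decision the default router makes for each packet. This is an added illustration, not IOS code or the author's configuration: it transcribes the page's access-list 10 and route-map VideoConf (172.16.1.25 to the PIX at 172.16.1.3, everything else to the Firebox at 172.16.1.2) and adds an audit helper that lists which hosts a given route map would steer off the Firebox path, which catches a too-wide wildcard mask before it goes live. The precedence name-to-value table follows RFC 791.

```python
"""Toy model of how a Cisco IOS policy route map such as the page's VideoConf
map decides a packet's next hop. Added illustration, not IOS code or the
author's configuration; the addresses are the ones used on the page."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# IP precedence keywords IOS accepts for 'set ip precedence', with their
# 3-bit values from RFC 791 ('priority' is 1).
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit|deny A.B.C.D [wildcard]' line of a standard
    ACL. The wildcard is an inverted mask: 0 bits must match, 1 bits are
    ignored. IOS treats a missing wildcard as 0.0.0.0, i.e. a single host."""
    address: str
    wildcard: str = "0.0.0.0"
    permit: bool = True

    def matches(self, src: str) -> bool:
        a, w, s = (int(IPv4Address(x)) for x in (self.address, self.wildcard, src))
        care = 0xFFFFFFFF & ~w          # bits the entry actually compares
        return (a & care) == (s & care)


def acl_permits(entries: List[AclEntry], src: str) -> bool:
    """Standard ACL semantics: the first matching entry wins, and an implicit
    'deny any' sits at the end of every list."""
    for entry in entries:
        if entry.matches(src):
            return entry.permit
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    """One 'route-map NAME permit|deny SEQ' stanza with its match/set lines."""
    seq: int
    permit: bool = True
    match_acl: Optional[List[AclEntry]] = None   # match ip address N
    set_precedence: Optional[str] = None         # set ip precedence NAME
    set_next_hop: Optional[str] = None           # set ip next-hop A.B.C.D


@dataclass(frozen=True)
class Decision:
    next_hop: str
    precedence: int
    matched_seq: Optional[int]   # None means ordinary destination routing


def policy_route(route_map: List[RouteMapEntry], src: str, default_gw: str,
                 precedence: int = 0) -> Decision:
    """Evaluate entries in ascending sequence order; the first whose match
    clause succeeds wins. A matching 'deny' entry, or no match at all, hands
    the packet to ordinary destination-based routing untouched (here the
    default route)."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        # An entry without a match clause matches everything.
        if entry.match_acl is not None and not acl_permits(entry.match_acl, src):
            continue
        if not entry.permit:
            break
        prec = PRECEDENCE[entry.set_precedence] if entry.set_precedence else precedence
        return Decision(entry.set_next_hop or default_gw, prec, entry.seq)
    return Decision(default_gw, precedence, None)


# The page's configuration, transcribed:
#   access-list 10 permit 172.16.1.25
#   route-map VideoConf permit 10 / match ip address 10 /
#   set ip precedence priority / set ip next-hop 172.16.1.3
ACL_10 = [AclEntry("172.16.1.25")]
VIDEOCONF = [RouteMapEntry(10, True, ACL_10, "priority", "172.16.1.3")]
DEFAULT_GW = "172.16.1.2"   # the Firebox path


def policy_routed_hosts(route_map: List[RouteMapEntry], network: str,
                        default_gw: str = DEFAULT_GW) -> List[str]:
    """Audit helper: which hosts in NETWORK would this route map steer away
    from the default (Firebox) path? Worth running before 'ip policy
    route-map', because a too-wide wildcard silently sends every host around
    the Firebox's inspection."""
    return [str(h) for h in IPv4Network(network).hosts()
            if policy_route(route_map, str(h), default_gw).next_hop != default_gw]


if __name__ == "__main__":
    for src in ("172.16.1.25", "172.16.1.40"):
        print(src, "->", policy_route(VIDEOCONF, src, DEFAULT_GW))
    print("hosts bypassing the Firebox:", policy_routed_hosts(VIDEOCONF, "172.16.1.0/24"))
```

With the page's map, `policy_routed_hosts` returns only 172.16.1.25; change the ACL entry to `172.16.1.0 0.0.0.255` and it returns all 254 hosts, which is exactly the mistake you want to catch before the Firebox stops seeing the subnet.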
Good luck! Next, I’ll post the PIX rules needed for Polycom to receive inbound calls and make outbound calls.