3 Replies Latest reply on Jul 10, 2014 12:48 PM by noor

    Policy based routing help

    greg.locke New Member

      I have a Cisco Web Security Virtual Appliance that will be doing content filtering and monitoring.


      I need help configuring policy based routing to send web traffic on ports 80, 8080, 443, 3128 to the appliance and all other traffic (DNS, UDP, etc.) to another GW.





        • Re: Policy based routing help
          vmaxdawg05 Past_Featured_Member

          That should be fairly easy. 

          1.  You just need to configure the other gateway as the default route. 

          2.  Then you need to create an ACL that matches the desired traffic you want to filter (80, 8080, 443, etc.). 

          3.  Create a route-map.  Have the route map match the ACL you created.  Have the route-map set the next hop to be the address of the web filtering appliance.

          4.  Assign the route map to the interface that the traffic is coming from.


          There is pretty good documentation on PBR at https://supportforums.adtran.com/docs/DOC-3587


          I can give you an example if you need one.  Keep in mind that PBR does use CPU resources, so it could impact the router's performance if we are looking at a high traffic volume.



          • Re: Policy based routing help
            jayh Hall_of_Fame

            Create an access list:


            ip access-list extended webfilter-list
              permit tcp any any eq 80
              permit tcp any any eq 443
              permit tcp any any eq 8080

            Create a route map:

            route-map webfilter-map permit 10
              match ip address webfilter-list
              set ip next-hop ip.of.filter.box
            route-map webfilter-map permit 20

            Apply that route-map to the inside interface where the browsers live.

            interface eth 0/2
              ip policy route-map webfilter-map

            There is one more thing you will need to do, and we need more information about the appliance.  How does the filter appliance get to the Internet to pass the clean traffic through?  Does it have a separate interface?  Does it do NAT?  You'll need to take some action to ensure that the inspected traffic isn't subject to the route-map or it will just loop to itself.


            Good luck.  John Gilmore's 1993 quote is still applicable today 21 years later.  John Gilmore - Wikiquote
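The following is an added example, not part of this thread or of any ADTRAN documentation. It models the four steps vmaxdawg05 lists and the access-list / route-map pair jayh posts as a small Python simulation of the PBR lookup, so you can see which next hop a given packet gets before touching the router. It generalizes jayh's list to all four ports from the original question (80, 8080, 443, 3128) and shows the loop jayh warns about: if the appliance returns its cleaned traffic through the same interface the policy is applied to, its own outbound port-80 flows match the ACL and are handed straight back to it. One common mitigation, modeled here, is a `deny` entry at the top of the ACL for the appliance's own address; whether that is the right fix for a given deployment depends on how the appliance reaches the Internet, which is exactly the information jayh asks for. All addresses (192.0.2.10 for the appliance, 198.51.100.1 for the default gateway, 10.1.1.0/24 clients) are constructed placeholders, and `render_acl` only mirrors the syntax shown in the post.

```python
"""Toy model of a router's policy based routing decision (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

APPLIANCE = "192.0.2.10"      # placeholder for jayh's "ip.of.filter.box"
DEFAULT_GW = "198.51.100.1"   # placeholder for the "other gateway" (default route)
WEB_PORTS = (80, 443, 8080, 3128)   # the four ports from the original question


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: str               # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int]   # None stands for any destination port


@dataclass
class RouteMapSeq:
    acl: Optional[List[AclEntry]]   # None: sequence has no match clause, matches all
    next_hop: Optional[str]         # None: no set clause, fall back to normal routing


def acl_matches(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny a router ACL ends with."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) not in ip_network(e.src):
            continue
        if ip_address(pkt.dst) not in ip_network(e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def pbr_next_hop(route_map: List[RouteMapSeq], pkt: Packet) -> str:
    """Walk the route-map sequences in order; a denied/unmatched ACL falls through."""
    for seq in route_map:
        if seq.acl is None or acl_matches(seq.acl, pkt):
            return seq.next_hop if seq.next_hop else DEFAULT_GW
    return DEFAULT_GW


def web_acl(ports=WEB_PORTS, exempt_src: Optional[str] = None) -> List[AclEntry]:
    """webfilter-list: optionally exempt the appliance's own traffic first."""
    entries: List[AclEntry] = []
    if exempt_src:
        # deny must come before the permits: traffic the appliance itself sends
        # must not be policy-routed back to the appliance
        entries.append(AclEntry("deny", "ip", f"{exempt_src}/32", "0.0.0.0/0", None))
    entries += [AclEntry("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", p) for p in ports]
    return entries


def webfilter_map(acl: List[AclEntry]) -> List[RouteMapSeq]:
    """Sequence 10 sets the appliance as next hop; sequence 20 is the empty permit."""
    return [RouteMapSeq(acl, APPLIANCE), RouteMapSeq(None, None)]


def classify(pkt: Packet, exempt_appliance: bool) -> str:
    """Next hop the router would choose for pkt on the policy-routed interface."""
    acl = web_acl(exempt_src=APPLIANCE if exempt_appliance else None)
    return pbr_next_hop(webfilter_map(acl), pkt)


def render_acl(name: str, acl: List[AclEntry]) -> str:
    """Render the model as access-list lines in the syntax used in the post."""
    lines = [f"ip access-list extended {name}"]
    for e in acl:
        src = "any" if e.src == "0.0.0.0/0" else "host " + e.src.split("/")[0]
        dst = "any" if e.dst == "0.0.0.0/0" else "host " + e.dst.split("/")[0]
        port = f" eq {e.dport}" if e.dport is not None else ""
        lines.append(f"  {e.action} {e.proto} {src} {dst}{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    client_http = Packet("10.1.1.25", "203.0.113.7", "tcp", 80)
    client_dns = Packet("10.1.1.25", "203.0.113.53", "udp", 53)
    from_appliance = Packet(APPLIANCE, "203.0.113.7", "tcp", 80)
    print("client HTTP          ->", classify(client_http, False))
    print("client DNS           ->", classify(client_dns, False))
    print("appliance, no deny   ->", classify(from_appliance, False), "(loops back)")
    print("appliance, with deny ->", classify(from_appliance, True))
    print(render_acl("webfilter-list", web_acl(exempt_src=APPLIANCE)))
```

Running it shows client HTTP, HTTPS, 8080 and 3128 flows going to the appliance, DNS falling through to the default gateway, and the appliance's own port-80 traffic going back to the appliance until the `deny ip host ... any` line is added at the top of the list.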

              • Re: Policy based routing help

                greg.locke -

                I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.