
Cisco - "route-map" multiple criteria

12-27-2011, 10:50 AM  #1
thunder04 (Thread Starter)
Join Date: Jul 2007
Location: Northern VA
Posts: 4,104

We currently use a route-map to direct web traffic to our web filter. I discovered that the 3560 we are using that handles this route-map does not handle "deny" ACL statements in hardware when doing policy based routing.

This pretty much means that when traffic matches a deny statement, throughput is roughly 15 Mbps! Luckily this only affects traffic internally to our web server and mail server.

I want to tweak our route-map so that two conditions must be met before traffic is handled by it.

1) The traffic's next hop is to another network
2) The traffic is port 80 traffic

Is it as simple as this?

route-map squid permit 10
match ip next-hop 99
match ip address 101
set ip next-hop 10.1.1.3

access-list 99 permit 10.1.0.0 0.0.0.3

access-list 101 permit tcp any any eq www

Are the "match ip next-hop" condition and the "match ip address" condition an "AND" or an "OR"? I think it's an "AND", but I'm not sure.
12-27-2011, 11:14 AM  #2
thunder04 (Thread Starter)
Never mind. The switch in question doesn't support "match ip next-hop". I'm going to have to re-think this...
12-27-2011, 11:24 AM  #3
thunder04 (Thread Starter)
OK, I was working on this for a bit before discovering the "match ip next-hop" command. It's crazy, but what if I do...

route-map squid permit 10
match ip address 123
set ip next-hop 10.1.1.3

access-list 123 permit tcp 10.10.0.0 0.0.127.255 any eq www
access-list 123 permit tcp 10.10.128.0 0.0.63.255 any eq www
access-list 123 permit tcp 10.10.192.0 0.0.31.255 any eq www
access-list 123 permit tcp 10.10.224.0 0.0.15.255 any eq www
access-list 123 permit tcp 10.10.240.0 0.0.7.255 any eq www
access-list 123 permit tcp 10.10.248.0 0.0.3.255 any eq www
access-list 123 permit tcp 10.10.252.0 0.0.1.255 any eq www
access-list 123 permit tcp 10.10.254.0 0.0.0.255 any eq www
access-list 123 permit tcp 10.11.0.0 0.0.255.255 any eq www
access-list 123 permit tcp 10.12.0.0 0.0.255.255 any eq www

The above looks extra crazy because I forgot I need some unfiltered IPs. The above should make 10.10.0.0 - 10.10.254.255 and 10.11.x.x - 10.12.x.x filtered and leave me 10.10.255.0 - 10.10.255.255 unfiltered. Way more than I need, but oh well.

However, wouldn't the explicit "deny" at the end of the ACL present me with the same problem? Hmmm...
12-27-2011, 11:34 AM  #4
thunder04 (Thread Starter)
My idea above won't work because I also need to prevent traffic to our web server from being filtered.

Maybe someone has an idea. Here's what I need:

Any port 80 traffic destined to a private IP address is not routed to the web filter. In our case, 10.x.x.x and 192.168.4.x

Any port 80 traffic destined to a public IP address IS routed to the web filter.

All non port 80 traffic is NOT routed to the web filter.

The above needs to be done with "permit" statements. Is this even possible?
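Worked check of the question in post #1 (whether several match conditions are ANDed or ORed) and of the permit-only requirement in post #4. This is an added example, not the thread's own config. In IOS, separate match lines inside one route-map sequence are ANDed, several ACLs listed on a single match line are ORed, and a permit sequence that has no set clause forwards matching packets normally, which is the usual way to exclude traffic from PBR without a deny ACE. The Python below models those first-match rules and runs a candidate configuration through them; ACL numbers 150 and 151, the sample flows and the internal web server address are assumptions, while the next hop 10.1.1.3 and the private ranges 10.x.x.x and 192.168.4.x come from the thread. Whether the 3560 image really keeps the no-set sequence in hardware is something to confirm on the switch itself (for instance by watching the policy routing match counters in `show route-map squid` while pushing traffic), not something this model can prove.

```python
"""Added example, not from the thread: a model of IOS extended-ACL and route-map (PBR)
first-match logic. ACEs: top-down, first match wins, implicit deny at the end. Route-map:
separate match clauses in one sequence are ANDed, ACLs on one match line are ORed; a
permit sequence with no set clause, or no matching sequence, means normal destination-based
forwarding (confirm on your IOS image). Handles 'any', contiguous wildcards, 'eq' ports."""
import ipaddress
PORT_NAMES = {"www": 80, "https": 443}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

def wildcard_to_network(addr, wildcard):
    # IOS wildcard = inverted netmask; reject non-contiguous masks rather than mis-model them
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard not modelled: " + wildcard)
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def parse_addr(tokens):
    # consume 'any' or 'ADDR WILDCARD'; return (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_port(tokens):
    # consume an optional 'eq <port|name>'; return (port or None, remaining tokens)
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_config(text):
    """Parse access-list / route-map lines into (acls by id, sequences in order)."""
    acls, sequences, seq = {}, [], None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!": continue
        if t[0] == "access-list":
            assert t[3] in PROTOCOLS, "only extended ACLs are modelled: " + raw
            src, rest = parse_addr(t[4:])
            sport, rest = parse_port(rest)
            dst, rest = parse_addr(rest)
            dport, _ = parse_port(rest)
            acls.setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport})
        elif t[0] == "route-map":
            seq = {"action": t[2], "seq": int(t[3]), "matches": [], "next_hop": None}
            sequences.append(seq)
        elif t[:3] == ["match", "ip", "address"]:
            seq["matches"].append(t[3:])  # several ACLs on one line are ORed
        elif t[:3] == ["set", "ip", "next-hop"]:
            seq["next_hop"] = t[3]
        else:
            raise ValueError("unsupported line: " + raw)
    return acls, sorted(sequences, key=lambda s: s["seq"])

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"]) and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]  # None port below means any port
            and ace["sport"] in (None, pkt.get("sport")) and ace["dport"] in (None, pkt.get("dport")))

def acl_permits(acl, pkt):
    # first matching ACE decides; no match at all is the implicit deny
    hit = next((ace for ace in acl if ace_matches(ace, pkt)), None)
    return hit is not None and hit["action"] == "permit"

def policy_route(acls, sequences, pkt):
    # next hop set by the first matching sequence, else 'normal' destination-based forwarding
    for s in sequences:
        if all(any(acl_permits(acls[i], pkt) for i in ids) for ids in s["matches"]):
            return s["next_hop"] if s["action"] == "permit" and s["next_hop"] else "normal"
    return "normal"

def deny_aces(acls):
    # static check: deny ACEs, which the thread reports are software-switched on the 3560
    return [(i, a) for i, aces in acls.items() for a in aces if a["action"] != "permit"]

# Permit-only answer to the thread's three requirements (ACL numbers 150/151 assumed; next hop
# and private ranges from the thread). Sequence 10 has no set clause, so traffic to private
# space is forwarded normally; sequence 20 policy-routes the port-80 traffic that is left.
PBR_CONFIG = """access-list 150 permit ip any 10.0.0.0 0.255.255.255
access-list 150 permit ip any 192.168.4.0 0.0.0.255
access-list 151 permit tcp any any eq www
route-map squid permit 10
 match ip address 150
route-map squid permit 20
 match ip address 151
 set ip next-hop 10.1.1.3
"""

# Constructed sample flows: (protocol, source, destination, destination port).
SAMPLE_FLOWS = [
    ("tcp", "10.10.5.5", "198.51.100.7", 80),   # client to an Internet web site
    ("tcp", "10.10.5.5", "10.20.30.40", 80),    # client to the (assumed) internal web server
    ("tcp", "10.10.5.5", "192.168.4.10", 80),   # client to a 192.168.4.x host
    ("tcp", "10.10.5.5", "198.51.100.7", 443),  # HTTPS, not port 80
    ("udp", "10.10.5.5", "198.51.100.7", 53),   # DNS
]

def classify_flows(config=PBR_CONFIG, flows=SAMPLE_FLOWS):
    """Map each (proto, src, dst, dport) flow to its forwarding decision under config."""
    acls, sequences = parse_config(config)
    return {f: policy_route(acls, sequences, {"proto": f[0], "src": f[1], "dst": f[2], "dport": f[3]})
            for f in flows}
```

Running `classify_flows()` sends only the first flow (port 80 to a public address) to 10.1.1.3 and leaves the other four on normal forwarding, and `deny_aces()` on the same config returns nothing, which is the property the thread is after. The same parser can be pointed at the post #3 ACL to confirm which source ranges it covers; the model says nothing about TCAM usage or hardware versus software switching, so the counters on the real switch remain the final check.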