Cisco Web Security Appliance S360 Troubleshooting Guide

How do I configure Policy Based Routing (PBR) on
a Cisco Multilayer Switch or Router to forward
traffic to the WSA?
Document ID: 118156
Contributed by Vladimir Sousa and Siddharth Rajpathak, Cisco TAC
Engineers.
Aug 05, 2014
Question:
How do I configure Policy Based Routing (PBR) on a Cisco Multilayer Switch or Router to forward traffic to
the WSA?
Environment: Cisco Web Security Appliance (WSA), transparent mode - L4 switch
When the WSA is configured in transparent mode using an L4 switch, no configuration is needed on the WSA. The
redirection is controlled by the L4 switch (or router).
It is possible to use Policy Based Routing (PBR) to redirect web traffic to the WSA. This is achieved by
matching the correct traffic (based on TCP ports) and instructing the router/switch to redirect this traffic to the
WSA.
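Because the redirection lives entirely on the switch or router, a client VLAN that lacks the policy sends its web traffic straight past the WSA. The following check is an added example, not part of the original Cisco document: it parses a saved configuration and reports client interfaces without a PBR policy and next hops outside the WSA VLAN. The route-map name WSA_REDIRECT, the ACL, the next hop 192.168.1.2 and the function names are assumptions, and sub-commands are assumed to be indented as in `show running-config` output.

```python
import ipaddress
import re

# Constructed sample config (not from the original document): interface
# addressing follows this document's example; the ACL, route-map name
# WSA_REDIRECT and next hop 192.168.1.2 are assumptions for illustration.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map WSA_REDIRECT
!
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.252
!
access-list 100 permit tcp 10.1.0.0 0.0.3.255 any eq 80
route-map WSA_REDIRECT permit 10
 match ip address 100
 set ip next-hop 192.168.1.2
"""

def parse_interfaces(config):
    """Return {interface: {"net": IPv4Network or None, "policy": name or None}}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m[1], {"net": None, "policy": None})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface stanza
        elif current is not None:
            if m := re.match(r" +ip address (\S+) (\S+)", line):
                current["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r" +ip policy route-map (\S+)", line):
                current["policy"] = m[1]
    return ifaces

def audit_pbr(config, client_ifaces, wsa_iface):
    """List findings where client web traffic would not reach the WSA."""
    ifaces, findings = parse_interfaces(config), []
    for name in client_ifaces:
        if ifaces.get(name, {}).get("policy") is None:
            findings.append(f"{name}: no 'ip policy route-map', traffic bypasses the WSA")
    wsa_net = ifaces[wsa_iface]["net"]
    for hop in re.findall(r"^ +set ip next-hop (\S+)", config, re.M):
        if ipaddress.ip_address(hop) not in wsa_net:
            findings.append(f"next hop {hop} is outside {wsa_iface} ({wsa_net})")
    return findings
```

Calling `audit_pbr(SAMPLE_CONFIG, ["Vlan1", "Vlan2"], "Vlan3")` flags Vlan2, which has no policy applied in the constructed sample.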
In the following example, the WSA's data/proxy interface (either M1 or P1 depending on configuration) is on a
dedicated VLAN interface of the multilayer switch/router (Vlan3) and the Internet router is on a dedicated
VLAN interface as well (Vlan4). Clients are on Vlan1 and Vlan2.
Initial Configuration (only relevant parts displayed)
interface Vlan1
 desc User VLAN 1
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 desc User VLAN 2
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan3
 desc Cisco WSA dedicated VLAN
 ip address 192.168.1.1 255.255.255.252
!