Cisco Web Security Appliance S360 Troubleshooting Guide

interface Vlan4
desc Internet Router dedicated VLAN
ip address 192.168.2.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.168.2.2
Given the above example, and with the Cisco WSA having an IP address of 192.168.1.2, you would add the following
commands to set up Policy Based Routing (PBR):
Step 1: Define Web traffic
 ! Match HTTP traffic
 access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 80
 access-list 100 permit tcp 10.1.2.0 0.0.0.255 any eq 80
 ! Match HTTPS traffic
 access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 access-list 100 permit tcp 10.1.2.0 0.0.0.255 any eq 443
Step 2: Define a route map to control where packets are output.
 route-map ForwardWeb permit 10
  match ip address 100
  set ip next-hop 192.168.1.2
Step 3: Apply the route map to the correct interface.
 ! Note that this should be applied to the source interface (client side)
 interface Vlan1
  ip policy route-map ForwardWeb
 !
 interface Vlan2
  ip policy route-map ForwardWeb
Note: This method of traffic redirection (PBR) has some limitations. The main problem with this method is
that traffic will always be redirected to the WSA even if the appliance is not reachable (due to network
problems, for instance). So, there is no failover option.
To work around this deficiency, you may configure either of the following:
1. PBR with tracking options when using Cisco routers. This feature is used to verify the availability of
the next hop before redirecting traffic. More details in the following article:
Policy Based Routing with the Multiple Tracking Options Feature Configuration Example
2. Tracking options are not available for Cisco Catalyst switches. However, there is an advanced
workaround available to achieve the same behavior. Details can be found on the following Cisco Wiki:
Policy-based Routing (PBR) with tracking for Catalyst 3xxx switches - A workaround using EEM
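The tracking variant that the note above refers to, shown as an added example that is not taken from this Cisco document or from the linked article. It assumes an IOS router with IP SLA and object tracking support (exact syntax varies by platform and release) and reuses the addresses and names from the page.

```cisco
! Added example (not from the Cisco document): the same ForwardWeb route map,
! but the next hop is verified through an IP SLA probe and a tracked object
! ("PBR with tracking options"). Assumes IOS with IP SLA and object tracking.
!
! Probe the WSA (192.168.1.2) every 5 seconds. An ICMP echo only proves the
! host is up; if the appliance answers on its proxy port, a tcp-connect probe
! to that port is a stronger liveness check.
ip sla 1
 icmp-echo 192.168.1.2
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the reachability state of the probe.
track 1 ip sla 1 reachability
!
! Original form (no failover): packets go to the WSA even when it is down.
!   route-map ForwardWeb permit 10
!    match ip address 100
!    set ip next-hop 192.168.1.2
!
! Tracked form: the next hop is used only while track 1 is up. When the
! probe fails, the set clause is skipped and matching packets follow the
! normal routing table, i.e. straight to the Internet router (192.168.2.2)
! without passing the WSA. That is fail-open: web policy enforcement lapses
! until the appliance is reachable again, so monitor the track state
! (show track 1) and alert on transitions.
route-map ForwardWeb permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.1.2 10 track 1
```

If policy requires fail-closed behaviour instead, matching traffic must be dropped rather than routed normally while the track is down; that is a design decision the page leaves to the administrator.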
Updated: Aug 05, 2014
Document ID: 118156