Prioritise traffic based on IP subnet

I'm currently using an Avaya IP Office VoIP solution and I want to introduce a Cisco 2600 to replace the WAN units. I've been told that I will need a QOS switch or have two Lan ports on the router to create two subnets (1 for Data & 1 for VoIP).
If I decide to use 2 lan ports instead of installing a QOS switch, can someone tell me if this solution is viable and, if it is, how would I prioritise the traffic based upon the IP subnet?

If you are going to place the phones on a single subnet and connect them to a dedicated router interface with no other devices (PCs, printers etc) you should get away without any QoS because all the data on that subnet will be voice bearer, voice signaling and network management with voice bearer being by far the majority of the traffic. Your greatest concern for voice quality should be aimed at the WAN link. You will need to ensure that you have QoS between sites and this will be dependent on the type of WAN link employed.

Similar Messages

  • Possible to Route Traffic Based on AVC?

    Is it possible to route traffic, based on the Application Visibility Control functions that specific Cisco routers are capable of?  Here's my issue:  I have two ISP's.  One is at about 120% utilization.  The other isn't doing anything.  I can specify ip routes based on IP addresses.  For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic.  The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook.  Is there a way to route traffic based on application?  I know that Palo Alto firewalls have a way to do Policy Based Forwarding, based on application.  I was wondering if the same was possible with AVC.  Thanks for any help.

    Hello.
    Yes, it's possible and, actually, you have 2 ways.
    1. use manual load-balance between links.
    2. use PfR to load-balance traffic automatically.
    PS: you also will need NAT with route-map.

  • Prioritize traffic based on destination IP?

    Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
    Thanks!

    Jerry, I would try something like in the second config example I mentioned. Keep in mind, if ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VOIP traffic high priority, it should go out interface first during congestion. Don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VOIP traffic, VPN traffic and User PAT (outbound NAT) traffic on separate IP's. That will help when defining the access-lists. This QoS stuff is kind of tricky and is a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VOIP traffic. The same results apply when I test a big upload to internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I use the show QoS commands to see traffic drops, etc. so YMMV!
    Take a look at this link for ASA 7.X release, which may give you some ideas:
    "QoS based on ACL with VPN Configuration" You can change ACL to include the outside interface IP as long as you have separated the NAT's, VPN, etc. like I mentioned earlier.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
    Will

  • Using OHS to redirect traffic based on intranet or internet URL

    Hello,
    We have a requirement where we have to launch our application on internet. Application is working fine on local intranet URL or internet URL but not working on both at same time. We have application developed with ADF and other fusion components.
    This is the topology we are using here :-
    SPS(secured proxy server to configure internet URL) --> OHS -> Managed server(1,2,3,4)
    We have to setup a URL redirect rule at OHS level where
    ---> if the incoming traffic is from intranet URL application work based on intranet URL's BUT
    -->if the traffic is coming from internet URL, OHS internally take care of URL redirect and work for external users too..
    Summary is, application should work for both internet and intranet URL, but pls note both the URL are different
    like
    intranet- https:\\abcd.intranet.xxx.com\abs\login
    internet - https:\\abcd.xxx.com\abs\login
    could someone pls help me on this and provide your valuable suggestion on how we can achieve this at OHS level...

    Thanks AMN,
    I was able to successfully get the redirect to work with the following Javascript code.
    In the folder: C:\OracleBI\oc4j_bi\j2ee\home\default-web-app
    I created the following OBIEE.html file
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html lang="en-us">
    <HEAD>
    <TITLE>Test OBIEE Redirect Page</TITLE>
    </HEAD>
    <BODY>
    <script type="text/javascript">
    // Lower-case the user agent so the lower-case pattern below matches.
    var agent = (navigator.userAgent).toLowerCase();
    var weburl = './analytics/';
    var moburl = './analyticsMobile/';
    var reg_exp = /(ipod|iphone|android|opera mini|blackberry|palm os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine|windows ce; ppc;|windows ce; smartphone;|windows ce; iemobile|up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|pocket|kindle|mobile|pda|psp|treo)/;
    // Handheld user agents go to the mobile site, everything else to the standard site.
    if( reg_exp.test(agent) ) {
         window.location = moburl;
    } else {
         window.location = weburl;
    }
    </script>
    </BODY></HTML>
    The javascript gets the USER agent and does a regular expression match to see if it's any popular handheld device. If so, it redirects them to the mobile address. Otherwise the user is directed to the standard site.
    All I need to do is pass around the URL:
    http://localhost:9704/OBIEE.html
    And users will be dynamically sent to the correct location.
    Thanks!
    -Joe

  • Forwarding Traffic based on Domain name(Google).

    Hello ,
    Please let me know if this is possible.
    I have an asa5520 firewall with 8.2 version. I have two ISP's coming into my firewall for Internet. Currently I am forwarding all my traffic to one of the ISP. I would like to forward only traffic to Google to the second ISP. The reason I am trying to do this is Google reports my primary IP. The message users get is "
    When Google detects that a computer or phone on your network may be sending automated traffic to Google we may show the following message: "Our systems have detected unusual traffic from your computer network." after this message users will have to enter a captcha code.
    This is an intermittent issue. I would like to test it by forwarding only google traffic to my second ISP. I cannot forward all the traffic to my secondary ISP; the reason is I am having site to site tunnels going on my default primary route and if I do it all my tunnels would go down.
    Any help regarding this issue or workaround would be appreciated.
    OR if I can actually find an IP/user on my inside network which is generating high traffic to google which is resulting in entering the captcha code and sometimes opening multiple tabs. or if I can ratelimit to allow fixed number of connections to google.
    Thanks.

    Hello,
    First of all the ASA does not support PBR so that's our first wall.
    There are some tweaks that we could do with NAT but that would be based on the destination IP address. In this case you will be trying to do the NAT based on the FQDN which does not work.
    You will need to determine all of the IP addresses of Google (I know.. I know) and then configure the NAT policies to tweak the Firewall behavior.
    How does this sound to you?
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • ACE and selection of traffic based on ACL

    Hi Folks,
    I have noticed on the ACE it is possible to select traffic to hit a chosen farm based on an ACL. On further look into the ACE ACL, I was not able to determine whether the ACL can match IP DSCP value, like you can on the IOS side.
    Can someone please confirm if it's possible to have an ACE ACL matching a specific DSCP value in the packet.
    Best Regards
    Alan

    Alan,
    unfortunately this is not possible.
    Gilles.

  • FireSIGHT FirePOWER controlling traffic based on AD users doesn't work

    Hi all,
    FirePOWER doesn't seem to be working for rules based on users from Active Directory.
    I was able to import users from AD, and I can see the users being matched with an IP (Analysis->Users->Users).
    I can say that the rule does work because if I build it to be IP based, traffic is blocked. But as soon as I add users to the rule, traffic stops being blocked.
    Can someone a bit more experienced with FireSIGHT and/or FirePOWER help me out with this...
    thanks

  • Need to route traffic based on destination to 2 different routers

    I have a 4451X that has a default route of 10.10.48.1. I have 2 other internet routers at 10.10.48.15, and 172.31.1.3.
    The router at 172.31.1.3 is a VPN firewall and has a VPN to 3 specific IP networks. 172.31.252.0/24, 192.168.252.0/24, and 192.168.163.0/24.
    I need the traffic headed to the 3 VPN'd networks to route to 172.31.1.3, and the remaining traffic to route to 10.10.48.15.
    The source network is 172.31.0.0/23 and the gateway of the machines is 172.31.0.1.
    I tried creating a PBR but the internet traffic seems to go outbound through the router's default route of 10.10.48.1 and not 10.10.48.15.
    I am sure I am just missing something silly.
    Here are the relevant portions of the config:
    interface GigabitEthernet0/0/1
     ip address 172.31.0.20 255.255.254.0
     ip nat inside
     ip policy route-map Test
     negotiation auto
     vrrp 1 ip 172.31.0.1
     vrrp 1 priority 105
    interface GigabitEthernet0/0/1.2
     encapsulation dot1Q 2
     ip address 10.10.48.12 255.255.255.224
     ip nat inside
     ip access-group 199 in
     vrrp 1 ip 10.10.48.3
     vrrp 1 priority 105
     vrrp 2 priority 105
     no cdp enable
    ip route 0.0.0.0 0.0.0.0 10.10.48.1
    ip route 0.0.0.0 0.0.0.0 172.31.1.3 2
    access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
    access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.252.0 0.0.0.255
    access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.163.0 0.0.0.255
    route-map Test permit 19
     match ip address 116
     continue 20
     set ip next-hop 172.31.1.3
    route-map Test1 permit 20
     set ip next-hop 10.10.48.15
    Thanks in advance.
    Burton Hallman

    Firstly I'm not sure why you have two default routes if everything is meant to go via 10.10.48.1?
    That aside in terms of your PBR -
    1) remove the continue statement. I don't know what it is meant to be doing but as far as I know it has no effect with PBR
    2) more importantly your second statement is using a different route map name, i.e. Test1, which makes it a completely different route map, so the one applied to the interface only has the first statement in it, which is the one for VPN traffic.
    Jon
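
The route-map name mismatch discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of first-match route-map evaluation, run against the configuration as posted and against a version with both entries under the applied name `Test`. The model ignores the `continue` clause and next-hop reachability, and the sample source and destination addresses are constructed.

```python
import ipaddress

# Constructed model of the configuration quoted in the question. Wildcard masks
# are rewritten as prefix lengths (0.0.1.255 -> /23, 0.0.0.255 -> /24).
# ACL 116 is taken as posted: it lists 172.31.254.0/24, while the prose of the
# question names 172.31.252.0/24.
ACLS = {
    116: [
        ("172.31.0.0/23", "172.31.254.0/24"),
        ("172.31.0.0/23", "192.168.252.0/24"),
        ("172.31.0.0/23", "192.168.163.0/24"),
    ],
}
DEFAULT_ROUTE = "10.10.48.1"  # ip route 0.0.0.0 0.0.0.0 10.10.48.1

# Route-map name -> [(sequence, ACL id or None when there is no match clause, next hop)]
AS_POSTED = {
    "Test": [(19, 116, "172.31.1.3")],
    "Test1": [(20, None, "10.10.48.15")],  # a separate map, applied to no interface
}
CORRECTED = {
    "Test": [(19, 116, "172.31.1.3"), (20, None, "10.10.48.15")],
}

# Constructed sample flows from a host on the 172.31.0.0/23 source network.
FLOWS = [("172.31.0.50", "192.168.252.10"), ("172.31.0.50", "203.0.113.10")]


def acl_permits(acl_id, src, dst):
    """True if any permit entry of the ACL matches the source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
        for src_net, dst_net in ACLS[acl_id]
    )


def next_hop(route_maps, applied_map, src, dst):
    """Next hop for a packet arriving on an interface with 'ip policy route-map <applied_map>'."""
    entries = sorted(route_maps.get(applied_map, []), key=lambda e: e[0])
    for _seq, acl_id, hop in entries:
        # An entry without a match clause matches every packet.
        if acl_id is None or acl_permits(acl_id, src, dst):
            return hop
    # No entry in the applied map matched: the packet is routed normally.
    return DEFAULT_ROUTE


def trace(route_maps, applied_map="Test"):
    """Map each sample destination to the next hop the model selects."""
    return {dst: next_hop(route_maps, applied_map, src, dst) for src, dst in FLOWS}


if __name__ == "__main__":
    for label, maps in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for dst, hop in trace(maps).items():
            print(f"{label:10s} dst={dst:15s} -> next hop {hop}")
```
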

  • CSS Bypassing farm traffic based on matching HTTP header

    Hi,
    I am trying to find out whether the CSS is able to bypass specific traffic.
    I have an existing content to match all HTTP and send to a farm. However, there are some HTTP flows I don't want to go to the farm, I just want CSS to route them onward to the destination. These specific HTTP packets are differentiated by the host field in the header. What config is needed to allow these host annotated packets to bypass the serverfarm?
    Thanks
    Alan

    Hi Gilles,
    Thanks for your response. The only thing you may have misread is that I need to select the host header field, as the URL's may not have host part in them, i.e. raw http, not proxied. I guess then I need a header match rule linked to the new content, instead of the URL filter you mentioned.
    BR
    Alan

  • How i can route the traffic based on destination address ?

    Dears,
    As you can see in the image i have two different setups.
    ISP A setup is completely dedicated for Production & ISP B setup is dedicated for whole staff internet.
    Below is the network information;
    Firewall:
    GigE0/0 - PUBLIC IP (PAT)
    GigE0/1 - 192.168.0.1/24  no dhcp
    ISP B Router:
    ATM 0 - PUBLIC IP (PAT)
    FaE0/0 - 192.168.0.2/24
    FaE0/1 - 192.168.92.1/24 dhcp
    Servers - 192.168.0.xxx/24
    Clients - 192.168.92.xxx/24
    All the clients have internet access through ISP B.
    If a client wants to connect to any of the server, what kind of configuration is required on ISP B router? I thought of route-maps or doing a static routing between Firewall & ISP B Router but I am not sure which is the best practice to do so.
    Kindly suggest with some suitable solutions.
    Regards
    @Mohammed

    Hi Shareef,
    Below is the example of PBR.
    ip access-list extended Redirect_PBR
     permit tcp host 192.168.92.10 host 192.168.0.10 eq 443
     permit tcp host 192.168.92.10 host 192.168.0.10 eq 21
     ! etc
    route-map Client_Server permit 10
     match ip address Redirect_PBR
     ! next hop on the Server LAN
     set ip next-hop 192.168.0.1
    interface FastEthernet0/1
     ip policy route-map Client_Server
    You can have the required filtered rule created as an ACL... you can restrict however you want. Map that ACL to the route map and set a next hop to needed routing point. Then finally map that ACL to the interface of the router. In this case every traffic mentioned in route map and access-list will follow the PBR rule. All other traffic will route as usual with the default route.
    Hope this helps
    Regards
    Karthik

  • Redirecting traffic based on source address on CSS11503

    Hi all,
    I need to redirect HTTP traffic originating from a specific range of IPs to a specific farm of HTTP servers. More specifically, I need requests coming to CSS's outside VIP address on port 80/tcp to be redirected to the HTTP farm (2 boxes with RFC1918 addresses) on port 30084/tcp.
    The trick is that this rule should only apply for a certain range of source IP addresses. The rest should be content switched normally. I.e. 80/tcp -> 80/tcp, etc.
    Is this possible with ACL or something similar?
    I'm running WebNS 7.20 on a CSS11503.
    Thanks,
    haver

    you could create a 2nd VIP like x.x.x.x:81 and
    a service like
    service redirect
    domain x.x.x.x:81
    type redirect
    keepalive type none
    Under the Vip x.x.x.x:81, you configure the 2 services with private ip addresses and port 30084.
    Then you create an ACL
    acl 10
    clause 10 permit tcp destination content prefer redirect
    clause 99 permit any any destination any
    apply circuit-VLAN...
    Don't forget you will need an ACL permit any any on all other interfaces to avoid blocking the rest of the traffic.
    What this will do is tell the browser to close the current connection to vip:80 and reopen a new one to vip:81 and this will be loadbalanced to the private servers.
    Gilles.

  • HOWTO: load balance based on source subnet

    Hi Guys,
    We are currently working out if there is a way to load balance specific subnets to a specific rserver within a server farm behind the one VIP.
    For example (all Rservers within one serverfarm Serv_farm001):
    Subnet 10.10.10.0/24  load balance to Rserver A ( with Rserver B as backup )
    Subnet 20.20.20.0/24  load balance to Rserver B ( with Rserver A as backup )
    I can see from the configuration guide that you could maybe use sticky src IP to do this, but I haven't seen anything to confirm this.
    Any takers on this, I'm sure it would be a familiar common thing that others are doing out there?
    Looking fwd to the responses!
    Cheers
    R

    Hi Rob,
    You can either do this on the incoming-interface ACL or for easier management you can do the following:
    class-map type http loadbalance match-any Subnet-A
      2 match source-address 10.10.10.0 255.255.255.0
    class-map type http loadbalance match-any Subnet-B
      2 match source-address 20.20.20.0 255.255.255.0
    policy-map type loadbalance first-match SLB
      class Subnet-A
        serverfarm A
      class Subnet-B
        Serverfarm B
    HTH
    Pablo

  • How to control a Load Balanced set in IaaS VMs using Text files

    Hi,
    I would like to control the Load Balanced nodes Using a resource to probe like active.txt  in IIS than a Endpoint on the Management Portal.
    The reason i need this is because the engineers in my team will have access to VMs but not to Management servers.
    Any info on it is very helpful.
    Thanks

    Hi,
    You can Control the access to the Load Balanced Set by using Network ACL. A Network Access Control List (ACL) is a security enhancement available for your Azure deployment. An ACL provides the ability to selectively permit or deny traffic for a virtual machine endpoint. This packet filtering capability provides an additional layer of security.
    Using Network ACLs, you can do the following:
    Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint. 
    Blacklist IP addresses
    Create multiple rules per virtual machine endpoint
    Specify up to 50 ACL rules per virtual machine endpoint
    Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
    Specify an ACL for a specific remote subnet IPv4 address.
    Network ACLs can be specified on a Load balanced set (LB Set) endpoint. If an ACL is specified for a LB Set, the Network ACL is applied to all Virtual Machines in that LB Set. For example, if a LB Set is created with “Port 80” and the LB Set contains 3 VMs, the Network ACL created on endpoint “Port 80” of one VM will automatically apply to the other VMs.
    Hope this helps !
    Regards,
    Sowmya

  • Windows azure paas acls

    I am following  http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx  to add acls to my web and worker roles.
    Questions
    1. If add only few IP address as allowed for end point then access to that end point is blocked for rest of the world, correct ?
    2. How access controls I can add? I have list of 200+ different IP address for permit list.

    Hi,
    >>1. If add only few IP address as allowed for end point then access to that end point is blocked for rest of the world, correct ?
    I agree with you, if you set the acls, the users out of your rules will not access the endpoint.
    >>2. How access controls I can add? I have list of 200+ different IP address for permit list.
    Please read this snippet from the article you provided.
    As with IaaS ACLs, PaaS ACLs allow you to do the following:
    Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint
    Blacklist IP addresses
    Create multiple rules per virtual machine endpoint
    Specify up to 50 ACL rules per virtual machine endpoint
    Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
    Specify an ACL for a specific remote subnet IPv4 address
    As far as I know, we only could set 50 acl rules, 200+ different is too many, so it is not suitable for this scenario.
    Best Regards,
    Jambor
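
An added example (not from the thread or from Microsoft): it summarizes a permit list into CIDR ranges, checks the result against the 50-rule limit quoted above, and evaluates a source address in rule order with the default deny described in the answer to question 1. The addresses and the rule field names (`order`, `action`, `remote_subnet`) are constructed for illustration and are not an Azure API.

```python
import ipaddress

MAX_ACL_RULES = 50  # per-endpoint limit quoted in the thread


def summarize(addresses):
    """Collapse IPv4 hosts and ranges into the smallest equivalent list of CIDR blocks."""
    nets = [ipaddress.IPv4Network(a, strict=False) for a in addresses]
    return list(ipaddress.collapse_addresses(nets))


def build_permit_rules(addresses, first_order=100, step=10):
    """Return ordered permit rules, or raise if the summarized list exceeds the limit."""
    cidrs = summarize(addresses)
    if len(cidrs) > MAX_ACL_RULES:
        raise ValueError(
            f"{len(cidrs)} ranges after summarization; the limit is {MAX_ACL_RULES}"
        )
    return [
        {"order": first_order + i * step, "action": "permit", "remote_subnet": str(c)}
        for i, c in enumerate(cidrs)
    ]


def evaluate(rules, source_ip):
    """Apply rules from lowest to highest order; unmatched sources are denied."""
    ip = ipaddress.IPv4Address(source_ip)
    for rule in sorted(rules, key=lambda r: r["order"]):
        if ip in ipaddress.IPv4Network(rule["remote_subnet"]):
            return rule["action"]
    return "deny"


# Constructed permit lists (documentation address ranges).
CONTIGUOUS = [f"198.51.100.{h}" for h in range(192)]       # 192 adjacent hosts
SCATTERED = [f"203.0.113.{h}" for h in range(1, 64, 4)]    # 16 isolated hosts
PERMIT_LIST = CONTIGUOUS + SCATTERED                       # 208 addresses in total
TOO_SPARSE = [f"203.0.113.{h}" for h in range(1, 240, 4)]  # 60 isolated hosts

if __name__ == "__main__":
    rules = build_permit_rules(PERMIT_LIST)
    print(f"{len(PERMIT_LIST)} addresses -> {len(rules)} rules")
    for rule in rules[:3]:
        print(rule)
    for probe in ("198.51.100.77", "198.51.100.200", "203.0.113.6"):
        print(probe, evaluate(rules, probe))
    try:
        build_permit_rules(TOO_SPARSE)
    except ValueError as exc:
        print("rejected:", exc)
```
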

  • How to route traffic across subnets when one NIC is a hyper-V virtual switch?

    Having a bit of a problem with a hyper-V environment which does not seem to route network traffic on two different subnets between each other.
    If it were a purely physical server with two NICs and a gateway set traffic would automatically be forwarded between the two different subnets.
    However when one of those NICs is a hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets?
    Situation is:
    Hyper-V server with two NICs
    NIC 1 = 192.168.0/24 - main Internal company network.
    NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
    Virtualized Domain Controller.
    One or two virtualized NICs as necessary
    How then does traffic get routed between these two subnets?  If RRAS has to be configured to do this where is the best place to do it, on the hyper-V host or on the virtualized domain controller?
    Thanks,

    Hi,
    You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
    After you enable RRAS in hyper-v host there will be two gateways for different subnets.
    " NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router "
    The problem is here, if these VMs need to access internet.
    So, these VMs can not configure their gateway same as the IP of internal virtual switch; you may set VM's gateway as the ADSL internet router's IP, meanwhile add a static route entry for every VM.
    Please refer to the syntax:
    route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
    Hope this helps
    Best Regards
    Elton Ji
