
Route-Map PBR with SAS

a guest
Jan 21st, 2020
Tested on a Cisco router with SAS and can confirm that this works!

Before you start the deployment, you want to make sure that the CACHEBOX is on its own Layer 3 interface in a different subnet to everything else in the network, otherwise this won't work.

Here is the config I used to get this working in GNS3:

Create an access list permitting client subnets to go to any destination via port 80:
config#ip access-list extended CACHEBOX80
config#permit tcp *subnet_ip* *wildcard_mask* any eq www (or http on Ruckus)

Create a route-map that will use this ACL and also redirect traffic to the CACHEBOX when traffic is going out of the network:
config#route-map CACHEBOX80-MAP permit 10
config#match ip address CACHEBOX80
config#set ip next-hop *cachebox_ip*

Apply this route-map to the client gateway interface of the Cisco/Ruckus device:
config#int *client_facing_interface*
config-if#ip policy route-map CACHEBOX80-MAP

If you aren't doing SAS, this is all of the config you will need. Now onto SAS:

Create an access list permitting traffic from any source to send traffic to your client subnets:
config#ip access-list extended CACHEBOX90
config#permit tcp any *subnet_ip* *wildcard_mask*

Create a route-map that will use this ACL and also redirect traffic to the CACHEBOX when traffic is coming back into the network:
config#route-map CACHEBOX90-MAP permit 10
config#match ip address CACHEBOX90
config#set ip next-hop *cachebox_ip*

Apply this route-map to the WAN interface of the Cisco/Ruckus device:
config#int *WAN_facing_interface*
config-if#ip policy route-map CACHEBOX90-MAP

As long as Source Address Spoofing is enabled on the CACHEBOX, you should be good to go!
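
The Python model below is an added example, not part of the original paste. It evaluates the two ACLs above with Cisco wildcard-mask matching and shows which packets each route-map redirects, including what happens when the CACHEBOX is attached to the client-facing interface instead of its own. Assumptions: the addresses and interface names are constructed, and policy routing is modelled as acting only on packets arriving on the interface where `ip policy` is applied.

```python
import ipaddress

# Constructed sample values (the paste itself only uses placeholders)
CLIENT_NET, WILDCARD = "192.168.10.0", "0.0.0.255"
CLIENT, SERVER = "192.168.10.25", "203.0.113.10"

def wc_match(ip, net, wildcard):
    """Cisco wildcard match: bits set in the wildcard mask are ignored."""
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (i & ~w) == (n & ~w)

def cachebox80(p):
    """permit tcp <client subnet> any eq www"""
    return p["proto"] == "tcp" and wc_match(p["src"], CLIENT_NET, WILDCARD) and p["dport"] == 80

def cachebox90(p):
    """permit tcp any <client subnet>  (no port qualifier, so any TCP matches)"""
    return p["proto"] == "tcp" and wc_match(p["dst"], CLIENT_NET, WILDCARD)

# Hypothetical interface names; the dedicated CACHEBOX interface carries no policy.
POLICY = {"clients": cachebox80, "wan": cachebox90}

def next_hop(pkt, ingress):
    """Return 'cachebox' when the route-map on the ingress interface matches."""
    acl = POLICY.get(ingress)
    return "cachebox" if acl and acl(pkt) else "routing-table"

def tcp(src, dst, sport, dport):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport}

def trace(cachebox_ingress):
    """Follow one HTTP request and reply; cachebox_ingress is where the CACHEBOX attaches."""
    request = tcp(CLIENT, SERVER, 40000, 80)
    reply = tcp(SERVER, CLIENT, 80, 40000)
    return {
        "client request": next_hop(request, "clients"),
        # With SAS the CACHEBOX re-sends the request using the client's source IP
        "cachebox request": next_hop(request, cachebox_ingress),
        "server reply": next_hop(reply, "wan"),
        "cachebox reply": next_hop(reply, cachebox_ingress),
    }

if __name__ == "__main__":
    for where in ("cachebox", "clients"):
        print(where, trace(where))
```

With the CACHEBOX on its own interface, its upstream request follows the routing table; attached to the client-facing interface, the same request matches CACHEBOX80 and is sent back to the CACHEBOX. The model also shows that CACHEBOX90 as written redirects all TCP returning to the client subnet, not only replies from port 80.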