10-23-2024 03:02 AM
I am trying to configure the policy routing in Cisco layer 3 switch C9300-24UX-A. The policy will push all packets toward firewalls using set ip next-hop command (firewall ip address). If the firewall is disconnected, the routing policy should discard traffic in the switch including inter-VLAN traffic.
Currently, policy routing is working partially, but it is capable of dropping the inter-VLAN traffic when the firewall is disconnected.
interface Vlan10
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map PBR1
!
interface Vlan20
 ip address 172.16.2.1 255.255.255.0
 ip policy route-map PBR1
!
interface Vlan99
 ip address 10.0.1.1 255.255.255.0
!
route-map PBR1 permit 10
 set ip next-hop 192.168.1.10
!
route-map PBR1 permit 20
 set ip next-hop 10.0.1.1
!
Do you have any idea how to drop the packet in the layer 3 switch when the firewall (192.168.1.10) is down (or not reachable)?
10-23-2024 03:39 AM
Hello!
I would use IP SLA with route-maps (PBR). A guide for Nexus (the config is similar for IOS-XE) can be found here.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x/configuring_ip_sla_pbr_object_tracking.pdf
BR
10-23-2024 03:40 AM
Another guide:
https://www.firewall.cx/cisco/cisco-routers/cisco-router-pbr-ipsla-auto-redirect.html
BR
10-23-2024 04:11 AM - edited 10-23-2024 04:12 AM
Thanks for sharing the URL links @DanielP211. We would like the inter-VLAN traffic when the firewall is down to prevent any security violation, since layer 3 allows all connected VLANs to route freely. Basically, the switch will do layer 3 routing while the firewall is enforcing security. If the firewall is disconnected, the switch should drop all internal traffic. Moving all SVIs to the firewall is the solution, but we want to keep layer 3 routing in the Cisco switch. Please let me know if you have any idea for these requirements.
10-23-2024 11:09 AM
I am not sure that there is a good solution for what you want to implement. From my understanding there are 2 parts in your requirements:
1) detect if the firewall is not operating and if not operating do not Policy Forward traffic. In PBR there is an optional parameter verify-availability which checks on access to the device next hop. This functionality is supported on some platforms, not supported on other platforms. I am not clear whether your platform supports this or not.
2) if the firewall is not functioning the switch should not do inter-VLAN routing. This is a much greater challenge. My suggestion is to configure an EEM script that will check on the functioning of the firewall and, if it detects failure of the firewall, will disable ip routing on the switch.
10-23-2024 08:35 PM
Hello @Richard Burts ,
if there is a need for distributed and in-sync PBR rules with multiple switches and with FWs in the path, all you need is a small SDN controller.
I know I have gone out of topic.
Thanks, Giuseppe
10-23-2024 11:39 AM
You can do many combinations as the other poster suggested; again, you need to test the failure scenarios that suit your environment.
Yes, you can retain the Layer 3 interface on the switch, route the traffic via the firewall, and create PBR and IP SLA.
As @Richard Burts suggested, you can also have an EEM script running that creates an ACL and removes the ACL between VLANs if the firewall collapses or the failure domain is hit.
10-23-2024 08:49 PM
I'm working on configuring policy-based routing (PBR) on a Cisco C9300 switch to ensure that all traffic is sent to a firewall. If the firewall becomes unreachable, I want the switch to drop the traffic instead of forwarding it.
To achieve this, I plan to use IP SLA to monitor the firewall's availability. If the firewall is down, a tracking object will allow the route-map to drop packets. Here’s a concise approach:
Set up IP SLA to ping the firewall.
Create a tracking object based on the IP SLA.
Modify the route-map to check the status of the firewall before routing traffic.
This way, if the firewall is not reachable, inter-VLAN traffic will be discarded, enhancing security.
If anyone has experience with this setup or tips for troubleshooting, I'd love to hear your insights!
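One way to wire the three steps above together, as an added example that is not from any poster in this thread and has not been verified on a C9300 (the ACL and applet names, the probe interval, the choice of Vlan10/Vlan20 as the SVIs to block, and the assumption that the firewall answers ICMP are all mine):

```ios
! Added example, not from the thread. Assumes 192.168.1.10 answers ICMP
! and that IP SLA, object tracking and EEM are available on this image.
ip sla 1
 icmp-echo 192.168.1.10
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track 1 goes down when the probe fails; delays avoid flapping
track 1 ip sla 1 reachability
 delay down 10 up 20
!
! Set the next hop only while track 1 is up. When it is down, the packet
! falls through to normal routing, so the switch would still route
! between VLANs; the EEM applets below close that gap with an ACL.
route-map PBR1 permit 10
 set ip next-hop verify-availability 192.168.1.10 10 track 1
!
! Deny-all ACL applied to each SVI while the firewall is unreachable
ip access-list extended FW-DOWN-BLOCK
 deny ip any any
!
event manager applet FW-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 2.0 cli command "interface Vlan10"
 action 2.1 cli command "ip access-group FW-DOWN-BLOCK in"
 action 3.0 cli command "interface Vlan20"
 action 3.1 cli command "ip access-group FW-DOWN-BLOCK in"
 action 4.0 cli command "end"
 action 5.0 syslog msg "Firewall 192.168.1.10 unreachable, blocking Vlan10/20"
!
event manager applet FW-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 2.0 cli command "interface Vlan10"
 action 2.1 cli command "no ip access-group FW-DOWN-BLOCK in"
 action 3.0 cli command "interface Vlan20"
 action 3.1 cli command "no ip access-group FW-DOWN-BLOCK in"
 action 4.0 cli command "end"
 action 5.0 syslog msg "Firewall 192.168.1.10 reachable again, unblocking Vlan10/20"
```

Check with `show track 1` and `show ip policy` that the track follows the firewall, and remember that the inbound deny-all also blocks management traffic sourced from those VLANs while it is applied.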
10-24-2024 08:00 AM
Your post and its objective are quite similar to the original post. The key point is this "Modify the route-map to check the status of the firewall before routing traffic" How would you intend to modify the route map? As I suggested in my previous response it seems that EEM might be the way to do this.
10-28-2024 11:45 AM
Debug ip policy <<- share this
Also share the topology.
MHM