Cisco switch IOS XE - fail deny policy route to firewall for security

netuser12
Level 1

I am trying to configure policy routing on a Cisco layer 3 switch, a C9300-24UX-A. The policy will push all packets toward the firewalls using the set ip next-hop command (firewall IP address). If the firewall is disconnected, the routing policy should discard traffic in the switch, including inter-VLAN traffic.
Currently, policy routing is working partially, but it is capable of dropping the inter-VLAN traffic when the firewall is disconnected.

interface Vlan10
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map PBR1
!
interface Vlan20
 ip address 172.16.2.1 255.255.255.0
 ip policy route-map PBR1
!
interface Vlan99
 ip address 10.0.1.1 255.255.255.0
!
route-map PBR1 permit 10
 set ip next-hop 192.168.1.10
!
route-map PBR1 permit 20
 set ip next-hop 10.0.1.1
!
Do you have any idea how to drop the packets in the layer 3 switch when the firewall (192.168.1.10) is down (or not reachable)?

9 Replies

Hello!

I would use IP SLA with route-maps (PBR). A guide for Nexus (the config is similar for IOS-XE) can be found here.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x/configuring_ip_sla_pbr_object_tracking.pdf

BR

****Kindly rate all useful posts*****

Another guide:
https://www.firewall.cx/cisco/cisco-routers/cisco-router-pbr-ipsla-auto-redirect.html


BR

****Kindly rate all useful posts*****

netuser12
Level 1

Thanks for sharing the URL links @DanielP211. We would like the inter-VLAN traffic dropped when the firewall is down, to prevent any security violation, since layer 3 allows all connected VLANs to route freely. Basically, the switch will do layer 3 routing while the firewall is enforcing security. If the firewall is disconnected, the switch should drop all internal traffic. Moving all SVIs to the firewall is a solution, but we want to keep layer 3 routing in the Cisco switch. Please let me know if you have an idea for these requirements.

I am not sure that there is a good solution for what you want to implement. From my understanding there are 2 parts in your requirements:

1) detect if the firewall is not operating, and if it is not operating, do not policy-forward traffic. In PBR there is an optional parameter, verify-availability, which checks on access to the next-hop device. This functionality is supported on some platforms and not on others. I am not clear whether your platform supports this or not.

2) if the firewall is not functioning, the switch should not do inter-VLAN routing. This is a much greater challenge. My suggestion is to configure an EEM script that will check on the functioning of the firewall and, if it detects failure of the firewall, will disable ip routing on the switch.

HTH

Rick

Hello @Richard Burts ,

if there is a need for distributed and in-sync PBR rules with multiple switches and FWs in the path, all you need is a small SDN controller.

 I know I have gone out of topic

Thanks, Giuseppe

You can do many combinations, as the other posters suggested; again, you need to test the failure scenarios that suit your environment.

Yes, you can retain the Layer 3 interfaces on the switch, route the traffic via the firewall, and create PBR and IP SLA.

As @Richard Burts suggested, you can also have an EEM script running that creates and removes an ACL between the VLANs if the firewall collapses or fails.

BB

***** Rate All Helpful Responses *****


dainalthomas01
Level 1

I'm working on configuring policy-based routing (PBR) on a Cisco C9300 switch to ensure that all traffic is sent to a firewall. If the firewall becomes unreachable, I want the switch to drop the traffic instead of forwarding it.

To achieve this, I plan to use IP SLA to monitor the firewall's availability. If the firewall is down, a tracking object will allow the route-map to drop packets. Here’s a concise approach:

1. Set up IP SLA to ping the firewall.
2. Create a tracking object based on the IP SLA.
3. Modify the route-map to check the status of the firewall before routing traffic.

This way, if the firewall is not reachable, inter-VLAN traffic will be discarded, enhancing security.

If anyone has experience with this setup or tips for troubleshooting, I'd love to hear your insights!
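The three steps above, written out as an IOS-XE configuration. This is an added example and not configuration posted in this thread; it reuses the original post's addresses (SVIs 172.16.1.1/24 and 172.16.2.1/24, firewall 192.168.1.10) and assumes the switch reaches the firewall from a source address of 192.168.1.1. The ACL name PBR-TO-FW is invented. The important detail is the last set statement: when verify-availability finds the next hop down, a route-map entry with no other set falls through to the routing table, and the switch routes between the VLANs directly, which is exactly the behaviour the original post wants to avoid. A following "set interface Null0" gives the entry something to do with the packet instead.

```cisco
! Added example, not from the thread. Addresses from the original post;
! the source-ip and the ACL name are assumptions. Verify on the real platform.

! 1. IP SLA: ICMP echo to the firewall every 5 s (timeout/threshold in ms)
ip sla 1
 icmp-echo 192.168.1.10 source-ip 192.168.1.1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now

! 2. Tracking object; the delays stop one lost probe from flapping the PBR
track 1 ip sla 1 reachability
 delay down 10 up 30

! 3. Match the traffic to be inspected explicitly. The original route-map
!    had no match clause, so sequence 10 matched everything and sequence 20
!    could never be reached.
ip access-list extended PBR-TO-FW
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any

! Route-map: forward to the firewall only while track 1 is up; if the
! next hop is unavailable, discard instead of falling back to normal routing
route-map PBR1 permit 10
 match ip address PBR-TO-FW
 set ip next-hop verify-availability 192.168.1.10 10 track 1
 set interface Null0

interface Vlan10
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map PBR1
!
interface Vlan20
 ip address 172.16.2.1 255.255.255.0
 ip policy route-map PBR1
```

Check the result with "show track 1", "show ip sla statistics 1" and "show route-map PBR1" (the policy match counters should stop increasing on the firewall path and move to the Null0 action once the track goes down). Whether hardware PBR on a given Catalyst model honours "set interface Null0" after a failed verify-availability is platform-dependent, as Rick notes above; it has to be tested on the switch in question, and the EEM/ACL approach is the fallback if it is not supported. Traffic the IP SLA probe generates is locally sourced and is not subject to the interface policy, so the probe itself is not affected by the route-map.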

Your post and its objective are quite similar to the original post. The key point is this: "Modify the route-map to check the status of the firewall before routing traffic". How would you intend to modify the route map? As I suggested in my previous response, it seems that EEM might be the way to do this.

HTH

Rick
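An EEM applet of the kind Rick and BB describe, as an added example that is not configuration from the thread. Rick suggests disabling ip routing outright; this version follows BB's variant and attaches an ACL to the two SVIs instead, so that management access to the switch and the IP SLA probe keep working while the firewall is down. It assumes the same addresses as the original post and an IP SLA/track pair monitoring the firewall; the ACL and applet names (FW-DOWN-BLOCK, FW-DOWN, FW-UP) are invented.

```cisco
! Added example, not from the thread. Addresses from the original post;
! source-ip, ACL and applet names are assumptions.

! Reachability monitor for the firewall (same idea as the IP SLA suggestion)
ip sla 1
 icmp-echo 192.168.1.10 source-ip 192.168.1.1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 30

! ACL that blocks direct inter-VLAN traffic and nothing else.
! It is attached only while the firewall is unreachable.
ip access-list extended FW-DOWN-BLOCK
 remark block VLAN10 <-> VLAN20 while the firewall is down
 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
 remark everything else (management, SLA probe path) stays reachable
 permit ip any any

! Firewall goes down: apply the ACL inbound on both SVIs and log it
event manager applet FW-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Vlan10"
 action 1.3 cli command "ip access-group FW-DOWN-BLOCK in"
 action 1.4 cli command "interface Vlan20"
 action 1.5 cli command "ip access-group FW-DOWN-BLOCK in"
 action 1.6 cli command "end"
 action 1.7 syslog priority warnings msg "Firewall 192.168.1.10 unreachable: inter-VLAN traffic blocked"

! Firewall comes back: remove the ACL again
event manager applet FW-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Vlan10"
 action 1.3 cli command "no ip access-group FW-DOWN-BLOCK in"
 action 1.4 cli command "interface Vlan20"
 action 1.5 cli command "no ip access-group FW-DOWN-BLOCK in"
 action 1.6 cli command "end"
 action 1.7 syslog priority notifications msg "Firewall 192.168.1.10 reachable: inter-VLAN ACL removed"
```

Inbound ACLs are evaluated before policy routing, so the ACL closes the hole regardless of what the route-map does when its next hop disappears. The "delay down 10 up 30" on the track is what keeps the applets from toggling the ACL on every lost ping; tune it to the failover time of the firewall. If AAA command authorization is enabled, the applet may additionally need an "event manager session cli username" entry so its CLI actions are authorized; test both the down and up transitions by shutting the firewall-facing link, and confirm with "show event manager history events" and "show ip interface Vlan10".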

debug ip policy <<- share this

Also share the topology

MHM
