Hi Alessandro,

We're migrating from one firewall to another.  The default route points to our old firewall, and I'm wanting to migrate system by system (or group of systems) over.  We have quite a number of clinical and medical systems that need to maintain access.

The plan has been to use PBR on a group by group basis to migrate to the new firewall, and test/confirm access, rather than a big bang, and have a possibility of numerous issues.

Then finally migrate the default route for the user base.  However as I thought the policy needed to be on the ingress, it means I'll need to apply it to ~200 VLAN interfaces on a VSS 6800 pair.

Thanks.

Hi IT,

if your old firewall is PBR capable (e.g. Cisco 5500-X with 9.4(1) version) you could try to redirect traffic ingressing the old firewall to the new one, adding a source vlan one-by-one inside the acl using for redirection, this will also insert another hop between users and new firewall. If not i'm afraid you'have to apply PBR on every ingress vlan in your 6800.

I don't think it is capable.  It's an old checkpoint, we're upgrading to ASA.

I would like to comment on the initial response that "you can apply PBR only for ingress traffic and not for egress". It is certainly true that you must apply the PBR route map on the ingress interface and not supported to apply the PBR route map on the egress interface. But it may be quite possible to do PBR for egress traffic by matching on the destination address of traffic using that egress interface. Without knowing more about the topology of the network and the addressing involved we can not say how effective PBR for egress traffic would be.

HTH

Rick

That's sort of correct.

Attached image is a GNS test for PBR.

Topology shows PC1-4 as clients to a switch, then router depicting a 6800.  Servers run through nexus to the 6800.  Each segment is its own L2 domain so all routing is done at the 6800.

This has a default route to a checkpoint FW.

However the migration isn't a subnet by subnet basis.  We have a number of Systems on static NAT through the firewall, which suppliers have either remote access to, OR are used as fixed endpoints for access and clinical information flows.

It's these NAT's that I'm wanting to migrate.  The NAT and PBR with a fixed inbound interface router is easy.  However I was hoping that I'd have an easier solution of egress VLAN PBR, but doesn't seem that way.

Also in the live network the two firewalls are on different VLANs/Subnets.

I think I'll just settle for the ingress interface.   The only other option is a fixed gig router to pass the traffic via, and PBR that single ingress interface.

Thanks

** EDIT

Just had a thought. Anyone know the PBR throughput on a 3850?

I could add one to the topology and use it with "no ip redirects" as the DGW.  The Connection out of the organisation are only 200Mb

I believe that part of the issue is relatively straight forward. The PBR route map must be applied to the interface where the packets enter the 6800 and can not be on the exit interface. If you want to move groups of devices and not necessarily subnet by subnet then it should be quite possible. There are a number of things that you can match on in the PBR route map. You can match on source address, or destination address, or protocol port number. With 200 vlans and we done know how many devices but probably a lot, then the process of configuring and implementing PBR will be labor intensive and complex but it should be quite possible.

I am interested in this part of the recent post "However the migration isn't a subnet by subnet basis.  We have a number of Systems on static NAT through the firewall, which suppliers have either remote access to, OR are used as fixed endpoints for access and clinical information flows." Using PBR can address forwarding of packets inside your network and which firewall they get forwarded to. But transitioning NAT adds another level of complexity to what you need to do and I believe that PBR is not a factor in how to transition NAT from one firewall to another.

HTH

Rick