09-16-2024 08:27 PM
Hello,
On our branch I have 2 paths to the internet, the 1st via local internet on the site and the 2nd via Head Office via WAN.
All traffic to other branches and Head Office should pass through Head Office via WAN, and all internet traffic, including to Microsoft Azure (using site-to-site VPN), should use local internet and fail over to HO via WAN if the local connection is down.
On the core switch I made a route-map like below:
ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ip access-list extended INET-VIA-FORTI
10 permit ip any any
route-map PBR-INET deny 10
match ip address Internal-DC
!
route-map PBR-INET permit 20
match ip address INET-VIA-FORTI
set ip next-hop 10.102.173.2
Then I applied it on the VLAN interface:
interface Vlan101
ip address 10.102.1.1 255.255.255.0
ip ospf 100 area 0.0.0.102
ip policy route-map PBR-INET
I also have a static route to our Azure (10.201.0.0/16) via local internet:
ip route 10.201.0.0 255.255.0.0 10.102.173.2
With the above configuration all hosts under VLAN 101 can access the internet via local internet, can access Azure via local internet, and can also access other branches and HO via WAN. So everything ran normally until I realized I have this ACL:
ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
This ACL is applied to the route map, and in my mind traffic to Azure with subnet 10.201.0.0/16 will match this ACL and the traffic should be denied by the route map:
route-map PBR-INET deny 10
match ip address Internal-DC
This means traffic to Azure should be routed to HO via WAN even though I have a static route to 10.201.0.0/16 via local internet, am I right?
09-17-2024 03:14 AM - edited 09-17-2024 03:19 AM
Hello @hs08 ,
Read my previous post in this thread; I think I have provided a possible configuration for PBR that will satisfy all your requirements:
VLAN 100 IP subnet : 10.100.0.0/16
VLAN 101 IP subnet: 10.101.0.0/16
Azure network IP subnet : 10.201.0.0/16
Edit:
If SVI Vlan101 and Vlan100 are directly attached to the core switch you need two route-maps, one to apply to SVI Vlan100 and one to be applied to SVI Vlan101.
Looking at your first post I think this is your case. So you need to create two PBR route-maps; they just differ in the next-hop set in the last block.
Alternatively you can apply the same PBR route-map on both SVIs; for the way I have written the extended ACLs it will work.
Hope to help
Giuseppe
09-16-2024 11:08 PM
Hello @hs08 ,
Traffic denied by the PBR route-map is routed in the standard manner using the available best route:
You have the following route:
>> ip route 10.201.0.0 255.255.0.0 10.102.173.2
So traffic to the Azure network will be routed to the specified next-hop 10.102.173.2, which is also the next-hop used by the route-map in the second clause.
So internet traffic and traffic to Azure are routed via the Forti firewall using the local internet handoff.
Hope to help
Giuseppe
09-16-2024 11:32 PM
Hi,
you have the following route:
>> ip route 10.201.0.0 255.255.0.0 10.102.173.2
So traffic to the Azure network will be routed to the specified next-hop 10.102.173.2, that is also the next-hop used by the route-map in the second clause.
Can I say the traffic should use local internet with next hop 10.102.173.2 because in the route-map I denied traffic from 10.0.0.0/8 to 10.0.0.0/8?
ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ip access-list extended INET-VIA-FORTI
10 permit ip any any
route-map PBR-INET deny 10
match ip address Internal-DC
!
route-map PBR-INET permit 20
match ip address INET-VIA-FORTI
set ip next-hop 10.102.173.2
09-16-2024 11:13 PM
ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 <<- To start solving the issue, explain this ACL. Keep in mind PBR is not used for traffic within the same subnet but for traffic between different subnets, so can you elaborate more about this ACL?
route-map PBR-INET deny 10
match ip address Internal-DC
09-16-2024 11:48 PM
As I mentioned previously, I have 2 connections for each site: one is a pure internet connection and the other is WAN. I set the main traffic to the internet and Azure for most subnets to use the local internet connection, and traffic to other branches or to HO should use the WAN connection for all subnets.
The WAN connection is also able to provide internet connectivity as a backup if the internet link on the site is down. The core switch at the HO has the OSPF configuration 'default-information originate', so the route to the internet 0.0.0.0/0 is distributed to all core switches on each site.
Let's say I want the VLAN 100 internet connection to use the HO internet; then I don't need to make any static route 0.0.0.0/0 because OSPF already distributes this route.
The VLAN 101 internet connection and Azure should use the local internet, so I must make one PBR to accomplish this, where the PBR will set the next-hop IP address to the local firewall on the site.
The main purpose of the ACL below is to make sure traffic to HO or other branches under subnet 101 will use the WAN link rather than the internet link. The local internet connection is only for internet connectivity for some subnets and for Azure for all subnets.
ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
route-map PBR-INET deny 10
match ip address Internal-DC
With this configuration all traffic is working normally, but when I checked in more detail this morning, I can see traffic to Azure uses both links (I can see traffic logs from 10.102.1.0/24 to Azure 10.201.0.0/16 on the local firewall and the HO firewall).
Also my logic says that because I have the above ACL, traffic to Azure should use HO via the WAN connection, since traffic to Azure 10.201.0.0/16 will match the ACL Internal-DC and this traffic is denied in the route-map.
Please share your opinion.
09-16-2024 11:56 PM
SubnetA-L2VPN-SubnetA
The same subnet in both sites needs L2VPN; it never uses the internet (Layer 3) to connect to each other.
MHM
09-17-2024 12:07 AM
I have no overlapping subnets.
HO subnet : 10.100.0.0/16
Branch-1 : 10.101.0.0/16
Branch-2 : 10.102.0.0/16
Branch-3 : 10.103.0.0/16
Azure : 10.201.0.0/16
09-17-2024 01:10 AM - edited 09-17-2024 01:16 AM
Hello @hs08 ,
If you want traffic to Azure to go to the HQ office you need to remove the static route using the local firewall as next-hop.
You can eventually change it to a floating static route to be used when OSPF is down.
Edit:
If you do not use OSPF on the WAN links the same idea can work: you will have a primary static route using the WAN link to HQ and a floating static route to use the local handoff, or you can do the opposite if this is what you want to achieve.
You can do the following:
conf t
no ip route 10.201.0.0 255.255.0.0 10.102.173.2
ip route 10.201.0.0 255.255.0.0 10.102.173.2 150
The 150 is an AD that is greater than the OSPF default AD of 110. In this way the local static route will become a backup route.
Note: this works if the branch office receives from HQ the same prefix in OSPF with the same prefix length.
PBR is not involved in routing to Azure because the traffic flow's packets match the first route-map block, which has a deny action.
Hope to help
Giuseppe
09-17-2024 01:51 AM
What I want is:
09-17-2024 02:38 AM
Hello @hs08 ,
Your current PBR configuration does not achieve the desired goals.
For the sake of simplicity let's suppose the following:
VLAN 100 IP subnet : 10.100.0.0/16
VLAN 101 IP subnet: 10.101.0.0/16
Azure network IP subnet : 10.201.0.0/16
! extended ACL ToAzure
ip access-list extended ToAzure
1 permit ip 10.100.0.0 0.1.255.255 10.201.0.0 0.0.255.255
! local subnets to Azure
ip access-list extended VL101-to-internet
permit ip 10.101.0.0 0.0.255.255 any
! above ACL for internet access of VLAN 101 subnet
ip access-list extended LOCAL-TO-DC
deny ip 10.100.0.0 0.1.255.255 10.201.0.0 0.0.255.255
permit ip 10.100.0.0 0.1.255.255 10.0.0.0 0.255.255.255
!
Given the above ACLs you can build a multi-block route-map starting from the most specific traffic flows:
route-map PBR permit 10
match ip address ToAzure
set ip next-hop 10.102.173.2
route-map PBR permit 20
match ip address LOCAL-TO-DC
set ip next-hop <WAN-IP-next-hop>
route-map PBR permit 30
match ip address VL101-to-internet
set ip next-hop 10.102.173.2
route-map PBR permit 40
set ip next-hop <WAN-IP-next-hop>
Warning: this single PBR route-map can be applied inbound on a device where VLAN 100 and VLAN 101 are not directly connected.
If these subnets are directly connected to your core switch you need to split the route-map and use two different route-maps, applied one to SVI Vlan100 and one to SVI Vlan101.
Hope to help
Giuseppe
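As an added example (written for this page, not code from the thread or from Cisco), the following Python models the PBR semantics discussed in the replies above: the original PBR-INET route-map, whose deny clause hands Azure traffic to normal routing (the 11:08 PM reply), the effect of demoting the 10.201.0.0/16 static to AD 150 so the OSPF route wins (the 01:10 AM reply), and the multi-clause route-map in this post. It assumes the thread's `<WAN-IP-next-hop>` placeholder for the WAN next-hop and an OSPF-learned routing table carrying 0.0.0.0/0, 10.100.0.0/16 and, in the floating-static case, 10.201.0.0/16 via the WAN.

```python
import ipaddress
# Added model of IOS PBR + routing-table behaviour (example code, not from the thread or Cisco).
WAN = "<WAN-IP-next-hop>"   # the thread's placeholder for the OSPF/WAN next-hop (assumed)
LOCAL_FW = "10.102.173.2"   # local Forti handoff from the original post

def acl_match(acl, src, dst):
    """IOS extended ACL: wildcard bit 1 = don't care. First matching ACE wins; none -> None."""
    def hit(ip, net, wc):
        keep = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & keep) == (int(ipaddress.IPv4Address(net)) & keep)
    for action, s_net, s_wc, d_net, d_wc in acl:
        if hit(src, s_net, s_wc) and hit(dst, d_net, d_wc):
            return action
    return None

def pbr_next_hop(route_map, acls, src, dst):
    """Clauses in sequence; a clause matches when its ACL permits (no ACL = match all). Deny or no match -> None."""
    for action, acl_name, next_hop in route_map:
        if acl_name is None or acl_match(acls[acl_name], src, dst) == "permit":
            return next_hop if action == "permit" else None
    return None

def rib_next_hop(rib, dst):
    """Longest-prefix match over a {prefix: next_hop} routing table."""
    d = ipaddress.IPv4Address(dst)
    cands = [ipaddress.IPv4Network(p) for p in rib if d in ipaddress.IPv4Network(p)]
    return rib[str(max(cands, key=lambda n: n.prefixlen))]

def forward(route_map, acls, rib, src, dst):
    return pbr_next_hop(route_map, acls, src, dst) or rib_next_hop(rib, dst)

# The original PBR-INET configuration and two routing tables: static present, and static demoted to AD 150.
ACLS = {"Internal-DC": [("permit", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255")],
        "INET-VIA-FORTI": [("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]}
PBR_INET = [("deny", "Internal-DC", None), ("permit", "INET-VIA-FORTI", LOCAL_FW)]
RIB_WITH_STATIC = {"10.201.0.0/16": LOCAL_FW, "10.100.0.0/16": WAN, "0.0.0.0/0": WAN}
RIB_FLOATING = {"10.201.0.0/16": WAN, "10.100.0.0/16": WAN, "0.0.0.0/0": WAN}  # OSPF (110) beats AD 150

# Giuseppe's multi-clause route-map: most specific flows first, clause 40 has no match (catch-all).
ACLS2 = {"ToAzure": [("permit", "10.100.0.0", "0.1.255.255", "10.201.0.0", "0.0.255.255")],
         "VL101-to-internet": [("permit", "10.101.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")],
         "LOCAL-TO-DC": [("deny", "10.100.0.0", "0.1.255.255", "10.201.0.0", "0.0.255.255"),
                         ("permit", "10.100.0.0", "0.1.255.255", "10.0.0.0", "0.255.255.255")]}
PBR2 = [("permit", "ToAzure", LOCAL_FW), ("permit", "LOCAL-TO-DC", WAN),
        ("permit", "VL101-to-internet", LOCAL_FW), ("permit", None, WAN)]

if __name__ == "__main__":
    print(forward(PBR_INET, ACLS, RIB_WITH_STATIC, "10.102.1.10", "10.201.5.5"))  # 10.102.173.2
    print(forward(PBR_INET, ACLS, RIB_FLOATING, "10.102.1.10", "10.201.5.5"))     # <WAN-IP-next-hop>
```

Because the deny clause only removes the flow from policy routing, the Azure destination follows whichever 10.201.0.0/16 route is installed, which is why the local static sends it to the Forti and the AD 150 version sends it over the WAN.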
09-17-2024 03:00 AM
Here is my requirement:
VLAN 100 IP subnet : 10.100.0.0/16
VLAN 101 IP subnet: 10.101.0.0/16
Azure network IP subnet : 10.201.0.0/16
09-17-2024 03:40 AM
Check this; if you have questions please ask.
MHM
09-17-2024 01:39 AM
Hello
Note: by default "set ip next-hop" ignores the routing table, so that static route will be ignored and PBR will take preference.
The easiest way to do PBR would be to policy route only your specific traffic and leave all other traffic to route via the default next hop. However, based on your OP it seems you are performing PBR against your default routing traffic.
If correct, I would say you just need to append another route-map stanza to permit that /24 traffic to also be policy routed; then there is no need for the static route.
no ip access-list extended INET-VIA-FORTI
route-map PBR-INET permit 20
no match ip address INET-VIA-FORTI <--- not required to match any any; it's a catch-all stanza so ANY other traffic will match anyway
ip access-list extended NET
permit ip any 10.201.0.0 0.0.255.255
route-map PBR-INET permit 5
match ip address NET
set ip next-hop 10.102.173.2
09-17-2024 01:54 AM
Hi @paul driver
ip access-list extended NET
permit ip any 10.201.0.0 0.0.255.255
route-map PBR-INET permit 5
match ip address NET
set ip next-hop 10.102.173.2
With that configuration my logic says only traffic to 10.201.0.0 will go to hop 10.102.173.2, am I correct?
What I want is: