10-16-2019 05:49 AM
Hello!
The main objective is to redirect the traffic of all VLANs to an inter-vlan Firewall.
Can I do that with PBR?
The idea is to forward all packets to the firewall without looking at the routing table (routing table override).
Configuration would be like that:
ip access-list standard acl-anyip
 permit any
!
interface Vlan10
 description Network to firewall
 ip address 172.16.0.1 255.255.255.0
 ! no "ip policy route-map" on this SVI: packets arriving from the firewall
 ! would otherwise match "permit any" and be policy-routed straight back to it
!
interface Vlan100
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map ivsec
!
interface Vlan200
 ip address 172.16.2.1 255.255.255.0
 ip policy route-map ivsec
!
route-map ivsec permit 10
 match ip address acl-anyip
 set ip next-hop 172.16.0.2
 ! 172.16.0.2 is the firewall's IP address on Vlan10
Please do not be too strict about the config... I took it straight out of my head as an idea.
Thanks a lot in advance.
Lanello Carrau
Switch# show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.06.02.E RELEASE SOFTWARE (fc1)
10-16-2019 06:37 AM
Yes, PBR is the feature to bypass the routing table and force the traffic to a different next hop.
Your config logic also looks good. Here is a link for PBR on the 4500 as well
10-16-2019 07:36 AM - edited 10-16-2019 07:38 AM
Hi Lanello,
Yes, this should work. Tried in lab:
Extended IP access list ALL_TRAFFIC
10 permit ip any any
R2#sh route-map
route-map ALL_TRAFFIC, permit, sequence 10
Match clauses:
ip address (access-lists): ALL_TRAFFIC
Set clauses:
ip next-hop 10.10.23.2
Policy routing matches: 18 packets, 1290 bytes
R2#
interface FastEthernet1/1.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip policy route-map ALL_TRAFFIC
end
R2(config-subif)#
ip route 0.0.0.0 0.0.0.0 10.10.12.2
Trace from a 'PC' without route-map:
PC#trace 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.10.1 76 msec 32 msec 28 msec
2 10.10.12.2 28 msec 48 msec 32 msec
3 10.21.10.2 40 msec 52 msec 44 msec
PC#
Trace from a 'PC' with route-map applied:
PC#trace 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.10.1 96 msec 16 msec 28 msec
2 10.10.23.2 64 msec 60 msec 60 msec
3 10.20.10.1 72 msec 60 msec 68 msec
PC#
10-16-2019 06:42 AM
Hi,
You can do the same with PBR, and PBR will take precedence over the routing table. Keep in mind that all source and destination networks must match in the ACL "acl-anyip"; otherwise non-matching traffic will be routed through the normal routing table.
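The two caveats raised in this thread (traffic that does not match the route-map's ACL, or that arrives on an SVI without "ip policy", silently falls through to the routing table and bypasses the firewall; "ip policy" on the firewall-facing SVI would send the firewall's own returning packets back to it) are easy to reason about with a small model of how IOS evaluates PBR: the route-map is checked on the ingress interface first, and only non-matching packets reach longest-prefix lookup. The script below is an added example and is not part of the thread or Cisco's code. It uses the addresses and SVI names from the original post; Vlan300 (an SVI someone forgot to attach the policy to), the default route via the firewall, and the forward()/audit() function names are assumptions made for the illustration.

```python
import ipaddress

# Added example (not from the thread). Addresses and SVI names follow the original
# post; Vlan300 and the default route via the firewall are assumptions used to
# show the failure modes.

FIREWALL = ipaddress.ip_address("172.16.0.2")   # firewall's address on Vlan10

# SVI name -> (connected prefix, route-map applied with 'ip policy', or None)
SVIS = {
    "Vlan10":  ("172.16.0.0/24", None),      # firewall-facing SVI, deliberately no policy
    "Vlan100": ("172.16.1.0/24", "ivsec"),
    "Vlan200": ("172.16.2.0/24", "ivsec"),
    "Vlan300": ("172.16.3.0/24", None),      # assumed: an SVI someone forgot to policy
}

# Standard ACLs match on source only: name -> [(action, prefix), ...], implicit deny at end
ACLS = {
    "acl-anyip": [("permit", "0.0.0.0/0")],
}

# route-map name -> [(match ACL, set ip next-hop), ...] in sequence order
ROUTE_MAPS = {
    "ivsec": [("acl-anyip", FIREWALL)],
}


def routing_table(svis):
    """Connected routes from the SVIs plus an assumed default route via the firewall."""
    rib = [(ipaddress.ip_network(net), None, name) for name, (net, _) in svis.items()]
    rib.append((ipaddress.ip_network("0.0.0.0/0"), FIREWALL, "Vlan10"))
    return rib


def acl_permits(acl_name, src):
    """Evaluate a standard ACL against the packet's source address."""
    for action, prefix in ACLS[acl_name]:
        if src in ipaddress.ip_network(prefix):
            return action == "permit"
    return False  # implicit deny


def lpm(rib, dst):
    """Longest-prefix match: returns (prefix, next_hop or None for connected, egress SVI)."""
    best = None
    for entry in rib:
        if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def forward(ingress, src, dst, svis=SVIS):
    """Decide how the switch forwards a packet arriving on the SVI `ingress`.

    PBR is evaluated on the ingress SVI before the routing table: a route-map match
    sends the packet to the configured next hop, anything else is left to the RIB.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rib = routing_table(svis)
    _, policy = svis[ingress]
    if policy:
        for acl_name, next_hop in ROUTE_MAPS[policy]:
            if acl_permits(acl_name, src):
                _, _, egress = lpm(rib, next_hop)   # the next hop itself is resolved via the RIB
                return {"via": "pbr", "next_hop": str(next_hop), "egress": egress}
    _, next_hop, egress = lpm(rib, dst)
    return {"via": "rib", "next_hop": "connected" if next_hop is None else str(next_hop),
            "egress": egress}


def audit(svis=SVIS, firewall_svi="Vlan10"):
    """Flag SVIs that let inter-VLAN traffic skip the firewall, or that would loop it."""
    findings = []
    for name, (_, policy) in svis.items():
        if name == firewall_svi and policy:
            findings.append(f"{name}: 'ip policy' on the firewall-facing SVI sends the "
                            f"firewall's returning traffic straight back to the firewall")
        elif name != firewall_svi and not policy:
            findings.append(f"{name}: no 'ip policy', inter-VLAN traffic bypasses the firewall")
    return findings


if __name__ == "__main__":
    print(forward("Vlan100", "172.16.1.10", "172.16.2.10"))   # policy-routed to the firewall
    print(forward("Vlan300", "172.16.3.10", "172.16.2.10"))   # no policy: routed directly, bypass
    print(forward("Vlan10", "172.16.2.10", "172.16.1.10"))    # firewall's return leg, normal routing
    for finding in audit():
        print("FINDING:", finding)
```

Running it shows the Vlan100 packet leaving towards 172.16.0.2 on Vlan10 while the Vlan300 packet is delivered directly to Vlan200 without ever touching the firewall, which is exactly the gap the post above warns about; adding "ivsec" to Vlan10 in SVIS and re-running forward() for a packet that the firewall has just sent back shows it being policy-routed out Vlan10 again.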