Using PBR on Cisco 3850 to only allow certain VLANs to be routed

amanuelk · ‎10-17-2022

Hello friends

I am trying my best to understand routing and apply it to real network infrastructure, but am still having a problem with it. Let me share the network structure am trying on.

I am trying to use the OPNsense system as a gateway for my all internal networks to monitor traffic. Currently, I just wanted to test through VLAN 22 only, a VLAN am connected to, I didn't want to make trouble for other networks for now.

This is what am thinking, all traffic from VLAN 22 goes to OPNsense, and from the OPNsense server I will route some traffics destined to specific IP let's say 10.122.20.71 through Cisco Router, and other traffics routed to ASA for accessing the Internet. This is exactly what I trying to achieve. I tried to use PBR to only pass VLAN 22 interface on Cisco 3850 to OPNsense but I couldn't access the OPNsense directly from my computer in order to configure it.

Can someone please guide me with this, thank you.

paul driver · ‎10-17-2022

Hello

@amanuelk wrote:
I will route some traffics destined to specific IP let's say 10.122.20.71 through Cisco Router, and other traffics routed to ASA

Suggest by default all traffc is routed towards the ASA and then pollicy route any specific traffic via any alternatve next-hop.

Lastly can you elaborate a little on your topology?
What device is currenlty perfroming the routing for the vlans, as its there where you need to apply any policy route.

.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

amanuelk · ‎10-19-2022

@paul driverthanks

@paul driver wrote:
Suggest by default all traffc is routed towards the ASA and then pollicy route any specific traffic via any alternatve next-hop.

Actually, in my case, I am using OSPF on both Cisco 3850 switch and ASA [Internet], and a static route on Cisco 3850 switch to the next hop which is Cisco Router [another WAN]. I tried to show the current route on dotted lines in the above picture.

@paul driver wrote:
Lastly can you elaborate a little on your topology?
What device is currenlty perfroming the routing for the vlans, as its there where you need to apply any policy route.

The Cisco Switch 3850 where I have created the VLANs and the routing is done there too. As you said I tried to apply the policy on this switch, but specifically for VLAN 22 because that is the traffic I wanted to monitor for now as test.

Joseph W. Doherty · ‎10-17-2022

"I tried to use PBR to only pass VLAN 22 interface on Cisco 3850 to OPNsense but I couldn't access the OPNsense directly from my computer in order to configure it."

Your PC is in VLAN 22?

Does your OPNsense "know" how to route back to VLAN 22?

amanuelk · ‎10-19-2022

@Joseph W. Doherty wrote:
Your PC is in VLAN 22?

Yes.

@Joseph W. Doherty wrote:
Does your OPNsense "know" how to route back to VLAN 22?

That I didn't think of, since I couldn't connect to the OPNsense when I tried PBR on Core Switch 3850.