Catalyst 3650 - PBR

SuhaibElziq
Level 1

Dears,

I am testing a scenario where I have a 3650 Layer 3 switch as my core switch. I have 2 non-Cisco firewalls.

- Basically I have two different VLANs (Vlan 7 and Vlan 12); each VLAN should go to the internet through one of the firewalls.

- I have configured PBR under the interface SVI to route the traffic to the firewall.

- Now I am able to reach the internet, but I am facing an issue: the workstation is unable to ping the SVI's IP (gateway), and I am also unable to SSH to the switch.

Note:

- Vlan 7 and Vlan 12 are for users.

- Vlan 200 is for management.

- 192.168.7.1 is the first firewall IP.

- 192.168.4.3 is the second firewall IP.

Please find a copy of the configuration below:

!
ip routing
!
no ip domain-lookup
!
interface Vlan1
 no ip address
!
interface Vlan7
 ip address 192.168.7.3 255.255.255.0
 ip policy route-map VLAN7
!
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip policy route-map Vlan12
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
!
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 102 permit ip 192.168.12.0 0.0.0.255 any
access-list 103 permit ip 192.168.12.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 103 permit ip 192.168.12.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 103 permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 104 permit ip 192.168.7.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 permit ip 192.168.7.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
route-map VLAN12 permit 10
 match ip address 103 102
 set ip default next-hop 192.168.4.3
!
route-map VLAN7 permit 10
 match ip address 101
 set ip default next-hop 192.168.7.1
!
Any advice?

1 Accepted Solution


6 Replies

shaps
Level 3

It is possible that the route map you are using is forcing your workstation traffic over to the firewall; depending on how the routing is behaving, it may be routing back and forth between the firewall and the router. You may need to add a deny statement to stop the management destination being sent over to the firewall.

A traceroute may let you see what is happening, or you could look at debugging the PBR; you would likely see whether your traffic is being policy routed.

Yes, that is right that the route map is forcing the traffic to the firewall, but on the other side the workstations and the gateway are in the same subnet, so I should be able to access them without the need for the routes!

And this should also be the same for the other VLANs, since they are considered directly connected.

I already tried to use the below:

access-list 101 deny ip 192.168.7.0 0.0.0.255 host 192.168.7.1
access-list 101 permit ip 192.168.7.0 0.0.0.255 any

I got the same results.

a.alekseev
Level 7
!
interface Vlan7
 ip address 192.168.7.3 255.255.255.0
 ip policy route-map VLAN7
!
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip policy route-map Vlan12
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
!
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 102 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.12.0 0.0.0.255 any
!
route-map VLAN12 permit 10
 match ip address 102
 set ip default next-hop 192.168.4.3
!
route-map VLAN7 permit 10
 match ip address 101
 set ip default next-hop 192.168.7.1
!

It appears you have created a loop in the network when the destination network is hanging off the switch. The PBRs are configured to route all traffic to the firewall regardless of the destination. For example, when the destination network is 192.168.200.0, according to the PBR it will be sent over to the FW, and the FW will send it back to the switch; this will continue until the TTL value expires. You need to create another sequence number under the same PBR and not use a next-hop value for destination traffic that is local to the switch or behind the firewalls.

Let me know if I missed anything.
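To make the loop explanation above and the accepted ACL fix concrete, here is an added example (written for this page, not code from the thread or from Cisco) that evaluates the posted ACL 101 variants the way IOS does: first match wins, wildcard bits set to 1 are ignored, unmatched traffic hits the implicit deny, and a route-map sequence listing several ACLs matches when any one permits. It models the switch as forwarding every permitted packet to the set next hop, which is the behaviour the thread describes; the VLAN 7 host address 192.168.7.50 is a constructed sample.

```python
import ipaddress

# Constructed from the ACL lines posted in this thread, not from the switch itself.
ORIGINAL_ACL = "access-list 101 permit ip 192.168.7.0 0.0.0.255 any"
POSTER_ATTEMPT = """access-list 101 deny ip 192.168.7.0 0.0.0.255 host 192.168.7.1
access-list 101 permit ip 192.168.7.0 0.0.0.255 any"""
ACCEPTED_FIX = """access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.7.0 0.0.0.255 any"""

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(text):
    """{number: [(action, src, src_wc, dst, dst_wc), ...]} from numbered 'ip' ACL lines."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        src, src_wc = _addr(rest)
        dst, dst_wc = _addr(rest)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, src_wc, dst, dst_wc))
    return acls

def acl_permits(entries, src, dst):
    """First match wins; a wildcard bit of 1 means 'don't care'; no match is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, a_src, src_wc, a_dst, dst_wc in entries:
        sm, dm = 0xFFFFFFFF ^ src_wc, 0xFFFFFFFF ^ dst_wc
        if (s & sm) == (a_src & sm) and (d & dm) == (a_dst & dm):
            return action == "permit"
    return False

def pbr_next_hop(acl_text, acl_numbers, next_hop, src, dst):
    """A route-map sequence listing several ACLs matches when any one permits the packet.
    Returns the configured next hop, or None when the packet is left to the routing table."""
    acls = parse_acls(acl_text)
    return next_hop if any(acl_permits(acls.get(n, []), src, dst) for n in acl_numbers) else None

def vlan7_decision(acl_text, dst, src="192.168.7.50"):
    """Where route-map VLAN7 sends a packet from a VLAN 7 host (sample address) to dst."""
    return pbr_next_hop(acl_text, [101], "192.168.7.1", src, dst)
```

Running vlan7_decision against the three ACL variants shows why the poster's deny of only host 192.168.7.1 did not help (a packet for 192.168.200.1 is still sent to the firewall) while the 192.168.0.0/16 deny leaves all internal destinations to the routing table and still policy-routes internet traffic. Separately, IOS route-map names are case-sensitive, so an SVI bound to Vlan12 while the route-map is defined as VLAN12 is worth checking with show route-map.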

Hello a.alekseev,

I actually tested the below two days ago, but I got the same issue:

access-list 101 deny ip 192.168.7.0 0.0.0.255 host 192.168.7.1
access-list 101 permit ip 192.168.7.0 0.0.0.255 any

But the scenario you suggested above is actually working.

Thanks, mate.

rupeshdaga
Level 1

Hi,

Can someone tell me if the Cisco 3650-24PS-S supports 1000 OSPF routes, and if so, in which IOS XE version?
