How to configure policy based routing on 3750

Jason Flory

Hello everyone

In our datacenter we have a 3750 stack with the IP base image.  I have enabled PBR and reloaded the switch.  Show sdm prefer says I am using the default template.  The reason I want to use PBR is that we have 2 firewalls on the same network and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resources across the WAN and locally.

Created access list to identify traffic:

access-list 10 permit 10.2.3.59 (test workstation on vlan 3)

Created policy:

route-map TestASA permit 10
match ip address 10
set ip next-hop 10.2.0.3

Assigned policy to the user vlan3:

ip policy route-map TestASA

Results:

It changed the default gateway to the above gateway but I could not access any resources on any other VLAN, and could not access resources across the WAN.

Any help would be appreciated


19 Replies

andre.ortega

Hello Jason,

Is 3750 gateway for your workstation?

What is 3750 gateway?

Where are the internals resources? In another VLAN or behind firewalls?

Thank you for quick response

The 3750 is the gateway for the workstation.

Here is our config:

4 vlans

User Vlan 3 10.2.3.x /24

Server vlan 4 10.2.4.x /24

default vlan 1 192.168.100.1 /24

Internet transit vlan 254 10.2.0.x /24

We have multiple offices on MPLS and routing is done via OSPF.

Currently our default route to the internet is routed via transit VLAN 254.  On the transit VLAN we have 2 firewalls.  The production firewall is at 10.x.0.2 and the new firewall is .3 on the same VLAN.

My plan is to use policies when I want traffic from a particular host to use the new firewall instead of what our current default route is pointing to.

thanks

Jason,

your VLANs are routed by 3750 or by firewall?

cadet alain

Hi,

I think you should change your standard ACL to an extended one if you want to send traffic destined for the internet out a particular gateway. Also make sure that this gateway has a route back to your source VLAN.

Regards

Alain

Don't forget to rate helpful posts.


I figured a standard ACL would cover all IP traffic.  What is the reasoning to use extended?  The new firewall has appropriate routes back to the internal network.  Like I said, it worked but did not allow me access to anything else, only the gateway.

I have tried an extended access list with no luck.  As soon as I turn it on I lose connection to the host.

Any ideas

Hello Jason,

your VLANs are routed by 3750 or by firewall?

Please, show your new extended acl.

the workstation is directly connected to the 3750 and routes are configured on the 3750 as well.  No routing is done on ASA.

Here is the acl

access-list 102 permit ip host 10.2.4.240 any

Created policy:

route-map TestASA permit 102
match ip address 10
set ip next-hop 10.2.0.3

Assigned policy to the user vlan3:

ip policy route-map TestASA

I also tried set ip default next-hop 10.2.0.3 which did nothing at all.

Thanks

Hi Jason ,

From the very limited exposure I have , I am not sure it would be of much help but I can list out some points !

set ip default next-hop 10.2.0.3 - This would never work, as the routing order is as follows:

set ip default next-hop command - the destination-based routing method is used first, then the packet is passed to policy routing

set ip next-hop command - policy routed first, then passed on to the destination-based routing method

So you should be using the set ip next-hop command itself.

I manage an infrastructure where PBR is being used successfully. The user VLAN traffic to outside needs to be routed via an ISA Server ( in a different VLAN ) which regulates the levels of internet access (such as time based restrictions) based on AD user details. But some of the critical traffic such as email and all needs to be sent directly to the ASA

The PBR is configured on the Core Layer Catalyst 4503 Switch as follows

User VLANs - 172.17.X.X

Server VLAN - 10.55.X.X

ASA Inside Interface -10.55.66.100

ACL

access-list 101 deny   ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 101 deny   ip 172.17.0.0 0.0.255.255 10.55.0.0 0.0.255.255
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq pop3
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq smtp

Policy

route-map test permit 101
match ip address 101
set ip next-hop 10.55.66.100

Assigning Policy to a User VLAN

interface Vlan125
ip policy route-map test

I'm not sure, but still, could you try using deny statements on the ACL to select the traffic for which the new gateway is not required and see if that makes any difference to accessing internal network resources?

Regards,

Anup


Jason,

try to change your acl:

access-list 102 permit ip host 10.2.4.240 any
access-list 102 deny  ip host 10.2.4.240 YOUR_VLAN_1
access-list 102 deny  ip host 10.2.4.240 YOUR_VLAN_4
access-list 102 deny  ip host 10.2.4.240 YOUR_VLAN_254

Regards.

Ok

Wouldn't that deny the host access to the other VLANs?  My problem is that when I apply the policy to the VLAN the host cannot communicate with any other VLAN except the gateway.

I do see that Anup used denies in his ACL as well.

Anup

For the users using alternate routes can they still access all other internal resources?

Jason, the deny statement will prevent that traffic from being selected by PBR. Then that traffic will be forwarded by the normal routing table.

But I did a mistake. The ACL must be:

access-list 102 deny  ip host 10.2.4.240 YOUR_VLAN_1
access-list 102 deny  ip host 10.2.4.240 YOUR_VLAN_4
access-list 102 deny  ip host 10.2.4.240 YOUR_VLAN_254
access-list 102 permit ip host 10.2.4.240 any

Regards.

Hi Jason ,

Yes, there exists connectivity to all VLANs and it works perfectly. So I guess, as Andre pointed out and looking through the configurations at my end, the deny access list entries seem to be the ones missing there.

Regards,
Anup

Don't forget to rate if you found this helpful !


Sorry guys for late reply

Vacation

I tried it and it worked!!  I am really having a hard time understanding what the hell I did.  When I saw all the deny statements I honestly thought there is no way this will work but figured I had to at least try.

Here is what I ended up with.  Instead of calling out each VLAN I did a blanket deny for 10.x.x.x and 192.168.x.x because these hosts have to communicate with all of our networks nationwide.

access-list 102 deny   ip host 10.2.4.240 192.168.0.0 0.0.255.255
access-list 102 deny   ip host 10.2.4.240 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.2.4.240 any

route-map TestASA permit 10
match ip address 102
set ip next-hop 10.2.0.3

Assigned policy to vlan 4 and worked like a charm

thanks everyone for your help
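As an added illustration (not from the original thread, and not Cisco's code), the following Python model replays the ACLs posted above against a constructed routing table to show why the deny entries fix the problem and why the first attempt cut the host off from every other VLAN: in a route-map ACL, "deny" means "not policy routed, fall back to the normal routing table", never "dropped". It also models the evaluation order Anup describes for set ip next-hop versus set ip default next-hop. The routing table, the OSPF next hop 10.2.0.254 for the MPLS offices, and the test destinations are assumptions; only "ip" protocol entries are parsed.

```python
"""Model of how an IOS route-map ACL selects traffic for policy-based routing.

Constructed illustration for the 3750 PBR thread (not Cisco code). It shows
that a 'deny' entry exempts traffic from PBR rather than dropping it, and how
'set ip next-hop' differs from 'set ip default next-hop'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def _wildcard_to_net(addr: str, wildcard: str) -> IPv4Net:
    """Convert an IOS address/wildcard pair (e.g. 10.0.0.0 0.255.255.255) to a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not modelled")
    return IPv4Net((addr, 32 - wc.bit_length()), strict=False)


def _parse_addr_spec(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse 'host A', 'any' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return IPv4Net(f"{tokens[i + 1]}/32"), i + 2
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    return _wildcard_to_net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse extended 'access-list N permit|deny ip SRC DST' lines as typed in the thread."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _parse_addr_spec(t, 4)
        dst, _ = _parse_addr_spec(t, i)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def acl_action(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def rib_lookup(rib: List[Tuple[str, str]], dst: str) -> Optional[Tuple[IPv4Net, str]]:
    """Longest-prefix match over (prefix, next_hop) pairs; None when no route exists."""
    d = ipaddress.IPv4Address(dst)
    hits = [(IPv4Net(p), nh) for p, nh in rib if d in IPv4Net(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def forward(src: str, dst: str, acl: List[AclEntry], policy_next_hop: str,
            rib: List[Tuple[str, str]], default_only: bool = False) -> Tuple[str, Optional[str]]:
    """Decide the next hop for one routed packet.

    default_only=False models 'set ip next-hop': an ACL permit wins over the RIB.
    default_only=True  models 'set ip default next-hop': the RIB is consulted first and
    the policy next hop is used only when nothing more specific than the default exists.
    A deny (explicit or implicit) means 'not policy routed', not 'dropped'.
    """
    route = rib_lookup(rib, dst)
    permitted = acl_action(acl, src, dst) == "permit"
    has_specific_route = route is not None and route[0].prefixlen > 0
    if permitted and (not default_only or not has_specific_route):
        return ("policy", policy_next_hop)
    if route is None:
        return ("drop", None)
    return ("rib", route[1])


# Constructed RIB matching the thread: 3750 routes the VLANs, default via the
# production firewall .2, the new ASA is .3 on transit VLAN 254. The OSPF summary
# and its next hop 10.2.0.254 are assumptions standing in for the MPLS offices.
RIB = [
    ("10.2.3.0/24", "connected"),       # user VLAN 3
    ("10.2.4.0/24", "connected"),       # server VLAN 4
    ("192.168.100.0/24", "connected"),  # VLAN 1
    ("10.2.0.0/24", "connected"),       # transit VLAN 254
    ("10.0.0.0/8", "10.2.0.254"),       # assumed OSPF route toward MPLS (hypothetical hop)
    ("0.0.0.0/0", "10.2.0.2"),          # production firewall
]
NEW_ASA = "10.2.0.3"
ORIGINAL_ACL = ["access-list 102 permit ip host 10.2.4.240 any"]
FINAL_ACL = [
    "access-list 102 deny   ip host 10.2.4.240 192.168.0.0 0.0.255.255",
    "access-list 102 deny   ip host 10.2.4.240 10.0.0.0 0.255.255.255",
    "access-list 102 permit ip host 10.2.4.240 any",
]


def compare(dst: str) -> Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]:
    """Next hop for 10.2.4.240 -> dst under the original ACL and under the final ACL."""
    return (forward("10.2.4.240", dst, parse_acl(ORIGINAL_ACL), NEW_ASA, RIB),
            forward("10.2.4.240", dst, parse_acl(FINAL_ACL), NEW_ASA, RIB))


if __name__ == "__main__":
    for d in ("10.2.3.59", "10.7.1.10", "192.168.100.50", "8.8.8.8"):
        print(d, *compare(d))
```

Running it shows the two behaviours side by side: with the single permit, every routed packet from 10.2.4.240, including those for VLAN 3, VLAN 1 and the MPLS offices, is handed to 10.2.0.3, which is the symptom described at the start of the thread; with the deny entries in front, only destinations outside 10/8 and 192.168/16 go to the new ASA and everything else follows the routing table. The default-next-hop branch follows the order Anup describes; the thread reports that it did nothing on the 3750 stack, and this model does not try to explain that platform behaviour.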