Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
697
Views
15
Helpful
7
Replies

PBR to change default GW

Go to solution
Mokhalil82
Level 4
Level 4

‎05-28-2015 03:00 AM - edited ‎03-08-2019 12:14 AM

Hi

I am building some firewalls alongside my existing firewall. For testing I have created a test subnet on my core switch and I want this subnet to use the new firewalls as their default gateway.

So the core subnet is 192.168.10.0/24 on VLAN 100. So any traffic sourced from this subnet should use the new firewalls as their default gateway. I am configuring a rouute map to achieve this. Can someone verify if this is the correct config please.

 

ip access-list extended TEST_SUBNET_GW
permit 192.168.10.0 0.0.0.255 any

Routemap REDIRECT_TEST_SUBNET permit 10
match ip address TEST_SUBNET_GW
set ip default next-hop 192.168.10.10

int vlan 100
ip policy route-map REDIRECT_TEST_SUBNET

 

The acl captures the test subnet. The routemap matches the acl and sets the GW address to 192.168.10.10. Then I am applying this policy to my layer 3 interface on the core switch

 

Thankyou

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎05-28-2015 03:04 AM

Yes it seems correct configuration.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎05-28-2015 01:59 PM

My mistake and apologies to Bilal as well.

I thought that with the "set ip default next-hop .." command it would also use the default route that was already in the IP routing table pointing to your existing firewall(s).

But I just tested it and it doesn't ie. it uses the IP routing table for any specific routes but it doesn't use the default route that is in the routing table.

So yes it will do as you want and ignore my previous post except the bit about sending traffic back out of the same interface it came in on.

Learn something all the time on these forums :-)

Jon

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎05-28-2015 03:04 AM

Yes it seems correct configuration.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-28-2015 07:04 AM

It won't work as it is ie. you have used "set ip default next-hop .." which tells the switch to use the IP routing table first then if there is no route found use the next hop.

You need to change it to -

"set ip next-hop 192.168.10.10."

which tells it to use that next hop first.

However there are a couple of other issues -

1) the next hop is in the same IP subnet so the switch has to send the traffic back out of the SVI for vlan 100 to get to it.

I have seen this work and not work depending on the hardware used ie. routers generally are okay with this, L3 switches not so much.

So it may or may not work.

If it doesn't work then the obvious solution is to put the firewall in a separate vlan.

2) because you have used "any" in your acl that means traffic from vlan 100 clients to any other vlans/IP subnets on the switch will also be redirected to the firewall which is probably not what you want.

Jon

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎05-28-2015 12:32 PM

Hi Jon

I have used the default command because I want the switch to use the routing table first, only if there are no matches I want the switch to send the traffic to my new firewall instead of using the default route to my existing firewalls. 

This is so I can test internet connectivity through my new firewalls. Is this the right way of achieving this? 

Thanks

 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎05-28-2015 12:47 PM

I'm not sure I follow.

If there is a default route in the IP routing table pointing to your existing firewalls then that will be used but I thought you wanted to send the traffic from this specific subnet to your new firewalls.

Perhaps I have misunderstood ?

Jon

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎05-28-2015 01:22 PM

Hi Jon

I want this specific test subnet to use the new firewalls as their default gateway. I still want it to look at the routing table for specific routes within my internal network to allow it to get to internal networks, only when there are no matches, in normal circumstances it would at this point use the default route to my existing firewalls, but with PBR I want to change this next hop for this subnet to the new firewalls.

So If I ping 8.8.8.8 from the test subnet, it would not have a specific route to this ip in my routing table, so at this point I dont want it to go via my existing firewalls using that default route but instead via my new firewalls

I hope that makes it clearer

 

Thanks

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎05-28-2015 01:59 PM

My mistake and apologies to Bilal as well.

I thought that with the "set ip default next-hop .." command it would also use the default route that was already in the IP routing table pointing to your existing firewall(s).

But I just tested it and it doesn't ie. it uses the IP routing table for any specific routes but it doesn't use the default route that is in the routing table.

So yes it will do as you want and ignore my previous post except the bit about sending traffic back out of the same interface it came in on.

Learn something all the time on these forums :-)

Jon

0 Helpful

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎05-28-2015 02:30 PM

Thanks Jon, Much appreciated :-)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card