05-28-2015 03:00 AM - edited 03-08-2019 12:14 AM
Hi
I am building some firewalls alongside my existing firewall. For testing I have created a test subnet on my core switch and I want this subnet to use the new firewalls as their default gateway.
So the core subnet is 192.168.10.0/24 on VLAN 100, and any traffic sourced from this subnet should use the new firewalls as their default gateway. I am configuring a route map to achieve this. Can someone verify if this is the correct config please?
ip access-list extended TEST_SUBNET_GW
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map REDIRECT_TEST_SUBNET permit 10
 match ip address TEST_SUBNET_GW
 set ip default next-hop 192.168.10.10
!
interface Vlan100
 ip policy route-map REDIRECT_TEST_SUBNET
The ACL captures the test subnet. The route-map matches the ACL and sets the GW address to 192.168.10.10. Then I am applying this policy to my layer 3 interface on the core switch.
Thank you
05-28-2015 03:04 AM
Yes, it seems a correct configuration.
05-28-2015 07:04 AM
It won't work as it is, i.e. you have used "set ip default next-hop ...", which tells the switch to use the IP routing table first and then, if there is no route found, use the next hop.
You need to change it to
"set ip next-hop 192.168.10.10"
which tells it to use that next hop first.
However there are a couple of other issues -
1) The next hop is in the same IP subnet, so the switch has to send the traffic back out of the SVI for VLAN 100 to get to it.
I have seen this work and not work depending on the hardware used, i.e. routers generally are okay with this, L3 switches not so much.
So it may or may not work.
If it doesn't work then the obvious solution is to put the firewall in a separate vlan.
2) Because you have used "any" in your ACL, traffic from VLAN 100 clients to any other VLANs/IP subnets on the switch will also be redirected to the firewall, which is probably not what you want.
Jon
05-28-2015 12:32 PM
Hi Jon
I have used the default command because I want the switch to use the routing table first; only if there are no matches do I want the switch to send the traffic to my new firewall instead of using the default route to my existing firewalls.
This is so I can test internet connectivity through my new firewalls. Is this the right way of achieving this?
Thanks
05-28-2015 12:47 PM
I'm not sure I follow.
If there is a default route in the IP routing table pointing to your existing firewalls then that will be used but I thought you wanted to send the traffic from this specific subnet to your new firewalls.
Perhaps I have misunderstood?
Jon
05-28-2015 01:22 PM
Hi Jon
I want this specific test subnet to use the new firewalls as their default gateway. I still want it to look at the routing table for specific routes within my internal network so it can reach internal networks; only when there are no matches (where in normal circumstances it would at this point use the default route to my existing firewalls) do I want PBR to change the next hop for this subnet to the new firewalls.
So if I ping 8.8.8.8 from the test subnet, it would not have a specific route to this IP in my routing table, so at this point I don't want it to go via my existing firewalls using that default route but instead via my new firewalls.
I hope that makes it clearer
Thanks
05-28-2015 01:59 PM
My mistake and apologies to Bilal as well.
I thought that with the "set ip default next-hop .." command it would also use the default route that was already in the IP routing table pointing to your existing firewall(s).
But I just tested it and it doesn't, i.e. it uses the IP routing table for any specific routes but it doesn't use the default route that is in the routing table.
So yes it will do as you want and ignore my previous post except the bit about sending traffic back out of the same interface it came in on.
Learn something all the time on these forums :-)
Jon
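A small model of the forwarding decision discussed in this thread, added here as an illustration and not code from any of the posters: it compares "set ip next-hop" with "set ip default next-hop" for a source in the 192.168.10.0/24 test subnet. The routing table entries other than the test subnet (VLAN 200, 10.0.0.0/8, the existing-firewall default 192.168.10.1) are constructed sample values.

```python
import ipaddress

# Constructed core-switch routing table: (prefix, next hop). Only the
# 192.168.10.0/24 test subnet and the 192.168.10.10 new firewall come
# from the thread; the rest are assumed sample values.
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.10.0/24"), "connected vlan100"),
    (ipaddress.ip_network("192.168.20.0/24"), "connected vlan200"),  # assumed internal VLAN
    (ipaddress.ip_network("10.0.0.0/8"), "10.255.0.1"),             # assumed internal route
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.10.1"),            # assumed existing firewall
]

PBR_MATCH = ipaddress.ip_network("192.168.10.0/24")  # ACL TEST_SUBNET_GW: permit ip <subnet> any
PBR_NEXT_HOP = "192.168.10.10"                       # next hop set by REDIRECT_TEST_SUBNET


def lookup(dst):
    """Longest-prefix match against ROUTING_TABLE; returns (prefix, next_hop) or None."""
    best = None
    for prefix, nh in ROUTING_TABLE:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def forward(src, dst, mode):
    """Next hop chosen for a packet entering interface Vlan100.

    mode: "next-hop"         -> set ip next-hop: PBR wins before the routing table
          "default-next-hop" -> set ip default next-hop: routing table wins, except
                                that the default route (0.0.0.0/0) is not counted
          None               -> no route-map applied (plain destination routing)
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup(dst)
    if mode and src in PBR_MATCH:  # ACL permits this source to "any" destination
        if mode == "next-hop":
            return PBR_NEXT_HOP
        if route and route[0].prefixlen > 0:  # a specific, non-default route exists
            return route[1]
        return PBR_NEXT_HOP  # only the default route matched: PBR supplies the next hop
    return route[1] if route else "drop"
```

With "default-next-hop", 8.8.8.8 goes to the new firewall while 192.168.20.5 follows the connected route; with "next-hop", both are redirected, which is the "any" problem Jon raised.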
05-28-2015 02:30 PM
Thanks Jon, much appreciated :-)