cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
422
Views
2
Helpful
8
Replies

PBR VS CONNECTED

김선명
Level 1
Level 1

hello.

I understand that Connected routing has an AD value of 0.

The IP bands on the 1st and 2nd floors are different.

1st floor: 1.1.1.0/24
2nd floor: 2.2.2.0/24

There are two firewalls on top of the backbone.

The band will be 3.3.3.0/24.

If you configure the 2nd floor VLAN interface to send to a specific firewall using PBR, it seems that communication to the 1st floor is not possible. Is this correct?

1 Accepted Solution

Accepted Solutions

Thank you for the drawing which does provide some clarification. It is good to know that ip routing is enabled. There are still things that we do not know which impact how things would work (or not work). In particular we do not know how your PBR is set up. If PBR says that all traffic originating from 1.1.1.10 is forwarded to 3.3.3.1 then communication between 1.1.1.0 and 2.2.2.0 would not be possible.

HTH

Rick

View solution in original post

8 Replies 8

Richard Burts
Hall of Fame
Hall of Fame

I do not understand what you are describing. But based on what you provide I have these explanations:

- yes a connected network does have AD of 0.

- you describe 3 networks 1.1.1.0 2.2.2.0 3.3.3.0. We do not know how they are connected but you mention firewalls and perhaps we can assume that the networks are connected using those firewalls? In that case whether these networks can communicate will depend on the firewall policies.

- normally the hosts in each of the networks would have a default gateway. It is not clear in your description whether the firewall would be the default gateway or some other device would be the default gateway.

- PBR provides a way to specify packet forwarding that over rides the normal routing logic. You could certainly use PBR to specify how to forward traffic originating in vlan for floor 2. But whether those hosts could communicate with floor 1 depends on the firewall policies. PBR would not have any effect on whether communication was possible, this would depend on the firewall policies.

HTH

Rick

Hi @Richard Burts 

As shown in the topology below, traffic in the 2.2.2.0/24 band is directed to 3.3.3.1.

However, in the backbone, 1.1.1.0/24 and 2.2.2.0/24 are “connected IPs”.

And I also entered the ip routing command.

In this situation, communication between 2.2.2.0/24 and 1.1.1.0/24 is not possible.

What I'm curious about is "connected IP", so shouldn't there be communication between 2.2.2.0/24 and 1.1.1.0/24?

Or is it correct that I need to check the firewall policy because it goes to 3.3.3.1 according to the pbr policy?

 

 

PBR.png

Thank you for the drawing which does provide some clarification. It is good to know that ip routing is enabled. There are still things that we do not know which impact how things would work (or not work). In particular we do not know how your PBR is set up. If PBR says that all traffic originating from 1.1.1.10 is forwarded to 3.3.3.1 then communication between 1.1.1.0 and 2.2.2.0 would not be possible.

HTH

Rick

Hi @Richard Burts 

Thanks to this, I learned that PBR has higher priority than Connected or ARP.

Thank you

Only add staitc route in both FW for each 2.2.2.0 and 1.1.1.0.

If the 2.2.2.0 use FW1 then FW1 have route toward FW2 for 1.1.1.0

That it 

MHM

Thanks for the update. Yes PBR does have higher priority than connected. Having PBR send traffic from 1.1.1.0 to the firewall 3.3.3.1 does not necessarily mean that 1.1.1.0 can not communicate with 2.2.2.0. In configuring PBR you use an access list to identify which traffic gets special treatment. If that acl began with a statement denying 1.1.1.0 to 2.2.2.0 and then had a statement permitting other traffic then non local traffic would still be sent to firewall and 1.1.1.0 would communicate with 2.2.2.0. It might seem odd that the acl needs to deny 1.1.1.0 to 2.2.2.0 but if you think about the the acl is not denying traffic on the interface but is simply denying special treatment for that traffic.

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Hello, 

post a schematic drawing of your topology, as well as the relevant configurations of the devices involved. That might give us a better understanding of what you are asking.

Hi @Georg Pauwen

 I created a topology according to your request.

PBR.png

Review Cisco Networking for a $25 gift card