Policy Based Routing - Assist

CiscoDOJones (Level 1)

Hello,

I require some help/advice.

We have a stack of 3750s, which is the default gateway for all our VLANs. The gateway of last resort, pointing to our external firewall, is 10.62.0.5. We are in transition to another firewall from a different vendor and would like to perform some simple confidence tests and minimise the downtime.

I believe setting up policy based routing (PBR) will allow me to direct a single server or servers to the new firewall. As you know, "the business" does not like interruptions, nor will "the business" pay for duplicate equipment to test with.

So, my proposed config for internal change control is below:


!  <ACL>
!  first line: to allow this server to talk to all other servers in the business
access-list 111 deny ip host 10.55.111.111 10.0.0.0 0.255.255.255
access-list 111 permit ip host 10.55.111.111 any
!  (implicit deny at the end of the list; IOS needs no explicit line for it)
!
!  <Policy>
route-map PBR permit 111
 match ip address 111
 set ip next-hop 10.62.0.10
!  <does this mean the fallback will be the gateway of last resort, 10.62.0.5?>
!
!  <Assign>
interface vlan 20
 ip address 10.55.0.1 255.255.0.0
 ip policy route-map PBR
!

So what happens with all other traffic on the 10.55.0.0 subnet?

Will it be denied by the implicit deny of the ACL?

Or I guess (maybe finding the solution as I type) it will be denied for the next-hop 10.62.0.10 but will revert back to the default route paths, or the gateway 10.62.0.5 (if Internet traffic).

Your thoughts, feedback or advice would be most welcome.

regards

D Jones

7 Replies

Hello,

Your route-map and ACL in PBR just match the traffic. They do not deny (drop) any traffic. If traffic comes in and does not match any of the permit lines in the route-map and ACL, it is checked against the routing table.

Let me know if it is not clear.

Masoud

Hi Masoud,

No, sorry, not clear.

! host 10.55.111.111 = test server, 10.0.0.0 0.255.255.255 = all trusted networks
access-list 111 deny ip host 10.55.111.111 10.0.0.0 0.255.255.255
! any = all other traffic, such as Internet
access-list 111 permit ip host 10.55.111.111 any
! (the implicit deny at the end of the list)

Dave

1- Traffic with source 10.55.111.111 destined to 10.0.0.0-10.255.255.255 will be directed by the global routing table.

2- Traffic with source 10.55.111.111 destined to any other network will be directed by PBR (new firewall).

3- Other traffic will be checked against the global routing table.

Please let me know which part you have a problem with.

Masoud

Hi Masoud,

So if the match criteria are true, it will, in this case, forward to our defined "next-hop" (10.62.0.10),

   else

it will go to the global route paths, in my case inter-VLAN routing, then the gateway of last resort 10.62.0.5.

Excellent, thanks Masoud.

Dave

That is correct.

Use show commands for troubleshooting:

show route-map PBR

show access-lists 111 (to check if you have any hits)

You are very welcome.

Masoud

I just explained the rule of PBR. If you sketch your topology, I will be able to tell you where you need to put the PBR.

Masoud

Adding to my previous comment.

For example, you have a default route on the 3750:

ip route 0.0.0.0 0.0.0.0 10.55.0.50
! 10.55.0.50 = your current firewall

You are going to direct some traffic to the new firewall:

route-map PBR permit 111
 match ip address 111
 set ip next-hop 10.62.0.10
! 10.62.0.10 = the IP of your new firewall

access-list 111 permit ip host 10.55.111.111 any

access-list 111 deny ip any any
! not needed, the default is deny; good for logging

If traffic with source 10.55.111.111 comes in on interface VLAN 20, it will be directed to your new firewall.

If traffic with source 10.55.111.112 (or any other traffic) comes in, it will be directed to the current firewall by the global routing table.

If you want to limit your criteria, you can use a deny statement at the top.

For example,

access-list 111 deny ip host 10.55.111.111 host 70.70.70.70

access-list 111 permit ip host 10.55.111.111 any

access-list 111 deny ip any any

Traffic with source 10.55.111.111 destined to 70.70.70.70 will be directed to the current firewall (global routing table).

Traffic with source 10.55.111.111 destined to any other network will be directed to the new firewall (PBR).

Other traffic will be directed to the current firewall (global routing table).

To sum up, the ACL in PBR does not block any traffic. It just matches the traffic.

Hope it helps,

Masoud
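The rule Masoud describes above (an ACL deny or a non-match inside a route-map hands the packet back to the routing table, only a permit is policy-routed) is easy to get wrong, so here is a small simulator of that decision. This is an added example, not code from the thread or from Cisco. It parses IOS-style access-list and route-map lines, evaluates the first matching ACE, and then either applies the set ip next-hop or falls back to a longest-prefix lookup. The config text is constructed from the two ACL variants in the thread (written with the host keyword, implicit deny omitted); the RIB is an assumption: 10.0.0.0/8 is reached by inter-VLAN routing on the 3750 and everything else goes to the gateway of last resort 10.62.0.5.

```python
"""Simulator for the PBR decision discussed in this thread.

Added example, not code from the thread or from Cisco: it parses the kind of
IOS 'access-list' / 'route-map' lines posted above and applies the rule
Masoud states, namely that an ACL 'deny' (or no match at all) inside a
route-map never drops a packet, it only hands the packet back to the
routing table. Only a 'permit' line is policy-routed.
"""
import ipaddress

# Constructed config text (copied from the thread, with 'host' syntax and the
# implicit 'deny any any' left out). First block is the OP's ACL, second is
# Masoud's 'deny on top' variant.
OP_CONFIG = """
access-list 111 deny ip host 10.55.111.111 10.0.0.0 0.255.255.255
access-list 111 permit ip host 10.55.111.111 any
route-map PBR permit 111
 match ip address 111
 set ip next-hop 10.62.0.10
"""

MASOUD_CONFIG = """
access-list 111 deny ip host 10.55.111.111 host 70.70.70.70
access-list 111 permit ip host 10.55.111.111 any
route-map PBR permit 111
 match ip address 111
 set ip next-hop 10.62.0.10
"""

# Assumed RIB of the 3750: 10/8 is reachable via inter-VLAN routing, everything
# else falls to the gateway of last resort (the current firewall, 10.62.0.5).
RIB = [(ipaddress.ip_network("10.0.0.0/8"), "inter-VLAN"),
       (ipaddress.ip_network("0.0.0.0/0"), "10.62.0.5")]


def _addr(tokens, i):
    """Parse one ACL address spec: 'any', 'host X', or 'X wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    if wildcard & (wildcard + 1):          # only contiguous wildcards are handled
        raise ValueError("non-contiguous wildcard: " + tokens[i + 1])
    net = ipaddress.ip_network("%s/%d" % (tokens[i], 32 - wildcard.bit_length()),
                               strict=False)
    return net, i + 2


def parse(config):
    """Return (acls, seqs): acls maps ACL number -> [(action, src, dst)],
    seqs is the route-map in order as [{action, acl, next_hop}]."""
    acls, seqs = {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[3] == "ip":
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(int(t[1]), []).append((t[2], src, dst))
        elif t[0] == "route-map":
            seqs.append({"action": t[2], "acl": None, "next_hop": None})
        elif t[:3] == ["match", "ip", "address"]:
            seqs[-1]["acl"] = int(t[3])
        elif t[:3] == ["set", "ip", "next-hop"]:
            seqs[-1]["next_hop"] = t[3]
    return acls, seqs


def acl_matches(aces, src, dst):
    """First ACE that covers the packet decides. 'deny' or no ACE means the
    route-map clause does NOT match; it is never a drop."""
    for action, s, d in aces:
        if src in s and dst in d:
            return action == "permit"
    return False


def rib_lookup(dst):
    """Longest-prefix match over the assumed RIB."""
    best = max((n for n, _ in RIB if dst in n), key=lambda n: n.prefixlen)
    return dict(RIB)[best]


def route(config, src, dst):
    """Return ('PBR', next_hop) when the packet is policy-routed, otherwise
    ('RIB', next_hop) for ordinary destination-based routing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls, seqs = parse(config)
    for seq in seqs:
        if acl_matches(acls.get(seq["acl"], []), src, dst):
            if seq["action"] == "permit" and seq["next_hop"]:
                return "PBR", seq["next_hop"]
            break        # a route-map 'deny' clause: back to normal routing
    return "RIB", rib_lookup(dst)


if __name__ == "__main__":
    for cfg, name in ((OP_CONFIG, "OP"), (MASOUD_CONFIG, "Masoud")):
        for s, d in (("10.55.111.111", "8.8.8.8"), ("10.55.111.111", "10.60.1.25"),
                     ("10.55.111.111", "70.70.70.70"), ("10.55.111.112", "8.8.8.8")):
            print("%-6s %-14s -> %-14s %s" % (name, s, d, route(cfg, s, d)))
```

Running it shows the three outcomes from the accepted answer for the OP's ACL (test server to 10/8 stays on inter-VLAN routing, test server to the Internet is policy-routed to 10.62.0.10, every other host keeps using 10.62.0.5) and, for Masoud's variant, that only the 70.70.70.70 destination escapes the policy. Two caveats the thread does not mention before trying this on the real switch: on the Catalyst 3750, ip policy route-map is only available once the switch runs the routing SDM template (sdm prefer routing, followed by a reload), and the simulator assumes the set ip next-hop address is reachable; if IOS has no route to the next hop, the packet is routed by the routing table instead of being policy-routed.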
