Policy Based Routing on 6509

mccmhtac1
Level 1

I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.

26 Replies

pgurumu77
Level 1

Use an ACL or prefix list, apply it to the route-map, and use the set interface option in the route-map pointing to your VLAN interface. If a packet matches your prefix list or ACL, the packet is directed to the interface specified in the route-map. As to where: it depends on how you want to police your routes; based on what you are saying, I would say on the interfaces. Under the interface config you would see ip policy route-map "NAME"

Do you have any configuration examples?

Latchum Naidu
VIP Alumni

Hello,

You need to apply the specific PBR under the specific VLAN whose traffic you want to send through the other firewall.
Make sure you use the ip default next-hop command under the route-map.


Please rate the helpful posts.
Regards,
Naidu.

can you send any configuration examples?

Hi,

Please find below the config I have at one of my customer's L3 switches. With this config the traffic from the specific network will go to the default next gateway, which is 10.28.1.200


interface Vlan51
description MANAGEMENT NETWORK
ip address 10.246.2.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map Net-access1


route-map Net-access1 permit 10
match ip address 171
set ip default next-hop 10.28.1.200

access-list 171 deny   ip 10.31.4.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 171 permit ip 10.31.6.0 0.0.0.255 any
access-list 171 permit ip 10.31.2.0 0.0.0.255 any


Hope the above helps you; if so, please rate all the helpful posts.


Regards,
Naidu.

This does help, except I have a 6509 with multiple interfaces and VLANs. I am uncertain as to where (VLAN/interfaces) to apply the route-map policies.

Hi,

As per the example config I provided in my last post, you need to apply the route-map to whichever VLAN's traffic you want to send to the specific firewall.
If you are still not sure where to apply the route-map, post your config here so that I can advise you exactly where to apply it.


Please rate the helpful posts.
Regards,
Naidu.

Not sure if this is what you need, but here is the 6509 int and VLAN config. The subnet (VLAN 30) 10.133.3.0/24 is to go to the UTM firewall, and all traffic from the other serial connections as well as the other VLANs is to go to the IPSO firewall. Thank you.

interface Serial9/0/0:0
description Training Office DHZA802177
ip address 100.0.10.1 255.255.255.252
ip access-group 122 out
no fair-queue
!
interface Serial9/0/1:0
description Ventures DHZA845048
ip address 100.0.4.1 255.255.255.252
no fair-queue
!
interface Serial9/0/2:0
description FOCUS DHZA748373
ip address 10.15.0.58 255.255.255.252
no fair-queue
!
interface Serial9/0/3:0
description FN Multilink 1 dhza005310
no ip address
encapsulation ppp
ppp multilink
multilink-group 1
!
interface Serial9/0/4:0
description FN Multilink 2 dhza005311
no ip address
encapsulation ppp
ppp multilink
multilink-group 1
!
interface Serial9/0/5:0
description FSW Multilink 1 dhza005331
no ip address
encapsulation ppp
ppp multilink
multilink-group 2
!
interface Serial9/0/6:0
description FN Multilink 3 dhza005313
no ip address
encapsulation ppp
ppp multilink
multilink-group 1
!
interface Serial9/0/7:0
description FSW Multilink 2 dhza005309
no ip address
encapsulation ppp
ppp multilink
multilink-group 2
!
interface Vlan1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no mop enabled
!
interface Vlan10
description Phone network
ip address 10.133.1.1 255.255.255.0
arp timeout 240
!
interface Vlan20
description User network
ip address 10.133.2.1 255.255.255.0
arp timeout 240
!
interface Vlan30
description Server network
ip address 10.133.3.1 255.255.255.0
arp timeout 240
!
interface Vlan100
description Wireless network
ip address 100.1.200.1 255.255.255.252
!
interface Vlan101
description UTM1 Firewall
ip address 100.1.100.1 255.255.255.248
!
interface Vlan102
description IPSO Firewall
ip address 200.1.200.1 255.255.255.252
!
interface Vlan200
description AT&T OPTEMAN
ip address 10.10.10.1 255.255.255.248
!
interface Vlan300
description Aerohive WLAN
ip address 172.30.1.1 255.255.255.0

I would opt to define a default route towards the IPSO firewall (it will handle all other VLANs and serial connections), and then use PBR for your exception of directing traffic from 10.133.3.0/24 to the UTM firewall. I'm no expert on PBR, but I would try this config:

! default route towards the IPSO fw
ip route 0.0.0.0 0.0.0.0 200.1.200.2

interface Vlan30
ip policy route-map UTMPBRroute

access-list 100 permit ip 10.133.3.0 0.0.0.255

route-map UTMPBRroute permit 10
match ip address 100
set ip default next-hop 100.1.100.

-Jason

I tried this config and am still having problems. I applied your config as follows:

FW1 - 100.1.100.2
FW2 - 200.1.200.2

Want 10.133.3.0/24 subnet to go to FW2 for internet usage
Want all other subnets to go through FW1 for internet

Gateway of last resort on core router: 0.0.0.0 0.0.0.0 100.1.100.2

ip access-list extended 150
permit ip 10.133.3.0 0.0.0.255 any

route-map TO-UTM1-FW
match ip address 150
set ip next-hop 200.1.200.2

Int Vlan30
ip policy route-map TO-UTM1-FW

When I do this I cannot access the servers on the 10.133.3.0/24 subnet from any other subnet. This is a problem, as all the other subnets need to access them as well.

Thanks

Why don't you do this:

ip access-list extended 150
   deny ip 10.133.3.0 0.0.0.255
   permit ip 10.133.3.0 0.0.0.255 any

The reason, without knowing everything about your internal network, is TTL expiration of the IP packets as they bounce between your router and firewall.

A traceroute from 10.133.3.0 to your other private subnets on your internal network would help debug this issue a little better, in my opinion.

Hope this helps!

If I deny from 10.133.3.0 to my internal network(s), then no one will get to any services. See, 10.133.3.0 is our server network. I want to segregate its internet usage to a separate firewall.

There are about 15 other subnets that need to access 10.133.3.0 internally.

Remember this is an ACL applied to a route-map, not to an access-group, so a deny in the ACL applied to the route-map means: when the packet is destined to the internet, the next hop is your "FW2"; when it is internal, the next hop is whatever is in your routing table, not what is given in the route-map.
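The point in the reply above (a deny in a route-map ACL means "route normally", not "drop") and the difference between Naidu's set ip default next-hop and the set ip next-hop in the failing config are easier to see in a small simulator. The following is an added example, not code from any poster or from Cisco: it models IOS wildcard-mask ACL matching, longest-prefix lookup in a routing table, and a one-clause route-map, then runs the server-VLAN traffic from this thread through the three configurations. The routing table is constructed from the posted VLAN addresses plus the gateway of last resort to FW1; the host addresses 10.133.3.10, 10.133.2.20 and 198.51.100.7 are constructed, and the internal destination range 10.133.0.0/16 used in the deny entry is an assumption, since the thread's deny line omits its destination.

```python
"""Policy-based routing decision simulator (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(ip) & care) == (_int(base) & care)


@dataclass(frozen=True)
class ACE:
    """One access-list entry; the default destination is 'any'."""
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"


def acl_result(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str                         # next-hop address, or "Vlan<N>" for a connected route


def lookup(rib: list, dst: str) -> Optional[Route]:
    """Longest-prefix match, as the routing table does it."""
    best = None
    for r in rib:
        if ipaddress.IPv4Address(dst) in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


@dataclass
class RouteMapClause:
    acl: list                        # match ip address <acl>
    set_kind: str                    # "next-hop" or "default next-hop"
    next_hop: str


def forward(rib: list, clause: RouteMapClause, src: str, dst: str) -> str:
    """Where the packet goes: 'pbr -> <hop>' or 'rib -> <via>'."""
    route = lookup(rib, dst)
    normal = f"rib -> {route.via}" if route else "drop (no route)"
    # A deny in the ACL attached to a route-map does not drop the packet; the
    # clause simply does not match and the packet is routed from the RIB.
    if acl_result(clause.acl, src, dst) != "permit":
        return normal
    if clause.set_kind == "next-hop":
        return f"pbr -> {clause.next_hop}"
    # "default next-hop" is used only when the RIB has no explicit route;
    # the 0.0.0.0/0 gateway of last resort does not count as explicit.
    if route is not None and route.prefix.prefixlen > 0:
        return normal
    return f"pbr -> {clause.next_hop}"


# Constructed RIB: connected VLANs from the posted config, default to FW1.
RIB = [
    Route(ipaddress.IPv4Network("10.133.1.0/24"), "Vlan10"),
    Route(ipaddress.IPv4Network("10.133.2.0/24"), "Vlan20"),
    Route(ipaddress.IPv4Network("10.133.3.0/24"), "Vlan30"),
    Route(ipaddress.IPv4Network("100.1.100.0/29"), "Vlan101"),
    Route(ipaddress.IPv4Network("200.1.200.0/30"), "Vlan102"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "100.1.100.2"),   # FW1, gateway of last resort
]
FW2 = "200.1.200.2"

# The posted ACL 150: every packet from the server VLAN, whatever the destination.
ACL_PERMIT_ALL = [ACE("permit", "10.133.3.0", "0.0.0.255")]
# Deny-first variant; the internal range 10.133.0.0/16 is an assumption.
ACL_DENY_INTERNAL = [
    ACE("deny", "10.133.3.0", "0.0.0.255", "10.133.0.0", "0.0.255.255"),
    ACE("permit", "10.133.3.0", "0.0.0.255"),
]

OP_CONFIG = RouteMapClause(ACL_PERMIT_ALL, "next-hop", FW2)        # the failing config
DENY_FIRST = RouteMapClause(ACL_DENY_INTERNAL, "next-hop", FW2)    # pgurumu77's suggestion
DEFAULT_NH = RouteMapClause(ACL_PERMIT_ALL, "default next-hop", FW2)  # Naidu's style

SERVER, USER, INTERNET = "10.133.3.10", "10.133.2.20", "198.51.100.7"  # constructed hosts

if __name__ == "__main__":
    for name, clause in [("set next-hop", OP_CONFIG), ("deny-first", DENY_FIRST), ("default next-hop", DEFAULT_NH)]:
        for dst in (USER, INTERNET):
            print(f"{name:17s} {SERVER} -> {dst:13s}: {forward(RIB, clause, SERVER, dst)}")
```

Run as a script it prints six decisions. With the plain permit ACL and set ip next-hop, a server reply to 10.133.2.20 is sent to FW2 instead of Vlan20, which is exactly why the other subnets could no longer reach the servers. Either fix restores internal reachability: the deny entry makes the clause not match internal destinations, and set ip default next-hop defers to the connected route. Both still send internet-bound server traffic to FW2, while the other VLANs keep following the default route to FW1.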

I only have one default route on the core router, to FW1 100.1.100.2. Do I need to add another to FW2? It seemed that when it was in place, it affected all the subnets.
