I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.
Here is what I would do.
ip route 0.0.0.0 0.0.0.0 188.8.131.52
! 188.8.131.52 is FW1 (default route); FW2 below is the second firewall's address
ip access-list extended PBRoute
 ! deny = exempt traffic to internal (10/8) destinations from PBR, so it follows the normal route
 deny ip 10.133.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.133.3.0 0.0.0.255 any
route-map SOME_RTE_MAP permit 10
 match ip address PBRoute
 set ip next-hop FW2
int vlan 30
 ip policy route-map SOME_RTE_MAP
This is what I would do if I were you, apart from redoing the network in a better way.
Hope this helps
This is policy routing: a deny on an ACL applied to a policy means the deny line is NOT processed as part of the policy, whatever the policy may be. Do not think of it as an ACL applied with access-group. As part of a stop-gap measure I had to do something similar, but it required policy-based routing with PAT.
so let me understand this:
the deny rule in the acl tells the policy to allow traffic from the
for configuration sake what would I put for: ??
Yep, you are correct.
Attributes like match and set parameters are logical AND statements in a route-map. If there is a deny on the ACL that is part of the match clause, nothing else is processed on the route-map and it exits the policy, thereby no PBR, i.e. it is a normal packet. That is my understanding and that is the way I've made this work before.
Hope this helps.
No, on your ACL:
deny ip 10.133.3.0/24
permit ip 10.133.3.0/24 any (Do PBR routing for packets going to anywhere but internal networks)
ok, I know I am struggling with this but I am confused about one line:
ip access-list ext 150
deny ip 10.133.3.0/24 is not a Cisco option.....
so should the line look like this:
deny ip 10.133.3.0/24 10.133.2.0/24 10.133.1.0/24 10.133.4.0/23 ?
Oh Wow, I was under the impression that you would be able to expand /24 to its corresponding wildcard.
ip access-list ext 150
deny ip 10.133.3.0 0.0.0.255 10.133.2.0 0.0.0.255
so on and so forth.
I do not know how else you would like to achieve it apart from re-architecting the network in a better way. If all your internal routes are 10/8 (i.e. 10.0.0.0 255.0.0.0) then use that network instead of all your individual subnets, or use the entire RFC 1918 spectrum.
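As an added illustration that is not from any post in this thread, here is a small Python model of how the route-map on vlan 30 evaluates a packet: the match ACL is evaluated with Cisco wildcard semantics, a deny (explicit or the implicit one at the end) just means "no PBR, normal routing", and only a permit sends the packet to FW2. FW2's address is assumed because the thread never gives it, and the ACL uses the 10/8 shortcut from the last reply.

```python
import ipaddress

# FW1 is the default-route next hop from the thread; FW2's address is not given, so it is a placeholder.
FW1 = "188.8.131.52"
FW2 = "192.0.2.2"   # assumed placeholder for the second firewall

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

# Extended ACL 150 as the thread ends up with, using 10/8 for "internal":
# (action, src, src-wildcard, dst, dst-wildcard); 'any' is 0.0.0.0 255.255.255.255.
ACL_150 = [
    ("deny",   "10.133.3.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.133.3.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),
]

# route-map SOME_RTE_MAP permit 10 / match ip address 150 / set ip next-hop FW2
ROUTE_MAP = [(10, "permit", ACL_150, FW2)]

def acl_result(acl, src: str, dst: str) -> str:
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

def pbr_next_hop(src: str, dst: str) -> str:
    """Next hop chosen for a packet arriving on 'int vlan 30' with the policy applied.

    A deny in the match ACL drops nothing: the sequence simply does not match and
    the packet falls through to normal routing, which here is the default route to FW1.
    A matching 'route-map deny' sequence likewise means normal routing.
    """
    for _seq, action, acl, next_hop in ROUTE_MAP:
        if acl_result(acl, src, dst) == "permit":
            return next_hop if action == "permit" else FW1
    return FW1
```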