03-07-2012 07:29 PM - edited 03-07-2019 05:25 AM
I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.
03-10-2012 07:37 AM
Here is what I would do.
ip route 0.0.0.0 0.0.0.0 100.1.100.2        ! default route to FW1
ip access-list extended PBRoute
 deny ip 10.133.3.0 0.0.0.255
 permit ip 10.133.3.0 0.0.0.255 any
route-map SOME_RTE_MAP permit 10
 match ip address PBRoute
 set ip next-hop FW2                       ! replace FW2 with the FW2 address
interface Vlan30
 ip policy route-map SOME_RTE_MAP
This is what I would do if I were you, apart from redoing the network in a better way.
Hope this helps
03-10-2012 07:41 AM
This line I am struggling with: deny ip 10.133.3.0 0.0.0.255
I have so many
03-10-2012 07:49 AM
This is policy routing. A deny on an ACL applied to policy means the deny line is NOT processed as part of the policy, whatever that policy may be; do not think of it as an ACL applied with access-group. As part of a stop-gap measure I had to do something similar, but it required policy-based routing with PAT.
03-10-2012 08:05 AM
So let me understand this:
the deny rule in the ACL tells the policy to allow traffic from the other subnets?
For configuration's sake, what would I put for: ??
03-10-2012 08:11 AM
Yep, you are correct.
Attributes like match and set parameters are LOGICAL AND statements in a route-map. If there is a deny on the ACL that is part of the match clause, nothing else is processed on the route-map and it exits the policy, thereby no PBR, i.e. it is a normal packet. That is my understanding and that is the way I've made this work before.
Hope this helps.
03-10-2012 08:17 AM
so last question,
for this statement: deny ip 10.133.3.0 0.0.0.255
should I write as: deny ip 10.133.3.0 0.0.0.255 any
03-10-2012 08:19 AM
No, on your ACL:
deny ip 10.133.3.0/24
permit ip 10.133.3.0/24 any (Do PBR routing for packets going to anywhere but internal networks)
03-10-2012 02:27 PM
ok, I know I am struggling with this but I am confused about one line:
ip access-list ext 150
deny ip 10.133.3.0/24 is not a Cisco option...
so should the line look like this:
deny ip 10.133.3.0/24 10.133.2.0/24 10.133.1.0/24 10.133.4.0/23 ?
03-10-2012 06:30 PM
Oh Wow, I was under the impression that you would be able to expand /24 to its corresponding wildcard.
Example:
ip access-list ext 150
deny ip 10.133.3.0 0.0.0.255 10.133.2.0 0.0.0.255
so on and so forth.
03-10-2012 06:39 PM
The problem I have with your solution is I would have to deny all subnets except 10.133.3.0/24; not sure how to go about that.
03-10-2012 08:49 PM
I do not know how else you would like to achieve it apart from re-architecting the network in a better way. If all your internal routes are 10/8 (i.e. 10.0.0.0 255.0.0.0) then use that network instead of all your individual subnets, or use the entire RFC 1918 spectrum.
03-11-2012 06:39 AM
That is what I was thinking. We have 10/8 and 172/16 RFC 1918 subnets.
I am going to test this Wednesday night.
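The two points the thread turns on are that an ACL deny inside a PBR match clause means "this sequence does not match, route normally" rather than "drop", and that IOS extended ACLs take a base address plus wildcard mask, not CIDR. The following is an added example, not part of the thread or any poster's configuration: a small Python model of that evaluation order, built around the final design suggested above (policy-route VLAN 30 to FW2 only for destinations outside RFC 1918, let the default route to FW1 carry the rest). The FW2 address 192.0.2.2, the interface name Vlan30 and the sample packets are constructed placeholders, and the model only covers "match ip address" with "set ip next-hop", which is all this thread uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS "any" expressed as a base/wildcard pair (every bit is "don't care").
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")


def prefix_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Expand CIDR (not accepted by IOS extended ACLs) into the base/wildcard
    pair IOS wants, e.g. 10.133.3.0/24 -> ("10.133.3.0", "0.0.0.255")."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: Tuple[str, str]        # (base, wildcard)
    dst: Tuple[str, str]


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match ACL evaluation with the implicit deny every IOS ACL ends in."""
    for e in acl:
        if _wildcard_match(src, *e.src) and _wildcard_match(dst, *e.dst):
            return e.action
    return "deny"


@dataclass
class RouteMapSeq:
    action: str                 # route-map permit / deny
    acl: List[AclEntry]         # the "match ip address" ACL
    next_hop: Optional[str]     # the "set ip next-hop" value


def pbr_next_hop(route_map: List[RouteMapSeq], src: str, dst: str) -> str:
    """Return the next hop PBR sets, or "normal" when the packet falls out of
    the policy and the routing table (here the default route to FW1) decides.
    An ACL deny is NOT a drop: it only means this sequence does not match."""
    for seq in route_map:
        if acl_lookup(seq.acl, src, dst) == "permit":
            if seq.action == "permit" and seq.next_hop:
                return seq.next_hop
            return "normal"     # route-map deny sequence: forward normally
    return "normal"


def fmt(pair: Tuple[str, str]) -> str:
    return "any" if pair == ANY else f"{pair[0]} {pair[1]}"


def render_ios(acl_name: str, acl: List[AclEntry], rm_name: str,
               route_map: List[RouteMapSeq], interface: str) -> List[str]:
    """Render the model as the IOS configuration lines it stands for."""
    lines = [f"ip access-list extended {acl_name}"]
    lines += [f" {e.action} ip {fmt(e.src)} {fmt(e.dst)}" for e in acl]
    for i, seq in enumerate(route_map, start=1):
        lines.append(f"route-map {rm_name} {seq.action} {i * 10}")
        lines.append(f" match ip address {acl_name}")
        if seq.next_hop:
            lines.append(f" set ip next-hop {seq.next_hop}")
    lines += [f"interface {interface}", f" ip policy route-map {rm_name}"]
    return lines


# Constructed sample policy following the thread: VLAN 30 (10.133.3.0/24)
# goes to FW2 for anything outside RFC 1918; everything else routes normally.
FW2 = "192.0.2.2"   # assumed FW2 address (documentation-range placeholder)
VLAN30 = prefix_to_wildcard("10.133.3.0/24")
RFC1918 = [prefix_to_wildcard(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PBROUTE = [AclEntry("deny", VLAN30, d) for d in RFC1918] + [AclEntry("permit", VLAN30, ANY)]
SOME_RTE_MAP = [RouteMapSeq("permit", PBROUTE, FW2)]

if __name__ == "__main__":
    print("\n".join(render_ios("PBRoute", PBROUTE, "SOME_RTE_MAP", SOME_RTE_MAP, "Vlan30")))
    # Constructed sample packets: internal, Internet-bound, and from another VLAN.
    for s, d in (("10.133.3.10", "10.133.2.5"), ("10.133.3.10", "203.0.113.9"), ("10.133.2.10", "203.0.113.9")):
        print(s, "->", d, ":", pbr_next_hop(SOME_RTE_MAP, s, d))
```

The rendered output is the configuration the thread converges on, with the three RFC 1918 deny lines expanded to wildcard form; the evaluation shows a VLAN 30 packet to another internal subnet hitting a deny and being routed normally (to FW1 via the default route), while an Internet-bound packet from the same host is policy-routed to FW2.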