Policy Based Routing on 6509

mccmhtac1, Level 1

I need to set up my 6509 with PBR going to two different firewalls. The 6509 has VLANs and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the VLANs to one firewall and the other VLANs and WAN subnets to the other firewall.

26 Replies

Here is what I would do.

ip route 0.0.0.0 0.0.0.0 100.1.100.2
! default route to FW1 (100.1.100.2); anything not policy-routed follows this
!
ip access-list extended PBRoute
  deny ip 10.133.3.0 0.0.0.255
  permit ip 10.133.3.0 0.0.0.255 any
! deny = leave the route-map and use normal routing; permit = policy-route
!
route-map SOME_RTE_MAP permit 10
  match ip address PBRoute
  set ip next-hop FW2_ADDRESS
! FW2_ADDRESS is a placeholder: FW2's address was not given in this thread
!
int vlan 30
  ip policy route-map SOME_RTE_MAP
! the interface policy must reference the route-map name, not the ACL name

This is what I would do if I were you, apart from redoing the network in a better way.

Hope this helps

This line I am struggling with: deny ip 10.133.3.0 0.0.0.255

I have so many

This is policy routing: a deny on an ACL applied to a policy means the deny line is NOT processed as part of the policy, whatever the policy may be; do not think of it as an ACL applied to an access-group. As part of a stop-gap measure I had to do something similar, but it required policy based routing with PAT.

so let me understand this: the deny rule in the ACL tells the policy to allow traffic from the other subnets?

for configuration sake what would I put for: ??

Yep, you are correct.

Attributes like match and set parameters are LOGICAL AND statements in a route-map; if there is a deny on the ACL that is part of the match clause, nothing else is processed on the route-map and it exits the policy, thereby no PBR, i.e. it is a normal packet. That is my understanding and that is the way I've made this work before.

Hope this helps.

so last question,

for this statement: deny ip 10.133.3.0 0.0.0.255

should I write as: deny ip 10.133.3.0 0.0.0.255 any

No, on your ACL:

deny ip 10.133.3.0/24 (Do normal routing for packets destined to internal networks)

permit ip 10.133.3.0/24 any (Do PBR routing for packets going to anywhere but internal networks)

ok, I know I am struggling with this but I am confused about one line:

ip access-list ext 150

deny ip 10.133.3.0/24 is not a Cisco option.....

so should the line look like this:

deny ip 10.133.3.0/24 10.133.2.0/24 10.133.1.0/24 10.133.4.0/23 ?

Oh Wow, I was under the impression that you would be able to expand /24 to its corresponding wildcard.

Example:

ip access-list ext 150

deny ip 10.133.3.0 0.0.0.255 10.133.2.0 0.0.0.255

so on and so forth.

The problem I have with your solution is I would have to deny all subnets except 10.133.3.0/24 not sure how to go about that

I do not know how else you would like to achieve it apart from re-architecting the network in a better way. If all your internal routes are 10/8 (i.e. 10.0.0.0 255.0.0.0), then use that network instead of all your individual subnets, or use the entire RFC 1918 spectrum.
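As an added illustration (not from any post in this thread), here is a small Python model of how the route-map evaluates the ACL described above: a deny (explicit or implicit) drops the packet out of the policy onto the normal routing table, and only a permit sets the FW2 next-hop. The ACL uses the RFC 1918 destination ranges suggested in the last reply; the FW2 address is an assumption, since the thread never gives it.

```python
import ipaddress

# Assumed FW2 next-hop address (not given anywhere in the thread).
FW2 = "100.1.100.6"


def in_wildcard(addr, network, wildcard):
    """Cisco wildcard match: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# Constructed ACL modelled on the thread's final suggestion:
# deny 10.133.3.0/24 to the RFC 1918 ranges (normal routing),
# permit 10.133.3.0/24 to anywhere else (policy-route to FW2).
# Tuples: (action, src, src_wildcard, dst, dst_wildcard); "any" is 0.0.0.0/255.255.255.255.
PBROUTE_ACL = [
    ("deny",   "10.133.3.0", "0.0.0.255", "10.0.0.0",    "0.255.255.255"),
    ("deny",   "10.133.3.0", "0.0.0.255", "172.16.0.0",  "0.15.255.255"),
    ("deny",   "10.133.3.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "10.133.3.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]


def acl_lookup(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if in_wildcard(src, s, sw) and in_wildcard(dst, d, dw):
            return action
    return "deny"


def policy_route(src, dst):
    """Model of 'route-map SOME_RTE_MAP permit 10' with 'match ip address PBRoute'.

    A deny result from the match ACL means the packet leaves the route-map
    untouched and is forwarded by the normal routing table (default route to FW1).
    Only a permit result applies 'set ip next-hop' towards FW2.
    """
    if acl_lookup(PBROUTE_ACL, src, dst) == "permit":
        return ("pbr", FW2)
    return ("normal", "routing-table")
```

Traffic from VLANs other than 10.133.3.0/24 never matches a permit entry, so it falls to the implicit deny and keeps normal routing, which is the "deny means not policy-routed" behaviour discussed above.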

That is what I was thinking. We have 10/8 and 172/16 rfc1918 subnets.

I am going to test this Wednesday night.
