Policy-Based Routing Problems on Supervisor IV/4506-E

Hi there. I am trying to test out a new firewall in our environment and I would like to direct my PC only through the test firewall.

Here is the current LAN structure:

My PC: 10.1.25.253 on Vlan 25 (this is the only PC on this VLAN)

New firewall: 10.1.2.8 on Vlan 2

Current firewall: 10.1.2.10 on Vlan 2

The Cisco 4506/Supervisor IV serving as the gateway: 10.1.2.254 on Vlan 2; 10.1.25.254 on Vlan 25

Here is my current config (edited for privacy/brevity). Can anyone tell me why my route-map "testfirewall" is not working?

Current configuration : 23482 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service sequence-numbers
!
hostname RSC-Core
!
boot system flash bootflash:cat4000-i9k91s-mz.122-20.EWA.bin
no logging buffered
aaa new-model

clock timezone EST -5
ip subnet-zero
ip name-server 10.1.2.4
ip name-server 10.1.2.5
ip name-server 10.1.2.9

!
ip dhcp snooping vlan 2
ip dhcp snooping
ip ssh time-out 100
ip address-pool local
ipx routing 0012.80c6.7080
ipx internal-network ACE00002
!
no file verify auto
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
!
vlan access-map core 10
action forward
vlan internal allocation policy ascending
vlan dot1q tag native

!-----This is the port my computer is on

interface GigabitEthernet4/18
description ADMIN_PORT
switchport access vlan 25
switchport mode access

!-----This is the port that the new firewall is on

interface GigabitEthernet4/46
switchport access vlan 2
switchport mode access

interface Vlan1
no ip address
!
interface Vlan2
ip address 10.1.2.254 255.255.252.0
ip directed-broadcast
!
interface Vlan5
ip address 10.1.5.1 255.255.255.0
ip helper-address 10.1.2.4
ip helper-address 10.1.2.5
ip directed-broadcast
!
interface Vlan10
ip address 10.10.1.254 255.255.255.0
ip policy route-map 10
!
interface Vlan25
ip address 10.1.25.254 255.255.255.0
ip policy route-map testfirewall
!
interface Vlan128
no ip address
shutdown
!
interface Vlan193
ip address 10.1.10.254 255.255.255.0
ip helper-address 10.1.2.4
shutdown
!
interface Vlan196
ip address 192.168.255.253 255.255.255.0
!
ip default-gateway 10.1.2.10
ip route 0.0.0.0 0.0.0.0 10.1.2.10
ip route 30.16.18.0 255.255.255.0 10.1.2.191
ip route 172.16.205.0 255.255.255.0 10.1.2.10
ip route 172.18.0.0 255.255.255.0 10.1.2.252
ip http server
ip http authentication local
!
!
!
access-list 10 permit any
access-list 10 deny 10.1.0.0 0.0.255.255
access-list 100 deny ip any 10.1.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 101 permit ip any host 10.1.2.10
access-list 125 permit ip any any
!
route-map 10 permit 10
match ip address 100
set ip next-hop 10.10.1.252
!
route-map testfirewall permit 125
match ip address 125
set ip next-hop 10.1.2.8
!
route-map pbr permit 10
match ip address 10
set ip next-hop 10.10.1.252
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 90 0
!
end
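
As an added example (not the poster's config or Cisco code), the following Python checker walks the PBR-relevant lines of an IOS config and flags the static mistakes Rick's reply rules out: a policy applied to an interface but referencing an undefined route-map or ACL, a `set ip next-hop` that is on no connected subnet (in which case the switch ignores it and the packet follows the routing table, here the default route to the old firewall), and route-maps that are defined but never applied. The embedded config is a constructed excerpt of the one above; a firewall silently dropping the redirected traffic, which was the actual cause in this thread, is outside what a static check can see.

```python
import ipaddress

# Constructed excerpt of the poster's config, trimmed to the lines PBR depends on.
CONFIG = """
interface Vlan2
 ip address 10.1.2.254 255.255.252.0
interface Vlan25
 ip address 10.1.25.254 255.255.255.0
 ip policy route-map testfirewall
access-list 125 permit ip any any
route-map testfirewall permit 125
 match ip address 125
 set ip next-hop 10.1.2.8
"""

def parse(config):
    # connected subnets, interface -> route-map, ACL ids, route-map -> clauses
    connected, policies, acls, maps = [], {}, set(), {}
    iface = rmap = None
    for tok in (l.split() for l in config.splitlines() if l.strip()):
        if tok[0] == "interface":
            iface = tok[1]
        elif tok[:2] == ["ip", "address"]:
            connected.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[:3] == ["ip", "policy", "route-map"]:
            policies[iface] = tok[3]
        elif tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "route-map":
            rmap = tok[1]
            maps.setdefault(rmap, []).append({})
        elif tok[:3] == ["match", "ip", "address"]:
            maps[rmap][-1]["acl"] = tok[3]
        elif tok[:3] == ["set", "ip", "next-hop"]:
            maps[rmap][-1]["next_hop"] = ipaddress.ip_address(tok[3])
    return connected, policies, acls, maps

def check_pbr(config):
    # Returns one finding per problem; an empty list means the PBR wiring is consistent.
    connected, policies, acls, maps = parse(config)
    findings = []
    for iface, name in policies.items():
        for clause in maps.get(name, []):
            acl, hop = clause.get("acl"), clause.get("next_hop")
            if acl and acl not in acls:
                findings.append(f"{iface}: route-map {name} matches undefined ACL {acl}")
            # An unreachable next-hop is skipped and the packet follows the routing table.
            if hop and not any(hop in net for net in connected):
                findings.append(f"{iface}: next-hop {hop} is on no connected subnet")
    for name in set(maps) - set(policies.values()):
        findings.append(f"route-map {name} is defined but never applied")
    return findings
```

Run against the excerpt it returns no findings, which agrees with Rick's reading that the route-map, its ACL and its interface binding are all in order.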

3 Replies

Richard Burts
Hall of Fame

I have looked at the config and do not see a problem there. The route map is applied on the correct interface (which is a very common problem) and the route map logic looks correct. I wonder if the issue might be with the feature set/license or perhaps the template being used (though if that were the issue I am surprised that the commands were accepted in the config). Perhaps you can supply some details about this 4506?

HTH

Rick

It turns out that it was defaulting me back to the old firewall (through a static route) because the new firewall was rejecting my traffic. This was due to a misconfiguration on the new firewall. Good suggestions, though. Thanks for your help.

Thanks for posting back to the forum to let us know that you have it sorted out and working now. I am glad that my suggestions were helpful even if the issue turned out to be something different.

HTH

Rick