Policy Based Routing to route VLAN to another gateway

AhmadZ
Level 1

Dear All,

I have VLANs configured on a Cisco core switch (CBS350), where the default gateway of this core switch is Firewall 1. Lately, Firewall 2 was installed, and I need one of the VLANs' traffic to go out through Firewall 2.

interface Vlan10
ip address 172.16.10.1 255.255.255.0

interface Vlan20
ip address 172.16.20.1 255.255.255.0

interface Vlan30
ip address 172.16.30.1 255.255.255.0

interface Vlan100
ip address 172.16.100.1 255.255.255.0
ip policy route-map PBR

ip access-list extended ACL-PBR
   permit ip 172.16.100.0 0.0.0.255 any 10
route-map PBR 10
    match ip address access-list ACL-PBR
    set ip next-hop 172.16.100.2

ip default-gateway 172.16.10.14

I'm trying to route VLAN 100 through Firewall 2, which is 172.16.100.2, while keeping all other VLANs on the default gateway, which is 172.16.10.14.

So I have configured this PBR, but once the route-map is added on interface Vlan100, I have no ping or access to VLAN 100 from any other VLAN.

Is there anything missing?

Thanks!


Hi

Looks like the ACL is denying the traffic. Have you tried putting a permit ip any any on the second line of the access list?

Hello, yes, I've tried that and got the same result.

If I understand the manual correctly, you need to add some deny ACEs. Try something like this.

ip access-list extended ACL-PBR
   deny ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255 10
   deny ip 172.16.100.0 0.0.0.255 172.16.20.0 0.0.0.255 20
   deny ip 172.16.100.0 0.0.0.255 172.16.30.0 0.0.0.255 30
   permit ip 172.16.100.0 0.0.0.255 any 40


Kris K

I think my problem is that after setting the route map, everything else should refer back to the routing table instead of the PBR, but this is not happening. I don't know if that works, but I will try.

Here’s my understanding of that.

What you have tells the switch to route any 172.16.100.0/24 traffic through the 172.16.100.2 gateway. That applies to both requests and replies. The regular routing table is not used for that traffic.

The use of ACLs in route maps is sort of creative in the sense that nothing is really permitted or denied. If there is a match on a permit ACE, the set ip next-hop is executed. If there is a match on a deny ACE, the set ip next-hop is omitted.

Kris K
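To make the two-ACL difference concrete, here is an added Python model of the forwarding decision Kris K describes (it is not code from the thread or from Cisco). Assumptions: a permit ACE match applies set ip next-hop, a deny ACE match or no match falls back to the routing table, and the routing table is the four connected VLAN subnets plus a default route to Firewall 1.

```python
import ipaddress

FW2 = "172.16.100.2"   # set ip next-hop in route-map PBR
FW1 = "172.16.10.14"   # default gateway (Firewall 1)
ANY = ("0.0.0.0", "255.255.255.255")  # "any" as network/wildcard

def ace(action, src, src_wc, dst, dst_wc, seq):
    return {"action": action, "src": (src, src_wc), "dst": (dst, dst_wc), "seq": seq}

def wildcard_match(addr, net, wildcard):
    # Cisco wildcard: a 1 bit means "don't care", so compare only the 0 bits.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (n & mask)

def pbr_next_hop(acl, src, dst):
    # First matching ACE (by sequence) decides: permit -> next-hop, deny -> None.
    for e in sorted(acl, key=lambda e: e["seq"]):
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            return FW2 if e["action"] == "permit" else None
    return None  # no match: the set clause is not applied

# Constructed routing table: connected subnets plus the default route.
ROUTING_TABLE = [(ipaddress.ip_network(n), nh) for n, nh in [
    ("172.16.10.0/24", "connected"), ("172.16.20.0/24", "connected"),
    ("172.16.30.0/24", "connected"), ("172.16.100.0/24", "connected"),
    ("0.0.0.0/0", FW1)]]

def table_lookup(dst):
    # Longest-prefix match over the table above.
    d = ipaddress.ip_address(dst)
    return max((r for r in ROUTING_TABLE if d in r[0]), key=lambda r: r[0].prefixlen)[1]

def forward(acl, src, dst):
    # Policy applies to packets entering Vlan100; others never match the ACL's source.
    nh = pbr_next_hop(acl, src, dst)
    return nh if nh is not None else table_lookup(dst)

ORIGINAL_ACL = [ace("permit", "172.16.100.0", "0.0.0.255", *ANY, 10)]
FIXED_ACL = [
    ace("deny", "172.16.100.0", "0.0.0.255", "172.16.10.0", "0.0.0.255", 10),
    ace("deny", "172.16.100.0", "0.0.0.255", "172.16.20.0", "0.0.0.255", 20),
    ace("deny", "172.16.100.0", "0.0.0.255", "172.16.30.0", "0.0.0.255", 30),
    ace("permit", "172.16.100.0", "0.0.0.255", *ANY, 40),
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for dst in ("172.16.10.20", "8.8.8.8"):
            print(name, "172.16.100.50 ->", dst, "via", forward(acl, "172.16.100.50", dst))
```

With the original ACL, a VLAN 100 host's reply to a VLAN 10 host is sent to Firewall 2 instead of being routed directly, which is why inter-VLAN pings failed; with the deny ACEs only Internet-bound traffic goes to Firewall 2.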

Yeah, that worked, thanks!! But now I have no internet on VLAN100. Why?

Kris K correctly identified your first issue. Now you have a second issue. And we do not have much information to work with about this second issue. Based on what we know so far I have these guesses about this issue:

- is there possibly a problem with Internet access from firewall 2? Does firewall 2 have a correct default route? From firewall 2 can you access anything on the Internet?

- is correct NAT configured on firewall 2 for 172.16.100.0/24?

- is it possible that firewall 2 does not have the correct subnet mask and believes that 172.16.100.0 is smaller than /24?

HTH

Rick