01-17-2018 06:07 AM - edited 03-08-2019 01:27 PM
We are currently using proxy servers to route outside traffic to the target firewall. But we purchased Firepower for our firewalls and we want to eliminate the proxy servers and send targeted VLANs to one of the two firewalls of our choice.
Currently we have a Nexus 9000 with all the VLANs and routes configured.
The two VLANs that we want to send to a different firewall are these:
01-17-2018 06:21 AM
You may need to configure PBR if the 9Ks support it. Here is an example for the 7Ks.
And here is a link to PBR on the 9K.
HTH
01-17-2018 06:38 AM
Hi John,
The way I see it, this is an application for Policy Based Routing (PBR), as you want to make routing choices based not only on the destination IP address but also on the source of the packet.
The difficulty is in distinguishing what kind of traffic is the internet-bound traffic and which is the intra-site traffic - obviously, you only want the internet-bound traffic to be forwarded to the firewall. The Nexus 9000 supports only a simple PBR where the ACLs must consist of permit lines only. This allows us to do exclusions only at the route-map level, not at the ACL level.
Based on this, an example configuration would be as follows:
feature pbr

ip access-list MyNetworks
  permit ip 10.0.0.0/8 10.0.0.0/8

route-map PBR deny 10
  match ip address MyNetworks
route-map PBR permit 20
  set ip next-hop 10.49.1.2

interface Vlan56
  ip policy route-map PBR
interface Vlan60
  ip policy route-map PBR

In the configuration above, I am assuming that your internal IP address space is from within 10.0.0.0/8, and that any communication within this space (sourced from and destined to 10.x.x.x) is internal and so should be routed according to the normal routing table. Anything else (obviously, traffic going to destinations other than 10.x.x.x) arriving at the SVIs for VLAN56 and VLAN60 will be forwarded to 10.49.1.2.
It might be necessary to make the MyNetworks ACL more elaborate to match more exactly all traffic that is considered internal and therefore not subject to being passed through the firewall. Once again, the ACL must only use permit lines.
Do you think this would be applicable?
Best regards,
Peter
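As an added illustration (not part of the thread, and not Cisco or the poster's code), the following Python model evaluates Peter's route-map the way a PBR-enabled SVI would: the ACL carries permit lines only, the exclusion is the deny clause at the route-map level, and the permit clause with set ip next-hop policy-routes everything else. It uses 10.52.23.252 as the next hop (the ASA named later in the thread); the host addresses and the Vlan70 entry (standing in for one of the VLANs without ip policy) are constructed for the demonstration.

```python
"""Flow classifier for an NX-OS style PBR route-map (added example, not from the
thread). Models the constraints discussed in the post: ACL entries are permit-only,
exclusions are 'deny' clauses at the route-map level, and a 'permit' clause with
'set ip next-hop' policy-routes the packet. Host addresses and Vlan70 are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Decision = Tuple[str, Optional[str]]   # ("next-hop", ip) or ("normal", None)


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of an NX-OS IP access list."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def make_acl(*entries: Tuple[str, str]) -> List[AclEntry]:
    # NX-OS PBR honours permit lines only, so the model has no deny entries.
    return [AclEntry(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in entries]


def acl_matches(entries: List[AclEntry], src: IPv4, dst: IPv4) -> bool:
    return any(src in e.src and dst in e.dst for e in entries)


@dataclass(frozen=True)
class Clause:
    """One 'route-map <name> permit|deny <seq>' stanza."""
    seq: int
    action: str                          # "permit" or "deny"
    match_acl: Optional[List[AclEntry]]  # None: the clause matches everything
    next_hop: Optional[str] = None       # 'set ip next-hop' on permit clauses


def policy_route(route_map: List[Clause], src: str, dst: str) -> Decision:
    """Walk the route-map in sequence order; the first matching clause wins.
    deny -> packet is routed by the normal routing table,
    permit with next-hop -> packet is policy-routed to that hop,
    no clause matches -> normal routing as well."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.match_acl is not None and not acl_matches(clause.match_acl, s, d):
            continue
        if clause.action == "deny" or clause.next_hop is None:
            return ("normal", None)
        return ("next-hop", clause.next_hop)
    return ("normal", None)


# The configuration from the post, with the ASA address given later in the thread.
FIREWALL_NEXT_HOP = "10.52.23.252"
MY_NETWORKS = make_acl(("10.0.0.0/8", "10.0.0.0/8"))
PBR = [
    Clause(10, "deny", MY_NETWORKS),
    Clause(20, "permit", None, next_hop=FIREWALL_NEXT_HOP),
]
# 'ip policy route-map PBR' is applied on Vlan56 and Vlan60 only; Vlan70 is a
# constructed stand-in for one of the VLANs that keep normal routing.
SVI_POLICY: Dict[str, Optional[List[Clause]]] = {"Vlan56": PBR, "Vlan60": PBR, "Vlan70": None}


def forward(ingress_svi: str, src: str, dst: str) -> Decision:
    """Forwarding decision for a packet arriving on the given SVI."""
    route_map = SVI_POLICY.get(ingress_svi)
    if route_map is None:
        return ("normal", None)
    return policy_route(route_map, src, dst)


def classify_flows(flows):
    """Return {(svi, src, dst): decision} for a batch of flows."""
    return {f: forward(*f) for f in flows}


if __name__ == "__main__":
    sample = [                                      # constructed flows
        ("Vlan60", "10.52.20.10", "8.8.8.8"),        # internet-bound -> firewall
        ("Vlan60", "10.52.20.10", "10.49.5.5"),      # intra-site 10/8 -> normal routing
        ("Vlan60", "10.52.20.10", "192.168.1.1"),    # internal space outside 10/8 -> firewall
        ("Vlan70", "10.70.0.10", "8.8.8.8"),         # SVI without ip policy -> normal routing
    ]
    for flow, decision in classify_flows(sample).items():
        print(flow, "->", decision)
```

The third sample flow is the case Peter's last paragraph warns about: with MyNetworks matching only 10/8-to-10/8, any other internal space (192.168.0.0/16, 172.16.0.0/12, or a partner range) sourced from VLAN 56 or 60 is sent to the firewall as well, so each such range needs its own permit line in the ACL. The model deliberately does not cover next-hop reachability; check on the real switch what the platform does when the configured next hop is down before relying on PBR as a security control.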
01-17-2018 07:12 AM
Thanks for the response, guys.
Peter,
In the response you offered I see the following in your config example:

route-map PBR permit 20
  set ip next-hop 10.49.1.2
interface Vlan56
  ip policy route-map PBR
interface Vlan60
  ip policy route-map PBR

Since the target FW is the 10.52.23.252 ASA, I assume I would change 10.49.1.2 to 10.52.23.252?
01-17-2018 07:15 AM
Peter,
One other thing.
We have about ten 10.x.x.x VLANs and only 2 of them (VLAN 56 and 60) are to be targeted for FW 10.52.23.252.
The other 8 are currently using 10.49.1.2 and will continue to do so.
Thanks
01-17-2018 07:18 AM
Hi John,
Oh yes, correct - I confused the IP address of the firewall you want to use. My bad - I apologize. The correct set ip next-hop line would point to 10.52.23.252. Please note that if the ASA is not directly connected to this N9K, you would need to point to the nearest next hop to that ASA, and that next hop would again need to be configured with PBR - that's the disadvantage of this approach.
Regarding the other VLANs, that's okay - since the PBR route-map would only be applied to interface Vlan56 and interface Vlan60, only these two VLANs would be affected by the PBR.
Best regards,
Peter
01-17-2018 07:21 AM
The next hop is an L3 3750X.
Is that capable of doing PBR?
01-17-2018 07:25 AM
Hi John,
Yes, the 3750X is capable of performing PBR, and the syntax is 99% the same - the only difference is in creating the ACL, as IOS uses a slightly different syntax (wildcard masks instead of netmasks, and you need to specify whether the ACL is standard or extended - here the ACL would be extended).
Is the ASA attached directly to the 3750X?
Best regards,
Peter
01-17-2018 07:27 AM
Yes, 10.52.23.252 is attached directly to the 3750X.
01-17-2018 07:38 AM
Hi John,
So if my understanding is correct, there is a standalone IP network between the N9K and the 3750X, and another standalone IP network between the 3750X and the ASA - is that correct? In other words, between the N9K and the ASA, the immediate L3 next hop is the 3750X, and if you perform traceroute 10.52.23.252 on the N9K, you get 2 hops (the 3750X, and the ASA itself). Note that if there is a VLAN that spans from N9K across the 3750X right to the ASA, and the N9K and the ASA share a single IP network, the 3750X is just an L2 switch for our purposes, and the PBR would only be configured on the N9K.
Keep in mind: PBR is like a static routing. It takes matching packets, and performs a predefined routing decision. PBR allows matching on more criteria than just the destination, and so when configuring the PBR on the 3750X, you again need to ask yourself: What is the traffic I want to route according to the normal routing table, and what is the specific traffic I want to forward to the ASA? The traffic-to-be-routed-normally should be specified in MyNetworks ACL. Depending on all traffic flows that hit the 3750X and the interface where you apply the PBR, you might need to make the MyNetworks ACL more specific - without knowing more about your network, I cannot provide any detailed suggestions. This is where your knowledge of your network comes in.
Best regards,
Peter
01-17-2018 08:06 AM
Here is the path:
N9K > 3850 > LAN bridge > 3750X
The 3850 is an L2 switch but has the capability of being L3.
The 3750X is running as L3.
The N9K is where all the SVIs are configured.
VLAN 56 and 60 are the wireless and data VLANs for this location, so the VLANs do extend from the N9K through the 3850 to the 3750X over a LAN bridge.
The ASA 10.52.23.252 is a VLAN 60 IP address.
"What is the traffic I want to route according to the normal routing table, and what is the specific traffic I want to forward to the ASA?"
The only traffic we wish to send through the FW is VLAN 56 and 60. All the switch ports at this site are set to VLAN 60, and all the APs use VLAN 56 for clients.