cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1475
Views
20
Helpful
10
Replies
john.wright
Participant

vlan routing to different firewalls on the LAN

We are currently using Proxy servers to route outside traffic to the target Firewall. But we purchased firepower for our firewalls and we want to eliminate proxy servers and send targeted vlans to one of the two firewalls of our choice.

Currently we have Nexus 9000 with all the vlans and routes configed. 

the two vlans that we want to send to a different firewall are these:

interface Vlan56
no shutdown
ip address 10.52.15.237/23
ip router eigrp 200
ip passive-interface eigrp 200
ip router ospf 20 area 0.0.0.0
hsrp 90
preempt delay minimum 30
priority 110
timers 2 10
ip 10.52.15.254
ip dhcp relay address 10.52.20.3
ip dhcp relay address 10.52.20.15
ip dhcp relay address 10.52.20.2
 
interface Vlan60
no shutdown
ip address 10.52.23.237/22
ip router eigrp 200
ip passive-interface eigrp 200
ip router ospf 20 area 0.0.0.0
hsrp 110
preempt delay minimum 300
priority 110
timers 2 10
ip 10.52.23.254
ip dhcp relay address 10.51.93.253
ip dhcp relay address 10.51.93.252
ip dhcp relay address 10.52.20.15
 
This is our current route statement that sends all traffic to one of the firewals
ip route 0.0.0.0/0 10.49.1.2
 
we want  Vlan 56 and 60 to send outside traffic to our other firewall 10.52.23.252.
 
This other firewall is connected to a L3 switch over a LAN bridge. But the Nexus 9000 is where all the vlans and routes are configed.
How do we config our LAN to send these two vlans to the targeted firewall?
 
 
 

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

Thanks for the response guys

 

Peter

In the response you offered I see in your config example the following:

route-map PBR permit 20
  set ip next-hop 10.49.1.2
interface Vlan56
  ip policy route-map PBR
interface Vlan60
  ip policy route-map PBR

 Since the target FW is the 10.52.23.252 ASA I assume I would i would change 10.49.1.2 to 10.52.23.252?

View solution in original post

Peter Paluch
Hall of Fame Cisco Employee

Hi John,

So if my understanding is correct, there is a standalone IP network between the N9K and the 3750X, and another standalone IP network between the 3750X and the ASA - is that correct? In other words, between the N9K and the ASA, the immediate L3 next hop is the 3750X, and if you perform traceroute 10.52.23.252 on the N9K, you get 2 hops (the 3750X, and the ASA itself). Note that if there is a VLAN that spans from N9K across the 3750X right to the ASA, and the N9K and the ASA share a single IP network, the 3750X is just an L2 switch for our purposes, and the PBR would only be configured on the N9K.

Keep in mind: PBR is like a static routing. It takes matching packets, and performs a predefined routing decision. PBR allows matching on more criteria than just the destination, and so when configuring the PBR on the 3750X, you again need to ask yourself: What is the traffic I want to route according to the normal routing table, and what is the specific traffic I want to forward to the ASA? The traffic-to-be-routed-normally should be specified in MyNetworks ACL. Depending on all traffic flows that hit the 3750X and the interface where you apply the PBR, you might need to make the MyNetworks ACL more specific - without knowing more about your network, I cannot provide any detailed suggestions. This is where your knowledge of your network comes in.

Best regards,
Peter

View solution in original post

10 REPLIES 10
Reza Sharifi
Hall of Fame Expert

Peter Paluch
Hall of Fame Cisco Employee

Hi John,

The way I see it, this is an application for Policy Based Routing (PBR), as you want to make routing choices based not only on the destination IP address, but also on the source of the packet.

The difficulty is in distinguishing what kind of traffic is the internet-bound traffic, and which is the intra-site traffic - obviously, you only want the internet-bound traffic to be forwarded to the firewall. The Nexus 9000 support only a simple PBR where the ACLs must all be only of the permit style. This allows us to do exclusions only on the route-map level, not on the ACL level.

Based on this, an example configuration would be as follows:

feature pbr
ip access-list MyNetworks
  permit ip 10.0.0.0/8 10.0.0.0/8
route-map PBR deny 10
  match ip address MyNetworks
route-map PBR permit 20
  set ip next-hop 10.49.1.2
interface Vlan56
  ip policy route-map PBR
interface Vlan60
  ip policy route-map PBR

In the configuration above, I am assuming that your internal IP address space is from within 10.0.0.0/8, and any communication within this space (sourced and destined to 10.x.x.x) is internal, and so should be routed according to the normal routing table. Anything else (obviously traffic going to destinations other than 10.x.x.x) and arriving to SVIs for VLAN56 and VLAN60 will be forwarded to 10.49.1.2.

It might be necessary to make the MyNetworks ACL more elaborate to more exactly match all traffic that is considered internal and therefore not subject to be passed through the firewall. Once again, the ACL must only use permit lines.

Do you think this would be applicable?

Best regards,
Peter

Thanks for the response guys

 

Peter

In the response you offered I see in your config example the following:

route-map PBR permit 20
  set ip next-hop 10.49.1.2
interface Vlan56
  ip policy route-map PBR
interface Vlan60
  ip policy route-map PBR

 Since the target FW is the 10.52.23.252 ASA I assume I would i would change 10.49.1.2 to 10.52.23.252?

View solution in original post

Peter

One other thing.

We have about ten 10.x.x.x vlans and only 2 of them (vlan 56 and 60) are to be targeted for FW 10.52.23.252.

The other 8 are currently using 10.49.1.2 and will continue to do so.

thanks

 

Peter Paluch
Hall of Fame Cisco Employee

Hi John,

Oh yes, correct - I confused the IP address of the firewall you want to use. My bad - I apologize. The correct set ip next-hop line would point to 10.52.23.252. Please note that if the ASA is not directly connected to this N9K, you would need to point to the nearest next hop to that ASA, and that next hop would again need to be configured with PBR - that's the disadvantage of this approach.

Regarding the other VLANs, that's okay - since the PBR route-map would only be applied to interface Vlan56 and interface Vlan60, only these two VLANs would be affected by the PBR.

Best regards,
Peter

The next hop is L3 3750x. 

is that capable of doing PBR?

Peter Paluch
Hall of Fame Cisco Employee

Hi John,

Yes, the 3750X is capable of performing PBR, and the syntax is 99% the same - the only difference is in creating the ACL, as IOS uses a slightly different syntax (wildcard masks instead of netmasks, needs to specify whether the ACL is a standard or extended - the ACL would be extended).

Is the ASA attached directly to the 3750X?

Best regards,
Peter

Yes, the 10.52.23.252 is attached directly to the 3750x

 

Peter Paluch
Hall of Fame Cisco Employee

Hi John,

So if my understanding is correct, there is a standalone IP network between the N9K and the 3750X, and another standalone IP network between the 3750X and the ASA - is that correct? In other words, between the N9K and the ASA, the immediate L3 next hop is the 3750X, and if you perform traceroute 10.52.23.252 on the N9K, you get 2 hops (the 3750X, and the ASA itself). Note that if there is a VLAN that spans from N9K across the 3750X right to the ASA, and the N9K and the ASA share a single IP network, the 3750X is just an L2 switch for our purposes, and the PBR would only be configured on the N9K.

Keep in mind: PBR is like a static routing. It takes matching packets, and performs a predefined routing decision. PBR allows matching on more criteria than just the destination, and so when configuring the PBR on the 3750X, you again need to ask yourself: What is the traffic I want to route according to the normal routing table, and what is the specific traffic I want to forward to the ASA? The traffic-to-be-routed-normally should be specified in MyNetworks ACL. Depending on all traffic flows that hit the 3750X and the interface where you apply the PBR, you might need to make the MyNetworks ACL more specific - without knowing more about your network, I cannot provide any detailed suggestions. This is where your knowledge of your network comes in.

Best regards,
Peter

View solution in original post

Here is the path.

N9K>3850>LAN bridge>3750X

The 3850 is L2 switch but has capability of being L3.

The 3750x is running as L3.

The N9K is where all the SVI's are configed.

Vlan 56 and 60 are the wireless and data vlans for this location so the vlans do extend from N9K through the 3850 to the 3750X over a LAN bridge.

The ASA 10.52.23.252 is vlan 60 IP address.

What is the traffic I want to route according to the normal routing table, and what is the specific traffic I want to forward to the ASA?

The only traffic we wish to send through the FW is vlan 56 and 60. All the switch ports at this site are set as vlan 60. And all the AP's use vlan 56 for clients.