Confusing Policy Based Routing

Aug 21st, 2008

Hi.

I have a query regarding policy based routing.


I have a Catalyst 4510 Switch with the following 2 VLANS


VLAN subnet 10.101.1.0/24, VLAN interface 10.101.1.254

VLAN subnet 10.101.2.0/24, VLAN interface 10.101.2.254


I also have 2 firewalls also with VLANS on the 4510


Firewall IP 172.20.1.1, VLAN subnet 172.20.1.0/24, VLAN interface 172.20.1.254

Firewall IP 172.20.2.1, VLAN subnet 172.20.2.0/24, VLAN interface 172.20.2.254


Traffic from 10.101.2.0 is directed out through the 172.20.2.1 firewall by default route on the 4510.

Traffic from 10.101.1.0 is forced out via Policy Based Routing to 172.20.1.1.


This is done with the following PBR config and applied on the VLAN interface 10.101.1.254.


ip access-list extended PBR_VLAN10
 deny ip 10.101.1.0 0.0.0.255 10.101.1.0 0.0.0.255
 permit ip 10.101.1.0 0.0.0.255 any

route-map SIB_LIV_PBR permit 10
 match ip address PBR_VLAN10
 set ip next-hop 172.20.1.1


For the potential need for resiliency both firewalls have routes back to both subnets 10.101.1.0 and 10.101.2.0 via the 4510.


This works correctly.


However I am confused about the internal connectivity between the two subnets 10.101.1.0 and 10.101.2.0.


As I can follow it, if a device on 10.101.1.0 were to ping a device on 10.101.2.0 it would hit the PBR rule and head to the 172.20.1.1 firewall and would then be routed back to the 4510, which should then be able to reach the 10.101.2.0 subnet anyway. However this does not seem to happen.


As it happens I don't actually want the subnets to interact, but I didn't think I had configured anything yet to prohibit this!


I know it's a long and complicated one, but any thoughts?



Richard Burts Thu, 08/21/2008 - 09:53

Michael


There are aspects of your environment that we do not know or understand and they may have some impact on this question. But here are my thoughts on what you have posted:

- I am puzzled by the first line in the access list:

deny ip 10.101.1.0 0.0.0.255 10.101.1.0 0.0.0.255

which basically says do not policy route traffic where the source and the destination are both in the subnet of the interface. But why would traffic where the destination was in the same subnet as the source even get to the interface? It should just go local to the destination without needing a layer 3 interface.

- it would make a lot more sense to me if the destination address were slightly changed:

deny ip 10.101.1.0 0.0.0.255 10.101.2.0 0.0.0.255

this would say do not policy route if the source and destination are both on the 4510 and do not need any firewall.

- depending on what type of firewall it is and how it is configured, many firewalls do not want to forward a packet back out the same interface on which it was received (sometimes called hairpinning the traffic). Perhaps that is why traffic from 10.101.1.0 to 10.101.2.0 does not work.


If you do want to prevent traffic between the local subnets then you would need an access list on the interface to deny inter subnet traffic and permit other traffic.


HTH


Rick
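To see what the two access lists actually do to the flows discussed in this thread, here is a small added example (not code from the question or the reply) that applies IOS wildcard-mask matching to constructed sample traffic. It uses the addresses from the question and reduces the route-map to its single `permit 10` entry; the flow addresses themselves are made up for the test.

```python
import ipaddress

# Next hop set by "route-map SIB_LIV_PBR permit 10" in the question.
FW1_NEXT_HOP = "172.20.1.1"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        src_ok = wildcard_match(src, s_net, s_wc)
        dst_ok = d_net == "any" or wildcard_match(dst, d_net, d_wc)
        if src_ok and dst_ok:
            return action
    return "deny"


# The ACL exactly as posted: the deny line only covers traffic that stays
# inside 10.101.1.0/24, which never reaches the SVI because it is switched
# at layer 2, so in practice every routed packet hits the permit line.
ACL_AS_POSTED = [
    ("deny", "10.101.1.0", "0.0.0.255", "10.101.1.0", "0.0.0.255"),
    ("permit", "10.101.1.0", "0.0.0.255", "any", None),
]

# Rick's suggested change: exempt traffic to the other local VLAN from PBR
# so it follows the 4510's own routing table instead of the firewall.
ACL_SUGGESTED = [
    ("deny", "10.101.1.0", "0.0.0.255", "10.101.2.0", "0.0.0.255"),
    ("permit", "10.101.1.0", "0.0.0.255", "any", None),
]


def pbr_next_hop(acl, src: str, dst: str) -> str:
    """A 'permit' match on a route-map permit entry applies the set clause;
    a 'deny' (explicit or implicit) leaves the packet to normal routing."""
    if acl_action(acl, src, dst) == "permit":
        return FW1_NEXT_HOP
    return "routing-table"
```

With the posted ACL a ping from 10.101.1.10 to 10.101.2.20 is handed to 172.20.1.1, which is why the firewall's hairpin behaviour decides whether it works; with the suggested deny line it is routed directly by the 4510.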
