I have a query regarding policy based routing.
I have a Catalyst 4510 switch with the following two VLANs:
VLAN / Subnet 10.101.1.0/24, VLAN interface 10.101.1.254
VLAN / Subnet 10.101.2.0/24, VLAN interface 10.101.2.254
I also have two firewalls, each on its own VLAN on the 4510:
Firewall IP 172.20.1.1, VLAN / Subnet 172.20.1.0/24, VLAN interface 172.20.1.254
Firewall IP 172.20.2.1, VLAN / Subnet 172.20.2.0/24, VLAN interface 172.20.2.254
Traffic from 10.101.2.0 is directed out through the 172.20.2.1 firewall by default route on the 4510.
Traffic from 10.101.1.0 is forced out via Policy Based Routing to 172.20.1.1.
This is done with the following PBR config and applied on the VLAN interface 10.101.1.254.
ip access-list extended PBR_VLAN10
 deny ip 10.101.1.0 0.0.0.255 10.101.1.0 0.0.0.255
 permit ip 10.101.1.0 0.0.0.255 any
!
route-map SIB_LIV_PBR permit 10
 match ip address PBR_VLAN10
 set ip next-hop 172.20.1.1
For the potential need for resiliency both firewalls have routes back to both subnets 10.101.1.0 and 10.101.2.0 via the 4510.
This works correctly.
However, I am confused about the internal connectivity between the two subnets 10.101.1.0 and 10.101.2.0.
As far as I can follow it, if a device on 10.101.1.0 were to ping a device on 10.101.2.0 it would hit the PBR rule and head to the 172.20.1.1 firewall, and would then be routed back to the 4510, which should then be able to reach the 10.101.2.0 subnet anyway. However, this does not seem to happen.
As it happens I don't actually want the subnets to interact, but I didn't think I had configured anything yet to prohibit this!
I know it's a long and complicated one, but any thoughts?
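As an added illustration (not part of the original post), the following Python model evaluates the poster's ACL and route-map the way IOS does: first matching ACE wins, a deny ACE (or the implicit deny) exempts the packet from policy routing and leaves it to the normal routing table, and a permit ACE applies the sequence's set next-hop. Running it over the flows in the question shows which ones are handed to 172.20.1.1. The hosts 10.101.1.10, 10.101.1.20, 10.101.2.20 and 203.0.113.5 are constructed sample addresses.

```python
import ipaddress
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # how IOS expands the keyword "any"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is don't-care,
    so 0.0.0.255 covers a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

# An ACE is (action, (src_base, src_wildcard), (dst_base, dst_wildcard)).
Ace = Tuple[str, Tuple[str, str], Tuple[str, str]]

# ACL PBR_VLAN10 transcribed from the question.
PBR_VLAN10: List[Ace] = [
    ("deny",   ("10.101.1.0", "0.0.0.255"), ("10.101.1.0", "0.0.0.255")),
    ("permit", ("10.101.1.0", "0.0.0.255"), ANY),
]

def evaluate_acl(acl: List[Ace], src: str, dst: str) -> Optional[str]:
    """First-match evaluation; None models the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return None

def pbr_next_hop(route_map: List[Tuple[List[Ace], str]],
                 src: str, dst: str) -> Optional[str]:
    """Walk the route-map's permit sequences in order. A packet permitted by a
    sequence's match ACL gets that sequence's 'set ip next-hop'. A deny or
    implicit deny means the sequence does not apply and the packet falls
    through to ordinary destination-based routing, modelled here as None."""
    for acl, next_hop in route_map:
        if evaluate_acl(acl, src, dst) == "permit":
            return next_hop
    return None

# route-map SIB_LIV_PBR permit 10 from the question, applied on the 10.101.1.254 SVI.
SIB_LIV_PBR = [(PBR_VLAN10, "172.20.1.1")]

def classify(src: str, dst: str) -> str:
    hop = pbr_next_hop(SIB_LIV_PBR, src, dst)
    return f"policy-routed to {hop}" if hop else "normal routing table lookup"

if __name__ == "__main__":
    # Intra-VLAN, to the other VLAN, and to a public address (sample hosts).
    for dst in ("10.101.1.20", "10.101.2.20", "203.0.113.5"):
        print(f"10.101.1.10 -> {dst}: {classify('10.101.1.10', dst)}")
```

The second flow is the one the poster describes: a packet from 10.101.1.0/24 to 10.101.2.0/24 is permitted by the ACL, so the 4510 sends it to 172.20.1.1 instead of routing it directly between the two SVIs, and the return path then depends on how that firewall handles the hairpin.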