Policy Based Routing: two gateways

Answered Question
Jan 13th, 2010

I have a LAN with a core router and two separate internet-connected firewalls. Currently the core router has a default route pointing to the old firewall. I need to implement a policy-based route that allows traffic from several remote subnets to access the new firewall.

I understand that I will need to create an ACL specifying the remote subnet traffic.  I will then need to create a route-map referencing this ACL and setting the next hop to the new firewall address.  My questions are these:

1.  Will the default route still apply to traffic not specified in the ACL/route-map?

2.  Since this router has an ethernet interface in the same subnet as the two firewalls, do I apply the route map to that interface?

Thanks!

Correct Answer by Jon Marshall Wed, 01/13/2010 - 12:41

1) Yes, it will.

2) You apply the route-map to the interface that the traffic arrives on from the source.

Jon

Chris Driggers Wed, 01/13/2010 - 13:23

One additional question.  Say the core router has routes to other remote subnets.  Will the next-hop command keep packets sourced from the remote networks (matching my ACL on the route-map) from following the routes to the other remote subnets?  Or will they be forced to take the next hop to the firewall?

Jon Marshall Wed, 01/13/2010 - 13:28

Sorry Chris, you've lost me.

Could you perhaps give an example? Only when there is a match in the ACL will the packet be PBR'd. And PBR only works inbound on the interface it is applied to.

Jon

Chris Driggers Wed, 01/13/2010 - 13:43

Sorry

OK here we go:

Let's say we have a subnet 10.10.10.0/24 at a remote site. We also have 10.10.20.0/24 at another remote site. In between these routers is the core router at 10.10.0.1. We also have OldFirewall at 10.10.0.100 and NewFirewall at 10.10.0.254.

I set up a policy that says packets sourced from 10.10.10.0/24 next-hop to 10.10.0.254.  But I have a packet from 10.10.10.0/24 destined for 10.10.20.0/24.  There is a static route on the core that tells it how to get there.  Will this route be pre-empted by the policy that is telling it to hit the NewFirewall?  Do I need to add to my policy something that tells packets sourced from 10.10.10.0/24 destined for 10.10.20.0/24 to next-hop to the same IP that the static route would tell them to go?

I feel like I may be overcomplicating things.  I hope this explanation helps!

Armando Yesua G... Wed, 01/13/2010 - 13:48

Hi, if you look at the order of operations of the router, policy routing preempts routing (even the static one):

  • 1. If IPSec then check input access list

  • 2. decryption - for CET (Cisco Encryption Technology) or IPSec

  • 3. check input access list

  • 4. check input rate limits

  • 5. input accounting

  • 6. redirect to web cache

  • 7. policy routing   <-----

  • 8. routing

The PBR will preempt the static route.

You will need to deny that route in your ACL so it can be forwarded via the RIB.

Hope this helps.

Armando.

Chris Driggers Wed, 01/13/2010 - 13:51

Ah, I was afraid I'd have to do a permit for the route and then next-hop every single one. Instead I just do a single round of denies in the ACL, then it will fail over to the static routes.

Got it. Thanks!
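Putting Jon's answer (apply the route-map inbound on the interface the source traffic arrives on) and Armando's point (a deny in the ACL lets that traffic fall through to the routing table) together as one worked configuration. This is an added example, not configuration posted in the thread. It uses the addresses from Chris's example (core router 10.10.0.1, OldFirewall 10.10.0.100, NewFirewall 10.10.0.254, remote sites 10.10.10.0/24 and 10.10.20.0/24); the interface name GigabitEthernet0/1 (the core router's link toward the 10.10.10.0/24 site), the ACL name PBR-NEWFW and the route-map name TO-NEWFW are assumptions.

```cisco
! Added example, not from the original thread. Cisco IOS syntax.
! Interface, ACL and route-map names are assumed; addresses follow Chris's example.
!
! Existing default route toward OldFirewall. Anything that is NOT policy-routed
! (no ACL match, or a deny match) still follows this route (question 1).
ip route 0.0.0.0 0.0.0.0 10.10.0.100
!
! ACL referenced by the route-map. Order matters: the deny entries come first.
! A "deny" here does NOT drop the packet; it means "not policy-routed", so the
! packet falls through to the RIB (the static route to 10.10.20.0/24, or the
! default). Only what the final "permit" matches is steered to NewFirewall.
ip access-list extended PBR-NEWFW
 remark Site-to-site traffic: leave it to the normal routing table
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark Traffic to the core/firewall subnet itself: leave it to the RIB too
 deny   ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.0.255
 remark Everything else sourced from the remote site (e.g. Internet-bound)
 permit ip 10.10.10.0 0.0.0.255 any
!
! Route-map: match the ACL, set the next hop to NewFirewall.
! Packets that match no permit sequence are routed normally.
route-map TO-NEWFW permit 10
 match ip address PBR-NEWFW
 set ip next-hop 10.10.0.254
!
! Apply the policy INBOUND on the interface where the 10.10.10.0/24 traffic
! enters the core router (question 2 / Jon's answer), not on the interface
! facing the two firewalls, where the packets would already be on their way out.
interface GigabitEthernet0/1
 description Link toward remote site 10.10.10.0/24 (assumed interface name)
 ip policy route-map TO-NEWFW
!
! Verification (exec mode):
!   show ip policy                  - which interfaces carry which route-map
!   show route-map TO-NEWFW         - match/set clauses plus policy-routing counters
!   show ip access-lists PBR-NEWFW  - per-entry hit counts: the deny lines should
!                                     increment for 10.10.10.0/24 -> 10.10.20.0/24
!   debug ip policy                 - per-packet policy match / rejected messages
!                                     (lab use only; very chatty on a busy core)
```

Two caveats a practitioner will want. First, the deny list has to enumerate every internal destination that should keep following the RIB; a remote subnet added later and not denied here is silently sent to NewFirewall, so review the ACL whenever a site is added. Second, if 10.10.0.254 becomes unreachable (NewFirewall down), IOS does not drop the policy-routed traffic; it falls back to normal routing, i.e. out the default route via OldFirewall. If that silent fallback is not acceptable, look at `set ip next-hop verify-availability` with an IP SLA track, or a trailing `set interface Null0`, so the traffic is dropped rather than leaking through the old path. Note also, from Armando's order-of-operations list, that the inbound access list is evaluated before policy routing, so an `ip access-group ... in` on the same interface still filters packets before PBR picks their next hop.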
