01-13-2010 12:39 PM - edited 03-06-2019 09:16 AM
I have a LAN with a core router and two separate internet-connected firewalls. Currently the core router has a default route pointing to the old firewall. I need to implement a policy-based route that allows traffic from several remote subnets to access the new firewall.
I understand that I will need to create an ACL specifying the remote subnet traffic. I will then need to create a route-map referencing this ACL and setting the next hop to the new firewall address. My questions are these:
1. Will the default route still apply to traffic not specified in the ACL/route-map?
2. Since this router has an ethernet interface in the same subnet as the two firewalls, do I apply the route map to that interface?
Thanks!
01-13-2010 12:41 PM
1) Yes, it will.
2) You apply the route-map to the interface that the traffic arrives on from the source.
Jon
01-13-2010 12:43 PM
Perfect. Just what I was looking for.
01-13-2010 01:23 PM
One additional question. Say the core router has routes to other remote subnets. Will the next-hop command keep packets sourced from the remote networks (matching my ACL on the route-map) from following the routes to the other remote subnets? Or will they be forced to take the next hop to the firewall?
01-13-2010 01:28 PM
Sorry Chris, you've lost me
Could you perhaps give an example? Only when there is a match in the ACL will the packet be PBRed. And the PBR only works inbound on the interface it is applied on.
Jon
01-13-2010 01:43 PM
Sorry
OK here we go:
Let's say we have a subnet 10.10.10.0/24 at a remote site. We also have 10.10.20.0/24 at another remote site. In between these routers is the core router at 10.10.0.1. We also have OldFirewall at 10.10.0.100 and NewFirewall at 10.10.0.254.
I set up a policy that says packets sourced from 10.10.10.0/24 next-hop to 10.10.0.254. But I have a packet from 10.10.10.0/24 destined for 10.10.20.0/24. There is a static route on the core that tells it how to get there. Will this route be pre-empted by the policy that is telling it to hit the NewFirewall? Do I need to add to my policy something that tells packets sourced from 10.10.10.0/24 destined for 10.10.20.0/24 to next-hop to the same IP that the static route would tell them to go?
I feel like I may be overcomplicating things. I hope this explanation helps!
01-13-2010 01:48 PM
Hi, if you look at the order of operations of the router, policy preempts routing (even the static one):
1. If IPSec then check input access list
2. decryption - for CET (Cisco Encryption Technology) or IPSec
3. check input access list
4. check input rate limits
5. input accounting
6. redirect to web cache
7. policy routing <-----
8. routing
The PBR will preempt the static route.
You will need to deny the route in your ACL so it can be forwarded via the RIB.
Hope this helps.
Armando.
01-13-2010 01:51 PM
Ah, I was afraid I'd have to do a permit for the route and then next-hop every single one. Instead I just do a single round of denies in the ACL, then it will fail over to the static routes.
Got it. Thanks!
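The configuration the thread arrives at, written out as an added example (not posted by anyone in the thread) using the addresses Chris gave: core router 10.10.0.1, OldFirewall 10.10.0.100, NewFirewall 10.10.0.254, remote subnets 10.10.10.0/24 and 10.10.20.0/24. The interface name GigabitEthernet0/1 and the remote-router next hops 10.10.1.2 and 10.10.2.2 are assumptions.

```cisco
! Added example, not from the thread. Assumes an IOS core router whose
! remote-site traffic arrives on GigabitEthernet0/1; the next hops
! 10.10.1.2 and 10.10.2.2 toward the remote routers are invented.
!
! Normal routing is left untouched: default route to OldFirewall and
! static routes to the remote sites. Anything the route-map does not
! match follows these (question 1 in the thread).
ip route 0.0.0.0 0.0.0.0 10.10.0.100
ip route 10.10.10.0 255.255.255.0 10.10.1.2
ip route 10.10.20.0 255.255.255.0 10.10.2.2
!
! Extended ACL. The deny entries come first so that site-to-site traffic
! and traffic to the core LAN itself (including the firewalls) is NOT
! policy-routed and falls through to the RIB, as Armando describes.
! The final permit catches everything else from 10.10.10.0/24, i.e.
! Internet-bound traffic, which is what should go to NewFirewall.
ip access-list extended PBR-TO-NEWFW
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Route-map: only packets the ACL permits get the new next hop; a deny
! or no match at all means the packet is routed normally.
route-map PBR-NEWFW permit 10
 match ip address PBR-TO-NEWFW
 set ip next-hop 10.10.0.254
!
! Apply inbound on the interface the remote traffic ARRIVES on (Jon's
! answer to question 2), not on the firewall-facing interface.
interface GigabitEthernet0/1
 description Link toward remote sites (assumed interface)
 ip policy route-map PBR-NEWFW
!
! Verification from exec mode: the ACL and route-map counters show
! whether the deny entries are catching the site-to-site traffic.
! show ip access-lists PBR-TO-NEWFW
! show route-map PBR-NEWFW
```

An alternative that avoids the deny entries is `set ip default next-hop 10.10.0.254` in place of `set ip next-hop`: IOS then applies the policy only when the RIB has no explicit route for the destination (the 0.0.0.0/0 default does not count), so the static routes to 10.10.20.0/24 and the connected 10.10.0.0/24 win on their own. Either way, check the counters after applying, since a permit that is too broad will also send traffic for the firewalls themselves to 10.10.0.254.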