Policy Based Routing: two gateways

Chris Driggers
Level 1

I have a LAN with a core router and two separate internet-connected firewalls.  Currently the core router has a default route pointing to the old firewall.  I need to implement a policy-based route that allows traffic from several remote subnets to access the new firewall.

I understand that I will need to create an ACL specifying the remote subnet traffic.  I will then need to create a route-map referencing this ACL and setting the next hop to the new firewall address.  My questions are these:

1.  Will the default route still apply to traffic not specified in the ACL/route-map?

2.  Since this router has an ethernet interface in the same subnet as the two firewalls, do I apply the route map to that interface?

Thanks!

Accepted Solution

Jon Marshall
Hall of Fame

chris.driggers@combest.com

I have a LAN with a core router and two separate internet-connected firewalls.  Currently the core router has a default route pointing to the old firewall.  I need to implement a policy-based route that allows traffic from several remote subnets to access the new firewall.

I understand that I will need to create an ACL specifying the remote subnet traffic.  I will then need to create a route-map referencing this ACL and setting the next hop to the new firewall address.  My questions are these:

1.  Will the default route still apply to traffic not specified in the ACL/route-map?

2.  Since this router has an ethernet interface in the same subnet as the two firewalls, do I apply the route map to that interface?

Thanks!

1) Yes it will

2) you apply the route-map to the interface that the traffic arrives on from the source.

Jon


7 Replies


Perfect.  Just what I was looking for.

One additional question.  Say the core router has routes to other remote subnets.  Will the next-hop command keep packets sourced from the remote networks (matching my ACL on the route-map) from following the routes to the other remote subnets?  Or will they be forced to take the next hop to the firewall?

chris.driggers@combest.com

One additional question.  Say the core router has routes to other remote subnets.  Will the next-hop command keep packets sourced from the remote networks (matching my ACL on the route-map) from following the routes to the other remote subnets?  Or will they be forced to take the next hop to the firewall?

Sorry Chris, you've lost me

Could you perhaps give an example? Only when there is a match in the ACL will the packet be PBR'd. And the PBR only works inbound on the interface it is applied on.

Jon

Sorry

OK here we go:

Let's say we have a subnet 10.10.10.0/24 at a remote site.  We also have 10.10.20.0/24 at another remote site.  In between these routers is the core router at 10.10.0.1.  We also have OldFirewall at 10.10.0.100 and NewFirewall at 10.10.0.254.

I set up a policy that says packets sourced from 10.10.10.0/24 next-hop to 10.10.0.254.  But I have a packet from 10.10.10.0/24 destined for 10.10.20.0/24.  There is a static route on the core that tells it how to get there.  Will this route be pre-empted by the policy that is telling it to hit the NewFirewall?  Do I need to add to my policy something that tells packets sourced from 10.10.10.0/24 destined for 10.10.20.0/24 to next-hop to the same IP that the static route would tell them to go?

I feel like I may be overcomplicating things.  I hope this explanation helps!

Hi, if you look at the order of operations of the router, policy preempts routing (even the static one):

1. If IPSec, then check input access list
2. Decryption - for CET (Cisco Encryption Technology) or IPSec
3. Check input access list
4. Check input rate limits
5. Input accounting
6. Redirect to web cache
7. Policy routing   <-----
8. Routing

The PBR will preempt the static route.

You will need to deny the route in your ACL, so it can be forwarded via the RIB.

Hope this helps.

Armando.

Ah, I was afraid I'd have to do a permit for the route and then next-hop every single one.  Instead I just do a single round of denies in the ACL, then it will fail over to the static routes.

Got it.  Thanks!
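To tie Jon's answer (apply the route-map inbound on the interface the source traffic arrives on) and Armando's (deny, in the ACL, the destinations that should keep following the RIB) together, here is an IOS configuration for the topology Chris described. This is an added illustration, not configuration posted by anyone in the thread; the interface name GigabitEthernet0/1, the ACL and route-map names, the 10.10.0.2 next hop for the 10.10.20.0/24 static route, and the /24 mask on the core subnet are assumptions the thread does not state.

```cisco
! Existing routing on the core router (10.10.0.1): default route toward OldFirewall,
! plus a static route to the other remote site (10.10.0.2 next hop is assumed).
ip route 0.0.0.0 0.0.0.0 10.10.0.100
ip route 10.10.20.0 255.255.255.0 10.10.0.2

! ACL used only to select traffic for PBR. A "deny" here does not drop anything;
! it excludes the flow from the route-map so it is forwarded from the RIB instead.
! Order matters: the specific denies must come before the catch-all permit.
ip access-list extended PBR-SRC-10-10-10
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any

! Route-map: anything the ACL permits is handed to NewFirewall (10.10.0.254);
! anything it denies, or that matches no sequence, goes through normal routing.
route-map TO-NEWFIREWALL permit 10
 match ip address PBR-SRC-10-10-10
 set ip next-hop 10.10.0.254

! Apply inbound on the interface where packets from 10.10.10.0/24 enter the core.
! PBR acts only on traffic arriving on this interface (interface name assumed).
interface GigabitEthernet0/1
 description toward remote site 10.10.10.0/24
 ip policy route-map TO-NEWFIREWALL
```

After applying it, `show ip policy` lists the interfaces that carry a policy route-map and `show route-map TO-NEWFIREWALL` shows a hit count for the sequence, so you can confirm that only the intended flows are being policy routed. Two caveats worth knowing: `set ip next-hop` does not check whether 10.10.0.254 is reachable, so if the new firewall goes down, matched packets are still sent toward it; `set ip next-hop verify-availability` combined with object tracking makes the router fall back to the routing table in that case. And if the only goal is to change which firewall receives traffic that would otherwise hit the default route, `set ip default next-hop 10.10.0.254` does that without any deny lines, because it is consulted only when the RIB has no explicit (non-default) route for the destination.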
