Is PBR my answer?

Jan 26th, 2010

I'm in the process of setting up a 3560G alongside an ASA 5505. What I'd like to do is have all traffic from vlan 10 to the internet be routed to 192.168.16.2 (the 'blue' inside interface), and all traffic from vlan 20 to the internet be routed to 192.168.17.2 (the 'green' inside interface), so that the traffic can be natted properly.  I'd also like to keep my interVLAN routing.  The problem is that currently, traffic from vlan 20 is being routed to 192.168.16.2 (which is on vlan 10) because of the route statement on the 3560, and the traffic doesn't get nat-translated.  Traffic from vlan 10 flows to the internet properly.  Is PBR on the switch my solution here?  How would I implement it?


My config looks similar to:


(3560)

interface vlan 10
 ip address 192.168.16.1 255.255.255.0

interface vlan 20
 ip address 192.168.17.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.16.2


(asa)

interface vlan 2
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.248

interface vlan 10
 nameif blue
 security-level 100
 ip address 192.168.16.2 255.255.255.0

interface vlan 20
 nameif green
 security-level 100
 ip address 192.168.17.2 255.255.255.0

global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3

nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (green) 3 192.168.17.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 200.1.1.6 1

sachinraja Tue, 01/26/2010 - 07:42

Hi Nathan


Yes.. PBR is your answer.. What version of IOS is your switch running? You need to have an EMI image for PBR to work..


you need to configure a route-map, and have a matching ACL for traffic from VLAN 20.. then set next hop as 192.168.17.2


route-map vlan20 permit 10
 match ip address 1
 set ip next-hop 192.168.17.2

access-list 1 permit x.x.x.x



ooops.. just saw your config.. VLAN 20 has a subnet 192.168.17.x? Is the router gateway 192.168.17.2 local to VLAN 20? ahh.. you don't want to change the gateway of your PCs to 192.168.17.2 since you need access to VLAN 10 from vlan 20?


Raj

sequoyatech Tue, 01/26/2010 - 07:54

Raj,


I'm running c3560-ipservicesk9-mz.122-53.SE.  As far as the ACL goes, since the policy route gets applied before the static route, wouldn't the "access-list 1 permit xxxx" route ALL traffic from that subnet to 192.168.17.2?


And yes - vlan 20 is 192.168.17.0/24, 192.168.17.1 is the SVI on the switch, and 192.168.17.2 is the SVI on the ASA.

Mohamed Sobair Tue, 01/26/2010 - 07:52

Hi,


PBR is not your solution here...


Why don't you have a trunk port to the ASA carrying vlans 10 and 20, and make the ASA act as a router on a stick, so the GWs of the vlan 10 and 20 hosts point directly to the ASA. I mean you could have the 3560 perform purely as layer 2 and leave the job of routing and NATting to the ASA.


Does this suffice or do you have to have the 3560 do intervlan routing?




HTH

Mohamed

sequoyatech Tue, 01/26/2010 - 07:56

The 5505 won't do interVLAN routing, so it must be done on the switch.  I'm not terribly experienced in this stuff, so please bear with me

sachinraja Tue, 01/26/2010 - 08:00

Well ASAs can forward traffic from one vlan to another... just like switches, but you would need to define appropriate security levels, rules, NATs or no-NATs etc., which could add lots of other configuration on the ASA.. if you want to do layer 3 on the switch, then you need to look at PBR.. if you are comfortable forwarding traffic to the ASA (for layer 3) then you can make that work too.. it depends..


btw, why have you put this in parallel to the ASA? Are you planning any kind of migration in future? What are your plans?


Raj

sequoyatech Tue, 01/26/2010 - 08:07

I'm not sure what you mean by "in parallel".  The idea was that the ASA does its firewall duties, and the 3560 handles internal routing.  I had no idea that I'd have to get into this PBR stuff, I'm still not quite sure why each L3 interface on the switch couldn't have its own routing table (i.e. each vlan has its own default route).

sachinraja Tue, 01/26/2010 - 08:12

"in parallel" means running both the switch & ASA on the same subnet ? normally if you need to have ASA doing firewall, and switch doing L3, you will have a setup similar to this:


ASA 5505
   |
switch L3
   |
VLAN SVI on switch
   |
PCs


so the PCs would have a default gateway towards the switch, and the switch would be connected on a different layer 3 segment to the ASA to make routing feasible.. but in your case you have the ASA alongside the switch... the layer 3 switch will just be having a single routing table to isolate routing loops.. if you need to have different routing policies for different vlans, you can still use policy based routing as described in my first post..


Raj

Mohamed Sobair Tue, 01/26/2010 - 08:13

Nathan,


The simplest approach is to have the ASA be the GW for all vlans. By setting the security level of all vlan interfaces to the same value, you provide connectivity between vlans as well as connectivity to the Internet.


You don't need PBR here...



HTH

Mohamed

sachinraja Tue, 01/26/2010 - 09:02

Hi Nathan


Since you already have a 3560, I would still go for a Layer 3 termination on the switch rather than trunking on the ASA... you will have better control and direct switching if you have layer 3 on the switch. In case your switch does not have an EMI image (and so cannot support PBR), you can have the ASA terminating the layer 3 interfaces as given by the URL... I'm just thinking in terms of scalability.. Suppose you have 10 or 20 more vlans in future, it will be good to terminate the SVIs locally on the switch, rather than configuring 10 VLANs on the ASA, which would complicate things..


Raj

Jon Marshall Tue, 01/26/2010 - 10:02

sequoyatech wrote:


So this is what you'd recommend Mohamed?


http://www.cisco-tips.com/how-to-configure-a-cisco-layer-3-switch-intervlan-routing/


Apologies for jumping in but why do you need to NAT the 2 internal vlans to different public addresses?


Personally, given the choice, I would do as Raj says and use the 3560G for inter-vlan routing because, put simply, that's what it was designed for and it's good at it. The ASA is not designed to be responsible for inter-vlan routing. It can do it but the config gets quite complex and to be honest it's best left to get on with what it was designed to do, i.e. firewall.


Plus if you route off the ASA and the ASA crashes you have lost internal and external connectivity which may be a little difficult to explain when you have a perfectly good L3 switch to use internally.


Jon

sequoyatech Tue, 01/26/2010 - 10:13

Jon, are you asking why I have


nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255


?


The answer is that the server at .6 is required to have its own dedicated WAN IP.


I'm going to try with Raj's method, as it seems the most robust (not that I don't appreciate Mohamed's advice - it's always nice to see different ways of doing things).  As you might have suspected, I have a question regarding the ACL for the route-map. In plain terms, I want to policy-route any traffic to destinations that do not live on the switch (in my case, you can assume this means the internet). Can someone give an example of what the correct ACL would look like?

Jon Marshall Tue, 01/26/2010 - 10:16

sequoyatech wrote:


Jon, are you asking why I have


nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255


?


The answer is that the server at .6 is required to have its own dedicated WAN IP.


I'm going to try with Raj's method, as it seems the most robust (not that I don't appreciate Mohamed's advice - it's always nice to see different ways of doing things).  As you might have suspected, I have a question regarding the ACL for the route-map. In plain terms, I want to policy-route any traffic to destinations that do not live on the switch (in my case, you can assume this means the internet). Can someone give an example of what the correct ACL would look like?


Nathan


No, I'm asking why you have to NAT 192.168.16.0/24 and 192.168.17.0/24 to different public IPs?


It's actually quite an important question because if you don't need to then you don't need PBR.


Jon

sequoyatech Tue, 01/26/2010 - 10:19

Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.


edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!

sachinraja Tue, 01/26/2010 - 10:25

In that case you wouldn't require PBR, right? All packets hit your VLAN SVI, and are forwarded to the ASA inside interface (blue segment). The ASA would then do a NAT for both the 16.x & 17.x outside on either the interface IP or 200.1.1.2! Reverse traffic would come as expected through the firewall.. so simply you can remove the third NAT statement created for Green....


Raj

Correct Answer
Jon Marshall Tue, 01/26/2010 - 10:27

sequoyatech wrote:


Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.


edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!


Actually I think we have all missed a trick here. Your original post said you wanted to route the traffic from the 2 vlans to different interfaces on the ASA because you wanted to make sure the traffic got NATted properly.


But you don't need 2 interfaces on the ASA for that, i.e. let's say you just have one inside interface - blue, then your NAT statements would just be -


nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (blue) 3 192.168.17.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3


So you definitely don't need PBR and you could, if you wanted, keep your existing NAT.


Or if you want to save a public IP just follow Raj's example.


Sometimes you just can't see the wood for the trees


Jon

sachinraja Tue, 01/26/2010 - 10:17

Hi Nathan


As said before:


route-map vlan20 permit 10
 match ip address 1
 set ip next-hop 192.168.17.2

access-list 1 permit 192.168.17.0 0.0.0.255


or you can put an extended access-list specifying tcp port/destination etc.


access-list 101 permit ip 192.168.17.0 0.0.0.255 any


Raj
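
A fuller version of the PBR approach Raj outlines, written as an added example that is not from any post in the thread. It answers Nathan's question about an ACL that policy-routes only traffic to destinations that do not live on the switch: the extended ACL's deny entry keeps VLAN 20 to VLAN 10 traffic on the 3560's normal routing, so only Internet-bound VLAN 20 traffic is handed to the ASA's green interface. It assumes the IP services image Nathan named and the `sdm prefer routing` template a 3560 needs for PBR.

```cisco
! Added example (not from the thread): policy-route only the VLAN 20 traffic
! that is NOT destined for a subnet living on the 3560. Traffic denied by the
! ACL does not match the route-map and is routed normally, so VLAN 20 to
! VLAN 10 traffic stays on the switch instead of being sent to the ASA.
!
! PBR on a 3560 needs the routing SDM template (takes effect after a reload)
! and an IP services / EMI image, such as the one Nathan is running.
sdm prefer routing
ip routing

! Extended ACL: deny = "do not policy-route", permit = "send to the ASA".
! Add one deny line per further subnet that is terminated on the switch.
access-list 101 deny   ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any

route-map VLAN20-PBR permit 10
 match ip address 101
 ! Internet-bound VLAN 20 traffic is handed to the ASA's green interface
 set ip next-hop 192.168.17.2

! PBR is evaluated on the ingress interface, so it goes on the VLAN 20 SVI
interface Vlan20
 ip address 192.168.17.1 255.255.255.0
 ip policy route-map VLAN20-PBR

! VLAN 10 (and anything not matched above) keeps using the default route
ip route 0.0.0.0 0.0.0.0 192.168.16.2
```

Traffic that the ACL denies is not dropped; it simply falls through to the routing table, which is what keeps inter-VLAN traffic off the firewall.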

sequoyatech Wed, 01/27/2010 - 11:53

Thanks to everyone for their help.  I used jon.marshall's method and it worked fine.  Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,


route inside 192.168.17.0 255.255.255.0 192.168.1.2


where 192.168.1.2 is the routed port on the 3560.

sachinraja Wed, 01/27/2010 - 12:00

Yes Nathan


You are right.. this is because 192.168.17.0 is no longer a directly connected network, as it was before, and goes through the routed port to the BLUE network.. Any more VLANs you add here would need similar routing configuration.. but as said before, you might want to consider having a separate broadcast domain of /30 for your connection between the switch and firewall.. just to isolate the firewall from local broadcasts, and a very good design for future development


Internet router
   |                       outside (security level 0)
Firewall -----------> NAT for internal networks and a route back to L3 switch..
   |                       inside (security level 100)
Layer 3 switch
   |                       various VLAN SVIs
PCs


Raj

sequoyatech Wed, 01/27/2010 - 12:36

Raj, if I'm understanding your post correctly, my solution implements that.

Jon Marshall Wed, 01/27/2010 - 12:50

sequoyatech wrote:


Raj, if I'm understanding your post correctly, my solution implements that.


Nathan


Based on your last post to me you have indeed implemented this solution. Glad you got it all working.


Jon

sachinraja Wed, 01/27/2010 - 12:52

Ahh... You are right.. Didn't notice the next hop interface IP address of your route for 192.168.17.x (192.168.1.x) which is a dedicated layer 3 interface.... I was thinking that you had used the same vlan 10 interfaces (192.168.16.1, 192.168.16.2) to route the VLAN 20 traffic... it looks good now...


Thanks & Regards

Raj

Jon Marshall Wed, 01/27/2010 - 12:03

sequoyatech wrote:


Thanks to everyone for their help.  I used jon.marshall's method and it worked fine.  Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,


route inside 192.168.17.0 255.255.255.0 192.168.1.2


where 192.168.1.2 is the routed port on the 3560.


Nathan


Many thanks for getting back and letting us know.


So did you use just one public IP for both 192.168.16.x and 192.168.17.x addresses?


And by the sounds of it you used just one link between the ASA and the switch?


Just wanted to confirm for others who may read the post because I think it was a combination of Raj's suggestion (+5 Raj) and mine that was the final solution.


Jon

sequoyatech Wed, 01/27/2010 - 12:35

Regarding NAT, I have it set so that 192.168.16.x and 17.x both use the same public, while 192.168.16.6 uses a second public.  There shouldn't be any issues if I were to want to assign 17.x its own public IP though.  To answer your second question, yes, I now have a single link - the inside interface of the ASA is 192.168.1.1, the routed port of the 3560 is 192.168.1.2.  The 192.168.1.x network does not exist anywhere other than on those two interfaces.

sachinraja Wed, 01/27/2010 - 12:53

Jon.. thanks a ton for your comments, and the points... this is the best 5 pointer I have ever taken


Thanks again


Raj
