Is PBR my answer?

sequoyatech
Level 1

I'm in the process of setting up a 3560G alongside an ASA 5505. What I'd like to do is have all traffic from VLAN 10 to the internet be routed to 192.168.16.2 (the 'blue' inside interface), and all traffic from VLAN 20 to the internet be routed to 192.168.17.2 (the 'green' inside interface), so that the traffic can be NATed properly. I'd also like to keep my inter-VLAN routing. The problem is that currently, traffic from VLAN 20 is being routed to 192.168.16.2 (which is on VLAN 10) because of the route statement on the 3560, and the traffic doesn't get NAT-translated. Traffic from VLAN 10 flows to the internet properly. Is PBR on the switch my solution here? How would I implement it?

My config looks similar to:

(3560)

! Both VLANs are routed on the switch; the single default route sends
! everything non-local to the ASA 'blue' interface, including VLAN 20 traffic
interface vlan 10
 ip address 192.168.16.1 255.255.255.0
interface vlan 20
 ip address 192.168.17.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.16.2

(asa)

interface vlan 2
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.248
interface vlan 10
 nameif blue
 security-level 100
 ip address 192.168.16.2 255.255.255.0
interface vlan 20
 nameif green
 security-level 100
 ip address 192.168.17.2 255.255.255.0
! NAT id 1: PAT behind the outside interface address
! NAT id 2: host .6 gets its own public address
! NAT id 3: VLAN 20, expected to arrive on 'green' (it never does, see above)
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3
nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (green) 3 192.168.17.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1

Accepted Solution

sequoyatech wrote:

Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.

edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!

Actually I think we have all missed a trick here. Your original post said you wanted to route the traffic from the 2 VLANs to different interfaces on the ASA because you wanted to make sure the traffic got NATed properly.

But you don't need 2 interfaces on the ASA for that, i.e. let's say you just have one inside interface, blue, then your NAT statements would just be:

nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (blue) 3 192.168.17.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3

So you definitely don't need PBR, and you could, if you wanted, keep your existing NAT.

Or if you want to save a public IP just follow Raj's example.

Sometimes you just can't see the wood for the trees

Jon
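The single-inside-interface design Jon describes, written out as an added example (not Jon's or the original poster's config). It keeps the pre-8.3 NAT syntax used in the thread and the addressing from the original post (3560 at 192.168.16.1 routing VLAN 20, ASA 'blue' at 192.168.16.2, server at 192.168.16.6 published on 200.1.1.2). The inbound ACL name and the port 443 service are assumptions for illustration:

```cisco
! ASA (pre-8.3 syntax). One inside interface on the transit subnet; the
! 3560 behind it owns 192.168.17.0/24.
interface Vlan10
 nameif blue
 security-level 100
 ip address 192.168.16.2 255.255.255.0

! The ASA must know VLAN 20 lives behind the switch. Without this route,
! replies to 192.168.17.x would follow the default route out to the internet.
route blue 192.168.17.0 255.255.255.0 192.168.16.1 1
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1

! The server that needs its own public IP: a static translation is
! bidirectional, so inbound connections to 200.1.1.2 reach .6 as well.
! A dynamic 'nat ... 2' / 'global ... 2' pair only translates outbound.
! Static NAT takes precedence over the dynamic rules below.
static (blue,outside) 200.1.1.2 192.168.16.6 netmask 255.255.255.255

! Both VLANs arrive on 'blue' and share NAT id 1 (PAT behind the outside
! interface). The source subnet in a nat statement need not be connected.
nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 1 192.168.17.0 255.255.255.0
global (outside) 1 interface

! Only the published service is reachable from the internet; everything
! else inbound is dropped by the ACL's implicit deny. (Port assumed.)
access-list OUTSIDE-IN extended permit tcp any host 200.1.1.2 eq 443
access-group OUTSIDE-IN in interface outside
```

The switch side is unchanged: the existing `ip route 0.0.0.0 0.0.0.0 192.168.16.2` on the 3560 already sends both VLANs to 'blue', and the 'green' interface can simply be removed from the ASA. To confirm translation before cutting over, `show xlate` after a test connection from a VLAN 20 host should show a 192.168.17.x entry behind the outside address, and `packet-tracer input blue tcp 192.168.17.50 1234 203.0.113.1 80` (on ASA versions that have packet-tracer; the addresses are made up) walks the route lookup, NAT and ACL phases and reports where a packet would be dropped.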


sachinraja
Level 9

Hi Nathan

Yes, PBR is your answer. What version of IOS is your switch running? You need to have an EMI image for PBR to work.

You need to configure a route-map and have a matching ACL for traffic from VLAN 20, then set the next hop as 192.168.17.2:

route-map vlan20 permit 10
 match ip address 1
 set ip next-hop 192.168.17.2
access-list 1 permit x.x.x.x

Oops, just saw your config. VLAN 20 has the subnet 192.168.17.x? Is the router gateway 192.168.17.2 local to VLAN 20? Ah, you don't want to change the gateway of your PCs to 192.168.17.2 since you need access to VLAN 10 from VLAN 20?

Raj

Raj,

I'm running c3560-ipservicesk9-mz.122-53.SE.  As far as the ACL goes, since the policy route gets applied before the static route, wouldn't the "access-list 1 permit xxxx" route ALL traffic from that subnet to 192.168.17.2?

And yes - vlan 20 is 192.168.17.0/24, 192.168.17.1 is the SVI on the switch, and 192.168.17.2 is the SVI on the ASA.

Mohamed Sobair
Level 7

Hi,

PBR is not your solution here.

Why don't you have a trunk port to the ASA carrying VLANs 10 and 20, and make the ASA a typical router-on-a-stick so the GWs of the VLAN 10 and VLAN 20 hosts point directly to the ASA? I mean you could have the 3560 perform purely as layer 2 and leave the job of routing and NATing to the ASA.

Does this suffice, or do you have to have the 3560 do inter-VLAN routing?

HTH

Mohamed

The 5505 won't do inter-VLAN routing, so it must be done on the switch. I'm not terribly experienced in this stuff, so please bear with me.

Well, ASAs can forward traffic from one VLAN to another, just like switches, but you would need to define appropriate security levels, rules, NATs or no-NATs etc., which could add lots of other configuration on the ASA. If you want to do layer 3 on the switch, then you need to look at PBR. If you are comfortable forwarding traffic to the ASA (for layer 3) then you can make that work too. It depends.

By the way, why have you put this in parallel to the ASA? Are you planning any kind of migration in future? What are your plans?

Raj

I'm not sure what you mean by "in parallel".  The idea was that the ASA does its firewall duties, and the 3560 handles internal routing.  I had no idea that I'd have to get into this PBR stuff, I'm still not quite sure why each L3 interface on the switch couldn't have its own routing table (i.e. each vlan has its own default route).

"In parallel" means running both the switch and the ASA on the same subnet. Normally, if you need to have the ASA doing firewall and the switch doing L3, you will have a setup similar to this:

ASA 5505
   |
switch L3
   |
VLAN SVI on switch
   |
PCs

So the PCs would have a default gateway towards the switch, and the switch would be connected on a different layer 3 segment to the ASA to make routing feasible. But in your case you have the ASA alongside the switch. The layer 3 switch will just be having a single routing table to isolate routing loops. If you need to have different routing policies for different VLANs, you can still use policy-based routing as described in my first post.

Raj

Mohamed Sobair
Level 7

Nathan,

The simplest approach is to have the ASA be the GW for all VLANs. By placing the security level of all VLAN interfaces at the same value, you are providing connectivity between VLANs as well as connectivity to the internet.

You dont need PBR here...

HTH

Mohamed
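The ASA-as-gateway layout Mohamed describes, as an added example that is not part of the original thread. It assumes the addressing from the original post, an ASA 5505 running pre-8.3 NAT syntax, and that the switch port facing the ASA is a trunk; the ACL names are arbitrary. Two 5505 licensing points are worth checking first: trunking the 5505's switchports needs the Security Plus license, and the Base license allows only three VLANs, the third with a "no forward interface" restriction.

```cisco
! ASA 5505 as the default gateway for both VLANs; the 3560 stays layer 2
! and trunks VLANs 10 and 20 to this port (Security Plus license needed).
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20

interface Vlan10
 nameif blue
 security-level 100
 ip address 192.168.16.2 255.255.255.0

interface Vlan20
 nameif green
 security-level 100
 ip address 192.168.17.2 255.255.255.0

! Same security level alone is not enough: by default the ASA refuses to
! pass traffic between two interfaces at the same level until this is set.
same-security-traffic permit inter-interface

! Inter-VLAN traffic must not be translated (NAT exemption); only traffic
! bound for the internet hits the PAT rule.
access-list BLUE-NONAT  extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list GREEN-NONAT extended permit ip 192.168.17.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (blue)  0 access-list BLUE-NONAT
nat (green) 0 access-list GREEN-NONAT
nat (blue)  1 192.168.16.0 255.255.255.0
nat (green) 1 192.168.17.0 255.255.255.0
global (outside) 1 interface
```

Hosts in both VLANs then use the ASA's .2 address as their default gateway and the 3560's SVIs and default route go away. Because every inter-VLAN packet now crosses the firewall, per-VLAN interface ACLs can be applied to restrict blue-to-green traffic, which is the one thing this layout buys over routing on the switch; the trade-off Jon raises later in the thread is that an ASA outage then takes internal connectivity down with it.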

Hi Nathan

Since you already have a 3560, I would still go for a layer 3 termination on the switch rather than trunking on the ASA. You will have better control and direct switching if you have layer 3 on the switch. In case your switch does not have an EMI image (so cannot support PBR), you can have the ASA terminating the layer 3 interfaces as given by the URL. I'm just thinking in terms of scalability. Suppose you have 10 or 20 more VLANs in future, it will be good to terminate the SVIs locally on the switch, rather than configuring 10 VLANs on the ASA, which would complicate things.

Raj

sequoyatech wrote:

So this is what you'd recommend Mohamed?

http://www.cisco-tips.com/how-to-configure-a-cisco-layer-3-switch-intervlan-routing/

Apologies for jumping in but why do you need to NAT the 2 internal vlans to different public addresses ?

Personally, given the choice, I would do as Raj says and use the 3560G for inter-VLAN routing because, put simply, that's what it was designed for and it's good at it. The ASA is not designed to be responsible for inter-VLAN routing. It can do it, but the config gets quite complex and, to be honest, it's best left to get on with what it was designed to do, i.e. firewall.

Plus if you route off the ASA and the ASA crashes you have lost internal and external connectivity which may be a little difficult to explain when you have a perfectly good L3 switch to use internally.

Jon

Jon, are you asking why I have

nat (blue) 1 192.168.16.0 255.255.255.0

nat (blue) 2 192.168.16.6 255.255.255.255

?

The answer is that the server at .6 is required to have its own dedicated WAN IP.

I'm going to try with Raj's method, as it seems the most robust (not that I don't appreciate Mohamed's advice - it's always nice to see different ways of doing things).  As you might have suspected, I have a question regarding the ACL for the route-map. In plain terms, I want to policy-route any traffic to destinations that do not live on the switch (in my case, you can assume this means the internet). Can someone give an example of what the correct ACL would look like?
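An added example, not Raj's or the original poster's config, of what the PBR ACL could look like if the switch is to policy-route only VLAN 20 traffic that is not destined for a subnet the switch itself routes. It assumes a Catalyst 3560 on the IP services image with the addressing from the original post (VLAN 10 = 192.168.16.0/24, VLAN 20 = 192.168.17.0/24, ASA 'green' = 192.168.17.2); the ACL and route-map names are arbitrary:

```cisco
! 3560: PBR is only available under the routing SDM template.
! This takes effect after a reload.
sdm prefer routing

! Extended ACL used as the route-map match. In a PBR ACL a 'deny' does NOT
! drop the packet; it only means "do not policy-route, use the routing table".
! Add one deny line per internal subnet the switch routes, then permit
! everything else sourced from VLAN 20 (i.e. internet-bound traffic).
ip access-list extended VLAN20-TO-INTERNET
 deny   ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.17.0 0.0.0.255 any

! Packets that hit the permit line are sent to the ASA 'green' interface;
! VLAN 20 to VLAN 10 traffic falls through to normal inter-VLAN routing.
route-map PBR-VLAN20 permit 10
 match ip address VLAN20-TO-INTERNET
 set ip next-hop 192.168.17.2

! The policy applies to packets entering the switch from hosts on VLAN 20.
interface Vlan20
 ip policy route-map PBR-VLAN20

! VLAN 10 and anything unmatched still follow the existing default route.
ip route 0.0.0.0 0.0.0.0 192.168.16.2
```

`show route-map PBR-VLAN20` reports policy-routing match counters, so a test connection from a VLAN 20 host to the internet should increment them while a ping from VLAN 20 to VLAN 10 should not. The accepted answer later in the thread shows PBR is not actually needed for this NAT goal; the example is how it would be done if separate ASA interfaces were still wanted.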

sequoyatech wrote:

Jon, are you asking why I have

nat (blue) 1 192.168.16.0 255.255.255.0

nat (blue) 2 192.168.16.6 255.255.255.255

?

The answer is that the server at .6 is required to have its own dedicated WAN IP.

I'm going to try with Raj's method, as it seems the most robust (not that I don't appreciate Mohamed's advice - it's always nice to see different ways of doing things).  As you might have suspected, I have a question regarding the ACL for the route-map. In plain terms, I want to policy-route any traffic to destinations that do not live on the switch (in my case, you can assume this means the internet). Can someone give an example of what the correct ACL would look like?

Nathan

No, I'm asking why you have to NAT 192.168.16.0/24 and 192.168.17.0/24 to different public IPs?

It's actually quite an important question because if you don't need to then you don't need PBR.

Jon

Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.

edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!
