PBR on my 4507

Unanswered Question
Mar 2nd, 2010

Hey Guys,

So I'm about to throw up some policy based routing on my core switch and wanted to ask for a second pair of eyes on my config so I don't really mess things up. This is what I'm planning to throw on my 4507 to send traffic for my specific host to ip 10.66.x.65. Do I have the ACLs done correctly? Am I applying it to the right interface? vlan50 is my dg.

Extended IP access list acl-routeASA
    10 deny ip any 10.0.0.0 0.255.255.255
    20 deny ip any 192.168.0.0 0.0.255.255
    30 deny ip any 172.16.0.0 0.15.255.255
    40 deny ip any 206.xxx.xxx.0 0.0.0.255
    50 deny ip any 206.xxx.xxx.0 0.0.0.255
    60 deny ip any 172.xx.0.0 0.0.255.255
    70 deny ip any 172.xx.0.0 0.0.255.255
    80 deny ip any 172.xx.0.0 0.0.255.255
    100 permit ip any host 10.66.4.57   
    200 deny ip any any

route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx


int vlan50
ip policy route-map routeASA

Jon Marshall Tue, 03/02/2010 - 08:24

b.rockburn wrote:

Hey Guys,

So I'm about to throw up some policy based routing on my core switch and wanted to ask for a second pair of eyes on my config so I don't really mess things up. This is what I'm planning to throw on my 4507 to send traffic for my specific host to ip 10.66.x.65. Do I have the ACLs done correctly? Am I applying it to the right interface? vlan50 is my dg.

Extended IP access list acl-routeASA
    10 deny ip any 10.0.0.0 0.255.255.255
    20 deny ip any 192.168.0.0 0.0.255.255
    30 deny ip any 172.16.0.0 0.15.255.255
    40 deny ip any 206.xxx.xxx.0 0.0.0.255
    50 deny ip any 206.xxx.xxx.0 0.0.0.255
    60 deny ip any 172.xx.0.0 0.0.255.255
    70 deny ip any 172.xx.0.0 0.0.255.255
    80 deny ip any 172.xx.0.0 0.0.255.255
    100 permit ip any host 10.66.4.57   
    200 deny ip any any

route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx


int vlan50
ip policy route-map routeASA

Brent

Can you clarify exactly what you want the PBR to do ie.

permit ip any host 10.66.4.57

will result in any traffic from any source coming in on vlan 50 being sent to the next-hop IP of 10.66.x.x in your route-map?

Edit - also what are all the rest of the lines in the acl meant to be doing ?

Jon

Brent Rockburn Tue, 03/02/2010 - 08:28

Hey Jon,

Sorry, should have clarified.

I'm testing out PBR. This is supposed to allow only my IP address to go to the ASA, while keeping all other traffic passing normally through the other paths.

I am removing a SonicWall firewall and I want to start to slowly point traffic to my ASA. I'm hoping this will do it.

Jon Marshall Tue, 03/02/2010 - 08:32

b.rockburn wrote:

Hey Jon,

Sorry, should have clarified.

I'm testing out PBR. This is supposed to allow only my IP address to go to the ASA, while keeping all other traffic passing normally through the other paths.

I am removing a SonicWall firewall and I want to start to slowly point traffic to my ASA. I'm hoping this will do it.

Brent

That's what's confusing me, i.e.

permit ip any host 10.66.4.57

shouldn't that be -

permit ip host 10.66.4.57 any

What is your host address and what is 10.66.4.57 ?

Jon

Brent Rockburn Tue, 03/02/2010 - 08:38

yeah, sorry that's right ..

Should look more like this

Extended IP access list acl-routeASA
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any
    40 deny ip 206.xxx.xxx.0 0.0.0.255 any
    50 deny ip 206.xxx.xxx.0 0.0.0.255 any
    60 deny ip 172.xx.0.0 0.0.255.255 any
    70 deny ip 172.xx.0.0 0.0.255.255 any
    80 deny ip 172.xx.0.0 0.0.255.255 any
    100 permit ip host 10.66.4.57 any

Jon Marshall Tue, 03/02/2010 - 08:44

b.rockburn wrote:

yeah, sorry that's right ..

Should look more like this

Extended IP access list acl-routeASA
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any
    40 deny ip 206.xxx.xxx.0 0.0.0.255 any
    50 deny ip 206.xxx.xxx.0 0.0.0.255 any
    60 deny ip 172.xx.0.0 0.0.255.255 any
    70 deny ip 172.xx.0.0 0.0.255.255 any
    80 deny ip 172.xx.0.0 0.0.255.255 any
    100 permit ip host 10.66.4.57 any

Okay, that makes more sense. You don't need the other lines though because if there is no match in the acl then the traffic is routed normally. So assuming your host is 10.66.4.57 and the traffic from your host arrives on the vlan 50 interface of the 4500 your acl can simply be -

permit ip host 10.66.4.57 any

Jon

Brent Rockburn Tue, 03/02/2010 - 09:03

Ok .. so

Here is how I've rearranged things ... let me know what you think. I know the other lines under 10 don't need to be there but I put them in just to give a visual of what's going on.

This should only affect my IP address and send me to the ASA which is 10.66.x.xx (ip next-hop)  when I do a trace the vlan50 ip is my first hop so I know I'm coming in on that interface.

Extended IP access list acl-routeASA
    10 permit ip host 10.66.4.57 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any
    40 deny ip 206.xxx.xxx.0 0.0.0.255 any
    50 deny ip 206.xxx.xxx.0 0.0.0.255 any
    60 deny ip 172.xx.0.0 0.0.255.255 any
    70 deny ip 172.xx.0.0 0.0.255.255 any
    80 deny ip 172.xx.0.0 0.0.255.255 any
    90 deny ip 10.0.0.0 0.255.255.255 any

route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx


int vlan50
ip policy route-map routeASA

Jon Marshall Tue, 03/02/2010 - 09:06

b.rockburn wrote:

Ok .. so

This should only affect my IP address and send me to the ASA which is 10.66.x.xx (ip next-hop)  when I do a trace the vlan50 ip is my first hop so I know I'm coming in on that interface.

Extended IP access list acl-routeASA
    10 permit ip host 10.66.4.57 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any
    40 deny ip 206.xxx.xxx.0 0.0.0.255 any
    50 deny ip 206.xxx.xxx.0 0.0.0.255 any
    60 deny ip 172.xx.0.0 0.0.255.255 any
    70 deny ip 172.xx.0.0 0.0.255.255 any
    80 deny ip 172.xx.0.0 0.0.255.255 any
    90 deny ip 10.0.0.0 0.255.255.255 any

route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx


int vlan50
ip policy route-map routeASA

Yes that should work fine, again assuming your host is 10.66.4.57.

For testing it's fine to leave those lines in if you want but I wouldn't do this for production. There is an implicit deny at the end of every acl so if I saw this acl I would wonder why those lines were there.

Jon
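To make Jon's two points concrete (a PBR match ACL selects on the source, and anything the ACL denies or fails to match is routed normally, so the trailing deny lines change nothing), here is a small added simulator of IOS extended-ACL matching and the route-map decision. It is example code written for this thread, not Cisco code and not Brent's config. It parses the ACLs exactly as pasted above, leaving out the lines whose addresses are redacted (206.xxx.xxx.0, 172.xx.0.0); the next-hop value 192.0.2.65 and the sample flows are constructed placeholders, not the real ASA address.

```python
"""Simulate Cisco IOS extended-ACL matching and a route-map 'set ip next-hop'.

Added example for this thread, not Cisco code or the poster's config.
It shows: (1) the first ACL as posted never matches the host's own traffic,
(2) the corrected ACL does, (3) the extra deny lines are equivalent to the
implicit deny, so the one-line ACL Jon suggested behaves identically.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder for the redacted ASA next-hop (TEST-NET-1 space).
NEXT_HOP = "192.0.2.65"

# ACLs copied from the thread; redacted 206.xxx / 172.xx lines omitted.
ORIGINAL_ACL = """
Extended IP access list acl-routeASA
    10 deny ip any 10.0.0.0 0.255.255.255
    20 deny ip any 192.168.0.0 0.0.255.255
    30 deny ip any 172.16.0.0 0.15.255.255
    100 permit ip any host 10.66.4.57
    200 deny ip any any
"""
FINAL_ACL = """
Extended IP access list acl-routeASA
    10 permit ip host 10.66.4.57 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any
    90 deny ip 10.0.0.0 0.255.255.255 any
"""
MINIMAL_ACL = "10 permit ip host 10.66.4.57 any"

# Constructed (source, destination) flows; 198.51.100.10 stands in for an Internet host.
FLOWS = [("10.66.4.57", "198.51.100.10"), ("10.66.4.57", "10.66.4.57"),
         ("10.66.9.9", "198.51.100.10"), ("192.168.1.5", "198.51.100.10")]


@dataclass
class AclEntry:
    seq: int
    action: str              # "permit" or "deny"
    src: Tuple[int, int]     # (network, wildcard) as integers
    dst: Tuple[int, int]


def _parse_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show ip access-list' style lines '<seq> permit|deny ip <src> <dst>'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue  # skip the 'Extended IP access list ...' header
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _parse_spec(tokens, 3)
        dst, _ = _parse_spec(tokens, i)
        entries.append(AclEntry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def _match(spec: Tuple[int, int], addr: int) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_lookup(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """First matching entry wins; no match is the implicit deny (seq None)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if _match(e.src, s) and _match(e.dst, d):
            return e.seq, e.action
    return None, "deny"


def pbr_next_hop(entries: List[AclEntry], next_hop: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """route-map permit 10 / match ip address ACL / set ip next-hop NEXT_HOP.
    Only an ACL permit applies the set; a deny or no match falls through to the
    normal routing table, returned here as None."""
    _, action = acl_lookup(entries, src_ip, dst_ip)
    return next_hop if action == "permit" else None


def same_decisions(acl_a: str, acl_b: str, flows) -> bool:
    """True when two ACLs give the PBR engine identical decisions for every flow."""
    ea, eb = parse_acl(acl_a), parse_acl(acl_b)
    return all(pbr_next_hop(ea, NEXT_HOP, s, d) == pbr_next_hop(eb, NEXT_HOP, s, d)
               for s, d in flows)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("final", FINAL_ACL), ("minimal", MINIMAL_ACL)):
        for s, d in FLOWS:
            print(f"{name:8} {s:>12} -> {d:<14} next-hop={pbr_next_hop(parse_acl(acl), NEXT_HOP, s, d)}")
    print("final == minimal:", same_decisions(FINAL_ACL, MINIMAL_ACL, FLOWS))
```

Running it shows why Jon asked his first question: in the original ACL, line 10 already denies every packet whose destination is in 10.0.0.0/8, so line 100 (destination host 10.66.4.57) is shadowed and the host's traffic to the Internet hits line 200, meaning nothing is ever policy-routed. With the source and destination swapped, the host's traffic gets the next-hop and every other source, whether it hits an explicit deny or the implicit one, is routed by the normal table, which is exactly why the final ACL and the one-line ACL are indistinguishable.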
