04-09-2010 12:50 PM - edited 03-06-2019 10:33 AM
I am trying to route all internet traffic from a PC to an alternative firewall, but the policy does not appear to be working.
The PC sits in VLAN 100 and has an IP address of 1.1.1.1
Both internet firewalls sit in VLAN 200, the primary is 2.2.2.1 and the secondary is 2.2.2.2.
The GLR on the switch points to 2.2.2.1 but all internet traffic from the PC (traffic entering VLAN 100) should be sent to the secondary device (2.2.2.2)
I have created an access list to define the traffic, created the route map and applied it:
access-list 30 permit 1.1.1.1
route-map REROUTE permit 10
 match ip address 30
 set ip next-hop 2.2.2.2
interface vlan 1000
 ip policy route-map REROUTE
What am I missing?
04-09-2010 12:59 PM
Hi,
Is the machine being routed to 2.2.2.1?
Was it a typo that you entered the policy route-map on interface vlan 1000?
Can you get to 2.2.2.2 from VLAN 100? Does the firewall on 2.2.2.2 have a route telling it how to return your traffic?
Federico.
04-09-2010 01:07 PM
1. The machine is being routed to the GLR (2.2.2.1) but the route-map should redirect to 2.2.2.2
2. Yes, 1000 was a typo
3. Yes, traffic can route between VLANs
04-09-2010 01:14 PM
When you have the configuration in place for the route-map and you send traffic from 1.1.1.1 to the secondary firewall,
you said it is being routed to the primary firewall. The route-map is not taking effect.
Are there no access-lists denying the communication between the PC and the secondary firewall?
Federico.
04-09-2010 01:21 PM
There are no access-lists denying access. The traffic is being sent to the GLR with all the other traffic instead of being re-routed.
04-09-2010 01:35 PM
Just for testing purposes, if you create a static route to the second firewall does it work?
For example,
ip route network_behind_second_firewall mask 2.2.2.2
This will route all traffic to 2.2.2.2 (not only from 1.1.1.1); that's why I say it is a test, just to see if the problem is only the route-map.
If it works, does the route-map show as active?
sh route-map all
Federico.
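Pulling the thread together, here is the policy-based routing configuration the posts are working toward, with the interface typo corrected and the verification steps Federico suggests. This is an added example, not any poster's configuration; it assumes the VLAN 100 SVI is named Vlan100 and that 2.2.2.2 is directly reachable through the switch's VLAN 200 SVI (set ip next-hop only takes effect when the next hop is on a connected subnet).

```ios
! Added example (not from any poster). Addresses are the ones used in the thread.
!
! Classify only the PC's traffic. A standard ACL matches on source address,
! so 1.1.1.1 here is the source; "host" is the explicit form of a /32 entry.
access-list 30 permit host 1.1.1.1
!
! Global route-map (note: no "ip" prefix on the route-map command itself).
route-map REROUTE permit 10
 match ip address 30
 set ip next-hop 2.2.2.2
!
! Apply the policy on the interface where the PC's traffic ENTERS the switch:
! the SVI for VLAN 100, not VLAN 1000. PBR is evaluated on ingress only.
interface Vlan100
 ip policy route-map REROUTE
!
! Verification (assumed SVI name; next hop 2.2.2.2 assumed connected via Vlan200):
!  show route-map REROUTE
!     -> the "Policy routing matches: N packets" counter must increase while
!        the PC sends traffic. If it stays at 0, the policy is never evaluated:
!        wrong interface, ACL not matching, or PBR unsupported by the current
!        platform template (some Catalyst access switches need
!        "sdm prefer routing" plus a reload before "ip policy" works).
!  debug ip policy
!     -> per-packet "policy match" / "policy rejected -- normal forwarding"
!        lines show whether each packet hit sequence 10.
!  Return path: 2.2.2.2 must have a route back to 1.1.1.1, otherwise the
!  outbound redirect works but replies never reach the PC.
```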