Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Routing + policy based routing on the CSS

Hi to all

i have a question regarding PBR on the CSS. I have a configuration with 4 VLAN (2 vlans are outside, eg vlan 3405 and vlan 3403) and 2 vlans are inside(vlan 3407 and 3410). I implemented PBR on the CSS so that i have 2 default route point to FW_VLAN 3403 and FW_VLAN3405). My question is: if a client on the vlan 3410 needs to communicate with a vip address on the VLAN 3405 how the routing is done. The Vlans are locall attached to the CSS so does the Loadbalancer route this packet internally or does it send it to the firewall ??

Thank you for you answer

3 REPLIES
Cisco Employee

Re: Routing + policy based routing on the CSS

You did not configure PBR on the CSS since it does not have this function.

You simply configured static routing.

As so, the CSS will route between the vlans.

If you want a firewall to protect every vlan from the other ones, you should have a one-armed design where the firewall does the routing between the vlans and the CSS is doing the loadbalancing.

ie:

........vlan1

..........|

.vlan2 ---FW----- CSS

..........|

........Vlan2

You'll need to do client nat on the css or implement some form of PBR on the firewall.

PBR means routing based on another factore than the destination ip address. In this case, it is necessary to route based on the source port.

That might be too complex, so an easier choice would be

..vlan1(ext).....vlan2(ext)

....|...............|

....+-------FW------+

.............|

..........+-CSS-+

..........|.....|

........vlan3 vlan4

there is no protection between internal vlan but you don't need policy routing or client nat.

Gilles.

New Member

Re: Routing + policy based routing on the CSS

Hi Gilles

I have this design.

....+-FW1--------FW2--+

..vlan1(ext).....vlan2(ext)

....|...............|

..........+-CSS-+

..........|.....|

........vlan3 vlan4

And my routing configuration is

ip route 0.0.0.0 0.0.0.0 FW1

ip route 0.0.0.0 0.0.0.0 FW2

clause 50 permit any nql VLAN3 destination nql POSTNETZ prefer FW1

clause 55 permit any nql VLAN3 destination any prefer FW2

clause 60 permit any nql VLAN4 destination nql POSTNETZ prefer FW1

clause 65 permit any nql VLAN4 destination

any prefer FW2

Now if a server on vlan 4 has to communicate to server on vlan 1 should I implement a bypass rule on the acl or is the packet sent to the firewall FW2 ?

Cisco Employee

Re: Routing + policy based routing on the CSS

according to your acl, the traffic should hit clause 65 and be forwarded to FW2.

My concern is that the device in vlan1 will then respond to the device in vlan 4 but where is it going to send the traffic ? FW2 or CSS ?

Is the FW going to send to the CSS an icmp redirect ?

Pix firewall do not allow traffic to enter one interface and forward it back the same interface.

I would personally suggest to move vlan 1 & 2 behind the firewall and have a single vlan between the CSS and firewalls used only for communication between css and firewalls.

Gilles.

385
Views
0
Helpful
3
Replies