Routing + policy based routing on the CSS

casablancag
Level 1

Hi to all

I have a question regarding PBR on the CSS. I have a configuration with 4 VLANs (2 VLANs are outside, e.g. vlan 3405 and vlan 3403, and 2 VLANs are inside, vlan 3407 and vlan 3410). I implemented PBR on the CSS so that I have 2 default routes pointing to FW_VLAN 3403 and FW_VLAN 3405. My question is: if a client on vlan 3410 needs to communicate with a VIP address on VLAN 3405, how is the routing done? The VLANs are locally attached to the CSS, so does the load balancer route this packet internally or does it send it to the firewall?

Thank you for your answer.

3 Replies

Gilles Dufour
Cisco Employee

You did not configure PBR on the CSS, since it does not have this function.

You simply configured static routing.

As such, the CSS will route between the VLANs.

If you want a firewall to protect every VLAN from the other ones, you should have a one-armed design where the firewall does the routing between the VLANs and the CSS does the load balancing.

i.e.:

........vlan1
..........|
.vlan2 ---FW----- CSS
..........|
........Vlan2

You'll need to do client NAT on the CSS or implement some form of PBR on the firewall.

PBR means routing based on another factor than the destination IP address. In this case, it is necessary to route based on the source port.

That might be too complex, so an easier choice would be:

..vlan1(ext).....vlan2(ext)
....|...............|
....+-------FW------+
.............|
..........+-CSS-+
..........|.....|
........vlan3 vlan4

There is no protection between the internal VLANs, but you don't need policy routing or client NAT.

Gilles.

Hi Gilles

I have this design:

....+-FW1--------FW2--+
..vlan1(ext).....vlan2(ext)
....|...............|
..........+-CSS-+
..........|.....|
........vlan3 vlan4

And my routing configuration is:

ip route 0.0.0.0 0.0.0.0 FW1
ip route 0.0.0.0 0.0.0.0 FW2
clause 50 permit any nql VLAN3 destination nql POSTNETZ prefer FW1
clause 55 permit any nql VLAN3 destination any prefer FW2
clause 60 permit any nql VLAN4 destination nql POSTNETZ prefer FW1
clause 65 permit any nql VLAN4 destination any prefer FW2

Now, if a server on vlan 4 has to communicate with a server on vlan 1, should I implement a bypass rule in the ACL, or is the packet sent to the firewall FW2?

According to your ACL, the traffic should hit clause 65 and be forwarded to FW2.

My concern is that the device in vlan 1 will then respond to the device in vlan 4, but where is it going to send the traffic? FW2 or the CSS?

Is the FW going to send an ICMP redirect to the CSS?

PIX firewalls do not allow traffic to enter one interface and be forwarded back out the same interface.

I would personally suggest moving vlan 1 & 2 behind the firewall and having a single VLAN between the CSS and the firewalls, used only for communication between the CSS and the firewalls.

Gilles.
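To make the clause evaluation and the return-path concern discussed above concrete, here is an added model (not code from the thread, not Cisco code) of how the posted ACL is walked in ascending clause-number order, with first match deciding the preferred next hop, and a check for whether the reply from the vlan 1 host comes back through the same device. The NQL prefixes, the VLAN1 prefix and the assumption that the vlan 1 host reaches CSS-attached subnets via the CSS rather than via FW2 are all constructed for the example; the thread does not give the real addresses.

```python
"""Constructed model of CSS ACL clause matching for the thread's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample prefixes for the NQLs named in the thread (assumption).
NQLS = {
    "VLAN3": [ipaddress.ip_network("10.3.0.0/24")],
    "VLAN4": [ipaddress.ip_network("10.4.0.0/24")],
    "POSTNETZ": [ipaddress.ip_network("192.0.2.0/24")],
}
# The external vlan 1, which in the poster's design also hangs off the CSS (assumption).
VLAN1 = ipaddress.ip_network("10.1.0.0/24")
CSS_ATTACHED = ["VLAN3", "VLAN4"]  # subnets the CSS owns directly


@dataclass(frozen=True)
class Clause:
    number: int
    source: str        # "any" or an NQL name
    destination: str   # "any" or an NQL name
    prefer: str        # preferred next hop, as in "prefer FW1"


# The poster's ACL transcribed into the model, deliberately listed out of order
# to show that the clause number, not the listing order, decides precedence.
ACL = [
    Clause(65, "VLAN4", "any", "FW2"),
    Clause(50, "VLAN3", "POSTNETZ", "FW1"),
    Clause(60, "VLAN4", "POSTNETZ", "FW1"),
    Clause(55, "VLAN3", "any", "FW2"),
]


def in_nql(addr: str, name: str) -> bool:
    """True if addr is covered by the named NQL ("any" matches everything)."""
    if name == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NQLS[name])


def match_clause(src: str, dst: str, acl=ACL) -> Optional[Clause]:
    """First matching clause in ascending clause-number order; None if nothing matches."""
    for clause in sorted(acl, key=lambda c: c.number):
        if in_nql(src, clause.source) and in_nql(dst, clause.destination):
            return clause
    return None


def forward_next_hop(src: str, dst: str) -> str:
    """Next hop the CSS prefers for src -> dst, or 'deny' when no clause permits it."""
    clause = match_clause(src, dst)
    return clause.prefer if clause else "deny"


def return_next_hop(reply_src: str, reply_dst: str) -> str:
    """Where the replying host forwards the reverse packet.

    Assumption for the example: a host on vlan 1 reaches CSS-attached subnets
    through the CSS directly (the CSS owns them); anything else goes to its
    default gateway FW2.
    """
    src_ip = ipaddress.ip_address(reply_src)
    if src_ip in VLAN1 and any(in_nql(reply_dst, n) for n in CSS_ATTACHED):
        return "CSS"
    return "FW2"


def path_is_symmetric(src: str, dst: str) -> bool:
    """False when the reply bypasses the stateful firewall the request went through."""
    return forward_next_hop(src, dst) == return_next_hop(dst, src)


if __name__ == "__main__":
    for src, dst in [("10.4.0.5", "10.1.0.9"), ("10.4.0.5", "198.51.100.1")]:
        clause = match_clause(src, dst)
        print(f"{src} -> {dst}: clause {clause.number if clause else None}, "
              f"forward via {forward_next_hop(src, dst)}, reply via "
              f"{return_next_hop(dst, src)}, symmetric={path_is_symmetric(src, dst)}")
```

The vlan 4 to vlan 1 flow lands on clause 65 and goes to FW2, as the reply above states, while the modelled return path goes straight to the CSS; that mismatch is exactly the case a stateful firewall drops or, on a single-interface design, refuses to hairpin, which is why the single transit VLAN between CSS and firewalls is the cleaner fix.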
