New Member

Is PBR my answer?

I'm in the process of setting up a 3560G alongside an ASA 5505. What I'd like to do is have all traffic from vlan 10 to the internet be routed to 192.168.16.2 (the 'blue' inside interface), and all traffic from vlan 20 to the internet be routed to 192.168.17.2 (the 'green' inside interface), so that the traffic can be natted properly.  I'd also like to keep my interVLAN routing.  The problem is that currently, traffic from vlan 20 is being routed to 192.168.16.2 (which is on vlan 10) because of the route statement on the 3560, and the traffic doesn't get nat-translated.  Traffic from vlan 10 flows to the internet properly.  Is PBR on the switch my solution here?  How would I implement it?

My config looks similar to:

(3560)

interface vlan 10
 ip address 192.168.16.1 255.255.255.0
interface vlan 20
 ip address 192.168.17.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.16.2

(asa)

interface vlan 2
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.248
interface vlan 10
 nameif blue
 security-level 100
 ip address 192.168.16.2 255.255.255.0
interface vlan 20
 nameif green
 security-level 100
 ip address 192.168.17.2 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3
nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (green) 3 192.168.17.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1

ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Is PBR my answer?

sequoyatech wrote:

Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.

edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!

Actually I think we have all missed a trick here. Your original post said you wanted to route the traffic from the 2 vlans to different interfaces on the ASA because you wanted to make sure the traffic got Natted properly.

But you don't need 2 interfaces on the ASA for that, i.e. let's say you just have one inside interface - blue, then your NAT statements would just be -

nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (blue) 3 192.168.17.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3

So you definitely don't need PBR and you could, if you wanted, keep your existing NAT.

Or if you want to save a public IP just follow Raj's example.

Sometimes you just can't see the wood for the trees

Jon

26 REPLIES

Re: Is PBR my answer?

Hi Nathan

Yes.. PBR is your answer.. What version of IOS is your switch running ? You need to have an EMI image for PBR to work..

you need to configure a route-map, and have a matching ACL for traffic from VLAN 20.. then set next hop as 192.168.17.2

route-map vlan20 permit 10
 match ip address 1
 set ip next-hop 192.168.17.2

access-list 1 permit x.x.x.x

ooops.. just saw your config.. VLAN 20 has a subnet 192.168.17.x ? Is the router gateway 192.168.17.2 local to VLAN 20 ? ahh.. you don't want to change the gateway of your PCs to 192.168.17.2 since you need access to VLAN 10 from vlan 20 ?

Raj

New Member

Re: Is PBR my answer?

Raj,

I'm running c3560-ipservicesk9-mz.122-53.SE.  As far as the ACL goes, since the policy route gets applied before the static route, wouldn't the "access-list 1 permit xxxx" route ALL traffic from that subnet to 192.168.17.2?

And yes - vlan 20 is 192.168.17.0/24, 192.168.17.1 is the SVI on the switch, and 192.168.17.2 is the SVI on the ASA.

Re: Is PBR my answer?

Hi,

PBR is not your solution here,,,

why don't you have a trunk port to the ASA carrying vlan 10 and 20, and make the ASA typically a Router on a Stick so the GWs of the vlan 10 and 20 hosts point directly to the ASA.  I mean you could have the 3560 perform purely as layer-2 and leave the job of routing and natting to the ASA.

Does this suffice or you have to have the 3560 do intervlan routing?

HTH

Mohamed

New Member

Re: Is PBR my answer?

The 5505 won't do interVLAN routing, so it must be done on the switch.  I'm not terribly experienced in this stuff, so please bear with me.

Re: Is PBR my answer?

Well ASAs can forward traffic from one vlan to another... just like switches, but you would need to define appropriate security levels, rules, nats or no-nats etc, which could add lots of other configurations on ASA.. if you want to do layer 3 on the switch, then you need to look at PBR.. if you are comfortable forwarding traffic to ASA (for layer3) then you can make that work too.. it depends..

btw, why have you put this in parallel to ASA ? Are you planning any kind of migration in future ? What are your plans ?

Raj

New Member

Re: Is PBR my answer?

I'm not sure what you mean by "in parallel".  The idea was that the ASA does its firewall duties, and the 3560 handles internal routing.  I had no idea that I'd have to get into this PBR stuff, I'm still not quite sure why each L3 interface on the switch couldn't have its own routing table (i.e. each vlan has its own default route).

Re: Is PBR my answer?

"in parallel" means running both the switch & ASA on the same subnet ? normally if you need to have ASA doing firewall, and switch doing L3, you will have a setup similar to this:

ASA 5505
    |
switch L3
    |
VLAN SVI on switch
    |
PCs

so the PCs would have a default gateway towards the switch and the switch would be connected on a different layer 3 segment to the ASA to make routing feasible.. but in your case you have ASA alongside the switch... the layer 3 switch will just be having a single routing table to isolate routing loops .. if you need to have different routing policies for different vlans, you can still use policy based routing as described in my first post..

Raj

Re: Is PBR my answer?

Nathan,

The simplest approach is to have the ASA be the GW for all vlans; by setting the security level of all vlan interfaces to the same value, you provide connectivity between vlans as well as connectivity to the Internet.

You don't need PBR here...

HTH

Mohamed

Re: Is PBR my answer?

Hi Nathan

Since you already have a 3560, I would still go for a Layer 3 termination on the switch rather than trunking on the ASA... you will have better control and direct switching if you have layer 3 on the switch. In case your switch does not have an EMI image (not to support PBR), you can have the ASA terminating the layer 3 interface as given by the URL... I'm just thinking in terms of scalability.. Suppose you have 10 or 20 more vlans in future, it will be good to terminate the SVIs locally on the switch, rather than configuring 10 VLANs on the ASA, which would complicate things..

Raj

Hall of Fame Super Blue

Re: Is PBR my answer?

sequoyatech wrote:

So this is what you'd recommend Mohamed?

http://www.cisco-tips.com/how-to-configure-a-cisco-layer-3-switch-intervlan-routing/

Apologies for jumping in but why do you need to NAT the 2 internal vlans to different public addresses ?

Personally, given the choice I would do as Raj says and use the 3560G for inter-vlan routing because, put simply, that's what it was designed for and it's good at it. The ASA is not designed to be responsible for inter-vlan routing. It can do it but the config gets quite complex and to be honest it's best left to get on with what it was designed to do, i.e. firewall.

Plus if you route off the ASA and the ASA crashes you have lost internal and external connectivity which may be a little difficult to explain when you have a perfectly good L3 switch to use internally.

Jon

New Member

Re: Is PBR my answer?

Jon, are you asking why I have

nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255

?

The answer is that the server at .6 is required to have its own dedicated WAN IP.

I'm going to try with Raj's method, as it seems the most robust (not that I don't appreciate Mohamed's advice - it's always nice to see different ways of doing things).  As you might have suspected, I have a question regarding the ACL for the route-map. In plain terms, I want to policy-route any traffic to destinations that do not live on the switch (in my case, you can assume this means the internet). Can someone give an example of what the correct ACL would look like?

Hall of Fame Super Blue

Re: Is PBR my answer?

sequoyatech wrote:

Jon, are you asking why I have

nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255

?

The answer is that the server at .6 is required to have its own dedicated WAN IP.

I'm going to try with Raj's method, as it seems the most robust (not that I don't appreciate Mohamed's advice - it's always nice to see different ways of doing things).  As you might have suspected, I have a question regarding the ACL for the route-map. In plain terms, I want to policy-route any traffic to destinations that do not live on the switch (in my case, you can assume this means the internet). Can someone give an example of what the correct ACL would look like?

Nathan

No. I'm asking why you have to NAT 192.168.16.0/24 and 192.168.17.0/24 to different public IPs ?

It's actually quite an important question because if you don't need to then you don't need PBR.

Jon

New Member

Re: Is PBR my answer?

Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.

edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!

Re: Is PBR my answer?

In that case you wouldn't require PBR right ? All packets hit your VLAN SVI, and are forwarded to the ASA inside interface (blue segment). ASA would then do a NAT for both the 16.x & 17.x outside on either the interface IP or 200.1.1.2 ! reverse traffic would come as expected through the firewall.. so simply you can remove the third NAT statement created for Green....

Raj


New Member

Re: Is PBR my answer?

I will test it out and let you know.  Thanks!

Re: Is PBR my answer?

Hi Nathan

as said before

route-map vlan20 permit 10
 match ip address 1
 set ip next-hop 192.168.17.2

access-list 1 permit 192.168.17.0 0.0.0.255

or you can put an extended access-list specifying tcp port/destination etc

access-list 101 permit ip 192.168.17.0 0.0.0.255 any

Raj
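As an added example (not from any of the posters), the complete 3560-side PBR configuration for this thread's addresses, covering the point Nathan raised about the ACL: inter-VLAN destinations are denied first so they fall through to the normal routing table, and only the remaining (Internet-bound) traffic is handed to the 'green' next hop. It assumes the switch already runs the routing SDM template that 3560 PBR requires (check with show sdm prefer); the names VLAN20-TO-INET and VLAN20-PBR are made up.

```cisco
! Added example, not from the thread. Addresses are the ones in the original post.
! 3560 PBR needs the routing SDM template: "show sdm prefer" to check,
! "sdm prefer routing" plus a reload if it is not already active.
!
! Extended ACL (name is made up): deny traffic that stays on the switch
! (VLAN 20 -> VLAN 10) so it is routed by the normal routing table,
! then match everything else leaving VLAN 20.
ip access-list extended VLAN20-TO-INET
 deny   ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.17.0 0.0.0.255 any
!
! Route-map (name is made up): packets permitted by the ACL are sent to
! the ASA "green" interface. Packets denied by the ACL are not dropped;
! PBR simply does not apply and they follow the routing table.
route-map VLAN20-PBR permit 10
 match ip address VLAN20-TO-INET
 set ip next-hop 192.168.17.2
!
! Apply the policy on the ingress SVI for VLAN 20 only.
interface Vlan20
 ip address 192.168.17.1 255.255.255.0
 ip policy route-map VLAN20-PBR
!
! VLAN 10 is untouched and keeps using the existing default route to "blue".
ip route 0.0.0.0 0.0.0.0 192.168.16.2
!
! Verification:
!   show ip policy            - which interfaces have a policy applied
!   show route-map VLAN20-PBR - per-clause match counters; Internet-bound
!                               traffic from VLAN 20 should increment them,
!                               VLAN 20 -> VLAN 10 traffic should not
```

Return traffic from the ASA to 192.168.17.x leaves its directly connected 'green' interface, so no extra route is needed on the ASA for this design.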

New Member

Re: Is PBR my answer?

Thanks to everyone for their help.  I used jon.marshall's method and it worked fine.  Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,

route inside 192.168.17.0 255.255.255.0 192.168.1.2

where 192.168.1.2 is the routed port on the 3560.

Re: Is PBR my answer?

Yes Nathan

You are right ..  this is because 192.168.17.0 is no more a directly connected network, as it was before, and goes through the routed port to the BLUE network.. Any more VLANs you would add here would need similar routing configuration.. but as said before, you might want to reconsider having a separate broadcast domain of /30 for your connection between the Switch and firewall.. just to isolate the firewall from local broadcasts and a very good design for future development

Internet router
    |                         outside (security level 0)
Firewall ----------- > NAT for internal networks and a route back to L3 switch..
    |                         inside (security level 100)
Layer 3 switch
    |                         various VLAN SVIs
PCs

Raj

New Member

Re: Is PBR my answer?

Raj, if I'm understanding your post correctly, my solution implements that.

Hall of Fame Super Blue

Re: Is PBR my answer?

sequoyatech wrote:

Raj, if I'm understanding your post correctly, my solution implements that.

Nathan

Based on your last post to me you have indeed implemented this solution. Glad you got it all working.

Jon

Re: Is PBR my answer?

Ahh... You are right.. Didn't notice the next hop interface IP address of your route for 192.168.17.x  (192.168.1.x) which is a dedicated layer 3 interface.... I was thinking that you had used the same vlan 10 interfaces (192.168.16.1, 192.168.16.2) to route the VLAN 20 traffic... it looks good now...

Thanks & Regards

Raj

Hall of Fame Super Blue

Re: Is PBR my answer?

sequoyatech wrote:

Thanks to everyone for their help.  I used jon.marshall's method and it worked fine.  Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,

route inside 192.168.17.0 255.255.255.0 192.168.1.2

where 192.168.1.2 is the routed port on the 3560.

Nathan

Many thanks for getting back and letting us know.

So did you use just one public IP for both 192.168.16.x and 192.168.17.x addresses ?

And by the sounds of it you used just one link between the ASA and the switch ?

Just wanted to confirm for others who may read the post because I think it was a combination of Raj's suggestion (+5 Raj) and mine that was the final solution.

Jon

New Member

Re: Is PBR my answer?

Regarding NAT, I have it set so that 192.168.16.x and 17.x both use the same public, while 192.168.16.6 uses a second public.  There shouldn't be any issues if I were to want to assign 17.x its own public IP though.  To answer your second question, yes, I now have a single link - the inside interface of the ASA is 192.168.1.1, the routed port of the 3560 is 192.168.1.2.  The 192.168.1.x network does not exist anywhere other than on those two interfaces.

Re: Is PBR my answer?

Jon.. thanks a ton for your comments, and the points... this is the best 5 pointer i have ever taken

Thanks again

Raj
