New Member

Policy Based Routing on 6509

I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.

26 REPLIES
New Member

Policy Based Routing on 6509

Use an ACL or prefix list, apply it in the route-map, and use the set interface option in the route-map pointing to your VLAN interface. If a packet matches your prefix list or ACL, the packet is directed to the interface specified in the route-map. As for where, it depends on how you want to police your routes; based on what you are saying, I would say on the interfaces. Under the interface config you would see ip policy route-map "NAME".

New Member

Re: Policy Based Routing on 6509

Do you have any configuration examples?

Policy Based Routing on 6509

Hello,

You need to apply the specific PBR under the specific VLAN whose traffic you want to send through the other firewall.
Make sure you use the ip default next-hop command under the route-map.


Please rate the helpful posts.
Regards,
Naidu.

New Member

Re: Policy Based Routing on 6509

can you send any configuration examples?

Policy Based Routing on 6509

Hi,

Please find below the config I have at one of my customers' L3 switches. With this config the traffic from the specific network will go to the default next gateway, which is 10.28.1.200.


interface Vlan51
description MANAGEMENT NETWORK
ip address 10.246.2.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map Net-access1


route-map Net-access1 permit 10
match ip address 171
set ip default next-hop 10.28.1.200

access-list 171 deny   ip 10.31.4.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 171 permit ip 10.31.6.0 0.0.0.255 any
access-list 171 permit ip 10.31.2.0 0.0.0.255 any


Hope the above helps you; if so, please rate all the helpful posts.


Regards,
Naidu.

New Member

Re: Policy Based Routing on 6509

This does help, except I have a 6509 with multiple interfaces and VLANs.

I am uncertain as to where (VLAN/interfaces) to apply the route-map policies.

Policy Based Routing on 6509

Hi,

As per the example config I provided in my last post, you need to apply the route-map to whichever VLAN's traffic you want to send to the specific firewall.
If you are still not sure where to apply the route-map, post your config here so that I can advise you on exactly where to apply it.


Please rate the helpful posts.
Regards,
Naidu.

New Member

Re: Policy Based Routing on 6509

Not sure if this is what you need, but here is the 6509 interface and VLAN config.

The subnet (VLAN 30) 10.133.3.0/24 is to go to the UTM firewall, and all traffic from the other serial connections as well as the other VLANs is to go to the IPSO firewall. Thank you.

interface Serial9/0/0:0
 description Training Office DHZA802177
 ip address 100.0.10.1 255.255.255.252
 ip access-group 122 out
 no fair-queue
!
interface Serial9/0/1:0
 description Ventures DHZA845048
 ip address 100.0.4.1 255.255.255.252
 no fair-queue
!
interface Serial9/0/2:0
 description FOCUS DHZA748373
 ip address 10.15.0.58 255.255.255.252
 no fair-queue
!
interface Serial9/0/3:0
 description FN Multilink 1 dhza005310
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial9/0/4:0
 description FN Multilink 2 dhza005311
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial9/0/5:0
 description FSW Multilink 1 dhza005331
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 2
!
interface Serial9/0/6:0
 description FN Multilink 3 dhza005313
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial9/0/7:0
 description FSW Multilink 2 dhza005309
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 2
!
interface Vlan1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 no mop enabled
!
interface Vlan10
 description Phone network
 ip address 10.133.1.1 255.255.255.0
 arp timeout 240
!
interface Vlan20
 description User network
 ip address 10.133.2.1 255.255.255.0
 arp timeout 240
!
interface Vlan30
 description Server network
 ip address 10.133.3.1 255.255.255.0
 arp timeout 240
!
interface Vlan100
 description Wireless network
 ip address 100.1.200.1 255.255.255.252
!
interface Vlan101
 description UTM1 Firewall
 ip address 100.1.100.1 255.255.255.248
!
interface Vlan102
 description IPSO Firewall
 ip address 200.1.200.1 255.255.255.252
!
interface Vlan200
 description AT&T OPTEMAN
 ip address 10.10.10.1 255.255.255.248
!
interface Vlan300
 description Aerohive WLAN
 ip address 172.30.1.1 255.255.255.0

New Member

Re: Policy Based Routing on 6509

I would opt to define a default route towards the IPSO firewall (it will handle all other VLANs and serial connections), and then use PBR for your exception of directing traffic from 10.133.3.0/24 to the UTM firewall. I'm no expert on PBR, but I would try this config:

! default route towards the IPSO fw
ip route 0.0.0.0 0.0.0.0 200.1.200.2
!
interface Vlan30
 ip policy route-map UTMPBRroute
!
! extended ACL entries need a destination; 'any' matches every destination
access-list 100 permit ip 10.133.3.0 0.0.0.255 any
!
route-map UTMPBRroute permit 10
 match ip address 100
 set ip default next-hop 100.1.100.

-Jason

New Member

Re: Policy Based Routing on 6509

I tried this config and am still having problems. I applied your config as follows:

FW1 - 100.1.100.2
FW2 - 200.1.200.2

Want 10.133.3.0/24 subnet to go to FW2 for internet usage
Want all other subnets to go through FW1 for internet

Gateway of last resort on core router: 0.0.0.0 0.0.0.0 100.1.100.2

ip access-list extended 150
 permit ip 10.133.3.0 0.0.0.255 any
!
route-map TO-UTM1-FW permit 10
 match ip address 150
 set ip next-hop 200.1.200.2
!
interface Vlan30
 ip policy route-map TO-UTM1-FW

When I do this I cannot access the servers on the 10.133.3.0/24 subnet from any other subnet. This is a problem, as all the other subnets need to access them as well.

Thanks

New Member

Re: Policy Based Routing on 6509

Why don't you do this:

ip access-list extended 150
   deny ip 10.133.3.0 0.0.0.255
   permit ip 10.133.3.0 0.0.0.255 any

The reason, without knowing everything about your internal network, is TTL expiration of the IP packets as they bounce between your router and firewall.

A traceroute from 10.133.3.0 to another of your private subnets on the internal network would help debug this issue a bit better, in my opinion.

Hope this helps!

New Member

Re: Policy Based Routing on 6509

If I deny from 10.133.3.0 to my internal network(s), then no one will get to any services. See, 10.133.3.0 is our server network. I want to segregate its internet usage to a separate firewall.

There are about 15 other subnets that need to access 10.133.3.0 internally.

New Member

Re: Policy Based Routing on 6509

Remember this is an ACL applied to a route-map, not to an access-group, so a deny on the ACL that is applied to the route-map means: when the packet is destined to the internet, the next hop is your "FW2"; when it is internal, the next hop is whatever is in your routing table, not what is given in the route-map.

New Member

Re: Policy Based Routing on 6509

I only have one default route on the core router, to FW1 100.1.100.2. Do I need to add another to FW2? It seemed that when it was in place, it affected all the subnets.

New Member

Re: Policy Based Routing on 6509

Here is what I would do.

! default route to FW1
ip route 0.0.0.0 0.0.0.0 100.1.100.2
!
ip access-list extended PBRoute
  deny ip 10.133.3.0 0.0.0.255
  permit ip 10.133.3.0 0.0.0.255 any
!
route-map SOME_RTE_MAP permit 10
  match ip address PBRoute
  set ip next-hop 200.1.200.2
!
! the interface references the route-map name, not the ACL name
interface Vlan30
  ip policy route-map SOME_RTE_MAP

This is what I would do if I were you, apart from redoing the network in a better way.

Hope this helps

New Member

Re: Policy Based Routing on 6509

This line I am struggling with: deny ip 10.133.3.0 0.0.0.255

I have so many

New Member

Re: Policy Based Routing on 6509

This is policy routing; a deny on an ACL applied to a policy means the deny line is NOT processed as part of the policy, whatever the policy may be. Do not think of it as an ACL applied to an access-group. As part of a stop-gap measure I had to do something similar to this, but it required policy based routing with PAT.

New Member

Re: Policy Based Routing on 6509

So let me understand this: the deny rule in the ACL tells the policy to allow traffic from the other subnets?

For configuration's sake, what would I put for: ??

New Member

Re: Policy Based Routing on 6509

Yep, you are correct.

Attributes like match and set parameters are logical AND statements in a route-map; if there is a deny on the ACL that is part of the match clause, nothing else is processed on the route-map and it exits the policy, thereby no PBR, i.e. it is a normal packet. That is my understanding and that is the way I've made this work before.

Hope this helps.

New Member

Re: Policy Based Routing on 6509

so last question,

for this statement: deny ip 10.133.3.0 0.0.0.255

should I write as: deny ip 10.133.3.0 0.0.0.255 any

New Member

Re: Policy Based Routing on 6509

No, on your ACL:

deny ip 10.133.3.0/24 (Do normal routing for packets destined to internal networks)

permit ip 10.133.3.0/24 any (Do PBR routing for packets going to anywhere but internal networks)

New Member

Re: Policy Based Routing on 6509

OK, I know I am struggling with this, but I am confused about one line:

ip access-list ext 150

deny ip 10.133.3.0/24 is not a Cisco option.....

so should the line look like this:

deny ip 10.133.3.0/24 10.133.2.0/24 10.133.1.0/24 10.133.4.0/23 ?

New Member

Re: Policy Based Routing on 6509

Oh Wow, I was under the impression that you would be able to expand /24 to its corresponding wildcard.

Example:

ip access-list ext 150

deny ip 10.133.3.0 0.0.0.255 10.133.2.0 0.0.0.255

so on and so forth.

New Member

Re: Policy Based Routing on 6509

The problem I have with your solution is that I would have to deny all subnets except 10.133.3.0/24; not sure how to go about that.

New Member

Re: Policy Based Routing on 6509

I do not know how else you would like to achieve it apart from re-architecting the network in a better way. If all your internal routes are in 10/8 (i.e. 10.0.0.0 255.0.0.0), then use that network instead of all your individual subnets, or use the entire RFC 1918 spectrum.
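The whole thread turns on one semantic point: under ip policy route-map, an ACL deny (or the implicit deny at the end) means "not policy-routed, use the routing table", not "dropped", and set ip default next-hop only fires when nothing more specific than the default route matches the destination. The model below is an added example, not configuration or code from the thread or from Cisco; it simulates the three variants discussed (the permit-any version that hijacks server-to-LAN replies, the deny-10/8-and-172.16/12-first version suggested above, and the default next-hop version) using the addresses posted in the thread, plus 203.0.113.10 as a constructed "Internet" destination. The IOS behaviour is simplified to the parts the thread relies on (first-match ACL, one-sequence route-map, longest-prefix RIB lookup).

```python
"""Model of an extended ACL driving 'ip policy route-map' (added example).
Simplified IOS semantics: ACL permit -> sequence fires; ACL deny or no
match -> normal routing; 'set ip default next-hop' -> only when just the
default route matches. Addresses come from the thread; 203.0.113.10 is a
constructed Internet destination (TEST-NET-3)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "0.0.0.0/0"   # stands for the ACL keyword 'any'

def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Expand CIDR to the 'network wildcard' form IOS ACLs expect:
    '10.133.3.0/24' -> ('10.133.3.0', '0.0.0.255')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

@dataclass
class AclEntry:
    action: str      # 'permit' or 'deny'
    src: str         # source network in CIDR form
    dst: str = ANY   # destination network in CIDR form

def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def acl_result(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins. The implicit deny at the end of every IOS
    ACL is returned as 'deny'; under PBR that means 'not policy-routed'."""
    for entry in acl:
        if _in(src, entry.src) and _in(dst, entry.dst):
            return entry.action
    return "deny"

@dataclass
class RouteMapSeq:
    acl: List[AclEntry]          # the 'match ip address' ACL
    next_hop: str                # the 'set ip [default] next-hop' target
    default_only: bool = False   # True models 'set ip default next-hop'

def rib_lookup(rib: List[Tuple[str, str]], dst: str) -> Tuple[str, int]:
    """Longest-prefix match over (prefix, next hop). Returns (next hop,
    matched prefix length); length 0 means only the default route matched."""
    best_hop, best_len = "drop", -1
    for prefix, hop in rib:
        plen = ipaddress.ip_network(prefix).prefixlen
        if _in(dst, prefix) and plen > best_len:
            best_hop, best_len = hop, plen
    return best_hop, best_len

def forward(src: str, dst: str, route_map: List[RouteMapSeq],
            rib: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Next hop for a packet entering an interface that carries
    'ip policy route-map'. Returns (next hop, reason)."""
    rib_hop, rib_len = rib_lookup(rib, dst)
    for seq in route_map:
        if acl_result(seq.acl, src, dst) != "permit":
            continue  # ACL deny / no match: this sequence does not apply
        if seq.default_only and rib_len > 0:
            return rib_hop, "rib (explicit route beats default next-hop)"
        return seq.next_hop, "pbr"
    return rib_hop, "rib (no policy match)"

# --- constructed sample data built from the addresses in the thread ---
FW1, FW2 = "100.1.100.2", "200.1.200.2"
SERVERS = "10.133.3.0/24"
RIB = [
    ("10.133.1.0/24", "connected Vlan10"),
    ("10.133.2.0/24", "connected Vlan20"),
    ("10.133.3.0/24", "connected Vlan30"),
    ("172.30.1.0/24", "connected Vlan300"),
    ("0.0.0.0/0", FW1),   # gateway of last resort -> FW1
]
# 1. As first posted: 'permit ip 10.133.3.0 0.0.0.255 any' + 'set ip next-hop FW2'
BROKEN = [RouteMapSeq([AclEntry("permit", SERVERS, ANY)], FW2)]
# 2. Deny internal destinations (10/8, 172.16/12) first, then permit any
DENY_INTERNAL = [RouteMapSeq([AclEntry("deny", SERVERS, "10.0.0.0/8"),
                              AclEntry("deny", SERVERS, "172.16.0.0/12"),
                              AclEntry("permit", SERVERS, ANY)], FW2)]
# 3. 'set ip default next-hop': PBR only when just the default route matches
DEFAULT_NH = [RouteMapSeq([AclEntry("permit", SERVERS, ANY)], FW2, default_only=True)]

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("deny-internal", DENY_INTERNAL),
                         ("default-next-hop", DEFAULT_NH)):
        for dst in ("10.133.2.50", "172.30.1.20", "203.0.113.10"):
            hop, why = forward("10.133.3.10", dst, policy, RIB)
            print(f"{name:17} 10.133.3.10 -> {dst:13} via {hop:18} [{why}]")
```

Running it shows why the first config broke LAN access to the servers: a reply from 10.133.3.10 to 10.133.2.50 is policy-routed to FW2 instead of being switched onto Vlan20, while both fixes leave internal destinations on the routing table and send only Internet-bound traffic to FW2. On the switch itself, the match counters in show route-map NAME are the quickest way to confirm which packets the policy is actually catching.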

New Member

Re: Policy Based Routing on 6509

That is what I was thinking. We have 10/8 and 172/16 rfc1918 subnets.

I am going to test this Wednesday night.

1952 Views | 0 Helpful | 26 Replies