Trying to use PBR to route all traffic from one VLAN to a different next-hop

jonlarson13
Level 1

Hello,

 

We are testing some new firewalls and I want all internet traffic that is sourced from this test VLAN to be routed to the test firewall and not the production firewall. I want to continue to have any internal traffic routed by normal means, so I understand that I need to use set ip default next-hop instead of set ip next-hop since our internal traffic is in the routing table. 

 

This is not working. The route-map is policy routing all traffic to my test firewall, and then the test firewall is routing it back to the core switch. I have done some research and understand that it has something to do with how I write my ACL, but I'm not sure how to fix it.

 

So to recap, I want all internet (default route) traffic from VLAN128 to be policy routed to 10.9.100.21. I want any traffic destined to routes in the routing table to be routed normally. With the below config, all traffic is policy routed to the test firewall, and if the destination is a local network (10.0.0.0/8) the firewall sends it back to the core switch, where it then gets routed appropriately. So while this obviously works, it's a couple of extra, unnecessary routes.

 

Here are the related configs:

 

 

CLV-1ST-CR01#sh run | s route-map
route-map fw_test_route permit 18
 match ip address 18
 set ip default next-hop 10.9.100.21

CLV-1ST-CR01#sh ip route
Gateway of last resort is 10.9.10.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.9.10.4
      10.0.0.0/8 is variably subnetted, 45 subnets, 4 masks
D EX     10.1.0.0/16
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX     10.1.1.1/32
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX     10.1.250.0/30
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX     10.8.0.0/16
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX     10.8.250.0/30
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX     10.9.1.1/32
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
C        10.9.7.0/24 is directly connected, Vlan7
L        10.9.7.1/32 is directly connected, Vlan7
C        10.9.10.0/24 is directly connected, Vlan10
L        10.9.10.1/32 is directly connected, Vlan10
C        10.9.12.0/24 is directly connected, Vlan12
L        10.9.12.1/32 is directly connected, Vlan12
C        10.9.13.0/24 is directly connected, Vlan13
L        10.9.13.1/32 is directly connected, Vlan13
C        10.9.14.0/24 is directly connected, Vlan14
L        10.9.14.1/32 is directly connected, Vlan14
C        10.9.15.0/24 is directly connected, Vlan15
L        10.9.15.1/32 is directly connected, Vlan15
C        10.9.20.0/24 is directly connected, Vlan20
L        10.9.20.1/32 is directly connected, Vlan20
C        10.9.21.0/24 is directly connected, Vlan21
L        10.9.21.1/32 is directly connected, Vlan21
C        10.9.40.0/24 is directly connected, Vlan40
L        10.9.40.1/32 is directly connected, Vlan40
S        10.9.70.0/24 [1/0] via 10.9.10.4
C        10.9.80.0/24 is directly connected, Vlan80
L        10.9.80.1/32 is directly connected, Vlan80
C        10.9.100.4/30 is directly connected, TenGigabitEthernet1/0/1
L        10.9.100.5/32 is directly connected, TenGigabitEthernet1/0/1
C        10.9.100.20/30 is directly connected, Vlan127
L        10.9.100.22/32 is directly connected, Vlan127
C        10.9.110.0/24 is directly connected, Vlan110
L        10.9.110.1/32 is directly connected, Vlan110
C        10.9.128.0/24 is directly connected, Vlan128
L        10.9.128.1/32 is directly connected, Vlan128
D EX     10.12.0.0/16
           [170/153856] via 10.9.100.6, 08:26:43, TenGigabitEthernet1/0/1
D EX     10.12.250.0/30
           [170/153856] via 10.9.100.6, 08:27:13, TenGigabitEthernet1/0/1
D EX     10.13.0.0/16
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX     10.13.250.0/30
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX     10.14.0.0/16
           [170/153856] via 10.9.100.6, 1w0d, TenGigabitEthernet1/0/1
D EX     10.14.250.0/30
           [170/153856] via 10.9.100.6, 1w0d, TenGigabitEthernet1/0/1
D EX     10.16.0.0/16
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX     10.16.250.0/30
           [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX     10.80.0.0/16
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX     10.81.0.0/16
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.10.0/24
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.11.0/24
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.20.0/24
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.250.0/24
           [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
CLV-1ST-CR01#sh access-lists
Standard IP access list 18
    10 permit 10.9.128.0, wildcard bits 0.0.0.255 (113 matches)
CLV-1ST-CR01#show run int vlan128
Building configuration...

Current configuration : 160 bytes
!
interface Vlan128
 description FW Test
 ip address 10.9.128.1 255.255.255.0
 ip helper-address 10.9.10.11
 ip policy route-map fw_test_route
end



 

5 Replies

Richard Burts
Hall of Fame

The posted config for PBR looks appropriate. Would you post the output of the command show route-map? Also, can you tell us what device this is configured on and what version of code it is running?

 

HTH

 

Rick


Attached is the info. 

 

CLV-1ST-CR01#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.07.03E RELEASE SOFTWARE (fc3)


Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 16    WS-C3850-12XS      03.07.03E         cat3k_caa-universalk9 INSTALL

CLV-1ST-CR01#show route-map
route-map fw_test_route, permit, sequence 18
  Match clauses:
    ip address (access-lists): 18
  Set clauses:
    ip default next-hop 10.9.100.21
  Policy routing matches: 124 packets, 14745 bytes

Replace the standard ACL with an extended ACL and apply it to the route-map. First deny all private address space (and multicast) as destinations, and then permit anything else.

no access-list 18
access-list 118 deny ip any 10.0.0.0 0.255.255.255
access-list 118 deny ip any 172.16.0.0 0.15.255.255
access-list 118 deny ip any 192.168.0.0 0.0.255.255
access-list 118 deny ip any 224.0.0.0 15.255.255.255
access-list 118 permit ip any any

route-map fw_test_route permit 18
 match ip address 118
 set ip default next-hop 10.9.100.21

Traffic that has been denied from being policy-based routed will fall back to being forwarded according to the routing table.
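To make the difference between the two ACLs concrete, here is an added Python simulation (not code from the thread or from Cisco) of the route-map decision the core switch makes for packets entering Vlan128. It implements Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, a longest-prefix routing-table lookup over a constructed subset of the routing table shown in the question, and the route-map rule the accepted answer relies on: a packet the match ACL permits is sent to the policy next-hop, a packet it denies is forwarded by the routing table. The names ACL_18, ACL_118, ROUTING_TABLE, forward and the sample packets are assumptions of this example. The set clause is applied to every packet the ACL permits, which is the behaviour the original poster observed; the intended fall-through of the `default` keyword itself is deliberately not modelled.

```python
"""Simulate PBR next-hop selection for traffic entering Vlan128 (added example)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PBR_NEXT_HOP = "10.9.100.21"          # set ip default next-hop 10.9.100.21


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wc(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate a Cisco 'address wildcard-bits' pair into an IPv4Network.

    A wildcard bit of 1 means 'don't care', so the netmask is its complement.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


# ACL 18 from the question: a standard ACL matches on source only.
ACL_18 = [AclEntry("permit", wc("10.9.128.0", "0.0.0.255"), ANY)]

# ACL 118 from the accepted answer: deny RFC 1918 and multicast destinations, then permit.
ACL_118 = [
    AclEntry("deny", ANY, wc("10.0.0.0", "0.255.255.255")),
    AclEntry("deny", ANY, wc("172.16.0.0", "0.15.255.255")),
    AclEntry("deny", ANY, wc("192.168.0.0", "0.0.255.255")),
    AclEntry("deny", ANY, wc("224.0.0.0", "15.255.255.255")),
    AclEntry("permit", ANY, ANY),
]

# Constructed subset of the core switch routing table posted in the question.
ROUTING_TABLE = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "10.9.10.4"),          # S* default route
    (ipaddress.IPv4Network("10.1.0.0/16"), "10.9.100.6"),       # D EX via Te1/0/1
    (ipaddress.IPv4Network("10.9.7.0/24"), "connected Vlan7"),
    (ipaddress.IPv4Network("10.9.70.0/24"), "10.9.10.4"),       # static
    (ipaddress.IPv4Network("10.9.128.0/24"), "connected Vlan128"),
    (ipaddress.IPv4Network("192.168.10.0/24"), "10.9.100.6"),   # D EX via Te1/0/1
]


def acl_permits(acl, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def rib_lookup(dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match against the routing table."""
    best = None
    for net, next_hop in ROUTING_TABLE:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]


def forward(acl, src_ip: str, dst_ip: str) -> str:
    """Next hop chosen for a packet entering Vlan128 under `ip policy route-map`.

    Permitted by the match ACL -> policy next-hop; denied -> normal routing.
    """
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if acl_permits(acl, src, dst):
        return PBR_NEXT_HOP
    return rib_lookup(dst)


if __name__ == "__main__":
    # Constructed sample flows from a VLAN128 host (203.0.113.10 stands in for an internet host).
    for dst in ("10.9.7.10", "10.1.2.3", "192.168.10.5", "203.0.113.10"):
        print(f"{dst:>14}: ACL 18 -> {forward(ACL_18, '10.9.128.50', dst):<18}"
              f" ACL 118 -> {forward(ACL_118, '10.9.128.50', dst)}")
```

With ACL 18 every packet from 10.9.128.0/24 is permitted, so even a packet for 10.9.7.10 (a directly connected VLAN) goes to the test firewall, exactly the hairpin the question describes. With ACL 118 the deny lines take internal destinations out of the route-map, so they are forwarded by the routing table, while a packet to an internet address still reaches the permit line and goes to 10.9.100.21. Note that ACL 118 uses `any` as the source; it only affects VLAN128 because the route-map is applied with `ip policy route-map` on interface Vlan128 alone.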

This was the answer! Thank you for clarifying this for me, it works exactly how I want now.

 

You're welcome.