02-19-2018 02:40 PM - edited 03-08-2019 01:55 PM
Hello,
We are testing some new firewalls and I want all internet traffic that is sourced from this test VLAN to be routed to the test firewall and not the production firewall. I want to continue to have any internal traffic routed by normal means, so I understand that I need to use set ip default next-hop instead of set ip next-hop since our internal traffic is in the routing table.
This is not working. The route-map is policy routing all traffic to my test firewall, and then the test firewall is routing it back to the core switch. I have done some research and understand that it has something to do with how I write my ACL, but I'm not sure how to fix it.
So to recap, I want all internet (default route) traffic from VLAN128 to be policy routed to 10.9.100.21. I want any traffic destined to routes in the routing table to be routed normally. With the below config, all traffic is policy routed to the test firewall, and if the destination is a local network (10.0.0.0/8) the firewall sends it back to the core switch, where it then gets routed appropriately. So while this obviously works, it's a couple of extra, unnecessary routes.
Here are the related configs:
CLV-1ST-CR01#sh run | s route-map
route-map fw_test_route permit 18
 match ip address 18
 set ip default next-hop 10.9.100.21

CLV-1ST-CR01#sh ip route
Gateway of last resort is 10.9.10.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.9.10.4
      10.0.0.0/8 is variably subnetted, 45 subnets, 4 masks
D EX  10.1.0.0/16 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  10.1.1.1/32 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  10.1.250.0/30 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  10.8.0.0/16 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX  10.8.250.0/30 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX  10.9.1.1/32 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
C     10.9.7.0/24 is directly connected, Vlan7
L     10.9.7.1/32 is directly connected, Vlan7
C     10.9.10.0/24 is directly connected, Vlan10
L     10.9.10.1/32 is directly connected, Vlan10
C     10.9.12.0/24 is directly connected, Vlan12
L     10.9.12.1/32 is directly connected, Vlan12
C     10.9.13.0/24 is directly connected, Vlan13
L     10.9.13.1/32 is directly connected, Vlan13
C     10.9.14.0/24 is directly connected, Vlan14
L     10.9.14.1/32 is directly connected, Vlan14
C     10.9.15.0/24 is directly connected, Vlan15
L     10.9.15.1/32 is directly connected, Vlan15
C     10.9.20.0/24 is directly connected, Vlan20
L     10.9.20.1/32 is directly connected, Vlan20
C     10.9.21.0/24 is directly connected, Vlan21
L     10.9.21.1/32 is directly connected, Vlan21
C     10.9.40.0/24 is directly connected, Vlan40
L     10.9.40.1/32 is directly connected, Vlan40
S     10.9.70.0/24 [1/0] via 10.9.10.4
C     10.9.80.0/24 is directly connected, Vlan80
L     10.9.80.1/32 is directly connected, Vlan80
C     10.9.100.4/30 is directly connected, TenGigabitEthernet1/0/1
L     10.9.100.5/32 is directly connected, TenGigabitEthernet1/0/1
C     10.9.100.20/30 is directly connected, Vlan127
L     10.9.100.22/32 is directly connected, Vlan127
C     10.9.110.0/24 is directly connected, Vlan110
L     10.9.110.1/32 is directly connected, Vlan110
C     10.9.128.0/24 is directly connected, Vlan128
L     10.9.128.1/32 is directly connected, Vlan128
D EX  10.12.0.0/16 [170/153856] via 10.9.100.6, 08:26:43, TenGigabitEthernet1/0/1
D EX  10.12.250.0/30 [170/153856] via 10.9.100.6, 08:27:13, TenGigabitEthernet1/0/1
D EX  10.13.0.0/16 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX  10.13.250.0/30 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX  10.14.0.0/16 [170/153856] via 10.9.100.6, 1w0d, TenGigabitEthernet1/0/1
D EX  10.14.250.0/30 [170/153856] via 10.9.100.6, 1w0d, TenGigabitEthernet1/0/1
D EX  10.16.0.0/16 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX  10.16.250.0/30 [170/153856] via 10.9.100.6, 7w0d, TenGigabitEthernet1/0/1
D EX  10.80.0.0/16 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  10.81.0.0/16 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.10.0/24 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.11.0/24 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.20.0/24 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1
D EX  192.168.250.0/24 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1

CLV-1ST-CR01#sh access-lists
Standard IP access list 18
    10 permit 10.9.128.0, wildcard bits 0.0.0.255 (113 matches)

CLV-1ST-CR01#show run int vlan128
Building configuration...

Current configuration : 160 bytes
!
interface Vlan128
 description FW Test
 ip address 10.9.128.1 255.255.255.0
 ip helper-address 10.9.10.11
 ip policy route-map fw_test_route
end
02-20-2018 12:01 AM - edited 02-20-2018 12:01 AM
Replace the standard ACL with an extended ACL and apply it to the route-map. First deny all private address space (and multicast), then permit anything else.
no access-list 18
access-list 118 deny ip any 10.0.0.0 0.255.255.255
access-list 118 deny ip any 172.16.0.0 0.15.255.255
access-list 118 deny ip any 192.168.0.0 0.0.255.255
access-list 118 deny ip any 224.0.0.0 15.255.255.255
access-list 118 permit ip any any
route-map fw_test_route permit 18
match ip address 118
set ip default next-hop 10.9.100.21
Traffic that the ACL denies is not policy routed and falls back to being forwarded according to the routing table.
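To make the decision in the accepted answer concrete, here is an added Python model of the route-map evaluation (not code from the thread, the switch, or Cisco). It assumes the documented behaviour of `match ip address` plus `set ip default next-hop`: a packet the ACL denies is never policy routed and is forwarded from the routing table, and a permitted packet goes to the configured next hop only when the routing table has no route for the destination other than 0.0.0.0/0. The ACL, the routing-table subset and the sample packets are constructed from the values posted in the thread.

```python
"""Model of route-map fw_test_route (added example; not the device's code).

Assumed semantics, taken from the documented behaviour of
'match ip address' + 'set ip default next-hop':
  * ACL deny (or no match)  -> packet is NOT policy routed, routing table decides
  * ACL permit              -> policy routed only if the best route is 0.0.0.0/0
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_host(fields: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one 'any' | 'host A' | 'A WILDCARD' | 'A' term -> (addr, wildcard, rest)."""
    if fields[0] == "any":
        return 0, 0xFFFFFFFF, fields[1:]
    if fields[0] == "host":
        return _ip(fields[1]), 0, fields[2:]
    if len(fields) > 1 and "." in fields[1]:
        return _ip(fields[0]), _ip(fields[1]), fields[2:]
    return _ip(fields[0]), 0, fields[1:]


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src: str, dst: str) -> bool:
        # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
        return ((_ip(src) & ~self.src_wild) == (self.src & ~self.src_wild)
                and (_ip(dst) & ~self.dst_wild) == (self.dst & ~self.dst_wild))


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ...' in standard or extended form."""
    entries = []
    for line in lines:
        tok = line.split()
        action = tok[2]
        if tok[3] == "ip":                      # extended: ip SRC WILD DST WILD
            src, src_w, rest = _parse_host(tok[4:])
            dst, dst_w, _ = _parse_host(rest)
        else:                                   # standard: SRC [WILD], any destination
            src, src_w, _ = _parse_host(tok[3:])
            dst, dst_w = 0, 0xFFFFFFFF
        entries.append(AclEntry(action, src, src_w, dst, dst_w))
    return entries


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str             # next-hop address, or "connected <interface>"


def parse_routes(lines: List[str]) -> List[Route]:
    """Parse the 'sh ip route' line shapes seen in the thread (S*, S, C, L, D EX)."""
    routes = []
    for line in lines:
        tok = line.split()
        prefix = next(t for t in tok if "/" in t and not t.startswith("["))
        via = tok[tok.index("via") + 1].rstrip(",") if "via" in tok else "connected " + tok[-1]
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match against the routing table."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(src: str, dst: str, acl: List[AclEntry], routes: List[Route],
            default_next_hop: str) -> Tuple[str, Optional[str]]:
    """Decide how a packet entering the interface with 'ip policy route-map' is forwarded."""
    action = next((e.action for e in acl if e.matches(src, dst)), "deny")  # implicit deny
    best = lookup(routes, dst)
    only_default = best is None or best.prefix.prefixlen == 0
    if action == "permit" and only_default:
        return "policy-routed", default_next_hop
    if best is None:
        return "dropped", None
    return "routing-table", best.via


# Constructed from the thread: the original standard ACL and the accepted answer's ACL.
ACL_18 = parse_acl(["access-list 18 permit 10.9.128.0 0.0.0.255"])
ACL_118 = parse_acl([
    "access-list 118 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 118 deny ip any 172.16.0.0 0.15.255.255",
    "access-list 118 deny ip any 192.168.0.0 0.0.255.255",
    "access-list 118 deny ip any 224.0.0.0 15.255.255.255",
    "access-list 118 permit ip any any",
])
# Constructed subset of the core switch's routing table from the thread.
ROUTES = parse_routes([
    "S* 0.0.0.0/0 [1/0] via 10.9.10.4",
    "C 10.9.7.0/24 is directly connected, Vlan7",
    "S 10.9.70.0/24 [1/0] via 10.9.10.4",
    "C 10.9.128.0/24 is directly connected, Vlan128",
    "D EX 10.12.0.0/16 [170/153856] via 10.9.100.6, 08:26:43, TenGigabitEthernet1/0/1",
    "D EX 192.168.10.0/24 [170/153856] via 10.9.100.6, 2w2d, TenGigabitEthernet1/0/1",
])
TEST_FW = "10.9.100.21"   # test firewall from the route-map

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.9.7.5", "10.12.1.1", "192.168.1.1"):
        print(dst, forward("10.9.128.10", dst, ACL_118, ROUTES, TEST_FW))
```

With ACL 118, internet-bound traffic from 10.9.128.10 is policy routed to 10.9.100.21, while destinations inside 10/8 go out the connected VLAN or the EIGRP next hop, and a private destination with no specific route (192.168.1.1 here) follows the production default 10.9.10.4 rather than the test firewall. Note that the explicit deny entries make that outcome independent of the default-next-hop check: private destinations never reach the set clause, which is why the fix holds even though the thread reports that the standard ACL on this switch sent everything to the test firewall.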
02-19-2018 02:54 PM
The posted config for PBR looks appropriate. Would you post the output of the command show route-map? Also, can you tell us what device this is configured on and what version of code it is running?
HTH
Rick
02-19-2018 07:55 PM
Attached is the info.
CLV-1ST-CR01#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.07.03E RELEASE SOFTWARE (fc3)

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 16    WS-C3850-12XS      03.07.03E         cat3k_caa-universalk9 INSTALL

CLV-1ST-CR01#show route-map
route-map fw_test_route, permit, sequence 18
  Match clauses:
    ip address (access-lists): 18
  Set clauses:
    ip default next-hop 10.9.100.21
  Policy routing matches: 124 packets, 14745 bytes
02-20-2018 08:23 AM
This was the answer! Thank you for clarifying this for me, it works exactly how I want now.