Cisco Support Community
Community Member

Confusing Policy Based Routing


I have a query regarding policy based routing.

I have a Catalyst 4510 Switch with the following 2 VLANs:

VLAN / Subnet / 24 VLAN Interface

VLAN / Subnet / 24 VLAN Interface

I also have 2 firewalls, also with VLANs on the 4510:

Firewall IP VLAN / Subnet / 24 VLAN Interface

Firewall IP VLAN / Subnet / 24 VLAN Interface

Traffic from is directed out through the firewall by default route on the 4510.

Traffic from is forced out via Policy Based Routing to

This is done with the following PBR config, applied on the VLAN interface:

ip access-list extended PBR_VLAN10
 deny ip
 permit ip any
route-map SIB_LIV_PBR permit 10
 match ip address PBR_VLAN10
 set ip next-hop

For the potential need for resiliency, both firewalls have routes back to both subnets and via the 4510.

This works correctly.

However, I am confused about the internal connectivity between the two subnets and

As I can follow it, if a device on were to ping a device on, it would hit the PBR rule and head to the firewall, and would then be routed back to the 4510, which should then be able to reach the subnet anyway. However, this does not seem to happen.

As it happens I don't actually want the subnets to interact, but I didn't think I had configured anything yet to prohibit this!

I know it's a long and complicated one, but any thoughts?

Hall of Fame Super Gold

Re: Confusing Policy Based Routing


There are aspects of your environment that we do not know or understand and they may have some impact on this question. But here are my thoughts on what you have posted:

- I am puzzled by the first line in the access list:

deny ip

which basically says do not policy route traffic where the source and the destination are both in the subnet of the interface. But why would traffic where the destination was in the same subnet as the source even get to the interface? It should just go local to the destination without needing a layer 3 interface.

- It would make a lot more sense to me if the destination address were slightly changed:

deny ip

This would say do not policy route if the source and destination are both on the 4510 and do not need any firewall.

- Depending on what type of firewall it is and how it is configured, many firewalls do not want to forward a packet back out the same interface on which it was received (sometimes called hairpinning the traffic). Perhaps that is why traffic from to does not work.

If you do want to prevent traffic between the local subnets, then you would need an access list on the interface to deny inter-subnet traffic and permit other traffic.
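The reply's two suggestions written out as a complete configuration (an added example, not config from the original thread; the subnets, next-hop and the BLOCK_VLAN10_TO_VLAN20 list name are constructed placeholders, while PBR_VLAN10 and SIB_LIV_PBR are the names used in the question):

```cisco
! Constructed addressing (not from the original thread):
!   VLAN 10 = 10.10.10.0/24, VLAN 20 = 10.10.20.0/24,
!   inside address of the second firewall = 10.10.30.2 (its own VLAN on the 4510)
!
! 1) Keep traffic that the 4510 can route itself out of the route-map,
!    so it is never sent to the firewall and never hairpinned.
ip access-list extended PBR_VLAN10
 remark deny = do NOT policy route; local inter-VLAN traffic stays on the 4510
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark everything else from VLAN 10 goes to the second firewall
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SIB_LIV_PBR permit 10
 match ip address PBR_VLAN10
 set ip next-hop 10.10.30.2
!
! 2) Optional: explicitly block VLAN 10 -> VLAN 20 on the 4510 itself.
!    An inbound interface ACL is checked before the route-map, so the
!    denied packets are dropped rather than policy-routed.
ip access-list extended BLOCK_VLAN10_TO_VLAN20
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group BLOCK_VLAN10_TO_VLAN20 in
 ip policy route-map SIB_LIV_PBR
```

Without the deny line, pings from VLAN 10 to VLAN 20 leave towards the firewall and depend on it hairpinning them back, which is the behaviour the reply describes as commonly refused; `show route-map SIB_LIV_PBR` on the 4510 shows whether the policy-routed counter is incrementing for that traffic.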
