Using policy-routing to override connected routes

Hi guys,

I have a question about policy routing, where I'm not sure if this is possible or not.

Here's what a customer of mine wants to achieve.

They have a main router connected with a FastEthernet interface to their network 10.1.16.0/20 (thus a connected route).

Via this router, several locations with different IP subnets are connected via DSL. They want some of these subnets to reach the 10.1.16.0/20 network directly, but other subnets to reach 10.1.16.0/20 via a firewall, which is connected to another interface of the main router (in another subnet, 10.1.151.0/24).

Here's what I think should work, but I want to be sure.

interface FastEthernet0/0
 ip address 10.1.31.254 255.255.240.0
!
interface FastEthernet0/1
 ip address 10.1.151.254 255.255.255.0
!
interface Serial1/0
 ip address x.x.x.x x.x.x.x
 ip policy route-map test
!
! Packets arriving on Serial1/0 that match ACL 140 are handed to the
! firewall at 10.1.151.1 instead of being forwarded over the connected
! route on FastEthernet0/0. (The original post referenced ACL 110 in the
! route-map but defined ACL 140; the number is made consistent here.)
route-map test permit 10
 match ip address 140
 set ip next-hop 10.1.151.1
!
! As written, every packet sourced from the firewalled subnet is
! policy-routed, whatever its destination. An extended ACL needs a
! destination field, so "any" is added to make the line complete.
access-list 140 permit ip <firewalled subnet> <netmask> any
access-list 140 deny ip any any

Will this work? Or does the connected route take precedence over policy routing?

Thanks in advance,

Leo

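The configuration from the question, written out in full as an added example for this thread (it is not the original poster's configuration). It narrows the ACL to traffic from the firewalled site toward 10.1.16.0/20 only, adds the return-path policy that the sketch above leaves out (without it, a stateful firewall sees only the site-to-LAN half of each connection, because replies from 10.1.16.0/20 follow the routing table straight out of the serial interface), and lists the show commands that confirm policy routing, not the connected route, is being used. The site subnet 10.1.60.0/24, the interface descriptions and the route-map and ACL names are assumptions made for this example.

```cisco
! Hypothetical addressing (not from the original post):
!   firewalled DSL site subnet  10.1.60.0/24
! From the post: LAN 10.1.16.0/20 on Fa0/0, firewall 10.1.151.1 on Fa0/1,
! DSL sites reached through Serial1/0.
!
interface FastEthernet0/0
 description LAN 10.1.16.0/20 (connected route)
 ip address 10.1.31.254 255.255.240.0
 ! Return traffic LAN -> firewalled site must also pass the firewall,
 ! otherwise a stateful firewall sees only one direction of each flow.
 ip policy route-map LAN-TO-FW
!
interface FastEthernet0/1
 description firewall segment 10.1.151.0/24
 ip address 10.1.151.254 255.255.255.0
 ! No policy here: packets the firewall hands back are routed normally.
!
interface Serial1/0
 description DSL sites
 ip address x.x.x.x x.x.x.x
 ip policy route-map DSL-TO-FW
!
! Forward direction: only firewalled site -> LAN is diverted. Traffic from
! that site to any other destination keeps using the routing table.
ip access-list extended FWSITE-TO-LAN
 permit ip 10.1.60.0 0.0.0.255 10.1.16.0 0.0.15.255
!
route-map DSL-TO-FW permit 10
 match ip address FWSITE-TO-LAN
 set ip next-hop 10.1.151.1
! Packets not matched by sequence 10 fall through to normal routing,
! i.e. the connected route on Fa0/0. No explicit deny is needed.
!
! Return direction: LAN -> firewalled site, diverted to the firewall too.
ip access-list extended LAN-TO-FWSITE
 permit ip 10.1.16.0 0.0.15.255 10.1.60.0 0.0.0.255
!
route-map LAN-TO-FW permit 10
 match ip address LAN-TO-FWSITE
 set ip next-hop 10.1.151.1
!
! The firewall itself needs routes for 10.1.60.0/24 and 10.1.16.0/20 via
! 10.1.151.254 so that it can forward in both directions.
!
! Verification (exec mode):
!   show ip policy               - which route-map is bound to which interface
!   show route-map DSL-TO-FW     - "Policy routing matches" counter increments
!                                  as site -> LAN traffic flows
!   show ip route 10.1.16.0      - still "directly connected, FastEthernet0/0":
!                                  PBR does not change the routing table
!   traceroute from a 10.1.60.0/24 host to a 10.1.16.0/20 host should show
!   10.1.151.1 as a hop between this router and the destination
!   debug ip policy              - per-packet "policy match" / "policy rejected"
!                                  output; CPU-heavy, use only briefly
```

Policy routing is applied to packets entering an interface that carries `ip policy route-map` before the normal destination lookup, which is why the connected route for 10.1.16.0/20 does not win for matched packets; the routing table is only consulted for packets the route-map does not match. One caveat worth knowing: plain `set ip next-hop` is fail-open. If 10.1.151.1 is not resolvable (no ARP entry, firewall or Fa0/1 down), matched packets are forwarded from the routing table and reach 10.1.16.0/20 directly, bypassing the firewall without any error being logged.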
2 REPLIES

Re: Using policy-routing to override connected routes

It'll work, though I wouldn't advise it from a security standpoint. In general you want all traffic to go through the firewall rather than relying on a router to send only certain traffic to it. In your case the firewall could be told to allow all traffic from the "special subnets" and only apply its block rules to the remaining traffic.


Re: Using policy-routing to override connected routes

Hi, thanks for the reply. I am aware that from a security point of view it would be better to choose another solution. But security is not really an issue in this case. In fact, the policy route will be in place for just a few weeks.

The case is about a company which has taken over another company; during the insourcing they will have the firewall in place, and after the insourcing the firewall will be removed.

But thanks for the reply; I thought it would work, but I needed to be sure.

Kind regards,

Leo
