ACL based forwarding

Question, updated 3 years ago, answered
I have several groups that are all serviced by one core switch 670 with a core license. I need a way to make routing and next-hop decisions based on source subnet.
I want group 1 to go out firewall 1 and group 2 to go to firewall 2. I need local traffic to be routed on the core. I do not want to forward all traffic to the firewalls for routing decisions. What would be the best way? Clients seem to ping the fw but not get to the internet.

Here is how I am doing it now. 
show policy "lb-redir_gov"
Policies at Policy Server:
Policy: lb-redir_gov
entry route_local_traffic {
    if match all {
        destination-address 192.168.0.0/16 ;
    }
    then {
        permit ;
    }
}
entry redirect_gov {
    if match all {
        source-address 192.168.0.0/16 ;
    }
    then {
        redirect 10.0.5.10 ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once
GCIT_Support
Posted 3 years ago

Joseph Burnsworth

I think this may be what you are looking for:

entry route_local_traffic {
    if {
        destination-address 0.0.0.0/0;
        source-address 192.168.0.0/16;
    }
    then {
        redirect 10.0.5.10;
    }
}

This will forward all traffic from source 192.168.0.0/16 to the next hop 10.0.5.10, for any and all traffic.

David Coglianese, Ambassador
But he only wants to send some traffic from each subnet to the firewalls. He is trying to keep internal traffic on the router. Seems like he needs an exclusion for the internal subnets.

No?
Joseph Burnsworth
If memory serves me well, this should take place after the routing table.
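The point the thread turns on is that the exclusion entry for internal destinations has to sit above the redirect entry, because a policy is evaluated top-down and the first matching entry decides what happens to the packet. The following is an added example, not code from the thread or from Extreme: a small Python model of that first-match evaluation, run over the lb-redir_gov policy shown above and over the single-entry variant. It assumes first-match semantics with a matching redirect overriding the route lookup and a matching plain permit falling through to the routing table. It goes beyond the thread by adding a second group; the group 2 source range 172.16.0.0/16, the second firewall 10.0.6.10, the routing table, the default next hop 10.0.9.1 and the sample client and internet addresses are all constructed for illustration.

```python
import ipaddress

# Added example, not Extreme's code: a toy model of ACL-based forwarding in
# which policy entries are evaluated top-down and the first match wins
# (assumed to mirror EXOS policy-file semantics). A matching "redirect"
# entry overrides the route lookup; a matching plain "permit" entry falls
# through to the routing table.


class Entry:
    """One policy entry: optional source/destination match, optional redirect."""

    def __init__(self, name, source=None, destination=None, redirect=None):
        self.name = name
        self.source = ipaddress.ip_network(source) if source else None
        self.destination = ipaddress.ip_network(destination) if destination else None
        self.redirect = redirect  # next-hop address, or None for plain "permit"

    def matches(self, src, dst):
        if self.source is not None and src not in self.source:
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        return True


def route_lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def forward(policy, table, src, dst):
    """Return (name of the entry that matched or None, chosen next hop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in policy:
        if entry.matches(src, dst):
            if entry.redirect is not None:
                return entry.name, entry.redirect        # PBR overrides routing
            return entry.name, route_lookup(table, dst)  # permit: normal routing
    return None, route_lookup(table, dst)


# Constructed routing table: both internal ranges are directly connected on
# the core; the default route points at a constructed gateway.
ROUTING_TABLE = [
    ("192.168.0.0/16", "connected"),
    ("172.16.0.0/16", "connected"),  # constructed "group 2" range
    ("0.0.0.0/0", "10.0.9.1"),       # constructed default next hop
]

# The thread's lb-redir_gov policy extended to two groups. The exclusion
# entries for internal destinations come first, so internal traffic never
# reaches a redirect entry. 172.16.0.0/16 and 10.0.6.10 are constructed.
TWO_GROUP_POLICY = [
    Entry("route_local_traffic", destination="192.168.0.0/16"),
    Entry("route_local_traffic_g2", destination="172.16.0.0/16"),
    Entry("redirect_gov", source="192.168.0.0/16", redirect="10.0.5.10"),
    Entry("redirect_group2", source="172.16.0.0/16", redirect="10.0.6.10"),
]

# The single-entry variant proposed in the thread: with no exclusion entry,
# traffic between internal subnets is also sent to the firewall.
SINGLE_ENTRY_POLICY = [
    Entry("route_local_traffic", source="192.168.0.0/16",
          destination="0.0.0.0/0", redirect="10.0.5.10"),
]


def compare(src, dst):
    """Evaluate one constructed flow under both policies."""
    return {
        "two_group": forward(TWO_GROUP_POLICY, ROUTING_TABLE, src, dst),
        "single_entry": forward(SINGLE_ENTRY_POLICY, ROUTING_TABLE, src, dst),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "the internet".
    for flow in [("192.168.10.5", "192.168.20.7"),  # group 1 -> internal
                 ("192.168.10.5", "203.0.113.10"),  # group 1 -> internet
                 ("172.16.4.9", "203.0.113.10"),    # group 2 -> internet
                 ("172.16.4.9", "192.168.20.7")]:   # group 2 -> internal
        print(flow, compare(*flow))
```

Under the two-group policy an internal-to-internal flow matches the first entry and is routed by the core's own table, while a flow to an outside address skips the exclusion entries and hits the redirect for its group. Under the single-entry policy the same internal flow is redirected to 10.0.5.10, which is the hairpin through the firewall the original poster is trying to avoid. The model also shows why an exclusion placed below the redirect would never be reached.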