ACL based forwarding


I have several groups that are all serviced by one core switch 670 with core license. I need a way to make routing and next-hop decisions based on source subnet.
I want group 1 to go out firewall 1 and group 2 to go to firewall 2. I need local traffic to be routed on the core. I do not want to forward all traffic to the firewalls for routing decisions. What would be the best way? Clients seem to be able to ping the FW but do not get to the internet.

Here is how I am doing it now.
show policy "lb-redir_gov"

Policies at Policy Server:
Policy: lb-redir_gov
entry route_local_traffic {
    if match all {
        destination-address 192.168.0.0/16 ;
    }
    then {
        permit ;
    }
}
entry redirect_gov {
    if match all {
        source-address 192.168.0.0/16 ;
    }
    then {
        redirect 10.0.5.10 ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once
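The following policy is an added example for the two-firewall setup asked about above; it is not the original poster's configuration. The group subnets 192.168.10.0/24 and 192.168.20.0/24 and the second firewall's next hop 10.0.5.11 are assumed values for illustration; 192.168.0.0/16 and 10.0.5.10 are taken from the thread. ExtremeXOS evaluates policy entries top down and stops at the first match, so the permit for internal destinations has to come before any redirect entry, otherwise internal traffic would be redirected to a firewall as well. Traffic from a source subnet that no entry matches falls through and is routed normally by the switch.

```text
# Added example policy (not from the thread). Entries are evaluated in order;
# the first matching entry decides, so the internal-traffic exclusion goes first.

# 1. Anything destined for the internal range stays on the core and is
#    routed by the switch's own routing table.
entry route_local_traffic {
    if match all {
        destination-address 192.168.0.0/16 ;
    }
    then {
        permit ;
    }
}

# 2. Group 1 (assumed subnet 192.168.10.0/24) -> firewall 1 at 10.0.5.10.
#    Only non-internal destinations reach this entry.
entry redirect_group1 {
    if match all {
        source-address 192.168.10.0/24 ;
    }
    then {
        redirect 10.0.5.10 ;
    }
}

# 3. Group 2 (assumed subnet 192.168.20.0/24) -> firewall 2 at 10.0.5.11
#    (assumed address of the second firewall).
entry redirect_group2 {
    if match all {
        source-address 192.168.20.0/24 ;
    }
    then {
        redirect 10.0.5.11 ;
    }
}
```

Two checks worth making when a policy like this appears to match but clients still do not reach the internet: the redirect next hop must be resolvable in the switch's own ARP table (the switch must be able to reach 10.0.5.10 and 10.0.5.11 directly, since redirect does not consult the routing table for the next hop), and the policy must be applied ingress on the VLANs or ports where the client traffic enters the switch, for example `configure access-list lb-redir_gov vlan <group1_vlan> ingress` with the VLAN name substituted. `check policy lb-redir_gov` reports syntax problems before the policy is bound. The firewalls also need their own route back to the client subnets, otherwise replies never return to the core.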

3 replies

I think this may be what you are looking for

entry route_local_traffic {
    if {
        destination-address 0.0.0.0/0;
        source-address 192.168.0.0/16;
    }
    then {
        redirect 10.0.5.10;
    }
}

This will forward all traffic from source 192.168.0.0/16 to take the next hop to 10.0.5.10 for any and all traffic.

But he only wants to send some traffic from each subnet to the firewalls. He is trying to keep internal traffic on the router. Seems like he needs an exclusion for the internal subnets.

No?
If memory serves me well, this should take place after the routing table.
