ACL-based forwarding
12-30-2015 03:40 PM
I have several groups that are all serviced by one core switch 670 with core license. I need a way to make routing and next hop decisions based on source subnet.
I want group 1 to go out firewall 1 and group 2 to go to firewall 2. I need local traffic to be routed on the core. I do not want to forward all traffic to the firewalls for routing decisions. What would be the best way? Clients seem to ping the FW but not get to the internet.
Here is how I am doing it now.
show policy "lb-redir_gov"
Policies at Policy Server:
Policy: lb-redir_gov
entry route_local_traffic {
    if match all {
        destination-address 192.168.0.0/16 ;
    }
    then {
        permit ;
    }
}
entry redirect_gov {
    if match all {
        source-address 192.168.0.0/16 ;
    }
    then {
        redirect 10.0.5.10 ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once
3 Replies
12-30-2015 07:34 PM
If memory serves me well, this should take place after the routing table.
12-30-2015 07:21 PM
But he only wants to send some traffic from each subnet to the firewalls. He is trying to keep internal traffic on the router. Seems like he needs an exclusion for the internal subnets.
No?
12-30-2015 05:09 PM
I think this may be what you are looking for:
entry route_local_traffic {
    if {
        destination-address 0.0.0.0/0;
        source-address 192.168.0.0/16;
    }
    then {
        redirect 10.0.5.10;
    }
}
This will forward all traffic from source 192.168.0.0/16 to take the next hop to 10.0.5.10, for any and all traffic.
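Putting the two points in this thread together (keep an exclusion for the internal subnets, then redirect per source group), here is an added example policy that is not from the original posts or from Extreme. EXOS evaluates ACL entries top-down and applies the first match, so the local-traffic exclusion must come before the redirects; the per-group subnets, the second firewall address 10.0.5.20 and the VLAN names are placeholders, only 10.0.5.10 comes from the thread.

```text
# Constructed example policy (pbr_groups.pol), not the poster's config.
# First match wins: internal traffic is permitted here so the core's own
# routing table handles it and it is never sent to a firewall.
entry keep_local_on_core {
    if match all {
        source-address 192.168.0.0/16 ;
        destination-address 192.168.0.0/16 ;
    }
    then {
        permit ;
    }
}
# Group 1 (placeholder subnet) -> firewall 1 (address from the thread)
entry group1_to_fw1 {
    if match all {
        source-address 192.168.10.0/24 ;
    }
    then {
        redirect 10.0.5.10 ;
    }
}
# Group 2 (placeholder subnet) -> firewall 2 (placeholder address)
entry group2_to_fw2 {
    if match all {
        source-address 192.168.20.0/24 ;
    }
    then {
        redirect 10.0.5.20 ;
    }
}
# Anything not covered above is forwarded normally.
entry everything_else {
    if {
    }
    then {
        permit ;
    }
}
```

Validate the file with `check policy pbr_groups` before binding it ingress on the client VLANs with `configure access-list pbr_groups vlan <vlan-name> ingress`. Because a redirect bypasses the routing table only for matched packets, a host in a group subnet that is not listed above still falls through to the final permit and is routed by the core.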
