This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

acl based forwarding

acl based forwarding

GCIT_Support
New Contributor II

‎12-30-2015 03:40 PM

I have several groups that are all serviced by one core switch 670 with core license. I need a way to make routing and next hop decisions based on source subnet.
I want group 1 to go out firewall 1 and group 2 to go to firewall 2. I need local traffic to be routed on the core. I do not want to forward all traffic to firewalls for routing decisions. What would be the best way? Clients seem to ping fw but not get to internet.

Here is how I am doing it now.
show policy "lb-redir_gov"Policies at Policy Server:
Policy: lb-redir_gov
entry route_local_traffic {
if match all {
destination-address 192.168.0.0/16 ;
}
then {
permit ;
}
}
entry redirect_gov {
if match all {
source-address 192.168.0.0/16 ;
}
then {
redirect 10.0.5.10 ;
}
}
Number of clients bound to policy: 1
Client: acl bound once
0 Kudos
3 REPLIES 3

Joseph_Burnswor
New Contributor III

‎12-30-2015 07:34 PM

If memory serves me well, this should take place after the routing table.
0 Kudos

davidj_cogliane
Contributor

‎12-30-2015 07:21 PM

But he only wants to send some traffic from each subnet to the firewalls. He is trying to keep internal traffic on the router. Seems like he needs an exclusion for the internal subnets.

No?
0 Kudos

Joseph_Burnswor
New Contributor III

‎12-30-2015 05:09 PM

I think this may be what you are looking for

entry route_local_traffic {
if {
Destination-address 0.0.0.0/0;
source-address 192.168.0.0/16;
}
then {
redirect 10.0.5.10;
}
}

This will forward all traffic from source 192.168.0.0/16 to take the next hop to 10.0.5.10 for any and all traffic

0 Kudos
GTM-P2G8KFN