
Policy-based routing

Status
Not open for further replies.

dearingkr

MIS
Feb 13, 2001
656
US
I'm having a problem implementing policy-based routing.

My situation is this:
Very large network
Multiple sites connected via MetroE
At least 5 VLANs at each site
1 Core site where all traffic is routed
Internet access only at Core site
Have 2 firewalls
Core switch is a BD6808 running ExtremeWare 7.6
All other switches are Summit X450s & X250s running XOS 12

My problem is that I want to be able to route internet traffic to a different firewall dependent upon source subnet.

The only thing I've been able to get half-way working is flow-redirect, but with flow-redirect it overrides routing, making the device inaccessible from inside the network.
In fact, even DHCP doesn't work because my DHCP server is on a different subnet (using bootprelay).

Note that I'm not using any routing protocols at this time.
I'm using static routes (summarized). For instance all of Site1 IP addresses are 10.101.x.x, Site2 is 10.102.x.x, etc.

Any help would be greatly appreciated.


MCSE CCNA CCDA
 
You can create exceptions to your flow-redirect by not giving a next hop to those flow-redirects. Here's a basic example.

Scenario:
All internal subnets are on the 10.x.x.x network. I have a couple of business partners that come in on 172.16.1.0/24 and 172.16.2.0/24. I have a WAN FW which the business partners and WAN branches connect into, which is also the default gateway of my core switch, 10.254.254.254. Internet FW is 10.254.254.3. We're in the process of migrating to a new firewall and are using a similar config to force selected traffic to the new internet firewalls.

The first 3 flow-redirect statements tell the switch to reference its static/dynamic routing table. The last 2 statements tell the switch to direct all other non-defined entries to the internet firewall.

create flow-redirect int1 any destination 10.0.0.0/8 source 10.0.0.0 255.0.0.0
create flow-redirect int2 any destination 172.16.1.0/24 source 10.0.0.0 255.0.0.0
create flow-redirect int3 any destination 172.16.2.0/24 source 10.0.0.0 255.0.0.0
create flow-redirect int4 any destination 0.0.0.0/0 source 10.0.0.0 255.0.0.0
conf flow-redirect int4 add next-hop 10.254.254.253

hope this helps
 
OK, I think I see what you mean.
That seems overly complicated.
If you wanted to modify it, I believe you'd have to disable flow-redirect, re-enable, and start over.

I'd rather not use flow-redirect.

Is there another way to conditionally route traffic based on source IP?


MCSE CCNA CCDA
 
Actually you don't; you can just add the next one in. I just did this: we had a device that was in a network that was being redirected to our new FWs. I needed to force it out our old one, so I just added another exemption statement, without disabling flow-redirect, and it worked.
 
Sorry, I made a mistake: ICMP traffic had no problem, but other traffic (i.e. SNMP and telnet) had issues. This will work if you number your PBR rules as I did above, except give the redirection rule a gap in the numbering; then, when you add the new exemption rules, you don't need to delete the flow-redirect. I've done this with my PC and I didn't lose my connection to the website, and I see my traffic going through the old FW.

Here's what my config looks like. IPs have been changed, but you'll get the idea.

create flow-redirect int1 any destination 10.0.0.0/8 source 10.0.0.0 255.0.0.0
create flow-redirect int2 any destination 172.16.1.0/24 source 10.0.0.0 255.0.0.0
create flow-redirect int3 any destination 172.16.2.0/24 source 10.0.0.0 255.0.0.0
create flow-redirect int20 any destination 0.0.0.0/0 source 10.0.0.0 255.0.0.0
conf flow-redirect int20 add next-hop 10.254.254.253
create flow-redirect int4 any destination 10.100.100.1/32
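As an added illustration (not from this thread or from Extreme Networks), the Python model below applies the entries posted above to sample flows, so a rule set can be checked offline before it is pasted into the switch. It assumes that the most specific matching entry wins (destination prefix length, then source prefix length), that an entry with no next-hop falls through to the routing table as the post describes, and that int4, which has no source in the post, matches any source.

```python
import ipaddress

# Constructed model of the flow-redirect entries posted above.  Assumptions
# (not verified against ExtremeWare docs): the most specific matching rule
# wins, judged by destination prefix length and then source prefix length,
# and a matching rule with no next-hop falls through to the routing table.
RULES = [
    # (name, destination, source, next-hop or None for "use routing table")
    ("int1",  "10.0.0.0/8",      "10.0.0.0/8", None),
    ("int2",  "172.16.1.0/24",   "10.0.0.0/8", None),
    ("int3",  "172.16.2.0/24",   "10.0.0.0/8", None),
    ("int20", "0.0.0.0/0",       "10.0.0.0/8", "10.254.254.253"),
    ("int4",  "10.100.100.1/32", "0.0.0.0/0",  None),  # no source in the post; modelled as any
]


def compile_rules(rules=RULES):
    """Turn the CLI-style tuples into ip_network objects once."""
    return [
        {"name": n, "dst": ipaddress.ip_network(d), "src": ipaddress.ip_network(s), "next_hop": nh}
        for n, d, s, nh in rules
    ]


def decide(src_ip, dst_ip, rules=None):
    """Return (rule name, action) for a flow: action is the redirect next-hop,
    or 'route' when the routing table is used (no rule, or an exemption)."""
    rules = compile_rules() if rules is None else rules
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for r in rules:
        if src in r["src"] and dst in r["dst"]:
            key = (r["dst"].prefixlen, r["src"].prefixlen)
            if best is None or key > (best["dst"].prefixlen, best["src"].prefixlen):
                best = r
    if best is None:
        return (None, "route")
    return (best["name"], best["next_hop"] or "route")


def audit(flows, rules=None):
    """Evaluate a list of (src, dst) sample flows against the rule set, so the
    exemptions (internal, partner, relay targets) can be checked before deployment."""
    return [(s, d) + decide(s, d, rules) for s, d in flows]


if __name__ == "__main__":
    # Constructed sample flows: exempted host, internal, partner and Internet traffic.
    for row in audit([("10.101.5.5", "10.100.100.1"), ("10.101.5.5", "10.200.1.1"),
                      ("10.101.5.5", "172.16.1.7"), ("10.101.5.5", "8.8.8.8")]):
        print("%-14s -> %-14s %-5s %s" % row)
```

Only Internet-bound traffic from 10/8 reaches the redirect next-hop; everything that matches an exemption, or nothing at all, stays on the routing table, which is the behaviour the original poster needed to keep bootprelay working.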
 
OK, thanks for your help.
I honestly never thought about adding exemptions.
I'll have to experiment with this.

MCSE CCNA CCDA
 
Welcome. One thing I'll do when modifying these is type them out in Notepad. Once I have all the cmds I need, I copy and paste them into my SSH shell for the switch and hit enter. That way I can make these changes with less disruption than if I typed them out one at a time.
 