Configuring a PBR policy
To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The
device programs the ACLs into the packet processor on the interfaces and routes traffic that matches the ACLs according to the
instructions in the route maps.
From the guide we have 3 simple steps:
To configure a PBR policy:
• Configure ACLs that contain the source IP addresses for the IP traffic you want to route using PBR.
• Configure a route map that matches on the ACLs and sets the route information.
• Apply the route map on untagged interface or on virtual interface.
If you are still having issues maybe you should open a Case with our TAC team and work with them.
Q: On the Cisco, by adding the "ip policy route-map Internet-Vlan1" to the interface this forwards the non internal ip address ranges off to their firewall/WAN. due to the organizations funding and policies, they have to have their own internet installed at each site showing the connection and bill in their name at their address.
A: Makes sense
Q: so the way the rules are in effect are not in the order as they are listed when doing a show run.
the route-map is applied first using the ACL:
access-list 151 deny ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 151 permit ip any any
this works and is in use this way, for first of all their firewall at each site handles DHCP rules and static assignments, so if a device is mis-configured on the vlan with the wrong ip and/or subnet then it just does not work. I would rather have something not work than have a vulnerability.
so as the "permit route-map" is implemented, it is the same on a cisco as it is on the fastiron. The "denied" range does not get sent to the "set ip next-hop" but continues on to the normal core routing. the "permit" range of everything else not of our ip gets sent to the firewall to deal with.
A: If a device is misconfigured on a VLAN with the wrong subnet, it will not have any routing even without a route-map. It will not be able to even ARP for the gateway. Your ACL above puts everything into the route-map except 10.10.1.0/24 to 10.10.0.0/16
Q: On the Cisco, the above mentioned "denied" items in the "route-map" then move on to the rule of "ip access-group 101 in" on the interface, which then helps regulate what ips or ranges or protocols they can communicate to and with. plug one end of the straw, and no fluid moves through, since it requires bi-directional traffic to function in our environment. if the access-group does not define the traffic, then it moves on to the default routing tables on the switch that sends it off to another firewall for analysis.
A: Good to know. Thanks. On the ICX, you can probably apply “ip access-group 101 out” but not “in” at least the documentation is specific the “in” direction does not work.
Q: the rules that I have work on the Catalyst, i just need to get them to work, so i can swap it with the ICX.
A: You may need to reverse your access lists taking into consideration all possible sources.
Realistically, your ACL most likely acts like a one-way check-valve not allowing return traffic. For that there are reflexive Access Lists that dynamically add return entries that age-out upon completion of return traffic. This is the most straight forward resource I found on those:
BTW, I doubt reflexive access lists will work with route-maps; since, the dynamically created list that allows traffic to flow the opposite direction most likely needs to be applied inbound.
I would probably revamp this and try VRFs to visualize the routing table, so in essence each organization has a separate virtual router. Here is an unrelated example:
You might need more device memory set asside to run VRFs depending upon Fastiron build family:
system-max ip-route 15168
ip route 0.0.0.0/0 192.168.255.1
interface ve 46
vrf forwarding Organization46
ip address 192.168.46.1 255.255.255.0
ip helper-address 1 192.168.255.1
Just remember if you do that you would need to look at the routing table by name:
SSH@TEST#sh ip route vrf organization46
Total number of IP routes: 3
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 0.0.0.0/0 192.168.255.1 ve 101 1/1 S 27d20h
2 192.168.46.0/24 DIRECT ve 46 0/0 D 255d3 192.168.255.0/30 DIRECT ve 101 0/0 D 27d20h