PBR to bypass FWSM
  • PBR to bypass FWSM

    I have a situation where I am trying to migrate our company away from the built-in FWSM on our 6500-series switches (IOS) onto a new install of Juniper firewalls. To facilitate this, I am trying to implement PBR for networks one by one as I build up the ruleset to support our networks.

    From the inside out:

    current:
    host --> (Cisco)blade switch --> 6500 --> FWSM

    desired:
    host --> (Cisco)blade switch --> 6500 --> Juniper

    I have already added a vlan to test the cfg before deploying it.

    INTERFACE CFG:

    interface Vlan300
    description TRIAL_TEST
    ip address 10.0.0.1 255.255.255.224
    no ip redirects
    no ip proxy-arp
    ip route-cache policy
    ip policy route-map trial_test_to_inet

    ROUTE MAP:

    route-map trial_test_to_inet permit 10
    match ip address 10
    set ip default next-hop 10.1.0.1

    ACCESS LIST:

    access-list 10 permit 10.0.0.0 0.0.0.31


    ...in my mind, this should pick up the match (10.0.0.0/27) and route to 10.1.0.1 if the network is not known, otherwise do nothing special with the packet. Pretty basic; am I correct in my assumption?

  • #2
    Re: PBR to bypass FWSM

    From how I see this, anything that comes into the interface Vlan300 destined to 10.0.0.0/27 will be routed towards 10.1.0.1. Any traffic destined to a network not in 10.0.0.0/27 will use the routing table.

    Have you tested this config yet?
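As an added illustration, not code from the thread, this small Python model evaluates the poster's route-map the way IOS does: `match ip address 10` with a standard ACL matches the packet's source address, and `set ip default next-hop` is honoured only when the routing table holds no explicit route for the destination (the 0.0.0.0/0 default route does not count as explicit), whereas `set ip next-hop` bypasses the routing table outright. The routing-table entries, the FWSM inside address and the sample hosts are assumed values.

```python
# Model of IOS PBR evaluation for the route-map in the thread (added example).
import ipaddress

# Standard ACL 10 from the thread: a standard ACL matches the SOURCE address.
ACL_10 = [ipaddress.ip_network("10.0.0.0/27")]

# Assumed routing table on the 6500: prefix -> next hop. The default route
# still points at the FWSM, which is the path the poster wants to bypass.
ROUTING_TABLE = {
    ipaddress.ip_network("10.0.0.0/27"): "connected",
    ipaddress.ip_network("10.2.0.0/16"): "10.0.1.1",   # assumed internal network
    ipaddress.ip_network("0.0.0.0/0"): "10.0.1.254",   # assumed FWSM inside address
}

PBR_NEXT_HOP = "10.1.0.1"   # 'set ip default next-hop' value from the thread

def lookup(dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(p, nh) for p, nh in ROUTING_TABLE.items() if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def forward(src, dst, default_only=True):
    """Next hop chosen for a packet entering Vlan300.

    default_only=True  models 'set ip default next-hop' (routing table first)
    default_only=False models 'set ip next-hop' (PBR overrides the routing table)
    """
    src = ipaddress.ip_address(src)
    acl_hit = any(src in net for net in ACL_10)
    route = lookup(dst)
    if acl_hit and not default_only:
        return PBR_NEXT_HOP
    # 'default next-hop' applies only when no explicit route exists;
    # the 0.0.0.0/0 default route is not treated as an explicit route.
    explicit = route is not None and route[0].prefixlen > 0
    if acl_hit and not explicit:
        return PBR_NEXT_HOP
    return route[1] if route else "drop"

if __name__ == "__main__":
    print(forward("10.0.0.5", "10.2.3.4"))     # 10.0.1.1   (explicit route wins)
    print(forward("10.0.0.5", "203.0.113.9"))  # 10.1.0.1   (only the default route)
    print(forward("10.5.0.9", "203.0.113.9"))  # 10.0.1.254 (source not in ACL 10)
```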
