Thursday, August 9, 2018

How to use Route Maps to get traffic to the Internet

Diagram: https://imgur.com/a/J6qNYnN

Red text shows the default routes on those layer 3 switches, and blue text is the VLAN identifier.

We are evaluating a Palo Alto instead of our ASAs. I'm currently using a tap port to see our current traffic but I want to see some real traffic going through it as well. I have a network called IT Test hanging off to the right. Instead of the IT Test internet traffic going to the ASA, I'd like it to flow through the PAN but I'm having a hard time coming up with how to do that.

I don't want to prevent that network from talking to the rest of my internal network, but I do want 'any' destination traffic to head out to the internet via the palo alto. The only ways I can think of doing this is via Route Maps or VRFs and I'm not sure how to configure this properly.

4500-x

    interface Vlan272
     description IT Test Network
     ip address 10.1.72.1 255.255.255.0
     ip policy route-map Send-To-Pan
    !
    route-map Send-To-Pan permit 10
     match ip address ITTest-To-Pan-Traffic
     set ip next-hop 10.40.0.163
    !
    ! Extended ACL entries need the protocol keyword ("ip").
    ! Entries 20-40 originally read 10.17.72.0, which is not the
    ! Vlan272 subnet; corrected to 10.1.72.0 to match the SVI.
    ip access-list extended ITTest-To-Pan-Traffic
     10 deny ip 10.1.72.0 0.0.0.255 10.0.0.0 0.255.255.255
     20 deny ip 10.1.72.0 0.0.0.255 172.16.0.0 0.15.255.255
     30 deny ip 10.1.72.0 0.0.0.255 192.168.0.0 0.0.255.255
     40 permit ip 10.1.72.0 0.0.0.255 any

There are several issues I see with this. 1. Putting a next hop like that skips the 6513, and it's not directly connected, so that might not work. 2. I don't know that using a 'deny' statement in the route map's ACL actually keeps allowing that network to talk to the rest of the internal network (especially 10.x.x.x).

Do I need to put the route map on the 6513 even though the SVI for that network lives on the 4500?

I don't even know if route maps are the right way to do this. Is a VRF a better/cleaner way? If I did a VRF for this network, would I have to run a new cable from the 6513 over to the 4500 to assign the VRF to a new interface?
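Added example (not from the post above): a small simulator of how PBR evaluates the Send-To-Pan route-map's ACL for one packet. It assumes the ACL source subnet is 10.1.72.0/24 (the Vlan272 SVI subnet) and the next hop 10.40.0.163 from the post. It shows the point behind issue 2: a 'deny' entry in a PBR match ACL does not drop the packet, it just excludes it from policy routing so the normal routing table forwards it. It does not model whether the next hop is adjacent (issue 1).

```python
import ipaddress

# Constructed copy of the post's PBR ACL, source corrected to 10.1.72.0/24.
# Wildcard masks are IOS-style: a 1 bit in the wildcard means "don't care".
ACL_ITTEST_TO_PAN = """
10 deny   10.1.72.0 0.0.0.255 10.0.0.0 0.255.255.255
20 deny   10.1.72.0 0.0.0.255 172.16.0.0 0.15.255.255
30 deny   10.1.72.0 0.0.0.255 192.168.0.0 0.0.255.255
40 permit 10.1.72.0 0.0.0.255 any
"""
PAN_NEXT_HOP = "10.40.0.163"  # the route-map's 'set ip next-hop' (from the post)


def wildcard_match(addr, network, wildcard):
    """IOS wildcard comparison: compare only the bits that are 0 in the wildcard."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_acl(text):
    """Parse 'seq action src src_wc dst [dst_wc]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        dst, dst_wc = (p[4], None) if p[4] == "any" else (p[4], p[5])
        entries.append((int(p[0]), p[1], p[2], p[3], dst, dst_wc))
    return entries


def pbr_decision(src, dst, acl=ACL_ITTEST_TO_PAN):
    """Forwarding decision PBR makes for one packet: (action, next_hop, seq).

    First matching entry wins. 'permit' -> the route-map clause matches and
    the packet goes to the policy next hop. 'deny' or no match -> the packet
    is NOT policy-routed and is forwarded by the normal routing table, which is
    what keeps 10.1.72.0/24 talking to the rest of the internal network.
    """
    for seq, action, s, s_wc, d, d_wc in parse_acl(acl):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            if action == "permit":
                return ("next-hop", PAN_NEXT_HOP, seq)
            return ("normal-routing", None, seq)
    return ("normal-routing", None, None)  # implicit deny at the end of the ACL
```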
