Thursday, April 4, 2019

nexus PBR (anything but RFC 1918) to new DMZ edge

Guys,

We are in the middle of a FW edge migration and want to route specific subnets to the new internet edge for anything but RFC 1918 address space; we want the RFC 1918 address space to follow normal routing behaviour. Our switching infrastructure is Cisco Nexus 9K (7.0(3)I7(5a)).

I was first thinking of doing this using PBR: creating an ACL with three deny statements at the top to deny RFC 1918 from being policy routed to the new internet edge, and then a permit on 0.0.0.0/0. I would reference this in a route map and then set the next hop to the new internet edge.

I went to do this and NX-OS didn't like it, telling me that I can't have deny statements in an ACL referenced in PBR (I'm sure I have done this on IOS).

So my second train of thought would be to create two ACLs named 'routed_to_new_edge' and 'normal_routing' (names will probably change). 'routed_to_new_edge' would contain the following logic: permit SOURCE to 0.0.0.0/0. 'normal_routing' would contain the following logic: permit SOURCE to RFC 1918.

I would then create a route map with two sequences. The first sequence would match the 'normal_routing' ACL and have no set statement (this would not have any effect on the flow, which would follow the normal routing logic); my second sequence would match the 'routed_to_new_edge' ACL and set the next hop to the new internet edge firewall.

Can anyone foresee any issues with this? Should this logic work, and has anyone done anything similar? Obviously all PBR will be removed when the FW migration is complete.

Thanks
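For reference, here is the two-ACL / two-sequence design from the post written out as NX-OS configuration. This is an added example, not the poster's actual config: the source subnet 10.1.0.0/16, the next hop 203.0.113.1, the SVI Vlan100 and the route-map name PBR_NEW_EDGE are assumed placeholders.

```text
! Enable PBR on the Nexus (assumed: feature not yet enabled)
feature pbr

! Sequence-1 ACL: SOURCE -> all three RFC 1918 ranges (no deny entries,
! since NX-OS PBR does not accept deny ACEs in a PBR-referenced ACL)
ip access-list normal_routing
  10 permit ip 10.1.0.0/16 10.0.0.0/8
  20 permit ip 10.1.0.0/16 172.16.0.0/12
  30 permit ip 10.1.0.0/16 192.168.0.0/16

! Sequence-2 ACL: SOURCE -> anything (the 0.0.0.0/0 catch-all)
ip access-list routed_to_new_edge
  10 permit ip 10.1.0.0/16 any

! Sequence 10 matches first for RFC 1918 destinations and carries no
! set statement, so those flows fall back to the normal routing table.
route-map PBR_NEW_EDGE permit 10
  match ip address normal_routing

! Sequence 20 catches everything else and forces it to the new edge FW.
route-map PBR_NEW_EDGE permit 20
  match ip address routed_to_new_edge
  set ip next-hop 203.0.113.1

! Per-sequence hit counters so the split can be verified during the migration
route-map PBR_NEW_EDGE pbr-statistics

! Apply the policy on the SVI facing the source subnet (assumed: Vlan100)
interface Vlan100
  ip policy route-map PBR_NEW_EDGE

! Verification after applying:
!   show route-map PBR_NEW_EDGE pbr-statistics
!   show ip policy
```

Because route-map sequences are evaluated in order, the ordering (RFC 1918 match first, catch-all second) is what makes this work without a deny ACE; if sequence 10 is ever removed or renumbered above 20, internal traffic is silently sent to the edge firewall, so the pbr-statistics counters are worth checking after any change.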
