topic Policy Based Forwarding in General Topics

Policy Based Forwarding

MistryJa — Thu, 18 Feb 2021 17:57:31 GMT

Hi All,

I have a guest wifi vlan 10.25.x.x that needs to be routed out to a second ISP.

AP-->WLC--Palo Alto FW-->MPLS/VPLS-Router-->L3Switch-->ISP

The vlan will each have a sub-interface and gateway 10.25.x.1 assigned on firewall in its own guest zone and virtual router.

The virtual router will have a default gateway 0.0.0.0 to a next hop 10.25.x.2 layer 3 switch SVI where ISP is connected.

Nat will be performed on the L3 switch, 10.25.x.x addresses pool to a public IP before routing out to internet.

1) Will the policy based forwarding work ?

2) I assume I can forward the same traffic out the same sub-interfaces ?

3) Also if I performed the NAT on the Palo Alto before routing out to ISP over a private network is that acceptable from security point of view ?

Re: Policy Based Forwarding

S.Cantwell — Thu, 18 Feb 2021 18:57:15 GMT

Hello there.

So there are 2 ways to perform what want to do.

2 ISPs = 2 virtual routers, which is a single default gateway/route per virtual router.

1) Willthe policy based routing work in this scenarios ?

PBF is used to SUPERSEDE the routing table, to ignore it.. and follow the PBF rules.

So... if you only have a single virtual router, then you would need a PBF rule, to tell the guest wireless to ignore the existing default gateway.

If you have 2 virtual routers, then the "guest wireless virtual router" would be different that your "corporate network" and because of this, NO need to use PBF. You would WANT your guests to get an address with a dg of 10.25.x.1, whose on default gateway is 10.25.x.2...

2) I assume I can forward the same traffic out the same sub-interfaces ?

Yes, you can route whatever traffic you want, and engineer the firewall do to your bidding. 😛

3) Also if I performed the NAT on the Palo Alto before routing out to ISP over a private network is that acceptable from security point of view ?

Perfectly acceptable to use to use security policies and NAT policies on your FW.

Now, are you planning to use SrcNAT or DestNAT (you did not state the specifics)

Remember that security polices for DNAT rules follow "Pre/Post/Pre" or PreNat SRC Zone, POST Nat DestZone, PRENAT Public IP (because we do not NAT until AFTER the security policy approves the traffic is permitted)

Thanks

What other questions can we answer for you?

Re: Policy Based Forwarding

MistryJa — Fri, 19 Feb 2021 08:05:14 GMT

Hello Steve,

Many thanks for reply.