Multiple routing tables

Feb 25th, 2008

Hi.

We have a 4507R L3 switch and 3 separate VLANs which require 3 separate ISP connections.


Each vlan has the L3 switch as the default gateway but then must route out of its own ISP connection for all external access.


However the 3 vlans also need interconnectivity for various services.


Is there a way to give each VLAN its own routing table to satisfy this requirement?


The alternative we have in place currently is that each VLAN default gateways to its firewall which then routes back for any internal connections.


Any help would be great


Jon Marshall Mon, 02/25/2008 - 02:20

Hi Mike


VRF-lite which is supported on the 4500 switch would allow you to have per vlan routing tables if that is what you want. In effect you have multiple separate routing instances and you assign interfaces to those routing instances.


Please see the following link for more details and feel free to come back with any more questions.


http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html


HTH


Jon


mikedelafield Mon, 02/25/2008 - 02:31

If that's the most elegant solution.


It seems a little messy, but for the requirements we have for the separate ISP connections I cannot think of another way?


Have you set up something similar before? Does this sound like a valid solution?

royalblues Mon, 02/25/2008 - 02:33

Mike


I assume the connection is something like this:

4507 -- FW -- Router -- Internet links


On the firewall make sure each VLAN is NATed to a separate public block.

Then use PBR on the router and forward the traffic to the required ISP.


e.g.

VLAN 10 - 10.10.10.0/24

VLAN 20 - 20.20.20.0/24

On the switch:

! one SVI per VLAN; the switch is the default gateway for both subnets
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown

interface Vlan20
 ip address 20.20.20.1 255.255.255.0
 no shutdown

! default route towards the firewall (the next hop was omitted in the original post)
ip route 0.0.0.0 0.0.0.0


Assuming you have a PIX/ASA:

! one NAT pool per VLAN: nat-id 1 maps VLAN 10 to 1.1.1.1 when leaving interface ISP1,
! nat-id 2 maps VLAN 20 to 2.2.2.2 when leaving interface ISP2
global (ISP1) 1 1.1.1.1 netmask 255.255.255.255
global (ISP2) 2 2.2.2.2 netmask 255.255.255.255

nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (inside) 2 20.20.20.0 255.255.255.0 0 0


You also need to configure proper access-lists.


On the router:

! traffic already translated into ISP2's public block is policy-routed to ISP2;
! everything else follows the normal routing table
access-list 101 permit ip 2.2.2.0 0.0.0.255 any

route-map internet permit 10
 match ip address 101
 ! the ISP2 next-hop address was omitted in the original post
 set ip next-hop

interface FastEthernet0/0
 description inside
 ip policy route-map internet

! default route for all other traffic (the next hop was omitted in the original post)
ip route 0.0.0.0 0.0.0.0


HTH

Narayan

mikedelafield Mon, 02/25/2008 - 02:56

Sorry, I should have mentioned the 2 ISPs connect out through 2 separate ASA firewalls.


VLAN 10

SUBNET 10.10.10.0/24

L3 SWITCH 10.10.10.1

FIREWALL 10.10.10.254


VLAN 20

SUBNET 20.20.20.0/24

L3 SWITCH 20.20.20.1

FIREWALL 20.20.20.254


The router on the outside of the firewall is managed by the ISP.


What I think we require is separate routing for each VLAN to its default firewall, but also, in addition, inter-VLAN routing.


Thanks.


Jon Marshall Mon, 02/25/2008 - 03:02

Mike


I guess elegance is in the eye of the beholder :).


If you have separate routing tables per VLAN interface then each routing table could have its own default gateway, so each could point to its relevant firewall.


You could also allow routing between the 2 routing tables. I have used VRF-lite before, not for your exact requirement but to segregate our test network from our production network, and it works well.


You could modify Narayan's example and use PBR on the 4500 switch if you want but this does not give you separate routing tables per vlan. But you may not need this.


Jon
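
As an added example (not from Jon's posts or from the linked configuration guide), here is what the VRF-lite layout Jon describes looks like on the switch for the three VLANs in the original question. The VLAN 10/20 addresses and the .254 firewall addresses are the ones Mike gave; VLAN 30 (30.30.30.0/24, firewall 30.30.30.254), the VRF names and the route distinguishers are assumptions for illustration. The inter-VRF static routes that point at the other VRF's SVI are the usual VRF-lite way to leak a connected subnet without BGP route-targets; whether that form is accepted on the 4500's particular IOS release should be checked against the guide linked above.

```cisco
! Added example: VRF-lite on the Catalyst 4500, one routing table per VLAN.
! VLAN 10/20 addressing and the .254 firewalls are from the thread; VLAN 30,
! the VRF names (ISP1/ISP2/ISP3) and the RDs are assumptions for illustration.

ip vrf ISP1
 rd 65000:10
ip vrf ISP2
 rd 65000:20
ip vrf ISP3
 rd 65000:30

! "ip vrf forwarding" removes the SVI's IP address when applied,
! so the address is (re-)entered after it.
interface Vlan10
 ip vrf forwarding ISP1
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip vrf forwarding ISP2
 ip address 20.20.20.1 255.255.255.0
interface Vlan30
 ip vrf forwarding ISP3
 ip address 30.30.30.1 255.255.255.0

! Each table has its own default route, pointing at that VLAN's own firewall.
! A VLAN can therefore never egress through another VLAN's firewall by accident.
ip route vrf ISP1 0.0.0.0 0.0.0.0 10.10.10.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 20.20.20.254
ip route vrf ISP3 0.0.0.0 0.0.0.0 30.30.30.254

! Inter-VLAN reachability: static routes that point at the SVI living in the
! other VRF (assumed syntax; verify on the 4500's release). Only the pairs that
! need each other get a route; a subnet that is not leaked is unreachable from
! that table and would fall to the default route, i.e. that VLAN's firewall.
ip route vrf ISP1 20.20.20.0 255.255.255.0 Vlan20
ip route vrf ISP1 30.30.30.0 255.255.255.0 Vlan30
ip route vrf ISP2 10.10.10.0 255.255.255.0 Vlan10
ip route vrf ISP2 30.30.30.0 255.255.255.0 Vlan30
ip route vrf ISP3 10.10.10.0 255.255.255.0 Vlan10
ip route vrf ISP3 20.20.20.0 255.255.255.0 Vlan20

! Verification (commands to run after the change):
! show ip vrf interfaces
! show ip route vrf ISP1
! show ip route vrf ISP2
! show ip route vrf ISP3
```

The leaked routes are plain routing with no filtering: VLAN 10 hosts can reach anything in VLAN 20 once the route exists. If inter-VLAN traffic must be limited to particular services, an ACL applied with ip access-group on the SVIs is still needed on top of the VRF separation. Leak both directions of every pair, as above, or replies will be routed asymmetrically through a firewall.
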

royalblues Mon, 02/25/2008 - 03:05

In that case move the route-map to the switch


! ACL for VLAN 10: "deny" in a route-map ACL means "do not policy-route this"
! (the packet follows the normal routing table, i.e. inter-VLAN routing on the
! switch); it does not drop the traffic
access-list 101 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
! other access-list entries denying the services/subnets that are needed from this subnet
access-list 101 permit ip 10.10.10.0 0.0.0.255 any


! ACL for VLAN 20, same structure
access-list 102 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
! other access-list entries
access-list 102 permit ip 20.20.20.0 0.0.0.255 any


You can fine tune the access-list to allow just www, 443 etc


route-map ISP1 permit 10
 match ip address 101
 set ip next-hop 10.10.10.254


route-map ISP2 permit 10
 match ip address 102
 set ip next-hop 20.20.20.254


interface Vlan10
 ip policy route-map ISP1


interface Vlan20
 ip policy route-map ISP2


This can easily become dirty as you have more subnets at the site. MVRF is a good solution, but again you need to play around with route-targets/import maps to have access between the VLANs.


HTH

Narayan
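
Added example (not Narayan's configuration), extending the PBR approach above to the three VLANs in the original question, using named ACLs. VLAN 30 addressing (30.30.30.0/24, firewall 30.30.30.254) is assumed. It also makes the point that a route-map ACL only selects a next hop and never filters: a denied or non-matching packet is simply forwarded by the normal routing table, so restricting inter-VLAN traffic to particular services needs a separate ACL applied with ip access-group on the SVI (the VLAN10-IN ACL below is an assumed example of that).

```cisco
! Added example: per-SVI PBR for three VLANs. VLAN 30 and its firewall are assumed.
! Pattern for each route-map ACL: deny every *other* internal subnet first
! (deny = "do not policy-route", so connected subnets get normal inter-VLAN
! routing on the switch), then permit the rest so it is steered to that
! VLAN's own firewall. With n VLANs each ACL carries n-1 deny lines.

ip access-list extended PBR-VLAN10
 deny   ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended PBR-VLAN20
 deny   ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
 permit ip 20.20.20.0 0.0.0.255 any

ip access-list extended PBR-VLAN30
 deny   ip 30.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 30.30.30.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 30.30.30.0 0.0.0.255 any

route-map ISP1 permit 10
 match ip address PBR-VLAN10
 set ip next-hop 10.10.10.254
route-map ISP2 permit 10
 match ip address PBR-VLAN20
 set ip next-hop 20.20.20.254
route-map ISP3 permit 10
 match ip address PBR-VLAN30
 set ip next-hop 30.30.30.254

! The route-map ACLs above never drop anything. To actually limit what VLAN 10
! may reach in the other VLANs, filter inbound on the SVI with a separate ACL.
! Assumed policy: HTTP/HTTPS to VLAN 20, HTTPS to VLAN 30, nothing else
! inter-VLAN; internet-bound traffic is still permitted and handled by PBR.
ip access-list extended VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 80
 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 443
 permit tcp 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255 eq 443
 deny   ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any

! Inbound ACL is evaluated before PBR on the same SVI.
interface Vlan10
 ip access-group VLAN10-IN in
 ip policy route-map ISP1
interface Vlan20
 ip policy route-map ISP2
interface Vlan30
 ip policy route-map ISP3

! Verification after the change:
! show route-map
! show ip policy
! show ip access-lists PBR-VLAN10
```

The SVI ACLs are stateless, so if VLAN 20 and VLAN 30 get inbound ACLs of their own they must also permit the replies back to VLAN 10. Between the n-1 deny lines per route-map ACL and the per-direction filtering ACLs, the configuration grows with every subnet added, which is the "dirty" growth Narayan warns about and the reason a separate routing table per VLAN (VRF-lite) can be cleaner at scale.
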



mikedelafield Mon, 02/25/2008 - 03:19

Although the ip next-hop is set to 10.10.10.254 I assume for inter-vlan routing the L3 switch would know to use the directly connected path in order to connect to 20.20.20.0/24? (unless otherwise restricted by an ACL)

royalblues Mon, 02/25/2008 - 03:22

Yes.


That is precisely what the deny statement in the access-list is doing.


Narayan
