Multiple routing tables

mikedelafield
Level 1

Hi.

We have a 4507R L3 switch and 3 separate VLANs which require 3 separate ISP connections.

Each vlan has the L3 switch as the default gateway but then must route out of its own ISP connection for all external access.

However the 3 vlans also need interconnectivity for various services.

Is there a way to give each VLAN its own routing table to satisfy this requirement?

The alternative we have in place currently is that each VLAN default gateways to its firewall which then routes back for any internal connections.

Any help would be great

8 Replies

Jon Marshall
Hall of Fame

Hi Mike

VRF-lite which is supported on the 4500 switch would allow you to have per vlan routing tables if that is what you want. In effect you have multiple separate routing instances and you assign interfaces to those routing instances.

Please see the following link for more details and feel free to come back with any more questions.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html

HTH

Jon

If that's the most elegant solution, it seems a little messy, but for the requirements we have for the separate ISP connections I cannot think of another way?

Have you set up something similar before? Does this sound like a valid solution?

royalblues
Level 10

Mike

I assume the connection is something like this

4507 -- FW--Router---Internet links

On the firewall make sure each vlan is NATted to a separate public block.

Then use PBR on the router and forward the traffic to the required ISP, e.g.

VLAN 10 - 10.10.10.0/24

VLAN 20 - 20.20.20.0/24

On the switch:

int vlan 10
 ip address 10.10.10.1 255.255.255.0
 no shut
int vlan 20
 ip address 20.20.20.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 <next-hop: firewall inside address, not given in the post>

Assuming you have a PIX/ASA:

global (ISP1) 1 1.1.1.1 netmask 255.255.255.255
global (ISP2) 2 2.2.2.2 netmask 255.255.255.255
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (inside) 2 20.20.20.0 255.255.255.0 0 0

You also need to configure a proper access-list.

On the router:

access-list 101 permit ip 2.2.2.0 0.0.0.255 any
route-map internet permit 10
 match ip address 101
 set ip next-hop <ISP2 next-hop address, not given in the post>
int fa 0/0
 description inside
 ip policy route-map internet
ip route 0.0.0.0 0.0.0.0 <ISP1 next-hop address, not given in the post>

HTH

Narayan

Sorry, I should have mentioned the 2 ISPs connect out through 2 separate ASA firewalls.

VLAN 10
SUBNET 10.10.10.0/24
L3 SWITCH 10.10.10.1
FIREWALL 10.10.10.254

VLAN 20
SUBNET 20.20.20.0/24
L3 SWITCH 20.20.20.1
FIREWALL 20.20.20.254

The router on the outside of the firewall is managed by the ISP.

What I think we require is separate routing for each vlan to its default firewall, but also, in addition, intervlan routing.

Thanks.

Mike

I guess elegance is in the eye of the beholder :).

If you have separate routing tables per vlan interface then each routing table could have its own default gateway, so each could point to its relevant firewall.

You could also allow routing between the 2 routing tables. I have used VRF-lite before, not for your exact requirement but to segregate our test network from our production network, and it works well.

You could modify Narayan's example and use PBR on the 4500 switch if you want but this does not give you separate routing tables per vlan. But you may not need this.

Jon
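For reference, here is what the VRF-lite design Jon describes looks like as IOS configuration on the 4507R. This is an added example, not configuration posted in this thread; the VRF names ISP1/ISP2 and the RD values are made up, and the static routes that point into the other VRF's SVI (route leaking without MPLS/BGP) are assumed to be supported on this platform and software release. Both firewalls are bypassed for inter-VLAN traffic, so any restriction on that traffic must live in an ACL on the SVIs.

```cisco
! Added example (not from this thread). One routing table per VLAN using VRF-lite.
! VRF names and RD values are assumptions.
ip vrf ISP1
 rd 65000:10
!
ip vrf ISP2
 rd 65000:20
!
! Put each SVI into its VRF. "ip vrf forwarding" removes the IP address from
! the interface, so the address must be applied (again) after it.
interface Vlan10
 ip vrf forwarding ISP1
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip vrf forwarding ISP2
 ip address 20.20.20.1 255.255.255.0
!
! Each table gets its own default route towards its own ASA (addresses from the thread).
ip route vrf ISP1 0.0.0.0 0.0.0.0 10.10.10.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 20.20.20.254
!
! Inter-VLAN reachability: a static route in each VRF that points at the SVI living
! in the other VRF (assumed supported here). The switch ARPs for the destination host
! directly on that SVI. This path bypasses both firewalls, so filter it on the SVI.
ip route vrf ISP1 20.20.20.0 255.255.255.0 Vlan20
ip route vrf ISP2 10.10.10.0 255.255.255.0 Vlan10
!
! Optional: only allow HTTPS from VLAN 10 into VLAN 20; everything else from
! VLAN 10 still follows the VRF ISP1 default route to its own firewall.
ip access-list extended VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip  10.10.10.0 0.0.0.255 any
!
interface Vlan10
 ip access-group VLAN10-IN in
!
! Verification (run from enable mode):
! show ip route vrf ISP1
! show ip route vrf ISP2
! ping vrf ISP1 20.20.20.10
```

With this in place a host in VLAN 10 sees only the ISP1 table: the leaked 20.20.20.0/24 route wins over the default for inter-VLAN destinations, and everything else leaves via 10.10.10.254. The same holds symmetrically for VLAN 20.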

In that case move the route-map to the switch:

access-list 101 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
! other access-list entries denying the services/subnets that are needed from this subnet
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
! other access-list entries
access-list 102 permit ip 20.20.20.0 0.0.0.255 any

You can fine tune the access-list to allow just www, 443 etc.

route-map ISP1 permit 10
 match ip address 101
 set ip next-hop 10.10.10.254
route-map ISP2 permit 10
 match ip address 102
 set ip next-hop 20.20.20.254
int vlan 10
 ip policy route-map ISP1
int vlan 20
 ip policy route-map ISP2

This can easily become dirty as you have more subnets at the site. MVRF is a good solution, but again you need to play around with route-targets/import maps to have access between the vlans.

HTH

Narayan

Although the ip next-hop is set to 10.10.10.254 I assume for inter-vlan routing the L3 switch would know to use the directly connected path in order to connect to 20.20.20.0/24? (unless otherwise restricted by an ACL)

Yes.

That is precisely what the deny statement in the access-list is doing.

Narayan
