02-25-2008 02:08 AM - edited 03-05-2019 09:20 PM
Hi.
We have a 4507R L3 switch and 3 separate VLANs which require 3 separate ISP connections.
Each vlan has the L3 switch as the default gateway but then must route out of its own ISP connection for all external access.
However the 3 vlans also need interconnectivity for various services.
Is there a way to give each VLAN its own routing table to satisfy this requirement?
The alternative we have in place currently is that each VLAN default gateways to its firewall which then routes back for any internal connections.
Any help would be great
02-25-2008 02:20 AM
Hi Mike
VRF-lite, which is supported on the 4500 switch, would allow you to have per-VLAN routing tables if that is what you want. In effect you have multiple separate routing instances and you assign interfaces to those routing instances.
Please see the following link for more details and feel free to come back with any more questions.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
HTH
Jon
02-25-2008 02:31 AM
If that's the most elegant solution, it seems a little messy, but for the requirements we have for the separate ISP connections I cannot think of another way?
Have you set up something similar before? Does this sound like a valid solution?
02-25-2008 02:33 AM
Mike
I assume the connection is something like this
4507 -- FW--Router---Internet links
On the firewall make sure each VLAN is NATed to a separate public block.
Then use PBR on the router and forward the traffic to the required ISP
eg
VLAN 10 - 10.10.10.0/24
VLAN 20 - 20.20.20.0/24
On the switch
int vlan 10
ip address 10.10.10.1 255.255.255.0
no shut
int vlan 20
ip address 20.20.20.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0
Assuming you have a PIX/ASA
global (ISP1) 1 1.1.1.1 netmask 255.255.255.255
global (ISP2) 2 2.2.2.2 netmask 255.255.255.255
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (inside) 2 20.20.20.0 255.255.255.0 0 0
You also need to configure a proper access-list
on the router
access-list 101 permit ip 2.2.2.0 0.0.0.255 any
route-map internet permit 10
match ip address 101
set ip next-hop
int fa 0/0
description inside
ip policy route-map internet
ip route 0.0.0.0 0.0.0.0
HTH
Narayan
02-25-2008 02:56 AM
Sorry, I should have mentioned the 2 ISPs connect out through 2 separate ASA firewalls.
VLAN 10
SUBNET 10.10.10.0/24
L3 SWITCH 10.10.10.1
FIREWALL 10.10.10.254
VLAN 20
SUBNET 20.20.20.0/24
L3 SWITCH 20.20.20.1
FIREWALL 20.20.20.254
The router on the outside of the firewall is managed by the ISP.
What I think we require is separate routing for each VLAN to its default firewall, but also, in addition, inter-VLAN routing.
Thanks.
02-25-2008 03:02 AM
Mike
I guess elegance is in the eye of the beholder :).
If you have separate routing tables per VLAN interface then each routing table could have its own default gateway, so each could point to its relevant firewall.
You could also allow routing between the 2 routing tables. I have used VRF-lite before, not for your exact requirement but to segregate out test network from our production network and it works well.
You could modify Narayan's example and use PBR on the 4500 switch if you want but this does not give you separate routing tables per vlan. But you may not need this.
Jon
02-25-2008 03:05 AM
In that case move the route-map to the switch
access-list 101 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
other access-list entries.. denying the services/subnets that are needed from this subnet
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
other access-list entries
access-list 102 permit ip 20.20.20.0 0.0.0.255 any
You can fine tune the access-list to allow just www, 443 etc
route-map ISP1 permit 10
match ip address 101
set ip next-hop 10.10.10.254
route-map ISP2 permit 10
match ip address 102
set ip next-hop 20.20.20.254
int vlan 10
ip policy route-map ISP1
int vlan 20
ip policy route-map ISP2
This can easily become dirty as you have more subnets at the site. MVRF is a good solution but again you need to play around with route-targets/import maps to have access between the VLANs.
HTH
Narayan
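For readers who want to see what Jon's VRF-lite suggestion and Narayan's route-target remark look like on the box, here is an added configuration sketch; it is not from the original thread or from Cisco's documentation. It assumes Mike's addressing from above (VLAN 10 / 10.10.10.0/24 with the ASA at .254, VLAN 20 / 20.20.20.0/24 with the ASA at .254), a private AS number 65000 and VRF names ISP1/ISP2, all of which are constructed for the example. Each VRF keeps its own default route toward its own firewall, and only the connected VLAN prefixes are exchanged between the VRFs by route-target import/export, so a VLAN 20 host reaches VLAN 10 directly on the switch but never inherits VLAN 10's default route (and therefore cannot leak out through the wrong ISP).

```ios
! --- One VRF per VLAN; the RD/RT values are constructed for this example ---
ip vrf ISP1
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:20
!
ip vrf ISP2
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:10
!
! --- Bind each SVI to its VRF (the interface keeps its existing address) ---
interface Vlan10
 ip vrf forwarding ISP1
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 ip vrf forwarding ISP2
 ip address 20.20.20.1 255.255.255.0
 no shutdown
!
! --- Per-VRF default route toward that VLAN's own ASA ---
ip route vrf ISP1 0.0.0.0 0.0.0.0 10.10.10.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 20.20.20.254
!
! --- BGP with no neighbors: used only to leak the connected prefixes between
! --- the VRFs via the route-targets above. Static (default) routes are not
! --- redistributed, so each VRF keeps only its own exit.
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf ISP1
  redistribute connected
 exit-address-family
 address-family ipv4 vrf ISP2
  redistribute connected
 exit-address-family
!
! --- Verification (show commands, run after the change) ---
! show ip route vrf ISP1     -> 0.0.0.0/0 via 10.10.10.254, 20.20.20.0/24 via BGP (leaked)
! show ip route vrf ISP2     -> 0.0.0.0/0 via 20.20.20.254, 10.10.10.0/24 via BGP (leaked)
! ping vrf ISP1 20.20.20.1   -> inter-VLAN reachability without touching a firewall
```

Two points worth checking on a real deployment: the switch must be running an IOS feature set that includes VRF-lite and BGP, and if only some services should cross between VLANs, that restriction is still a job for an ACL on the SVIs (or for the route-target/import-map granularity Narayan mentions), since leaking the connected prefixes opens full reachability between the two subnets.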
02-25-2008 03:19 AM
Although the ip next-hop is set to 10.10.10.254 I assume for inter-vlan routing the L3 switch would know to use the directly connected path in order to connect to 20.20.20.0/24? (unless otherwise restricted by an ACL)
02-25-2008 03:22 AM
Yes, that is precisely what the deny statement in the access-list is doing.
Narayan