05-01-2008 07:50 AM - edited 03-05-2019 10:43 PM
I currently have a Cisco 4506 doing inter-VLAN routing for about 30 networks. I have a default route pointing towards an ASA5520, and a default route to our edge router then to ISP1. I have a network on my LAN that needs to be routed out another ISP, ISP2. It is a VLAN for about 50 PCs that the public use, and I need them to be routed out ISP2 for content filtering services. Ideally I would like for them to be going through our ASA5520 but apparently an ASA can only have one default route. I've also looked at having a PIX501 but I couldn't get the two networks to communicate with each other. What if I was to set up a route map saying 10.0.0.0 /16 go to ASA/ISP1 and 192.168.250.0 /24 go to PIX/ISP2, would that work? Would the 10 network and the 192 network still be able to communicate with each other but still have separate internet connections?
05-01-2008 07:57 AM
A route map would work just fine here. You would set each network's next hop to be different, so each network would still be able to talk to one another. If you don't want them to talk, take a look at vrf-lite.
05-01-2008 08:07 AM
OK, cool. Do I leave the default route on my 4506 pointing to FW/ISP1 still? Or do I just take it out and let the route map do the routing to the FWs/ISPs?
05-01-2008 08:11 AM
I would leave it in. You can create a route map that just sends the 192 network to PIX1 and everything else will use the default route to ASA1.
05-01-2008 08:12 AM
Cow:
One approach is to do the following:
Set up PBR for the 192.168.250.0 subnet for Internet-bound traffic (let's call that VLAN 250).
The route map for the PBR will exclude (deny) traffic between VLAN 250 and all the other VLANs (so that the traffic between them doesn't get policy-routed), and then permit traffic from VLAN 250 to anywhere (policy-route Internet traffic).
access-list 100 deny ip <VLAN 250 subnet> <wildcard> <other VLAN subnet> <wildcard>
access-list 100 deny ip <VLAN 250 subnet> <wildcard> <other VLAN subnet> <wildcard>
access-list 100 permit ip <VLAN 250 subnet> <wildcard> any
route-map INTERNET permit 10
 match ip address 100
 set ip next-hop <PIX inside address>
interface vlan 250
 ip policy route-map INTERNET
HTH
Victor
05-01-2008 08:12 AM
Clark:
Sorry for the cross post.
Victor
05-01-2008 08:16 AM
How about this. I guess I could just remove ACL1 and the COWETA route map and just leave my default route for that network. Keep ACL2 and the CPLS route map to route that traffic to PIX/ISP2.
192.168.250.1 4506 SVI
192.168.250.2 PIX Inside IP
192.168.100.0 /24 network that needs to be routed to PIX/ISP2
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 2 permit 192.168.100.0 0.0.0.255
route-map COWETA permit 10
 match ip address 1
 set ip next-hop 10.0.0.75
route-map CPLS permit 20
 match ip address 2
 set ip next-hop 192.168.250.2
interface FastEthernet5/45
 ip policy route-map COWETA
interface vlan 100
 ip policy route-map CPLS
05-01-2008 08:23 AM
That's how I would do it. I like to keep that default route for new networks, troubleshooting, etc.
05-01-2008 08:24 AM
You only need a route map for VLAN 250.
Keep the default route.
Policy routing is performed before normal destination-based routing in the order of operations, so if the traffic does not match what's on the PBR filter, then it will be routed normally.
That's why I recommended you deny the inter-VLAN traffic, except for VLAN 250 to "any". You will need an extended ACL for that, as shown above.
HTH
Victor
05-01-2008 08:27 AM
Cow:
I think we're cross-talking. You aren't addressing your messages, so I'm not sure who you're talking to. :-)
Clark is more than capable of helping you. So, I'll just drop out, unless you are talking to me.
Victor
05-01-2008 09:13 AM
my bad lamav.
so...
ip route 0.0.0.0 0.0.0.0 (ISP1)
then...
access-list 1 permit 192.168.250.0 0.0.0.255
route-map CPLS permit 10
 match ip address 1
 set ip next-hop 192.168.250.2
interface vlan 250
 ip policy route-map CPLS
192.168.250.0 /24 subnet/vlan for hosts
192.168.250.1 = SVI on 4506
192.168.250.2 = PIX inside
05-01-2008 09:47 AM
C:
No problem.
It's OK, but take note of what I said in my last post.
Policy routing is performed before normal destination-based routing in the order of operations, so if the traffic does not match what's on the PBR filter, then it will be routed normally.
That's why I recommended you deny the inter-VLAN traffic, except for VLAN 250 to "any". You will need an extended ACL for that, as shown above.
See the example I gave you.
If you leave the standard ACL with the permit, you will policy-route ALL traffic sourced from that subnet destined to anywhere, INCLUDING the other VLANs. I know you don't want that. You want normal inter-VLAN routing.
HTH
Victor
05-01-2008 09:53 AM
GREAT!
So... this won't affect my inter-VLAN routing?
(10.0.0.0 /16 is my network summarized)
access-list 100 deny ip 10.0.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
route-map CPLS permit 10
 match ip address 100
 set ip next-hop 192.168.250.2
interface vlan 250
 ip policy route-map CPLS
05-01-2008 10:05 AM
Slight change in order for consistency...
access-list 100 deny ip 192.168.250.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
HTH
Victor
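The point Victor makes in this thread (a standard ACL permit policy-routes everything from VLAN 250, including inter-VLAN traffic, while the extended ACL with the leading deny lets that traffic fall through to the normal routing table) can be checked without a switch. The following Python simulation is an added example, not something posted in the thread or taken from Cisco; it models IOS wildcard-mask matching, first-match ACL lookup and route-map sequence evaluation. The two ACLs mirror the ones discussed above; the host addresses (192.168.250.10, 10.0.5.20, 203.0.113.5) are constructed for the example.

```python
"""Simulate how a Cisco IOS route map applied with 'ip policy route-map'
decides whether a packet is policy-routed to a next hop or falls through
to normal destination-based routing.

Constructed example: the ACL contents mirror the two ACLs discussed in the
thread (standard ACL 1 vs. extended ACL 100); the sample hosts are made up.
"""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco 'any' as network/wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard comparison: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: tuple             # (network, wildcard)
    dst: tuple = ANY       # a standard ACL only looks at the source


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match implicitly denies."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


def policy_route(route_map, src: str, dst: str) -> str:
    """Walk route-map sequences in order. A packet the sequence's ACL permits
    is sent to that sequence's next hop. An ACL deny (or no match) means the
    sequence does not apply; if no sequence applies, the packet is routed by
    the normal routing table (the default route in this thread)."""
    for seq in route_map:
        if acl_lookup(seq["acl"], src, dst) == "permit":
            return seq["next_hop"]
    return "normal-routing"


def standard_acl_route_map():
    """First attempt from the thread: 'access-list 1 permit 192.168.250.0 0.0.0.255'."""
    acl_1 = [Ace("permit", ("192.168.250.0", "0.0.0.255"))]
    return [{"seq": 10, "acl": acl_1, "next_hop": "192.168.250.2"}]


def extended_acl_route_map():
    """Final version: deny VLAN 250 -> 10.0.0.0/16 first, then permit VLAN 250 -> any."""
    acl_100 = [
        Ace("deny", ("192.168.250.0", "0.0.0.255"), ("10.0.0.0", "0.0.255.255")),
        Ace("permit", ("192.168.250.0", "0.0.0.255"), ANY),
    ]
    return [{"seq": 10, "acl": acl_100, "next_hop": "192.168.250.2"}]


if __name__ == "__main__":
    host = "192.168.250.10"          # constructed public PC on VLAN 250
    lan = "10.0.5.20"                # constructed server on the 10.0.0.0/16 LAN
    internet = "203.0.113.5"         # constructed Internet destination
    for name, rm in (("standard ACL 1", standard_acl_route_map()),
                     ("extended ACL 100", extended_acl_route_map())):
        print(f"{name}: {host}->{lan} = {policy_route(rm, host, lan)}")
        print(f"{name}: {host}->{internet} = {policy_route(rm, host, internet)}")
```

Running it shows the standard ACL sending the VLAN 250 to 10.0.5.20 packet to 192.168.250.2 (the PIX), whereas the extended ACL returns it to normal routing and only the Internet-bound packet is handed to the PIX. The deny entry must come before the permit, because the first matching entry decides.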
05-01-2008 10:10 AM
Vic, if this works I'd buy you a beer. I've been working on this for two weeks now. I just didn't know if the PBR would work because of the PIX, but I was thinking about it wrong. This should straighten everything out now. I'll let you know if it works.