Routing Question on 6500 Switch

Unanswered Question
Dec 3rd, 2008


Please find the attached file for our current topology and the future topology.

According to the current topology, there is a default route on the BB switch to the inside interface of the firewall.

ip route

We will add a new firewall (ASA2) on another internet connection from different ISP.

Our customer requests that the subnet 10.10.100.x must connect to the internet using ASA1 and the subnet 10.10.200.x must connect to the internet through ASA2.

How can I configure the BB switch for this scenario (I mean routing on BB)?

Waiting for your replies.


Jon Marshall Wed, 12/03/2008 - 08:47


I can't read your .vsd so I may be misunderstanding, but it sounds like you need policy routing, e.g.

vlan 10 = 10.10.100.x
vlan 20 = 10.10.200.x

ASA2 internal interface -

access-list 101 permit ip any
access-list 102 permit ip any

route-map INTERNET permit 10
 match ip address 101
 set ip next-hop

route-map INTERNET permit 20
 match ip address 102
 set ip next-hop

int vlan 10
 ip policy route-map INTERNET

int vlan 20
 ip policy route-map INTERNET

NOTE - the above will do what you want for Internet traffic but not for routing internally. You need to modify the access-lists to exclude inter-vlan internal routing, i.e. you don't want traffic from 10.10.100.x going to 10.10.200.x via the ASA1 device. So either

1) explicitly add in your internal vlans to the access-list with deny statements


2) remove the default-route from your BB switch and then instead of "set ip next-hop" use "set ip default next-hop", which means the routing table is checked first before PBR. Because your BB switch should have routes for all internal networks these would be used first, but all external networks would not be in the routing table and so would use the PBR.

The above would only work if the default-route is not needed for anything else, i.e. other vlans routing out to the Internet.


lamav Wed, 12/03/2008 - 09:00


You will need to configure policy-based routing (PBR). Typically, forwarding decisions are made by L3 engines based on the destination layer 3 address in the datagram/packet. With PBR, a forwarding decision is based on the source L3 address.

What you do is define a policy and then apply it to a specific interface. When a packet arrives on that interface, if the criteria set forth in the policy match, the packet will be source/policy routed.

Here is a link that will show you how to configure it.
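The following is an added simulation, not Cisco code and not part of either reply above: it models the forwarding decision that Jon's route-map and lamav's description rely on (an ACL matched on the ingress VLAN, then "set ip next-hop" versus "set ip default next-hop", with the routing table as the fallback) so that the inter-vlan pitfall Jon warns about, and both of his fixes, can be seen on concrete packets. The subnets are the ones from the question; the next-hop labels ASA1/ASA2, the VLAN names and the 203.0.113.9 test destination are constructed for the example.

```python
"""Toy model of policy-based routing (PBR) on the BB switch.

Not IOS code: it reproduces the decision order the thread describes so the
'set ip next-hop' vs 'set ip default next-hop' difference can be exercised.
Addresses other than the two subnets in the question are constructed.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
VLAN10 = Net("10.10.100.0/24")    # from the question
VLAN20 = Net("10.10.200.0/24")    # from the question
ASA1 = "ASA1"                     # hypothetical label for ASA1's inside interface
ASA2 = "ASA2"                     # hypothetical label for ASA2's inside interface


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    src: Net
    dst: Net


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    acl: list            # the 'match ip address' ACL
    next_hop: str        # the 'set ip [default] next-hop' target
    default_only: bool   # True models 'set ip default next-hop'


def lookup(table, dst, explicit_only=False):
    """Longest-prefix match; with explicit_only the 0.0.0.0/0 default is ignored."""
    best = None
    for net, via in table:
        if explicit_only and net.prefixlen == 0:
            continue
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def forward(table, route_map, src, dst):
    """Return the next hop the switch would use for a packet src -> dst."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq in route_map:
        if not acl_permits(seq.acl, src, dst):
            continue
        if seq.default_only:
            # 'set ip default next-hop': an explicit route wins, the default route does not count
            via = lookup(table, dst, explicit_only=True)
            if via is not None:
                return via
        return seq.next_hop
    return lookup(table, dst)       # no PBR match: normal destination-based routing


def routing_table(with_default_route):
    table = [(VLAN10, "vlan10"), (VLAN20, "vlan20")]   # connected SVIs
    if with_default_route:
        table.append((ANY, ASA1))                        # the existing default route to ASA1
    return table


def policy(variant):
    """Three ways to write route-map INTERNET; 'naive' is the pitfall in the thread."""
    if variant == "naive":
        acl101 = [Ace("permit", VLAN10, ANY)]
        acl102 = [Ace("permit", VLAN20, ANY)]
        default_only = False
    elif variant == "deny-internal":        # option 1: deny the internal vlans first
        acl101 = [Ace("deny", VLAN10, VLAN20), Ace("permit", VLAN10, ANY)]
        acl102 = [Ace("deny", VLAN20, VLAN10), Ace("permit", VLAN20, ANY)]
        default_only = False
    elif variant == "default-next-hop":     # option 2: 'set ip default next-hop'
        acl101 = [Ace("permit", VLAN10, ANY)]
        acl102 = [Ace("permit", VLAN20, ANY)]
        default_only = True
    else:
        raise ValueError(variant)
    return [RouteMapSeq(acl101, ASA1, default_only), RouteMapSeq(acl102, ASA2, default_only)]


def decide(variant, src, dst):
    # option 2 only works once the default route is removed from the BB switch
    table = routing_table(with_default_route=(variant != "default-next-hop"))
    return forward(table, policy(variant), src, dst)


if __name__ == "__main__":
    flows = (("10.10.100.5", "203.0.113.9"), ("10.10.200.5", "203.0.113.9"),
             ("10.10.100.5", "10.10.200.5"))
    for variant in ("naive", "deny-internal", "default-next-hop"):
        for src, dst in flows:
            print(f"{variant:17} {src} -> {dst}: via {decide(variant, src, dst)}")
```

Running it shows the "naive" policy sending 10.10.100.5 -> 10.10.200.5 to ASA1, while both fixes return the connected vlan20 route for that flow and still send Internet-bound traffic out the intended ASA. The "default-next-hop" variant is modelled with no 0.0.0.0/0 entry, which is the condition Jon attaches to option 2.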



lamav Wed, 12/03/2008 - 09:02


Sorry for the cross-post.


Jon hit the nail on the head. I gave you a link, but he actually did the work for you. What a pal!

You're a better man than me, Charlie Brown. :-)


Jon Marshall Wed, 12/03/2008 - 09:39


Long time..

Don't see you around as much as we used to. Hope everything's going well.


lamav Wed, 12/03/2008 - 16:56

Hey, Jon:

I hear ya, buddy. All is OK, thank God. Just very busy at work. Don't really have too much time to participate like I used to. I miss it, actually. I'm glad you're still active. I look forward to reading your posts.

Got another job yet?


Jon Marshall Thu, 12/04/2008 - 03:35

"Got another job yet?"

Nope still got a few things to sort out on the family front.

Glad to hear you're busy but it isn't the same without you, no one to insult me and no one for me to take the mick out of :-)


lamav Thu, 12/04/2008 - 09:27

Insult you??? LOLOL Stop that! I have never insulted you. Maybe corrected you a few times, but never insulted ya. ;-)

