Routing Question on 6500 Switch

moahmed1981
Level 1

Hi

Please find the attached file for our current topology and the future topology.

According to the current topology, there is a default route on the BB switch to the inside interface of the firewall.

ip route 0.0.0.0 0.0.0.0 172.16.1.2

We will add a new firewall (ASA2) on another internet connection from a different ISP.

Our customer requests that the subnet 10.10.100.x must connect to the internet using ASA1 and subnet 10.10.200.x must connect to the internet through ASA2.

How can I configure the BB switch for this scenario (I mean routing on BB)?

Waiting for your replies.

Regards

7 Replies

Jon Marshall
Hall of Fame

Mohamed

I can't read your .vsd so I may be misunderstanding but it sounds like you need policy routing eg.

vlan 10 = 10.10.100.x
vlan 20 = 10.10.200.x

ASA2 internal interface - 172.16.2.2

access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 102 permit ip 10.10.200.0 0.0.0.255 any

route-map INTERNET permit 10
 match ip address 101
 set ip next-hop 172.16.1.2

route-map INTERNET permit 20
 match ip address 102
 set ip next-hop 172.16.2.2

int vlan 10
 ip policy route-map INTERNET

int vlan 20
 ip policy route-map INTERNET

NOTE - the above will do what you want for Internet traffic but not for routing internally. You need to modify the access-lists to exclude vlan internal routing ie. you don't want traffic from 10.10.100.x going to 10.10.200.x going via the ASA1 device. So either

1) explicitly add in your internal vlans to the access-list with deny statements

OR

2) remove the default-route from your BB switch and then instead of "set ip next-hop" use "set ip default next-hop" which means the routing table is checked first before PBR. Because your BB switch should have routes for all internal networks these would be used first but all external networks would not be in the routing table and so would use the PBR.

The above would only work if the default-route is not needed for anything else ie. other vlans routing out the Internet.

Jon
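A complete version of option 1 above, added here as an example and not taken from the original thread. It assumes the BB switch reaches ASA2's inside interface through a new SVI on VLAN 30 addressed 172.16.2.1/24 (the VLAN number and switch-side address are assumptions; only 172.16.2.2 comes from the thread), uses a separate access-list for each source VLAN so that route-map sequence 20 actually has a list to match, and puts the deny entries for the internal subnets first so VLAN 10 to VLAN 20 traffic falls through to normal destination routing on the switch instead of being handed to a firewall. The default route stays in place for any VLAN that is not policy-routed.

```cisco
! Added example config, not the poster's own. Assumed: VLAN 30 is the
! new transit link to ASA2 inside (172.16.2.2); switch side is 172.16.2.1.
interface Vlan30
 ip address 172.16.2.1 255.255.255.0
 no shutdown
!
! Existing default route towards ASA1 stays for non-policy-routed VLANs.
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
! ACL 101 - sources in VLAN 10 that should exit via ASA1.
! Deny internal destinations first so they never match the route-map
! sequence; add one deny line per internal subnet you have.
access-list 101 deny   ip 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 101 deny   ip 10.10.100.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 deny   ip 10.10.100.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
!
! ACL 102 - sources in VLAN 20 that should exit via ASA2.
access-list 102 deny   ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 deny   ip 10.10.200.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny   ip 10.10.200.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 102 permit ip 10.10.200.0 0.0.0.255 any
!
! A packet denied by the ACL does not match that sequence and moves on;
! since ACL 102 only permits VLAN 20 sources, denied VLAN 10 traffic
! falls off the end of the route-map and is routed normally.
route-map INTERNET permit 10
 match ip address 101
 set ip next-hop 172.16.1.2
!
route-map INTERNET permit 20
 match ip address 102
 set ip next-hop 172.16.2.2
!
interface Vlan10
 ip policy route-map INTERNET
!
interface Vlan20
 ip policy route-map INTERNET
!
! Checks after applying (enable mode):
! show ip policy            - confirms which SVIs carry the route-map
! show route-map INTERNET   - shows the sequences and their match/set lines
! show ip access-lists 101  - shows the ACL as parsed, deny lines first
```

For option 2 you would instead remove the static default route, drop the deny lines, and change each `set ip next-hop` to `set ip default next-hop`, so the switch's own routing table is consulted first and only destinations with no route (the Internet) are policy-routed. On a 6500 the PBR forwarding is done in hardware, so the packet counters in `show route-map` may not move for the bulk of the traffic; a traceroute from a host in each VLAN to an Internet address and to the other VLAN is the dependable way to confirm that the first hop is the intended ASA for outbound traffic and the switch itself for inter-VLAN traffic.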

lamav
Level 8

Mo:

You will need to configure policy-based-routing (PBR). Typically, forwarding decisions are made by L3 engines based on the destination layer 3 address in the datagram/packet. With PBR, a forwarding decision is based on the source L3 address.

What you do is define a policy and then apply it to a specific interface. When a packet arrives on that interface, if the criteria set forth in the policy match, the packet will be source/policy routed.

Here is a link that will show you how to configure it.

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

HTH

Victor

Jon:

Sorry for the cross-post.

Mo:

Jon hit the nail on the head. I gave you a link, but he actually did the work for you. What a pal!

You're a better man than me, Charlie Brown. :-)

Victor

Victor

Long time..

Don't see you around as much as we used to. Hope everything's going well.

Jon

Hey, Jon:

I hear ya, buddy. All is OK, thank God. Just very busy at work. Don't really have too much time to participate like I used to. I miss it, actually. I'm glad you're still active. I look forward to reading your posts.

Got another job yet?

Victor

"Got another job yet?"

Nope still got a few things to sort out on the family front.

Glad to hear you're busy but it isn't the same without you, no one to insult me and no one for me to take the mick out of :-)

Jon

Insult you??? LOLOL Stop that! I have never insulted you. Maybe corrected you a few times, but never insulted ya. ;-)
