12-03-2008 08:38 AM - edited 03-06-2019 02:47 AM
Hi
Please find the attached file for our current topology and the future topology.
According to the current topology, there is a default route on the BB switch to the inside interface of the firewall:
ip route 0.0.0.0 0.0.0.0 172.16.1.2
We will add a new firewall (ASA2) on another internet connection from a different ISP.
Our customer requests that the subnet 10.10.100.x must connect to the internet using ASA1 and subnet 10.10.200.x must connect to the internet through ASA2.
How can I configure the BB switch for this scenario (I mean routing on BB)?
Waiting for your replies.
Regards
12-03-2008 08:47 AM
Mohamed
I can't read your .vsd so I may be misunderstanding, but it sounds like you need policy routing, e.g.
vlan 10 = 10.10.100.x
vlan 20 = 10.10.200.x
ASA2 internal interface - 172.16.2.2
! ACL 101 selects vlan 10 sources, ACL 102 selects vlan 20 sources
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 102 permit ip 10.10.200.0 0.0.0.255 any
! sequence 10 sends ACL 101 matches to ASA1, sequence 20 sends ACL 102 matches to ASA2
route-map INTERNET permit 10
match ip address 101
set ip next-hop 172.16.1.2
route-map INTERNET permit 20
match ip address 102
set ip next-hop 172.16.2.2
! apply the policy on the ingress SVIs
int vlan 10
ip policy route-map INTERNET
int vlan 20
ip policy route-map INTERNET
NOTE - the above will do what you want for Internet traffic but not for routing internally. You need to modify the access-lists to exclude internal vlan routing, i.e. you don't want traffic from 10.10.100.x going to 10.10.200.x via the ASA1 device. So either
1) explicitly add in your internal vlans to the access-list with deny statements
OR
2) remove the default-route from your BB switch and then instead of "set ip next-hop" use "set ip default next-hop", which means the routing table is checked first before PBR. Because your BB switch should have routes for all internal networks these would be used first, but all external networks would not be in the routing table and so would use the PBR.
The above would only work if the default-route is not needed for anything else, i.e. other vlans routing out to the Internet.
Jon
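To make the difference between the two options concrete, here is an added Python model of the BB switch's forwarding decision (it is not Cisco code and not part of the thread): it evaluates the thread's ACLs and route-map sequences against a constructed routing table holding only the two connected VLANs, and contrasts "set ip next-hop" with "set ip default next-hop". The ACL entries, the extra deny lines for option 1 and the sample addresses are assumptions built from Jon's post.

```python
import ipaddress

ASA1, ASA2 = "172.16.1.2", "172.16.2.2"          # inside interfaces from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")
N100 = ipaddress.ip_network("10.10.100.0/24")    # vlan 10
N200 = ipaddress.ip_network("10.10.200.0/24")    # vlan 20
CONNECTED = {N100: "vlan10", N200: "vlan20"}     # constructed BB routing table (connected only)

# ACL entries as (action, source net, destination net); first match wins, implicit deny at end.
ACL101_ORIG = [("permit", N100, ANY)]            # ACL 101 / 102 as posted
ACL102_ORIG = [("permit", N200, ANY)]
# Option 1: deny the inter-VLAN traffic before the "permit ... any" line
ACL101_FIXED = [("deny", N100, N200), ("permit", N100, ANY)]
ACL102_FIXED = [("deny", N200, N100), ("permit", N200, ANY)]

def acl_permits(entries, src, dst):
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def route_map_next_hop(acl101, acl102, src, dst):
    """route-map INTERNET: sequence 10 -> ASA1, sequence 20 -> ASA2, otherwise no policy."""
    if acl_permits(acl101, src, dst):
        return ASA1
    if acl_permits(acl102, src, dst):
        return ASA2
    return None

def table_lookup(dst):
    """Routing lookup reduced to connected VLANs; None means only a default route could match."""
    return next((iface for net, iface in CONNECTED.items() if dst in net), None)

def forward(src, dst, acl101, acl102, mode, default_route):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    policy = route_map_next_hop(acl101, acl102, src, dst)
    if mode == "next-hop":                       # PBR is applied before the routing table
        return policy or table_lookup(dst) or default_route
    route = table_lookup(dst)                    # "default next-hop": a real route wins first
    return route or policy or default_route

def original(src, dst):   # ACLs as posted, default route to ASA1 still present
    return forward(src, dst, ACL101_ORIG, ACL102_ORIG, "next-hop", ASA1)

def option_1(src, dst):   # explicit deny statements for the internal VLANs
    return forward(src, dst, ACL101_FIXED, ACL102_FIXED, "next-hop", ASA1)

def option_2(src, dst):   # default route removed, "set ip default next-hop"
    return forward(src, dst, ACL101_ORIG, ACL102_ORIG, "default-next-hop", None)
```

With the posted ACLs, vlan 10 to vlan 20 traffic is handed to ASA1; both options return it to vlan 20, and option 2 leaves a third VLAN with no path to the Internet, which is the caveat in Jon's last sentence.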
12-03-2008 09:00 AM
Mo:
You will need to configure policy-based-routing (PBR). Typically, forwarding decisions are made by L3 engines based on the destination layer 3 address in the datagram/packet. With PBR, a forwarding decision is based on the source L3 address.
What you do is define a policy and then apply it to a specific interface. When a packet arrives on that interface, if the criteria set forth in the policy match, the packet will be source/policy routed.
Here is a link that will show you how to configure it.
HTH
Victor
12-03-2008 09:02 AM
Jon:
Sorry for the cross-post.
Mo:
Jon hit the nail on the head. I gave you a link, but he actually did the work for you. What a pal!
You're a better man than me, Charlie Brown. :-)
Victor
12-03-2008 09:39 AM
Victor
Long time..
Don't see you around as much as we used to. Hope everything's going well.
Jon
12-03-2008 04:56 PM
Hey, Jon:
I hear ya, buddy. All is OK, thank God. Just very busy at work. Don't really have too much time to participate like I used to. I miss it, actually. I'm glad you're still active. I look forward to reading your posts.
Got another job yet?
Victor
12-04-2008 03:35 AM
"Got another job yet?"
Nope still got a few things to sort out on the family front.
Glad to hear you're busy, but it isn't the same without you: no one to insult me and no one for me to take the mick out of :-)
Jon
12-04-2008 09:27 AM
Insult you??? LOLOL Stop that! I have never insulted you. Maybe corrected you a few times, but never insulted ya. ;-)