
Routing secondary address

sterdnotshaken
Level 1

I have a Cisco 3725 router with 3 Fast Ethernet ports. We also have 2 separate firewalls (Checkpoint and Sonicwall)

We got this router to allow us the option of making gateway changes on the fly without having to change anyone's default gateway.

What I have done so far is assigned one of the Ethernet ports on the router a primary and secondary address... These addresses were the gateway addresses of the 2 firewalls. I have configured the 2 other ports on the router to have an address out of a unique subnet (each port to be connected directly to one of the 2 firewalls, obviously assigning the firewall ports addresses that allow them to communicate with the router).

So let's say the 2 IP addresses that are assigned to that one port on the router are 1.1.1.1 and 1.1.1.2, these being the 2 possible default gateways of all computers on the network... I want the router to recognize which address traffic from the network arrived on and, from that, route to one of the 2 firewalls... So if a computer had 1.1.1.1 as its gateway, the router would route Internet requests to the Checkpoint, and if a computer had 1.1.1.2 as its gateway, the traffic would be routed to the other gateway (Sonicwall). The only exception to traffic from one gateway address always being routed to a specific firewall is when they try to access shares on one of our remote sites (we have a site-to-site VPN tunnel), and that tunnel is only between the Checkpoint and the remote site; the Sonicwall has no VPN tunnels... I have configured static routes for those subnets to go to the Checkpoint on the router, so I don't think that will be an issue...

Anyway, how do I route traffic depending on what gateway address computers used? Gateway of last resort forces all internet traffic to one of the 2, without any dynamic routing options...

Thanks in advance!


15 Replies

Jon Marshall
Hall of Fame

Steven

I first thought of PBR (Policy Based Routing) but this won't work because they arrive on the same interface and the destination could be anything as it is presumably Internet destinations.

Others may have other suggestions but the only thing that springs to mind at the moment is if you want to utilise both links then have 2 default-routes on your 3725 and do per destination load-sharing. The per-destination is important as if you did per-packet you could get some packets from a connection going out through one firewall and other packets from the same connection going out the other firewall. This obviously wouldn't work.

This would utilise both links but may not be what you are looking for. Perhaps you could expand on your requirements?

Jon

Joseph W. Doherty
Hall of Fame

What you're attempting to accomplish is going to be rather difficult. The problem is, a host gateway address is a next hop address. The host will ARP for the MAC and then forward the frame to that MAC address. The source and destination IP addresses (i.e. L3 packet info) wouldn't reflect L2 MAC. I.e. you couldn't tell at the L3 level which gateway was selected.

Even at the L2 level, I don't recall, if you're using a secondary address, whether the primary and secondary would return different MACs. (If they didn't, using two MHSRP addresses could return different virtual MACs - but even then, router's ARP cache tracks hosts IP to MAC, not the gateway MAC a particular host ARP'ed for.)

Jon's comment about interface is important because PBR can use received interface, I believe.

Perhaps the easiest method that comes somewhat close to your requirement would be to use MHSRP on two different routers. Each router would be the virtual gateway for one firewall. If both routers are active, you could know which gateway was being used. However, if a router fails, we're back to not knowing which gateway was selected by the host.

What you want to accomplish might be possible on a single router, but if so, it would be complex. I'm thinking of using options like the embedded event monitor and perhaps debug to try to trap host ARP requests, analyze them, and build PBR on-the-fly using the host's source IP.

Laurent Aubert
Cisco Employee

Hi,

If I understood correctly, you want to add the 3725 router between your hosts and the two FWs without re-addressing the default gateway of the hosts, right?

In this case, you need the two addresses on your router interface as it's now the unique default-gateway of all the hosts.

The router is not aware of the host IP configuration; the only thing it knows is that it will answer ARP requests for the 1.1.1.1 and 1.1.1.2 addresses.

That being said, the only solution I see is to make the routing decision based on the source address using PBR:

route-map GW-SELECTION permit 10
 match ip address 101
 set ip next-hop FW1
route-map GW-SELECTION permit 20
 match ip address 102
 set ip next-hop FW2
!
interface Fast a/b
 ip policy route-map GW-SELECTION
!

ACL 101 matches the source addresses of hosts whose default gateway is 1.1.1.1.

ACL 102 matches the source addresses of hosts whose default gateway is 1.1.1.2.

Don't add to the ACLs the hosts whose traffic needs to go into the VPN, so the router will use its routing table for them (and use the static routes you configured).

This is not a scalable solution, as you will have to update the ACLs manually each time you have a new host.

If you detail your needs a little more, we may come up with another design.

Thanks

Laurent.

First of all, I really appreciate all of your help everyone!

Below is my router configuration. I have assigned both of these route maps to the interface Fa0/0 (the interface that has both inside gateway addresses assigned and is the inside port for our network) with the ip policy route-map command... is that correct? It seems like it should be assigned to that port. As you can see, I specified one IP address that is assigned to Fa0/0 in each ACL... is that correct? It seems like I would need to specify each address (assigned to Fa0/0) as the source via the ACL and then route it to the next hop address according to which address it came in on, instead of including the whole internal subnet... otherwise how does the route map command delineate the different gateways that hosts have and route accordingly? Is it OK that each ACL references IP addresses assigned to the local port instead of a network host?

Would what I am trying to do be made any easier if each of the 2 IP addresses assigned to the internal port acting as the gateway port for the network had its own Fast Ethernet port? It would require me purchasing another card, which I could totally do, if it would make things easier...?

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.0.0 secondary
 ip address 1.1.1.2 255.255.0.0
 ip policy route-map Sonicwall
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 10.2.1.2 255.255.255.240
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 172.16.0.0 255.255.0.0 FastEthernet0/1
ip route 172.20.0.0 255.255.0.0 FastEthernet0/1
!
ip http server
!
access-list 1 permit 1.1.1.1
access-list 2 permit 1.1.1.2
route-map Checkpoint permit 10
 match ip address 2
 match interface FastEthernet0/1
 set ip next-hop 10.1.1.1
!
route-map Sonicwall permit 10
 match ip address 1
 match interface FastEthernet2/0
 set ip next-hop 10.2.1.1

Steven

Unfortunately this won't work and it is primarily because your 2 addresses are on the same interface.

You can't use the access-lists 1 & 2 because the source or destination IP address of packets is never going to be the default-gateway on the router ie. when a client on the 1.1.x.x network sends a packet to the Internet the source would be the client address and the destination would be an Internet address, neither of which are 1.1.1.1 or 1.1.1.2.

Also, the match interface command in the route map is used to match an incoming interface, not to set an outgoing interface. Traffic that you want to policy route will always be coming in on fa0/0.

As Laurent said in his post if you know which clients use 1.1.1.1 as their default-gateway and which use 1.1.1.2 as their default-gateway then you could use PBR because you can direct the traffic to the correct firewall based on the clients source IP address.

If you don't know this then you could look into using 2 default-routes with per-destination load-sharing, but you still haven't told us exactly what you expect in terms of traffic across the links. If a client has a gateway of 1.1.1.1, does it absolutely have to go out via the Checkpoint, or could it go out via the SonicWall, and vice-versa?

You could get another interface or if the switch that the router connects to on the LAN is 802.1q capable you could create 2 subinterfaces on fa0/0 and this again would solve your problem.

But there is one issue with this. If you had 2 separate interfaces or 2 subinterfaces you would need to have 2 separate subnets for the clients - some on one and some on the other, whereas at the moment they are all on the same network.

Hope that hasn't confused the issue too much.

Jon
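To make the two points Jon raises concrete (a standard ACL keyed on the router's own gateway addresses can never match a client packet, whereas an ACL keyed on the client's source address can), here is a small simulator of the router's PBR decision. This is an added example, not code from the thread or from Cisco: the next hops and static routes come from the posted config, while the host addresses, the default route via the Checkpoint and the VPN-exempting deny entries (an extended-ACL way of doing what Laurent advises, keeping VPN traffic on the routing table) are assumptions.

```python
import ipaddress
# Addresses follow the thread: clients sit in 1.1.0.0/16 behind Fa0/0, the
# Checkpoint is next hop 10.1.1.1 (Fa0/1), the Sonicwall is next hop 10.2.1.1
# (Fa2/0). Host addresses, the default route and ACL contents are constructed.
CHECKPOINT, SONICWALL, ANY = "10.1.1.1", "10.2.1.1", "0.0.0.0/0"

def acl_match(acl, src, dst):
    """Extended ACL of (action, src_prefix, dst_prefix) entries, IOS semantics:
    first match wins; a deny (or the implicit deny at the end) means 'no match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def rib_lookup(rib, dst):
    """Longest-prefix match over the static routes and the gateway of last resort."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def forward(route_map, rib, src, dst):
    """PBR on Fa0/0: first clause whose ACL permits the packet sets the next hop;
    a packet no clause matches is routed from the routing table instead."""
    for acl, next_hop in route_map:
        if acl_match(acl, src, dst):
            return next_hop
    return rib_lookup(rib, dst)

# Static routes from the posted config plus an assumed default via the Checkpoint.
RIB = [("172.16.0.0/16", CHECKPOINT), ("172.20.0.0/16", CHECKPOINT), ("0.0.0.0/0", CHECKPOINT)]

# Steven's posted idea: standard ACLs keyed on the router's own gateway addresses.
# No client packet carries 1.1.1.1 or 1.1.1.2 as its source, so no clause ever
# matches and every packet falls through to the default route.
BROKEN_MAP = [([("permit", "1.1.1.2/32", ANY)], CHECKPOINT),
              ([("permit", "1.1.1.1/32", ANY)], SONICWALL)]

# Source-based PBR as Laurent and Jon describe: ACL 101 lists hosts whose gateway
# is 1.1.1.1 (Checkpoint), ACL 102 hosts whose gateway is 1.1.1.2 (Sonicwall).
# Leading deny entries exempt the VPN subnets so they keep using the static routes.
VPN_EXEMPT = [("deny", "1.1.0.0/16", "172.16.0.0/16"), ("deny", "1.1.0.0/16", "172.20.0.0/16")]
ACL_101 = VPN_EXEMPT + [("permit", "1.1.5.10/32", ANY)]   # constructed general-user host
ACL_102 = VPN_EXEMPT + [("permit", "1.1.7.20/32", ANY)]   # constructed exec/IT host
WORKING_MAP = [(ACL_101, CHECKPOINT), (ACL_102, SONICWALL)]

if __name__ == "__main__":
    for dst in ("198.51.100.7", "172.20.3.4"):   # Internet host, remote-site host
        print("1.1.7.20 ->", dst, forward(BROKEN_MAP, RIB, "1.1.7.20", dst),
              forward(WORKING_MAP, RIB, "1.1.7.20", dst))
```

Running it shows the exec host reaching the Sonicwall only under the source-based map, while its remote-site traffic still follows the static route to the Checkpoint.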

Hello Steven,

you need to be able to discriminate between packets sent to 1.1.1.1 and packets sent to 1.1.1.2.

The ip address secondary feature doesn't allow you to do that: the MAC address is always the same.

So first suggestion:

even if there is only one router, you can take advantage of HSRP having its own MAC address for the VIP:

interface FastEthernet0/0
 ip address 1.1.1.2 255.255.0.0
 standby 1 ip 1.1.1.1

This provides distinction at layer 2.

Then you would need two MAC-address-based ACLs so that:

when the destination MAC of the received frame is that of the HSRP group tied to 1.1.1.1 you perform one redirection; if the destination MAC of the received frame is that of the router interface you do a different redirection with the second route-map block.

But this has to be tested because you need:

a) the router to support MAC-based ACLs

b) verify if you can match a mac based ACL inside a route map used for PBR

If this is not possible, the next approximate solution is that suggested by Laurent.

Another option is that of using extended ip acls matching on source and destination ip addresses

Edit

I've looked at the 12.4 command reference; there is no match mac-address ACL option, so this is something that cannot be done this way.

Hope to help

Giuseppe

OK, so if I buy another interface, I can match a unique interface with a unique destination address via the match and next hop criteria in the route map? If that is the case, then it sounds like my best bet is to get another interface...?

Basically, to give you a clearer picture of what I am trying to do, I want all normal Internet traffic to be routed out the checkpoint T1 and only privileged users (ie... IT he he he... and Executives) to be routed through the Sonicwall Bonded T1... So, as it stands currently, the executives and IT have the Default GW currently going to the Sonicwall and the rest of the users going out the checkpoint... And the reason for adding the router is so I can still keep that General Users=Checkpoint and Privileged Users=Sonicwall association, but also, with the router, route all traffic destined for one of our remote sites always to the checkpoint via static routes (that is the firewall where all of our VPN tunnels are terminated).

So with an additional interface on the router, I can accomplish this with relative ease?

Steven

Just getting another interface will not make it much easier to be honest. As I said previously, you would need to readdress clients that go onto the other subnet; you can't have 2 ethernet interfaces on the same router using addresses out of the same subnet.

So you will still need to allocate the IT users and execs into a new vlan. If you know who they are you could use Laurent's post with the setup you have now. But you would need to make the client IP addresses static, ie. all those going via the Sonicwall need static IPs or need to be in a different vlan, which requires an extra interface. Either way there is some work to do.

And that also assumes a fairly static setup, ie. an exec doesn't have a laptop that they could connect in to the network at various different points. If they do, use static IP reservations and go with the existing setup you have with Laurent's post.

Jon

Hello Jon, Steven

I would consider using vlan subinterfaces and dividing the IP network in two parts: one for normal users, one for users ++.

However, if someone moves a PC from a port to another it can get more privileges.

Ideally the best solution is to assign the vlan to the user/device using 802.1X authentication with this info coming from the Radius attributes.

You need switches that support this feature to do this.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/sw8021x.html#wp1289244

Hope to help

Giuseppe

Giuseppe

Agree about subinterfaces if switch supports 802.1q.

It really depends on how much time and effort you want to put into it. I have worked at places where the clients were locked down enough so that users could not change IP address, and if that's the case here a simpler solution is to use hardcoded IPs on the IT/execs' clients and leave all others dynamically assigned. Then use Laurent's solution, or if you want, go with subinterfaces/extra interface.

If the OP has an AAA server that can support 802.1x then you could use this as a solution, and I have used dynamic vlan assignment with ACS before, but it is not trivial to implement and you then need to consider redundant AAA servers etc. because the last thing you want is to have execs not able to log in because the AAA server is down.

Personally I don't generally like giving groups of people preferential treatment, especially people like the execs, because this can mask a general problem for most users that they are never aware of. Mind you, if the exec is threatening to sack you if you don't improve performance.. :-)

I don't disagree with anything you have said but it should be pointed out how much extra work is involved with this solution.

Jon

Thanks for your help! Excellent points!

Yea, I forgot about the fact that you cannot assign 2 different interfaces IPs in the same subnet... So, outside of vlaning, which we are planning on doing, but not until mid next year, I would have to use the solution proposed by Laurent? That really shouldn't be an issue, as all of the internet users already have a static IP assigned to them anyway. I just wanted something that was more automated, versus adding specific IPs in an ACL, which would then allow them through the faster internet connection... This was the main reason I was hoping to be able to route off the one interface according to whether it came in on the primary IP or the secondary IP...

So that sounds like the solution right?

As an interim measure, yes, I would use Laurent's solution until you implement vlans, when you could look to put something more flexible in place.

Jon

Alright, I will give that a try and if it is ok, post questions along the way.

Thanks again!

Steven

No problem, hope it goes well, and if you have any problems just post another query; there will always be someone around to help :-)

Jon
