1800 Series Gateway issues \ PBR multiple gateway interfaces

Unanswered Question
Feb 25th, 2011

Sigh,.. I'm sorry for being such a newbie..

OK,.. again, I've attached the network diagram.

I'm trying not to run before I can walk,.. so the first thing I'm trying to do is ping out to a DNS server on the internet: 212.135.1.36 from my internal network.

If I put a default gateway on my router, set to 172.16.32.254 (firewall Vlan100 interface), and ping,.. it works fine from my router.

If I put a default gateway on my switch below the router as 172.16.32.252 (VLAN100 interface of the router) and ping from the switch, it doesn't work.

I assume it's getting to the switch as I can ping 172.16.32.252 from the switch, so the router is dropping the packets... my question is why!?

Sorry

Once this bit works,.. the intention is to route any external-bound traffic that comes from VLAN100 to 172.16.32.254, external-bound traffic from VLAN200 to 172.16.64.254, etc.

Cheers

SWITCH ARP:

[4510G]dis ip rout
Routing Tables: Public
        Destinations : 15       Routes : 15

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 60   0            172.16.32.252   Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
172.16.32.0/19      Direct 0    0            172.16.32.253   Vlan100
172.16.32.253/32    Direct 0    0            127.0.0.1       InLoop0
172.16.64.0/19      Direct 0    0            172.16.64.253   Vlan200
172.16.64.253/32    Direct 0    0            127.0.0.1       InLoop0
172.16.96.0/19      Direct 0    0            172.16.96.253   Vlan300
172.16.96.253/32    Direct 0    0            127.0.0.1       InLoop0
172.16.128.0/19     Direct 0    0            172.16.128.253  Vlan400
172.16.128.253/32   Direct 0    0            127.0.0.1       InLoop0
172.16.160.0/19     Direct 0    0            172.16.160.253  Vlan500
172.16.160.253/32   Direct 0    0            127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0            192.168.1.253   Vlan1
192.168.1.253/32    Direct 0    0            127.0.0.1       InLoop0

Router running config:


Current configuration : 2436 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
! A type-5 (MD5) enable secret next to a type-0 (plaintext) enable password;
! with "no service password-encryption" above, the password line is stored in the clear
enable secret 5 $1$XdN.$MwSFWx3ahZIkRxcfmdrqX1
enable password sys1881
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
! IP routing is disabled: the router will still answer and originate pings,
! but it will not forward transit packets (the cause found further down the thread)
no ip routing
!
!
no ip cef
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
no ip route-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0.100
encapsulation dot1Q 100
no ip route-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0.200
encapsulation dot1Q 200
no ip route-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0.300
encapsulation dot1Q 300
no ip route-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0.400
encapsulation dot1Q 400
no ip route-cache
no snmp trap link-status
no cdp enable
!
interface BRI0
no ip address
encapsulation hdlc
no ip route-cache
shutdown
no cdp enable
!
interface FastEthernet1
switchport mode trunk
no cdp enable
!
interface FastEthernet2
switchport mode trunk
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface FastEthernet4
shutdown
no cdp enable
!
interface FastEthernet5
shutdown
no cdp enable
!
interface FastEthernet6
shutdown
no cdp enable
!
interface FastEthernet7
shutdown
no cdp enable
!
interface FastEthernet8
shutdown
no cdp enable
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip route-cache
vlan-id dot1q 1
  exit-vlan-config
!
!
interface Vlan100
ip address 172.16.32.252 255.255.224.0
!
interface Vlan200
ip address 172.16.64.252 255.255.224.0
!
interface Vlan300
ip address 172.16.96.252 255.255.224.0
!
interface Vlan400
ip address 172.16.128.252 255.255.224.0
!
ip default-gateway 172.16.32.254
ip classless
ip route profile
!
!
no ip http server
no ip http secure-server
!
no cdp run
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password sys1881
login
!
no scheduler allocate
no process cpu extended
no process cpu autoprofile hog
end

lgijssel Fri, 02/25/2011 - 06:19

The ip default gateway doesn't work as you expect.

It only works for traffic which is originated by the router itself.

What you need is a default route like this on the router:

ip route 0.0.0.0 0.0.0.0 172.16.32.254

I suspect there are several other issues with your proposed setup but at least this will fix the routing problem.

Feel free to ask additional questions.

regards,

Leo

shaunhayward2000 Fri, 02/25/2011 - 06:36

Hi Leo,

Thank you,.. I've removed the default gateway and added the static route as suggested (same command to set a default gateway on the switch).

Unfortunately, this seems to stop the ping to the external address completely,.. from the router, and the switch still doesn't ping it either.

I must be missing something really obvious, but alas it's outsmarting me!

shaunhayward2000 Fri, 02/25/2011 - 07:59

OK,.. sorted, it would seem that ip routing needs to be enabled!

so that sorts the standard routing problem.

Now I need to set up PBR somehow.

Basically,.. the SonicWall doesn't support trunking or spanning tree, so you have to set up VLAN interfaces each with its own IP relevant to that VLAN subnet.

I need the router to route any external web requests to the correct firewall gateway address.

i.e.:

Client on VLAN200 with an ip address of 172.16.64.10/19 gateway address: 172.16.64.253 (switch)

  |

\|/

requests the internet - switch's static route is: 0.0.0.0 0.0.0.0 192.168.1.1 (router - default VLAN1 interface)

  |

\|/

router should see VLAN200 tagged traffic and forward to 172.16.64.254 (firewall VLAN200 interface ip)

make sense?

Config I tried doesn't work, obviously,..:

access-list 100 permit ip 172.16.32.0 0.0.31.255 any
no cdp run
!
route-map WebTraffic permit 100
match ip address 100
set ip next-hop 172.16.32.254

shaunhayward2000 Fri, 02/25/2011 - 08:34

arggg,... Soooo close

OK,.. I can get it working,.. but the problem I have now is that you can only seem to apply one route-map policy to each interface!?

Since my switch points to the default VLAN as its gateway,.. I get internet requests from all vlans hitting that interface.

So I wanted to put a policy on there that routes it to the firewall as below:

access-list 100 permit ip 172.16.32.0 0.0.31.255 any
access-list 101 permit ip 172.16.64.0 0.0.31.255 any
no cdp run
!
route-map WebTraffic permit 100
match ip address 100
set ip next-hop 172.16.32.254
!
route-map WebTraffic1 permit 200
match ip address 101
set ip next-hop 172.16.64.254

Problem is you can only add one route-map to that interface,... how do I get around that!?!?!??

pllllease help!!

shaunhayward2000 Mon, 02/28/2011 - 00:45

Hi guys,

I know I can't put "correct answer" on my own post, but if anyone searches this in Google then at least there's an answer at the bottom of the feed. Nothing worse than searching a problem, finding the exact same issue you have with no fix lol!

To send multiple VLANs to different gateway IP addresses for use with SonicWall (due to the fact SonicWall do not support trunking or spanning tree and require separate VLAN interfaces set up on them) the following config should help. (This is only necessary if you want the switch to do the routing,... I have to use a Cisco 1800 router as my apparently L3 switch doesn't support PBR.)

If anyone on here sees something wrong,.. please let me know, as I said before I'm no Cisco genius like everyone else on here,.. but the below seems to work for me.

Cheers.

Shaun

! Vlan1 is where the switch's default route (192.168.1.1) delivers every
! internet-bound request, so the policy is applied here; /24 as in the
! running config above and on the switch's own Vlan1 (192.168.1.253/24)
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map WebTraffic
!
interface Vlan100
 ip address 172.16.32.252 255.255.224.0
!
interface Vlan200
 ip address 172.16.64.252 255.255.224.0
!
interface Vlan300
 ip address 172.16.96.252 255.255.224.0
!
interface Vlan400
 ip address 172.16.128.252 255.255.224.0
!
! Transit forwarding and a plain default route, both found to be needed
! earlier in this thread; a packet that matches no route-map clause is not
! dropped, it is forwarded by the routing table, i.e. via this default route
ip routing
ip route 0.0.0.0 0.0.0.0 172.16.32.254
!
! One extended ACL per VLAN subnet, matching on source address only (in this
! setup the router only receives external-bound requests anyway);
! 0.0.31.255 is the wildcard (inverse) mask for a /19
access-list 100 permit ip 172.16.32.0 0.0.31.255 any
access-list 101 permit ip 172.16.64.0 0.0.31.255 any
access-list 102 permit ip 172.16.96.0 0.0.31.255 any
access-list 103 permit ip 172.16.128.0 0.0.31.255 any
no cdp run
!
! Only one route-map can be applied per interface, so each VLAN gets its own
! clause (sequence number) within the same map; clauses are tried lowest
! sequence first and the first match sets the next hop
route-map WebTraffic permit 0
 match ip address 100
 set ip next-hop 172.16.32.254
!
route-map WebTraffic permit 5
 match ip address 101
 set ip next-hop 172.16.64.254
!
route-map WebTraffic permit 10
 match ip address 102
 set ip next-hop 172.16.96.254
!
route-map WebTraffic permit 15
 match ip address 103
 set ip next-hop 172.16.128.254
!
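
The two points the thread turned on (only one route-map can be bound to an interface with `ip policy route-map`, so the per-VLAN decisions have to be separate clauses of one map; and a packet that matches no clause falls through to the normal routing table) as an added example that is not part of the original thread or of Cisco IOS: a small Python model of IOS wildcard-mask ACL matching and route-map first-match evaluation, run over constructed source addresses. The subnets, wildcard masks, sequence numbers and next-hops are taken from the posts above; the class and function names (`wildcard_match`, `policy_route`, `steer`) and the sample hosts are this example's own assumptions, and it models nothing beyond the source-address match.

```python
from __future__ import annotations

# Added example, not code from the original thread or from Cisco IOS.
# Subnets, wildcard masks and next-hops come from the thread; the names
# and the sample source addresses below are assumptions of this example.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL semantics: a wildcard bit of 1 means 'don't care'.

    0.0.31.255 is the wildcard for a /19, so the low 13 bits are ignored and
    172.16.64.0 .. 172.16.95.255 all match 'permit ip 172.16.64.0 0.0.31.255'.
    """
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (n & care)


@dataclass(frozen=True)
class AclEntry:
    """access-list <number> permit ip <network> <wildcard> any"""
    number: int
    network: str
    wildcard: str


@dataclass(frozen=True)
class Clause:
    """route-map <name> permit <seq> / match ip address <acl> / set ip next-hop <next_hop>"""
    seq: int
    acl: int
    next_hop: str


def policy_route(src: str, clauses: list[Clause], acls: dict[int, AclEntry],
                 default_next_hop: str) -> tuple[Optional[int], str]:
    """Evaluate the single route-map bound to the ingress interface.

    Clauses are tried in ascending sequence order; the first permit clause
    whose ACL matches sets the next hop.  A packet matching no clause is not
    dropped: it falls through to the routing table, modelled here by the
    default route (ip route 0.0.0.0 0.0.0.0 172.16.32.254 in the thread).
    Returns (matching sequence number or None, chosen next hop).
    """
    for clause in sorted(clauses, key=lambda c: c.seq):
        entry = acls[clause.acl]
        if wildcard_match(src, entry.network, entry.wildcard):
            return clause.seq, clause.next_hop
    return None, default_next_hop


# The configuration from Shaun's final post.
ACLS = {
    100: AclEntry(100, "172.16.32.0", "0.0.31.255"),
    101: AclEntry(101, "172.16.64.0", "0.0.31.255"),
    102: AclEntry(102, "172.16.96.0", "0.0.31.255"),
    103: AclEntry(103, "172.16.128.0", "0.0.31.255"),
}
WEBTRAFFIC = [
    Clause(0, 100, "172.16.32.254"),
    Clause(5, 101, "172.16.64.254"),
    Clause(10, 102, "172.16.96.254"),
    Clause(15, 103, "172.16.128.254"),
]
DEFAULT_NEXT_HOP = "172.16.32.254"

# The earlier attempt: two separately named maps.  Only WebTraffic can be
# bound to Vlan1 ('ip policy route-map WebTraffic'), so the clause living in
# WebTraffic1 is never consulted and VLAN200 sources fall through to the
# default route instead of reaching the firewall's VLAN200 interface.
WEBTRAFFIC_ATTEMPT = [Clause(100, 100, "172.16.32.254")]
WEBTRAFFIC1_NEVER_BOUND = [Clause(200, 101, "172.16.64.254")]


def steer(src: str, bound_map: list[Clause] = WEBTRAFFIC) -> tuple[Optional[int], str]:
    """Next hop the router would pick for a packet with source 'src' arriving on Vlan1."""
    return policy_route(src, bound_map, ACLS, DEFAULT_NEXT_HOP)


if __name__ == "__main__":
    # Constructed sample sources: one host per VLAN plus a VLAN500 host
    # (172.16.160.0/19 exists on the switch but has no ACL and no clause).
    for src in ("172.16.32.10", "172.16.64.10", "172.16.96.10",
                "172.16.128.10", "172.16.160.10"):
        print(src, "final config ->", steer(src),
              "| two-map attempt ->", steer(src, WEBTRAFFIC_ATTEMPT))
```

Two things the model makes visible that the config alone does not: a source the map does not cover (the VLAN500 range 172.16.160.0/19, which the switch routes but the router has no clause for) is not dropped but leaves via the default route to the firewall's VLAN100 address; and the map keys on the source address only, which is all the router can see once the switch has forwarded the packet over Vlan1, so a packet is steered according to the range its source address falls in, whatever VLAN it actually came from.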
