Multiple Vlans with multiple Internet connections using PBR

matthew.bernier
Level 1

Hello all,

I'm trying to wrap my head around this configuration and not having a lot of success.  I have several Vlans 3,6,71,72,160, and 180.  I have two internet connections, Internet1 is connected to an ASA5510 and Internet2 is connected to a Meraki MX80.  I'm using two 4506 switches on my backbone trunked to 3750 switches that my clients connect to.  None of these switches have IP Services and my 4506 supervisor does not have an Enterprise license. However I do have one 3750 100Mbit switch with IP Services so I'm using that to do my PBR.  All my routing is currently being done on the 4506 switches and all Internet traffic is going to the ASA.  What I would like to do is force vlan160 and vlan180 through the Meraki as their Internet connection and the rest of the Vlans go through the ASA.  I'm thinking about trunking my vlans from the 4506 to the 3750 (the one with IP Services) and use policy based routing from there to force vlan160 and vlan180 to the Meraki.  But in order to do this I think I would have to move my routing onto the 3750 switch but since that is only 100Mbits I'm thinking this is going to choke my network down and defeat the purpose of the 4506 backbones.  Any suggestions or alternate ways to achieve my goal?

Appreciate any help you guys can send my way.

Matt

6 Replies

Jon Marshall
Hall of Fame

Matthew

What is the speed of the connection from the 4500 to the ASA, and what are the combined speeds of the internet connections?

You definitely don't want to do all the inter vlan routing on the 3750. You could connect it up as shown in your diagram but leave all the routing between vlans on the 4500s. Then you -

1) connect the 3750 to the 4500 using a L3 point to point link

2) connect the 3750 to the ASA using a L3 point to point link

3) do PBR on the 3750 interface connected to the 4500 for traffic coming from the 4500.

If the 4500 supervisor/IOS version doesn't support routed links on that end just use an access port in a dedicated vlan ie. no other ports in the vlan and create a new SVI for it.

You would need to update your routing to reflect the next hop on the ASA, Meraki, 3750 and the 4500.

Disadvantages are -

1) you only have fast ethernet ports on the 3750 so if the combined internet speed is greater than that then it will be a bottleneck.

2) it is a single point of failure ie. if it is lost all internet via both connections is lost.

The alternative would be to not have the 3750 in the path but connected to the 4500 via a trunk link and then route just vlan 160 and 180 on the 3750 ie. move their SVI(s) onto the 3750. Then the 3750 could have a direct connection to the Meraki device and point the default route that way (no PBR needed). The trunk would only allow those specific vlans on it.  This would mean a failure of the 3750 would not mean ASA internet lost but it would mean loss of connectivity for the two vlans routed on the 3750.

You would need to add routes to the Meraki for return traffic plus routes on the 3750 and 4500 for inter vlan routing.

The main disadvantages here are -

1) inter vlan routing between the vlans routed on the 4500s and the vlans on the 3750 will be limited by the 100Mbps connection. However you could use an etherchannel trunk so you could get greater overall throughput and some redundancy

2) more importantly though, I suspect you are running HSRP between the 4500s for the client vlans and moving the SVIs onto the 3750 means a single point of failure for those vlans.

Personally I would tend towards option 1) because of the SVI HSRP issue and perhaps because there may be a lot of inter vlan traffic and even with an etherchannel it would be too much.

But, single point of failure issues aside, a lot does depend on internet bandwidth in option 1) vs inter vlan traffic in option 2).

So it's a tradeoff and personally I don't think either are ideal, so I'll have another think on this in the morning to see if there is anything more obvious that I have missed or maybe someone else will add to the post.

Jon

Jon Marshall
Hall of Fame

Matthew

Regarding option 1). The ASA 5510 does support etherchanneling so you could actually put the 3750 in the path and have etherchannels both ways ie. to the ASA and to the 4500.

This would help with redundancy in terms of extra links. It may also help with throughput if you can load balance on src/dst IP address.

So option 1) is looking more appealing.

The only disadvantage is that the 3750 is still a single point of failure.

In terms of PBR on the 3750, be careful with your access lists on the route map. Don't use any deny statements (which you shouldn't have to) as this will send packets to the main CPU rather than be hardware switched.

Jon

Thanks for the suggestions Jon,

To clarify a bit more. I do have HSRP running on the 4506 switches and I have a failover ASA, so right now my only single points of failure would be the 3750 I'm using for PBR and the Meraki firewall. I'm using two 100Mbps Internet links for the ASA and the Meraki. My main objective here is to direct my clients (Vlan160, 180) out through the Meraki to take advantage of L7 outbound filtering and put all my server traffic through the ASA. Since my Internet pipe is only 100Mbps the 3750 with FastEthernet ports isn't that much of an issue, but this setup seems a bit convoluted and I don't want to create a config that no one else would be able to figure out if I were to leave. Regardless, I'm going to go with your first option in my lab and if I think the config can be nailed down enough I'll move that into my production environment.

Again thank you very much.

Matt

Let me throw this at you. I have a 2800 series router lying around here as well. What if I were to throw this device into the mix and possibly remove the 3750 switch that can only handle fast ethernet?

Matthew

Which model of 2800? Bear in mind that routers generally have far less throughput than a L3 switch even though its interfaces may be gigabit.

The 3750 will not be a bottleneck in terms of switch fabric, simply that the actual physical ports are limited to 100Mbps.

So depending on the model it may not be any better.

Also if the 100Mbps is your main concern if you have a spare fast ethernet interface on the ASA 5510 you can use etherchannel between the ASA and the 3750 and the 3750 and the 4500 to get more throughput.

I am not sure what advantages using the 2800 would give you. Presumably the router does not have a switch module installed?

Jon

Matthew

If you have a failover ASA then you would need to use a vlan to connect the 3750 to the ASAs. It doesn't change option 1) that much, but instead of a routed port on the 3750 to ASA connection just use a new vlan with an SVI on the 3750 and use that as the next hop IP for the ASAs.

Jon
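Putting Jon's option 1) together (the L3 link to the 4500, PBR on that interface with a permit-only ACL, the routed link to the Meraki, and the vlan/SVI toward the failover ASA pair from his last reply) as an added example config; this is not from the thread or from Cisco, and every address, vlan 900, the /24 client subnets and the FastEthernet1/0/x port numbers are assumed values to be replaced with your own.

```cisco
! Added example: 3750 (IP Services) in the internet path, option 1.
! Assumed addressing: 192.0.2.0/30 to the 4500, vlan 900 / 192.0.2.8/29
! toward the ASA pair, 192.0.2.4/30 to the Meraki, vlan160 = 10.160.0.0/24,
! vlan180 = 10.180.0.0/24. Substitute your own values.
!
! PBR on the 3750 requires the routing SDM template (active after a reload).
sdm prefer routing
ip routing
!
! L3 point-to-point link to the 4500. Only internet-bound traffic arrives
! here because the 4500's default route points at 192.0.2.2.
interface FastEthernet1/0/1
 description P2P to 4506
 no switchport
 ip address 192.0.2.2 255.255.255.252
 ip policy route-map TO-MERAKI
!
! Dedicated vlan + SVI toward the ASAs (active/standby share this vlan;
! the ASA active IP .10 is the next hop, so it follows a failover).
vlan 900
 name ASA-TRANSIT
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 900
interface Vlan900
 ip address 192.0.2.9 255.255.255.248
!
! L3 point-to-point link to the Meraki MX80
interface FastEthernet1/0/3
 description P2P to Meraki
 no switchport
 ip address 192.0.2.5 255.255.255.252
!
! Permit entries only: a deny line would punt matching packets to the CPU.
! Packets from any other source simply don't match and are routed normally.
ip access-list extended CLIENT-VLANS-TO-MERAKI
 permit ip 10.160.0.0 0.0.0.255 any
 permit ip 10.180.0.0 0.0.0.255 any
!
route-map TO-MERAKI permit 10
 match ip address CLIENT-VLANS-TO-MERAKI
 set ip next-hop 192.0.2.6
!
! Everything not policy-routed (server vlans) goes to the ASA; internal
! networks (assumed 10.0.0.0/8) are reached back via the 4500 so return
! traffic from either firewall has a path home.
ip route 0.0.0.0 0.0.0.0 192.0.2.10
ip route 10.0.0.0 255.0.0.0 192.0.2.1
```

The ASAs and the Meraki still need their own routes for the internal networks pointing back at the 3750 (192.0.2.9 and 192.0.2.5 respectively), as Jon notes; those are configured on the firewalls, not here.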
