I basically have two contexts on my ASA box, connected to a router on the outside and a layer 3 switch on the inside; I have about 20 VLANs on the L3 switch.
I want to route 10 VLANs through context 1 and the other 10 through context 2.
I know PBR can be used, but when PBR with set ip next-hop is set on the VLAN interfaces, inter-VLAN routing is not happening on the L3 switch.
So in this case, even if I implement inter-VLAN routing on the ASA with sub-interfaces, the first 10 VLANs will not be able to communicate with the next 10 VLANs.
Is there any other way of doing this, or is it possible that I use two default routes on the L3 switch pointing to each context and the switch automatically load balances it or something?
If someone is wondering why I am doing all this, I am planning to implement Active/Active failover for the ASA.
First, why do you have two contexts?
Secondly, I came across a way, but it is long:
Make the inter-VLAN routing between the first 10 VLANs through context one and the others through context two, and the routing between the first 10 VLANs and the second 10 VLANs through the router, from context to context.
You don't need any SVI or routing on the switch.
Create the VLANs on the switch.
Make the link from the switch to each context a trunk.
Create a sub-interface for each VLAN on each context,
let's say 1-10 in context 1 and 11-20 on context 2.
Allow the communication between interfaces within the context, like between sub-interfaces 1-10 in context 1 and between 11-20 in context 2.
Make the default gateway for each host the ASA sub-interface in the corresponding VLAN number!
Now on each context make a static route for each VLAN on the other context pointing to the router-connected interface:
route outside [vlan 1] [subnet] [router ip]
and the same for each VLAN; this is in context 2.
On context one the same, like:
route outside [vlan 15] [subnet] [directly connected router ip]
On the router make a static route for each VLAN network pointing to the right context IP,
or you can run OSPF between the contexts and the router.
For static it should look like:
ip route [vlan 1] [subnet] [context 1 outside ip]
ip route [vlan 20] [subnet] [context 2 outside ip]
And don't forget to make the allow ACLs on each context interface to allow communication between sub-interfaces within the context, and on the outside between contexts.
And on each context
you need a default route of course that points to the router for any other route you have.
If helpful, rate.
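The layout described in the reply above (no SVIs on the switch, one sub-interface per VLAN inside each context, static routes between contexts via the router), written out as an added configuration sketch that is not from the original thread. Addresses, VLAN 101/102 for the two outside links, context names ctx1/ctx2 and the interface names are all constructed assumptions; only ctx1 is shown in full, ctx2 mirrors it with 198.51.100.12 as its outside address.

```cisco
! === ASA, system execution space (multiple-context mode) - constructed example ===
interface GigabitEthernet0/0
 no shutdown                              ! towards the router
interface GigabitEthernet0/0.101
 vlan 101                                 ! outside link of context ctx1
interface GigabitEthernet0/0.102
 vlan 102                                 ! outside link of context ctx2
interface GigabitEthernet0/1
 no shutdown                              ! trunk towards the 6500 (layer 2 only)
interface GigabitEthernet0/1.1
 vlan 1
! ... one sub-interface per VLAN, up to GigabitEthernet0/1.20 / vlan 20 ...
context ctx1
 allocate-interface GigabitEthernet0/0.101
 allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.10
 config-url disk0:/ctx1.cfg
context ctx2
 allocate-interface GigabitEthernet0/0.102
 allocate-interface GigabitEthernet0/1.11-GigabitEthernet0/1.20
 config-url disk0:/ctx2.cfg
!
! === Context ctx1 (VLANs 1-10) ===
interface GigabitEthernet0/0.101
 nameif outside
 security-level 0
 ip address 192.0.2.11 255.255.255.0      ! router side of this link is 192.0.2.1
interface GigabitEthernet0/1.1
 nameif in-vlan1
 security-level 100
 ip address 10.0.1.1 255.255.255.0        ! default gateway of the hosts in VLAN 1
! ... repeat for GigabitEthernet0/1.2 - 0/1.10 (10.0.2.1 ... 10.0.10.1) ...
same-security-traffic permit inter-interface     ! VLANs 1-10 reach each other inside ctx1
route outside 10.0.11.0 255.255.255.0 192.0.2.1  ! one line per VLAN 11-20 (they live behind ctx2)
route outside 0.0.0.0 0.0.0.0 192.0.2.1          ! default route for everything else
! Lower-to-higher security traffic needs an inbound ACL: one ACE per ctx2 VLAN
access-list OUTSIDE-IN extended permit ip 10.0.11.0 255.255.255.0 10.0.0.0 255.255.0.0
access-group OUTSIDE-IN in interface outside
!
! === Router (has sub-interfaces in VLAN 101 and 102 towards the ASA) ===
ip route 10.0.1.0 255.255.255.0 192.0.2.11       ! VLANs 1-10: via ctx1 outside
ip route 10.0.11.0 255.255.255.0 198.51.100.12   ! VLANs 11-20: via ctx2 outside
```

Every VLAN-to-VLAN packet that crosses the two groups traverses the router and both contexts, which is the reason the original poster objects to this design in the next message.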
In that case I am using my Cisco 6500 as a layer 2 switch, oh god, and you say routing between the first 10 and the second 10 VLANs is to be done on the router; I am NATing in the firewall.
I would rather want inter-VLAN routing to occur in the 6500; otherwise the SUP 720 on it will feel really bad, huh.
Because the ASA in multiple-context mode does not allow any dynamic routing protocols, you can't achieve it through routing protocol features.
Keep in mind that you can use two default routes with the same metric for load balancing,
but this way you will have a problem from asymmetric routing for the return traffic:
you may send the outbound through context one and the return will be through context 2.
If you have NATing it may make problems.
OK, I can try avoiding NAT on the firewall and do it on the router.
But I tried using two default routes on the Cisco 6500, and in this case traffic is not being routed through the second gateway. I tried it; is there any tweaking I must be doing?
Try to make the interfaces between the 6500 and the contexts routed ports,
assign them IP addresses, include them in the routing and make the default route.
But I'm not sure about it; it should work either way!
Perhaps there are aspects of your situation that I do not understand. But it seems to me that you would want the inter-VLAN routing to be done on the switch and to route to destinations that are not on the switch through the contexts on the ASA and to the router.
To do that I would suggest that you configure the Policy Based Routing so that it denies traffic sourced from any of your local VLANs with a destination in any of your local VLANs, and then permits other traffic and sets the next-hop to the ASA address. Note that denying the traffic in PBR does not deny forwarding the traffic; it only denies the processing of PBR for the traffic, so the traffic would use the normal inter-VLAN forwarding which the switch can do.
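The PBR arrangement suggested in the reply above, written out as an added Catalyst 6500 (IOS) configuration that is not part of the original thread. Assumptions: VLAN n uses 10.0.n.0/24 (so VLANs 1-20 all fall inside 10.0.0.0/19), both contexts share an inside segment 10.0.255.0/24 with ctx1 at 10.0.255.1 and ctx2 at 10.0.255.2, and the route-map and ACL names are invented.

```cisco
! Step 1: "local to local" traffic, i.e. both ends on one of the 6500's own VLANs
ip access-list extended LOCAL-TO-LOCAL
 permit ip 10.0.0.0 0.0.31.255 10.0.0.0 0.0.31.255
! Step 2: everything else leaving the local VLANs
ip access-list extended LOCAL-TO-ANY
 permit ip 10.0.0.0 0.0.31.255 any
!
! Step 3: one route-map per context. A packet hitting the "deny" clause is only
! excluded from policy routing; the switch then forwards it from its own routing
! table, so inter-VLAN traffic stays on the 6500 and never touches the ASA.
route-map TO-CTX1 deny 10
 match ip address LOCAL-TO-LOCAL
route-map TO-CTX1 permit 20
 match ip address LOCAL-TO-ANY
 set ip next-hop 10.0.255.1
!
route-map TO-CTX2 deny 10
 match ip address LOCAL-TO-LOCAL
route-map TO-CTX2 permit 20
 match ip address LOCAL-TO-ANY
 set ip next-hop 10.0.255.2
!
! Step 4: first map on the SVIs of VLANs 1-10, second map on VLANs 11-20
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip policy route-map TO-CTX1
interface Vlan12
 ip address 10.0.12.1 255.255.255.0
 ip policy route-map TO-CTX2
! ... repeat for the remaining SVIs ...
!
! Segment towards the two contexts, plus an ordinary default route as the fallback
! for anything PBR does not touch (e.g. traffic originated by the switch itself)
interface Vlan255
 ip address 10.0.255.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.255.1
!
! Verify: "show route-map TO-CTX1" shows per-clause policy-routing match counters,
! "show ip policy" lists which SVI carries which map.
```

Return traffic from the Internet still enters whichever context the router (or the ASA's own routing) sends it to, so the asymmetric-routing caveat raised earlier in the thread applies unchanged to this design.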
Great, your idea is perfect for the scenario we were discussing. I might well get it to work this way, but the administrative overhead would become more; there might be administrators for this setup in the future that don't have an understanding of what I have done and cannot analyse it even from documentation.
Thus I was looking for a simple but good solution wherein I can route some part of the traffic onto one context and the remaining onto the other context. This may not even be equal load balancing.
Hope you understood what I was trying to deliver, and could you mention which aspect of the situation you didn't understand so that I could make myself clear.
Thank you very much.