Route MAP on a 3750 (or other Cisco device possibly)

ngthen
Level 1

For the sake of discussion, I have two 100mb/s circuits back to each of my firewalls (the 100mb/s bandwidth to each firewall is needed as I connect to other datacenters etc, but not really part of this discussion).  What I am wanting to do is send my server VLANs out data center A and my workstation VLANs out data center B.  I know that a route map can help, however if I use deny statements on my 3750 it causes CPU overhead as they are not hardware switched.  Are there any other Cisco devices that can accomplish this where I could say one route map denies all traffic from workstations and the other denies all traffic from servers?  If I were to use a router instead of a switch, assuming I have the correct interfaces on the device, would a 3745 or 2851 work (as I need to use a full 100mb/s at times)?  From here I could set my next hop to the appropriate firewall, providing that the deny statements can be used correctly without killing the CPU.

14 Replies

Jon Marshall
Hall of Fame

ngthen@moonark.com

For the sake of discussion, I have two 100mb/s circuits back to each of my firewalls (the 100mb/s bandwidth to each firewall is needed as I connect to other datacenters etc, but not really part of this discussion).  What I am wanting to do is send my server VLANs out data center A and my workstation VLANs out data center B.  I know that a route map can help, however if I use deny statements on my 3750 it causes CPU overhead as they are not hardware switched.  Are there any other Cisco devices that can accomplish this where I could say one route map denies all traffic from workstations and the other denies all traffic from servers?  If I were to use a router instead of a switch, assuming I have the correct interfaces on the device, would a 3745 or 2851 work (as I need to use a full 100mb/s at times)?  From here I could set my next hop to the appropriate firewall, providing that the deny statements can be used correctly without killing the CPU.

You can still use the 3750, just don't include any deny statements in your ACL, i.e. you don't have to specifically deny traffic because there is an implicit deny at the end of the ACL, so -

access-list 101 permit ip
access-list 101 permit ip
etc...

access-list 102 permit ip
access-list 102 permit ip
etc...

route-map PBR permit 10
match ip address 101
set ip next-hop x.x.x.x

route-map PBR permit 20
match ip address 102
set ip next-hop y.y.y.y

Jon

Ok so in theory all I would need to do would be add each VLAN I want to send to the workstation firewall using the allow statements.  I wouldn't need to have a route map for servers essentially, as these would use the standard default route on the device.  Now my next question would be how do internal routes work when using a route map?  If I have some static routes configured on the 3750 would the workstations be able to get to them OR would traffic just get sent out the ip next-hop?  I am hoping the first.

ngthen@moonark.com

Ok so in theory all I would need to do would be add each VLAN I want to send to the workstation firewall using the allow statements.  I wouldn't need to have a route map for servers essentially, as these would use the standard default route on the device.  Now my next question would be how do internal routes work when using a route map?  If I have some static routes configured on the 3750 would the workstations be able to get to them OR would traffic just get sent out the ip next-hop?  I am hoping the first.

Yes, servers could use the default route.

If the static routes are for a destination not included in your route-map acls then yes the clients will be routed via the normal routing table entries.

Jon

If I want to send all Internet outbound traffic through the route map is there an easy way to do it?  If I do 0.0.0.0 then wouldn't this override the static route and then not apply to the user?

ngthen@moonark.com

If I want to send all Internet outbound traffic through the route map is there an easy way to do it?  If I do 0.0.0.0 then wouldn't this override the static route and then not apply to the user?

That would override the static route and ALL traffic would be sent via your PBR next-hop. In this case you either need to -

1) have deny statements in your access-list for PBR for your internal subnets, but we are back to square one on this (perhaps it would have been helpful if you had mentioned everything in your initial thread!)

2) have permit entries in your ACL matching the static route entries first and send them to the next-hop, but this is not what PBR was designed for and is not a good solution

3) use a device that supports "set ip default next-hop" and then you can check the routing table first and only then PBR everything else

However I'm not sure which is of use because you keep changing the requirements.

Jon

I apologize for not putting that in my initial post, and you are correct for calling me out on it.  The "set ip default next-hop" command would be perfect.  I am not opposed to purchasing a device or devices that can do it.  In fact this would be more along the lines of what I am looking for.  Correct me if I am wrong, but static routes would still work correctly, however Internet traffic could be sent to a different default gateway.

ngthen@moonark.com

I apologize for not putting that in my initial post, and you are correct for calling me out on it.  The "set ip default next-hop" command would be perfect.  I am not opposed to purchasing a device or devices that can do it.  In fact this would be more along the lines of what I am looking for.  Correct me if I am wrong, but static routes would still work correctly, however Internet traffic could be sent to a different default gateway.

With "set ip default next-hop x.x.x.x" in your route-map the routing table is checked first, so any statics in the routing table would be used. However, it's important to note that if you also had a default route in your routing table, that would also be used for any other traffic and so nothing would be policy routed.

If you wanted to policy route all Internet traffic for clients then you would need to remove the default route, unless of course that was the correct next-hop, but then you wouldn't PBR.

Jon

brettborschel
Level 1

Route maps on a 3750 would be bad. Process switching all your traffic with the puny CPU on the 3750? You want this to happen natively with the routing table and CEF if possible.

At first I thought this was a simple problem however the more I think about it, the harder it gets. Not knowing too much about the actual design (you mentioned firewalls, so static routes everywhere?) makes it much harder.

This is all hypothetical, I haven't labbed it out for you or anything but it seems like it should work on some level.

How about something like using vrf-lite to create two separate routing tables in your switch. Then you can mess with the metrics to make vrf-servers prefer the route to datacenter A and vrf-users prefer the path to datacenter B. This makes your routing processes a bit more complicated to configure, especially if you haven't ever used vrf-lite before, however by having preferred routes in the table you will hardware switch the traffic with CEF. This option should work with static routes in case you don't have the option of running a dynamic routing protocol end to end.

Something like:

ip route vrf SERVERS 0.0.0.0 0.0.0.0 10.0.0.1 5
ip route vrf SERVERS 0.0.0.0 0.0.0.0 10.0.1.1 10
ip route vrf WORKSTATIONS 0.0.0.0 0.0.0.0 10.0.1.1 5
ip route vrf WORKSTATIONS 0.0.0.0 0.0.0.0 10.0.0.1 10

Also, BGP can make routing decisions based on prefix, which could work for you as well.

Message was edited by: brettborschel Jon is correct. I did some digging and PBR does happen in the ASICs. However, I would still be extremely careful with route maps on a 3750. I put a GRE tunnel on a 3750 once and it had to process switch everything that went over the tunnel. Needless to say the switch finally blew up.
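The forwarding semantics discussed in this thread, as an added Python simulation that is not from the thread or from Cisco: Jon's distinction between "set ip next-hop" (PBR wins, statics and the default route are bypassed) and "set ip default next-hop" (routing table first, and an existing 0/0 entry means nothing is policy routed), plus brettborschel's per-VRF floating statics where the lower administrative distance wins. All addresses, VRF tables and the use of a source network in place of an ACL are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumed, not from the thread).
FW_A = "10.0.0.1"   # firewall toward data center A (servers)
FW_B = "10.0.1.1"   # firewall toward data center B (workstations)
WORKSTATIONS = ipaddress.ip_network("192.168.10.0/24")
SERVERS = ipaddress.ip_network("192.168.20.0/24")
INTERNAL = ipaddress.ip_network("172.16.0.0/16")  # reached via a static
ANY = ipaddress.ip_network("0.0.0.0/0")

# A routing table is a list of (prefix, next hop, administrative distance),
# i.e. "ip route <prefix> <mask> <next-hop> [distance]" entries.
STATICS = [(INTERNAL, "10.0.2.1", 1)]
STATICS_WITH_DEFAULT = STATICS + [(ANY, FW_A, 1)]

# vrf-lite variant: one table per VRF with floating default routes; the
# lower distance is installed, the other takes over if it disappears.
VRF_SERVERS = [(ANY, FW_A, 5), (ANY, FW_B, 10)]
VRF_WORKSTATIONS = [(ANY, FW_B, 5), (ANY, FW_A, 10)]


def lookup(table, dst):
    """Longest-prefix match; ties broken by lowest administrative distance."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def forward(table, route_map, src, dst):
    """Next hop chosen for a packet by a permit-only route-map, then routing.

    route_map entries are (match_network, set_type, next_hop); match_network
    stands in for the matched ACL. set_type "next-hop" ignores the routing
    table; "default next-hop" consults it first and applies PBR only when no
    entry at all (not even 0/0) covers the destination.
    """
    src = ipaddress.ip_address(src)
    for match_net, set_type, nh in route_map:
        if src in match_net:
            if set_type == "next-hop":
                return nh
            table_hop = lookup(table, dst)
            return table_hop if table_hop is not None else nh
    return lookup(table, dst)  # no clause matched: implicit deny, normal routing


PBR_NEXT_HOP = [(WORKSTATIONS, "next-hop", FW_B)]
PBR_DEFAULT_NEXT_HOP = [(WORKSTATIONS, "default next-hop", FW_B)]
```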

Jon Marshall
Hall of Fame

Route maps on a 3750 would be bad. Process switching all your traffic with the puny CPU on the 3750?

PBR is done in hardware on the 3750, not in software, so the above statement doesn't apply unless you are actually using "deny" statements in your ACL. That is also why PBR on switches like the 3750 does not support all options, because of hardware limitations, something which routers generally don't have.

Jon

Do you know off hand which devices (router or switch) support the "set ip default next-hop" command?  I haven't looked at the products yet...just curious.  I like the option of "set ip default next-hop."  I could simply have a map for workstation networks and one for servers.  Doesn't seem too bad.

ngthen@moonark.com

Do you know off hand which devices (router or switch) support the "set ip default next-hop" command?  I haven't looked at the products yet...just curious.  I like the option of "set ip default next-hop."  I could simply have a map for workstation networks and one for servers.  Doesn't seem too bad.

Not off hand, but the 3560 doesn't support it. Then you are looking at 4500/4900/6500 for switches, and these, especially 4500 and 6500, are getting expensive just for PBR, and I'm not certain they even support the default next-hop option.

Most routers should support it though because, as I said in my last post, routers do things in software so it is easier to support the full range of options. Were you thinking of any device in particular?

Jon

I was thinking about possibly running 2 2851s using HSRP.  Each would be connected to a different firewall, however provide one common gateway.  The 2851s from what I was reading support around 110 mb/s when CEF is turned on.  This way I could take advantage of a faster line speed going back to my firewalls.

Do you know off hand if the 2851s would work in this case?

Regarding your question above, set ip default next-hop is supported on the 2800 series.

This output is from a 2821 with IOS below:

T-1#sh ver | inc bin
System image file is "flash:/c2800nm-adventerprisek9_ivs-mz.124-3g.bin"
T-1#

T-1(config-route-map)#set ip default next-hop ?
  A.B.C.D              Default next hop IP address
  verify-availability  Verify if default nexthop is a CDP neighbor

T-1(config-route-map)#set ip default next-hop

HTH

Reza
