Routing for internal network and guest network

snowmizer
Level 1

I am implementing a guest wireless network to work alongside my internal network. The guest network will use the existing switching network and will be separated by VLANs. I have the ASA set so that traffic can get to it and out to the Internet. I can set up a workstation on the same VLAN as my guest network and can route inside my network (strictly doing this for testing purposes). Where I am having problems is with the Catalyst 4506 switches and the ip routing. I had two separate "ip route" statements defined on my switches.

ip route 10.200.2.0 255.255.255.0 10.200.2.254

ip route 0.0.0.0 0.0.0.0 10.100.100.254

I have discovered that the traffic is always following the default route despite the fact that my IP address on my test workstation falls in the 10.200.2.x network. I was looking at documentation and found that it is possible to set up policy-based routing on the core switches. Can you have two "ip route" statements defined like this to segregate traffic, or do I have to use PBR for routing (or a combination) in this case? If I define PBR, then how does that impact my existing routing? I need to make sure that I can still route the existing traffic while I'm configuring this change.

Thanks.


andrew.prince
Level 10

ip route 10.200.2.0 255.255.255.0 10.200.2.254 this tells the device that any traffic for that network must use the next hop of 10.200.2.254. However, for that to work the device must have an interface in that range; otherwise it will follow a default route if one is configured - this is very normal routing. I cannot see any purpose for this on your problem description.

All you need to do is trunk the guest VLAN to the ASA - and have the only layer 3 default gateway for the guest VLAN on the firewall.

JMTPW.
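To make the point above concrete, here is an added example (not from the thread or from Cisco) that models how a switch selects a route: lookups are by destination, longest prefix wins regardless of the order the "ip route" statements were entered, and a static route whose next hop is not on a directly connected network is never used. The SVI addresses and the 203.0.113.10 / 10.200.2.50 test destinations are constructed values.

```python
import ipaddress

# Constructed model of IOS-style route selection (added example, not from the thread).
# Lookups are by DESTINATION, use longest prefix match, prefer connected routes over
# static ones, and a static route is only usable when its next hop sits on a network
# the switch itself has an interface in.

AD_CONNECTED, AD_STATIC = 0, 1

def build_table(interfaces, static_routes):
    """interfaces: SVI addresses in CIDR form; static_routes: (prefix, next_hop) pairs."""
    table = []
    for cidr in interfaces:
        table.append((ipaddress.ip_interface(cidr).network, "connected", AD_CONNECTED))
    for prefix, next_hop in static_routes:
        nh = ipaddress.ip_address(next_hop)
        # Next hop must be on a directly connected network; otherwise the route is
        # not usable and lookups fall through to shorter prefixes (e.g. the default).
        if any(nh in ipaddress.ip_interface(c).network for c in interfaces):
            table.append((ipaddress.ip_network(prefix), next_hop, AD_STATIC))
    return table

def lookup(table, destination):
    """Return 'connected' or the next-hop address for a destination, or None if no route."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r[0]]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lower administrative distance wins.
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

# Constructed values matching the thread: the switch has an SVI only in the internal
# range, plus the two "ip route" statements exactly as posted.
INTERNAL_SVI = "10.100.100.1/24"
GUEST_SVI = "10.200.2.1/24"
STATIC_ROUTES = [
    ("10.200.2.0/24", "10.200.2.254"),
    ("0.0.0.0/0", "10.100.100.254"),
]

def guest_to_internet_next_hop(interfaces):
    """A guest client's packet to an Internet host, 203.0.113.10 (constructed)."""
    return lookup(build_table(interfaces, STATIC_ROUTES), "203.0.113.10")

def to_guest_subnet_next_hop(interfaces, statics=STATIC_ROUTES):
    """A packet destined to a guest client, 10.200.2.50 (constructed)."""
    return lookup(build_table(interfaces, statics), "10.200.2.50")
```

With only the internal SVI, both lookups return 10.100.100.254: traffic to the Internet follows the default because routing is by destination, and traffic to the guest subnet does too because the 10.200.2.254 next hop is unreachable; the guest-bound traffic therefore lands on the primary firewall context and is inspected by the wrong policy.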

Yeah I know I can set up the VLAN on the ASA (I've got a couple of these set up already). I set up contexts on my ASA so that I could keep the guest network firewall separate from my internal network so I can have separate rules and make it easier to manage.

I've got the VLAN set up on all appropriate switches and the workstation is attached to a port that is also in this VLAN. Despite this it is still sending traffic to the default route (and thus the wrong firewall).

OK - is your guest context firewall configured to work in transparent mode?  Is your primary firewall context configured to pick up this specific VLAN also?

I must admit I have no experience with multiple firewall contexts.

I would advise this ticket should be redirected/reposted into the Firewall section.

Yeah the firewall is set to work in transparent mode. When I originally ran this test I didn't have the VLAN set up on my primary firewall context. However when doing a packet capture I could see that the packets were being received by the primary context instead of the guest context.

Does the order of the ip route statements matter on the switches? I was wondering if part of my problem is that this is working like ACLs...first match wins.

I will also move this discussion to the firewall section.

Thanks.

1) From a layer 2 point of view - the guest firewall context must not be in transparent mode, it must have a layer 3 IP interface in the path to be effective.

2) From a switch point of view, they should not need routes as they should not be participating in routing for this particular VLAN as the default gateway should just be the firewall - for this to happen you need point 1.

HTH.

I misspoke earlier. The firewall is in routed mode (both contexts). Why wouldn't they need routes? I can't have two inside interfaces on my ASA (different contexts) with the same IP? If that's the case then I would think I would need a route to specify which firewall the guest network traffic should be routed to?

Maybe I'm not understanding something completely (or I'm just confusing myself).

Thanks.

Sorry, my fault - sorry for the confusion...

When I was referring to routes - I was referring to the switches. If your switch is configured for a VLAN - which is Layer 2, and your firewall has the only "routed" Layer 3 interface in the VLAN - why does the switch need a Layer 3 interface? It does not; the client machines' Default Gateway should be the IP address of the VLAN interface on the firewall context that handles the specific VLAN.

Man was I confusing myself. I didn't even think about just setting the default gateway on the wireless network to the guest network interface. All makes perfect sense now.

Thanks for the help the network is working great now.

Sometimes you cannot see the wood for the trees; I myself get caught out with that more times than I am willing to admit.

Glad to help - Have a stress free Xmas now!!
