Solved: Re: Routing guest vlan from different router

techguy · ‎10-10-2017

Hi,

We have existing network of core switch and one main router. All vlans traffic was going out from main router. Now, we have decided to isolate guest network from corporate network.

So, I connected secondary router with same core switch port. Now, i want to route guest vlan traffic to that secondary router and rest all vlan continue to router from primary router.

Can anyone let me know that how to do this. Thanks

paul driver · ‎10-10-2017

Hello

you can also have the guest L3 on this new rtr and just have L2 on your Lan towards it in that case you are just utilising the physical infrastructure-But given the choice vrf -lite would be the most applicable

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Richard Burts · ‎10-10-2017

The important parts of configuring PBR include these steps:

- configure an access list that identifies the traffic that will need the special routing of PBR.

- configure a route map that will use the access list to identify traffic and will set the next hop for the traffic that matches the ACL.

- apply the route map on the interface which receives the traffic that will need the special routing of PBR.

Since we do not know anything specific about your environment, assume these parameters to create an example for the PBR. Guest uses network 192.168.200.0. Guest is on vlan 200. The next hop address for the new router is 1.2.3.4. Something like this is what you need to add to your config:

access-list 100 permit ip 192.168.200.0 0.0.0.255 any

route-map PBR_guest permit 10

match ip address 10

set ip next-hop 1.2.3.4

interface vlan 200

ip policy route-map PBR_guest

There are a number of other things that could be used in PBR but this represents the basics of what you would need.

HTH

Rick

HTH

Rick

View solution in original post

Joseph W. Doherty · ‎10-10-2017

VRFs or different routing processes or protocols might accomplish your requirement. Which might be best will depend on your device feature support and whether you still need to route as all between the guest subnet and your other subnets.

BTW, what's the purpose of routing on a different router for your guest network?

Richard Burts · ‎10-10-2017

We do not know what kind of switch is the core switch so we do not know what its capabilities are. If it supports VRFs (and especially if it supports VRF Lite) then that might be the optimum way to separate the guest traffic and send it through the second router. The other option to consider would be to use Policy Based Routing to send traffic from the Guest vlan to the second router.

HTH

Rick

HTH

Rick

techguy · ‎10-10-2017

Core switch is 3750 with advipservices IOS. How to configure VRF lite or PBR. Can you please let me know. Thanks

Richard Burts · ‎10-10-2017

The important parts of configuring PBR include these steps:

- configure an access list that identifies the traffic that will need the special routing of PBR.

- configure a route map that will use the access list to identify traffic and will set the next hop for the traffic that matches the ACL.

- apply the route map on the interface which receives the traffic that will need the special routing of PBR.

Since we do not know anything specific about your environment, assume these parameters to create an example for the PBR. Guest uses network 192.168.200.0. Guest is on vlan 200. The next hop address for the new router is 1.2.3.4. Something like this is what you need to add to your config:

access-list 100 permit ip 192.168.200.0 0.0.0.255 any

route-map PBR_guest permit 10

match ip address 10

set ip next-hop 1.2.3.4

interface vlan 200

ip policy route-map PBR_guest

There are a number of other things that could be used in PBR but this represents the basics of what you would need.

HTH

Rick

HTH

Rick

techguy · ‎10-10-2017

Mr. Rick,

Thanks for your reply. I have followed as you suggested below and on 2nd router i configured IP on LAN interface 1.1.1.2/30 and in switchport 1.1.1.1/30.

2nd router WAN port is also configured with public IP. Internet is working from 2nd router.

Now, when i ping 8.8.8.8 from switch keeping source as vlan 200 it does ping. Switch can ping router LAN interface 1.1.1.2. 2nd router is 1841. There are 2 router in 2nd router

ip route 0.0.0.0.0 0.0.0.0 <public IP>

ip route 192.168.200.0 255.255.255.0 1.1.1.1

Richard Burts · ‎10-11-2017

Thank you for the additional information. Can you clarify how the switchport is configured? Is it configured as a routed port (no switchport), or is it in a vlan? If in a vlan then which vlan is it in?

Also I am not clear in your response whether you have configured PBR on the switch. Can you clarify this?

HTH

Rick

HTH

Rick

techguy · ‎10-11-2017

switch port is having IP address 1.1.1.1 255.255.255.252 and "no switchport" command.

Vlan interface is having IP address 192.168.200.254 255.255.255.0 and ip poloicy "route-map"command.

one ACL matching intresting traffic which is 192.168.200.0/24

one route map having match & set commands. matching ACL and setting next hop 1.1.1.2.

In router, interface is configured with 1.1.1.2 255.255.255.252 & ip nat inside

other interface is having public IP address.

2 ip routes, one default route to public IP & other is 192.168.200.0/24 next hop 1.1.1.1

Thanks.

Richard Burts · ‎10-12-2017

Thank you for the additional information. What you tell of the configuration sounds right. Is the PBR working?

HTH

Rick

HTH

Rick

techguy · ‎10-10-2017

Guest vlan traffic shouldnt coomunicate with other vlan network. Secondary router is used with another ISP.

paul driver · ‎10-10-2017

Hello

you can also have the guest L3 on this new rtr and just have L2 on your Lan towards it in that case you are just utilising the physical infrastructure-But given the choice vrf -lite would be the most applicable

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

techguy · ‎10-10-2017

in my core switch guest vlan is created before. Right now guest vlan is passing from core switch to primary link using firewall. I have one default router toward firewall from switch.

I have connected one switchport of core switch with secondary router. Thanks