Routing/Switching question

cowetacoit (Level 1)

I currently have a Cisco 4506 doing inter-VLAN routing for about 30 networks. I have a default route pointing towards an ASA5520, and a default route to our edge router, then to ISP1. I have a network on my LAN that needs to be routed out another ISP, ISP2. It is a VLAN for about 50 PCs that the public use, and I need them to be routed out ISP2 for content filtering services. Ideally I would like for them to be going through our ASA5520, but apparently an ASA can only have one default route. I've also looked at having a PIX501, but I couldn't get the two networks to communicate with each other. What if I was to set up a route map saying 10.0.0.0 /16 go to ASA/ISP1 and 192.168.250.0 /24 go to PIX/ISP2, would that work? Would the 10 network and the 192 network still be able to communicate with each other but still have separate internet connections?

Accepted Solution

Sure thing. :-)

Victor

17 Replies

Collin Clark (VIP Alumni)

A route map would work just fine here. You would set each network's next hop to be different, so each network would still be able to talk to the other. If you don't want them to talk, take a look at VRF-lite.

OK, cool. Do I leave the default route on my 4506 pointing to FW/ISP1 still? Or do I just take it out and let the route map do the routing to the FWs/ISPs?

I would leave it in. You can create a route map that just sends the 192 network to PIX1 and everything else will use the default route to ASA1.

lamav (Level 8)

Cow:

One approach is to do the following:

Set up PBR for the 192.168.250.0 subnet for internet-bound traffic (let's call that VLAN "VLAN 250").

The route map for the PBR will exclude (deny) traffic between VLAN 250 and all the other VLANs (so that the traffic between them doesn't get policy-routed), and then permit traffic from VLAN 250 to anywhere (policy-route Internet traffic).

access-list 100 deny ip
access-list 100 deny ip
access-list 100 permit ip
!
route-map INTERNET permit 10
 match ip address 100
 set ip next-hop
!
interface vlan 250
 ip policy route-map INTERNET

HTH

Victor

Clark:

Sorry for the cross post.

Victor

How about this. I guess I could just remove ACL 1 and the COWETA route map and just leave my default route for that network. Keep ACL 2 and the CPLS route map to route that traffic to PIX/ISP2.

192.168.250.1 = 4506 SVI
192.168.250.2 = PIX inside IP
192.168.100.0 /24 = network that needs to be routed to PIX/ISP2

! standard (1-99) ACLs match on source only and take no protocol keyword,
! so "permit ip ..." is rejected by IOS; the entries are written without it
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map COWETA permit 10
 match ip address 1
 set ip next-hop 10.0.0.75
!
route-map CPLS permit 20
 match ip address 2
 set ip next-hop 192.168.250.2
!
interface FastEthernet5/45
 ip policy route-map COWETA
!
interface vlan 100
 ip policy route-map CPLS

That's how I would do it. I like to keep that default route for new networks, troubleshooting, etc.

You only need a route map for VLAN 250.

Keep the default route.

Policy routing is performed before normal destination-based routing in the order of operations, so if the traffic does not match what's on the PBR filter, then it will be routed normally.

That's why I recommended you deny the inter-VLAN traffic, except for VLAN 250 to "any". You will need an extended ACL for that, as shown above.

HTH

Victor

Cow:

I think we're cross-talking. You aren't addressing your messages, so I'm not sure who you're talking to. :-)

Clark is more than capable of helping you. So, I'll just drop out, unless you are talking to me.

Victor

My bad, lamav.

So...

ip route 0.0.0.0 0.0.0.0 (ISP1)

then...

! standard ACL: source only, no protocol keyword
access-list 1 permit 192.168.250.0 0.0.0.255
!
route-map CPLS permit 10
 match ip address 1
 set ip next-hop 192.168.250.2
!
interface vlan 250
 ip policy route-map CPLS

192.168.250.0 /24 = subnet/VLAN for hosts
192.168.250.1 = SVI on 4506
192.168.250.2 = PIX inside

C:

No problem.

It's OK, but take note of what I said in my last post.

Policy routing is performed before normal destination-based routing in the order of operations, so if the traffic does not match what's on the PBR filter, then it will be routed normally.

That's why I recommended you deny the inter-VLAN traffic, except for VLAN 250 to "any". You will need an extended ACL for that, as shown above.

See the example I gave you.

If you leave the standard ACL with the permit, you will policy-route ALL traffic sourced from that subnet destined to anywhere, INCLUDING the other VLANs. I know you don't want that. You want normal inter-VLAN routing.

HTH

Victor

GREAT!

So... this won't affect my inter-VLAN routing?

(10.0.0.0 /16 is my network summarized)

access-list 100 deny ip 10.0.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
!
route-map CPLS permit 10
 match ip address 100
 set ip next-hop 192.168.250.2
!
interface vlan 250
 ip policy route-map CPLS

Slight change in order for consistency...

access-list 100 deny ip 192.168.250.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 any

HTH

Victor
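To check the three ACL drafts from this thread against packets without a switch, here is a small Python model of the Catalyst PBR lookup. It is an added example, not code from the thread or from Cisco: it implements Cisco wildcard matching, first-match ACL evaluation with the implicit deny, route-map sequences applied on the ingress SVI before the routing-table lookup, and longest-prefix fallback. The addresses are the ones used in the thread; the host 192.168.250.10, the VLAN 5 subnet 10.0.5.0/24, the Internet destination 198.51.100.7 and the ISP1/ASA next hop 10.0.0.75 (taken from the poster's earlier COWETA route-map) are assumptions made for the example.

```python
# Model of the PBR lookup discussed above (added example, not the poster's or
# Cisco's code): wildcard ACLs in first-match order, route-map before the RIB,
# longest-prefix fallback.  Only 'ip' entries, 'any' and 'host' are modelled.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD' from the front of a token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0) if tokens else "0.0.0.0")

def parse_acls(config):
    """Return {acl_number: [(action, (src, src_wc), (dst, dst_wc)), ...]} in config order."""
    acls = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number < 100:                      # standard ACL: source address only
            if rest[0] == "ip":               # IOS rejects a protocol keyword here
                raise ValueError("standard ACLs take no protocol keyword: " + line)
            src, dst = _take_addr(rest), ANY
        else:                                 # extended ACL: ip SRC WC DST WC
            if rest.pop(0) != "ip":
                raise ValueError("only 'ip' entries are modelled: " + line)
            src, dst = _take_addr(rest), _take_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def acl_permits(entries, src, dst):
    """First matching entry decides; an ACL ends with an implicit 'deny any'."""
    for action, (s, swc), (d, dwc) in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

def normal_route(rib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; 0.0.0.0/0 is the default route."""
    addr, best = ipaddress.IPv4Address(dst), None
    for prefix, next_hop in rib:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]

def forward(src, dst, ingress_vlan, policy, acls, rib):
    """PBR runs before the RIB lookup: the first route-map sequence whose ACL permits
    the packet sets the next hop; otherwise the packet is routed by destination."""
    for acl_number, next_hop in policy.get(ingress_vlan, []):
        if acl_permits(acls[acl_number], src, dst):
            return next_hop
    return normal_route(rib, dst)

# Constructed addressing from the thread; 10.0.0.75 as the ISP1/ASA next hop is
# taken from the poster's earlier COWETA route-map and is an assumption here.
RIB = [("10.0.5.0/24", "connected Vlan5"),
       ("192.168.250.0/24", "connected Vlan250"),
       ("0.0.0.0/0", "10.0.0.75")]
PIX_INSIDE = "192.168.250.2"
STANDARD_ACL = "access-list 1 permit 192.168.250.0 0.0.0.255"
REVERSED_DENY_ACL = """
access-list 100 deny   ip 10.0.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
"""
FINAL_ACL = """
access-list 100 deny   ip 192.168.250.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
"""

def decisions(acl_config, acl_number):
    """Next hop for three constructed flows with route-map CPLS (match acl_number,
    set ip next-hop PIX_INSIDE) applied to interface Vlan250 only."""
    acls = parse_acls(acl_config)
    policy = {"Vlan250": [(acl_number, PIX_INSIDE)]}
    return {
        "vlan250_to_vlan5": forward("192.168.250.10", "10.0.5.20", "Vlan250", policy, acls, RIB),
        "vlan250_to_internet": forward("192.168.250.10", "198.51.100.7", "Vlan250", policy, acls, RIB),
        "vlan5_to_internet": forward("10.0.5.20", "198.51.100.7", "Vlan5", policy, acls, RIB),
    }
```

Calling decisions() with each draft shows the point Victor made: with the standard ACL, and also with the deny written as 10/16 to 192.168.250.0/24 (which never matches on Vlan250, because traffic entering that SVI is always sourced from 192.168.250.0/24), VLAN 250 traffic to the other VLANs is handed to the PIX; with the final ACL 100 it is routed over the connected route and only Internet-bound traffic goes to 192.168.250.2, while VLAN 5 still uses the default route. The model ignores things a real box does first (the connected-interface check for traffic to the SVI itself, CEF/TCAM programming limits), so treat it as a sanity check on ACL order, not as a simulator.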

Vic, if this works I'd buy you a beer. I've been working on this for two weeks now. I just didn't know if the PBR would work because of the PIX, but I was thinking about it wrong. This should straighten everything out now. I'll let you know if it works.
