2 ip routes in 3550 EMI switch possible?

M.Vrazalic
Level 1

Firewall connected to EMI 3550 switch.

The ip route command on EMI 3550 is:

ip route 0.0.0.0 0.0.0.0 10.10.10.1

where 10.10.10.1 is the inside interface of the firewall and is the gateway of last resort. Now, I connected another cable from the same switch to the DMZ interface of the same firewall. I want a certain IP subnet (for example 192.16.0.0) to use this as its default gateway. Can I just type:

ip route 192.16.0.0 255.255.0.0 20.20.20.1 (where 20.20.20.1 is the IP address of the DMZ interface of the firewall)?

I'm confused in general with the ip route command. If I have other internal networks, like 5 different VLANs with different subnets, can I specify these in the ip route command and tell them what their default gateway will be?

How many ip routes are possible anyway?

12 Replies

johgill
Level 1

The "ip route" command expects the following input (in the most simple sense):

ip route

If you want to route based on source address, you would need to implement policy-based routing.

If you wish to change the default gateway for the hosts, I suggest just setting that through DHCP.

Not applicable

Hi,

I posted this earlier; that's the way to get this to work:

What you need is policy-based routing. Here's my first stab at a potential config:

interface vlan2
 ip policy route-map INSIDE_PBR
!
interface vlan3
 ip policy route-map INSIDE_PBR
!
interface vlan4
 ip policy route-map DMZ_PBR
!
route-map DMZ_PBR permit 10
 set ip default next-hop 210.1.1.1
!
route-map INSIDE_PBR permit 10
 set ip default next-hop 200.1.1.1
!

Explanation: for traffic destined to the Internet and coming in through the interfaces above, the route-map will kick in and force it to go via the specified next-hop. For all non-Internet traffic, the standard destination-based routing will occur. As for the default route on the switch, leave it as whatever it is - it will only affect traffic originating from the switch itself.

Hope that helps - pls rate the post if it does.

Paresh

Hi Paresh,

Thanks for the above. I tried it out. It seems to work, and the only reason I know is because when I ping from computers in the DMZ they cannot reach the inside interface, and likewise when I ping computers in VLANs 2 and 3, they cannot reach the DMZ interface. HOWEVER,

what really is annoying me like never before is the fact that unless I specify 200.1.1.1, for instance, to be the gateway of last resort, in the sense of ip route 0.0.0.0 0.0.0.0 200.1.1.1, I cannot get the inside VLANs (2 and 3) to actually reach the internet. This is also a problem because they can reach it through there, BUT the computers on the DMZ cannot reach the internet!

From what you described, it seems as if PBR is not working. Would you be able to post the relevant bits of your config?

Paresh

Another thing is that the default next-hop command is not available with the 12.1 software, it seems, so I couldn't use it, but yes, the PBR did not work... again, to this day, it seems that the only reason the net will work is because I'll put the gateway of last resort to point to the inside interface of the firewall... I will have to post it tomorrow as I've left work, although, if you could shed some light on this gateway of last resort, I'd appreciate it...

Early morning start... back to work... to basically summarise for you, this is the outcome of show ip route on the switch connected to the firewall:

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C    200.1.1.0/24 is directly connected, FastEthernet0/1
C    172.64.0.0/16 is directly connected, Vlan2
     10.0.0.0/29 is subnetted, 1 subnets
C       10.30.30.248 is directly connected, Vlan10
C    210.1.1.0/24 is directly connected, FastEthernet0/5
     10.0.0.0/24 is subnetted, 1 subnets
C       10.60.46.0 is directly connected, Vlan4
S*   0.0.0.0/0 [1/0] via 200.1.1.1
C    192.168.0.0/16 is directly connected, Vlan3

BUT, I don't think I want this gateway of last resort! The only reason the bloody internet works for the internal networks is because of this!

I applied pbr_inside to VLANs 2 and 3 and pbr_dmz to VLAN 4.

Here's the info for the above on the switch:

access-list 10 permit 200.1.1.0 0.0.0.255
access-list 20 permit 210.1.1.0 0.0.0.255
!
route-map pbr_inside permit 10
 match ip address 10
 set ip next-hop 200.1.1.1
!
route-map pbr_dmz permit 20
 match ip address 20
 set ip next-hop 210.1.1.1

So, as you can see, 200.1.1.1 is the inside interface of the firewall and 210.1.1.1 is the DMZ interface of the firewall...

Man, I broke my head over these examples... hope you can help out!

Your access-list, I believe, is configured incorrectly. The purpose of the ACL is to determine which source IP to match and apply the PBR rule to. It should read something like this:

access-list 10 permit 172.64.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 20 permit 10.60.46.0 0.0.0.255

Oh yes, indeed. I will try this. You mean to say that I need to specify the internal networks in the access list and set the inside and DMZ interfaces of the firewall as the next hop. I will try that.

Question: would you recommend I just put in these static routes and follow PBR, or would you go ahead with the OSPF routing protocol instead (or other dynamic routing protocols)?

I think I'm gonna cry! It worked! :) Thanks a mill, mate... an obvious error, but I was so frustrated earlier that I didn't notice it...

Tell me, though, what is your suggestion? Would you use this over dynamic routing (with OSPF, RIPv2, etc.)?

What device would the switch exchange routes with? Given your current configuration I don’t believe you have a requirement for a dynamic routing protocol. IMHO, static routing with PBR is the optimal solution.

Your PBR next-hop IPs are directly connected routes in the route table. Assuming that your DMZ and internal firewall interfaces are up, dynamically learned or statically configured routes will not influence your policy routes. If one of the interfaces were to go down, the switch would use the route table to make a routing decision. In other words, if the switch's DMZ interface entered a down state, packets sourced from the 10.60.46.0/24 network would no longer use the policy, and a decision would be made based on the route table.

Make sense?
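The ACL mix-up and the fallback behaviour discussed in the replies above, as an added Python model that is not part of this thread and not IOS code: it evaluates a standard ACL with wildcard masks, applies the ingress VLAN's route-map before the routing table, and falls back to the table (longest prefix, then the gateway of last resort) when the next-hop's interface is down. It also models the difference between the poster's set ip next-hop, which steers every matching packet, and Paresh's set ip default next-hop, which IOS only uses when the table has nothing more specific than the default route. The routing table and addresses are taken from the show ip route output posted above; the host addresses in the test are constructed.

```python
import ipaddress
# Constructed model of the 3550 in this thread (not the poster's config, not IOS):
# the ingress VLAN's route-map is checked first, then the routing table decides.

def wildcard_match(addr, base, wildcard):
    """IOS standard-ACL test: wildcard bits set to 1 are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Routing table as posted in 'show ip route': (prefix, next-hop, interface).
ROUTES = [
    ("200.1.1.0/24", None, "FastEthernet0/1"),
    ("210.1.1.0/24", None, "FastEthernet0/5"),
    ("172.64.0.0/16", None, "Vlan2"),
    ("192.168.0.0/16", None, "Vlan3"),
    ("10.60.46.0/24", None, "Vlan4"),
    ("0.0.0.0/0", "200.1.1.1", "FastEthernet0/1"),  # S* gateway of last resort
]

def table_lookup(dst):  # longest-prefix match; the default route guarantees a hit
    ip = ipaddress.IPv4Address(dst)
    hits = [r for r in ROUTES if ip in ipaddress.IPv4Network(r[0])]
    return max(hits, key=lambda r: ipaddress.IPv4Network(r[0]).prefixlen)

# Route-maps keyed by ingress interface: (ACL entries, next-hop, default_only).
# default_only=True models 'set ip default next-hop', which is only used when the
# table has nothing more specific than the default route for the destination.
ANY = [("0.0.0.0", "255.255.255.255")]
INSIDE = [("172.64.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.255.255")]
BROKEN = {"Vlan2": ([("200.1.1.0", "0.0.0.255")], "200.1.1.1", False),  # ACLs name the
          "Vlan4": ([("210.1.1.0", "0.0.0.255")], "210.1.1.1", False)}  # firewall nets
FIXED = {"Vlan2": (INSIDE, "200.1.1.1", False), "Vlan3": (INSIDE, "200.1.1.1", False),
         "Vlan4": ([("10.60.46.0", "0.0.0.255")], "210.1.1.1", False)}  # source nets
PARESH = {"Vlan2": (ANY, "200.1.1.1", True), "Vlan3": (ANY, "200.1.1.1", True),
          "Vlan4": (ANY, "210.1.1.1", True)}  # no match clause, default next-hop

def forward(src, dst, in_iface, policy, down=()):
    """Return (next_hop, egress interface, 'policy' or 'table') for one packet."""
    table = table_lookup(dst)
    if in_iface in policy:
        entries, nh, default_only = policy[in_iface]
        nh_iface = table_lookup(nh)[2]          # next-hop sits on a connected subnet
        matched = any(wildcard_match(src, b, w) for b, w in entries)
        explicit = table[0] != "0.0.0.0/0"      # table knows a better route than default
        if matched and nh_iface not in down and not (default_only and explicit):
            return nh, nh_iface, "policy"
    return table[1], table[2], "table"          # no match, next-hop down, or default-only
```

With BROKEN, an inside host's internet-bound packet never matches the ACL and is forwarded purely by the gateway of last resort, and a DMZ host's packet is sent to the inside firewall interface, which is the symptom described above.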

Hey mate.

Thanks for the reply. Sorry I couldn't reply earlier. Yes, what you said makes sense. The policy will take precedence over the routing table, unless an interface goes down. Thanks for everything again. Cheers.
