Different Default Routes for Groups of VLANS

I've inherited a Cisco Catalyst 4006 switch with a WS-4232-L3 routing module. Currently, all of our VLANS are connected to each other by this router.

What I want to do is take a portion of our network that contains VLANS that are comprised of untrusted computers (student dorms, wireless network, third-party) and have their traffic exit the Catalyst 4006 switch, pass through a Packetshaper, then through our firewall, then either directly out to the Internet or back into our trusted network. I want to do this while still routing packets between the trusted VLANs, and do both using the one routing module.

As I am a novice at configuring Cisco routers, can someone tell me if this can be done and, if so, an example of how to do so?


Curtis Spears

Sr. Network Administrator

Northwest Nazarene University


Re: Different Default Routes for Groups of VLANS

What you want to do can most likely be achieved through policy routing:

You can send traffic either way, for example based on its source address.



Re: Different Default Routes for Groups of VLANS

Unfortunately, the 4232-L3 card does not support PBR. You might have to point the untrusted vlans' PCs' default gateway to the Firewall.

Re: Different Default Routes for Groups of VLANS

How about if you take the untrusted vlans off the l-3 routing module? They will then be only L-2 as far as the switch is concerned. Create a VLAN between the router and f/w which will be used to send traffic to the untrusted vlans via the f/w. The firewall then needs another connection back to your trusted vlans and one out to the internet. In effect the untrusted vlans can only get back to the trusted domain via the f/w. And as the previous post suggested, the untrusted PCs have to have their DGW set to the firewall. It will be easier if your fw supports trunking.

I would not say that what I have suggested is best practice from the security perspective, but it's a way of solving your problem. I would at least try and keep the external f/w interface physically separated from the cat switch.
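
Added example, not part of the thread or any poster's configuration: a small Python check that models the layer-3 adjacencies of the original design and of the layout suggested in the last reply, then tests whether untrusted VLANs can reach anything without crossing the firewall. The node names and both adjacency tables are constructed for illustration, and the Packetshaper is left out because it sits in-line on the firewall path.

```python
from collections import deque

# Constructed L3 adjacency models; an edge means "forwards packets directly to".
BEFORE = {  # every VLAN has a routed interface on the L3 module
    "untrusted_vlans": {"l3_module"},
    "trusted_vlans": {"l3_module"},
    "l3_module": {"untrusted_vlans", "trusted_vlans", "firewall"},
    "firewall": {"l3_module", "internet"},
    "internet": {"firewall"},
}
AFTER = {  # untrusted VLANs are L2-only; their default gateway is the firewall
    "untrusted_vlans": {"firewall"},
    "trusted_vlans": {"l3_module"},
    "l3_module": {"trusted_vlans", "firewall"},  # transit VLAN router <-> f/w
    "firewall": {"untrusted_vlans", "l3_module", "internet"},
    "internet": {"firewall"},
}


def reachable(graph, src, dst, blocked=frozenset()):
    """Breadth-first search: can src reach dst without entering a blocked node?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return False


def audit(graph, src="untrusted_vlans", chokepoint="firewall"):
    """Map each destination to True if some path from src avoids the chokepoint."""
    return {
        dst: reachable(graph, src, dst, blocked={chokepoint})
        for dst in ("trusted_vlans", "internet")
    }


if __name__ == "__main__":
    for name, graph in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(graph))
```

A `True` in the result marks a destination that untrusted hosts can reach around the firewall, which is what the shared routing module allows in the original design.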