Tricky: IP Route command for 2 gateways on same switch

M.Vrazalic
Level 1

The firewall has 3 interfaces:

1 goes to external (router and hence internet), 1 inside interface for the internal network (connects to EMI 24 port 3550 switch) and 1 DMZ interface.

I've connected the inside to, let's say, FastEthernet port 1 on switch 1. On that switch I've got 2 internal networks, VLAN 2 and 3, that use "ip route 0 0 firewall_inside_ip" as the gateway of last resort.

Now, if I take the DMZ interface of the firewall and connect it to port 24 of the EMI 24 port 3550 switch and create VLAN 5 for the DMZ on that same switch (logically I'm trying to separate the internal VLANs and the DMZ VLAN), I can't exactly use the same ip route and gateway of last resort, as I don't want the DMZ servers to use the firewall inside interface as gateway, and I can't specify 2 gateways of last resort. I tried using ip route, but it didn't work.

Any ideas?

6 Replies

ankurbhasin
Level 9

Hi Friend,

Why don't you add one more static route specifically for the DMZ network?

You already have one default route, which is the least preferred route. If you configure the 3550 switch with one static route (not a default route) specific to the DMZ network, that will be preferred first, and in case the traffic is not destined for the DMZ network it will then check the default route you already have on your switch.

HTH, if yes please rate the post.

Ankur

Hi Ankur,

I've tried setting up another static route but it didn't work out for me.

(Something in terms of the ip route command on the 3550 switch: I used "ip route a.b.c.d mask dmz_firewall interface_ip", but it didn't work. Have I done something wrong on the firewall? Also, when I tried entering the above, I was given a message on the switch that I was using an interface on the same switch, or something similar to that?!)

The problem you probably ran into was that the "interface_ip" you specified was the IP address of the interface on the firewall itself. You should have used the ip address of the device that the firewall connects to on that interface....

Hope that helps - pls rate the post if it does.

Paresh

Hi pkhatri,

Basically, this is what's happening. You've got a router that connects to the firewall. We have no control over the router, but our administration starts from the firewall.

OK. Below IP addresses are for illustration only.

The outside address of firewall is 70.197.78.58

(hence the router port that connects to firewall is 70.197.78.57).

The inside interface of firewall is 200.1.1.2 (this one connects to 24 port EMI switch acting as L3 switch). The DMZ interface of firewall is 210.1.1.2 (this one connects to same 24 port EMI switch).

The other settings on firewall (incomplete and partial details here to get idea):

route inside 172.16.0.0 255.255.0.0 200.1.1.1

route dmz 172.32.0.0 255.255.0.0 210.1.1.1

The layer 3 EMI switch has 24 ports. On the 1st port there is "no switchport" and the IP address is 200.1.1.1 (this one connects to the firewall inside port). Port 24 connects to the DMZ interface of the firewall and has IP 210.1.1.1 (also a layer 3 interface, "no switchport" command used).

On the same switch, you also have VLAN 2 with VLAN IP 172.16.16.254, and VLAN 3 with VLAN IP 192.16.16.254 (used by staff members). VLAN 10 is the management VLAN, 10.10.10.254, while VLAN 4 is the DMZ VLAN with VLAN IP 172.32.32.254.

The ip route command on the switch is 0.0.0.0 0.0.0.0 200.1.1.2 (points to the inside interface of the firewall).

VTP domain is cisco and this switch is the server.

So what I now want is to have:

ip route 172.32.0.0 255.255.0.0 210.1.1.1

for the DMZ to leave the layer 3 switch and connect to the DMZ interface of the firewall, as well as

ip route 172.16.0.0 255.255.0.0 200.1.1.1

ip route 192.16.0.0 255.255.0.0 200.1.1.1

for the two internal staff VLANs to connect to the inside interface of the firewall.

Is all this possible?

Thanks for the detail.. I begin to see the picture :-)

What you need is policy-based routing. Here's my first stab at a potential config:

interface vlan2
 ip policy route-map INSIDE_PBR
!
interface vlan3
 ip policy route-map INSIDE_PBR
!
interface vlan4
 ip policy route-map DMZ_PBR
!
route-map DMZ_PBR permit 10
 ! next hop is the firewall's DMZ interface (210.1.1.2 in this thread), not the switch's own 210.1.1.1
 set ip default next-hop 210.1.1.2
!
route-map INSIDE_PBR permit 10
 ! next hop is the firewall's inside interface (200.1.1.2 in this thread), not the switch's own 200.1.1.1
 set ip default next-hop 200.1.1.2
!

Explanation: for traffic destined to the Internet and coming in through the interfaces above, the route-map will kick in and force it to go via the specified next-hop. For all non-Internet traffic, the standard destination-based routing will occur. As for the default route on the switch, leave it as whatever it is - it will only affect traffic originating from the switch itself.

Hope that helps - pls rate the post if it does.

Paresh
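A worked model of the forwarding decision that policy-based routing with "set ip default next-hop" produces on the switch in this thread, added here as an illustration and not part of the thread or of any Cisco code. It uses the addresses from the thread (firewall inside 200.1.1.2 and DMZ 210.1.1.2, the VLAN subnets as /24s) and assumes the interface names Vlan2/Vlan3/Vlan4/Vlan10 for the SVIs and Fa0/1 and Fa0/24 for the two routed ports, with the firewall links also as /24s; 198.51.100.10 is an arbitrary Internet destination. The point it makes explicit: the policy next hop is consulted only when the best match in the routing table is the default route, so Internet-bound traffic from VLAN 4 is handed to the firewall's DMZ interface, while traffic from VLAN 4 to VLAN 2 matches the connected route and is routed by the switch itself without ever reaching the firewall. Any restriction between the DMZ and the inside VLANs therefore has to be enforced on the switch (for example with an ACL on the DMZ SVI), or the DMZ VLAN has to be taken off this switch.

```python
"""Model of the 3550's forwarding decision with the PBR config above.

Added example for this thread, not Cisco code. Addresses come from the
thread; interface names and the /24 masks are assumptions.
"""
import ipaddress

# Routing table of the L3 switch: connected networks for the four SVIs and
# the two routed ports towards the firewall, plus the single default route
# to the firewall's inside interface. next_hop None = directly connected.
ROUTING_TABLE = [
    ("172.16.16.0/24", None, "Vlan2"),    # staff VLAN 2
    ("192.16.16.0/24", None, "Vlan3"),    # staff VLAN 3
    ("172.32.32.0/24", None, "Vlan4"),    # DMZ VLAN 4
    ("10.10.10.0/24", None, "Vlan10"),    # management VLAN 10
    ("200.1.1.0/24", None, "Fa0/1"),      # routed port to firewall inside (mask assumed)
    ("210.1.1.0/24", None, "Fa0/24"),     # routed port to firewall DMZ (mask assumed)
    ("0.0.0.0/0", "200.1.1.2", "Fa0/1"),  # ip route 0.0.0.0 0.0.0.0 200.1.1.2
]

# `ip policy route-map` per ingress SVI, reduced to the one thing the
# route-maps do: a `set ip default next-hop` towards a firewall interface.
PBR_DEFAULT_NEXT_HOP = {
    "Vlan2": "200.1.1.2",  # INSIDE_PBR
    "Vlan3": "200.1.1.2",  # INSIDE_PBR
    "Vlan4": "210.1.1.2",  # DMZ_PBR
}

FIREWALL_INTERFACES = {"200.1.1.2", "210.1.1.2"}


def lookup(dst):
    """Longest-prefix match over ROUTING_TABLE.

    Returns (network, next_hop, egress_interface) for the best route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, egress in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, egress)
    return best


def forward(ingress, dst):
    """Forwarding decision for a packet entering on `ingress` bound for `dst`.

    Returns (next_hop, egress_interface, decided_by). `set ip default
    next-hop` only overrides the routing table when the best match is the
    default route (prefix length 0); a more specific route always wins."""
    net, next_hop, egress = lookup(dst)
    if net.prefixlen == 0 and ingress in PBR_DEFAULT_NEXT_HOP:
        policy_next_hop = PBR_DEFAULT_NEXT_HOP[ingress]
        # The policy next hop is itself resolved through the routing table
        # to find the outgoing interface.
        _, _, policy_egress = lookup(policy_next_hop)
        return policy_next_hop, policy_egress, "pbr-default-next-hop"
    return next_hop or "directly connected", egress, "routing-table"


def traverses_firewall(ingress, dst):
    """True when the switch hands the packet to one of the firewall's
    interfaces, i.e. when the firewall gets a chance to filter it."""
    next_hop, _, _ = forward(ingress, dst)
    return next_hop in FIREWALL_INTERFACES


if __name__ == "__main__":
    # Constructed sample flows: Internet-bound from each kind of VLAN, and
    # a DMZ host talking straight to a staff VLAN host.
    for ingress, dst in [("Vlan4", "198.51.100.10"), ("Vlan2", "198.51.100.10"),
                         ("Vlan10", "198.51.100.10"), ("Vlan4", "172.16.16.10")]:
        nh, egress, why = forward(ingress, dst)
        fw = "via firewall" if traverses_firewall(ingress, dst) else "BYPASSES firewall"
        print(f"{ingress:6} -> {dst:14}: next hop {nh:18} out {egress:6} ({why}) {fw}")
```

Running it prints one line per flow; the last one (Vlan4 to 172.16.16.10) is the case to watch, since it leaves on Vlan2 straight from the switch. Management VLAN 10 has no policy applied, so its Internet traffic follows the plain default route, which is why the switch's own "ip route 0.0.0.0 0.0.0.0" still matters for VLANs without a route-map.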

Hello,

Sorry for not replying earlier, but basically I've applied PBR and it all worked just fine. Many thanks.

Regards!
