Segregating Vlan traffic

Robert Molina
Level 1

Currently on our Cisco 4506, we have a routed port that sends traffic from our vlans to our TLA stack inside router. We recently implemented two additional vlans that are sent through a trunked port to another switch and a secure tunnel. The problem is that I still have the two vlans going out the routed port and through the tunnel port at the same time. I don't want the vlans to be allowed through the routed port, only through the trunked port.

We are running EIGRP.

Cisco Catalyst 4506, running cat4500-entservicesk9-mz.122-54.SG1

My question is how can I keep the two new vlans from being sent through the routed port?

If you need additional information, please let me know.

Thank you.

6 Replies

Jon Marshall
Hall of Fame

Robert

Do the new vlans need to communicate with any of the existing vlans on the 4500?

If not then you can put them into their own VRF (assuming you have the right feature set).

If yes then it depends on what routes are on the 4500, i.e. if the default route points to the TLA stack then you could use PBR for the two new vlans to make the default next hop the secure tunnel.

Again you would need the right feature set on the 4500.

If the 4500 has multiple routes via the TLA stack and other routes via the secure tunnel you could always use acls on the new vlan SVIs to only allow traffic to networks via the secure tunnel.

Difficult to be precise without knowing more about the current routing.

Jon

Jon,

Thanks for replying. The 2 new vlans do not need to communicate with the existing vlans. I attached a diagram. The default route points to the TLA stack and the trunk port is where the new vlans go. They are labeled as 113 and 1600.

It is hard to provide you with a lot of particulars because this is a government network. Just for my knowledge, since it's the first time I have heard of this, what is PBR?


Thank you,

Robert

Robert

If the two vlans do not need to communicate with the other vlans then if you have the right feature set on your switch I would use VRF-Lite and put the two vlans into their own VRF.

Doing this means they have a separate routing table and so could not talk to the other vlans or use the default route via the TLA stack.

PBR = Policy Based Routing, which is a way of overriding the routing table, i.e. you can tell traffic which next hop to use regardless of what is in the IP routing table.

However, if memory serves, you need the same feature set for PBR as you do for VRF-Lite, and using VRFs would be a better choice for what you need.

Jon

Jon,

Thanks. What do you think about doing VACLs? From what I've read, VACLs could restrict the vlans from going out the routed port. I will read up on VRF-Lite and see how it works. I will also see if we have the feature set.


Thank you!

Robert

Robert

Apologies, you did include the feature set in your initial post.

You should be able to run VRF-Lite and for what you want that is the best solution.

It is pretty easy to setup, see this link -

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/configuration/guide/config/vrf.html

Note you don't need to worry about import maps etc., you just need to create a VRF and place the SVIs (L3 vlan interfaces) into that VRF.

Then you can add a default route to the VRF routing table pointing to the secure tunnel and this will not conflict with your existing routing table.

Jon
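A minimal VRF-Lite configuration for the setup discussed in this thread, added here as an illustration; it is not from the original post or from the Cisco guide linked above. The VRF name, the SVI addresses and the tunnel-side next hop are assumed placeholders, and the syntax is the `ip vrf` form of the 12.2SG train the poster is running.

```cisco
! Added example (not from the thread): VRF-Lite on the 4506 so that VLANs
! 113 and 1600 get a routing table separate from the global one.
! Assumed values: VRF name SECURE, subnets 10.113.0.0/24 and 10.160.0.0/24,
! and a tunnel-side next hop 10.160.0.254 reachable over the trunk in VLAN 1600.
!
! 1. Define the VRF. On 12.2SG an RD must be set before interfaces can join it.
ip vrf SECURE
 rd 65000:1
!
! 2. Move the two SVIs into the VRF. Caveat: "ip vrf forwarding" clears the
!    interface's IP address, so re-enter the address afterwards.
interface Vlan113
 ip vrf forwarding SECURE
 ip address 10.113.0.1 255.255.255.0
!
interface Vlan1600
 ip vrf forwarding SECURE
 ip address 10.160.0.1 255.255.255.0
!
! 3. Default route in the VRF table only. The global default via the TLA
!    stack is untouched, and the VRF cannot use it: traffic from 113/1600
!    can only leave via the tunnel next hop, which is the separation wanted.
ip route vrf SECURE 0.0.0.0 0.0.0.0 10.160.0.254
!
! 4. Verify: both SVIs listed under the VRF, the VRF table holding only its
!    connected subnets plus the default, and the global default unchanged.
show ip vrf interfaces SECURE
show ip route vrf SECURE
show ip route 0.0.0.0
```

Because the SVIs leave the global table, any global EIGRP network statement that previously covered them stops advertising those subnets, which is consistent with the goal of keeping them off the routed port.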

Jon,

I will look at it and see how it is setup. Hopefully I can get it right and not screw up the production network in the process. I'll never hear the end of it from the boss.


I'll let you know the outcome.

Robert
