About VLANs Default Route's. Is it possible?

Diego Oliva
Level 1

Hi there!! As this is my first post in the Cisco community, I'll ask a newbie question.

Is it possible to assign different default static routes to different VLANs?

My scenario is like this: I've got two WAN public IPs, from different ISP providers, and I would like to make 2 VLANs, one for the servers (VLAN 1) and the other for the employees' computers (VLAN 2), but I need VLAN 1 to route through ISP 1 and VLAN 2 through ISP 2. But not just that! I would love it if I could also set backup routes through the other ISP in both VLANs...

I've got a 1841...

I would be very grateful if there is a solution for this...

Thanks in advance!

12 Replies

Peter Paluch
Cisco Employee

Hi Diego,

What you are looking for is called Policy Based Routing (PBR) and is related to the fact that your routing should be concerned not only with the destination but in your case, also the source IP address.

An example would be easy to do, but as you are facing two ISPs, you also have to consider the necessary NAT issues. The best course of action would be to post your current configuration (complete, just xxx-out the sensitive information) so that someone here can suggest a proper modification of your config. Giving out just a partial example of a PBR config could do more harm than good.

And, by the way, welcome

Best regards,

Peter

Hi Peter

Giving out just a partial example of a PBR config could do more harm than good.

Guess that makes me very irresponsible then

Jon

Jon Marshall
Hall of Fame

Diego

You would use PBR (Policy Based Routing) to do this, e.g.:

vlan 1 = 192.168.5.0 255.255.255.0
vlan 2 = 192.168.6.0 255.255.255.0

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any

route-map PBR permit 10
 match ip address 101
 set ip next-hop y.y.y.y

int fa0/0 <-- this connects back to your LAN switch
 ip policy route-map PBR

ip route 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is one ISP's next-hop and y.y.y.y is the other ISP's next-hop.

Couple of things -

1) You could explicitly set the next-hop for both networks with another entry in the route-map, but there is little point in doing that. You usually set up a default route pointing to one ISP and then use PBR to send the traffic you don't want to use the default route to the other next-hop.

2) Note the deny line in the ACL. This is so traffic from VLAN 1 to VLAN 2 is not sent to the next-hop y.y.y.y. A deny line simply means that the traffic is not policy routed and uses the routing table.

Jon
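An added illustration (not part of Jon's post) of how the ACL and route-map above decide a packet's next-hop: the deny line lets VLAN 1 to VLAN 2 traffic fall back to the routing table, the permit line policy-routes the rest of VLAN 1 to y.y.y.y, and VLAN 2 never matches the ACL so it takes the default route. The ISP next-hop addresses are constructed stand-ins for x.x.x.x and y.y.y.y.

```python
import ipaddress

ISP1_NEXT_HOP = "203.0.113.1"   # constructed stand-in for x.x.x.x (default route)
ISP2_NEXT_HOP = "198.51.100.1"  # constructed stand-in for y.y.y.y (route-map target)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# access-list 101 exactly as in the post, in order; "any" is 0.0.0.0 255.255.255.255
ACL_101 = [
    ("deny",   ("192.168.5.0", "0.0.0.255"), ("192.168.6.0", "0.0.0.255")),
    ("permit", ("192.168.5.0", "0.0.0.255"), ("0.0.0.0", "255.255.255.255")),
]

def acl_action(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Routing table: the two connected VLAN subnets plus the single default route.
RIB = {
    ipaddress.ip_network("192.168.5.0/24"): "connected (vlan 1)",
    ipaddress.ip_network("192.168.6.0/24"): "connected (vlan 2)",
    ipaddress.ip_network("0.0.0.0/0"): ISP1_NEXT_HOP,
}

def rib_lookup(dst):
    """Longest-prefix match over the routing table."""
    d = ipaddress.ip_address(dst)
    best = max((n for n in RIB if d in n), key=lambda n: n.prefixlen)
    return RIB[best]

def forward(src, dst):
    """Decision for a packet arriving on fa0/0 (ip policy route-map PBR).
    An ACL permit policy-routes the packet to y.y.y.y; a deny (or no match
    at all) means the packet is forwarded by the normal routing table."""
    if acl_action(ACL_101, src, dst) == "permit":
        return ("pbr", ISP2_NEXT_HOP)
    return ("rib", rib_lookup(dst))
```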

Jon Marshall
Hall of Fame

Diego

Peter is correct, he is being more responsible than me.

If you want backup routes, i.e. so you can use the other link: well, if y.y.y.y fails then there is the default route to use. But if x.x.x.x fails then you need to switch to using y.y.y.y.

How you do this really depends on the type of connections you have to your ISPs, i.e. are they Ethernet? If so they would need some sort of tracking.

As for NAT, I am assuming that you have "ip nat inside" on the LAN interface and "ip nat outside" on both the ISP interfaces, is that correct?

Jon

Thanks for the quick answers!

My config is quite short since I've just started it...

I've got two on-board FA interfaces + a four-port L2 Ethernet board (at this moment all of them are part of a VLAN 1 interface, but my intention is to set both VLANs by IP; I haven't tried it yet, but I assume it is possible, isn't it?)

fa0/0 -- isp1_ethernet

fa0/1 -- isp2 (actually, it would be, fa0/0 -- squid proxy -- isp2)_ethernet

fa0/0/0 -- l3 switch -- pcs and servers...

fa0/0/1 -- l3 switch -- pcs, printers, etc...

Yes, for NAT I've got ip nat outside and inside...

Actually, my idea for the VLANs was more like:

vlan 1 = 192.168.100.230 0.0.0.250 for example....

vlan 2 = 192.168.100.1 0.0.0.229 ....

And... now that I'm thinking it through... I can't use VLANs through the L2 Ethernet board, can I?

Diego

vlan 1 = 192.168.100.230 0.0.0.250 for example....

vlan 2 = 192.168.100.1 0.0.0.229 ....

The above makes no sense. You cannot subnet like this. What IPs do you want in each subnet (VLAN)?

Jon

What I meant was to set the VLANs under the same subnet...

IPs from 192.168.100.1 to 192.168.100.229 for VLAN 2 and 192.168.100.230 to 192.168.100.249 for VLAN 1.

Don't know if this is possible...

No it's not possible.

Jon

Diego

Also -

fa0/1 -- isp2 (actually, it would be, fa0/0 -- squid proxy -- isp2)_ethernet

What does this mean? Do you mean traffic goes out of fa0/0 to a proxy server and then to ISP2?

If so then PBR might not work. Where is the proxy server in relation to the interfaces on the router?

Jon

Yes, traffic goes out to a proxy server (Squid on Debian) and then to ISP2...

Where is the proxy server in relation to the interfaces on the router?

I'm sorry, I don't follow...

Diego.

You say fa0/0 connects to ISP1 and that fa0/1 connects to ISP2.

Then you say to get to ISP2 you go out of fa0/0 to a proxy server. So where does fa0/1 come into it?

Jon

Diego

Apologies if my answers came across as a bit short; I was in the middle of something else, so I was very brief in my replies.

We do like to help people honestly

I think before we get into PBR (if needed) it might help to just get the basics right on your router and also to understand how things are set up.

Your subnetting -

If you need hosts 1 -> 230 from a subnet then you will have to use a full class C for that, i.e. 192.168.100.0 255.255.255.0.

Then for your other devices you can either use another full class C or just a subnet of a class C, i.e. you need 20 hosts for your second subnet. Bear in mind it's always good to have spare IPs in a subnet, and as they are private you don't need to worry too much about wasting addresses, so I would just use -

192.168.101.0 255.255.255.0

If you want to subnet it down then you could use -

192.168.101.0 255.255.255.224 which would give you 192.168.101.1 -> 192.168.101.30 broadcast 192.168.101.31

192.168.101.0 255.255.255.192 which would give you 192.168.101.1 -> 192.168.101.62 broadcast 192.168.101.63

192.168.101.0 255.255.255.128 which would give you 192.168.101.1 -> 192.168.101.126 broadcast 192.168.101.127

We also need to really understand how the proxy server works in relation to the ISPs.

Jon