Solved: I need a VLAN to have a different nexthop than the default route

tis-it · ‎06-14-2022

I've been trying to solve the problem of a single VLAN in our org needing a different route than the rest of the traffic on the core switch. It goes to a different firewall to keep things separated. In my research, I keep coming back around to Policy Based Routing, which appears to be an enterprise feature, which I don't currently have a license for. Is there a way to accomplish this through VRF or something similar where I don't have to fork out 10's of thousands of dollars for an enterprise license, or am I hosed here?

Georg Pauwen · ‎06-15-2022

Hello,

if you do have VRF feature access, below is an example of how to accomplish this. IP addressing is obviously arbitrary...

ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN
vrf RED
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
interface GigabitEthernet0/0
description LAN
vrf forwarding RED
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Uplink to Firewall
vrf forwarding RED
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Uplink to ISP
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route vrf RED 0.0.0.0 0.0.0.0 1.1.1.2

View solution in original post

balaji.bandi · ‎06-15-2022

You need to make a Static route if you do not have that feature License for PBR ( that is what most people use).

Since you mentioned VRF (not sure or recollect your License has that feature in the base License)

By the way what device is this ? what IOS Code, you can use the VRF routing table, and compare it to the GRT routing table.

Or you may be achieved using IGP ( Like EIGRP/ OSPF if supported or in place).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎06-15-2022

Hello,

if you do have VRF feature access, below is an example of how to accomplish this. IP addressing is obviously arbitrary...

ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN
vrf RED
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
interface GigabitEthernet0/0
description LAN
vrf forwarding RED
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Uplink to Firewall
vrf forwarding RED
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Uplink to ISP
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route vrf RED 0.0.0.0 0.0.0.0 1.1.1.2

MHM Cisco World · ‎06-15-2022

ip route VRF VLAN 0.0.0.0 0.0.0.0 global <- this for direction form VLAN with VRF VLAN to global routing interface 

ip route VLAN-subnet mask SVI VRF VLAN <-this for direction from global to VLAN with VRF VLAN

this issue I don't test before but if the static route accept add VRF after the next-hop (in this case it is SVI of VLAN) then it can work.