05-18-2015 04:08 AM - edited 03-05-2019 06:55 AM
Hi All,
We have a layer 3 switch (.64.250) that has two ASAs connected to it:
1st ASA (.64.254) - it is the default gateway (0.0.0.0 0.0.0.0) for that layer 3 switch
2nd ASA (.64.1) - 2nd gateway
All are in the same subnet.
The DHCP server assigns IPs to the computers with a default gateway of .64.1.
We have recently created a new vlan 306 with the IP .53.1/24 and interface .53.250, and DHCP assigns IPs with a default gateway of .53.250.
The problem we have is that we cannot route traffic from vlan 306 to the .64.1 ASA, despite implementing the routes below:
ip route 192.168.53.0 255.255.255.0 192.168.64.1 - on layer 3 switch
route 192.168.53.0 255.255.255.0 192.168.64.250 - ASA (64.1)
We can ping .64.1 from all clients in vlan 306, but if we want to go outside (e.g. google.com) only the default route works; after implementing the route defined for vlan 306 we cannot ping any external IP.
So the question I would like to ask is: how do we tell the layer 3 switch to route all traffic from vlan 306 to the .64.1 gateway instead of using the default route?
Thank you for your help
Kind Regards,
S
05-18-2015 05:18 AM
Hi S,
Please remember that the routing choice is made on a hop-by-hop basis.
When packets from the 53.0 network reach their default gateway (53.250, which I guess is the L3 switch), the switch will choose where to route the packets by looking at the destination IP.
If the destination IP is, for example, Google DNS (8.8.8.8), then the L3 switch will use the default gateway.
With your static routes, you are telling the switch that the whole 53.0 network is behind the ASA, and the ASA that the whole 53.0 network is on the switch.
Your topology as described is a little confusing; could you please make a quick drawing of it so we can understand a little better?
Regards,
05-18-2015 06:07 AM
05-18-2015 06:14 AM
Thanks, now I understand better.
a. The static route "192.168.53.0 255.255.255.0 192.168.64.1" is wrong on the L3 switch, as this is a directly connected network on the switch; there is no need for a static route pointing to the ASA.
b. The use of the default route pointing to the ASA for internet access is correct. As I said before, the routing choice is made on a hop-by-hop basis: when the packets reach the L3 switch (DG for the network), the L3 switch will decide where to send the packets by looking at the destination address.
The default route will send all non-known destinations (internet) to the ASA.
c. You need to create the route back on both ASAs:
"route 192.168.53.0 255.255.255.0 192.168.64.250"
d. Depending on your ASA configuration, you might also need to add the new network to interface access lists, NAT access lists, etc.
05-18-2015 06:30 AM
Thank you,
But is there any way we can tell the L3 switch to send all unknown destinations (internet) coming from vlan 306 (53.x) to the gateway .64.1 instead of .64.254?
Thank you,
Kind Regards,
S
05-18-2015 06:39 AM
OK, now I understand what you are trying to accomplish, sorry.
Yes, you can use policy-based routing on the SVI (interface VLAN) to set the next hop for the arriving packets to 64.254.
Please refer to the following configuration guide for PBR:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.pdf
05-18-2015 08:31 AM
Thank you Jon and Eduardo,
Yes, vlan 306 needs to talk to native vlan .64.x
Just to clarify, does PBR have to be implemented on the vlan 306 interface or on the other interface?
Thank you,
05-18-2015 12:03 PM
PBR needs to be configured on the vlan 306 interface.
So you leave the default route as is and then you configure your PBR to send the traffic to the other gateway.
Jon
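The PBR setup the two replies above describe (policy on the vlan 306 SVI, default route left alone, route back on the ASAs), written out as an added example configuration that is not from this thread. It assumes the switch runs IOS with the PBR feature set, that vlan 306 is a routed SVI, that the ASA's inside interface is named "inside", and that the other internal VLANs fall within 192.168.0.0/16 (adjust that deny line to your own address plan).

```cisco
! Added example, not part of the thread. L3 switch = 192.168.64.250.
! Goal: Internet-bound traffic from vlan 306 (192.168.53.0/24) exits via the
! ASA at 192.168.64.1 while the switch's global default route stays on .64.254.
!
! The ACL decides what gets policy-routed. Deny internal destinations first so
! inter-VLAN traffic is still routed by the switch itself and is not pushed
! through the ASA (Jon's question about vlan 306 talking to other VLANs).
ip access-list extended PBR-VLAN306-TO-ASA1
 deny   ip 192.168.53.0 0.0.0.255 192.168.64.0 0.0.0.255
 deny   ip 192.168.53.0 0.0.0.255 192.168.0.0 0.0.255.255   ! assumed other internal VLANs
 permit ip 192.168.53.0 0.0.0.255 any                        ! everything else = Internet
!
route-map PBR-VLAN306 permit 10
 match ip address PBR-VLAN306-TO-ASA1
 set ip next-hop 192.168.64.1
!
! Apply the policy on the SVI where the vlan 306 packets arrive (ingress only).
interface Vlan306
 ip address 192.168.53.250 255.255.255.0
 ip policy route-map PBR-VLAN306
!
! Default route unchanged. The old static route for 192.168.53.0/24 is removed:
! the network is directly connected, so that route was wrong.
no ip route 192.168.53.0 255.255.255.0 192.168.64.1
ip route 0.0.0.0 0.0.0.0 192.168.64.254
!
! On the ASA at 192.168.64.1 (and likewise on .64.254), the return route to
! vlan 306; "inside" is the assumed interface name. NAT and interface ACLs on
! the ASA must also permit 192.168.53.0/24, as noted in reply d.
! route inside 192.168.53.0 255.255.255.0 192.168.64.250 1
```

To confirm the policy is hit, check the match counters with `show route-map PBR-VLAN306` and run a traceroute from a 53.x client to an external address: the first hop should be .53.250 and the second .64.1, while a traceroute to a .64.x host should stay on the switch.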
05-18-2015 06:40 AM
Yes, you can use PBR if your switch supports it, i.e. you need the right feature set.
Does vlan 306 need to talk to other vlans on the internal L3 switch?
Jon