Layer 3 Switch and Two default gateways ASAs

szczyrk80
Level 1

Hi All,

We have a layer 3 switch (.64.250) that has got two ASAs connected to it,

1st ASA (.64.254) - it is the default gateway 0.0.0.0 0.0.0.0 for that layer 3 switch

2nd ASA (.64.1) - 2nd gateway

All are in the same subnet

DHCP server assigns IPs to the computers with default gateway of .64.1

We have recently created new vlan 306 with the IP .53.1/24 and interface .53.250 and dhcp assigns IPs with default gateway .53.250

The problem that we have got is we can not route traffic from vlan 306 to the .64.1 ASA, despite implementing the routes below:

ip route 192.168.53.0 255.255.255.0 192.168.64.1 - on layer 3 switch

route 192.168.53.0 255.255.255.0 192.168.64.250 - ASA (64.1)

We can ping .64.1 from all clients in vlan 306, but if we want to go outside (e.g. google.com) only the default route works, and after implementing the route defined for vlan 306 we can not ping any external IP.

So the question that I would like to ask is how to tell the Layer 3 switch to route the whole traffic from vlan 306 to the .64.1 gateway instead of using the default route.

Thank you for your help

Kind Regards,

S

8 Replies

eduardopozo56
Level 1

Hi S,

Please remember that the routing choice is made on a hop by hop basis

When packets from the 53.0 network reach their default gateway (53.250, which I guess is the L3 switch), the switch will choose where to route the packets by looking at the destination IP.

If the destination ip is for example, Google dns (8.8.8.8) then the L3 switch will use the default gateway.

On your static routes, you are telling the Switch that the whole 53.0 network is behind the ASA and on the ASA that the whole 53.0 network is on the switch.

Your topology as described is a little confusing, could you please make a quick drawing of it in order to understand a little better?

Regards,

Hi Eduardo,

Thank you for your response,

I have attached a simple network diagram.

Kind Regards,

Sebastian

Thanks, now I understand better.

a. The static route "192.168.53.0 255.255.255.0 192.168.64.1" is wrong on the L3 switch, as this is a directly connected network on the switch; there is no need for a static route pointing to the ASA.

b. The use of the default route pointing to the ASA for internet access is correct. As I said before, the routing choice is made on a hop by hop basis: when the packets reach the L3 switch (the DG for the network), the L3 switch will decide where to send the packets by looking at the destination address.

The default route will send all non-known destinations (internet) to the ASA.

c. You need to create the route back on both ASAs

"route 192.168.53.0 255.255.255.0 192.168.64.250"

d. Depending on your ASA configuration, you might also need to add the new network on Interfaces access lists, NAT access lists, etc.

Thank you,

But is there any way we can tell the L3 switch to send all non-known destinations (internet) coming from vlan 306 (53.x) to the gateway .64.1 instead of .64.254?

Thank you,

Kind Regards,

S

Ok, now I understand what you are trying to accomplish, sorry.

Yes, you can use policy-based routing on the SVI (Interface vlan) to set the next-hop for the arriving packets to 64.254

Please refer to the following configuration guide for PBR:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.pdf

Thank you Jon and Eduardo,

Yes, vlan 306 needs to talk to native vlan .64.x

Just to clarify, does PBR have to be implemented on the vlan 306 interface or on the other interface?

Thank you,

PBR needs to be configured on the vlan 306 interface.

So you leave the default route as is and then you configure your PBR to send the traffic to the other gateway.

Jon

Yes, you can use PBR if your switch supports it, i.e. you need the right feature set.

Does vlan 306 need to talk to other vlans on the internal L3 switch?

Jon
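Jon's two replies above describe the approach (leave the default route to .64.254 alone, apply PBR on the VLAN 306 SVI to push that VLAN's Internet-bound traffic to the .64.1 ASA, and keep VLAN 306 able to reach the other internal VLANs). The configuration below is an added illustration of that, not configuration posted by anyone in this thread. It assumes Cisco IOS route-map syntax as in the linked Catalyst PBR guide; the ACL and route-map names, and the assumption that 192.168.64.0/24 is the only other internal subnet, are made up for the example.

```cisco
! Added example, not from the thread: PBR on the Catalyst L3 switch so that
! traffic from VLAN 306 (192.168.53.0/24) is forwarded to the second ASA
! (192.168.64.1) instead of following the switch's default route
! (0.0.0.0 0.0.0.0 -> 192.168.64.254), which stays in place for all other VLANs.
!
! Step 1: select the traffic to be policy-routed.
! A packet that hits a "deny" line does NOT match the route-map entry and
! falls through to normal destination-based routing, so VLAN 306 still reaches
! the native VLAN over the switch's connected route. Add one deny line per
! additional internal subnet (hypothetical: only 192.168.64.0/24 exists here).
ip access-list extended PBR-VLAN306-INTERNET
 deny   ip 192.168.53.0 0.0.0.255 192.168.64.0 0.0.0.255
 permit ip 192.168.53.0 0.0.0.255 any
!
! Step 2: route-map that overrides the next hop for matched packets only.
route-map PBR-VLAN306 permit 10
 match ip address PBR-VLAN306-INTERNET
 set ip next-hop 192.168.64.1
!
! Step 3: apply the policy on the VLAN 306 SVI. PBR acts on packets arriving
! on this interface, which is why it goes here and not on the .64.x SVI.
interface Vlan306
 ip address 192.168.53.250 255.255.255.0
 ip policy route-map PBR-VLAN306
!
! The default route is unchanged; nothing else on the switch needs a
! 192.168.53.0/24 route, since that network is directly connected.
ip route 0.0.0.0 0.0.0.0 192.168.64.254
```

PBR only changes the forwarding decision on the switch. The .64.1 ASA still needs the return route Eduardo gave (route ... 192.168.53.0 255.255.255.0 192.168.64.250), and, as in his point d, its interface access lists and NAT must include 192.168.53.0/24, otherwise the ASA drops the flows it now receives. Two things to check after applying it: `show route-map PBR-VLAN306` should show the policy-routing match counter increasing while VLAN 306 clients browse, and clients should still reach .64.x hosts (those packets hit the deny line and are routed normally). Also note that a plain `set ip next-hop` does not check whether 192.168.64.1 is reachable, so if that ASA goes down VLAN 306 loses Internet access rather than falling back to .64.254; monitoring for that ASA should be in place before relying on this.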
