01-29-2017 08:07 PM - edited 03-05-2019 07:56 AM
Hi Guys,
I'm planning to upgrade my network from Router-on-a-stick HSRP.
My current network consists of 2 routers and 1 main switch, with a different ISP per router.
Which ISP each VLAN is routed through depends on the HSRP priority and tracking configured on the sub-interfaces.
This current network has been running for almost 3 years now without any problem.
(Please see attached images)
In my proposal, the new network will consist of the existing 2 routers (1941/K9) with their ISPs, and an L3 switch (please see attached images).
I will be using the L3 switch as my main switch and for the inter-VLAN routing. But I don't have any idea what configuration I need to make this work.
Some say I should use PBR on the L3 switch to route the traffic. Each VLAN will be routed to a different ISP depending on the requirements. Inter-VLAN routing is working on the L3 switch, but the per-VLAN routing has no config yet.
Requirements
1. VLAN 10 and VLAN 30 will be routed on the ISP1
2. VLAN 20 will be routed on the ISP2.
I don't have any experience yet in configuring this kind of network.
Please help or suggest any.
Thanks in advance.
01-29-2017 11:17 PM
Hi,
You have configured all your VLANs and other basic commands on the switch.
Here are your answers:
1. How to configure InterVLAN routing:
Ans: First finish your VLAN configuration and type one command on
"
2. VLAN 10 and VLAN 30 data will be routed on the ISP1
Ans: Just configure two static routes as:
! for VLAN 10 route to ISP1
"
! for VLAN 30 route to ISP1
"ip route 192.168.30.0 255.255.255.0 192.168.1.1"
3. VLAN 10 and VLAN 30 data will be routed on the ISP1
Ans: Just configure a static route as:
! for VLAN 20 route to ISP2
"
For
"Sho
Regards,
Deepak Kumar
01-30-2017 03:23 AM
Hi
First, take into consideration that with only one L3 switch you will have a single point of failure; you should have high availability with a second switch and enable Rapid Per-VLAN STP or MST.
Also, you could enable an IGP protocol between the routers and the L3 switches, like OSPF; the routers could advertise a default route with different costs to enable redundancy.
Another option is to use default routes, but then you should use an EEM script to create an automatic failover.
On the routers you should configure PAT to enable Internet access for the users behind the switches.
If you are going to send traffic to a specific provider, for example VLAN 20 should use ISP2, this is an example:
Step 1) Create 2 ACLs: one to specify the internal networks, so that this traffic is not sent to the Internet, and a second to match anything else going to the Internet.
* SWITCH
! here you will match your internal networks
ip access-list extended PRIVATE-NET
 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
! it will be used for Internet
ip access-list extended INTERNET
 permit ip 192.168.20.0 0.0.0.255 any
Step 2) Create a route-map that first matches your internal services (access to domain controllers, DHCP, storage, etc.), and a second route-map entry to match the rest of the traffic going to the Internet.
(This RM entry (sequence 5) does nothing; it is a protection to avoid sending all your traffic, including access to internal services, to the Internet.)
route-map INTERNET-ISP2 permit 5
 match ip address PRIVATE-NET
! this RM entry will move everything else to your ISP 2
route-map INTERNET-ISP2 permit 100
 match ip address INTERNET
! next-hop to your ISP2
 set ip next-hop 192.168.2.1
Step 3) Apply the RM where the traffic originates.
interface vlan 20
! all the traffic originated on this SVI 20 will be matched with the RM above
 ip policy route-map INTERNET-ISP2
* The rest of your traffic should use the default path without any problems or additional config. The special config is for VLAN 20 only.
Try to implement it first on your lab :-) I hope it is useful for you.
I think it is a typo on your diagram, but the P2P links should be /30 instead of /32.
01-31-2017 05:34 AM
Hi Julio,
I'm very thankful for the config that you have provided. I have tested it in GNS3 and it is working. I have also replaced all the IP addresses so that I could connect it to my own LAN (see attached image). I have also created an EIGRP AS 1.
192.168.50.0 /24 is my local network.
Kindly check my configurations.
MainSwitch#
interface FastEthernet1/1
description CONNECTION TO R1
no switchport
ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet1/2
description CONNECTION TO R2
no switchport
ip address 10.1.2.2 255.255.255.252
!
interface FastEthernet1/11
switchport access vlan 10
!
interface FastEthernet1/12
switchport access vlan 20
!
interface FastEthernet1/13
switchport access vlan 30
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip policy route-map INTERNET-ISP1
!
interface Vlan20
ip address 10.1.20.1 255.255.255.0
ip policy route-map INTERNET-ISP2
!
interface Vlan30
ip address 10.1.30.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
no auto-summary
!
! for VLAN 10
ip access-list extended INT
 permit ip 10.1.10.0 0.0.0.255 any
! for VLAN 20
ip access-list extended INTERNET
 permit ip 10.1.20.0 0.0.0.255 any
! for VLAN 20
ip access-list extended PRIVATE-NET
 permit ip 10.1.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 10.1.20.0 0.0.0.255 192.168.0.0 0.0.255.255
! for VLAN 10
ip access-list extended PRIVATE-NET-2
 permit ip 10.1.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.255.255
!
! for VLAN 10
route-map INTERNET-ISP1 permit 5
 match ip address PRIVATE-NET-2
!
! for VLAN 10
route-map INTERNET-ISP1 permit 100
 match ip address INT
 set ip next-hop 10.1.1.1
!
! for VLAN 20
route-map INTERNET-ISP2 permit 5
 match ip address PRIVATE-NET
!
! for VLAN 20
route-map INTERNET-ISP2 permit 100
 match ip address INTERNET
 set ip next-hop 10.1.2.1
-------------------------------------------------------------------------
R1# show running-config
ip name-server 192.168.50.20
ip name-server 8.8.8.8
ip name-server 4.2.2.2
interface FastEthernet0/0
ip address 192.168.50.100 255.255.255.0
description CONNECTION TO MY LAN
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.252
description CONNECTION TO MAINSWITCH
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router eigrp 1
network 10.0.0.0
no auto-summary
!
! 192.168.50.1 is MY LAN gateway
ip default-gateway 192.168.50.1
ip route 0.0.0.0 0.0.0.0 192.168.50.1
!
ip nat pool ISP1 192.168.50.100 192.168.50.100 netmask 255.255.255.224
ip nat inside source list 10 pool ISP1 overload
!
access-list 10 permit 10.1.10.0 0.0.0.255
access-list 10 permit 10.1.20.0 0.0.0.255
access-list 10 permit 10.1.30.0 0.0.0.255
access-list 10 permit 10.1.1.0 0.0.0.3
------------------------------------------------------------
R2#show running-config
ip name-server 192.168.50.20
ip name-server 8.8.8.8
ip name-server 4.2.2.2
interface FastEthernet0/0
ip address 192.168.50.200 255.255.255.0
description CONNECTION TO MY LAN
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.0
description CONNECTION TO MAINSWITCH
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router eigrp 1
network 10.0.0.0
no auto-summary
!
ip default-gateway 192.168.50.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.50.1
!
!
ip nat pool ISP2 192.168.50.200 192.168.50.200 netmask 255.255.255.224
ip nat inside source list 10 pool ISP2 overload
!
access-list 10 permit 10.1.10.0 0.0.0.255
access-list 10 permit 10.1.20.0 0.0.0.255
access-list 10 permit 10.1.30.0 0.0.0.255
access-list 10 permit 10.1.2.0 0.0.0.3
There are only some issues in my testing. It may be GNS3 or my internal firewall.
Inter-VLAN - OK
Ping PC10 - 8.8.8.8 / 4.2.2.2 - OK
Ping PC20 - 8.8.8.8 / 4.2.2.2 - OK
Ping PC 10/PC20 - 192.168.50.1(LAN gateway) - U.U.U.U
PING PC10/PC20 - 192.168.50.20 (My Win2k12 DNS) - U.U.U.U
But it seems that it has no problem reaching the Internet.
By the way, what L3 switch would you recommend for this kind of network, that would also support this kind of config?
And I also need some fail-over. In my current network I use IP SLA for fail-over.
I'm very thankful. :)
PS: Please have patience with my english and typo. :)
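The two posts above (Julio's three-step PBR recipe and Daniel's ping results) both come down to how IOS evaluates an `ip policy route-map` on an SVI. The following Python model is an added example, not the posters' configs or Cisco code: it copies the ACLs, route-maps and SVI policies from the MainSwitch config as posted, and replays the pings from the test list. The host addresses (10.1.10.10 and so on) are constructed, and the switch routing table is an assumption derived from the posted config: only the connected /30 and VLAN subnets, with no 0.0.0.0/0, because `router eigrp 1` with `network 10.0.0.0` on R1 and R2 does not advertise their static default route unless something redistributes it. It goes one step beyond the posted tests by also checking a VLAN 30 host, which has no policy applied.

```python
"""Model of the PBR decision on an IOS SVI (added example, not the posters'
own code). Route-map entries are tried in sequence order; the first entry
whose 'match ip address' ACL permits the packet wins. 'set ip next-hop'
overrides the routing table (if that next hop is reachable); an entry with
no set clause, or no matching entry at all, hands the packet back to normal
destination-based routing.
"""
from ipaddress import ip_address, ip_network


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard test: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


ANY = ("0.0.0.0", "255.255.255.255")

# Extended ACLs copied from the posted MainSwitch config:
# (action, (src, wildcard), (dst, wildcard)); first match wins, implicit deny.
PRIVATE_DSTS = [("10.0.0.0", "0.255.255.255"),
                ("172.16.0.0", "0.15.255.255"),
                ("192.168.0.0", "0.0.255.255")]
ACLS = {
    "INT":           [("permit", ("10.1.10.0", "0.0.0.255"), ANY)],
    "INTERNET":      [("permit", ("10.1.20.0", "0.0.0.255"), ANY)],
    "PRIVATE-NET":   [("permit", ("10.1.20.0", "0.0.0.255"), d) for d in PRIVATE_DSTS],
    "PRIVATE-NET-2": [("permit", ("10.1.10.0", "0.0.0.255"), d) for d in PRIVATE_DSTS],
}


def acl_permits(name, src, dst):
    """True if the named ACL permits the src/dst pair (first ACE decides)."""
    for action, (s, sw), (d, dw) in ACLS[name]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


# Route-maps as posted: (sequence, match ACL, next-hop or None if no set clause).
ROUTE_MAPS = {
    "INTERNET-ISP1": [(5, "PRIVATE-NET-2", None), (100, "INT", "10.1.1.1")],
    "INTERNET-ISP2": [(5, "PRIVATE-NET", None), (100, "INTERNET", "10.1.2.1")],
}

# 'ip policy route-map' per SVI; Vlan30 has none in the posted config.
SVI_POLICY = {10: "INTERNET-ISP1", 20: "INTERNET-ISP2", 30: None}

# ASSUMED switch RIB: connected routes only, no default (EIGRP carries only
# the 10.0.0.0 networks; the routers' static default is not redistributed).
RIB = [ip_network(n) for n in
       ("10.1.1.0/30", "10.1.2.0/30", "10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24")]


def rib_lookup(dst):
    """Longest-prefix match; None means no route (ICMP unreachable, 'U')."""
    hits = [n for n in RIB if ip_address(dst) in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def forward(ingress_vlan, src, dst):
    """Return the forwarding decision for a packet entering the given SVI."""
    policy = SVI_POLICY.get(ingress_vlan)
    if policy:
        for seq, acl, next_hop in ROUTE_MAPS[policy]:
            if acl_permits(acl, src, dst):
                if next_hop and rib_lookup(next_hop):  # next hop must be reachable
                    return f"pbr seq {seq}: next-hop {next_hop}"
                break  # matched an entry with no usable set clause: normal routing
    route = rib_lookup(dst)
    return f"route {route}" if route else "unreachable (no route)"


def replay_tests():
    """Replay the pings from the post (constructed host addresses), plus a
    VLAN 30 host that the post did not test."""
    cases = {
        "PC10 -> PC30 (inter-VLAN)": (10, "10.1.10.10", "10.1.30.10"),
        "PC10 -> 8.8.8.8": (10, "10.1.10.10", "8.8.8.8"),
        "PC20 -> 8.8.8.8": (20, "10.1.20.10", "8.8.8.8"),
        "PC10 -> 192.168.50.1 (LAN gateway)": (10, "10.1.10.10", "192.168.50.1"),
        "PC20 -> 192.168.50.20 (DNS)": (20, "10.1.20.10", "192.168.50.20"),
        "PC30 -> 8.8.8.8 (no PBR on Vlan30)": (30, "10.1.30.10", "8.8.8.8"),
    }
    return {name: forward(*pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, decision in replay_tests().items():
        print(f"{name:38} {decision}")
```

Under these assumptions the model reproduces the posted results: Internet-bound packets from VLAN 10 and 20 fall through sequence 5 and are policy-routed to R1 or R2, inter-VLAN traffic matches the private-destination entry and is routed normally over the connected subnets, and packets for 192.168.50.1 or 192.168.50.20 also match that entry but then find no route on the switch, which is exactly what U.U.U.U means. The same applies to any host on VLAN 30, which has no policy at all. Giving the switch a default route toward the routers (a static one, or redistributing the routers' static default into EIGRP) is the usual way to let non-policy-routed traffic reach the LAN behind R1 and R2.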
01-31-2017 05:34 AM
Hi Daniel,
hehe that is ok Daniel :-) and good to know that the config works. There are various factors in selecting an L3 switch: performance, cost, the size of your company, etc. If you are going to use one for a small branch, you could use a 3560 or 3750 switch or later; you should also request an image that supports routing.
For high availability you should have 2 L3 switches running Rapid Per-VLAN STP at least; you can run HSRP for your VLANs as well. The primary switch will be the root for your VLANs and the HSRP master as well. The secondary switch will be your secondary root bridge, with a higher priority than the primary root, and it will be the HSRP standby for your VLANs. Between these switches you could create an EtherChannel with trunks.
About the failover, yep, you could use EEM combined with IP SLA ICMP echo; it will create a log message once the ping fails, so EEM will automatically execute a script with the configuration you have created for it. If you want I can provide you an example.
If you want to create failover with EIGRP, you could redistribute the default route or advertise the default route with different metrics from the core routers.
R1 could advertise the metric:
10000 10 255 1 1500
R2 could advertise the metric:
10000 20 255 1 1500
:-)
02-01-2017 12:53 AM
Hi Julio,
Thanks again for the help.
Actually, my original plan was to use 2 L3 switches as my main switches. But I have to use my existing two 1941 routers for the upgrade (see attached image). I'm finding it hard to emulate in GNS3, so I decided to use only 1 L3 switch for my question. VTP is not supported on it either.
Is it better to stack the L3 switches or to use EtherChannel between them, like in the original plan?
If I use HSRP on both L3 switches, on which VLAN interface would I apply the PBR? Is it on the main switch or on the secondary?
Thanks again for the Help. :)
02-01-2017 03:08 AM
Hi,
Anytime :-) With HSRP you need to apply the PBR on both (main switch and secondary) interface VLAN 20. I suggest using the EtherChannel.
Regards
02-02-2017 04:57 AM
Hi Julio,
Thanks again. By the way, is GLBP also applicable for this network instead of HSRP? If I ever move to GLBP, does it affect the PBR on every VLAN interface? Thanks again.
02-02-2017 05:03 AM
Hi Daniel,
Yes, you can use GLBP if you want to enable load balancing on your network; the PBR will not be affected at all because you are already pointing your next hop statically :-)
Regards.