Problem of Static Routing to a different gateway

wcpon_cisco
Level 1

Hi, I'm facing some problems here... Wish to get some expert advice...

I will explain my problem below.

I have one Cisco 3560, and it is connected to a Firewall...

I already turned on ip routing, which is able to do inter-VLAN routing...

In the 3560, the static route is 0.0.0.0 0.0.0.0 192.168.2.2

3560 (port 1) =====> Firewall (port 1) ======> Internet (WAN)

192.168.2.1                192.168.2.2

Which means... anything from the 3560 will be routed to Firewall port 1 (192.168.2.2) and all the users behind the 3560 will be able to connect to the Internet (WAN).

I want a different setup now; I'm trying to configure another port (port 2) on the Cisco 3560 to connect to Firewall port 2...

3560 (port 2) =====> Firewall (port 2) ======> Internet (WAN)

10.1.1.1                     10.1.1.2

I want subnet 10.1.1.x to route to a different gateway (10.1.1.2) on the Firewall to go out to the WAN... and not use the 192.168.2.2 gateway to the WAN.

Any advice on this?

Wish to get expert advice.

Thanks.


Latchum Naidu
VIP Alumni

Hi,

Does this mean that you have another WAN link connected to your Firewall port 2?
And you want all Internet traffic from 10.1.1.0 to go through 10.1.1.2?

So you need to use a route-map and point the traffic to your second gateway (10.1.1.2) like below...

ip access-list ext 170
permit ip 10.1.1.0 0.0.0.255 any

route-map wan-out permit 10
match ip address 170
set ip default next-hop 10.1.1.2

Now you need to assign the above route-map to that VLAN interface (10.1.1.1)

interface Vlan10
ip address 10.246.1.1 255.255.255.0
ip policy route-map wan-out

Hope the above will help you...

Please rate the helpful posts.
Regards,
Naidu.

Hi Latchum Naidu... Appreciate your help...

Actually I only have one WAN link connected to my Firewall...

The Firewall port 1 (192.168.2.2) is connected to 3560 (port 1)...

Inside the 3560 I have a few VLANs configured... for example, VLAN 10, 20, 30...

All the VLAN (10, 20, 30) traffic will be routed from 3560 port 1 ===> Firewall port 1

Because the ip route is 0.0.0.0 0.0.0.0 192.168.2.2

In this case, I have another new VLAN, which is VLAN 80...

I want this to route from 3560 port 2 ====> Firewall port 2

To reduce the traffic going from 3560 port 1 ====> Firewall port 1...

I can't make it work, because the ip route is already set to 0.0.0.0 0.0.0.0 192.168.2.2

Can your solution apply to this case?

Policy-based routing matching the source address and setting the next-hop IP address will work.

The solution provided by Naidu is correct:

ip access-list ext 170
permit ip 10.1.1.0 0.0.0.255 any

route-map wan-out permit 10
match ip address 170
set ip default next-hop 10.1.1.2

Now you need to assign the above route-map to that VLAN interface (10.1.1.1)

interface Vlan10
ip address 10.1.1.1 255.255.255.0 --> This should be your config on the 3560; I just corrected the IP address
ip policy route-map wan-out

++++++++

On the firewall you need another NAT, route and access-list statement, since, say, this will come in on an inside-2 interface at the firewall.

For future scalability please use a trunk between switch and firewall; this will save the additional ports required for each VLAN.

cheers !!

aslam

Hi Woody,

Yes, the solution that I have provided in my post is very suitable for you.
Please go ahead with that and come back if you have any troubles.

Please rate the helpful posts.
Regards,
Naidu.

wcpon_cisco
Level 1

Thanks for the help...

Appreciate it...

Woody, I am glad that my post helped you... Thanks for your rating...

Please rate the helpful posts.

Regards,

Naidu.

Dear Naidu, I have the same situation. I have VLANs as follows:

vlan Server

vlan DMZ

vlan Wireless

They will have different Internet gateways from a Router 2821. I have 20 Mb of dedicated Internet connection with a /29 static public IP scheme; however, the Internet will be the same at the end, but each VLAN will be using 1 static IP. I will try and post the result. The switch I'm using is a 4507.

Thanks for your helpful post.

Regards

Mirza

Hi Mirza,

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

This will help.

To summarize, you have

3 VLANs - vlan-a, vlan-b, vlan-c

1. Create an access-list to match each VLAN's IP subnet.

2. Create a route-map:

>>> match the ip address from the access-list.

>>> set the next-hop ip address.

3. The above link will help you to have backup connectivity in case one service provider fails: you can pass the traffic to another service provider by using track and a route-map permit 20 statement.

Hope this helps.
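As an added illustration (not code from this thread or from Cisco), here is a small Python model of how the policy-based routing in Naidu's and aslam's replies, and the per-VLAN steps in aslam's summary above, interact with the switch's routing table: traffic sourced from the new VLAN's subnet is sent to the second firewall gateway only when it would otherwise hit the default route, while inter-VLAN traffic still follows the connected routes. The model also contrasts "set ip default next-hop" with "set ip next-hop"; the SVI names, the 192.168.20.0/24 VLAN and the 203.0.113.10 destination are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's setup, not the switch's own forwarding code.
# Routing table of the 3560: the default route plus its connected VLAN subnets.
ROUTES = {
    "0.0.0.0/0": "192.168.2.2",      # ip route 0.0.0.0 0.0.0.0 192.168.2.2
    "192.168.2.0/24": "connected",   # link to firewall port 1
    "10.1.1.0/24": "connected",      # new VLAN, SVI 10.1.1.1, link to firewall port 2
    "192.168.20.0/24": "connected",  # hypothetical existing user VLAN (e.g. VLAN 20)
}

# route-map wan-out permit 10, applied with "ip policy route-map" on the new VLAN's SVI.
# mode "default" models "set ip default next-hop"; mode "next-hop" models "set ip next-hop".
POLICY = {
    "Vlan80": [{"match": "10.1.1.0/24", "next_hop": "10.1.1.2", "mode": "default"}],
}


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (matched prefix, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return str(best[0]), best[1]


def forward(in_iface, src, dst, policy=POLICY):
    """Next hop for a packet entering on in_iface, after PBR and the routing table."""
    prefix, table_next_hop = lookup(dst)
    for clause in policy.get(in_iface, []):            # route-map sequences in order
        if ipaddress.ip_address(src) not in ipaddress.ip_network(clause["match"]):
            continue                                   # ACL 170 did not match this packet
        if clause["mode"] == "next-hop":
            return clause["next_hop"]                  # PBR overrides the table outright
        if clause["mode"] == "default" and prefix == "0.0.0.0/0":
            return clause["next_hop"]                  # only when just the default route matched
    return table_next_hop                              # unmatched traffic: normal routing


if __name__ == "__main__":
    # VLAN 80 users reach the Internet via firewall port 2 but still reach VLAN 20 locally.
    print(forward("Vlan80", "10.1.1.50", "203.0.113.10"))     # 10.1.1.2
    print(forward("Vlan80", "10.1.1.50", "192.168.20.7"))     # connected
    # Other VLANs keep using the original default gateway.
    print(forward("Vlan20", "192.168.20.7", "203.0.113.10"))  # 192.168.2.2
```

On a real 3560, PBR is only available with the routing SDM template (sdm prefer routing), so check that before applying the route-map.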

