12-07-2011 02:23 AM - edited 03-04-2019 02:33 PM
Hi, I'm facing some problems here. Wish to get some expert advice.
I will explain my problem below.
I have one Cisco 3560, and it is connected to a firewall.
I already turned on ip routing, which is able to do inter-VLAN routing.
In the 3560, the static route is 0.0.0.0 0.0.0.0 192.168.2.2
3560 (port 1, 192.168.2.1) =====> Firewall (port 1, 192.168.2.2) ======> Internet (WAN)
Which means anything from the 3560 will be routed to firewall port 1 (192.168.2.2), and all the users behind the 3560 will be able to connect to the Internet (WAN).
I want a different setup now. I'm trying to configure another port (port 2) on the Cisco 3560 connected to firewall port 2:
3560 (port 2, 10.1.1.1) =====> Firewall (port 2, 10.1.1.2) ======> Internet (WAN)
I want subnet 10.1.1.x routed to a different gateway (10.1.1.2) on the firewall to go out to the WAN, and not using the 192.168.2.2 gateway to the WAN.
Any advice on this?
Wish to get expert advice.
Thanks.
12-07-2011 02:43 AM
Hi,
Does this mean that you have another WAN link connected to your firewall port 2?
And you want all Internet traffic from 10.1.1.0 to go through 10.1.1.2?
Then you need to use a route-map and point the traffic to your second gateway (10.1.1.2) like below:
ip access-list ext 170
 permit ip 10.1.1.0 0.0.0.255 any
route-map wan-out permit 10
 match ip address 170
 set ip default next-hop 10.1.1.2
Now you need to assign the above route-map to that VLAN interface (10.1.1.1):
interface Vlan10
 ip address 10.246.1.1 255.255.255.0
 ip policy route-map wan-out
Hope the above will help you.
Please rate the helpful posts.
Regards,
Naidu.
12-07-2011 05:33 AM
Policy-based routing, matching on the source address and setting the next-hop IP address, will work.
The solution provided by Naidu is correct:
ip access-list ext 170
 permit ip 10.1.1.0 0.0.0.255 any
route-map wan-out permit 10
 match ip address 170
 set ip default next-hop 10.1.1.2
Now you need to assign the above route-map to that VLAN interface (10.1.1.1):
interface Vlan10
 ip address 10.1.1.1 255.255.255.0 --> This should be your config in the 3560. I just corrected the IP address.
 ip policy route-map wan-out
++++++++
On the firewall you need another NAT, route and access-list statement for, say, this traffic coming in on an inside-2 interface at the firewall.
For the future and for scalability, please use a trunk between the switch and the firewall. This will save the additional ports required for each VLAN.
cheers !!
aslam
12-07-2011 04:47 AM
Hi Latchum Naidu, I appreciate your help.
Actually I only have one WAN link connected to my firewall.
Firewall port 1 (192.168.2.2) is connected to the 3560 (port 1).
Inside the 3560 there are a few VLANs configured, for example VLAN 10, 20, 30.
All the VLAN (10, 20, 30) traffic will be routed from 3560 port 1 ===> Firewall port 1
because the ip route is 0.0.0.0 0.0.0.0 192.168.2.2
In this case, I have another new VLAN, which is VLAN 80.
I want this to route from 3560 port 2 ====> Firewall port 2
to reduce the traffic going from 3560 port 1 ====> Firewall port 1.
I can't make it work, because the ip route is already set to 0.0.0.0 0.0.0.0 192.168.2.2
Can your solution be applied to this case?
12-07-2011 05:43 AM
Hi Woody,
Yes, the solution I provided in my post is well suited for you.
Please go ahead with that and come back if you have any troubles.
Please rate the helpful posts.
Regards,
Naidu.
12-08-2011 01:15 AM
Thanks for the help...
Appreciate it..
12-08-2011 01:19 AM
Woody, I am glad that my post helped you. Thanks for your rating.
Please rate the helpful posts.
Regards,
Naidu.
12-08-2011 01:26 AM
Enjoy, Woody!!
12-12-2011 08:30 AM
Dear Naidu, I have the same situation. I have VLANs as follows:
vlan Server
vlan DMZ
vlan Wireless
They will have a different Internet gateway from a 2821 router. I have 20 Mb of dedicated Internet connection with a /29 static public IP scheme; however the Internet will be the same at the end, but each VLAN will be using one static IP. I will try and post the result. The switch I'm using is a 4507.
Thanks for your helpful post.
Regards
Mirza
12-13-2011 05:44 AM
Hi Mirza,
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
This will help.
To summarize, you have 3 VLANs - vlan-a, vlan-b, vlan-c:
1. Create an access-list to match each VLAN's IP subnet.
2. Create a route-map:
>>> match the ip address from the access-list.
>>> set the next-hop ip address.
3. The above link will help you to have backup connectivity: in case one service provider fails, you can pass the traffic to another service provider by using track and a route-map permit 20 statement.
Hope this helps.
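The key detail in both Naidu's wan-out route-map above and the three-VLAN summary here is how "set ip default next-hop" differs from "set ip next-hop": the default form only overrides the 0.0.0.0/0 route, so inter-VLAN traffic still follows the connected routes. The following Python model of that forwarding decision is an added example, not code from the thread or from Cisco; it assumes /24 masks on the 192.168.2.0 link and a constructed VLAN 20 subnet (192.168.20.0/24), and the policy dictionary can hold one sequence per VLAN for Mirza's multi-gateway case.

```python
import ipaddress
from dataclasses import dataclass

N = ipaddress.ip_network
DEFAULT = N("0.0.0.0/0")

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # "connected" or a next-hop IP

@dataclass
class Seq:                 # one "route-map <name> permit <seq>" entry
    acl: list              # permit entries as (src_net, dst_net), like ACL 170
    next_hop: str
    default_only: bool     # True = "set ip default next-hop", False = "set ip next-hop"

def lookup(rib, dst):
    """Longest-prefix match; None if the RIB has no route at all."""
    hits = [r for r in rib if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def forward(rib, policy, ingress_vlan, src, dst):
    """Return the next hop IOS PBR would pick for a packet entering ingress_vlan."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rib_route = lookup(rib, dst)
    for seq in policy.get(ingress_vlan, []):          # first matching sequence wins
        if not any(src in s and dst in d for s, d in seq.acl):
            continue
        # "default next-hop" yields to any RIB route more specific than 0/0,
        # which is why VLAN-to-VLAN traffic still takes the connected route
        if seq.default_only and rib_route and rib_route.prefix != DEFAULT:
            return rib_route.next_hop
        return seq.next_hop
    return rib_route.next_hop if rib_route else None

# Constructed model of the thread's 3560: VLAN 10 hosts are 10.1.1.x with the
# firewall's second port at 10.1.1.2; VLAN 20 is an assumed 192.168.20.0/24.
RIB = [
    Route(N("192.168.2.0/24"), "connected"),   # port 1 link, firewall at 192.168.2.2 (mask assumed)
    Route(N("10.1.1.0/24"), "connected"),      # Vlan10, switch is 10.1.1.1
    Route(N("192.168.20.0/24"), "connected"),  # Vlan20 (assumed subnet)
    Route(DEFAULT, "192.168.2.2"),             # ip route 0.0.0.0 0.0.0.0 192.168.2.2
]
ACL_170 = [(N("10.1.1.0/24"), DEFAULT)]        # permit ip 10.1.1.0 0.0.0.255 any
WAN_OUT = {"Vlan10": [Seq(ACL_170, "10.1.1.2", default_only=True)]}

if __name__ == "__main__":
    print(forward(RIB, WAN_OUT, "Vlan10", "10.1.1.50", "203.0.113.10"))    # 10.1.1.2
    print(forward(RIB, WAN_OUT, "Vlan10", "10.1.1.50", "192.168.20.5"))    # connected
    print(forward(RIB, WAN_OUT, "Vlan20", "192.168.20.5", "203.0.113.10"))  # 192.168.2.2
```

Swapping default_only to False reproduces "set ip next-hop", which would also push the VLAN 10 to VLAN 20 traffic at the firewall.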