05-21-2020 01:23 PM
We currently have an ASA5516 firewall and our core switch is a Cisco 4500X. The 4500X is doing all our internal routing between VLANs and has a default gateway pointing to the ASA for outgoing traffic.
We recently got a secondary WAN connection and I want to know the best way to route a single VLAN (guest wireless traffic) out the second WAN. The new WAN will not terminate on the ASA but on a Unifi Security Gateway. It will look something like this:
WAN1 <---- ASA5516 <----------------- (All other VLANs)
<--- 4500X (Core)
WAN2 <---- Unifi Security Gateway <------ (Guest VLAN)
Should I just use PBR to get this working, or is there an easier way?
Thanks
05-21-2020 02:15 PM
You can have a static route, but I suggest PBR is best here.
05-21-2020 03:37 PM
05-21-2020 04:15 PM
05-22-2020 06:25 AM
05-22-2020 06:44 AM
That static route will not accomplish what you want. What that static route says to the 4500 is that to reach subnet 10.255.10.0, go to the USG. But the 4500 knows that 10.255.10.0 is a locally connected subnet and is not really reached via the USG.
Normal IP routing is based on destination address. It says to reach destination x.y.z.0 go to next hop 1.2.3.4. And it does not matter what the source address of the packet is. What you want to do is to say that if the source address is in the guest network then go to USG as the next hop. The way to make forwarding decisions based on source address is to use PBR.
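The source-based forwarding described in the reply above, as an added Cisco IOS configuration example and not configuration from the thread or from Cisco; the guest subnet 10.255.10.0 comes from the thread (the /24 mask is assumed), while the VLAN numbers, the transit VLAN to the USG, the USG next-hop address and the wireless controller address are constructed placeholders.

```cisco
! Guest wireless SVI on the 4500X (subnet from the thread; /24 mask assumed)
interface Vlan10
 description Guest-Wireless
 ip address 10.255.10.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-WAN2
!
! Transit VLAN carried on the trunk to the USG (constructed addresses;
! the USG must have a route back to 10.255.10.0/24 via 10.255.250.1)
interface Vlan250
 description Transit-to-USG
 ip address 10.255.250.1 255.255.255.252
!
! Guest isolation: only the wireless controller (placeholder 10.1.1.50)
! is reachable inside the network; other private ranges are dropped
ip access-list extended GUEST-IN
 permit ip 10.255.10.0 0.0.0.255 host 10.1.1.50
 deny   ip 10.255.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.255.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.255.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.255.10.0 0.0.0.255 any
!
! PBR match list: a "deny" here means "do not policy-route" (normal
! routing applies), so only Internet-bound guest traffic is redirected
ip access-list extended GUEST-INTERNET
 deny   ip 10.255.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.255.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.255.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.255.10.0 0.0.0.255 any
!
! Matching packets get the USG as next hop instead of following the
! default route toward the ASA; non-matching packets use the routing table
route-map GUEST-TO-WAN2 permit 10
 match ip address GUEST-INTERNET
 set ip next-hop 10.255.250.2
```

The ingress ACL is evaluated before the policy route-map, so a guest host that is denied by GUEST-IN never reaches the PBR decision; `show route-map GUEST-TO-WAN2` shows the match counters once traffic flows.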
05-21-2020 02:16 PM
We do not know some details about this environment, and this impacts our ability to understand the issue and to provide good suggestions. The post is fairly clear about the 4500 switch and the ASA as the primary gateway to access the Internet. We do not have much information about the guest wireless VLAN or about the new secondary WAN and how it connects. Assuming that the guest wireless VLAN does connect to/through the 4500 and that the UniFi Security Gateway does connect to the 4500, then the appropriate way to send the guest wireless traffic to the secondary WAN would be PBR on the 4500.
05-21-2020 03:48 PM
Sorry for not being more clear in my initial post.
Pretty much, the UniFi Security Gateway will be a second firewall that the second WAN terminates on. I'll have a trunk connection between the USG and the 4500X. The USG's only purpose in this configuration will be to handle the outgoing guest wireless traffic.
The guest wireless VLAN interface will live on the 4500X (core) with all the other VLANs. I'll have an ACL set up to prevent the guest VLAN from communicating with everything else on the network besides the wireless controller.
I hope I cleared some stuff up.