Route VLAN for guest traffic to secondary WAN using a different gateway

tim829
Level 1

We currently have an ASA5516 firewall and our core switch is a Cisco 4500X. The 4500X is doing all our internal routing between VLANs and has a default gateway pointing to the ASA for outgoing traffic.

We recently got a secondary WAN connection and I want to know the best way to route a single VLAN (guest wireless traffic) out the second WAN. The new WAN will not terminate on the ASA but on a Unifi Security Gateway. It will look something like this:

WAN1 <---- ASA5516 <---------------- (All other VLANs) <--+
                                                          +-- 4500X (Core)
WAN2 <---- Unifi Security Gateway <------ (Guest VLAN) <--+

Should I just use PBR to get this working or is there an easier way?
7 Replies

balaji.bandi
Hall of Fame

You can have a static route, but I suggest PBR is best here.

BB
My initial thought when I first started looking into this was to just setup a static route.

What would be the main advantages to using PBR over a basic static route?

Thanks

You will need to use PBR to route the guest traffic to the internet over the second WAN connection. Just curious, how do you plan to do it with a basic static route?
HTH,
Meheretab

By setting up a VLAN interface on the core with an IP address of 172.16.6.2, plugging the USG into that VLAN, then giving the USG an IP of 172.16.6.1. Then I would add a static route on the core, something like this:

ip route 10.255.10.0 255.255.255.0 172.16.6.1

10.255.10.0 is the guest network.

That static route will not accomplish what you want. What that static route tells the 4500 is that to reach subnet 10.255.10.0 it should go to the USG. But the 4500 knows that 10.255.10.0 is a locally connected subnet and is not really reached via the USG.

Normal IP routing is based on destination address. It says to reach destination x.y.z.0 go to next hop 1.2.3.4. And it does not matter what the source address of the packet is. What you want to do is to say that if the source address is in the guest network then go to USG as the next hop. The way to make forwarding decisions based on source address is to use PBR.

HTH

Rick

Richard Burts
Hall of Fame

We do not know some details about this environment, and this impacts our ability to understand the issue and to provide good suggestions. The post is fairly clear about the 4500 switch and the ASA as the primary gateway to access the Internet. We do not have much information about the guest wireless VLAN, or about the new secondary WAN and how it connects. Assuming that the guest wireless VLAN does connect to/through the 4500 and that the Unifi Security Gateway does connect to the 4500, then the appropriate way to send the guest wireless traffic to the secondary WAN would be PBR on the 4500.

HTH

Rick

Sorry for not being more clear in my initial post.

Pretty much the UniFi Security Gateway will be a second firewall that the second WAN terminates on. I'll have a trunk connection between the USG and the 4500X. The USG's only purpose in this configuration will be to handle the outgoing guest wireless traffic.

The guest wireless VLAN interface will live on the 4500X (core) with all the other VLANs. I'll have an ACL set up to prevent the guest VLAN from communicating with everything else on the network besides the wireless controller.

I hope I cleared some stuff up.
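
The PBR approach Rick describes (forward on source address, not destination) together with the guest-isolation ACL tim829 plans, written out as an added example 4500X configuration. This is not a config posted in the thread and not anyone's production config. Only the guest subnet 10.255.10.0/24, the USG address 172.16.6.1 and the 4500X transit address 172.16.6.2 come from the thread; the VLAN numbers (Vlan10 guest, Vlan600 transit), the guest SVI address 10.255.10.1, the /30 transit mask, the wireless controller address 10.1.1.10 and the RFC 1918 summaries used to block the rest of the internal network are all assumptions.

```cisco
! Added example, not from the thread. Assumed: Vlan10 = guest wireless,
! Vlan600 = transit VLAN to the USG, wireless controller at 10.1.1.10,
! internal networks covered by the RFC 1918 ranges below.
! From the thread: guest subnet 10.255.10.0/24, USG 172.16.6.1, 4500X 172.16.6.2.

! 1. Ingress ACL on the guest SVI: allow the controller, block the rest of the
!    internal address space, allow everything else (the Internet).
ip access-list extended GUEST-IN
 permit ip 10.255.10.0 0.0.0.255 host 10.1.1.10
 deny   ip 10.255.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.255.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.255.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.255.10.0 0.0.0.255 any

! 2. ACL referenced only by the route-map. A "deny" here means "do not
!    policy-route this packet, use the normal routing table", not "drop".
!    Controller traffic therefore stays on the 4500X's internal routing.
ip access-list extended GUEST-TO-WAN2
 deny   ip 10.255.10.0 0.0.0.255 host 10.1.1.10
 permit ip 10.255.10.0 0.0.0.255 any

! 3. Route-map: packets matching the ACL get the USG as next hop instead of
!    following the default route towards the ASA.
route-map GUEST-WAN2 permit 10
 match ip address GUEST-TO-WAN2
 set ip next-hop 172.16.6.1

! 4. Transit VLAN between the 4500X (.2) and the USG LAN side (.1).
interface Vlan600
 description Transit to Unifi Security Gateway (WAN2)
 ip address 172.16.6.2 255.255.255.252

! 5. Guest SVI: the ingress ACL is evaluated first, then the policy route-map
!    is applied to packets entering the switch from the guest VLAN.
interface Vlan10
 description Guest wireless
 ip address 10.255.10.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-WAN2
```

Two things the 4500X config cannot do on its own: the USG must have a route for 10.255.10.0/24 via 172.16.6.2 and must NAT guest traffic out WAN2, or return traffic never comes back; and, because a plain `set ip next-hop` forwards blindly, guest Internet access breaks if the USG is down rather than failing over to the ASA. If you want fallback, check whether your 4500X software supports `set ip next-hop verify-availability` with an IP SLA track object before relying on it. To confirm the policy is taking effect, `show route-map GUEST-WAN2` shows the policy-match counters and `show ip policy` lists which interfaces have the route-map applied.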