12-03-2008 03:27 PM - edited 03-04-2019 12:35 AM
I have a Cisco 3725 router with 3 Fast Ethernet ports. We also have 2 separate firewalls (Checkpoint and Sonicwall)
We got this router to allow us the option of making gateway changes on the fly without having to change anyone's default gateway.
What I have done so far is assigned one of the Ethernet ports on the router a primary and secondary address... These addresses were the gateway addresses of the 2 firewalls. I have configured the 2 other ports on the router to have an address out of a unique subnet (each port to be connected directly to one of the 2 firewalls, obviously assigning the firewall ports addresses that allow them to communicate with the router).
So let's say the 2 IP addresses that are assigned to that one port on the router are 1.1.1.1 and 1.1.1.2. These being the 2 possible default gateways of all computers on the network... I want the router to recognize which address traffic from the network arrived on and from that, route to one of the 2 firewalls... So if a computer had 1.1.1.1 as its gateway, the router would route Internet requests to the Checkpoint, and if a computer had 1.1.1.2 as its gateway, the traffic would be routed to the other gateway (Sonicwall). The only exception to traffic from one gateway address being routed to a specific firewall all the time is when they try and access shares on one of our remote sites (we have a site to site VPN tunnel), and that tunnel is only between the Checkpoint and the remote site; the Sonicwall has no VPN tunnels... I have configured static routes for those subnets to go to the Checkpoint on the router, so I don't think that will be an issue...
Anyway, how do I route traffic depending on what gateway address computers used? Gateway of last resort forces all internet traffic to one of the 2, without any dynamic routing options...
Thanks in advance!
12-04-2008 05:59 PM
Hi,
If you have a 2nd interface available, you can use the VRF-lite feature to split your 3725 into 2x different virtual routers. This way you will have two routing tables. Because you have complete separation between them, two interfaces belonging to different VRF can have IP addresses belonging to the same subnet.
So the idea would be:
- Interface with 1.1.1.1 @ and the interface connected to the checkpoint FW stay in the GRT which is the default routing table (configuration is the one you already have)
- Interface with 1.1.1.2 @ and the interface connected to the Sonic FW are in a new routing table (VRF):
Each routing table will have a default-route pointing to their FW
This way you will have natural routing for all the hosts ;-) !!
Configuration looks like this:
ip vrf SONIC
 rd 1:1
!
interface Fas0/0
 ip address 1.1.1.1 255.255.0.0
!
interface Fas1/0
 description Checkpoint FW
 ip address 10.1.1.2 255.255.255.240
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
interface Fas0/1
 ip vrf forwarding SONIC
 ip address 1.1.1.2 255.255.0.0
!
interface Fas2/0
 description SONIC FW
 ip vrf forwarding SONIC
 ip address 10.2.1.2 255.255.255.240
!
ip route vrf SONIC 0.0.0.0 0.0.0.0 10.2.1.1
!
Then do a sh ip route and a sh ip route vrf SONIC and you will see the two different routing tables.
Hosts which need access to the VPN must have their default gateway set to 1.1.1.1.
You now have two virtual routers, so when you are troubleshooting first determine which routing table you are using, because for the one in the VRF you need to add the vrf keyword in all your commands (ping, telnet, sh ip route, ...); otherwise the router will use the default routing table, called the GRT (Global Routing Table), instead.
The link below will give you more details about vrf-lite feature (12.2T min is required):
Thanks
Laurent.
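To make the "two routing tables" behaviour concrete, here is an added example (not from this thread or from Cisco) that models the VRF-lite configuration above as two separate tables and performs the per-VRF longest-prefix lookup the router does. The remote-site VPN prefix 192.168.50.0/24 is an assumption; the original post says such static routes exist but does not give the subnet. It shows why hosts using 1.1.1.2 as their gateway cannot reach the VPN: the static route lives only in the GRT, so the SONIC table falls through to its own default.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix next_hop")

# Ingress interface -> routing table, taken from the configuration in the answer.
# "GRT" stands for the global routing table (no "ip vrf forwarding" on the interface).
INTERFACE_VRF = {"Fas0/0": "GRT", "Fas1/0": "GRT", "Fas0/1": "SONIC", "Fas2/0": "SONIC"}

def net(p):
    return ipaddress.ip_network(p)

# Constructed model of the two tables: connected routes from the interface
# addresses, the static routes from the answer, and the VPN route from the
# question (assumed prefix 192.168.50.0/24, present only in the GRT).
ROUTING_TABLES = {
    "GRT": [
        Route(net("1.1.0.0/16"), "connected Fas0/0"),
        Route(net("10.1.1.0/28"), "connected Fas1/0"),
        Route(net("192.168.50.0/24"), "10.1.1.1"),   # remote site via Checkpoint
        Route(net("0.0.0.0/0"), "10.1.1.1"),         # default via Checkpoint
    ],
    "SONIC": [
        Route(net("1.1.0.0/16"), "connected Fas0/1"),
        Route(net("10.2.1.0/28"), "connected Fas2/0"),
        Route(net("0.0.0.0/0"), "10.2.1.1"),         # default via Sonicwall
    ],
}

def lookup(vrf, dst):
    """Longest-prefix match within a single table; returns the next hop or None.
    Tables are never consulted across VRF boundaries, which is the whole point."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in ROUTING_TABLES[vrf]:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.next_hop if best else None

def forward(ingress_if, dst):
    """Resolve the VRF from the interface the packet arrived on, then route in that table."""
    return lookup(INTERFACE_VRF[ingress_if], dst)

if __name__ == "__main__":
    for ifname, dst in [("Fas0/0", "8.8.8.8"), ("Fas0/1", "8.8.8.8"),
                        ("Fas0/0", "192.168.50.7"), ("Fas0/1", "192.168.50.7")]:
        print(f"{ifname:7} -> {dst:14} next hop {forward(ifname, dst)}")
```

The last line of output is the caveat from the answer: a packet for the remote site that entered on the VRF interface is handed to the Sonicwall, which has no tunnel.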