Re: Routing vlan traffic to FW other than default route

david-flores · ‎09-06-2005

We have 2 firewalls connected to our 6509 with MSFC, and want to route all internet traffic on a certain vlan to a firewall that is not designated as the default route on the msfc? is this possible?

For example.

Here is the default route:

0.0.0.0 0.0.0.0 172.16.2.14

We want most users to use this FW for internet access. However, we want users in a different vlan to go to a different FW for internet access.

Thanks

thisisshanky · ‎09-06-2005

You can use policy routing on the respective vlans, to route traffic from Vlan X to FW 1, while traffic from Vlan Y to FW 2. If your Sup engine is 720/MSFC3, you can do policy routing with CEF.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

david-flores · ‎09-06-2005

We are using an older sup and msfc and ios.

WS-X6K-SUP1A-2GE

Can we implement policy routing with older hardware?

thisisshanky · ‎09-06-2005

Do you have MSFC 1 or MSFC 2 . Do you have PFC 1 or PFC 2 ? Can you paste a sh module ? The MSFC 2/ MSFC3 and PFC2/PFC3 have CEF turned on by default without any configuration. So my good guess is PBR should also be done CEF on yours with the above hardware combo (MSFC2/PFC2).

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

david-flores · ‎09-06-2005

Mod Slot Ports Module-Type Model Sub Status

--- ---- ----- ------------------------- ------------------- --- --------

1 1 2 1000BaseX Supervisor WS-X6K-SUP1A-2GE yes ok

15 1 1 Multilayer Switch Feature WS-F6K-MSFC no ok

2 2 2 1000BaseX Supervisor WS-X6K-SUP1A-2GE yes standby

16 2 1 Multilayer Switch Feature WS-F6K-MSFC no ok

3 3 48 10/100BaseTX Ethernet WS-X6348-RJ-45 no ok

4 4 48 10/100BaseTX Ethernet WS-X6348-RJ-45 no ok

5 5 48 10/100BaseTX Ethernet WS-X6348-RJ-45 no ok

7 7 16 10/100/1000BaseT Ethernet WS-X6516-GE-TX no ok

8 8 8 1000BaseX Ethernet WS-X6408A-GBIC no ok

9 9 8 1000BaseX Ethernet WS-X6408A-GBIC no ok

Mod Module-Name Serial-Num

--- -------------------- -----------

1 SAD04260G4K

15 SAD04260KX4

2 SAD0405047N

16 SAD040504YP

3 SAD04290U2S

4 SAD04250MGT

5 SAD04280YE7

7 SAL064892ZH

8 SAD04270HSP

9 SAD042705NY

Mod MAC-Address(es) Hw Fw Sw

--- -------------------------------------- ------ ---------- -----------------

1 00-d0-d3-a4-e4-6b to 00-d0-d3-a4-e4-6c 3.2 5.3(1) 6.3(10)

00-d0-d3-a4-e4-69 to 00-d0-d3-a4-e4-6a

00-d0-00-ca-ec-00 to 00-d0-00-ca-ef-ff

15 00-d0-d3-a4-e4-6d to 00-d0-d3-a4-e4-ac 1.4 12.0(7)XE1 12.0(7)XE1,

2 00-d0-d3-36-19-46 to 00-d0-d3-36-19-47 3.2 5.3(1) 6.3(10)

00-d0-d3-36-19-44 to 00-d0-d3-36-19-45

16 00-d0-d3-36-19-48 to 00-d0-d3-36-19-87 1.4 12.0(7)XE1 12.0(7)XE1,

3 00-01-97-51-e6-c0 to 00-01-97-51-e6-ef 1.1 5.3(1) 6.3(10)

4 00-30-96-33-f9-18 to 00-30-96-33-f9-47 1.1 5.3(1) 6.3(10)

5 00-30-19-da-60-04 to 00-30-19-da-60-33 1.1 5.3(1) 6.3(10)

7 00-05-74-86-ea-e0 to 00-05-74-86-ea-ef 2.3 6.3(1) 6.3(10)

8 00-d0-d3-a5-5a-fd to 00-d0-d3-a5-5b-04 1.3 5.4(2) 6.3(10)

9 00-30-b6-3c-15-58 to 00-30-b6-3c-15-5f 1.3 5.4(2) 6.3(10)

Mod Sub-Type Sub-Model Sub-Serial Sub-Hw

--- ----------------------- ------------------- ----------- ------

1 L3 Switching Engine WS-F6K-PFC SAD04260BZF 1.1

2 L3 Switching Engine WS-F6K-PFC SAD04040817 1.0

will this hardware work, or do we absolutely need an upgrade to do this type of routing?

Thank you

thisisshanky · ‎09-06-2005

You have a PFC1/MSFC1. They run MLS and not CEF. So I would think, that you will need to upgrade the hardware to a PFC2/MSFC2 atleast to get CEF based PBR.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus