05-22-2010 06:19 AM - edited 03-06-2019 11:13 AM
Dear All,
I am Ray, new to here.
Lately I helped my office configure VLANs using the 3560G-24TS. I am able to create multiple VLANs that can connect to all nodes and to the default gateway (WatchGuard firewall).
It seems the work is done, but I am facing one issue. Before the VLAN implementation, we had 2 more internet links serving a special department, which only allowed selected users to go out to the internet without going through the firewall.
The issue I am facing now is that I can't route those selected users to the other gateways rather than the default gateway (WatchGuard firewall).
Things that I attempted are as below:
1) Those other gateways are in the same VLAN as the default gateway.
2) I tried to insert 2 routes: ip route 0.0.0.0 0.0.0.0 10.10.10.1 (default gateway) and ip route 0.0.0.0 0.0.0.0 10.10.10.2 (other gateway). In the end the internet was down.
May I know if there is a way to configure the 3560G switch to route to multiple gateways? Or can the 3560G not be configured with multiple gateways at all?
Version 12.2(35)SE5
Kindly advise
Thank you
Ray
05-22-2010 06:53 AM
Ray
You need to look at PBR or vrf-lite to achieve what you want.
Firstly the vlan that needs to go out via the other connection - does this vlan need to connect to other internal vlans as well ?
Secondly, need to know what feature set you have on your 3560 because PBR for example is only supported on IP Services - can you post a "sh version" from your 3560 switch.
Just to confirm you are actually routing the vlans on the 3560 switch ?
Jon
05-22-2010 09:03 PM
Hi Jon,
Really thanks for your reply. I am not sure what PBR and VRF-lite are for. Can you kindly enlighten me?
Firstly the vlan that needs to go out via the other connection - does this vlan need to connect to other internal vlans as well?
Yes, we have a few Internet lines here, therefore some of the users will need to go out via another connection, and all VLANs are able to connect to the internal VLANs as well.
Here is the sh version result:
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:44 by nachen
Image text-base: 0x00003000, data-base: 0x01500000
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEE4, RELEASE SOFTWARE (fc1)
CORESW01 uptime is 2 days, 1 minute
System returned to ROM by power-on
System image file is "flash:c3560-advipservicesk9-mz.122-35.SE5/c3560-advipservicesk9-mz.122-35.SE5.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C3560G-24TS (PowerPC405) processor (revision D0) with 122880K/8184K bytes of memory.
Processor board ID XXXXXXXXX
Last reset from power-on
17 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : XXXXXXXXX
Motherboard assembly number : 73-10215-04
Power supply part number : 341-0098-02
Motherboard serial number : XXXXXXXXX
Power supply serial number : AZS132004T6
Model revision number : D0
Motherboard revision number : D0
Model number : WS-C3560G-24TS-E
System serial number : XXXXXXXXX
Top Assembly Part Number : 800-26851-01
Top Assembly Revision Number : D0
Version ID : V03
CLEI Code Number : CNMW200ARC
Hardware Board Revision Number : 0x09
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3560G-24TS 12.2(35)SE5 C3560-ADVIPSERVICESK
Configuration register is 0xF
Thank you
Ray
05-23-2010 06:43 AM
Hi,
Check out the below link for Policy based routing on cisco switches 3560:-
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
05-23-2010 09:39 AM
Ray
You have the right image to do PBR. So as an example -
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24
vlan 12 = 192.168.7.0/24
vlan 12 is the vlan you want to go out to a different internet connection -
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.7.0 any
route-map PBR permit 10
match ip address 101
set ip next-hop
int vlan 12
ip policy route-map PBR
Note that in access-list 101 you must deny all the other internal vlans. This does not deny traffic between vlan 12 and vlan 10 and vlan 11; rather it stops that traffic from being policy routed, which is what you want. So in access-list 101 you must include all internal vlans as deny statements before the permit ip.
Jon
05-23-2010 08:15 PM
Hi Jon,
I tried the setting that you mentioned, but I am still having a problem connecting to the other gateway.
Below is my setting:
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.29.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.28.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.31.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.32.0 0.0.0.255
access-list 101 permit ip 10.10.26.0 0.0.0.255 any
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.21.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.22.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.23.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.24.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.252.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.253.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.254.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 11.0.0.0 0.0.255.255
route-map PBR permit 10
match ip address 101
set ip next-hop 10.10.1.6
By the way, those routers are connected to a Cisco 2960G switch, not directly to the Cisco 3560G switch. Could this be the cause of the issue?
At the same time I do have a static route to the firewall, ip route 0.0.0.0 0.0.0.0 10.10.0.130. Could this setting be the cause?
Kindly advise please,
Thank you
Ray
05-24-2010 12:46 AM
Ray
Firstly you need to move the "permit ip 10.26.0.0 0.0.0.255 any" line in your acl to the bottom otherwise the deny lines below it will never get hit.
Secondly, apologies for not giving you the complete picture. To run PBR on a 3560 you need to enable the SDM routing template. So if you enter -
3560# sh sdm prefer
this will show you which SDM template you are currently running. If it isn't the routing template you need to change it to be the routing template ie.
3560(config)# sdm prefer routing
the switch will require a reload for the new template to take effect.
Also don't forget to apply the route-map to the 10.26.0.0/24 vlan interface.
Jon
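The two points Jon makes above, that an IOS ACL is evaluated first-match so a "permit ... any" placed before the deny lines makes them unreachable, and that the route-map only acts on packets entering the VLAN interface that carries "ip policy route-map", can be checked offline with a small simulator. This is an added Python example, not code from the thread or from Cisco; it models wildcard-mask matching and first-match evaluation, then applies the PBR decision. The ACL text is abridged from Ray's two postings, the external address 203.0.113.10 is a constructed documentation address, and the VLAN numbers 26 (for 10.10.26.0/24) and 3 are assumptions for illustration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed input: abridged copies of the two ACL orderings Ray posted.
ACL_PERMIT_FIRST = """
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.29.0 0.0.0.255
access-list 101 permit ip 10.10.26.0 0.0.0.255 any
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.0.0 0.0.0.255
"""

ACL_PERMIT_LAST = """
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.29.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 11.0.0.0 0.0.255.255
access-list 101 permit ip 10.10.26.0 0.0.0.255 any
"""

# One access-control entry: (action, src, src_wildcard, dst, dst_wildcard)
ACE = Tuple[str, int, int, int, int]

_LINE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)


def _addr_wild(field: str) -> Tuple[int, int]:
    """'any' matches everything; 'A.B.C.D W.X.Y.Z' is (address, wildcard)."""
    if field == "any":
        return 0, 0xFFFFFFFF
    addr, wild = field.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def parse_acl(text: str) -> List[ACE]:
    """Parse extended-ACL lines in IOS syntax, keeping their order."""
    aces: List[ACE] = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        action, src, dst = m.groups()
        s, sw = _addr_wild(src)
        d, dw = _addr_wild(dst)
        aces.append((action, s, sw, d, dw))
    return aces


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # IOS wildcard: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_match(aces: List[ACE], src: str, dst: str) -> Optional[str]:
    """First-match evaluation: 'permit', 'deny', or None for the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, base_s, wild_s, base_d, wild_d in aces:
        if _wild_match(s, base_s, wild_s) and _wild_match(d, base_d, wild_d):
            return action
    return None


def policy_decision(aces: List[ACE], src: str, dst: str,
                    ingress_vlan: int, policy_vlan: int, next_hop: str) -> str:
    """PBR decision for one packet.

    The route-map only sees packets received on the interface that carries
    'ip policy route-map'. A permit sets the next hop; a deny or no match
    falls through to normal routing (here: the default route via the firewall).
    """
    if ingress_vlan != policy_vlan:
        return "normal-routing"
    if acl_match(aces, src, dst) == "permit":
        return next_hop
    return "normal-routing"


if __name__ == "__main__":
    first = parse_acl(ACL_PERMIT_FIRST)
    last = parse_acl(ACL_PERMIT_LAST)
    # Permit before the denies: internal traffic to 10.10.0.0/24 is policy-routed.
    print(policy_decision(first, "10.10.26.5", "10.10.0.130", 26, 26, "10.10.1.6"))
    # Permit last: the same internal packet is left to normal routing.
    print(policy_decision(last, "10.10.26.5", "10.10.0.130", 26, 26, "10.10.1.6"))
    # Permit last: internet-bound traffic from the subnet goes to the other gateway.
    print(policy_decision(last, "10.10.26.5", "203.0.113.10", 26, 26, "10.10.1.6"))
    # Route-map applied on VLAN 3 instead of VLAN 26: the subnet's packets never hit it.
    print(policy_decision(last, "10.10.26.5", "203.0.113.10", 26, 3, "10.10.1.6"))
```

The last call is the check to run against your own configuration: the interface named under "int vlan N" with "ip policy route-map PBR" must be the one the 10.10.26.0/24 hosts send into, not the VLAN where the next-hop router lives.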
05-24-2010 12:55 AM
Hi Jon,
Thank you for your reply.
I tried this just now. Users in the IP range 10.10.26.0 0.0.0.255 go out to the internet at the firewall gateway.
I changed the setting as below:
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.29.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.28.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.31.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.32.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.21.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.22.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.23.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.24.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.25.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.252.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.253.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 10.10.254.0 0.0.0.255
access-list 101 deny ip 10.10.26.0 0.0.0.255 11.0.0.0 0.0.255.255
access-list 101 permit ip 10.10.26.0 0.0.0.255 any
route-map PBR permit 10
match ip address 101
set ip next-hop 10.10.1.6 (This router will be within the range of VLAN 3)
int vlan 3 (This VLAN ip 10.10.1.0)
ip policy route-map PBR
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
The router (10.10.1.6) is attached to another switch, a 2960G, by a trunk from the 3560G, and I assigned it to port 26 with the below setting:
switchport access vlan 3
switchport mode access
May I know if there is any other setting I missed? Kindly advise.
Many thanks in advance.
Ray