Building off of one of my earlier posts, I am working to segregate clients into VLANs based on their subscriptions to our service. We offer an SLA, with dedicated access (VLAN 3), and a "pay-as-you-go" option where they can pay in selected intervals of time (VLAN 2). I'm having difficulty directing traffic to the node that displays a splash screen when a client's time expires through our system.
In short (see attached diagram), I need to route one VLAN only through one gateway, and the other VLANs through another, restricting each from reaching the other (through an ACL, I suppose).
I have the IP route currently set so that all traffic routes through the G4/48 interface.
So you want all vlan 2 users to use 10.255.158.98 as their gateway to the internet?
Do you want vlan 2 to be able to communicate with any of the other internal vlans?
If not, then try this configuration on your 4500:
! ACL 101 only selects which traffic is policy-routed; it does not filter anything
access-list 101 permit ip 220.127.116.11 0.0.0.255 any
!
route-map PBR permit 10
 match ip address 101
 set ip next-hop 10.255.158.98
!
interface vlan 2
 ip policy route-map PBR
If you need vlan 2 to be able to talk to the other internal vlans then you need to let me know because the above sends all traffic from vlan 2 to the open access gateway.
Some points -
1) the above is restricting which gateways clients can access purely by manipulating the routing, i.e. vlan 2 clients get directed to the open access gateway and vlan 3 users use the default route on the 4500.
No acls are used to restrict traffic, i.e. the acl above is just for PBR.
This may or may not be good enough but try it out.
2) I am assuming you have the right IOS/feature set for PBR on your 4500. You will soon find out if it doesn't let you configure PBR on the interface.
3) I have also assumed 10.255.158.98 is the next hop IP from the 4500. If it isn't you need to adjust.
If anything is unclear or I have misunderstood let me know before implementing.
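As an added example (not the responder's configuration, and not from the thread), this is the same PBR policy extended for the case the reply mentions where vlan 2 still needs to reach other internal vlans. A deny entry in the PBR ACL does not block traffic; it simply exempts that traffic from policy routing, so it falls through to the normal routing table. The vlan 2 subnet and the internal summary range are placeholders; 10.255.158.98 is the next hop from the thread.

```ios
! Added example, not from the thread. Placeholder addresses:
!   vlan 2 subnet   = 192.0.2.0/24   (placeholder)
!   other internal  = 10.0.0.0/8     (placeholder summary of vlan 3/5 ranges)
!   10.255.158.98   = open access gateway next hop (from the thread)
!
! Packets matching a deny entry are NOT policy-routed; they are routed
! normally, so vlan 2 can still reach the internal vlans. Only traffic
! that reaches the permit entry (internet-bound) is sent to the gateway.
ip access-list extended PBR-VLAN2
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR-VLAN2
 set ip next-hop 10.255.158.98
!
interface Vlan2
 ip policy route-map PBR
!
! Verification (exec mode): match counters per route-map entry, and
! which interfaces have a policy applied
! show route-map PBR
! show ip policy
```

Because PBR only changes the path, the deny entry above has the side effect that vlan 2 can now reach everything in the exempted range, vlan 3 included. If vlan 2 must be kept away from vlan 3 while still reaching, say, vlan 5, that restriction has to come from a separate inbound access-list on the Vlan2 SVI; the PBR ACL cannot enforce it.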
Actually before you try PBR there may be a more secure way using VRFs but it really depends on a couple of things. So can you confirm -
1) do vlan 2 clients need to talk to any other clients in the other internal vlans?
2) what is the traffic flow from the open access gateway, because your diagram shows a connection to the other router?
So does each router have its own internet connection, and you want to keep them separate?
3) finally, what is the version of IOS and feature set you are running?
If you are not sure, you can post the output of "sh version".
1) Vlan 2 and 3 have no need to talk to anyone else; however, VLAN 5 has full access (already configured.)
2) The traffic runs through the Open Access Gateway to the other router for its internet connection. The OA Node just prevents users from reaching the internet without paying.
3) Currently running Version 12.2
Okay, so on the other router do you have a route for the vlan 2 subnet pointing back to the open access gateway?
That bit is quite important.
If traffic from vlan 2 goes to the open access gateway then to the other router and out to the internet but return traffic just comes straight from the other router back to the 4500 then PBR is probably the best solution.
If traffic coming back from the internet goes back to the open access gateway then VRFs would be more secure.
Also, where is the firewall in all of this, as I seem to remember you have one?
If you do, then I need to understand exactly what traffic in terms of vlan 2 goes through it.
Also, could you post the exact IOS version and, if possible, what feature set, because using either of the above is dependent on that.
Sorry to keep asking all these questions but I want to make sure we get the right solution and that it works.
Here's a different way to look at what we're implementing: See attached image.
The O.A. Filter (for lack of a better term - node, router, splash-screen-enforcer) runs through VLAN 5 back to the internet for its WAN. It is solely to keep VLAN 2 clients from going outbound without a valid subscription, as managed by the O.A. system.
PBR seems to be the best solution from what I've read, so that will be my first implementation. I'll follow up with that.
Okay, it looks like PBR would work.
If vlan 2 only talks to the open access gateway and from your diagram it looks like it does this on a separate interface than the one connected to vlan 5 from the gateway then using VRFs may also be an option (if your IOS supports it).
This is assuming that return traffic follows the same path ie. via vlan 5 to the open access gateway and then to vlan 2.
If it did, then you could place vlan 2 into its own VRF, which creates a separate routing table for vlan 2.
This would mean vlan 2 could not access any other vlans on the switch because it has no visibility of any of the routes in the main (global) routing table.
It also means you can then add a default route to the VRF routing table pointing to the open access gateway and because it is a separate routing table it does not conflict with your existing default route.
Using VRFs is more secure because of the fact that vlan 2 has no visibility of any of the other vlans.
Like I say though it would only work if -
1) vlan 2 is connected to the gateway on a different interface, which it looks like it is
2) the path to and from the internet takes the same route.
Up to you, and hopefully I haven't confused the issue, but I just wanted to offer it as an alternative.
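As an added example (not the responder's configuration, and not from the thread), this is what the VRF-lite alternative described above looks like on the 4500: vlan 2 and the interface facing the open access gateway are placed in their own VRF with their own default route, and the global routing table is left alone. The VRF name, RD, vlan 2 addressing and the gateway-facing interface are assumptions; 10.255.158.98 is the next hop from the thread.

```ios
! Added example, not from the thread. Assumed values:
!   VRF name OPENACCESS, RD 65000:2                       (assumption)
!   vlan 2 subnet 192.0.2.0/24, SVI address 192.0.2.1      (placeholder)
!   GigabitEthernet4/47 = link toward the open access gateway (placeholder)
!   10.255.158.98 = open access gateway next hop            (from the thread)
ip vrf OPENACCESS
 rd 65000:2
!
! NOTE: applying "ip vrf forwarding" removes any IP address already
! configured on the interface, so re-enter the address afterwards.
interface Vlan2
 ip vrf forwarding OPENACCESS
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet4/47
 ip vrf forwarding OPENACCESS
 ip address 10.255.158.97 255.255.255.252
!
! This default route exists only in the OPENACCESS table. The 4500's
! global default route is unchanged. The VRF table holds no routes to
! vlan 3 or vlan 5, so vlan 2 has no path to them, independent of any ACL.
ip route vrf OPENACCESS 0.0.0.0 0.0.0.0 10.255.158.98
!
! Verification (exec mode)
! show ip vrf interfaces OPENACCESS
! show ip route vrf OPENACCESS
```

Two checks before relying on this: the gateway-facing link must be a separate interface from the one the gateway uses toward vlan 5 (the reply's condition 1), because an interface can belong to only one VRF; and return traffic for vlan 2 must come back through that same interface (condition 2), since the global table has no route into the VRF and would drop or misroute anything arriving for the vlan 2 subnet elsewhere.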