Solved: Cisco 3825 - How to Route Traffic to Different Gateways

jack · ‎07-27-2011

Our company has recently purchased a second (much faster) internet service solely for the use of the IT Department.

I am trying to set up the following:

IT Deptartment (VLAN 55 - 192.168.55.0) has access to:

LAN

Internet Through the NEW ISP

Rest of Company (VLAN 11 - 192.168.11.0) has access to:

LAN

Internet Through the OLD ISP

The VLAN 11 stuff is working fine as it always has. I have VLAN 55 setup and it functions just like VLAN 11 right now. I want to make it have access to the local network, but to go out over the NEW ISP for internet, if possible.

If id to an ip route 0.0.0.0 to the interface of the NEW ISP, then the whole company will go out that way. Any help would be appreciated.

Thanks.

Jon Marshall · ‎07-27-2011

Yes it could, apologies, you made no mention of a router

On the router leave the default-route as is. Then

access-list 101 permit ip 192.168.55.0 0.0.0.255 any

route-map PBR permit 10

match ip address 101

set ip next-hop

then on the LAN interface of the router that connects to the 3560 switch -

int fa0/0

ip policy route-map PBR

Note, i have assumed you are doing the routing between vlans on your 3560 switch. If it is on the router then we may need to modify the acl a bit.

Jon

View solution in original post

Jon Marshall · ‎07-27-2011

What device are the vlans routed on ? If it is a L3 switch what model and which feature set are you running ?

PBR is the solution but with L3 switches, if that is what you have, you need a specific feature set.

Jon

jack · ‎07-27-2011

It is a Cisco 3560. That's layer 3 right?

Jon Marshall · ‎07-27-2011

Jack

It is but you need the IP Services image on it to run PBR. If it has IP Base then PBR is a no go.

Jon

jack · ‎07-27-2011

Jon,

C3560-IPBASEK9-M is what is installed. That would fall into the no-go category as you said.

What about PBR on the router? Is there a reason that the router couldn't do it instead of the switch and go by ip subnets?

The router is running C3825-ADVIPSERVICESK9-M.

Jack

Jon Marshall · ‎07-27-2011

Yes it could, apologies, you made no mention of a router

On the router leave the default-route as is. Then

access-list 101 permit ip 192.168.55.0 0.0.0.255 any

route-map PBR permit 10

match ip address 101

set ip next-hop

then on the LAN interface of the router that connects to the 3560 switch -

int fa0/0

ip policy route-map PBR

Note, i have assumed you are doing the routing between vlans on your 3560 switch. If it is on the router then we may need to modify the acl a bit.

Jon

jack · ‎07-27-2011

Jon,

Thanks for the info. What is fa0/0?? Should I change this to g0/0.55 which is the sub-interface of the LAN connection specific to VLAN 55?

Jack

Jon Marshall · ‎07-27-2011

Jack

Ahh okay, it sounds like you are routing the vlans off the router interace ?

If so you need to modify the acl ie.

access-list 101 deny ip 192.168.55.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 101 permt ip 192.168.55.0 0.0.0.255 any

then apply the PBR to the gi0/0.55 subinterface ie.

int gi0/0.55

ip policy route-map PBR

note - i have assumed that 192.168.0.0 0.0.255.255 includes all the other subnets on your network. Basically the first line of the acl says do not do PBR ie. send traffic to the new ISP next-hop that is from vlan 55 but going to another internal vlan.

If you have other internal subnets that are not included in 192.168.0.0/16 then you need to include these in acl 101 as deny statements before the permit line at the end.

Jon

nqtran1979 · ‎07-28-2011

not so relevant anymore as you will be doing the PBR on the router and not the switch. But if you did decide to upgrade the IOS on the switch and do the PBR there, then you would also need to change the sdm prefer to routing. The default SDM prefer on switches does not allocate any memory for PBR ...

Something of a gotcha if you didn't know what to look for.

have fun