cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7229
Views
0
Helpful
8
Replies

different gateways for vlans

howithink
Level 1
Level 1

Hello,

we have 3 vlans which we use.

We have a l3 switch which does the routing for us.

I need to know how i can setup in my 3850 l3 switch a way to route one specific vlan to a different gateway.

L3 switch will be connecting to 2 different firewalls. 2 of the vlans will use fw1 as gateway and one of the vlans will use the other fw2 as gateway.

How can i procced?

thanks,

8 Replies 8

parakiteiz
Level 1
Level 1

You should be able to do a static route to it.  Post the switch config and I can make some better suggestions.

interface Port-channel1
switchport trunk allowed vlan 10
switchport mode trunk
!
interface Port-channel2
switchport trunk allowed vlan 20
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 10
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode active
!
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 20
switchport mode trunk
speed 1000
duplex full
channel-group 2 mode active
!
interface Vlan20
ip address 10.20.20.2 255.255.255.0 ------ (10.20.20.1 is assigned to FW2)
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0 ------(10.10.10.1 is assigned to FW1)
!
interface Vlan30
ip address 10.30.30.1 255.255.255.0
!
interface Vlan40
ip address 10.40.40.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2 --- (goes out via FW1) (this is also all the rest of the network traffic as well)
ip route 10.40.40.0 255.255.255.0 10.20.20.2 (goes out via FW2)
!

Does the above configuration look good? Will i be able to achieve what i am looking for?

So you only want vlan 40/subnet 10.40.40.0 to go out your firewall 2?  You want all other firewall traffic (vlan 20,10,30) to go out FW1?    If so then yes this seems correct.

You do have it routing command turned on the switch right? 

Correct, all i want is vlan 40 to go through FW2 and all the rest to use the default path and yes i have ip routing turned on. 

thanks for your help. appreciate it.

No it is not correct, for a start the routes are wrong!

The destinations reference the SVI'S, it should be the next hop, .1 in your case.

The second route needs to be removed, as this serves no purpose and could potentially cause issues.

Now to answer the question, you need to look at PBR (Policy Based Routing) this allows a different route to be taken when a specified criteria is matched.

Martin

interface Vlan20
ip address 10.20.20.2 255.255.255.0 ------ (10.20.20.1 is assigned to FW2)
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0 ------(10.10.10.1 is assigned to FW1)
!
interface Vlan30
ip address 10.30.30.1 255.255.255.0
!
interface Vlan40
ip address 10.40.40.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 

interface GigabitEthernet1/0/10
no switchport
no ip address
ip policy route-map vlan40-access


route-map vlan40-access permit 10 (sequence # i am a bit confused about. do i need it?)
match ip address 1
set ip next-hop 10.20.20.1

Does this look good?

Nearly, you need to create an ACL which specifies the source network (which would have to be number 1, as your current config is)

Martin

ok after doing some more research, this is what i have configured. Does this look ok?

interface GigabitEthernet1/0/10
no switchport
no ip address
ip policy route-map vlan40-access


ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
access-list 100 permit ip any host 10.40.40.1
access-list 100 permit ip host 10.40.40.1 any
!
route-map vlan40-access permit 10
match ip address 1 100
set ip next-hop 10.20.20.1

Review Cisco Networking for a $25 gift card