How to Push internet traffic for a VLAN to a specific Gateway and the other VLANs to another Gateway

Hello

I currently have the following VLANs on my 3560 Switch with IP Routing Enabled. All VLANs can and need to communicate with each other.

What I want to do is have all my VLANs route internet-based traffic to our Cisco PIX (IP 10.10.1.101), which is on VLAN 111, except for traffic on VLAN 11, which I want to route to our new SonicWall NSA 3600 (IP 10.10.1.100). Currently all traffic that is not inter-VLAN communication is routed to our PIX, as you can see by the routes I have entered on our 3560. How do I push traffic on VLAN 11 to the SonicWall?

Thank You in advance for your help.

VLAN  Name         Interface IP
----  -----------  -------------
1     default      -
10    VM_Servers   10.10.10.1
11    TEST_VLAN    11.11.11.1
111   Server       10.10.1.111
120   IT           10.10.120.1
130   Integ        10.10.130.1
140   Office       10.10.140.1
150   ENG_Plant    10.10.150.1

ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.101
ip route 10.10.2.0 255.255.255.0 10.10.1.101        "User VPN Subnet"
ip route 10.10.6.0 255.255.255.0 10.10.1.101        "L2L VPN Tunnel between off site ASA Device and PIX"
ip route 10.10.7.0 255.255.255.0 10.10.1.101        "L2L VPN Tunnel between off site ASA Device and PIX"
ip route 10.10.8.0 255.255.255.0 10.10.1.101        "L2L VPN Tunnel between off site ASA Device and PIX"

14 Replies

Hello

If the 3560 supports PBR, that should do the trick.

res
paul


Thank you for your response. I have heard of PBR and I believe this is the correct approach; however, I'm not sure if it is supported on the 3560 Catalyst or even how to configure it.

james.doukas (Level 1)

You would need to do some policy-based routing. There are a few ways you could do it. You could create a route-map to match the source subnet of VLAN 11 and set the next hop as the SonicWall gateway. This route-map could be applied to the outbound interface leading to the Internet firewalls. Traffic that doesn't meet the match requirement would follow the already defined gateway. Inter-VLAN traffic should continue to route normally. Any traffic that matches the policy heading towards the PIX would have its next hop set to the SonicWall.

Something like:

! prefix list that selects the VLAN 11 subnet
ip prefix-list 10 permit 11.11.11.0/24

! sequence 10 redirects matching traffic to the SonicWall (10.10.1.100)
route-map internet-via-sonic permit 10
  match ip address prefix-list 10
  set ip next-hop 10.10.1.100
! sequence 20 matches nothing, so all other traffic uses the routing table
route-map internet-via-sonic permit 20

interface vlan111
  ip policy route-map internet-via-sonic

***However, this should be tested in a lab setup before trying to implement it into production to prevent any outages.***

Thank You James

I'm not that heavily versed in Cisco commands. I can create a VTP domain and VLANs and set up switchports. I'm not sure what to do with the "match ip address (acl or prefix list)" line you wrote.

Would you be able to give me a complete config?

The match ip address command needs something to match on. The acl or prefix list simply defines what to match. The prefix list below the other commands is an example.

So, you could create a prefix list like:

ip prefix-list send-to-sonic seq 10 permit 11.11.11.0/24

Then, you would use the name of the prefix list after the match statement:

match ip address prefix-list send-to-sonic

After that, you do the set ip next hop with the IP of the sonicwall.

After this, you apply the policy under the VLAN interface that has the SonicWall. In your case, I believe it's vlan111 according to your above text.

***Once again, test this first before trying in production***
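The steps above, written out as one complete configuration. This is an added example, not a config posted in the thread; it uses the thread's addresses (VLAN 11 = 11.11.11.0/24, SonicWall = 10.10.1.100, internal space 10.10.0.0/16, PIX reached via the existing default route) and assumes the 3560 runs an IP Services image with the routing SDM template, which PBR needs on this platform. It goes beyond the thread's sketch in two ways: the ACL deliberately excludes internal destinations, and the policy is applied on the source VLAN's SVI.

```cisco
! Added example, not the thread's own config. Assumes an IP Services image
! and "sdm prefer routing" (a reload is required after changing the template).
!
! Match only Internet-bound traffic from VLAN 11. The deny lines make
! inter-VLAN traffic, the VPN subnets (all inside 10.10.0.0/16) and packets
! addressed to the switch's own SVI (11.11.11.1) fall through to normal
! routing instead of being dragged to the SonicWall with the Internet traffic.
ip access-list extended VLAN11-INTERNET
 deny   ip 11.11.11.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny   ip 11.11.11.0 0.0.0.255 11.11.11.0 0.0.0.255
 permit ip 11.11.11.0 0.0.0.255 any
!
! Sequence 10 redirects matching packets; the empty sequence 20 lets
! everything else follow the routing table (default route to the PIX).
! "set ip next-hop" is used because "set ip default next-hop" appears in
! the unsupported-command list quoted later in this thread.
route-map INTERNET-VIA-SONIC permit 10
 match ip address VLAN11-INTERNET
 set ip next-hop 10.10.1.100
route-map INTERNET-VIA-SONIC permit 20
!
! PBR is evaluated on packets arriving on an interface, so the policy
! belongs on the SVI of the source VLAN (VLAN 11), not on the firewall VLAN.
interface Vlan11
 ip policy route-map INTERNET-VIA-SONIC
```

After applying it, "show ip policy" confirms which interface carries the route-map and "show route-map INTERNET-VIA-SONIC" shows per-sequence match counters, so you can verify that only Internet-bound flows from VLAN 11 are being redirected.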

I am doing the following:

ip prefix-list send-to-sonic seq 10 permit 11.11.11.0/24

route-map internet-via-sonic permit 10
  match ip address prefix-list send-to-sonic
  set ip next-hop 10.10.1.100

interface vlan111
  ip policy route-map internet-via-sonic

I think my IOS is extremely old:

Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB1, RELEASE SOFTWARE (fc1)

Hmmm... the 3560 might be limited in how it can apply policies. Let me see if I can check this on a 3560 I have.

You might need to upgrade to IP Services from IP Base. I'll have to check the feature set.

It appears the route-map commands are in the release train you have (up to 50 at least), but they are unsupported according to Cisco. I'm still looking, but for right now it appears that PBR might not be supported on this version. Is this a 3560, 3560E or 3560X?

Unsupported Commands in Cisco IOS Release 12.2(50)SE

Unsupported Route Map Commands
match route-type for policy-based routing (PBR)
set as-path {tag | prepend as-path-string}
set automatic-tag
set dampening half-life reuse suppress max-suppress-time
set default interface interface-id [interface-id.....]
set interface interface-id [interface-id.....]
set ip default next-hop ip-address [ip-address.....]
set ip destination ip-address mask
set ip next-hop verify-availability
set ip precedence value
set ip qos-group
set metric-type internal
set origin
set tag tag-value

It is a WS-C3560G-24TS

Thank you for all your help so far

I have an 1800 series Cisco router that I could use. I can set the default route on the 3560 to go to the router and then set its default route to the PIX. It should support PBR. I was hoping to be able to do this without it on the network. We had it in place when we had a point-to-point T1 a while ago.

In the show version, what is the Version Info for the IOS image? Should look similar.

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(50)SE3, RELEASE SOFTWARE (fc1)

Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 29-Apr-05 22:25 by yenanh

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SE1, RELEASE SOFTWARE (fc)

VISSW1001 uptime is 12 weeks, 3 days, 10 hours, 21 minutes
System returned to ROM by power-on
System restarted at 10:38:05 UTC Tue Jul 9 2013
System image file is "flash:c3560-ipbase-mz.122-25.SEB1/c3560-ipbase-mz.122-25.SEB1.bin"

cisco WS-C3560G-24TS (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.

Processor board ID FOC0922U0XG

Last reset from power-on

19 Virtual Ethernet interfaces

28 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

Was it purchased as the Standard or the Enhanced? Basically, WS-C3560G-24TS-S or -E? I'm not sure Cisco will support it if you put an image on it that wasn't part of the original model.

At this point, I would defer to Cisco as far as finding out if you can get the 3560 you have upgraded to IP Services the correct way. I'm not 100% sure about how you would upgrade and still get the proper support. However, to do PBR on the 3560 you have, you need IP Services according to Software Advisor.
