How to redirect traffic from a VLAN

raulgomez101
Level 1

Hi,

I have two firewalls: 192.168.1.1 and 192.168.1.2. Yes, they are in the same subnet and, even worse, in VLAN 1.

All the users' traffic is redirected to firewall 1 at IP address 192.168.1.1.

I created a new VLAN 30 and I want to redirect ONLY the traffic coming from this VLAN to the second firewall at IP 192.168.1.2.

I know this is simple, but I don't remember how to do it. Can you help me?

15 Replies

Mark Malone
VIP Alumni

Hi

Does your device support policy-based routing (PBR)? You can set a route-map that matches against an access-list for that IP range or host and redirect all that traffic to the next-hop IP address by applying it to the VLAN 30 interface.

Example in this doc:

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

Thank you Mark.

Unfortunately, this is not a router. It is a 2960X switch running IOS 15.2. I tried the route-map command and it doesn't work.

What else could I try?

Hmm, you're trying to redirect IP layer 3 subnet traffic on a purely layer 2 device, which will be an issue. Some 2960s can do PBR, but they're the XR models and you need the IP Lite IOS running. Is that a standard 2960X?

Not sure what other options there are for redirection on layer 2 switches like that. Is it possible to redirect it on the FW itself? Do the FWs have PBR? You could do it on FW1: anything that comes from VLAN 30 gets sent to FW2.

This is a Layer 3 device. I have the ip routing command enabled.

I forgot to mention that VLAN 30 is a routed interface and has an IP address.

Hi

You can configure this:

Example:

(Two next hops, 20.0.0.2 (the normal path) and 10.0.0.2; your network is 192.168.30.0/24.)

! PBR for VLAN 30
! Match traffic sourced from 192.168.30.0/24 and destined to host 1.1.1.1
access-list 100 permit ip 192.168.30.0 0.0.0.255 host 1.1.1.1
!
route-map PBR permit 5
 match ip address 100
 set ip next-hop 10.0.0.2
!
! Empty entry so the rest of the traffic is not blocked; it flows through the default path
route-map PBR permit 100
!
interface vlan 30
 ip policy route-map PBR




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Hi Julio,

Unfortunately, the 2960X switch I am using does not accept the route-map command.

Hi Raul,

Yes, unfortunately it will not work on layer 2 switches. It should be done on the layer 3 device; on the router you can manipulate the traffic to redirect it to another next hop.

How is your topology?


If it's L3, could you not just set a static route, anything from VLAN 30 next hop FW2, so it doesn't per se have to be redirected?

Excellent Mark, I was thinking about that, but how do I set it up?

VLAN 30 = 10.10.30.1/24. It is a routed VLAN I have in the switch:

interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 192.168.2.206

If I write:

ip route 10.10.30.0 255.255.255.0 IP_Firewall2

I don't think it will work, since the 10.10.30 network is directly connected. How could I define this static route?
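The two mechanisms discussed in this thread behave differently, and the following Python model makes the difference concrete. It is an added example written for this page, not code from the thread or from Cisco: it simulates the switch's forwarding decision in the two cases the thread raises (Julio's route-map with an ACL match and an empty trailing entry, and Raul's proposed static route for 10.10.30.0/24). The topology, firewall addresses, the second VLAN 10.10.20.0/24 and the ACL entries are constructed assumptions; the ACL additionally carries a deny for internal destinations, a caveat worth knowing because a bare "permit ip 10.10.30.0 0.0.0.255 any" would also policy-route inter-VLAN traffic to the firewall.

```python
import ipaddress

# Constructed sample topology for this example (an assumption, not the thread's real network):
# the core switch routes VLAN 30 (10.10.30.0/24) and VLAN 20 (10.10.20.0/24); the old
# firewall is the default gateway and the new firewall sits on the same segment.
OLD_FW = "192.168.1.1"
NEW_FW = "192.168.1.2"

# Destination-based routing table: (prefix, next hop, administrative distance).
# "connected" means the switch delivers directly on the local VLAN.
RIB = [
    ("10.10.30.0/24", "connected", 0),
    ("10.10.20.0/24", "connected", 0),
    ("10.10.30.0/24", NEW_FW, 1),   # the static route proposed in the thread (never wins)
    ("0.0.0.0/0", OLD_FW, 1),       # default route towards the old firewall
]


def lookup_route(dst, rib=RIB):
    """Destination-only lookup: longest prefix wins, then lowest administrative
    distance. The packet's source address plays no role in this decision."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, ad) for p, nh, ad in rib
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return best[1]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard (inverse) mask: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0


# Extended ACL 100 as (action, src, src-wildcard, dst, dst-wildcard) entries (constructed).
# The deny keeps inter-VLAN traffic on the switch; only other traffic from VLAN 30 is policy-routed.
ACL_100 = [
    ("deny",   "10.10.30.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.10.30.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),  # "any"
]


def acl_permits(acl, src, dst):
    """First matching entry decides; no match is an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# route-map PBR as (sequence, action, acl, next hop). Sequence 100 has no match and no
# set clause, the thread's "empty" entry, so unmatched traffic is routed normally.
ROUTE_MAP_PBR = [
    (5,   "permit", ACL_100, NEW_FW),
    (100, "permit", None,    None),
]


def policy_route(route_map, src, dst):
    """Evaluate route-map entries in sequence order; return the next hop set by the
    first matching permit entry, or None when the packet should be routed normally."""
    for _seq, action, acl, next_hop in sorted(route_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):
            return next_hop if action == "permit" else None
    return None


def forward(src, dst, ingress_policy=None):
    """Forwarding decision for a packet entering a VLAN interface: a route-map applied
    to that interface is consulted first, otherwise the destination table decides."""
    if ingress_policy is not None:
        nh = policy_route(ingress_policy, src, dst)
        if nh is not None:
            return nh
    return lookup_route(dst)


if __name__ == "__main__":
    # The static route never takes effect: the connected route (AD 0) always wins, and it
    # would only describe traffic *to* VLAN 30 anyway, not traffic *from* it.
    print(lookup_route("10.10.30.50"))                             # connected
    print(forward("10.10.30.50", "203.0.113.10"))                  # 192.168.1.1 (old firewall)
    print(forward("10.10.30.50", "203.0.113.10", ROUTE_MAP_PBR))   # 192.168.1.2 (new firewall)
    print(forward("10.10.30.50", "10.10.20.5", ROUTE_MAP_PBR))     # connected (stays on the switch)
```

Run it as a script to see the four decisions. The point it illustrates is the one the thread arrives at: a static route is keyed on the destination, so it can never select a gateway based on where the packet came from, while policy routing on the ingress VLAN interface can. The deny entry in the ACL is the detail to check on any real PBR deployment, since without it every packet from the pilot VLAN, including traffic for other internal VLANs, would be handed to the firewall.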

Hi Raul,

Do you have a diagram to know how it is connected?


Here is a simple diagram. The Core Switch has the old Firewall as the default gateway. NO traffic is passing through the new Firewall, and that is why I want to do this. I want to pilot a small group, move this pilot group to a new VLAN and route the traffic of the Pilot group to the NEW Firewall. I don't know how to direct just a small portion of the Internet traffic through the New Firewall.

All Internal Users
        |
        |
Core Switch ------------ New Firewall
        |                      |
        |                      |
Old Firewall                   |
        |                      |
        |                      |
Internet ----------------------

Thank you, Raul.

Is the 2960X the core switch?

If the new firewall will be the gateway for the internal VLANs, you could create them and shut down the ports. Then, during a maintenance window, you could disconnect the old firewall and the traffic will go through the new one.

The traffic manipulation can be done on layer 3 devices only.


Yes,

The core switch is a 2960X in layer 3 mode. All the inter-VLAN routing is done at this core switch.

The thing is that it is not just a maintenance window. The new Firewall has URL and Application control capabilities. It is a next-gen Firewall (Cisco ASA 5516) that needs data over time, not just a few hours. I want to do a "phased" migration of the users to the new Firewall / gateway. I don't want to do a one-hour cutover. The risk of something going wrong is too high.

Thank you all for your help trying to solve this.

Since the device is not capable of doing PBR, we are stuck and can't manipulate the traffic redirection.

One ugly solution is to manually change the default gateway for the intended clients (I call them the Pilot group), and that way we would achieve a manual redirection of traffic to the new Firewall.
