Is it possible to do VLAN routing without PBR?

kmigmar805
Level 1

Dear Experts,

I'd like to ask your advice on the following issue. We have two stacked Catalyst 3750-X switches serving as the core/distribution switch for our small network. Both of them have IP Base licenses.

The goal is to set up 2 separate internet gateways for different VLANs. For instance, Student VLAN 10 needs to use one gateway and Teacher VLAN 20 another gateway. However, as far as I have dug, it requires the Policy Based Routing feature set activated on the switches, which would cost over 10 thousand USD for a license upgrade. On our tight budget it is really tough to get the necessary money.

So, is there any way to accomplish this with the existing IP Base license?

Thanks a lot!

12 Replies

John Blakley
VIP Alumni

The only time that you would really need to do PBR would be if you needed to route packets differently from what the routing table says. If you have all teachers on VLAN 20 and all students on VLAN 10, you won't need PBR as long as the gateways for the respective VLANs are set on the workstations.

If you have:

router for teachers: vlan 20 ip address 192.168.20.1

vlan 20 for teachers

subnet and gateway for teachers: 192.168.20.0/24 : gw 192.168.20.1

The students can have:

router for students: vlan 10 ip address 192.168.10.1

vlan 10 for students

subnet and gateway for students: 192.168.10.0/24 : gw 192.168.10.1

The students will go out their respective gateway, as will the teachers, with no PBR needed.

HTH,

John

Thank you so much for the fast reply! Really appreciate it.

Actually, the student and teacher VLANs are already set up as you said. I am sorry my explanation was not clear.

We are setting up two separate internet connections - one for students and one for teachers. So, for all VLAN 20 users their gateway is switch SVI interface 192.168.20.1, and for VLAN 10 users it is 192.168.10.1 SVI interface.

And the switch default gateway is 10.10.10.1, which is connected to the ASA 5510 firewall's 10.10.10.2 interface going out to the internet.

Now we are installing another firewall (172.100.100.2) that will be connected to the second ISP.

The question is how to route from VLAN 10 to 10.10.10.1, which will go to the first ISP connection,

and from VLAN 20 to 172.100.100.1 (another routed port on the L3 switch), which will go to the secondary ISP.

Thank you very much!

Hi there,

With the IP Base license you can use static routes. Not elegant, but it can work for your purposes. Maybe double the number of static routes if you have two gateways, so as to balance. PBR is not essential, but a dynamic routing protocol would help you...

HTH

Alessio

Wow, that is actually wonderful news! Our setup is simplistic and no fancy dynamic routing is required.

So, if I set up static routes for each VLAN on the L3 switch, would this two-gateway setup work?

ip route 192.168.20.0 255.255.255.0 10.10.10.1

ip route 192.168.10.0 255.255.255.0 172.100.100.1

ip route 192.168.30.0 255.255.255.0 172.100.100.1

What you suggest here are static routes about how to get to networks 192.168.10.0, 192.168.20.0, and 192.168.30.0. But these networks should be in the routing table already as connected routes. So static routes for them do not do much good that I can see.

It is a bit of a kludge but I think that this might work if you:

- configure the PCs in VLAN 10 to have their default gateway as the SVI on switch 1.

- configure switch 1 with a default route pointing to firewall 1.

- configure the PCs in VLAN 20 to have their default gateway as the SVI on switch 2.

- configure switch 2 with a default route pointing to firewall 2.

This would result that all PCs in VLAN 10 would use the Internet gateway on firewall 1 while all PCs on VLAN 20 would use the Internet gateway on firewall 2. And it does not require PBR.

HTH

Rick


Richard,

I've done this here in my office. But suppose I had just one L3 switch; how could I do this same scenario, making specific devices go to the ISP I wanted?

In this discussion it is possible to achieve the result without requiring PBR because there are two switches and each switch can be configured to use the appropriate gateway (and has no knowledge of the other gateway). But if you have only a single switch it must know about both Internet gateways. And in this situation to achieve the result you would need PBR.

HTH

Rick


Thanks for info Richard.

Mr. Richard Burts,

Thank you tremendously for the detailed explanation. Now I see how it can be done.

I've tested setting a default gateway that sits on a different subnet for PC and Mac clients, and it is working OK. I suppose it will be the same for tablets and smartphones. That gateway is actually the default gateway for Switch1, directly connected to the firewall port, although the SVI gateway for the VLAN those computers belong to is 192.168.10.1, a same-subnet gateway.

If computers in VLAN2 will have the same configuration then second default gateway on the Switch2 connected to second firewall can be used for secondary internet connection.

BUT... there is a big but. I can't figure out how I can then do inter-VLAN routing. Because those two switches are stacked, and if the stack is broken, how do I configure inter-VLAN routing between multiple VLANs? The problem is that all access switches carry many VLANs. Actually, we have eight VLANs, not two.

How should this be solved?

I am glad that my suggestions have been helpful. I believe that my suggestion will work and will scale whether it is two VLANs or eight VLANs or however many. The switches should probably be connected by a trunk that allows traffic to flow between switches. Each switch can have an SVI (interface vlan x) in each of the VLANs and so they will be able to do inter vlan routing since the subnet of each VLAN will be known as a local connected subnet. Each switch will have an Internet connection and each switch will have a default route that points to its own Internet connection. Divide the VLANs into two groups based on what your requirements might be (teacher or students or what). All the PCs in one group of the VLANs will have their default gateway set as the IP address of that VLAN on switch 1. And all the PCs in the other group of VLANs will have their default gateway set as the IP address of that VLAN in switch 2.

The result of this is that all PCs in group 1 will use ISP 1 and all PCs in group 2 will use ISP 2. And I believe that this will satisfy your requirement that you route one group one way and route the other group the other way.

HTH

Rick

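The two-switch design Rick describes above (a trunk in place of the stack, an SVI in every user VLAN on both switches, one default route per switch, and each group of hosts pointed at "its" switch) written out as a configuration pair. This is an added example, not a configuration from the thread or from Cisco. The addresses are the ones quoted in the thread; hostnames, interface numbers, VLAN names, the DHCP pools and the two access lists are assumptions. The access lists are extra hardening the thread does not discuss: the gateway choice lives on the client, so without them a VLAN 20 host that points itself at SW1's VLAN 20 SVI would simply leave through ISP 1.

```cisco
! ===================== Switch 1 (standalone 3750-X, IP Base) =====================
! Owns the VLAN 10 (Students) gateway and the default route toward ISP 1.
hostname SW1
ip routing
!
vlan 10
 name Students
vlan 20
 name Teachers
!
! Routed port to ASA-1 (thread addressing: switch .1, ASA .2)
interface GigabitEthernet1/0/1
 description ASA-1 / ISP 1
 no switchport
 ip address 10.10.10.1 255.255.255.0
!
! Trunk to SW2: replaces the stack cable so both switches carry every user VLAN
! (access-switch uplinks are omitted; they are ordinary trunks)
interface GigabitEthernet1/0/2
 description Trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! An SVI in every user VLAN: inter-VLAN traffic is routed locally as a connected
! subnet and never touches either firewall
interface Vlan10
 description Gateway for VLAN 10 hosts (group 1)
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description Local inter-VLAN routing only; VLAN 20 hosts use SW2 as gateway
 ip address 192.168.20.2 255.255.255.0
 ip access-group VLAN20-NO-ISP1 in
!
! Added hardening (assumption, not from the thread): VLAN 20 traffic entering this
! switch may reach the internal 192.168.0.0/16 VLANs but cannot exit via ISP 1
ip access-list extended VLAN20-NO-ISP1
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip any any
!
! DHCP for group 1 hands out this switch's SVI as the default gateway
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
! The only way off the campus network from this switch is ISP 1
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
! ===================== Switch 2 (standalone 3750-X, IP Base) =====================
! Mirror image: owns the VLAN 20 (Teachers) gateway and the default route toward ISP 2.
hostname SW2
ip routing
!
vlan 10
 name Students
vlan 20
 name Teachers
!
! Routed port to firewall 2. 172.100.100.0/24 is the thread's addressing; it is
! public (non-RFC 1918) space, so a real deployment should use 172.16.0.0/12 or similar.
interface GigabitEthernet1/0/1
 description FW-2 / ISP 2
 no switchport
 ip address 172.100.100.1 255.255.255.0
!
interface GigabitEthernet1/0/2
 description Trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface Vlan10
 description Local inter-VLAN routing only; VLAN 10 hosts use SW1 as gateway
 ip address 192.168.10.2 255.255.255.0
 ip access-group VLAN10-NO-ISP2 in
!
interface Vlan20
 description Gateway for VLAN 20 hosts (group 2)
 ip address 192.168.20.1 255.255.255.0
!
ip access-list extended VLAN10-NO-ISP2
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip any any
!
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
!
ip route 0.0.0.0 0.0.0.0 172.100.100.2
```

Checks worth doing once this is in place: `show ip route` on each switch should list both 192.168.x.0/24 subnets as connected and exactly one static default, and `show interfaces trunk` should show VLANs 10 and 20 forwarding on the inter-switch link. A traceroute from a VLAN 10 host to an Internet address should show 192.168.10.1 and then 10.10.10.2 as the first hops; from a VLAN 20 host, 192.168.20.1 and then 172.100.100.2. Each firewall still needs a route back to the 192.168.0.0/16 VLANs via its switch's routed port and NAT rules for those subnets; that part is on the ASA side and is not shown. Note that a VLAN 10 to VLAN 20 conversation is routed by SW1 in one direction and SW2 in the other, which is fine for plain routing but matters if a stateful device is ever placed between the two switches.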

THANK you so much for the clarification.

I would like to ask for your advice on the following.

We are using two stacked Catalyst 3750-X (IP Base license) switches as an inter-VLAN router. Due to bandwidth limitations of our existing internet connection, we are planning to install an additional internet service next month. So the question is:

How to assign certain VLANs to one ISP connection and the rest to the second ISP connection? For instance, VLAN 10 and VLAN 20 are only to use ISP1 and all other VLANs to use ISP2.

Will it work if 2 routed ports are configured on the Catalyst 3750-X switch, and 1 port is set as the default gateway for all computers inside VLAN 10 & VLAN 20, and the second routed port as the gateway for computers in the other VLANs? Please kindly see the attached diagram for details.

The VLANs themselves have their gateways defined as SVI interfaces on the Catalyst 3750-X. But the actual computers will have their gateway set as the routed ports (that means a gateway on a different subnet).

I have tested it with 1 port and it seems to be working OK. For example, a computer (192.168.10.10) in VLAN 10 would have a gateway set as 172.20.100.1 (which is routed port 1's IP address). But VLAN 10 (192.168.10.0/24) itself still has its SVI interface gateway defined as 192.168.10.1 on the L3 switch.

So, would this kind of setup work for multiple VLANs with two routed ports? Or is there any other better way to configure it with the existing IP Base license features?

Thank you in advance so much!

Looking forward to your reply,

I do not believe that the suggestion of two routed ports will work. You could certainly configure it, but I do not believe that it will work the way that you want. When the PC sends a packet, it gets to the switch and the switch's routing logic will direct how to forward the packet. It does not matter what is configured as the gateway on the PC. When the packet gets to the switch, the routing logic of the switch takes over.

With the switches in a stack, so that they work as a unit, I believe that the only alternative for you that will work would be PBR. If you take out the stack and connect the switches via trunk so that each switch can do inter VLAN routing and each switch has its own default gateway (as has been discussed in this thread) then this should work for you.

HTH

Rick

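For the single-switch (or single-stack) case that Rick rules out above, both in his reply to the "just one L3 switch" question and in the last post, one routing table has to know both firewalls, and the only thing that overrides the routing table's single best default route is policy-based routing. The configuration that would need, written out as an added example that is not from the thread or from Cisco: it requires the IP Services feature set (PBR is not in IP Base, which is the whole cost problem of this thread), and the hostname, interface numbers, access-list and route-map names are assumptions. It follows the later requirement stated in the thread: VLAN 10 and VLAN 20 via ISP 1, all other VLANs via ISP 2.

```cisco
! Single 3750-X stack (one routing table) attached to both firewalls.
! Requires IP Services; on IP Base the "ip policy" command is simply not available.
hostname CORE
!
! The 3750 family only allocates TCAM for PBR under the routing SDM template;
! this takes effect after a reload.
sdm prefer routing
ip routing
!
interface GigabitEthernet1/0/1
 description ASA-1 / ISP 1
 no switchport
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2/0/1
 description FW-2 / ISP 2
 no switchport
 ip address 172.100.100.1 255.255.255.0
!
! Ordinary routing: anything not caught by policy leaves through ISP 2.
! Pointing a PC at the other routed port changes nothing; this route decides.
ip route 0.0.0.0 0.0.0.0 172.100.100.2
!
! Match only Internet-bound traffic from the two ISP-1 VLANs. The deny entries
! mean "no match" for inter-VLAN traffic, so it stays on the normal routing table
! instead of being bounced off the firewall.
ip access-list extended TO-ISP1
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
!
! Packets that match are handed to ASA-1 regardless of the routing table;
! packets that do not match fall through to normal routing (the default via ISP 2).
route-map VIA-ISP1 permit 10
 match ip address TO-ISP1
 set ip next-hop 10.10.10.2
!
! Policy is applied where the traffic enters the switch: the SVIs of the ISP-1 VLANs
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map VIA-ISP1
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map VIA-ISP1
!
! One of the "all other VLANs": no policy, so it follows the default route to ISP 2
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
```

`show route-map VIA-ISP1` reports how many packets the policy has matched, which is the quickest way to confirm it is actually being hit rather than everything falling through to the default route. Two practical caveats: keep the route-map to `match ip address` and `set ip next-hop`, since the 3750-X PBR implementation does not support the full set of route-map actions found on routers, and remember that `set ip next-hop` blindly forwards to 10.10.10.2 even when ISP 1 is down, so loss of that link blackholes VLANs 10 and 20 rather than failing them over to ISP 2. The accepted answer in this thread avoids both the license cost and this failure mode by splitting the stack into two switches with one default route each.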