12-11-2006 02:28 AM - edited 03-05-2019 01:16 PM
hi,
Does anyone have any suggestions:
l3--lan--pix--internet router
|
ASA--internet router
The default gateway of l3 switch is pix
Now I want only one segment, 10.10.3.0, of the LAN to go to the internet through the ASA instead of the PIX.
My solution is to connect the cable for that segment directly to the ASA.
Is there any other way to direct the internet traffic to the ASA and intranet traffic as usual to the L3 switch?
Don't want to do PBR on the L3 switch for that segment.
thanks
Raj
12-11-2006 10:00 AM
Raj,
Only PBR is the other way around this situation. I wonder why you don't want to set this on your L3 switch.
HTH,
-amit singh
12-12-2006 09:19 PM
Hello Amit,
Thanks for your reply.
The reason I don't want to configure PBR on the switch is that then I will redirect all traffic to the ASA, and in the ASA I have to make the same modifications as if I connect directly.
Like I need to configure DNAT, access to other networks internally with IP address.
It will involve double work, as all traffic will go to the ASA and from there again go back to the L3 for the DMZ access to servers.
My setup is like
ASA-inside---l3
|
DMZ is also connected to the same L3 switch.
What use it will be ?
I need that only internet traffic to be directed to the ASA and not other lan or DMZ traffic.
Raj
12-13-2006 04:03 AM
Raj,
I am a bit confused. If you are doing PBR on the L3, it does not mean that all the traffic will go through the ASA. The idea here is to set up an extended ACL on the L3 matching the traffic destined to the internet only. You can match the source IP subnet with the web port 80 and have it policy routed to the ASA, i.e. only the traffic which is destined for the internet will go to the ASA. All the rest of the traffic can be normally routed to your PIX or the DMZ zone.
Let me know if there is some confusion.
HTH,
-amit singh
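Amit's suggestion above, written out as an IOS PBR configuration (an added example, not posted in the thread): the extended ACL denies internal LAN and DMZ destinations so those packets fall through to the normal routing table (default gateway = PIX), and only the remaining, internet-bound traffic from 10.10.3.0/24 is sent to the ASA. The ASA inside address 10.10.1.2, VLAN 3 as the SVI for that segment, and the internal prefixes 10.0.0.0/8 and 192.168.100.0/24 (DMZ) are placeholders, not values from the thread.

```cisco
! Assumed (placeholders): 10.10.3.0/24 is on VLAN 3, ASA inside interface is 10.10.1.2,
! other internal LANs are in 10.0.0.0/8, DMZ is 192.168.100.0/24.
!
! In a PBR ACL, "deny" means "do not policy-route": the packet is forwarded by the
! normal routing table, so LAN and DMZ traffic keeps going via the L3 switch / PIX.
ip access-list extended INTERNET-ONLY-VLAN3
 deny   ip 10.10.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.10.3.0 0.0.0.255 192.168.100.0 0.0.0.255
! Everything else sourced from the segment is internet-bound and is handed to the ASA.
 permit ip 10.10.3.0 0.0.0.255 any
!
route-map TO-ASA permit 10
 match ip address INTERNET-ONLY-VLAN3
 set ip next-hop 10.10.1.2
!
! PBR is applied on the ingress SVI of the segment only, so no other VLAN is affected.
interface Vlan3
 description User segment 10.10.3.0/24 - internet via ASA
 ip address 10.10.3.1 255.255.255.0
 ip policy route-map TO-ASA
!
! Verification from exec mode:
!   show ip policy              - confirms the route-map is bound to Vlan3
!   show route-map TO-ASA       - "policy routing matches" counter increments for internet flows
```

Since only this segment's internet-bound packets reach the ASA, the ASA's NAT and outbound rules only need to cover 10.10.3.0/24, and DMZ and inter-VLAN traffic never touches it.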