Per Vlan Routing

Tormod Macleod · ‎05-15-2013

I'm trying to set up per vlan routing on a 3560G switch but it's not performing as I would expect. I've got a server on the 109 vlan with a 10.1.9.100 address and a default gateway of 10.1.9.1 this address is an HSRP gateway and currently resides on 10.1.9.7. When I traceroute through to my user PC on the internal network it receives a response from 10.1.9.7 However, it is then denied by an ACL on the internal firewall which has been applied to interface Eth0/0. It should arrive at the firewall on Eth0/2.109 as it has the 10.1.9.4 address.

My goal here is to route traffic on the 101 vlan to a seperate interface on the internal firewall from 109 vlan traffic. I'm either doing something wrong or these routing commands aren't designed to work in the way I'm expecting (I couldn't find any documentation on the ip route command where it is followed by different gateways for different vlans)

I'd be grateful for any help

interface GigabitEthernet0/2

description Internal-FW Eth0/0

switchport access vlan 101

switchport mode access

!

interface GigabitEthernet0/12

description Internal-FW Eth0/2

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 109

switchport mode trunk

!

interface Vlan1

no ip address

no ip mroute-cache

shutdown

!

interface Vlan101

ip address 10.1.1.7 255.255.255.0

standby 0 ip 10.1.1.1

standby 0 priority 90

!

interface Vlan109

ip address 10.1.9.7 255.255.255.0

standby 0 ip 10.1.9.1

standby 0 priority 110

no ip mroute-cache

!

ip route 0.0.0.0 0.0.0.0 Vlan101 10.1.1.2

ip route 0.0.0.0 0.0.0.0 Vlan109 10.1.9.50

ip route 192.168.0.0 255.255.0.0 Vlan101 10.1.1.4

ip route 192.168.0.0 255.255.0.0 Vlan109 10.1.9.4

!

DMZ-SW#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is 10.1.9.50 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.1.9.50, Vlan109

[1/0] via 10.1.1.2, Vlan101

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.1.1.0/24 is directly connected, Vlan101

L 10.1.1.7/32 is directly connected, Vlan101

C 10.1.9.0/24 is directly connected, Vlan109

L 10.1.9.7/32 is directly connected, Vlan109

S 192.168.0.0/16 [1/0] via 10.1.9.4, Vlan109

[1/0] via 10.1.1.4, Vlan101

DMZ-SW#

DMZ-SW#sh ver

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Sat 28-Jul-12 00:01 by prod_rel_team

ROM: Bootstrap program is C3560 boot loader

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

DMZ-SW uptime is 1 day, 2 hours, 34 minutes

System returned to ROM by power-on

System image file is "flash:/c3560-ipservicesk9-mz.150-2.SE.bin"

Gregory Snipes · ‎05-15-2013

Per what I see in your diagram you should not need to do any routing. VLAN 101 can pass through the switch at layer 2 and go right into the firewall.

However, if you do feel you need to do this with routing, you will want to take a look at policy based routing. It is absolutely the correct tool for doing that. Essentially you will just match a class of traffic and set where you want it to go.