Policy Based Routing on Cisco 3750X

aichireh
Level 1

Hi,

We have a Cisco 3750X as the core of our network, connected to our firewall for Internet access. We have two Internet accesses (2 ISPs). We would like to install a second firewall on the second Internet line and then let some VLAN users access the Internet through the second firewall.

We've tried to enable PBR on the 3750X but this caused issues because the switch's performance went down.

Can anyone let us know another way to do this, please.

Thanks.

aichireh 

7 Replies

Hello,

Is the firewall doing the NAT? How much traffic do you have? Instead of sharing by source, you can share by destination. I am not sure what the exact problem was, because having two route-maps should not cause that problem.

One approach can be load balancing across two links.

ip route 0.0.0.0 0.0.0.0 FW1

ip route 0.0.0.0 0.0.0.0 FW2

There is another approach which may sound weird, but it worked for me: dividing the Internet into two groups.

ip route 0.0.0.0 128.0.0.0 FW1

ip route 128.0.0.0 128.0.0.0 FW2

You can also configure IP SLA for checking the ISP connectivity, to switch to the other link in case of link failure.

Please wait for others feedback also.

Masoud
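Masoud's two ideas above (the 0.0.0.0/1 and 128.0.0.0/1 split, plus IP SLA to pull a half back when its ISP dies) written out as a complete 3750X configuration. This is an added example and not part of Masoud's post or the original thread; the SVI names (Vlan10, Vlan11), the firewall inside addresses (192.0.2.1 for FW1, 192.0.2.5 for FW2) and the probe targets (198.51.100.1 on ISP1's side, 203.0.113.1 on ISP2's side, all RFC 5737 documentation addresses) are assumptions.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   FW1 inside 192.0.2.1, FW2 inside 192.0.2.5,
!   probe target 198.51.100.1 behind ISP1, 203.0.113.1 behind ISP2.
!
! Pin each probe to its own firewall with a host route. Without this the
! ISP2 probe could be answered through ISP1 and track 2 would never go down.
ip route 198.51.100.1 255.255.255.255 192.0.2.1
ip route 203.0.113.1 255.255.255.255 192.0.2.5
!
ip sla 1
 icmp-echo 198.51.100.1 source-interface Vlan10
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 30
!
ip sla 2
 icmp-echo 203.0.113.1 source-interface Vlan11
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
 delay down 30 up 30
!
! Destination split: lower half of the Internet via FW1, upper half via FW2.
! Each half is withdrawn from the routing table when its probe fails ...
ip route 0.0.0.0 128.0.0.0 192.0.2.1 track 1
ip route 128.0.0.0 128.0.0.0 192.0.2.5 track 2
! ... and a floating copy (AD 10) then carries that half over the surviving firewall.
ip route 0.0.0.0 128.0.0.0 192.0.2.5 10
ip route 128.0.0.0 128.0.0.0 192.0.2.1 10
!
! Verification (exec mode): show track, show ip sla statistics, show ip route 0.0.0.0
```

Two things to check before relying on this: each firewall has to permit and NAT the switch's ICMP probe, because a probe that only reaches the firewall's inside address proves the firewall is up, not the ISP; and because both firewalls NAT, a destination stays pinned to one firewall while its track is up, so flows stay symmetric, but every session on a half that fails over is reset when its NAT state moves to the other box.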

Hi Masoud,

Thanks for your response.

Yes, the current firewall as well as the planned one are doing NAT. The reason why we want to share by source is that we have huge WiFi guest Internet traffic (VLAN x). We are looking for a way to separate corporate and guest traffic using different Internet links and different firewalls.

Best regards.

aichireh

Do the guest devices need to communicate with any corporate devices ?

Are the guest vlans separate from the corporate vlans ?

Jon

Hi Jon,

Yes, guest VLANs are separate from corporate VLANs using ACLs.

Guest devices do not have to communicate with corporate devices.

Best regards.

Aichireh

If you have only one guest vlan you could simply make the guest firewall the default gateway for the clients and not have an SVI on the switch for that vlan.

If you have multiple guest vlans then you could either -

1) run a trunk from the switch to the guest firewall and use subinterfaces on the firewall for each guest vlan, again no SVIs on the switch.

This does depend on the capabilities of the firewall though and how many guest vlans there are.

2) a better solution is probably to use a VRF on your switch and put all the SVIs for guest vlans in the VRF.

You then need the guest firewall to be in a separate vlan from the other firewall or use a routed L3 port to connect to the firewall from your switch.

Then you either place the L3 routed port or the SVI for the firewall vlan into the same VRF.

You can then add a default route to this VRF that points to the guest firewall and this will be in a separate routing table so it will not conflict with the default route for your corporate subnets.

It would also mean you did not need to use acls to keep guest from corporate because with VRFs the guest vlans would not be able to route to corporate, only between each other and to the guest firewall.

This assumes that nothing for the guests is needed from corporate, e.g. DHCP.

It also means you can't use your firewalls as failover for each other.

Is this a concern ?

Jon
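Jon's option 2 (guest SVIs in a VRF, a routed port to the guest firewall in the same VRF, and a default route that lives only in that VRF) as a complete 3750X configuration. This is an added example, not code from Jon's post: guest VLANs 200 and 201, the 10.200.0.0/24 and 10.201.0.0/24 subnets, port Gi1/0/24 with 192.0.2.9/30 towards a guest firewall at 192.0.2.10, and a corporate firewall at 192.0.2.1 in the global table are all assumptions, and VRF-lite is assumed to be available in the switch's feature set (check show version).

```cisco
! Added example, not from the thread. Assumed values: guest VLANs 200/201,
! guest firewall inside 192.0.2.10 on routed port Gi1/0/24 (192.0.2.9/30),
! corporate firewall 192.0.2.1 stays the global default gateway.
ip routing
!
ip vrf GUEST
 description Guest WiFi - own routing table, no path to corporate
!
vlan 200
 name GUEST-WIFI-1
vlan 201
 name GUEST-WIFI-2
!
! "ip vrf forwarding" removes any address already on the interface,
! so it comes first and the address is (re)entered after it.
interface Vlan200
 ip vrf forwarding GUEST
 ip address 10.200.0.1 255.255.255.0
!
interface Vlan201
 ip vrf forwarding GUEST
 ip address 10.201.0.1 255.255.255.0
!
! Routed L3 port to the guest firewall, also placed in the VRF.
interface GigabitEthernet1/0/24
 description Guest firewall inside
 no switchport
 ip vrf forwarding GUEST
 ip address 192.0.2.9 255.255.255.252
!
! Default route inside the VRF only; the global default for corporate VLANs
! is a separate table and does not see it.
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.10
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Verification (exec mode):
!   show ip vrf interfaces GUEST
!   show ip route vrf GUEST
!   ping vrf GUEST 192.0.2.10
!   show ip route 10.200.0.1      (must NOT resolve in the global table)
```

With this in place a guest host has no route to a corporate subnet and a corporate host has no route to a guest subnet, whatever the ACLs say, because neither table contains the other's prefixes; that is the point of Jon's remark that the ACLs become unnecessary. The flip side is exactly his caveat: anything the guests need (DHCP, DNS) must be served from inside VRF GUEST, typically by the guest firewall, and the two firewalls cannot back each other up without deliberately leaking routes between the tables.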

Hi Jon,

Thanks for these suggestions. I'll try them.

Best regards.

Aichireh

Reuben Farrelly
Level 3

Can you send through the output of 'show sdm prefer' and 'show ver' ?

Also what do you have in terms of access-lists for your policy routing?

It sounds like the performance may be due to one of three things:

(a) you have an SDM profile which does not support Policy Routing, which will cause high CPU. PBR should be done in hardware.

(b) you have an old version of IOS which does not properly support PBR

(c) you may have something in your access list which is not supported (such as a deny statement - not supported in earlier versions of IOS on this platform but fixed in later versions)
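The checks Reuben asks for, and a PBR configuration that avoids his points (a) and (c), put together as one procedure for the 3750X. This is an added example and not part of Reuben's post: the guest VLAN 200 with 10.200.0.0/24, the ACL and route-map names, and the guest firewall address 192.0.2.10 are assumptions.

```cisco
! Added example, not from the thread. Assumed: guest VLAN 200 = 10.200.0.0/24,
! guest firewall inside address 192.0.2.10.
!
! --- Step 1 (exec mode): what is the switch running? ---
show version
show sdm prefer
show processes cpu sorted
!   PBR on this platform is only hardware-switched with the "routing"
!   template; with the default or vlan template the policed traffic is
!   punted to the CPU, which is the symptom the original poster describes.
!
! --- Step 2 (config mode): select the routing template, then reload ---
! "show sdm prefer routing" first shows what the template does to the
! MAC/route table sizes, so it can be checked before committing.
sdm prefer routing
!   write memory, reload, then confirm with "show sdm prefer"
!
! --- Step 3: source-based policy, permit entries only ---
! No deny ACEs and no deny route-map sequences: both are unsupported for
! PBR on this family (deny ACEs only on later IOS, per Reuben's point (c)).
ip access-list extended GUEST-SRC
 permit ip 10.200.0.0 0.0.0.255 any
!
route-map GUEST-TO-FW2 permit 10
 match ip address GUEST-SRC
 set ip next-hop 192.0.2.10
!
interface Vlan200
 description Guest WiFi
 ip address 10.200.0.1 255.255.255.0
 ip policy route-map GUEST-TO-FW2
!
! --- Step 4 (exec mode): verify the policy is applied and CPU is back down ---
show ip policy
show route-map GUEST-TO-FW2
show processes cpu sorted
```

One caveat worth stating for a guest network: PBR is a per-packet override of the routing table, not a separate table. If the next hop 192.0.2.10 becomes unreachable, the set action no longer applies and guest packets are forwarded by the normal routing table, i.e. through the corporate firewall. The VRF design in Jon's reply does not have that failure mode, which is a reason to prefer it even once the CPU problem is fixed.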