01-16-2015 07:03 AM - edited 03-07-2019 10:15 PM
I am at a client site today where I am tasked with separating a specific VLAN's traffic away from all the other traffic. It is for VLAN 33, which is our PCI-scope traffic.
The client uses a 4506 with a Sup II plus, which I just found out from Cisco TAC does not support PBR.
The current configuration consists of a switch fabric with 25 switches and approximately 50 VLANs which all route back to the Core 4506. It is the router-on-a-stick model, wherein each VLAN, for example VLAN 5, has an L3 gateway of 192.168.5.1 on the Core box, and that is the GW for everything in VLAN 5. All VLANs route back to the Core.
Leaving Core and heading towards the Internet Edge, we pass through a Cisco IPS 4240, then through an ASA 5515x, and then a Border Router.
I have a separate interface pair on the IPS for the VLAN 33 PCI traffic, and also had a separate interface on the ASA for it as well.
I am not sure now how to ship the VLAN 33 traffic off of Core to the Edge without PBR being supported here.
Any recommendations would be welcome.
Thank you in advance.
01-16-2015 07:13 AM
Hi Kevin
If PBR is not supported then VRFs won't be either.
If all traffic for all the VLANs goes through the same IPS and to the same firewall, but you have different interfaces on the IPS and firewall for that specific VLAN, then just don't create an L3 interface for it on the 4500, i.e. you simply extend the VLAN to either the IPS or the firewall.
I say either because you extend it to the next L3 hop. I suspect that might be the firewall, but could you confirm?
You then make the IP address on the firewall (or IPS) the default gateway for clients in that specific vlan.
If I have misunderstood please clarify.
Edit - I have assumed that you do not want this specific vlan to communicate with any of the other vlans on the 4500.
Jon
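As an added example (not from the thread, and not Cisco's code), here is a small Python audit of a constructed Catalyst running-config that checks the two properties Jon's design depends on: the core has no SVI with an IP address for the PCI VLAN (so it cannot route between VLAN 33 and the other ~50 VLANs), and VLAN 33 is carried at layer 2 on its own port toward the IPS interface pair and the ASA interface that becomes the clients' default gateway. The port names GigabitEthernet1/1 and GigabitEthernet1/2, the 192.168.33.0/24 subnet and both sample configs are assumptions made up for the example.

```python
# Constructed sample running-configs (hypothetical, not the client's real config).
# "Before": VLAN 33 has an SVI on the core and shares the uplink trunk.
CORE_BEFORE = """\
vlan 33
 name PCI
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan33
 ip address 192.168.33.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 5,33
!
"""

# "After": no SVI for VLAN 33; it is bridged on its own port to the IPS PCI pair / ASA.
CORE_AFTER = """\
vlan 33
 name PCI
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 5
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 33
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command closes the block
    return interfaces


def expand_vlan_list(spec):
    """'5,33,100-102' -> {5, 33, 100, 101, 102}."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def port_vlans(lines):
    """(mode, access_vlan, allowed) for a physical port; allowed None = all VLANs."""
    mode, access_vlan, allowed = "access", 1, None
    for line in lines:
        if line == "switchport mode trunk":
            mode = "trunk"
        elif line.startswith("switchport access vlan "):
            access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(line.split(None, 4)[4])
    return mode, access_vlan, allowed


def audit_pci_vlan(config, vlan=33):
    """Findings that break the isolation design; an empty list means it holds."""
    interfaces = parse_interfaces(config)
    findings, carriers = [], []
    svi = f"Vlan{vlan}"
    if svi in interfaces and any(l.startswith("ip address ") for l in interfaces[svi]):
        findings.append(f"{svi} has an IP address: the core still routes VLAN {vlan}")
    for name, lines in interfaces.items():
        if name.lower().startswith("vlan"):
            continue  # SVIs are not physical ports
        mode, access_vlan, allowed = port_vlans(lines)
        if mode == "access" and access_vlan == vlan:
            carriers.append(name)
        elif mode == "trunk" and (allowed is None or vlan in allowed):
            carriers.append(name)
            others = sorted(allowed - {vlan}) if allowed is not None else "all VLANs"
            if others:  # PCI VLAN is mixed onto a shared trunk, not its own path
                findings.append(f"{name} trunks VLAN {vlan} together with {others}")
    if not carriers:
        findings.append(f"no port carries VLAN {vlan} at layer 2 toward the ASA gateway")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CORE_BEFORE), ("after", CORE_AFTER)):
        print(label, audit_pci_vlan(cfg) or "OK: VLAN 33 is bridged, not routed, on the core")
```

Feed the output of `show running-config` from the 4506 to `audit_pci_vlan` after the change; any finding means the core still has a routed or shared path for the PCI VLAN that bypasses the dedicated IPS pair and ASA interface.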
01-19-2015 06:45 AM
Jon
Nice to hear from you. I figured out last Friday that this is exactly what I need to do. I am simply moving the gateway to the ASA interface.
Hope you are well!
Kevin