Separating VLAN traffic when PBR is not supported on the Core Switch

Kevin Melton
Level 2
I am at a client site today where I am tasked with separating a specific VLAN's traffic away from all the other traffic. It is for VLAN 33, which is our PCI-scope traffic.

The client uses a 4506 with a Sup II Plus, which I just found out from Cisco TAC does not support PBR.

The current configuration consists of a switch fabric with 25 switches and approximately 50 VLANs which all route back to the Core 4506. It is the router-on-a-stick model, wherein each VLAN (for example VLAN 5) has an L3 gateway of 192.168.5.1 on the Core box, and that is the GW for everything in VLAN 5. All VLANs route back to the Core.

Leaving Core and heading towards the Internet Edge, we pass through a Cisco IPS 4240, then through an ASA 5515-X, and then a Border Router.

I have a separate interface pair on the IPS for the VLAN 33 PCI traffic, and also had a separate interface on the ASA for it as well.

I am not sure now how to ship the VLAN 33 traffic off of Core to the Edge without PBR being supported here.

Any recommendations would be welcome.

Thank You in advance.

Accepted Solution

Jon Marshall
Hall of Fame

Hi Kevin

If PBR is not supported then VRFs won't be either.

If all traffic for all the VLANs goes through the same IPS and to the same firewall, but you have different interfaces on the IPS and firewall for that specific VLAN, then just don't create a L3 interface for it on the 4500, i.e. you simply extend the VLAN to either the IPS or firewall.

I say either because you extend it to the next L3 hop. I suspect that might be the firewall, but could you confirm?

You then make the IP address on the firewall (or IPS) the default gateway for clients in that specific VLAN.

If I have misunderstood please clarify.

Edit: I have assumed that you do not want this specific VLAN to communicate with any of the other VLANs on the 4500.

Jon
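What Jon's suggestion looks like in configuration, as an added sketch that is not part of the thread or of Cisco's documentation. The port names, the `pci` interface name and 192.168.33.1 (following the thread's 192.168.x.1 convention) are assumptions; the inline IPS 4240 pair for VLAN 33 is taken to sit transparently on the core-to-ASA link and is not configured here.

```text
! --- Before (what the thread describes): the core routes VLAN 33 itself ---
! interface Vlan33
!  ip address 192.168.33.1 255.255.255.0
!
! --- After: the core carries VLAN 33 at Layer 2 only ---
! Core 4506 (IOS)
no interface Vlan33
!
vlan 33
 name PCI
!
! Dedicated uplink for VLAN 33 towards the edge (assumed port); only VLAN 33
! is allowed, so no other VLAN can reach the ASA's pci interface this way.
interface GigabitEthernet1/1
 description VLAN 33 (PCI) to ASA 5515-X via IPS 4240 inline pair
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 33
!
! Checks on the core after the change:
!   show ip interface brief | include Vlan33   -> should return nothing
!   show interfaces trunk                      -> Gi1/1 allowed VLAN 33 only
!
! ASA 5515-X: the subinterface becomes VLAN 33's default gateway
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/2.33
 vlan 33
 nameif pci
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
! Hosts in VLAN 33 keep 192.168.33.1 as their default gateway, so nothing
! changes on the clients; every packet entering or leaving the PCI VLAN now
! passes the IPS pair and the ASA's policy instead of being routed on the core.
```

Because the ASA does not forward between interfaces of equal security level unless `same-security-traffic permit inter-interface` is configured, VLAN 33 stays isolated from the other VLANs by default, which matches the assumption in Jon's edit; any PCI-to-internal flows that are genuinely required then have to be allowed explicitly on the ASA.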


2 Replies


Jon

Nice to hear from you. I figured out last Friday that this is exactly what I need to do. I am simply moving the gateway to the ASA interface.

Hope you are well!

Kevin
