08-17-2019 08:03 AM
Hello Cisco community,
I have an odd and seemingly frustrating problem...
I have a set of switches/devices - Catalyst 3750 and 2960 plus a RV325
The RV325 is the gateway to the internet using the primary ISP
There is a second ISP which is there for internet traffic from one vlan
Currently the "second vlan" is physically separate because I cannot find a way to route that vlan's traffic through the second ISP.
So I'm looking to route based upon source IP rather than destination IP - is this something that the switches or the RV325 can handle and how would I configure it?
Thanks in advance,
Marc
08-17-2019 08:54 AM
To route based on source address rather than destination address is generally done using Policy Based Routing. This link suggests that PBR is supported on the RV325, but I am not sure how they got to the screen shown in the posting
HTH
Rick
08-17-2019 09:57 AM - edited 08-18-2019 01:54 AM
Thanks for the prompt response again Richard,
No, I've not seen that interface on the RV325 management GUI - I'll look again and report back...
EDIT: That Protocol Binding GUI is available when you edit the config of a WAN interface - The RV325 emulator doesn't allow you to "edit a WAN" (that UI page is not emulated at the moment)
08-17-2019 10:57 AM - edited 08-18-2019 01:56 AM
I can't find that UI anywhere on the RV325 management GUI - I'll leave a post on the discussion you referenced to see if that respondent can shed any light on the matter...
EDIT: This UI was not in the emulator but in a live RV325 it is found when you edit a WAN interface
I assume that there's nothing in the 3750 that can do this?
08-17-2019 03:37 PM
I have briefly looked through some documentation for RV325 and do not find any statements about PBR support. It will be interesting if the poster in that discussion does have anything to say.
I was focusing on the RV325 based on assumptions I was making about the topology of your network. Now that you ask about it I have found a reference indicating that the 3750 does support PBR (for certain feature sets and assuming that the sdm preference is set for routing). See this link for details
Perhaps you can provide a bit more information about the topology of the network and we can explore whether PBR on your 3750 would be useful for you.
HTH
Rick
08-17-2019 04:47 PM
08-18-2019 04:13 PM
Marc
Thank you for the additional information. I had assumed that the RV325 would have the 2 links to ISPs and therefore would be where PBR would be appropriate. But looking at your drawing I see that vlans 4 and 5 go through the RV325 to get to the Internet but that vlan 3 connects to 3750 which uses vlan 2 as the path to the other ISP. Therefore PBR would be appropriate on the 3750 rather than the RV325.
One question occurs to me looking at the drawing. I assume that the RV325 will do address translation for the traffic going to its ISP. But what will do address translation for vlan 3 as it goes to its ISP?
HTH
Rick
01-03-2020 11:18 AM
hi Rick,
Many apologies for the gap between your question and this response:
"Modem 2" on the diagram will provide NAT and knows to route vlan3 traffic back via vlan2/vlan3 gateway.
Do you have any suggestions regarding commands to configure the 3750 for PBR?
Many thanks in advance
Marc
01-05-2020 11:55 AM
Marc
I am happy to offer these suggestions to guide you through configuring PBR for your 3750. I would start with a review of some of the concepts. Normal IP forwarding logic is based on identifying the destination address and the best path to reach that destination. PBR provides an alternative approach to forwarding that makes the forwarding decision based on something other than the destination address (frequently, as in your case, it is based on source address). There are several things that you will need to do and I would suggest doing the steps in this order.
1) configure an access list to identify traffic to be forwarded using PBR. If I understand your situation devices in vlan 3 use addresses in 10.10.3.0. Those devices might need to communicate with other devices in your network, which use other subnets in 10.0.0.0. Traffic to the Internet from vlan 3 should be Policy routed. So the access list should deny traffic with source of 10.10.3.0 and destination in 10.0.0.0 and the access list should permit traffic with source of 10.10.3.0 to any other destination. The access list might look something like this
access-list 101 deny ip 10.10.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.3.0 0.0.0.255 any
2) configure a route map which will use the access list to identify traffic and will set the next hop to send traffic to modem 2. The route map might look something like this
route-map vlan3PBR permit 10
match ip address 101
set ip next-hop 10.10.2.5
3) apply the route map to the interface. Note that the route map is applied to the interface receiving the traffic. Many people think that it is applied to the outbound interface (which might seem logical but is incorrect) and that causes PBR to not operate correctly. It might look something like this
interface vlan 3
ip policy route-map vlan3PBR
There are some other options that can be used in PBR but based on my understanding of what you are trying to accomplish I believe that this should be sufficient for you. You might find the information in this link helpful if you want more information about PBR
https://community.cisco.com/t5/networking-documents/how-to-configure-pbr/ta-p/3122774
HTH
Rick
01-06-2020 12:29 PM
Hi Rick,
I see what you did and I believe that it is most likely going to be the solution.
One of the reasons for my delay is that I needed to put in a new POE switch so thought that I would incorporate your changes in this little upgrade - which is not going very well...
ref:
To understand the ACL rules:
The first
access-list 101 deny ip 10.10.3.0 0.0.0.255 10.0.0.0 0.255.255.255
filters out packets going from this vlan to other vlans, then the second
access-list 101 permit ip 10.10.3.0 0.0.0.255 any
permits traffic from this vlan to any - therefore denying any traffic from outside this vlan.
Therefore the policy/route map is applied to packets identified in this ACL which are only packets leaving this vlan whose destination is outside all vlans (in this case the public network)
Brilliant!
Many thanks,
Marc
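Added example (not code from the thread): a small Python model of the PBR decision that Rick's three steps configure and that Marc walks through above. It reproduces IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, a permit route-map sequence, and the fact that `ip policy route-map` is evaluated on the ingress SVI only. The host addresses, the vlan 4 subnet 10.10.4.0/24 and the external address 203.0.113.10 are constructed for the example; only 10.10.3.0/24, 10.0.0.0/8, access-list 101, route-map vlan3PBR and next hop 10.10.2.5 come from the thread.

```python
"""Model of PBR on the 3750 as configured in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_any() -> Tuple[str, str]:
    """The 'any' keyword is 0.0.0.0 with an all-ones wildcard."""
    return "0.0.0.0", "255.255.255.255"


def acl_result(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


@dataclass
class RouteMapSeq:
    action: str                # permit / deny sequence
    match_acl: List[AclEntry]  # match ip address <acl>
    next_hop: Optional[str]    # set ip next-hop <addr>


def policy_route(route_map: List[RouteMapSeq], src: str, dst: str) -> Optional[str]:
    """Return the PBR next hop, or None meaning 'use the normal routing table'.

    A packet the ACL denies is NOT dropped by PBR; it simply does not match the
    sequence and falls through to destination-based forwarding.
    """
    for seq in route_map:
        if acl_result(seq.match_acl, src, dst) == "permit":
            return seq.next_hop if seq.action == "permit" else None
    return None


def forward(ip_policy: Dict[int, List[RouteMapSeq]], ingress_vlan: int, src: str, dst: str) -> str:
    """'ip policy route-map' only applies to packets arriving on that SVI."""
    rm = ip_policy.get(ingress_vlan)
    nh = policy_route(rm, src, dst) if rm else None
    return f"pbr next-hop {nh}" if nh else "normal routing table"


# access-list 101 as posted in the thread
ACL_101 = [
    AclEntry("deny", "10.10.3.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    AclEntry("permit", "10.10.3.0", "0.0.0.255", *acl_any()),
]
# route-map vlan3PBR permit 10 / match ip address 101 / set ip next-hop 10.10.2.5
VLAN3_PBR = [RouteMapSeq("permit", ACL_101, "10.10.2.5")]
# interface vlan 3 / ip policy route-map vlan3PBR
IP_POLICY = {3: VLAN3_PBR}


def demo() -> List[Tuple[str, str]]:
    """Constructed sample packets (hosts, vlan 4 subnet and 203.0.113.10 are assumptions)."""
    cases = [
        ("vlan3 host -> vlan4 host", forward(IP_POLICY, 3, "10.10.3.20", "10.10.4.7")),
        ("vlan3 host -> Internet", forward(IP_POLICY, 3, "10.10.3.20", "203.0.113.10")),
        ("vlan4 host -> Internet", forward(IP_POLICY, 4, "10.10.4.7", "203.0.113.10")),
        # arrives on vlan 3 but carries a non-vlan3 source: PBR keys on the
        # claimed source, so it is not policy routed (ingress filtering is a
        # separate interface ACL, not PBR)
        ("vlan3 ingress, forged source", forward(IP_POLICY, 3, "10.10.4.7", "203.0.113.10")),
    ]
    return cases


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name:32} {result}")
```

On the real switch the equivalent checks are `show route-map vlan3PBR` (per-sequence match counters) and `show ip policy` (which SVI has which map applied); as Rick's 08-17 post notes, the 3750 needs the routing sdm template (`sdm prefer routing`, which takes effect after a reload) and `ip routing` before the `ip policy` command does anything. The last sample case is the caveat worth remembering: the `deny` entry and the implicit deny never drop traffic, they only send it back to the normal routing table, and PBR trusts whatever source address the packet carries.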
01-08-2020 11:25 AM
Marc
You are welcome. I hope that my suggestions do point you in the right direction to getting PBR implemented. I did look at your other post and have made a response there. I hope that you get both of the questions resolved.
HTH
Rick
05-12-2020 04:55 AM