Using 3750 as Router

GuidoBarendse88
Level 1

Hello,

I am replacing a Cisco 4006 with a Routing module. The replacement switch will be a stack of one 3750G and two 3750V2.

The Routing module of the 4006 has 192.168.1.3 as IP address and does some routing to two gateways. All traffic for network 10.0.0.0 goes to 192.168.1.1 (Cisco 2600) and the rest goes to 192.168.1.4 (Firewall).

Both devices are connected to the routing module of the Cisco 4006.

How would I need to configure the new 3750 stack so it will function as a router and can be used as a gateway? And how do I connect the other devices to the 3750 stack?

Thanks in advance.


If the SVI of VLAN 1 is 192.168.1.3 could I then use 192.168.1.3 as the default gateway on clients?

Then when a client requests 10.0.0.0 it will be forwarded to 192.168.0.1 (Cisco 2600) and otherwise it will be redirected to 192.168.1.4 (firewall).

Is this correct?

Yes, this is correct.

192.168.1.1(Cisco 2600)

Guido

What is the current DG of the clients? Is it 192.168.1.3? If so, then yes to your question. If not, then there is something you are not telling us.

Jon

The current DG of most clients is 192.168.1.1 (Cisco 2600).

For some clients it is 192.168.1.3 (4006 4323-L3), which then routes to either 192.168.1.1 or 192.168.1.4.

This is because some clients use a different internet connection but still need to be able to reach the 10.0.0.0 network.

Ahh okay so the 4006 is L2 for some clients and L3 for others.

If the only two next-hops are either the 2600 or the firewall then I would make the DG of all clients the vlan 1 interface on the 3750 stack.

But it sounds more complicated than this.

Is it simply any traffic for 10.0.0.0/8 to the 2600 and the rest to the firewall for all clients in vlan 1, or does the 2600 router have other connections?

You need to tell us as much info as possible otherwise we could end up breaking the network.

Jon

If a client has 192.168.1.1 as the DG it will never end up at 192.168.1.4, because it will not use 192.168.1.3 for routing.

If a client has 192.168.1.3 as the DG, it depends on the destination address whether it will use 192.168.1.1 or 192.168.1.4.

Did I explain it clearly enough?

I can't use 192.168.1.3 as the DG for all clients because only a couple of clients are allowed to use the internet connection that's behind 192.168.1.4 (firewall).

All the clients that have 192.168.1.1 as the DG have to use the internet connection that is behind 192.168.1.1 (Cisco 2600).

Understood.

Well you can either -

1) emulate that on the 3750, i.e. do what has been suggested by Amit and me, and it should work fine

or

2) if you have the IP services feature set on the 3750s then you could use the DG 192.168.1.3 and use PBR (Policy Based Routing) for the devices that need to go via the 192.168.1.4 firewall.

I am not a huge fan of the setup you currently have because it is confusing, and presumably you have to manually set the DG of the clients that you want to go via the 192.168.1.4 firewall? But emulating this on the 3750 would cause the least disruption to your network.

Personally, if PBR was supported I would make the 192.168.1.3 vlan 1 interface the DG for all clients; then you don't have to manually set any DGs on the clients.

Jon

Yes, you're right that I have to manually configure the 192.168.1.3 DG if I want to use 192.168.1.4 (Firewall). But because this is only on some clients, not more than 5, it is not such a problem.

Can you tell me something more about the PBR? How would it know which client uses the 192.168.1.4?

Do you specify this on MAC or IP address of the client?


The problem is that sometimes a client needs to use the 192.168.1.4 internet connection for a short time. If I use PBR I would need to change the ACL every time this is necessary.

It is much easier to change the DG of the client to 192.168.1.3 and then change it back to 192.168.1.1. (This only happens around once a month and the users do this with a script.)

In that case it is probably easier to make do with what you have, although I'm not keen on the user being able to change their own default gateway, but that is just the security side of me coming out.

Well, not every user is able to do this, only certain employees to whom this responsibility is entrusted.

So the best option is the first solution you gave?

Yes, I would go with the solution Amit and myself originally gave, using vlan 1 rather than creating a new vlan. That way there will be minimal disruption and it is the easiest to configure.

Jon
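The "emulate the 4006 on the 3750" option discussed above, written out as an added example configuration; it is not from this thread or from Amit's or Jon's posts. It uses only what the question states (SVI 192.168.1.3, 10.0.0.0/8 via 192.168.1.1, everything else via 192.168.1.4, all on VLAN 1) and assumes a /24 mask on VLAN 1 and the interface names GigabitEthernet1/0/1 and 1/0/2 for the uplinks to the 2600 and the firewall; change those to match the stack.

```cisco
! Added example, not the thread's own config. Assumptions: VLAN 1 is a /24,
! Gi1/0/1 connects to the 2600 and Gi1/0/2 to the firewall.
!
! Turn the stack into a router; without this the SVI only manages the switch
ip routing
!
! The SVI that replaces the 4006 routing module. Clients that need the
! firewall path set this address as their DG, as described in the thread.
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 ! Optional: both next hops sit on this same VLAN, so by default the switch
 ! sends ICMP redirects to clients pointing them straight at 192.168.1.1 or
 ! 192.168.1.4. Disabling redirects keeps every decision on the switch.
 no ip redirects
 no shutdown
!
! The two routes the 4006 module was doing: 10/8 to the 2600, the rest to the firewall
ip route 10.0.0.0 255.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.4
!
! Both gateways and the clients are plain access ports in VLAN 1, so clients
! whose DG is 192.168.1.1 reach the 2600 at layer 2 exactly as before.
interface GigabitEthernet1/0/1
 description Cisco 2600 - 192.168.1.1
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet1/0/2
 description Firewall - 192.168.1.4
 switchport mode access
 switchport access vlan 1
```

After applying it, `show ip route` should list the 10.0.0.0/8 static route and the default route with the two next hops, and `show ip interface brief` should show Vlan1 up with 192.168.1.3. Static routing of this kind is available in the IP Base image, so unlike the PBR alternative it does not depend on the IP Services feature set.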

Jon Marshall
Hall of Fame

PBR allows you to override the routing table. So let's say you had on your 3750 stack -

ip route 0.0.0.0 0.0.0.0 <2600 router IP>

and all your clients were pointing to the 192.168.1.3 vlan 1 interface on the 3750. With PBR you can specify source IPs that you want to policy route, e.g. let's say 192.168.1.10 and 11 needed to go to your firewall instead of the 2600 -

access-list 101 permit ip host 192.168.1.10 10.0.0.0 0.255.255.255
access-list 101 permit ip host 192.168.1.11 10.0.0.0 0.255.255.255
access-list 102 permit ip host 192.168.1.10 any
access-list 102 permit ip host 192.168.1.11 any

route-map PBR permit 10
 match ip address 101
route-map PBR permit 20
 match ip address 102
 set ip next-hop 192.168.1.4

int vlan 1 <-- on 3750
 ip policy route-map PBR

A couple of points on the above -

1) I'm assuming that clients 10 and 11, if they want to go to the 10.0.0.0/8 network, need to go to the 2600. So you need to exclude this from the policy routing, otherwise traffic to 10.0.0.0/8 from 10/11 would go to the firewall as well.

2) on routers, to exclude addresses you would simply use deny lines in your acl, so the PBR config would simply have one acl, i.e.

access-list 101 deny ip host 192.168.1.10 10.0.0.0 0.255.255.255
access-list 101 deny ip host 192.168.1.11 10.0.0.0 0.255.255.255
access-list 101 permit ip host 192.168.1.10 any
access-list 101 permit ip host 192.168.1.11 any

route-map PBR permit 10
 match ip address 101
 set ip next-hop 192.168.1.4

Any deny lines that match mean the traffic is not policy routed. However, with 3750 switches (and some other L3 switches) if you use deny statements in the acl then all packets are software switched, which you really don't want, so the above config is the workaround, i.e. match the traffic you don't want to policy route but don't set a next-hop IP, and so it will use the routing table.

Like I say though, you do need the IP Services image on your switches to use PBR.

Jon

GuidoBarendse88
Level 1

Thanks Jon and Amit for all the info.