ndalmolin_13

asked on

Can I have different default routes for different VLANs/networks

Hello Networking Experts

I have some network issues I would like to present to you.  Here is the situation:
• I work for a state agency. Our agency consists of two offices.
• The main office is in Town A.
• The remote office is in Town B.
• The main office has a Cisco 3850 layer 3 switch that does layer 2 switching and layer 3 routing.
• The remote office has a Cisco 4506 layer 3 switch that does layer 2 switching and routing.
• The remote office has a Cisco 5510 ASA. The internal interface of the ASA has an IP address of 192.168.100.253.
• There is a point-to-point connection between the main office and the remote office.
• The main office side of the point-to-point connection has an IP address of 192.168.99.1 /30.
• The remote office side of the point-to-point connection has an IP address of 192.168.99.2 /30.
• Up until a few weeks ago, all servers and workstations in the remote office existed on VLAN2 with an address range of 192.168.100.xx /24. The default gateway for both servers and workstations was 192.168.100.254.
• Up until a few weeks ago, Internet traffic at the remote office was as follows:
    o If the proxy server setting was configured in Internet Explorer, internet traffic was routed across the point-to-point connection between the main office and the remote office so that it would go through the proxy server at the main office.
    o If the proxy server setting was not configured, the workstation accessed the Internet through a direct T1 connection to the Internet.
• Up until a few weeks ago, the terminal services gateway server in the remote office functioned as expected and we could remote into the network via that server.
• At the time everything was working, the default route on the Cisco 4506 in the remote office was:
    ip route 0.0.0.0 0.0.0.0 192.168.100.253
• A few weeks ago, some mandated changes were made.
• Change 1 - A direct connection to the state network was established.
• Change 2 - Workstations in the remote office were moved onto a state switch on VLAN5 with an address range of 192.168.105.xx /24. The default gateway on workstations is 192.168.105.254.
• The servers in the remote office still reside on our Cisco 4506 on VLAN2 with an address range of 192.168.100.xx /24. The default gateway on servers is 192.168.100.254.
• Change 3 - Internet traffic for the remote office is as follows:
    o If the proxy server setting is configured in Internet Explorer, internet traffic is routed across the state network to the main office so that it goes through the proxy server at the main office. This is working as we want it to work.
    o If the proxy server setting is not configured, the workstation cannot access the Internet. Again, this is how we want things to work.
• The default route on the Cisco 4506 in the remote office is:
    ip route 0.0.0.0 0.0.0.0 10.147.255.250
  The 10.147.255.250 address is the far side of the connection to the state network.
• A direct pipe to the Internet still exists at the remote office. I have verified that this link is up and running by establishing an SSH connection to the Cisco ASA in the remote office and pinging 8.8.8.8. This ping is 100% successful.
• From the Cisco 4506, I can successfully ping 192.168.100.253 (the internal interface of the Cisco ASA).
• From the terminal services server, I can ping 192.168.100.253. The IP configuration of the terminal services server is:
    IP – 192.168.100.23
    SM – 255.255.255.0
    GW – 192.168.100.254
• With the configuration above, I can successfully remote desktop into the terminal services server from my desktop at the main office.

The terminal services server in the remote office needs to use the direct connection to the Internet at the remote office, as NATing to the appropriate external IP address is configured on the Cisco 5510 ASA at that office. My thought to accomplish this was to simply change the default gateway on that server from 192.168.100.254 to 192.168.100.253 (the internal interface of the Cisco ASA). However, this did not work. When I changed the default gateway, I lost my ability to remote desktop into the server. I did a trace route and I get all the way down to the Cisco 4506 in the remote office, but then it times out and can't find the server with the new gateway. The routing table of the Cisco 4506 and relevant VLAN information is as follows:

interface Vlan2
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan990
 description POINT-TO-POINT_CONNECTION_WITH_STATE_NETWORK
 ip address 10.147.255.249 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.147.255.250
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 10.1.6.0 255.255.255.0 192.168.99.1
ip route 10.1.100.0 255.255.255.0 192.168.99.1
ip route 10.1.101.0 255.255.255.0 192.168.99.1
ip route 10.1.102.0 255.255.255.0 192.168.99.1
ip route 10.1.150.0 255.255.255.0 192.168.99.1
ip route 10.10.10.0 255.255.255.0 192.168.99.1
ip route 10.110.100.0 255.255.255.0 192.168.99.1
ip route 10.110.101.0 255.255.255.0 192.168.99.1
ip route 10.110.110.0 255.255.255.0 192.168.99.1
ip route 10.110.112.0 255.255.255.0 192.168.99.1
ip route 10.110.113.0 255.255.255.0 192.168.99.1
ip route 10.110.114.0 255.255.255.0 192.168.99.1
ip route 10.110.200.0 255.255.255.0 192.168.99.1
ip route 10.110.201.0 255.255.255.0 192.168.99.1
ip route 10.110.220.0 255.255.255.0 192.168.99.1
ip route 10.110.250.0 255.255.255.0 192.168.99.1
ip route 10.110.251.0 255.255.255.0 192.168.99.1
ip route 12.196.11.132 255.255.255.255 192.168.100.253
ip route 159.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 159.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 159.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 159.xxx.xxx.90 255.255.255.255 192.168.99.1
ip route 159.xxx.xxx.138 255.255.255.255 192.168.99.1
ip route 192.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 192.168.101.0 255.255.255.0 192.168.100.253
ip route 192.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 192.xxx.xxx.58 255.255.255.255 192.168.99.1
ip route 205.xxx.xxx.200 255.255.255.255 192.168.99.1
ip route 205.xxx.xxx.201 255.255.255.255 192.168.99.1
ip route 206.xxx.xxx.122 255.255.255.255 192.168.99.1
ip route 206.xxx.xxx.124 255.255.255.255 192.168.99.1

In looking at the VLAN information and the routing table above, I know the Cisco 4506 "knows" about 192.168.100.254 as it is the SVI for VLAN2 and is directly connected. When I change the default gateway on the terminal services server to 192.168.100.253, the switch does not know how to get to that address, so I think I need to add a route to that network. Can I do something like the following?
ip route 192.168.100.0 255.255.255.0 interface VLAN2

Is there a way to setup a default route for the 192.168.100.xx network?

Regards,
Nick
Jan Bacher

You want policy based routing.
From what subnet are you trying to remote desktop to the terminal server from?

On the 4506 you should NOT need to add a route for the 192.168.100.0/24 network as it is on that network. If you do a "show ip route" on the 4506 it should have one because it is directly on that subnet.
ndalmolin_13 (ASKER)

Hello All,
Giltjr was correct.  The 192.168.100.0 network is connected.  The relevant result from show ip route is posted below.
     C    192.168.100.0/24 is directly connected, Vlan2

Why is it that when I change the default gateway from 192.168.100.254 to 192.168.100.253 the 4506 "loses" the network?

Here is a tracert with the target having 192.168.100.254 as its default gateway:

C:\Users\nick>tracert 192.168.100.254

Tracing route to 192.168.100.254 over a maximum of 30 hops

  1     2 ms     3 ms     3 ms  10.110.250.254
  2    13 ms     7 ms     6 ms  192.168.100.254

Trace complete.


Here is a tracert with the target's default gateway set to 192.168.100.253.

C:\Users\nick>tracert 192.168.100.254

Tracing route to 192.168.100.254 over a maximum of 30 hops

  1     2 ms     3 ms     3 ms  10.110.250.254
  2     6 ms     6 ms     6 ms  192.168.99.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
Can you post the output from the "show ip route" command on the Cisco switch?

Also what is 10.110.250.254?
Here is the output from show ip route.  I had to x some information out to appease the security folks, but I don't think it is that big of a deal.

10.110.250.254 is the default gateway of the vlan that my PC is connected to.

REMOTE-4506#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.147.255.250 to network 0.0.0.0

S    192.xx9.108.0/24 [1/0] via 192.168.99.1
     159.xxx.xxx.0/16 is variably subnetted, 5 subnets, 2 masks
S       159.xxx.xxx.90/32 [1/0] via 192.168.99.1
S       159.xxx.xxx.0/24 [1/0] via 192.168.99.1
S       159.xxx.xxx.0/24 [1/0] via 192.168.99.1
S       159.xxx.xxx.0/24 [1/0] via 192.168.99.1
S       159.xxx.xxx.138/32 [1/0] via 192.168.99.1
     205.xxx.9.0/32 is subnetted, 2 subnets
S       205.xxx.9.201 [1/0] via 192.168.99.1
S       205.xxx.9.200 [1/0] via 192.168.99.1
     206.xxx.229.0/32 is subnetted, 2 subnets
S       206.xxx.229.124 [1/0] via 192.168.99.1
S       206.xxx.229.122 [1/0] via 192.168.99.1
C    192.168.99.0/24 is directly connected, GigabitEthernet2/2
     10.0.0.0/8 is variably subnetted, 19 subnets, 2 masks
S       10.110.100.0/24 [1/0] via 192.168.99.1
S       10.110.101.0/24 [1/0] via 192.168.99.1
S       10.110.110.0/24 [1/0] via 192.168.99.1
S       10.10.10.0/24 [1/0] via 192.168.99.1
S       10.1.6.0/24 [1/0] via 192.168.99.1
S       10.1.5.0/24 [1/0] via 192.168.99.1
S       10.110.112.0/24 [1/0] via 192.168.99.1
S       10.110.113.0/24 [1/0] via 192.168.99.1
S       10.110.114.0/24 [1/0] via 192.168.99.1
S       10.1.102.0/24 [1/0] via 192.168.99.1
S       10.1.101.0/24 [1/0] via 192.168.99.1
S       10.1.100.0/24 [1/0] via 192.168.99.1
S       10.1.150.0/24 [1/0] via 192.168.99.1
C       10.147.255.248/29 is directly connected, Vlan990
S       10.110.250.0/24 [1/0] via 192.168.99.1
S       10.110.251.0/24 [1/0] via 192.168.99.1
S       10.110.200.0/24 [1/0] via 192.168.99.1
S       10.110.201.0/24 [1/0] via 192.168.99.1
S       10.110.220.0/24 [1/0] via 192.168.99.1
S    192.xxx.170.0/24 [1/0] via 192.168.99.1
     12.0.0.0/32 is subnetted, 1 subnets
S       12.196.11.132 [1/0] via 192.168.100.253
     192.xxx.1.0/32 is subnetted, 1 subnets
S       192.xxx.1.58 [1/0] via 192.168.99.1
C    192.168.100.0/24 is directly connected, Vlan2
S    192.168.101.0/24 [1/0] via 192.168.100.253
S*   0.0.0.0/0 [1/0] via 10.147.255.250
ASKER CERTIFIED SOLUTION
giltjr
This solution is only available to members.
I was wrong about the 192.168.99.0 network having a /30 mask.  It does have a /24 mask.  I have run an IP scan on that network and the only two active IP addresses are 192.168.99.1 (the IP assigned to the point-to-point link in the main office on gi2/0/6) and 192.168.99.2 (the IP assigned to the point-to-point link in the remote office on gi2/2).

The 10.110.250.254 is the IP assigned to the SVI for the 250 vlan on the layer 3 switch in the main office.  All workstations in the 10.110.250.0 network use 10.110.250.254 as their default gateway.

The routing table from the layer 3 switch in the main office is as follows:

ip route 0.0.0.0 0.0.0.0 10.1.4.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 10.1.4.24 255.255.255.248 10.1.4.1
ip route 10.1.6.0 255.255.255.0 10.1.4.9
ip route 10.110.101.0 255.255.255.0 10.99.99.2
ip route 10.110.110.0 255.255.255.0 10.99.99.2
ip route 10.110.112.0 255.255.255.0 10.99.99.2
ip route 10.110.113.0 255.255.255.0 10.99.99.2
ip route 10.110.114.0 255.255.255.0 10.99.99.2
ip route 69.xxx.0.0 255.255.0.0 159.xxx.xxx.84
ip route 159.xxx.xxx.66 255.255.255.255 10.1.4.1
ip route 172.16.0.0 255.240.0.0 Null0
ip route 172.20.1.0 255.255.255.0 10.1.4.18
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.100.0 255.255.255.0 192.168.99.2
ip route 192.168.101.0 255.255.255.0 10.99.99.2
ip route 192.168.105.0 255.255.255.0 10.99.99.2
ip route 199.xxx.xxx.0 255.255.248.0 159.xxx.xxx.84
ip route 199.xxx.xxx.0 255.255.254.0 159.xxx.xxx.84
ip route 205.xxx.xxx.0 255.255.255.0 159.xxx.xxx.84
ip route 208.xxx.xxx.0 255.255.255.0 159.xxx.xxx.84
ip route 209.xxx.xxx.193 255.255.255.255 10.1.4.9

Based on the routing table above, my tracert to 192.168.100.253 should do the following:
Hop 1 - Hit 10.110.250.254 - This is my default gateway
Hop 2 - Hit 192.168.99.2 - This is the far end of the point-to-point link in the remote office
Hop 3 - Hit 192.168.100.253 - Based on the routing table on the 4506
I will have to look at this, but you are correct as to which routers you should hit when you do a trace route.  

That is why I'm a little confused right now.  In message:

https://www.experts-exchange.com/questions/28586115/Can-I-have-different-default-routes-for-diffent-vlans-networks.html?anchorAnswerId=40516565#a40516565 

when you had 192.168.100.254 as the default route you never saw a response from 192.168.99.2.
My apologies for letting this sit.  I was out last week.
To make sure this is what you have logically:

Your PC <- 10.110.250.0/30 -> 3850 <- 192.168.99.0/30 -> 4506 <- 192.168.100.0/24 -> 5510
                                                                        /\
                                                                         |
                                                                        \/
                                                                Some Other Device

You are trying to change the default gateway for "Some other device" to 192.168.100.253, which is the IP address on the 5510. Correct?  

Does the 5510 have a route that points back to the 4506 for 10.110.250.0/30? If not it needs one, and it (the 5510) should be set up to issue ICMP redirects for that subnet, and any other internal subnet.
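As an added illustration (not from the thread, and not the actual device configurations), here is a small Python model of the forwarding decisions discussed above: the 4506 and 5510 routing tables are reduced to the routes that matter here, the PC address 10.110.250.10 is constructed, and both the ASA's missing return route and the route-map behaviour are assumptions. It shows why a reply from the server goes astray once its gateway is the ASA inside interface, what the return route giltjr asks about changes, and how the policy based routing Jan Bacher mentioned would keep the server's gateway at .254 while handing only Internet-bound traffic to the ASA.

```python
"""Model of the remote-office forwarding paths discussed in this thread (constructed)."""
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Reduced 4506 table: VLAN2 connected, main-office subnet via the p2p link,
# default via the state network (taken from the show ip route output above).
RIB_4506 = {
    "192.168.100.0/24": "connected",
    "10.110.250.0/24": "192.168.99.1",
    "0.0.0.0/0": "10.147.255.250",
}
# Assumed 5510 inside view: connected subnet plus a default to the Internet only,
# i.e. no route back to the main office, which is what giltjr asked to verify.
RIB_ASA_BEFORE = {"192.168.100.0/24": "connected", "0.0.0.0/0": "internet"}
# Same table with the return route giltjr proposed added (assumption).
RIB_ASA_AFTER = {**RIB_ASA_BEFORE, "10.110.250.0/24": "192.168.100.254"}

def lookup(rib, dst):
    """Longest-prefix match: return the next hop for dst, or None if nothing matches."""
    best = None
    for prefix, next_hop in rib.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def pbr_4506(src, dst):
    """Assumed route-map on the 4506's VLAN2 interface: packets from the terminal
    server bound for non-internal destinations get next hop 192.168.100.253 (ASA);
    everything else follows the normal routing table."""
    if src == "192.168.100.23" and not any(ip_address(dst) in n for n in INTERNAL):
        return "192.168.100.253"
    return lookup(RIB_4506, dst)

def reply_path(server_gw, asa_rib, pc="10.110.250.10"):
    """Follow the server's reply to the main-office PC hop by hop, stopping once it
    leaves the devices modelled here (the 3850 at 192.168.99.1 and the Internet)."""
    devices = {"192.168.100.254": RIB_4506, "192.168.100.253": asa_rib}
    hops, next_hop = [server_gw], server_gw
    while next_hop in devices:
        next_hop = lookup(devices[next_hop], pc)
        hops.append(next_hop)
    return hops

if __name__ == "__main__":
    print("gateway .254            :", reply_path("192.168.100.254", RIB_ASA_BEFORE))
    print("gateway .253, no return :", reply_path("192.168.100.253", RIB_ASA_BEFORE))
    print("gateway .253, with route:", reply_path("192.168.100.253", RIB_ASA_AFTER))
    print("PBR, server -> 8.8.8.8  :", pbr_4506("192.168.100.23", "8.8.8.8"))
```

With the ASA as gateway and no return route, the reply follows the ASA's default towards the Internet and never reaches the main office; with the return route it hairpins through 192.168.100.254 on the same VLAN, which is why the ICMP redirect remark above matters.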
Thanks for the points, but what was the problem?