mlederman
asked on
Routing VLANs to different firewalls on a catalyst 3750
My network core is a Catalyst 3750 (SMI) using a series of VLANs. We have a pair of firewalls going to two different ISPs. Right now, the 3750 is the default route for all hosts and then the primary PIX is the default route for the 3750. I'd like to set one VLAN to use the secondary firewall as its default route instead of the PIX, but without having to change the local routes on the hosts.
Here is my network:
VLAN1 - 192.168.1.0
VLAN2 - 192.168.2.0
VLAN3 - 192.168.3.0
Core Switch - 192.168.1.254
Primary PIX - 192.168.1.253 (primary ISP)
Secondary firewall - 192.168.1.252
I'd like 192.168.1.253 to still be the primary default route, but allow some VLANs to point to 192.168.1.252
I tried this so far:
ip access-list extended failovert1
permit tcp 192.168.2.0 0.0.0.255 any
route-map verizont1 permit 10
match ip address failovert1
set ip next-hop 192.168.1.252
interface vlan 2
ip policy route-map verizont1
But it doesn't work; all VLAN2 traffic still goes out the primary link. What did I miss?
ASKER
SDM template is "desktop default". Is that the same thing?
If it's not, how will that affect the rest of the switch operations, including VOIP?
I fixed the line to be "set ip default next-hop 192.168.1.252" and no luck. I did notice that the VLAN config on a sh run doesn't indicate the route-map policy at all.
ASKER CERTIFIED SOLUTION
Pretty sure the SDM template also needs to be "desktop routing". At least it does for a 3560 switch.
conf t
sdm prefer routing <--reload after changing this setting
The SDM template simply allocates more memory to routing so it shouldn't negatively affect your VoIP. Worst case, change it back to "desktop default" if you experience any issues (sdm prefer desktop).
conf t
sdm prefer routing <--requires a reboot
Also, the set command should be "set ip default next-hop 192.168.1.252".
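A complete configuration for the topology in the question, added here as an example rather than taken from the thread: it follows the accepted answer (routing SDM template plus "set ip default next-hop") and additionally matches all IP traffic from VLAN2 instead of only TCP. The SVI address 192.168.2.254 and the ACL/route-map names are assumptions.

```cisco
! Added example, not the asker's or the answerer's config.
! Addresses follow the question; names and the Vlan2 SVI address are assumed.
!
! 1. PBR on a 3750/3560 needs the routing SDM template and a reload.
sdm prefer routing
! (write memory, reload, then continue with the rest)
!
ip routing
! Normal default route for every VLAN still points at the primary PIX.
ip route 0.0.0.0 0.0.0.0 192.168.1.253
!
! 2. Match ALL IP traffic from VLAN2. The original "permit tcp" leaves
!    UDP and ICMP (DNS, ping, VoIP media) on the primary path.
!    Traffic to the other internal subnets is denied explicitly so it is
!    never policy-routed, even if "default" is later dropped from the set.
ip access-list extended VLAN2-TO-SECONDARY
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! 3. "set ip default next-hop" only overrides packets that have no more
!    specific route, so connected/inter-VLAN routes still win and only
!    Internet-bound traffic is sent to the secondary firewall.
route-map VLAN2-SECONDARY-FW permit 10
 match ip address VLAN2-TO-SECONDARY
 set ip default next-hop 192.168.1.252
!
! 4. Apply the policy on the VLAN2 SVI. "show run" must now list the
!    policy under the interface; if it is silently missing, the SDM
!    template is still not "routing" or the switch has not been reloaded.
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip policy route-map VLAN2-SECONDARY-FW
!
! Verification from exec mode:
!   show sdm prefer                      -> current template must be routing
!   show ip policy                       -> Vlan2 mapped to VLAN2-SECONDARY-FW
!   show route-map VLAN2-SECONDARY-FW    -> "Policy routing matches" counter grows
!   traceroute from a VLAN2 host         -> hop 1 192.168.2.254, hop 2 192.168.1.252
```

The deny line also keeps VLAN2-to-VLAN1/VLAN3 traffic off the firewall if someone later switches the policy to the plain "set ip next-hop" form.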