dbjohnso_il
asked on
3750 + Pix + ASA + route-map problems
Ok some background - very basic info
VLAN1 - 10.0.1.254 (building 1 users)
VLAN10 - 10.0.0.254 (Core Lan)
Lan Segments
ge1/0/1 - Trunk coming from local sites (10.0.0.0/24) (all vlans allowed)
ge1/0/2 - Trunk coming from building 1 (10.0.1.0/24) (all vlans allowed)
Wan Segments
ge1/0/10 - link to ASA-1 (10.0.1.253/24)
ge1/0/11 - link to PIX (10.0.0.253/24)
ip route 0.0.0.0 0.0.0.0 10.0.0.253 (Default route to pix)
The information above works .. 10.0.1.0 and 10.0.0.0 are accessible to each other and
each vlan defaults to the PIX and all is good.
Also devices @ Building 1 have a default gateway set as 10.0.1.254 (which is on the core switch) and devices on the 10.0.0.0 network have a default gateway set as 10.0.0.254 which is also on the core switch.
If I try and add a route-map so I can re-route PC traffic from Building 1 to a separate internet provider I am failing and am not sure why ...
Lines below added to try and accomplish route-map
access-list 101 permit ip 10.0.1.0 0.0.0.255 any   <-- Building 1 nodes
route-map ASA1 permit 10
 match ip address 101
 set ip next-hop 10.0.1.253   <-- route to ASA-1
interface vlan1
 ip policy route-map ASA1
After adding this the traffic SOURCED from 10.0.1.0 DOES get re-routed to 10.0.1.253(ASA1) however the switch also seems to route the traffic that was already LOCAL to the 3750.
So even though there is a directly connected route on the 3750 to the 10.0.0.0/24 lan segments the 3750 appears to route ALL traffic coming from 10.0.1.0 (Building 1) to the ASA1 (due to the ANY ?? in the access-list) which results in traffic that WAS coming from 10.0.1.0 and going to 10.0.0.0 routing through the ASA1 device which is not desired at all :(
I had thought that the process on the 3750 was that if the destination was local(connected) to the switch it would not even get to the point of the route-map clause ?? It appears I am not correct in this assumption.
So my question is can I accomplish my goal of routing JUST non local traffic from Building 1 to ASA1 while still allowing traffic between 10.0.1.0 and 10.0.0.0 to be handled at the Core switch (3750)? If yes any help is definitely appreciated because I have found a few articles online here that go over this scenario but it does not appear to work for me.
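The behaviour described in the question follows from how IOS evaluates policy routing: the route-map is consulted before the routing table, and an ACL ending in `any` permits every packet from 10.0.1.0/24, so the connected route to 10.0.0.0/24 never gets a say. The model below is an added example, not code from the thread or from Cisco: it is a small Python simulation of wildcard-mask ACL matching, route-map sequence evaluation and a longest-prefix routing lookup, using the addresses from the post. The "fixed" ACL it compares against is an assumption, the standard technique of placing a `deny` for the locally routed destination ahead of the `permit ... any`, which is consistent with the accepted answer's remark that such packets "just won't meet the criteria to be routed to the next hop".

```python
import ipaddress

# Constructed model of the topology in the post (addresses taken from the question).
# next_hop None = directly connected subnet, reached without any next hop.
ROUTING_TABLE = [
    (ipaddress.ip_network("10.0.1.0/24"), None),          # VLAN1, Building 1
    (ipaddress.ip_network("10.0.0.0/24"), None),          # VLAN10, Core LAN
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.0.253"),    # ip route 0.0.0.0 0.0.0.0 10.0.0.253 (PIX)
]

# The asker's ACL:  access-list 101 permit ip 10.0.1.0 0.0.0.255 any
# Entries are (action, src, src_wildcard, dst, dst_wildcard).
ACL_ORIGINAL = [
    ("permit", "10.0.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# Assumed fix (not shown on the page): deny the locally routed destination first, so those
# packets fail the route-map match and are forwarded by the routing table instead.
#   access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
#   access-list 101 permit ip 10.0.1.0 0.0.0.255 any
ACL_FIXED = [
    ("deny",   "10.0.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "10.0.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# route-map ASA1 permit 10 / match ip address 101 / set ip next-hop 10.0.1.253
ROUTE_MAP_ASA1 = [("permit", "101", "10.0.1.253")]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(network)) & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; no match is the implicit deny at the end of every ACL."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def rib_lookup(dst):
    """Longest-prefix match in the routing table; 'connected' when no next hop is needed."""
    d = ipaddress.ip_address(dst)
    _, next_hop = max(((n, nh) for n, nh in ROUTING_TABLE if d in n), key=lambda e: e[0].prefixlen)
    return next_hop or "connected"


def policy_route(route_map, acls, src, dst):
    """PBR evaluation: the first route-map sequence whose match ACL *permits* the packet is used.
    A permit sequence applies its set next-hop; a deny sequence, an ACL deny, or no match at all
    means the packet is forwarded normally by the routing table."""
    for action, acl_name, next_hop in route_map:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            if action == "permit":
                return ("pbr", next_hop)
            break
    return ("rib", rib_lookup(dst))


def forward_from_vlan1(acl_101, src, dst):
    """Forwarding decision for a packet entering interface vlan1 (ip policy route-map ASA1)."""
    return policy_route(ROUTE_MAP_ASA1, {"101": acl_101}, src, dst)


if __name__ == "__main__":
    # 198.51.100.10 is a documentation-range address standing in for "the Internet".
    for label, acl in (("original ACL", ACL_ORIGINAL), ("fixed ACL", ACL_FIXED)):
        for dst in ("10.0.0.50", "198.51.100.10"):
            print(label, "10.0.1.20 ->", dst, forward_from_vlan1(acl, "10.0.1.20", dst))
```

With the original ACL a packet from 10.0.1.20 to 10.0.0.50 is sent to 10.0.1.253, which is exactly the unwanted detour through the ASA; with the deny entry in front it drops out of the route-map and is delivered over the connected 10.0.0.0/24 route, while Internet-bound traffic still takes the ASA. Each additional subnet that the 3750 should keep routing itself needs its own deny line ahead of the catch-all permit, and the order of the entries is what makes it work.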
ASKER CERTIFIED SOLUTION
No, the packets won't get dropped at all, they just won't meet the criteria to be routed to the next hop.
ASKER
Perfect solution!
Worked like a charm! Monitored the switch processor util and barely saw a hit which was one thing I was worried about!
Thanks a ton!
ASKER
Once my users are gone in 3 hours I'll be able to try in either case.