
Alternative to Policy Based Routing

I'm looking for a design alternative to the way I currently have my network designed. We have two data centers, in two different buildings, connected via fiber. Each data center has a layer 3 switch, firewall, and internet connection. Our first data center has a T1, with whom we host our DNS zone file, MX record, etc. At the second data center, we have a Comcast business class cable connection. We run EIGRP on the network. The default route sends all internet traffic out the Comcast cable connection at the second data center. I've set up a Policy Based Route on the 3750 layer 3 switch at the first data center. This policy looks for traffic sourced from an IIS server and an Exchange server, and sets the next hop to the inside interface of the firewall at the first data center. The reason for this is to return traffic out to the internet using the same route the request came in on, because these two servers are hosting OWA and a web site.

The PBR on the 3750 is applied to the VLAN interface that my servers are behind. This PBR is killing my switch. I've been up and down the issue with consultants and Cisco TAC. There is essentially no answer. Because of the performance hit the CPU is taking, the ping times to all servers in that VLAN are terrible, sometimes jumping above 25ms.

I'm trying to figure out what my best option is to remedy this problem. Here are the options I'm thinking about:

- Inserting a router in front of the 3750 to handle the routing
- Possibly moving the servers that host services on the T1 to a separate VLAN. If so, am I still required to use PBR to get around the default route on the network?
- Can I set the next hop for all servers behind the affected VLAN interface to use the T1, without using PBR?
- Install a new layer 3 switch dedicated to only the servers
- Could a reverse proxy server in the DMZ solve the issue?
Attachment: New.jpg

Asked: bluespringsit
1 Solution

mikebernhardt commented:
- Possibly moving the servers that host services on the T1 to a separate VLAN. If so, am I still required to use PBR to get around the default route on the network?
      Yes, because the same switch would be handling the routing.
- Can I set the next hop for all servers behind the affected VLAN interface to use the T1, without using PBR?
      No, PBR is the only option in this topology.
- Install a new layer 3 switch dedicated to only the servers
      No different than adding a router except that the switch is not optimized for PBR.

You have 2 options in my opinion.
1. If you have an extra interface on the ASA, hang the VLAN directly off of it. I assume that it is not running EIGRP. If it is, I would suggest using static routes anyway on your firewalls if possible.
2. Get a router with 2 ethernet interfaces. Plug one into Vlan 110 and one into the VLAN to the ASA. Let it run EIGRP, but give it a static default route pointing to the ASA. Whichever servers need to go out the T1, point their default gateway to the router. Now they will always use the T1 without PBR.

mikebernhardt commented:
> and one into the VLAN to the ASA.
  If you have a Layer 3 interface between the 3750 and the ASA right now, you will have to change this to a VLAN on the switch and possibly change the mask so that the router can be put in there too.
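The router design from option 2, together with the follow-up note about putting the router into the VLAN shared with the ASA, written out as an added example IOS configuration. This is not configuration from the thread or its author; the hostname, interface names, addresses, transit VLAN mask and EIGRP AS number are assumed placeholders, and only VLAN 110 comes from the answer.

```cisco
! Added example (not from the thread): hypothetical router config for the
! "router with 2 ethernet interfaces" design. All addresses, interface names,
! the transit VLAN mask and the EIGRP AS are constructed placeholders.
hostname T1-EDGE-RTR
!
! Interface in the server VLAN (VLAN 110). The IIS and Exchange servers that
! must answer via the T1 use this address as their default gateway; the other
! servers keep the 3750 SVI as their gateway and still leave via Comcast.
interface GigabitEthernet0/0
 description Server VLAN 110
 ip address 10.110.0.2 255.255.255.0
!
! Interface in the VLAN shared with the 3750 and the ASA inside interface
! (the former point-to-point L3 link re-addressed as a VLAN with a wider mask
! so that a third device fits, as the follow-up comment describes).
interface GigabitEthernet0/1
 description Transit VLAN to ASA inside (10.255.1.1) and 3750 (10.255.1.2)
 ip address 10.255.1.3 255.255.255.248
!
! EIGRP so the router learns every internal prefix, including the second
! data center, from the 3750. No servers speak EIGRP, so VLAN 110 is passive.
router eigrp 100
 network 10.110.0.0 0.0.0.255
 network 10.255.1.0 0.0.0.7
 passive-interface GigabitEthernet0/0
 no auto-summary
!
! Static default (AD 1) toward the ASA at the first data center. It is
! preferred over any default the 3750 advertises through EIGRP (AD 90
! internal / 170 external), so traffic from the servers that is not for an
! internal prefix returns through the same firewall the request arrived on,
! and the Comcast firewall never sees half of a session. No PBR involved.
ip route 0.0.0.0 0.0.0.0 10.255.1.1
!
! Deliberately no "redistribute static" under router eigrp: the 3750 must not
! learn this default, or the rest of the network would follow it to the T1.
```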