Supernet routing

NetworkA /16

NetworkB /16

I need to have all PCs on NetworkB to go to a default gateway at while NetworkA uses the gateway of  RouterB will pass all traffic from NetworkB to NetworkA’s router at

I’m doing this so that I can use DHCP to ‘tag’ user computers that I want to filter/monitor internet activity on.  Most users are assigned an IP like, while those suspected of abusing Internet privileges will get an IP addr like  The main router at handles mapping our internal IPs to the proxy server and the router at will simply add an extra step so that I can monitor traffic on that super-net.  I will use DHCP reservations to assign the 10.10.98.x addresses and change the default gateway form to

Is this scenario doable and can anyone point me in the right direction?
The router I have available is Cisco's ASA 5505.  

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Perhaps a diagram would be useful to illustrate how these networks work together sharing a /16 across two networks.

N5EMXAuthor Commented:
changing the default gateway via a dhcp change means waiting for at least 50% of the lease time for the change to be made, apart from that it seems simple enough. If you traffic monitor box can forward packets, you don't even need routerB, just set the traffic monitoring box as the default gateway.

However, I might do the design slightly differently.

If you split monitoring and filtering into two boxes, or put the filter onto the proxy server, you could then run the monitor on a "span" or "monitor" port on your internal switch and monitor all traffic all of the time and have all traffic go through the filter all of the time.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

N5EMXAuthor Commented:
The problem I'm running into is that I cannot make any changes to the default gateway.  My corporate IT personnel own that box and I can only change what is behind that box.  The idea of using some device to segregate a subset of our network so it can be filtered before it gets to the default router is my issue.  The filter box works by sending a block page to the user, but the default gateway is blocking the block page.  I essentially need to add the filter box in the middle between the subset of private IP addresses and the default gateway that routes out to our single public IP.  

The traffic monitor/filter is a win2008 server and I'm not familiar with routing using this OS.  The last time I tried I only managed to get the server to compete with the default gateway and the network traffic ground to halt.  I only want to add this additional step to the 10.10.98.x ip range, the rest of the network works fine and I will force a DHCP renewal on the computers that will be monitored.

This doesn't make any sense to me.   You say you have two networks (A & B) yet your diagram shows you have SIX networks (counting the Internet section).

You only need one Router and there is no point in a "Traffic Monitor/Filter" machine when you already have a Proxy server that already does all of that.

Do this:
Do your monitoring/blocking/whatever by using the proxy for that,...that is what proxys do.
N5EMXAuthor Commented:
Our proxy doesn't give us the granularity of denial that we need.  UserSetA only need to look at WebPageSetA and UserSetB to look at WebPageSetB.  We are trying to deploy Websense WebFilter so that we can have a white list per user, but our configuration is not allowing the filtering server to send its block page to prevent users from surfing outside of their range.
You may need to verify your attempts with how Websense intends for you to use their product,...but the Websense product would sit on a machine that is plugged into the "Network A" Switch shown in my diagram.

I don't use Websense myself,..but if it behaves as "its own proxy" then all the Users will have to use WebSense as their proxy instead of your real proxy,...then websense would then you your real proxy as an "Upstream Proxy" in what is called a "Proxy Chaining" operation.

If you don't do it correctly you would end up with an infinite proxy chain loop where the users go to the proxy,..then websense,...then back to the proxy,...then back to websense,...,...then back to the proxy,...then back to websense,...,...then back to the proxy,...then back to websense.

Some of the Websense products are specially written for the proxy you actually use and they install on the proxy machine as a "plug-in" to the proxy you are using.
N5EMXAuthor Commented:
Good suggestions, but no concrete solution to my original question.  Will seek a consultant that can come onsite to asses my needs and show me how to approach this.
I could probably do more, but I just don't know enough about Websense specifically as a product.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.