Solved

Can I have a different default route for a specific VLAN

Posted on 2014-02-27
Last Modified: 2014-03-08
We have a core switch with layer 3 and multiple VLANs.  The default route is set for our firewall.  I would like to test another firewall device, but only on a specific VLAN.  Let's say we have 3 VLANs...

VLAN 1 10.0.10.0
VLAN 2 10.0.20.0
VLAN 3 10.0.30.0

In our core switch config, the default route is specified like this...

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

Is there a way that I can have a different default route for VLAN 3 so that traffic bound for the internet would go to 10.0.10.3 (a second firewall)?
Question by:bpl5000
LVL 11

Expert Comment

by:BillBondo
ID: 39891818
Maybe you could set a specific ip say msn.com to use the second firewall?

Like ip route "msn.com" 255.255.255.255 second firewall?
 
LVL 5

Author Comment

by:bpl5000
ID: 39891840
No, I need all outbound traffic to go to 10.0.10.3 for VLAN 3.
 
LVL 5

Author Comment

by:bpl5000
ID: 39892421
I think we could use VRF lite, but it seems more involved than it needs to be. Maybe it would be better to set up an access list on the 1st firewall that redirects VLAN 3 to the 2nd firewall.

We already have WCCP redirecting port 80 & 443 to a web filter.  I suppose we could use WCCP on the 1st firewall to redirect traffic to our 2nd firewall.

It just seems like there should be an easy way to do this on our core switch.  I would think you could have a default route, but then have a different default route for a specific VLAN.
 
LVL 26

Accepted Solution

by:Soulja (earned 500 total points)
ID: 39895461
First:

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

This isn't redundant. ip default-gateway is only used when the switch is in layer 2 mode, so in your case you can remove the command. All you need is the second command.

Second:
To accomplish your goal, you need to use policy routing. This will match your source address and set the next hop. Here is a configuration example you can use:

ip access-list extended vlan3internet
deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 any

route-map NEW_FW permit 10
    match ip address vlan3internet
    set ip next-hop 10.0.10.3

Then

Interface VLAN 3
ip policy route-map NEW_FW
 
LVL 5

Author Comment

by:bpl5000
ID: 39897328
Thanks Soulja!  So currently our vlan 3's config looks like this...

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   exit

So after configuring policy based routing, I'm guessing it should look like this?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit


Now we actually have 41 VLANs.  I used 3 as an example just to keep it simple, but I'm wondering if the access list could look like this?

ip access-list extended vlan3internet
permit ip 10.0.30.0 0.0.0.255 any
deny any any
 
LVL 26

Expert Comment

by:Soulja
ID: 39897355
No, the access-list has to deny the other vlans. If not, anytime vlan 3 needs to communicate with the other vlans, it will get route mapped and sent to your new firewall instead of to the vlan interface of the other vlan. Thus your vlan communication from vlan 3 to other vlans would be broken.
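As an added illustration (not code from the thread or from either poster), a small Python model of the accepted answer's ACL plus route-map: it generates the deny-other-VLANs / permit-any list for any number of VLANs (the 41-VLAN case raised above) and evaluates packets against it the way the switch would, which shows why the shorter permit / deny any any list sends VLAN-to-VLAN traffic to the second firewall. The VLAN subnets and host addresses are constructed; the ACL's 10.0.30.0/24 is used for VLAN 3 even though the posted interface config shows a /23 mask (255.255.254.0), which a practitioner would want to reconcile before deploying.

```python
import ipaddress

# Constructed VLAN table from the thread's three-VLAN example (assumption: /24 each,
# matching the ACL wildcard 0.0.0.255 rather than the /23 shown on the VLAN 3 interface).
VLANS = {1: "10.0.10.0/24", 2: "10.0.20.0/24", 3: "10.0.30.0/24"}


def build_vlan_acl(source_vlan, vlans):
    """Extended ACL in the accepted answer's shape: deny source VLAN -> every other
    VLAN, then permit source VLAN -> any. Works for 3 VLANs or 41."""
    src = vlans[source_vlan]
    entries = [("deny", src, dst) for vid, dst in sorted(vlans.items()) if vid != source_vlan]
    entries.append(("permit", src, "0.0.0.0/0"))
    return entries


def acl_text(entries):
    """Render entries as IOS-style lines (network + wildcard mask, 'any' for 0.0.0.0/0)."""
    def wc(net):
        n = ipaddress.ip_network(net)
        return f"{n.network_address} {n.hostmask}" if n.prefixlen else "any"
    return [f"{act} ip {wc(s)} {wc(d)}" for act, s, d in entries]


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation of the ACL with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, sn, dn in entries:
        if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn):
            return action == "permit"
    return False


def next_hop(entries, src_ip, dst_ip, pbr_hop="10.0.10.3", default_hop="10.0.10.2", vlans=VLANS):
    """Route-map NEW_FW semantics: an ACL permit sets the next hop to the second firewall;
    otherwise normal routing applies (connected VLAN interface, else the default route)."""
    if acl_permits(entries, src_ip, dst_ip):
        return pbr_hop
    d = ipaddress.ip_address(dst_ip)
    for vid, net in vlans.items():
        if d in ipaddress.ip_network(net):
            return f"connected vlan {vid}"
    return default_hop


# The shorter list proposed in the thread: permit VLAN 3 -> any, then deny any any.
SHORT_ACL = [("permit", "10.0.30.0/24", "0.0.0.0/0"), ("deny", "0.0.0.0/0", "0.0.0.0/0")]

if __name__ == "__main__":
    full = build_vlan_acl(3, VLANS)
    print("\n".join(acl_text(full)))
    print(next_hop(full, "10.0.30.5", "10.0.20.7"))       # stays on the switch
    print(next_hop(SHORT_ACL, "10.0.30.5", "10.0.20.7"))  # wrongly goes to 10.0.10.3
```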
 
LVL 5

Author Comment

by:bpl5000
ID: 39897396
Ok, glad I have you to advise me!!!  So I will need to have deny statements for the other 40 VLANs.  What about VLAN 3's config?  Is this how it should look?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit
 
LVL 26

Expert Comment

by:Soulja
ID: 39897401
Yes that is how it should look.  Test it out and let me know.
 
LVL 5

Author Comment

by:bpl5000
ID: 39915067
Sorry for not replying... I got sidetracked at work and have not yet set up the second firewall.  I'm going to close out the question, and if I have any issues, I'll open another question.  Thank you so much for all the help... it is greatly appreciated!!!