Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2223
  • Last Modified:

Can I have a different default route for a specific VLAN

We have a core switch with layer 3 and multiple VLANs.  The default route is set for our firewall.  I would like to test another firewall device, but only on a specific VLAN.  Let's say we have 3 VLANs...

VLAN 1 10.0.10.0
VLAN 2 10.0.20.0
VLAN 3 10.0.30.0

In our core switch config, the default route is specified like this...

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

Is there a way that I can have a different default route for VLAN 3 so that traffic bound for the internet would go to 10.0.10.3 (a second firewall)?
0
bpl5000
Asked:
bpl5000
  • 5
  • 3
1 Solution
 
BillBondoCommented:
Maybe you could set a specific ip say msn.com to use the second firewall?

Like ip route "msn.com" 255.255.255.255 second firewall?
0
 
bpl5000Author Commented:
No, I need all outbound traffic to go to 10.0.10.3 for VLAN 3.
0
 
bpl5000Author Commented:
I think we could use VRF lite, but it's seems more involved then what it needs to be. Maybe it would be better to setup an access list on the 1st firewall that redirects VLAN 3 to the 2nd firewall.

We already have WCCP redirecting port 80 & 443 to a web filter.  I suppose we could use WCCP on the 1st firewall to redirect traffic to our 2nd firewall.

It just seems like there should be an easy way to do this on our core switch.  I would think you could have a default route, but then have a different default route for a specific VLAN.
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
SouljaCommented:
First:

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

This isn't redundant. Ip Default gateway is only used when the switch is in layer 2 mode, so in your case you can remove the command. All you need is the second command.

Second:
To accomplish your goaL, you need to use policy routing. This will match your source address and set the next hop. Here is a configuration example you can use:

ip access-list extended vlan3internet
deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 any

route-map NEW_FW permit 10
    match ip address vlan3internet
    set ip next-hop 10.0.10.3

Then

Interface VLAN 3
ip policy route-map NEW_FW
0
 
bpl5000Author Commented:
Thanks Soulja!  So currently our vlan 3's config looks like this...

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   exit

So after configuring policy based routing, I'm guessing it should look like this?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit


Now we actually have 41 VLANs.  I used 3 as an example just to keep it simple, but I'm wondering if the access list could look like this?

ip access-list extended vlan3internet
permit ip 10.0.30.0 0.0.0.255 any
deny any any
0
 
SouljaCommented:
No, the access-list has to deny the other vlans. If not, anytime vlan 3 needs to communicate with the other vlans, it will get route mapped and sent to your new firewall instead of to the vlan interface of the other vlan. Thus your vlan communication from vlan 3 to other vlans would be broken.
0
 
bpl5000Author Commented:
Ok, glad I have you to advise me!!!  So I will need to have deny statements for the other 40 VLANs.  What about VLAN 3's config?  Is this how it should look?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit
0
 
SouljaCommented:
Yes that is how it should look.  Test it out and let me know.
0
 
bpl5000Author Commented:
Sorry for not replying... I got sidetracked at work and have not yet setup the second firewall.  I'm going to close out the question, and if I have any issues, I'll open another question.  Thank you so much for all the help... it is greatly appreciated!!!
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now