Solved

Can I have a different default route for a specific VLAN

Posted on 2014-02-27
1,632 Views
Last Modified: 2014-03-08
We have a core switch with layer 3 and multiple VLANs.  The default route is set for our firewall.  I would like to test another firewall device, but only on a specific VLAN.  Let's say we have 3 VLANs...

VLAN 1 10.0.10.0
VLAN 2 10.0.20.0
VLAN 3 10.0.30.0

In our core switch config, the default route is specified like this...

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

Is there a way that I can have a different default route for VLAN 3 so that traffic bound for the internet would go to 10.0.10.3 (a second firewall)?
Question by:bpl5000
9 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 39891818
Maybe you could set a specific ip say msn.com to use the second firewall?

Like ip route "msn.com" 255.255.255.255 second firewall?
LVL 5

Author Comment

by:bpl5000
ID: 39891840
No, I need all outbound traffic to go to 10.0.10.3 for VLAN 3.
LVL 5

Author Comment

by:bpl5000
ID: 39892421
I think we could use VRF lite, but it seems more involved than it needs to be. Maybe it would be better to set up an access list on the 1st firewall that redirects VLAN 3 to the 2nd firewall.

We already have WCCP redirecting ports 80 & 443 to a web filter.  I suppose we could use WCCP on the 1st firewall to redirect traffic to our 2nd firewall.

It just seems like there should be an easy way to do this on our core switch.  I would think you could have a default route, but then have a different default route for a specific VLAN.
LVL 26

Accepted Solution

by:Soulja (earned 500 total points)
ID: 39895461
First:

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

This isn't redundant. ip default-gateway is only used when the switch is in layer 2 mode, so in your case you can remove the command. All you need is the second command.

Second:
To accomplish your goal, you need to use policy routing. This will match your source address and set the next hop. Here is a configuration example you can use:

ip access-list extended vlan3internet
 deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 any

route-map NEW_FW permit 10
 match ip address vlan3internet
 set ip next-hop 10.0.10.3

Then

interface Vlan3
 ip policy route-map NEW_FW
LVL 5

Author Comment

by:bpl5000
ID: 39897328
Thanks Soulja!  So currently our vlan 3's config looks like this...

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   exit

So after configuring policy based routing, I'm guessing it should look like this?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit


Now we actually have 41 VLANs.  I used 3 as an example just to keep it simple, but I'm wondering if the access list could look like this?

ip access-list extended vlan3internet
 permit ip 10.0.30.0 0.0.0.255 any
 deny ip any any
LVL 26

Expert Comment

by:Soulja
ID: 39897355
No, the access-list has to deny the other vlans. If not, anytime vlan 3 needs to communicate with the other vlans, it will get route mapped and sent to your new firewall instead of to the vlan interface of the other vlan. Thus your vlan communication from vlan 3 to other vlans would be broken.
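
The forwarding logic behind the accepted answer and behind this comment (why the deny lines must come before the permit), as an added example that is not code from the thread. It models how PBR is evaluated on the VLAN 3 interface: the ACL is checked first, a permit forces the route-map's next hop, and a deny or a miss falls back to ordinary routing. The VLAN table inside it is a constructed assumption (a few VLANs in the question's 10.0.X.0 numbering, not the real 41), and the two firewall addresses are the ones named in the question. Two things a reader should check before pasting the answer's config: the ACL there uses a 0.0.0.255 wildcard, but the VLAN 3 interface posted later in the thread is 10.0.30.1 255.255.254.0, a /23, so hosts in 10.0.31.0-10.0.31.255 would not be matched and would keep using the old firewall; the helper below derives the wildcard from the configured mask instead. Also, the answer's ACL and route-map syntax is Cisco IOS style, while the vlan 3 / untagged K1-K2 syntax in the poster's own config comes from a different CLI, so the exact command for attaching a route-map to the VLAN interface should be confirmed against that platform's documentation.

```python
"""Model of the policy-based routing (PBR) setup from the accepted answer.

Added example, not code from the thread. The VLAN table is constructed
(assumption: one subnet per VLAN in the question's 10.0.X.0 numbering);
the firewall addresses are the two given in the question.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed VLAN table (assumption). The poster's switch really has 41
# VLANs, and VLAN 3 is 10.0.30.1 255.255.254.0, i.e. a /23, so entry 3
# carries that mask and the generated wildcard covers the whole subnet.
VLANS = {
    1: IPv4Network("10.0.10.0/24"),
    2: IPv4Network("10.0.20.0/24"),
    3: IPv4Network("10.0.30.0/23"),
    4: IPv4Network("10.0.40.0/24"),
}
OLD_FW = "10.0.10.2"  # next hop of the existing default route
NEW_FW = "10.0.10.3"  # next hop the route-map sets for VLAN 3
ALL_ONES = int(IPv4Address("255.255.255.255"))


def wildcard(net: IPv4Network) -> str:
    """IOS wildcard mask: the bitwise inverse of the subnet mask."""
    return str(net.hostmask)


def build_acl(name: str, source_vlan: int, vlans: dict) -> list:
    """Extended ACL that matches source_vlan -> Internet only.

    Every other VLAN is denied before the final permit, so inter-VLAN
    traffic is not policy-routed and keeps using the connected routes.
    """
    src = vlans[source_vlan]
    lines = [f"ip access-list extended {name}"]
    for vid, net in sorted(vlans.items()):
        if vid != source_vlan:
            lines.append(f" deny ip {src.network_address} {wildcard(src)} "
                         f"{net.network_address} {wildcard(net)}")
    lines.append(f" permit ip {src.network_address} {wildcard(src)} any")
    return lines


def naive_acl(name: str, source_vlan: int, vlans: dict) -> list:
    """The shortcut proposed in the thread: a single permit, no denies."""
    src = vlans[source_vlan]
    return [f"ip access-list extended {name}",
            f" permit ip {src.network_address} {wildcard(src)} any"]


def _parse_spec(tokens: list, i: int):
    """Read 'any' or '<address> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    netmask = IPv4Address(ALL_ONES ^ int(IPv4Address(tokens[i + 1])))
    return IPv4Network(f"{tokens[i]}/{netmask}"), i + 2


def acl_permits(acl_lines: list, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation of an extended ACL; a miss is an implicit deny."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for line in acl_lines:
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue  # the 'ip access-list extended <name>' header
        s_net, i = _parse_spec(tokens, 2)  # tokens[1] is the protocol 'ip'
        d_net, _ = _parse_spec(tokens, i)
        if src in s_net and dst in d_net:
            return tokens[0] == "permit"
    return False


def next_hop(acl_lines: list, src_ip: str, dst_ip: str, vlans: dict = VLANS) -> str:
    """Forwarding decision for a packet entering the SVI that carries the policy.

    PBR runs before the routing table: an ACL permit forces the route-map's
    next hop. A deny or a miss falls through to normal routing, which here is
    either a directly connected VLAN or the default route to the old firewall.
    """
    if acl_permits(acl_lines, src_ip, dst_ip):
        return NEW_FW
    dst = IPv4Address(dst_ip)
    if any(dst in net for net in vlans.values()):
        return "connected"
    return OLD_FW


if __name__ == "__main__":
    strict = build_acl("vlan3internet", 3, VLANS)
    loose = naive_acl("vlan3internet", 3, VLANS)
    print("\n".join(strict))
    for acl, label in ((strict, "with denies"), (loose, "permit only")):
        print(label, "| VLAN3 -> VLAN2:", next_hop(acl, "10.0.31.9", "10.0.20.7"),
              "| VLAN3 -> Internet:", next_hop(acl, "10.0.31.9", "198.51.100.1"))
```

Running it prints the generated ACL and then shows the difference the denies make: with them, a VLAN 3 host reaching VLAN 2 stays on the connected route and only Internet-bound traffic goes to 10.0.10.3; with the single-permit version, the inter-VLAN packet is also handed to the new firewall, which is the breakage described above. The 10.0.31.9 source is deliberately in the upper half of the /23 to show that a 0.0.0.255 wildcard would have missed it.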
LVL 5

Author Comment

by:bpl5000
ID: 39897396
Ok, glad I have you to advise me!!!  So I will need to have deny statements for the other 40 VLANs.  What about VLAN 3's config?  Is this how it should look?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit
LVL 26

Expert Comment

by:Soulja
ID: 39897401
Yes that is how it should look.  Test it out and let me know.
LVL 5

Author Comment

by:bpl5000
ID: 39915067
Sorry for not replying... I got sidetracked at work and have not yet setup the second firewall.  I'm going to close out the question, and if I have any issues, I'll open another question.  Thank you so much for all the help... it is greatly appreciated!!!