Can I have a different default route for a specific VLAN

Posted on 2014-02-27
1,935 Views
Last Modified: 2014-03-08
We have a core switch with layer 3 and multiple VLANs.  The default route is set for our firewall.  I would like to test another firewall device, but only on a specific VLAN.  Let's say we have 3 VLANs...

VLAN 1 10.0.10.0
VLAN 2 10.0.20.0
VLAN 3 10.0.30.0

In our core switch config, the default route is specified like this...

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

Is there a way that I can have a different default route for VLAN 3 so that traffic bound for the internet would go to 10.0.10.3 (a second firewall)?
Question by:bpl5000
9 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 39891818
Maybe you could set a specific ip say msn.com to use the second firewall?

Like ip route "msn.com" 255.255.255.255 second firewall?
 
LVL 5

Author Comment

by:bpl5000
ID: 39891840
No, I need all outbound traffic to go to 10.0.10.3 for VLAN 3.
 
LVL 5

Author Comment

by:bpl5000
ID: 39892421
I think we could use VRF lite, but it seems more involved than it needs to be. Maybe it would be better to set up an access list on the 1st firewall that redirects VLAN 3 to the 2nd firewall.

We already have WCCP redirecting port 80 & 443 to a web filter.  I suppose we could use WCCP on the 1st firewall to redirect traffic to our 2nd firewall.

It just seems like there should be an easy way to do this on our core switch.  I would think you could have a default route, but then have a different default route for a specific VLAN.
 
LVL 26

Accepted Solution

by:Soulja (earned 2000 total points)
ID: 39895461
First:

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

This isn't redundant. ip default-gateway is only used when the switch is in layer 2 mode, so in your case you can remove the command. All you need is the second command.

Second:
To accomplish your goal, you need to use policy routing. This will match your source address and set the next hop. Here is a configuration example you can use:

ip access-list extended vlan3internet
deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 any

route-map NEW_FW permit 10
    match ip address vlan3internet
    set ip next-hop 10.0.10.3

Then

Interface VLAN 3
ip policy route-map NEW_FW
 
LVL 5

Author Comment

by:bpl5000
ID: 39897328
Thanks Soulja!  So currently our vlan 3's config looks like this...

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   exit

So after configuring policy-based routing, I'm guessing it should look like this?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit


Now we actually have 41 VLANs.  I used 3 as an example just to keep it simple, but I'm wondering if the access list could look like this?

ip access-list extended vlan3internet
permit ip 10.0.30.0 0.0.0.255 any
deny any any
 
LVL 26

Expert Comment

by:Soulja
ID: 39897355
No, the access-list has to deny the other vlans. If not, anytime vlan 3 needs to communicate with the other vlans, it will get route mapped and sent to your new firewall instead of to the vlan interface of the other vlan. Thus your vlan communication from vlan 3 to other vlans would be broken.
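The accepted answer and the follow-up explain two things about the route-map ACL: every other VLAN needs an explicit deny ahead of the permit, and a deny (or the implicit deny at the end of the list) means the packet falls through to the normal routing table instead of being sent to the second firewall. The script below is an added example, not code from the thread or from any vendor: it generates the ACL, route-map and interface lines for any number of VLANs (the asker has 41) and simulates first-match ACL evaluation to show which flows get policy-routed under the accepted ACL versus the shorter "permit then deny any any" version proposed above. The VLAN addressing, the next hop 10.0.10.3 and the names vlan3internet / NEW_FW come from the thread; VLAN 3 is given as a /23 here because the asker's real interface uses mask 255.255.254.0, so the generator derives the wildcard from the mask rather than assuming 0.0.0.255. Function and variable names are my own.

```python
"""Generate and simulate the VLAN 3 policy-routing pieces from the thread.

Added example; not the thread's or any vendor's code. Uses only the
standard library so it runs offline.
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
AclEntry = Tuple[str, IPv4Net, Optional[IPv4Net]]  # (action, source, destination or None for "any")

# Constructed VLAN table: VLAN id -> interface network. VLAN 3 is a /23
# because the asker's "vlan 3" interface is 10.0.30.1 255.255.254.0.
VLANS = {
    1: ipaddress.ip_network("10.0.10.0/24"),
    2: ipaddress.ip_network("10.0.20.0/24"),
    3: ipaddress.ip_network("10.0.30.0/23"),
}
NEXT_HOP = "10.0.10.3"  # the second firewall from the question


def wildcard(net: IPv4Net) -> str:
    """IOS ACLs take an inverse mask: 255.255.254.0 becomes 0.0.1.255."""
    return str(net.hostmask)


def accepted_acl(vlans: dict, source_vlan: int) -> List[AclEntry]:
    """Deny source VLAN -> every other VLAN, then permit source VLAN -> any."""
    src = vlans[source_vlan]
    entries: List[AclEntry] = [
        ("deny", src, net) for vid, net in sorted(vlans.items()) if vid != source_vlan
    ]
    entries.append(("permit", src, None))
    return entries


def proposed_acl(vlans: dict, source_vlan: int) -> List[AclEntry]:
    """The asker's shorter version: permit source VLAN -> any, then deny any any."""
    return [("permit", vlans[source_vlan], None),
            ("deny", ipaddress.ip_network("0.0.0.0/0"), None)]


def build_pbr_config(vlans: dict, source_vlan: int, next_hop: str,
                     acl_name: str = "vlan3internet", map_name: str = "NEW_FW") -> List[str]:
    """Render the ACL, route-map and interface lines in IOS-style syntax."""
    src = vlans[source_vlan]
    lines = [f"ip access-list extended {acl_name}"]
    for action, s, d in accepted_acl(vlans, source_vlan):
        dst = "any" if d is None else f"{d.network_address} {wildcard(d)}"
        lines.append(f" {action} ip {s.network_address} {wildcard(s)} {dst}")
    lines += [
        f"route-map {map_name} permit 10",
        f" match ip address {acl_name}",
        f" set ip next-hop {next_hop}",
        f"interface Vlan{source_vlan}",
        f" ip policy route-map {map_name}",
    ]
    return lines


def acl_action(entries: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in entries:
        if src in s and (d is None or dst in d):
            return action
    return "deny"


def pbr_next_hop(entries: List[AclEntry], src_ip: str, dst_ip: str,
                 next_hop: str) -> Optional[str]:
    """A permit match sets the route-map next hop; a deny means normal routing
    (returned as None, i.e. the packet follows the routing table)."""
    return next_hop if acl_action(entries, src_ip, dst_ip) == "permit" else None


if __name__ == "__main__":
    print("\n".join(build_pbr_config(VLANS, 3, NEXT_HOP)))
    for label, acl in (("accepted", accepted_acl(VLANS, 3)), ("proposed", proposed_acl(VLANS, 3))):
        for src, dst in (("10.0.30.5", "10.0.20.7"), ("10.0.31.9", "203.0.113.10")):
            print(f"{label}: {src} -> {dst}: next hop {pbr_next_hop(acl, src, dst, NEXT_HOP)}")
```

Running it shows the behaviour the expert describes: with the accepted ACL, a VLAN 3 host talking to 10.0.20.7 gets a deny match and stays on the switch's normal inter-VLAN routing, while the same host going to an outside address is handed to 10.0.10.3; with the two-line "permit, then deny any any" ACL, the inter-VLAN packet hits the permit first and is policy-routed to the second firewall, which is exactly the breakage warned about. The /23 case (10.0.31.9) only matches because the wildcard was derived from the real mask; a hand-typed 0.0.0.255 would silently leave the upper half of the VLAN on the old firewall.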
 
LVL 5

Author Comment

by:bpl5000
ID: 39897396
Ok, glad I have you to advise me!!!  So I will need to have deny statements for the other 40 VLANs.  What about VLAN 3's config?  Is this how it should look?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit
 
LVL 26

Expert Comment

by:Soulja
ID: 39897401
Yes that is how it should look.  Test it out and let me know.
 
LVL 5

Author Comment

by:bpl5000
ID: 39915067
Sorry for not replying... I got sidetracked at work and have not yet set up the second firewall.  I'm going to close out the question, and if I have any issues, I'll open another question.  Thank you so much for all the help... it is greatly appreciated!!!
