Can I have a different default route for a specific VLAN

bpl5000
We have a core switch with layer 3 and multiple VLANs.  The default route is set for our firewall.  I would like to test another firewall device, but only on a specific VLAN.  Let's say we have 3 VLANs...

VLAN 1 10.0.10.0
VLAN 2 10.0.20.0
VLAN 3 10.0.30.0

In our core switch config, the default route is specified like this...

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

Is there a way that I can have a different default route for VLAN 3 so that traffic bound for the internet would go to 10.0.10.3 (a second firewall)?
Maybe you could set a specific ip say msn.com to use the second firewall?

Like ip route "msn.com" 255.255.255.255 second firewall?

Author

Commented:
No, I need all outbound traffic to go to 10.0.10.3 for VLAN 3.

Author

Commented:
I think we could use VRF lite, but it seems more involved than it needs to be. Maybe it would be better to set up an access list on the 1st firewall that redirects VLAN 3 to the 2nd firewall.

We already have WCCP redirecting port 80 & 443 to a web filter.  I suppose we could use WCCP on the 1st firewall to redirect traffic to our 2nd firewall.

It just seems like there should be an easy way to do this on our core switch.  I would think you could have a default route, but then have a different default route for a specific VLAN.

Soulja
Commented:
First:

ip default-gateway 10.0.10.2
ip route 0.0.0.0 0.0.0.0 10.0.10.2 (seems like having both of these statements is redundant?)

This isn't redundant. ip default-gateway is only used when the switch is in layer 2 mode, so in your case you can remove the command. All you need is the second command.

Second:
To accomplish your goal, you need to use policy routing. This will match your source address and set the next hop. Here is a configuration example you can use:

ip access-list extended vlan3internet
deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 any

route-map NEW_FW permit 10
    match ip address vlan3internet
    set ip next-hop 10.0.10.3

Then

Interface VLAN 3
ip policy route-map NEW_FW

Author

Commented:
Thanks Soulja!  So currently our vlan 3's config looks like this...

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   exit

So after configuring policy based routing, I'm guessing it should look like this?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit


Now we actually have 41 VLANs.  I used 3 as an example just to keep it simple, but I'm wondering if the access list could look like this?

ip access-list extended vlan3internet
permit ip 10.0.30.0 0.0.0.255 any
deny ip any any
Soulja

Commented:
No, the access-list has to deny the other vlans. If not, any time vlan 3 needs to communicate with the other vlans, it will get route-mapped and sent to your new firewall instead of to the vlan interface of the other vlan. Thus your vlan communication from vlan 3 to other vlans would be broken.

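The route-map logic from Soulja's two comments above (the ACL with per-VLAN deny entries, and why a permit-only ACL sends inter-VLAN traffic to the new firewall), as an added Python simulation that is not part of the original thread and not the switch's own code. It models Cisco extended-ACL first-match evaluation with wildcard masks, a route-map that overrides the routing table when its ACL permits, and the 0.0.0.0/0 route to the existing firewall. The subnets and next hops are the ones from the question; the VLAN table and the packets are constructed (only three of the 41 VLANs appear in the thread). The /24 wildcard from the answer is kept as-is even though the asker's vlan 3 interface carries a 255.255.254.0 mask, which also covers 10.0.31.0/24 and would not be matched by 0.0.0.255.

```python
import ipaddress

# Subnets and next hops from the thread. The VLAN table is constructed: the
# real network has 41 VLANs, of which only three are shown in the question.
VLANS = {
    1: ipaddress.ip_network("10.0.10.0/24"),
    2: ipaddress.ip_network("10.0.20.0/24"),
    3: ipaddress.ip_network("10.0.30.0/24"),
}
OLD_FW = "10.0.10.3" if False else "10.0.10.2"   # existing 0.0.0.0/0 next hop
NEW_FW = "10.0.10.3"                             # second firewall, set by the route-map


def wildcard(net):
    """Render a network the way IOS ACLs want it: 'address wildcard' (0.0.0.255 style)."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(pbr_vlan, vlans, deny_other_vlans=True):
    """Build the extended ACL from the answer as (action, src, dst) entries.

    dst=None means 'any'. With deny_other_vlans=False this is the shortened
    ACL the asker proposed, which has only the final permit.
    """
    src = vlans[pbr_vlan]
    acl = []
    if deny_other_vlans:
        for vid, net in sorted(vlans.items()):
            if vid != pbr_vlan:
                acl.append(("deny", src, net))
    acl.append(("permit", src, None))
    return acl


def acl_text(name, acl):
    """IOS-style rendering, so the per-VLAN deny lines need not be typed by hand."""
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in acl:
        dst_txt = "any" if dst is None else wildcard(dst)
        lines.append(f" {action} ip {wildcard(src)} {dst_txt}")
    return "\n".join(lines)


def acl_match(acl, src_ip, dst_ip):
    """First-match evaluation; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and (dst is None or d in dst):
            return action
    return "deny"


def next_hop(acl, vlans, ingress_vlan, pbr_vlan, src_ip, dst_ip):
    """Where the core switch forwards a packet.

    The route-map is applied only on the SVI of pbr_vlan, so only packets
    arriving on that VLAN are candidates. A 'permit' route-map entry whose ACL
    permits the packet overrides the routing table; otherwise the packet is
    routed normally: to the connected VLAN if the destination is local, else
    via the 0.0.0.0/0 route to OLD_FW.
    """
    if ingress_vlan == pbr_vlan and acl_match(acl, src_ip, dst_ip) == "permit":
        return NEW_FW
    d = ipaddress.ip_address(dst_ip)
    for vid, net in vlans.items():
        if d in net:
            return f"connected VLAN {vid}"
    return OLD_FW


if __name__ == "__main__":
    good = build_acl(3, VLANS)                            # ACL from the answer
    short = build_acl(3, VLANS, deny_other_vlans=False)   # asker's permit-only ACL
    print(acl_text("vlan3internet", good))
    for label, acl in (("with denies", good), ("permit-only", short)):
        for dst in ("198.51.100.10", "10.0.20.5"):        # internet-bound, then inter-VLAN
            hop = next_hop(acl, VLANS, 3, 3, "10.0.30.50", dst)
            print(f"{label:12} 10.0.30.50 -> {dst:14} => {hop}")
```

Running it prints the generated ACL and then the forwarding decision for an internet-bound packet and an inter-VLAN packet from VLAN 3 under both ACLs: with the deny entries the inter-VLAN packet stays on the switch, with the permit-only ACL it is handed to the second firewall. Extending the VLANS table to all 41 VLANs makes build_acl emit the full deny list in one go.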
Author

Commented:
Ok, glad I have you to advise me!!!  So I will need to have deny statements for the other 40 VLANs.  What about VLAN 3's config?  Is this how it should look?

vlan 3
   name "VLAN3"
   untagged K1-K2
   ip address 10.0.30.1 255.255.254.0
   ip helper-address 10.0.10.22
   ip igmp
   ip policy route-map NEW_FW
   exit
Soulja

Commented:
Yes that is how it should look.  Test it out and let me know.

Author

Commented:
Sorry for not replying... I got sidetracked at work and have not yet set up the second firewall.  I'm going to close out the question, and if I have any issues, I'll open another question.  Thank you so much for all the help... it is greatly appreciated!!!
