Solved

Can I have different default routes for different vlans/networks

Posted on 2014-12-23
Last Modified: 2015-01-06
Hello Networking Experts

I have some network issues I would like to present to you.  Here is the situation:
•      I work for a state agency.  Our agency consists of two offices.
•      The main office is in Town A.
•      The remote office is in Town B.
•      The main office has a Cisco 3850 layer 3 switch that does layer 2 switching and layer 3 routing.
•      The remote office has a Cisco 4506 layer 3 switch that does layer 2 switching and routing.
•      The remote office has a Cisco 5510 ASA.  The internal interface of the ASA has an IP address of 192.168.100.253.
•      There is a point-to-point connection between the main office and the remote office.
•      The IP on the main office side of the point-to-point connection has an IP address of 192.168.99.1 /30.
•      The IP on the remote office side of the point-to-point connection has an IP address of 192.168.99.2 /30.
•      Up until a few weeks ago, all servers and workstations in the remote office existed on VLAN2 with an address range of 192.168.100.xx /24.  The default gateway for both servers and workstations was 192.168.100.254.
•      Up until a few weeks ago, Internet traffic at the remote office was as follows:
o      If the proxy server setting is configured in Internet Explorer, internet traffic was routed across the point-to-point connection between the main office and the remote office so that it would go through the proxy server at the main office.
o      If the proxy server setting was not configured, the workstation accessed the Internet through a direct T1 connection to the Internet.
•      Up until a few weeks ago, the terminal services gateway server in the remote office functioned as expected and we could remote into the network via that server.
•      At the time everything was working, the default route on the Cisco 4506 in the remote office was:
ip route 0.0.0.0 0.0.0.0 192.168.100.253
•      A few weeks ago, some mandated changes were made.
•      Change 1 - A direct connection to the state network was established.
•      Change 2 - Workstations in the remote office were moved onto a state switch on VLAN5 with an address range of 192.168.105.xx /24.  The default gateway on workstations is 192.168.105.254.
•      The servers in the remote office still reside on our Cisco 4506 on VLAN2 with an address range 192.168.100.xx /24.  The default gateway on servers is 192.168.100.254.
•      Change 3 - Internet traffic for the remote office is as follows:
o      If the proxy server setting is configured in Internet Explorer, internet traffic is routed across the state network to the main office so that it goes through the proxy server at the main office.  This is working as we want it to work.
o      If the proxy server setting is not configured, the workstation cannot access the Internet.  Again, this is how we want things to work.
•      The default route on the Cisco 4506 in the remote office is:  
ip route 0.0.0.0 0.0.0.0 10.147.255.250
The 10.147.255.250 address is the far side of the connection to the state network.
•      A direct pipe to the Internet still exists at the remote office.  I have verified that this link is up and running by establishing an SSH connection to the Cisco ASA in the remote office and pinging 8.8.8.8.  This ping is 100% successful.
•      From the Cisco 4506, I can successfully ping 192.168.100.253 (the internal interface of the Cisco ASA).
•      From the terminal services server, I can ping 192.168.100.253.  The IP configuration of the terminal services server is:
IP – 192.168.100.23
SM – 255.255.255.0
GW – 192.168.100.254
•      With the configuration above, I can successfully remote desktop into the terminal services server from my desktop at the main office.

The terminal services server in the remote office needs to use the direct connection to the Internet at the remote office, as NATing to the appropriate external IP address is configured on the Cisco 5510 ASA at that office.  My thought to accomplish this was to simply change the default gateway on that server from 192.168.100.254 to 192.168.100.253 (the internal interface of the Cisco ASA).  However, this did not work.  When I changed the default gateway, I lost my ability to remote desktop into the server.  I did a trace route and I get all the way down to the Cisco 4506 in the remote office, but it then times out and can’t find the server with the new gateway.  The routing table of the Cisco 4506 and relevant VLAN information is as follows:

interface Vlan2
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan990
 description POINT-TO-POINT_CONNECTION_WITH_STATE_NETWORK
 ip address 10.147.255.249 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.147.255.250
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 10.1.6.0 255.255.255.0 192.168.99.1
ip route 10.1.100.0 255.255.255.0 192.168.99.1
ip route 10.1.101.0 255.255.255.0 192.168.99.1
ip route 10.1.102.0 255.255.255.0 192.168.99.1
ip route 10.1.150.0 255.255.255.0 192.168.99.1
ip route 10.10.10.0 255.255.255.0 192.168.99.1
ip route 10.110.100.0 255.255.255.0 192.168.99.1
ip route 10.110.101.0 255.255.255.0 192.168.99.1
ip route 10.110.110.0 255.255.255.0 192.168.99.1
ip route 10.110.112.0 255.255.255.0 192.168.99.1
ip route 10.110.113.0 255.255.255.0 192.168.99.1
ip route 10.110.114.0 255.255.255.0 192.168.99.1
ip route 10.110.200.0 255.255.255.0 192.168.99.1
ip route 10.110.201.0 255.255.255.0 192.168.99.1
ip route 10.110.220.0 255.255.255.0 192.168.99.1
ip route 10.110.250.0 255.255.255.0 192.168.99.1
ip route 10.110.251.0 255.255.255.0 192.168.99.1
ip route 12.196.11.132 255.255.255.255 192.168.100.253
ip route 159.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 159.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 159.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 159.xxx.xxx.90 255.255.255.255 192.168.99.1
ip route 159.xxx.xxx.138 255.255.255.255 192.168.99.1
ip route 192.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 192.168.101.0 255.255.255.0 192.168.100.253
ip route 192.xxx.xxx.0 255.255.255.0 192.168.99.1
ip route 192.xxx.xxx.58 255.255.255.255 192.168.99.1
ip route 205.xxx.xxx.200 255.255.255.255 192.168.99.1
ip route 205.xxx.xxx.201 255.255.255.255 192.168.99.1
ip route 206.xxx.xxx.122 255.255.255.255 192.168.99.1
ip route 206.xxx.xxx.124 255.255.255.255 192.168.99.1

In looking at the vlan information and the routing table above, I know the Cisco 4506 “knows” about 192.168.100.254 as it is the SVI for VLAN2 and is directly connected.  When I change the default gateway on the terminal services server to 192.168.100.253, the switch does not know how to get to that address, so I think I need to add a route to that network.  Can I do something like the following?
ip route 192.168.100.0 255.255.255.0 interface VLAN2

Is there a way to setup a default route for the 192.168.100.xx network?

Regards,
Nick

Question by: ndalmolin_13
 
Expert Comment by: Jan Springer
You want policy based routing.

Expert Comment by: giltjr
From what subnet are you trying to remote desktop to the terminal server from?

On the 4506 you should NOT need to add a route for the 192.168.100.0/24 network, as it is on that network.  If you do a "show ip route" on the 4506 it should have one because it is directly on that subnet.

Author Comment by: ndalmolin_13
Hello All,
Giltjr was correct.  The 192.168.100.0 network is connected.  The relevant result from show ip route is posted below.
     C    192.168.100.0/24 is directly connected, Vlan2

Why is it when I change the default gateway from 192.168.100.254 to 192.168.100.253 the 4506 "loses" the network?

Here is a tracert with the target having 192.168.100.254 as its default gateway:

C:\Users\nick>tracert 192.168.100.254

Tracing route to 192.168.100.254 over a maximum of 30 hops

  1     2 ms     3 ms     3 ms  10.110.250.254
  2    13 ms     7 ms     6 ms  192.168.100.254

Trace complete.


Here is a tracert with the target's default gateway set to 192.168.100.253.

C:\Users\nick>tracert 192.168.100.254

Tracing route to 192.168.100.254 over a maximum of 30 hops

  1     2 ms     3 ms     3 ms  10.110.250.254
  2     6 ms     6 ms     6 ms  192.168.99.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Expert Comment by: giltjr
Can you post the output from the "show ip route" command on the Cisco switch?

Also what is 10.110.250.254?

Author Comment by: ndalmolin_13
Here is the output from show ip route.  I had to x some information out to appease the security folks, but I don't think it is that big of a deal.

10.110.250.254 is the default gateway of the vlan that my PC is connected to.

REMOTE-4506#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.147.255.250 to network 0.0.0.0

S    192.xx9.108.0/24 [1/0] via 192.168.99.1
     159.xxx.xxx.0/16 is variably subnetted, 5 subnets, 2 masks
S       159.xxx.xxx.90/32 [1/0] via 192.168.99.1
S       159.xxx.xxx.0/24 [1/0] via 192.168.99.1
S       159.xxx.xxx.0/24 [1/0] via 192.168.99.1
S       159.xxx.xxx.0/24 [1/0] via 192.168.99.1
S       159.xxx.xxx.138/32 [1/0] via 192.168.99.1
     205.xxx.9.0/32 is subnetted, 2 subnets
S       205.xxx.9.201 [1/0] via 192.168.99.1
S       205.xxx.9.200 [1/0] via 192.168.99.1
     206.xxx.229.0/32 is subnetted, 2 subnets
S       206.xxx.229.124 [1/0] via 192.168.99.1
S       206.xxx.229.122 [1/0] via 192.168.99.1
C    192.168.99.0/24 is directly connected, GigabitEthernet2/2
     10.0.0.0/8 is variably subnetted, 19 subnets, 2 masks
S       10.110.100.0/24 [1/0] via 192.168.99.1
S       10.110.101.0/24 [1/0] via 192.168.99.1
S       10.110.110.0/24 [1/0] via 192.168.99.1
S       10.10.10.0/24 [1/0] via 192.168.99.1
S       10.1.6.0/24 [1/0] via 192.168.99.1
S       10.1.5.0/24 [1/0] via 192.168.99.1
S       10.110.112.0/24 [1/0] via 192.168.99.1
S       10.110.113.0/24 [1/0] via 192.168.99.1
S       10.110.114.0/24 [1/0] via 192.168.99.1
S       10.1.102.0/24 [1/0] via 192.168.99.1
S       10.1.101.0/24 [1/0] via 192.168.99.1
S       10.1.100.0/24 [1/0] via 192.168.99.1
S       10.1.150.0/24 [1/0] via 192.168.99.1
C       10.147.255.248/29 is directly connected, Vlan990
S       10.110.250.0/24 [1/0] via 192.168.99.1
S       10.110.251.0/24 [1/0] via 192.168.99.1
S       10.110.200.0/24 [1/0] via 192.168.99.1
S       10.110.201.0/24 [1/0] via 192.168.99.1
S       10.110.220.0/24 [1/0] via 192.168.99.1
S    192.xxx.170.0/24 [1/0] via 192.168.99.1
     12.0.0.0/32 is subnetted, 1 subnets
S       12.196.11.132 [1/0] via 192.168.100.253
     192.xxx.1.0/32 is subnetted, 1 subnets
S       192.xxx.1.58 [1/0] via 192.168.99.1
C    192.168.100.0/24 is directly connected, Vlan2
S    192.168.101.0/24 [1/0] via 192.168.100.253
S*   0.0.0.0/0 [1/0] via 10.147.255.250

Accepted Solution by: giltjr (earned 500 total points)
O.K. A couple of things:

It appears that the 4506 is not directly attached to 10.110.250.0/24.  You need to look at the routing table on that router.

You stated that 192.168.99.0/30 connects the two routers in question, but the 4506 route table says it is /24.  That in a sense should not matter, but it may.  If it is a /24 that implies you could have more than just two devices in that subnet, whereas a /30 would only allow two.

Why is that important?  Because it almost appears as if there is another device/router on the 192.168.99.0/?? subnet.  If you look at the output from your trace routes the 1st hop after 10.100.250.254 is different, and based on what I understand as of right now the next hop should be the same in both cases.  In the 1st trace route it is 192.168.100.254, in the second it is 192.168.99.1.  This implies that 10.100.250.254 is sending traffic differently.

Author Comment by: ndalmolin_13
I was wrong about the 192.168.99.0 network having a /30 mask.  It does have a /24 mask.  I have run an IP scan on that network and the only two active IP addresses are 192.168.99.1 (the IP assigned to the point-to-point link in the main office on gi2/0/6) and 192.168.99.2 (the IP assigned to the point-to-point link in the remote office on gi2/2).

The 10.110.250.254 is the IP assigned to the SVI for the 250 vlan on the layer 3 switch in the main office.  All workstations in the 10.110.250.0 network use 10.110.250.254 as their default gateway.

The routing table from the layer 3 switch in the main office is as follows:

ip route 0.0.0.0 0.0.0.0 10.1.4.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 10.1.4.24 255.255.255.248 10.1.4.1
ip route 10.1.6.0 255.255.255.0 10.1.4.9
ip route 10.110.101.0 255.255.255.0 10.99.99.2
ip route 10.110.110.0 255.255.255.0 10.99.99.2
ip route 10.110.112.0 255.255.255.0 10.99.99.2
ip route 10.110.113.0 255.255.255.0 10.99.99.2
ip route 10.110.114.0 255.255.255.0 10.99.99.2
ip route 69.xxx.0.0 255.255.0.0 159.xxx.xxx.84
ip route 159.xxx.xxx.66 255.255.255.255 10.1.4.1
ip route 172.16.0.0 255.240.0.0 Null0
ip route 172.20.1.0 255.255.255.0 10.1.4.18
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.100.0 255.255.255.0 192.168.99.2
ip route 192.168.101.0 255.255.255.0 10.99.99.2
ip route 192.168.105.0 255.255.255.0 10.99.99.2
ip route 199.xxx.xxx.0 255.255.248.0 159.xxx.xxx.84
ip route 199.xxx.xxx.0 255.255.254.0 159.xxx.xxx.84
ip route 205.xxx.xxx.0 255.255.255.0 159.xxx.xxx.84
ip route 208.xxx.xxx.0 255.255.255.0 159.xxx.xxx.84
ip route 209.xxx.xxx.193 255.255.255.255 10.1.4.9

Based on the routing table above, my tracert to 192.168.100.253 should do the following:
Hop 1 - Hit 10.110.250.254 - This is my default gateway
Hop 2 - Hit 192.168.99.2 - This is the far end of the point-to-point link in the remote office
Hop 3 - Hit 192.168.100.253 - Based on the routing table on the 4506

Expert Comment by: giltjr
I will have to look at this, but you are correct as to which routers you should hit when you do a trace route.  

That is why I'm a little confused right now.  In message:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28586115.html#a40516565  

when you had 192.168.100.254 as the default route you never saw a response from 192.168.99.2.

Author Comment by: ndalmolin_13
My apologies for letting this sit.  I was out last week.

Expert Comment by: giltjr
To make sure this is what you have logically:

Your PC <- 10.110.250.0/30 -> 3850 <- 192.168.99.0/30 -> 4506 <- 192.168.100.0/24 -> 5510
                                                          /\
                                                           |
                                                          \/
                                                  Some Other Device

You are trying to change the default gateway for "Some other device" to 192.168.100.253, which is the IP address on the 5510. Correct?  

Does the 5510 have a route that points back to the 4506 for 10.110.250.0/30?  If not, it needs one, and it (the 5510) should be set up to issue ICMP redirects for that subnet and any other internal subnet.

Expert Comment by: giltjr
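Added example, not code from the thread or from any of its participants: a small Python model of the request and reply paths through the topology giltjr sketches, using the routing tables posted above for the 3850 and the 4506. The ASA's routing table (a default route to the Internet and nothing pointing back inside), the user subnet being 10.110.250.0/24, the device names, the PC address and the policy ACL used by the PBR variant are all assumptions. It shows why pointing the server at 192.168.100.253 breaks the reply path (the ASA has no route back to the main office and hands the reply toward the Internet), that a static return route on the ASA repairs it, and that policy-based routing on the 4506's Vlan2, which Jan Springer suggests, lets the server keep 192.168.100.254 as its gateway while only its Internet-bound traffic leaves through the ASA.

```python
"""Model of the thread's topology: PC -> 3850 -> 4506 -> server, with the ASA on
the 4506's Vlan2. Each hop does a longest-prefix match; the 4506 can optionally
apply a policy route to traffic arriving from the server subnet."""
import copy
import ipaddress

# Constructed routing tables. The 3850 and 4506 entries are taken from the tables
# posted in the thread; the ASA table is an assumption (a default route to the
# Internet and nothing pointing back inside). "connected" = deliver on-link.
TABLES = {
    "3850": [
        ("10.110.250.0/24", "connected"),   # user VLAN, SVI 10.110.250.254
        ("192.168.99.0/24", "connected"),   # link to the 4506 (a /24, per the thread)
        ("192.168.100.0/24", "192.168.99.2"),
        ("0.0.0.0/0", "10.1.4.1"),
    ],
    "4506": [
        ("192.168.99.0/24", "connected"),
        ("192.168.100.0/24", "connected"),  # Vlan2, SVI 192.168.100.254
        ("10.110.250.0/24", "192.168.99.1"),
        ("0.0.0.0/0", "10.147.255.250"),    # state network
    ],
    "ASA": [
        ("192.168.100.0/24", "connected"),  # inside interface 192.168.100.253
        ("0.0.0.0/0", "INTERNET"),          # assumed outside default route
    ],
}

# Which device answers for which address (addresses are the thread's).
OWNERS = {
    "10.110.250.254": "3850", "192.168.99.1": "3850",
    "192.168.99.2": "4506", "192.168.100.254": "4506",
    "192.168.100.253": "ASA",
}

# Assumed policy ACL for the PBR variant: these destinations stay on the
# normal routing table, so replies to internal hosts never go to the ASA.
INTERNAL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def policy_next_hop(device, src, dst):
    """Model of 'ip policy route-map' on the 4506's Vlan2: packets from the
    server subnet bound for non-internal destinations are sent to the ASA."""
    on_vlan2 = ipaddress.ip_address(src) in ipaddress.ip_network("192.168.100.0/24")
    if device == "4506" and on_vlan2 and not is_internal(dst):
        return "192.168.100.253"
    return None


def trace(tables, gateway, src, dst, pbr=False, max_hops=8):
    """Follow next hops from a host's default gateway toward dst.
    Returns (delivered, hops). A packet counts as delivered when it lands on a
    connected subnet or when a public destination is handed to the Internet."""
    device, hops = OWNERS[gateway], []
    for _ in range(max_hops):
        hops.append(device)
        nh = policy_next_hop(device, src, dst) if pbr else None
        nh = nh or lookup(tables[device], dst)
        if nh == "connected":
            return True, hops
        if nh not in OWNERS:                # left the modelled network
            return nh == "INTERNET" and not is_internal(dst), hops + [nh or "drop"]
        device = OWNERS[nh]
    return False, hops + ["loop"]


def asa_with_return_route(tables):
    """giltjr's fix: a static route on the ASA back to the user subnet via the
    4506 (the thread names the need, not the ASA command)."""
    fixed = copy.deepcopy(tables)
    fixed["ASA"].insert(0, ("10.110.250.0/24", "192.168.100.254"))
    return fixed


def round_trip(tables, server_gw, pbr=False):
    """PC -> server request and server -> PC reply as two (delivered, hops) results."""
    pc, server = "10.110.250.10", "192.168.100.23"   # PC address is constructed
    return (trace(tables, "10.110.250.254", pc, server),
            trace(tables, server_gw, server, pc, pbr=pbr))


if __name__ == "__main__":
    cases = [
        ("gateway .254 (original)", TABLES, "192.168.100.254", False),
        ("gateway .253 (ASA)", TABLES, "192.168.100.253", False),
        ("gateway .253 + ASA return route", asa_with_return_route(TABLES), "192.168.100.253", False),
        ("gateway .254 + PBR on Vlan2", TABLES, "192.168.100.254", True),
    ]
    for label, tables, gw, pbr in cases:
        request, reply = round_trip(tables, gw, pbr)
        print(f"{label:34} request={request} reply={reply}")
    print("server -> 8.8.8.8 with PBR:",
          trace(TABLES, "192.168.100.254", "192.168.100.23", "8.8.8.8", pbr=True))
```

The request path is the same in every case, which matches the tracert output above reaching the 4506; only the reply path changes with the server's gateway. The PBR variant is the answer to the question's title: the 4506 keeps one routing table, and the route-map decides per source and destination which next hop Internet-bound server traffic gets, so the main office still reaches the server symmetrically. Whichever option is chosen, the ASA must have a route (or be the hairpin target) for every internal subnet the server talks to, or replies silently leave toward the Internet.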
Thanks for the points, but what was the problem?