Cisco 3560 Switch with Multiple Gateways

ianmclachlan asked:

Hi Guys,

I've been looking after a switch for a virtual office, which is pretty basic in design and now consists of a 3650 main switch and two 2950 switches.  

Its primary role is hosting a number of VLANs with different DHCP scopes and ACLs which restrict traffic to its own VLAN and the default VLAN (1) where the gateway lives.  It all works fine; however, there are two gateways on-site and for load balancing I would like to route some of the VLANs through the second gateway, which also resides in VLAN 1.

So, I think I need to setup 'policy based routing'.  I've never done this before and looking on-line isn't really helping - just more confusing ... I'm playing around with packet tracer and was hoping some of the more knowledgeable guys could point me in the right direction.

Here are the configs of my 3 switches (edited for privacy):

3650 Main Switch

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ******
!
enable password *****
!
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.102.1 192.168.102.100
ip dhcp excluded-address 192.168.103.1 192.168.103.100
ip dhcp excluded-address 192.168.104.1 192.168.104.100
ip dhcp excluded-address 192.168.105.1 192.168.105.100
ip dhcp excluded-address 192.168.106.1 192.168.106.100
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.107.1 192.168.107.100
ip dhcp excluded-address 192.168.108.1 192.168.108.100
ip dhcp excluded-address 192.168.109.1 192.168.109.100
ip dhcp excluded-address 192.168.110.1 192.168.110.100
ip dhcp excluded-address 192.168.111.1 192.168.111.100
ip dhcp excluded-address 192.168.112.1 192.168.112.100
!
ip dhcp pool VLAN10
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 8.8.8.8
ip dhcp pool VLAN20
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 8.8.8.8
ip dhcp pool Vlan30
 network 192.168.102.0 255.255.255.0
 default-router 192.168.102.1
 dns-server 8.8.8.8
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.2
 dns-server 8.8.8.8
ip dhcp pool vlan40
 network 192.168.103.0 255.255.255.0
 default-router 192.168.103.1
 dns-server 8.8.8.8
ip dhcp pool vlan50
 network 192.168.104.0 255.255.255.0
 default-router 192.168.104.1
 dns-server 8.8.8.8
ip dhcp pool vlan60
 network 192.168.105.0 255.255.255.0
 default-router 192.168.105.1
 dns-server 8.8.8.8
ip dhcp pool vlan70
 network 192.168.106.0 255.255.255.0
 default-router 192.168.106.1
 dns-server 8.8.8.8
ip dhcp pool vlan80
 network 192.168.107.0 255.255.255.0
 default-router 192.168.107.1
 dns-server 8.8.8.8
ip dhcp pool vlan90
 network 192.168.108.0 255.255.255.0
 default-router 192.168.108.1
 dns-server 8.8.8.8
ip dhcp pool vlan100
 network 192.168.109.0 255.255.255.0
 default-router 192.168.109.1
 dns-server 8.8.8.8
ip dhcp pool vlan110
 network 192.168.110.0 255.255.255.0
 default-router 192.168.110.1
 dns-server 8.8.8.8
ip dhcp pool vlan120
 network 192.168.111.0 255.255.255.0
 default-router 192.168.111.1
 dns-server 8.8.8.8
ip dhcp pool vlan130
 network 192.168.112.0 255.255.255.0
 default-router 192.168.112.1
 dns-server 8.8.8.8
!
ip routing
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 tx-ring-limit 1
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 110
!
interface FastEthernet0/5
 switchport access vlan 100
!
interface FastEthernet0/6
 switchport access vlan 100
!
interface FastEthernet0/7
 switchport access vlan 90
!
interface FastEthernet0/8
 switchport access vlan 90
!
interface FastEthernet0/9
 switchport access vlan 80
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 80
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 30
!
interface FastEthernet0/16
 switchport access vlan 30
!
interface FastEthernet0/17
 switchport access vlan 40
!
interface FastEthernet0/18
 switchport access vlan 120
!
interface FastEthernet0/19
 switchport access vlan 50
!
interface FastEthernet0/20
 switchport access vlan 50
!
interface FastEthernet0/21
 switchport access vlan 60
!
interface FastEthernet0/22
 switchport access vlan 60
!
interface FastEthernet0/23
 switchport access vlan 70
!
interface FastEthernet0/24
 switchport access vlan 130
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 mac-address 00d0.58cb.0701
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan20
 mac-address 00d0.58cb.0702
 ip address 192.168.101.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan30
 mac-address 00d0.58cb.0703
 ip address 192.168.102.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan40
 mac-address 00d0.58cb.0704
 ip address 192.168.103.1 255.255.255.0
 ip access-group 103 in
!
interface Vlan50
 mac-address 00d0.58cb.0705
 ip address 192.168.104.1 255.255.255.0
 ip access-group 104 in
!
interface Vlan60
 mac-address 00d0.58cb.0706
 ip address 192.168.105.1 255.255.255.0
 ip access-group 105 in
!
interface Vlan70
 mac-address 00d0.58cb.0707
 ip address 192.168.106.1 255.255.255.0
 ip access-group 106 in
!
interface Vlan80
 mac-address 00d0.58cb.0708
 ip address 192.168.107.1 255.255.255.0
 ip access-group 107 in
!
interface Vlan90
 mac-address 00d0.58cb.0709
 ip address 192.168.108.1 255.255.255.0
 ip access-group 108 in
!
interface Vlan100
 mac-address 00d0.58cb.070a
 ip address 192.168.109.1 255.255.255.0
 ip access-group 109 in
!
interface Vlan110
 mac-address 00d0.58cb.070b
 ip address 192.168.110.1 255.255.255.0
 ip access-group 110 in
!
interface Vlan120
 mac-address 00d0.58cb.070c
 ip address 192.168.111.1 255.255.255.0
 ip access-group 111 in
!
interface Vlan130
 mac-address 00d0.58cb.070d
 ip address 192.168.112.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip flow-export version 9
!
!
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 104 deny ip 192.168.104.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 104 permit ip any any
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 105 permit ip any any
access-list 106 deny ip 192.168.106.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 106 deny ip 192.168.106.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 106 deny ip 192.168.106.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 106 deny ip 192.168.106.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 106 deny ip 192.168.106.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 106 deny ip 192.168.106.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 106 permit ip any any
access-list 107 deny ip 192.168.107.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 107 deny ip 192.168.107.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 107 deny ip 192.168.107.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 107 deny ip 192.168.107.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 107 deny ip 192.168.107.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 107 permit ip any any
access-list 108 deny ip 192.168.108.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 108 deny ip 192.168.108.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 108 deny ip 192.168.108.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 108 deny ip 192.168.108.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 108 permit ip any any
access-list 109 deny ip 192.168.109.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 109 deny ip 192.168.109.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 109 deny ip 192.168.109.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 109 permit ip any any
access-list 110 deny ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 110 deny ip 192.168.110.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 110 permit ip any any
access-list 111 deny ip 192.168.111.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 111 permit ip any any
!
line con 0
 password ****
 login
!
line aux 0
!
line vty 0 4
 password ****
 login
!
end

2950 Switch 1

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname *****
!
enable password ****
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 60
!
interface FastEthernet0/5
 switchport access vlan 60
!
interface FastEthernet0/6
 switchport access vlan 60
!
interface FastEthernet0/7
 switchport access vlan 60
!
interface FastEthernet0/8
 switchport access vlan 60
!
interface FastEthernet0/9
 switchport access vlan 60
!
interface FastEthernet0/10
 switchport access vlan 60
!
interface FastEthernet0/11
 switchport access vlan 70
!
interface FastEthernet0/12
 switchport access vlan 70
!
interface FastEthernet0/13
 switchport access vlan 70
!
interface FastEthernet0/14
 switchport access vlan 70
!
interface FastEthernet0/15
 switchport access vlan 70
!
interface FastEthernet0/16
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 70
!
interface FastEthernet0/18
 switchport access vlan 80
!
interface FastEthernet0/19
 switchport access vlan 80
!
interface FastEthernet0/20
 switchport access vlan 80
!
interface FastEthernet0/21
 switchport access vlan 80
!
interface FastEthernet0/22
 switchport access vlan 80
!
interface FastEthernet0/23
 switchport access vlan 80
!
interface FastEthernet0/24
 switchport access vlan 80
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
line con 0
 password ****
 login
!
line vty 0 4
 password ****
 login
!
end

2950 Switch 2

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname *****
!
enable password *****
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport access vlan 130
!
interface FastEthernet0/16
 switchport access vlan 130
!
interface FastEthernet0/17
 switchport access vlan 130
!
interface FastEthernet0/18
 switchport access vlan 110
!
interface FastEthernet0/19
 switchport access vlan 110
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 110
!
interface FastEthernet0/21
 switchport access vlan 110
!
interface FastEthernet0/22
 switchport access vlan 110
!
interface FastEthernet0/23
 switchport access vlan 110
!
interface FastEthernet0/24
 switchport access vlan 110
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.4 255.255.255.0
!
line con 0
 password *****
 login
!
line vty 0 4
 password *****
 login
!
end
ASKER CERTIFIED SOLUTION
Predrag Jovic

ianmclachlan (ASKER):
Hi

Thanks for the advice with regards to the optimization of my ACLs.

I will apply the permit statement to the top of my access-list as it's good to be able to test connectivity to the gateway.

I have created my PBR, which consists of this:


ip access-list extended load-bal-gateway
 permit ip any any
!
route-map use-2nd-gateway permit 10
 match ip address load-bal-gateway
 set ip next-hop 192.168.1.50
!
interface vlan110
 ip policy route-map use-2nd-gateway

So my thinking is, that any routable traffic from vlan10 is set to hop to 192.168.1.50

Will run this in my test system and iron out any problems.

Thanks again for your help.

IM
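The following is an added example, not part of the original thread and not Cisco code: a small Python model of how the 3560 would treat a packet under the posted config, in the order the switch applies things (inbound SVI ACL, then the PBR route-map, then connected routes or the default route). It loads a constructed excerpt of the ACLs from the question (100, 101, 110) and the route-map ACL from the post above, plus a hypothetical second ACL, load-bal-internet-only, that excludes 192.168.0.0/16 destinations so that only Internet-bound traffic is pushed to 192.168.1.50; that ACL's name and the idea of excluding the local range are my assumption, not something the thread proposes. The sample packets, VLAN membership and subnet list are constructed from the question's config.

```python
"""Added example (not from the thread, not Cisco code): a toy model of how a
Catalyst 3560 decides where a packet goes under the posted config, in the
order the switch applies them: inbound SVI ACL, then the PBR route-map,
then connected routes / the default route.

It understands only what the page shows: extended ACL lines of the form
'deny|permit ip <src> <wildcard> <dst> <wildcard>' (or 'any'), the implicit
deny at the end of every ACL, and a route-map with a single
'match ip address' / 'set ip next-hop' clause.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Parse 'any' or '<addr> <wildcard>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a netmask (contiguous masks only).
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acls(lines):
    """Return {acl_name: [(action, src_net, dst_net), ...]} from numbered and named ACL text."""
    acls, current = {}, None
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":            # access-list 100 deny ip A wc B wc
            name, action, i = tokens[1], tokens[2], 4
        elif tokens[:2] == ["ip", "access-list"]:  # ip access-list extended NAME
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        else:                                      # body line of a named ACL
            name, action, i = current, tokens[0], 2
        src, i = _parse_addr(tokens, i)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def acl_permits(acl, src, dst):
    """IOS semantics: first matching line wins; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def forward(cfg, in_vlan, src, dst):
    """Return where a packet entering SVI Vlan<in_vlan> ends up: a drop reason,
    the PBR next hop, a connected VLAN, or the default gateway."""
    in_acl = cfg["in_acl"].get(in_vlan)
    if in_acl and not acl_permits(cfg["acls"][in_acl], src, dst):
        return f"DROP by acl {in_acl}"
    pbr = cfg["pbr"].get(in_vlan)              # (match ACL, next hop)
    if pbr and acl_permits(cfg["acls"][pbr[0]], src, dst):
        return pbr[1]                          # policy-routed before the routing table
    for net, vlan in cfg["connected"].items():
        if ipaddress.ip_address(dst) in net:
            return f"connected via Vlan{vlan}"
    return cfg["default"]


# Constructed excerpt of the posted ACLs plus the posted route-map ACL.
# 'load-bal-internet-only' is a hypothetical alternative (assumption): it keeps
# local 192.168.x.x destinations out of the policy route.
POSTED_ACLS = parse_acls("""
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 permit ip any any
access-list 110 deny ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 110 permit ip any any
ip access-list extended load-bal-gateway
 permit ip any any
ip access-list extended load-bal-internet-only
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
""".splitlines())

CONNECTED = {ipaddress.ip_network(n): v for n, v in [
    ("192.168.1.0/24", 1), ("192.168.100.0/24", 10), ("192.168.101.0/24", 20),
    ("192.168.102.0/24", 30), ("192.168.110.0/24", 110), ("192.168.112.0/24", 130)]}


def switch_config(pbr_acl="load-bal-gateway"):
    """The relevant part of the 3560 as posted; Vlan130 carries no access-group."""
    return {"acls": POSTED_ACLS,
            "in_acl": {10: "100", 20: "101", 110: "110"},
            "pbr": {110: (pbr_acl, "192.168.1.50")},
            "connected": CONNECTED,
            "default": "192.168.1.1"}


if __name__ == "__main__":
    cases = [(10, "192.168.100.50", "192.168.101.50"),   # VLAN10 -> VLAN20: dropped by ACL 100
             (20, "192.168.101.50", "192.168.100.50"),   # VLAN20 -> VLAN10: ACL 101 has no such deny
             (130, "192.168.112.50", "192.168.100.50"),  # VLAN130 has no inbound ACL at all
             (110, "192.168.110.50", "8.8.8.8"),         # Internet-bound: policy-routed
             (110, "192.168.110.50", "192.168.1.10")]    # local host: also policy-routed as posted
    for acl in ("load-bal-gateway", "load-bal-internet-only"):
        print(f"--- route-map matching {acl}")
        for vlan, src, dst in cases:
            print(f"Vlan{vlan:<4} {src} -> {dst:<16} {forward(switch_config(acl), vlan, src, dst)}")
```

Two things the model makes visible. First, the inbound ACLs as posted are one-way: ACL 100 drops VLAN 10 to VLAN 20, but ACL 101 has no line covering 192.168.100.0/24, so VLAN 20 to VLAN 10 is forwarded (TCP will not complete, but one-way UDP and ICMP get through), and Vlan130 has no access-group at all. Second, the posted permit ip any any policy ACL also redirects traffic destined for hosts on 192.168.1.0/24 to 192.168.1.50, which the internet-only variant avoids by letting local destinations fall through to normal routing. On a physical 3560, PBR is only supported once the routing SDM template is active (sdm prefer routing, followed by a reload), which is worth checking before the config is applied to the live switch.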
The way you wrote the ACL, all traffic from VLAN 110 will be forwarded to 192.168.1.50.
If that's what you want, that's it.
What routers do you have?

Assuming Cisco routers, if you only want each VLAN to get to the internet you could subinterface your routers and run HSRP or VRRP between them and selectively choose which router is the primary gateway for each VLAN.  That'd give you the best of both worlds then and would mean you don't have to worry about complicated ACLs on your switches.
ACLs most likely still need to be present for filtering traffic between VLANs, since the next hop is assigned in the private IP address range.
Hi Guys,

Thanks again for the info.  Unfortunately I don't appear to have the "route-map" cmd on the 3650 switch template with the latest version of Packet Tracer.  I telnetted into the live switch and the cmd is there.  I may have to recreate it in GNS3 as I like to thoroughly test before rolling out to a live environment.

Predrag Jovic - I award you the points for a very comprehensive explanation and example.  I'm sure I'll get it working when I can find a supporting IOS.

IM
You are welcome.
I said complicated ACLs, Predrag ;-)
Whether it can be simplified depends on the network design. If the routers know all routes in the domain, the ACLs most likely cannot be changed.
;)
Hmmm, you're not following.

If the router just needs to give internet access the ACL is a one-liner for ALL VLANs, rather than several lines for each VLAN.

;)  ;)  ;)