[afnog] Separate Internet Traffic for different Vlan

Brian Candler B.Candler at pobox.com
Sun Oct 1 07:25:30 UTC 2006


On Sat, Sep 30, 2006 at 11:35:10AM +0100, Alain ILUNGA wrote:
>    Is it possible to connect Vlan1 and Vlan2 to Internet using different
>    serial port on the router? (1 serial port for Vlan1 and the second
>    serial for Vlan2)

Good question. Yes you can, and there are two main approaches.

(1) Use what Cisco calls VRFs, which everyone else calls Virtual Routers or
Virtual Chassis.

VRFs are to routers as VLANs are to switches. Each VRF is a completely
separate router with its own forwarding table. So you can just put vlan1 and
serial1 into one VRF, with the default route pointing down serial1; then put
vlan2 and serial2 into another VRF, with the default route pointing down serial2.

Since the virtual routers are entirely independent, you can even use
overlapping address space (e.g. 192.168.1.0/24 on two interfaces). The
router knows which is which via context, e.g. if a packet enters on a
particular port then it must be for a particular VRF which that port is
assigned to.

Downsides of VRFs:

- Not all routers support it. I don't know where the cutoff comes in Cisco's
product line, but if the 1700 does support VRFs then it will probably be the
bottom end of what does.

- If you want traffic to pass from one VRF to another VRF then you have to
explicitly configure it, which would then complicate matters.

(2) With a single VRF you can still get the effect you're looking for by
using policy routing.

That is: you set up a route map which matches traffic whose *source* IP
address is the subnet on vlan1. Then you apply this route map to set the
next hop for outbound traffic to be serial1. A similar map will match
traffic whose source address is vlan2's subnet. (Or you can leave one to
follow the normal default route, and use route maps to match the others.)

This is a simple solution for the specific problem you've outlined, should
work on pretty much any IOS box, and also allows traffic to be forwarded
between vlan1 and vlan2 easily.

HTH,

Brian.
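As an added illustration (not part of Brian's post), here is what approach (2) could look like as IOS configuration; the subnets, interface names, upstream next-hop addresses and ACL/route-map names are all assumptions. It also shows the detail that makes "traffic between vlan1 and vlan2" keep working: the ACLs deny the other VLAN's subnet first, so that traffic is not caught by the policy and falls through to the normal routing table.

```cisco
! Added example, not from the original post. All addresses, interface names
! and ACL/route-map names are assumptions chosen for illustration.
!
! Vlan1 = 192.168.1.0/24, Vlan2 = 192.168.2.0/24
! Serial0/0 peers with upstream A (10.0.0.1), Serial0/1 with upstream B (10.0.1.1)
!
! A "deny" in the ACL means "no match" for the route-map, so inter-VLAN traffic
! is left to the normal routing table instead of being pushed out a serial link.
ip access-list extended FROM-VLAN1
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended FROM-VLAN2
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Match on source subnet, set the next hop towards the wanted serial link.
route-map VLAN1-VIA-SERIAL0 permit 10
 match ip address FROM-VLAN1
 set ip next-hop 10.0.0.1
!
route-map VLAN2-VIA-SERIAL1 permit 10
 match ip address FROM-VLAN2
 set ip next-hop 10.0.1.1
!
! Policy routing is applied on the interface where the traffic ENTERS the router,
! i.e. the VLAN interfaces, not the serial interfaces.
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map VLAN1-VIA-SERIAL0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map VLAN2-VIA-SERIAL1
!
! A normal default route is still needed for anything the route-maps do not
! match (for example traffic originated by the router itself).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Checking it works:
!   show route-map      - per-entry match counters should increase for each VLAN
!   debug ip policy     - per-packet policy decisions, on a lightly loaded box
```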