[IT Networking] 2 Default Gateways, 1 Router

Can't you split your current /24 into two separate /25 subnets?

That way you have two networks/VLANs which can be routed differently when going outside (I'm assuming the ASA can do this; not a lot of experience with them).

Apologies if this has been mentioned already, didn't read.

Btw, in your drawing the two Ethernet ports on the ASA in the 192.168.5.0 range could only be in that range if you split it into two networks. I don't think it can have two IPs in the same subnet. (Can someone confirm this?)

edit:
Better yet, you only need one trunk link between the ASA and the switch.
The interface on the ASA can be subdivided into subinterfaces as two default gateways for the two networks, i.e. Ethernet0/1.10 and Ethernet0/1.20.
The main interface Ethernet0/1 is configured as a trunk, and so is the switch interface towards the ASA.

You can pick the number, but it's easy to pick the same one as your two separate VLAN numbers, like VLAN 10 and 20 for example.

I hope this makes sense, I've been drinking.

I suggest just googling this stuff with terms like "InterVLAN routing ASA" and just go from there. There are loads of good examples online from Cisco and other sources.
 

Yeah, you definitely could. If we separate the two connections by VLAN (others have said this is the best solution and I agree) and put fast-internet users on VLAN1 and slow users on VLAN2, this would be fine. However, their odd requirement to be able to hot-swap between the two connections (end-user friendly, so nothing involving SSH'ing into the ASA or command-line stuff) during the business day makes this like, way more complicated than it should be. Considering it looks like their major objective is just to change the public IP they're transmitting data out of, they should just be using proxies/TOR.

The trunk link and sub-interface idea is interesting, I'm gonna google that. The issue with separate VLANs (not sure if this applies to the trunk idea) is that the computer will generally need to always be in the same VLAN as the mail server. Overall, the idea is overly convoluted when they should just use TOR to avoid any type of IP blocks... I'm done asking smart people what to do and instead just going to try to redesign the solution for the execs; convincing them to use TOR would probably be easier than making this work.
 
Sounds like a super tiny business. If that's the case, and you won't be slapped in the face for doing a hack job based on their hack requests...

Set the 4 shitty employees' default gateway to the slow connection, set the 2 owners' gateway to the good connection, and put 2 batch files on their desktop... one that sets the gateway to the fast connection and the other that sets the gateway to the slow connection.

Anyone in IT is gonna throw up in their mouth a bit, but all the owners are going to see is that you got the job done same day at no cost or downtime and they love the power of choosing their connection. They will switch it back and forth every time facebook appears to load 2/10ths of a second slower than usual and just the act of 'doing' something will make it feel faster.
 

That's precisely what they want to be able to do, but there's no way to get that done without:

a) Plugging AT&T's shit router with shit security directly into the LAN switch
b) Breaking their connection to the mail server (and any other database in the 192.168.5.0/24 subnet)

The idea was to plug the AT&T router into the ASA for security, but I don't know how to configure ethernet0/7 so that VLAN 1 routes out to 2 different ports based on 2 different IPs (one of which isn't even in the same fucking subnet, and AT&T said the router must stay 192.168.1.254 no matter what). Cisco support said you can't even have VLAN traffic go out 2 different ports on the ASA 5505. I'm currently on the phone asking AT&T if we can put the router into the 192.168.5.x subnet...

So given AT&T's insistence on the router staying in 192.168.1.x, and the executives' request, they want:

Default gateway 192.168.1.254 -> Ethernet 0/7
Default gateway 192.168.5.1 -> Ethernet 0/1

Except the office is all in 192.168.5.0/24. It's a fucking headache of a dumb request. I'd rather put TOR clients on their computers.
 

Use a 255.255.0.0 subnet; the AT&T modem will still route it even if you can't change its subnet. How bad is the AT&T router really? You're a thousand times more likely to get bit by random malware, or even by misconfiguring a very advanced firewall, than to actually get hacked through some unknown exploit in the router.
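The two addressing suggestions in this thread (splitting the /24 into two /25s, and widening the office mask to 255.255.0.0 so that 192.168.1.254 becomes reachable) both come down to one host-side rule: a machine only accepts a default gateway that sits inside its own connected subnet. The script below is an added illustration, not code from any poster; the addresses are the ones quoted in the thread, and the "slow" gateway 192.168.5.1 on the ASA is assumed from the OP's routing table.

```python
import ipaddress

# Values taken from the thread; they are sample data, not a real site.
OFFICE_LAN = ipaddress.ip_network("192.168.5.0/24")
FAST_GW = ipaddress.ip_address("192.168.1.254")  # AT&T router, address fixed per the thread
SLOW_GW = ipaddress.ip_address("192.168.5.1")    # ASA inside interface (assumed)


def split_lan(network, new_prefix=25):
    """Carve a network into equal smaller subnets, e.g. a /24 into two /25s."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=new_prefix))


def which_subnet(host_ip, subnets):
    """Return the subnet (as a string) that contains host_ip, or None."""
    host = ipaddress.ip_address(host_ip)
    for net in subnets:
        if host in net:
            return str(net)
    return None


def gateway_on_link(host_ip, prefix_len, gateway):
    """A host installs a default route only via a gateway that is inside its own
    connected subnet; a gateway outside it is rejected or never resolves by ARP."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    return ipaddress.ip_address(gateway) in iface.network


def usable_gateways(host_ip, prefix_len, candidates):
    """Filter a list of candidate gateways down to those the host could actually use."""
    return [str(g) for g in candidates if gateway_on_link(host_ip, prefix_len, g)]


if __name__ == "__main__":
    halves = split_lan(OFFICE_LAN)
    print("two /25s:", [str(n) for n in halves])
    print("192.168.5.200 lands in", which_subnet("192.168.5.200", halves))
    for plen in (24, 16):
        print(f"/{plen} host can use:", usable_gateways("192.168.5.50", plen, [FAST_GW, SLOW_GW]))
```

With the office mask at /24 only 192.168.5.1 is usable, which is exactly the wall the OP hit; with /16 both gateways are on-link, which is why the 255.255.0.0 suggestion works at the host level. The trade-off the thread already names still applies: a /16 puts the AT&T router in the same broadcast domain as every office host, so the ASA is no longer between the LAN and that router for traffic that picks it as the gateway.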
 
Never mind, can't use multiple contexts on a 5505, you're SOL, sorry. Unless you can convince them to buy a 5510 and run multiple contexts.
 
You're not actually using 192.168.1.0, are you?

nope

Turns out 192.168.1.254 is just for the router's GUI; the AT&T tech confirmed we can assign it whatever IP we like, so I'm just going to stick it in the same VLAN (fuk broadcast traffic separation, these guys don't pay me enough to care) and see if it works.

rep for all
 