Inter-VLAN routing and multiple interfaces

Unanswered Question
Nov 30th, 2007

I've searched the forum and read some good information about Inter-VLAN routing, but I don't feel comfortable enough in my own situation without asking for help.

I have several VLANs set for each 'inside' PIX interface. I want to enable ArcServe traffic between VLANs to get 1GB links, but want all other inter-VLAN and internet traffic to go back through the PIX interfaces.

I've attached a rough network diagram. Individual switches were replaced with 1 3750 divided into one VLAN per PIX interface.

Any guidance would be greatly appreciated.



Jon Marshall Sun, 12/02/2007 - 12:03

Hi Roy

"Rough network diagram" - I'd hate to see one of your detailed diagrams :)

Anyway, do I understand correctly that all four of the switches in your diagram have been replaced by a 3750 switch?

And that you want all traffic from servers to use the pix as their default-gateway except for backup traffic.

It really depends what else is on vlan 75. The problem is that you want all servers to use the pix as their gateway unless it is backup traffic. So the default-gateway on the servers must stay as the relevant pix interface.

You could

1) Create L3 vlan interfaces for the 4 vlans on your 3750.

2) Add a static route on each server that says to get to the backup server use the L3 vlan interface on the 3750 and not the pix default-gateway eg.

route add mask "relevant L3 vlan interface on 3750"

You could then add routes on the backup server for each of the other subnets eg

route add mask "vlan 75 L3 interface on 3750"

However this is assuming that only backup traffic travels between the backup server and the other vlans. If there is other traffic between the backup server and the other servers and you want this traffic to go via the pix interfaces then the above wouldn't work.

Even if it is only backup traffic it is not an elegant solution to say the least as it requires static routes on each server which is never a good idea.

Can you explain what you are trying to achieve?

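The two steps Jon describes (SVIs on the 3750, plus host routes that point only backup traffic at them), sketched as an added configuration example. This is not configuration from the thread or from either poster; VLAN 76, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the .201 SVI addresses and the 192.168.1.44 backup-server address are all assumed for illustration (the thread only gives "vlan 75" and a host ending in ".1.44"). The access lists are added so that the switch path can carry only traffic to and from the backup server; anything else a server tries to send through the SVI is dropped and logged, so the L3 switch cannot quietly become a way around the PIX.

```cisco
! 3750: enable routing between VLANs (step 1). Subnets below are assumed.
ip routing
!
! Backup/management VLAN (holds the ArcServe host, assumed 192.168.1.44)
interface Vlan75
 description backup VLAN - SVI used only for backup traffic
 ip address 192.168.1.201 255.255.255.0
 ip access-group FROM-BACKUP-ONLY in
!
! One of the other server VLANs (assumed numbering and subnet)
interface Vlan76
 description server VLAN - default gateway stays the PIX interface
 ip address 192.168.2.201 255.255.255.0
 ip access-group TO-BACKUP-ONLY in
!
! Routed traffic entering the switch from VLAN 76 may only go to the backup host.
ip access-list extended TO-BACKUP-ONLY
 permit ip any host 192.168.1.44
 deny   ip any any log
!
! Routed traffic entering the switch from VLAN 75 may only come from the backup host.
ip access-list extended FROM-BACKUP-ONLY
 permit ip host 192.168.1.44 any
 deny   ip any any log
```

Router ACLs applied to an SVI only filter traffic that is routed through that SVI; traffic that stays inside the VLAN, including packets the servers send to their PIX default gateway on the same VLAN, is switched at layer 2 and is not affected. Step 2 on each Windows server in VLAN 76 would then be a single persistent host route such as `route -p add 192.168.1.44 mask 255.255.255.255 192.168.2.201` (addresses assumed as above), and the backup server gets the matching routes back to each subnet via 192.168.1.201. The `log` keyword on the deny entries is what gives you visibility if a server ever gets its default gateway pointed at the switch instead of the PIX.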

rwchenow Mon, 12/03/2007 - 06:14

Thanks for the response, Jon.

Yes, the four switches have been replaced by VLANs on a single 3750 switch. I want to have traffic to/from the Arc Server use the 1GB switchports for routing to other subnets rather than choking down the tape backup at the 100MB PIX interfaces.

There is other traffic on .1.44 beside backup traffic -- SNMP to all subnets -- because .1.44 is also the host for Compaq Insight Manager. It would probably be good to keep this management/monitoring traffic on the switch also.

I agree that creating the static routes on each server is probably asking for trouble in the future.

To avoid touching each server to change their default-gateway, could I change the PIX interfaces to something like 192.168.x.203 and set up L3 routing on the switch with 192.168.x.201 as the VLAN interfaces? Could this allow routing between VLANs for backup traffic (with ACLs??) and send other traffic to the PIX interface via 192.168.x.203?


Jon Marshall Mon, 12/03/2007 - 06:54


That's the problem. If you create a L3 interface on the switch with 192.168.x.201 then what do you set the default-gateway to on the servers. If you set it to the L3 interface on your 3750 then ALL traffic between your servers goes via the switch, backup traffic and non-backup traffic.

The fundamental problem is that you cannot set the default-gateway on a server based on the ports/applications it is trying to use. You can only specify an IP address, and if you specify the L3 interface on the switch then the server will use that for all its traffic.

Hope this makes sense.


rwchenow Tue, 12/04/2007 - 12:45

Thanks Jon-

Would this change if I move to an ASA unit and use one 1GB link to carry all the VLAN traffic to the ASA 'inside' interface?


Jon Marshall Tue, 12/04/2007 - 13:00


No, not really, because you still have to make a choice of which device will be the default-gateway of the servers, i.e. the L3 switch or the ASA device.

Is there any reason why you have to firewall traffic between your servers, or is this just something you have inherited?


