IP routing

Unanswered Question
May 26th, 2009

Hi guys,

I am 99% certain that my design will work but just wanted to pose the question to you guys to confirm as I don't have a test lab!

I have a remote site where I have a Cisco 3560 24-port switch installed with IP Services. At present it is an L2 switch only. I want to enable the L3 functionality of the switch. From what I have read, the task is accomplished by executing the 'IP ROUTING' command?

Connected to the switch I have two L2 WAN circuits. Everything is in VLAN32.

The WAN circuits are connected to two VLAN sub-interfaces of my Fortigate firewall solution. This has been confirmed to be working. At the HQ site the IP address is and at the DR site the ip address is

Behind the HQ interface I have several servers that I want to connect to from devices attached to the Cisco switch. They are and

At the DR site I have another network 192.168.31.x/24 that I want to connect to via the 3560, so my plan is the following:

1) enable ip routing on the 3560 switch

2) add a static route to via

3) add a static route to via

4) add a static route to 192.168.31.x/24 via

I then plan to add static routes on the 40.59 and 40.60 devices to get back to the 192.168.32.x network via

The Fortigate policies will handle the traffic, etc.

Is this all I need to do on the Cisco switch?



Giuseppe Larosa Tue, 05/26/2009 - 22:11

Hello Darren,

your understanding is correct.

you also need to provide a default route, because after enabling ip routing the ip default-gateway command is no longer effective

ip route

ip routing

in order for this to work you also need to define the L3 logical interface associated with that vlan and to assign an ip address in the same subnet.

int vlan 32

ip address

! important to do the following

no shut

sh int vlan32 shows the state of L3 interface and should be up/up.

now all ip next-hops of type 192.168.32.x are meaningful and can be resolved by the ARP process in the broadcast domain.

Hope to help


darren-carr Tue, 05/26/2009 - 22:21

Hello Giuseppe,

Thanks for taking the time to get back to me.

Just to confirm what you have outlined above.

#sh run int vlan 32

Current configuration : 84 bytes

interface Vlan32

ip address

no ip route-cache


#sh run | include ip route

ip route permanent

ip route permanent

***** ADD THIS **********

ip route (DR Link where 192.168.31.x is)

One other question is can I also add

ip route (with a higher metric) for redundancy?

I should also add I use the address to administer the device remotely.

Thanks again


lamav Wed, 05/27/2009 - 05:14


ip route

ip route

Yes, you can use both. The purpose of these default routes is to allow you to access the device for management purposes. You can use 2 default routes. I'm assuming the rest of your network is using dynamic routing....


darren-carr Wed, 05/27/2009 - 16:11

Hi Victor

Apologies I must not have made myself very clear.

Earlier in the post I stated that I have a kind of 'triangle' network with three sites involved. One is the HQ the other our DR site and the other the DR site for the primary DR site for a specific service/application. Our network is very small and I therefore use static routes in the network. There are other reasons that I won't go into also.

IP addresses and are VLAN interfaces (VLAN32) configured on my firewalls at the HQ and primary DR sites. I have a 3560 at the other DR site that has several machines attached to it. At present this is a layer 2 switch only. I am about to enable the layer 3 functionality of the switch and was just wanting to confirm the tasks involved.

My plan was to:

- enable IP routing

- configure static routes for the servers the machines on this VLAN (all switchports on 3560 are in VLAN 32) to get to servers at the HQ site (via

- configure static routes for the machines on this VLAN to get to servers at the DR site (via

What I was also hoping to achieve was some redundancy by using 'ip route' (which I was hoping would become the default route for all traffic) and also with a higher metric so if the route ever became unavailable the traffic would route through to get to the other site?

Hope this makes sense?



Giuseppe Larosa Wed, 05/27/2009 - 19:31

Hello Darren,

you can specify a new AD (not a metric but an administrative distance to be formally correct) for a floating static route with

ip route 200

with a primary default route

ip route

or vice versa (exchanging the roles of next-hops)

Hope to help


darren-carr Wed, 05/27/2009 - 20:14

Hi Giuseppe...

Thanks for the info.. I was using the terminology from recent Fortinet training.. my apologies :)

So to confirm... and please correct me if I'm wrong...

If I go switch>en I'm now in switch# I then add the following: (this is my primary route)

then add 200 (secondary route)

So all traffic outside of 192.168.32.x will be routed through as long as this route is available. If this route becomes unavailable it will be sent via

Lastly the static routes I described earlier will ignore these routing rules and will go to the gateway I specify as they are explicit route definitions?

Thanks again
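
How a next hop is chosen once the routes discussed in this thread are in place, as an added example that is not part of any poster's message: a small Python model of administrative distance and longest-prefix match. The next-hop labels `hq-firewall` and `dr-firewall` stand in for the firewall addresses that are not given on the page, the /24 mask on 192.168.32.x is an assumption, and 203.0.113.7 is a constructed destination.

```python
import ipaddress

# Constructed routing table modelled on the thread. Next hops are symbolic
# labels (assumptions) because the firewall addresses are not on the page.
ROUTES = [
    # (prefix, next_hop, administrative_distance)
    ("0.0.0.0/0", "hq-firewall", 1),        # primary default (static AD defaults to 1)
    ("0.0.0.0/0", "dr-firewall", 200),      # floating static default, AD 200
    ("192.168.31.0/24", "dr-firewall", 1),  # explicit route to the DR network
]
# VLAN 32 SVI subnet; the /24 mask is an assumption.
CONNECTED = ipaddress.ip_network("192.168.32.0/24")


def lookup(dest, usable_next_hops, routes=ROUTES):
    """Return the next hop chosen for dest, "connected", or None.

    1. A static route whose next hop is unusable is not installed.
    2. Per prefix, only the route with the lowest AD is installed.
    3. Forwarding uses the longest installed prefix that matches.
    """
    addr = ipaddress.ip_address(dest)
    if addr in CONNECTED:
        return "connected"
    installed = {}
    for prefix, hop, ad in routes:
        if hop not in usable_next_hops:
            continue
        net = ipaddress.ip_network(prefix)
        best = installed.get(net)
        if best is None or ad < best[1]:
            installed[net] = (hop, ad)
    matches = [net for net in installed if addr in net]
    if not matches:
        return None
    return installed[max(matches, key=lambda n: n.prefixlen)][0]


if __name__ == "__main__":
    both = {"hq-firewall", "dr-firewall"}
    for dest, hops in [("203.0.113.7", both),
                       ("192.168.31.10", both),
                       ("203.0.113.7", {"dr-firewall"}),
                       ("192.168.31.10", {"hq-firewall"})]:
        print(dest, sorted(hops), "->", lookup(dest, hops))
```

The model takes the set of usable next hops as an input; on a real switch a static route is only withdrawn when its next hop stops being resolvable in the routing table, for example when VLAN 32 goes down. The `permanent` keyword seen in the `sh run` output above keeps a static route installed even if the interface shuts down.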


