IP routing

May 26th, 2009

Hi guys,

I am 99% certain that my design will work but just wanted to pose the question to you guys to confirm as I don't have a test lab!

I have a remote site that I have a Cisco 3560 - 24 Port switch installed with IP Services. At present it is a L2 switch only. I want to enable the L3 functionality of the switch. From what I have read the task is accomplished by executing the 'IP ROUTING' command?

Connected to the switch I have two L2 WAN circuits. Everything is in VLAN32.

The WAN circuits are connected to two VLAN sub-interfaces of my Fortigate firewall solution. This has been confirmed to be working. At the HQ site the IP address is 192.168.32.2 and at the DR site the IP address is 192.168.32.3.

Behind the HQ interface I have several servers that I want to connect to from devices attached to the Cisco switch. They are 192.168.40.60 and 192.168.40.59

At the DR site I have another network 192.168.31.x/24 that I want to connect to via the 3560, so my plan is the following:

1) enable ip routing on the 3560 switch

2) add a static route to 192.168.40.59 via 192.168.32.2

3) add a static route to 192.168.40.59 via 192.168.32.2

4) add a static route to 192.168.31.x/24 via 192.168.32.3

I then plan to add static routes on the 40.59 and 40.60 devices to get back to the 192.168.32.x network via 192.168.32.2

The Fortigate policies will handle the traffic, etc.

Is this all I need to do on the Cisco switch?

Thanks

D

Giuseppe Larosa Tue, 05/26/2009 - 22:11

Hello Darren,

your understanding is correct.

you also need to provide a default route, because after enabling ip routing the ip default-gateway command is not effective anymore:

ip route 0.0.0.0 0.0.0.0 192.168.32.2

ip routing

In order for this to work you also need to define the L3 logical interface associated with that VLAN and assign it an IP address in the same subnet:

int vlan 32

ip address 192.168.32.4 255.255.255.0

! important to do the following

no shut

sh int vlan32 shows the state of L3 interface and should be up/up.

now all ip next-hops of type 192.168.32.x are meaningful and can be resolved by the ARP process in the broadcast domain.

Hope to help

Giuseppe

darren-carr Tue, 05/26/2009 - 22:21

Hello Giuseppe,

Thanks for taking the time to get back to me.

Just to confirm what you have outlined above.

#sh run int vlan 32

Current configuration : 84 bytes

interface Vlan32

ip address 192.168.32.241 255.255.255.0

no ip route-cache

end

#sh run | include ip route

ip route 192.168.40.59 255.255.255.255 192.168.32.2 permanent

ip route 192.168.40.60 255.255.255.255 192.168.32.2 permanent

***** ADD THIS **********

ip route 0.0.0.0 192.168.32.3 (DR Link where 192.168.31.x is)

One other question is can I also add

ip route 0.0.0.0 192.168.32.2 (with a higher metric) for redundancy?

I should also add I use the address 192.168.32.241 to administer the device remotely.

Thanks again

Darren

lamav Wed, 05/27/2009 - 05:14

Darren:

ip route 0.0.0.0 0.0.0.0 192.168.32.3

ip route 0.0.0.0 0.0.0.0 192.168.32.2

Yes, you can use both. The purpose of these default routes is to allow you to access the device for management purposes. You can use 2 default routes. I'm assuming the rest of your network is using dynamic routing....

Victor

darren-carr Wed, 05/27/2009 - 16:11

Hi Victor

Apologies I must not have made myself very clear.

Earlier in the post I stated that I have a kind of 'triangle' network with three sites involved. One is the HQ the other our DR site and the other the DR site for the primary DR site for a specific service/application. Our network is very small and I therefore use static routes in the network. There are other reasons that I won't go into also.

IP addresses 192.168.32.2 and 192.168.32.3 are VLAN interfaces (VLAN32) configured on my firewalls at the HQ and primary DR sites. I have a 3560 at the other DR site that has several machines attached to it. At present this is a layer 2 switch only. I am about to enable the layer 3 functionality of the switch and was just wanting to confirm the tasks involved.

My plan was to:

- enable IP routing

- configure static routes for the machines on this VLAN (all switchports on the 3560 are in VLAN 32) to get to servers at the HQ site (via 192.168.32.2)

- configure static routes for the machines on this VLAN to get to servers at the DR site (via 192.168.32.3)

What I was also hoping to achieve was some redundancy by using 'ip route 0.0.0.0 0.0.0.0 192.168.32.3' (which I was hoping would become the default route for all traffic) and also 0.0.0.0 0.0.0.0 192.168.32.2 with a higher metric so if the route 192.168.32.3 ever became unavailable the traffic would route through 192.168.32.2 to get to the other site?

Hope this makes sense?

Thanks

Darren

Giuseppe Larosa Wed, 05/27/2009 - 19:31

Hello Darren,

you can specify a new AD (not a metric but an administrative distance to be formally correct) for a floating static route with

ip route 0.0.0.0 0.0.0.0 192.168.32.2 200

with a primary default route

ip route 0.0.0.0 0.0.0.0 192.168.32.3

or vice versa (exchanging the roles of the next-hops).

Hope to help

Giuseppe

darren-carr Wed, 05/27/2009 - 20:14

Hi Giuseppe...

Thanks for the info.. I was using the terminology from recent Fortinet training.. my apologies :)

So to confirm... and please correct me if I'm wrong...

If I go switch>en I'm now in switch#. I then add the following:

0.0.0.0 0.0.0.0 192.168.32.3 (this is my primary route)

then add

0.0.0.0 0.0.0.0 192.168.32.2 200 (secondary route)

So all traffic outside of 192.168.32.x will be routed through 192.168.32.2 as long as this route is available. If this route becomes unavailable it will be sent via 192.168.32.2

Lastly the static routes I described earlier will ignore these routing rules and will go to the gateway I specify as they are explicit route definitions?

Thanks again

Darren
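As an added illustration (not code from the thread), here is a small Python model of how the 3560 would choose among the static routes discussed above: longest-prefix match makes the /32 and /24 routes win over any default route, and the AD 200 floating default is only installed once the primary next hop is withdrawn. The `withdrawn` set and the route list are constructed for the example.

```python
import ipaddress

# Constructed model of the 3560 in the thread: one SVI on VLAN 32 and the
# static routes discussed, as (prefix, next hop, administrative distance).
CONNECTED = ipaddress.ip_network("192.168.32.0/24")
STATIC_ROUTES = [
    ("192.168.40.59/32", "192.168.32.2", 1),
    ("192.168.40.60/32", "192.168.32.2", 1),
    ("192.168.31.0/24", "192.168.32.3", 1),
    ("0.0.0.0/0", "192.168.32.3", 1),    # primary default route
    ("0.0.0.0/0", "192.168.32.2", 200),  # floating static, AD 200
]


def build_rib(routes, withdrawn=frozenset(), connected=CONNECTED):
    """Select which static routes get installed.

    A static route is a candidate only if its next hop lies in a connected
    subnet; among candidates for the same prefix the lowest AD wins, and
    equal-AD candidates are installed together (equal-cost load sharing).
    'withdrawn' models next hops the switch has stopped resolving (for
    example an IP SLA track going down). A plain static route is NOT
    withdrawn just because the far-end box dies while the SVI stays up.
    """
    best = {}  # prefix -> (ad, [next hops])
    for prefix, nh, ad in routes:
        if nh in withdrawn or ipaddress.ip_address(nh) not in connected:
            continue
        net = ipaddress.ip_network(prefix)
        if net not in best or ad < best[net][0]:
            best[net] = (ad, [nh])
        elif ad == best[net][0]:
            best[net][1].append(nh)
    rib = {net: tuple(nhs) for net, (ad, nhs) in best.items()}
    rib[connected] = ("connected",)
    return rib


def lookup(rib, dst):
    """Longest-prefix match: the most specific installed prefix wins
    regardless of AD, which is why a /32 beats the default route."""
    addr = ipaddress.ip_address(dst)
    match = None
    for net in rib:
        if addr in net and (match is None or net.prefixlen > match.prefixlen):
            match = net
    return rib[match] if match else ()
```

On IOS a static route whose next hop sits on an up SVI stays installed even if the device at that address is unreachable, so the failover modelled by `withdrawn` only happens in practice when the VLAN 32 interface itself goes down or the route is tied to an IP SLA track.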
