05-26-2009 09:14 PM - edited 03-06-2019 05:56 AM
Hi guys,
I am 99% certain that my design will work but just wanted to pose the question to you guys to confirm as I don't have a test lab!
I have a remote site that I have a Cisco 3560 - 24 Port switch installed with IP Services. At present it is a L2 switch only. I want to enable the L3 functionality of the switch. From what I have read the task is accomplished by executing the 'IP ROUTING' command?
Connected to the switch I have two L2 WAN circuits. Everything is in VLAN32.
The WAN circuits are connected to two VLAN sub-interfaces of my Fortigate firewall solution. This has been confirmed to be working. At the HQ site the IP address is 192.168.32.2 and at the DR site the IP address is 192.168.32.3.
Behind the HQ interface I have several servers that I want to connect to from devices attached to the Cisco switch. They are 192.168.40.60 and 192.168.40.59.
At the DR site I have another network 192.168.31.x/24 that I want to connect to via the 3560, so my plan is the following:
1) enable ip routing on the 3560 switch
2) add a static route to 192.168.40.59 via 192.168.32.2
3) add a static route to 192.168.40.59 via 192.168.32.2
4) add a static route to 192.168.31.x/24 via 192.168.32.3
I then plan to add static routes on the 40.59 and 40.60 devices to get back to the 192.168.32.x network via 192.168.32.2
The Fortigate policies will handle the traffic, etc.
Is this all I need to do on the Cisco switch?
Thanks
D
05-26-2009 10:11 PM
Hello Darren,
your understanding is correct.
You also need to provide a default route, because after enabling ip routing the ip default-gateway command is no longer effective:
ip route 0.0.0.0 0.0.0.0 192.168.32.2
ip routing
In order for this to work you also need to define the L3 logical interface associated with that VLAN and assign it an IP address in the same subnet:
int vlan 32
ip address 192.168.32.4 255.255.255.0
! important to do the following
no shut
sh int vlan 32 shows the state of the L3 interface and should be up/up.
Now all IP next hops of the form 192.168.32.x are meaningful and can be resolved by the ARP process in the broadcast domain.
Hope to help
Giuseppe
05-26-2009 10:21 PM
Hello Giuseppe,
Thanks for taking the time to get back to me.
Just to confirm what you have outlined above.
#sh run int vlan 32
Current configuration : 84 bytes
interface Vlan32
ip address 192.168.32.241 255.255.255.0
no ip route-cache
end
#sh run | include ip route
ip route 192.168.40.59 255.255.255.255 192.168.32.2 permanent
ip route 192.168.40.60 255.255.255.255 192.168.32.2 permanent
***** ADD THIS **********
ip route 0.0.0.0 0.0.0.0 192.168.32.3 (DR link where 192.168.31.x is)
One other question: can I also add
ip route 0.0.0.0 0.0.0.0 192.168.32.2 (with a higher metric) for redundancy?
I should also add I use the address 192.168.32.241 to administer the device remotely.
Thanks again
Darren
05-27-2009 05:14 AM
Darren:
ip route 0.0.0.0 0.0.0.0 192.168.32.3
ip route 0.0.0.0 0.0.0.0 192.168.32.2
Yes, you can use both. The purpose of these default routes is to allow you to access the device for management purposes. You can use 2 default routes. I'm assuming the rest of your network is using dynamic routing....
Victor
05-27-2009 04:11 PM
Hi Victor
Apologies, I must not have made myself very clear.
Earlier in the post I stated that I have a kind of 'triangle' network with three sites involved. One is the HQ, another is our DR site, and the third is the DR site for the primary DR site for a specific service/application. Our network is very small and I therefore use static routes in the network. There are other reasons that I won't go into also.
IP addresses 192.168.32.2 and 192.168.32.3 are VLAN interfaces (VLAN32) configured on my firewalls at the HQ and primary DR sites. I have a 3560 at the other DR site that has several machines attached to it. At present this is a layer 2 switch only. I am about to enable the layer 3 functionality of the switch and was just wanting to confirm the tasks involved.
My plan was to:
- enable IP routing
- configure static routes so the machines on this VLAN (all switchports on the 3560 are in VLAN 32) can get to servers at the HQ site (via 192.168.32.2)
- configure static routes for the machines on this VLAN to get to servers at the DR site (via 192.168.32.3)
What I was also hoping to achieve was some redundancy by using 'ip route 0.0.0.0 0.0.0.0 192.168.32.3' (which I was hoping would become the default route for all traffic) and also 0.0.0.0 0.0.0.0 192.168.32.2 with a higher metric, so if the route via 192.168.32.3 ever became unavailable the traffic would route through 192.168.32.2 to get to the other site?
Hope this makes sense?
Thanks
Darren
05-27-2009 07:31 PM
Hello Darren,
You can specify a new AD (not a metric but an administrative distance, to be formally correct) for a floating static route with
ip route 0.0.0.0 0.0.0.0 192.168.32.2 200
with a primary default route
ip route 0.0.0.0 0.0.0.0 192.168.32.3
or vice versa (exchanging the roles of the next hops).
Hope to help
Giuseppe
05-27-2009 08:14 PM
Hi Giuseppe...
Thanks for the info.. I was using the terminology from recent Fortinet training.. my apologies :)
So to confirm... and please correct me if I'm wrong...
If I go switch>en I'm now in switch#. I then add the following:
ip route 0.0.0.0 0.0.0.0 192.168.32.3 (this is my primary route)
then add
ip route 0.0.0.0 0.0.0.0 192.168.32.2 200 (secondary route)
So all traffic outside of 192.168.32.x will be routed through 192.168.32.2 as long as this route is available. If this route becomes unavailable it will be sent via 192.168.32.2
Lastly the static routes I described earlier will ignore these routing rules and will go to the gateway I specify as they are explicit route definitions?
Thanks again
Darren
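To check the two questions raised in this thread (does a host route win over the default, and does the AD 200 floating default only take over when the primary next hop disappears), here is a small model of IOS route selection written for this page; it is not code from the thread or from Cisco, and the route table below is constructed from the addresses the posters used:

```python
import ipaddress

# Constructed route table mirroring the thread: two host routes to the HQ
# servers via the HQ firewall, a primary default via the DR firewall, and a
# floating default (administrative distance 200) via the HQ firewall.
ROUTES = [
    ("192.168.40.59/32", "192.168.32.2", 1),
    ("192.168.40.60/32", "192.168.32.2", 1),
    ("0.0.0.0/0", "192.168.32.3", 1),
    ("0.0.0.0/0", "192.168.32.2", 200),
]
CONNECTED = "192.168.32.0/24"   # the VLAN 32 SVI subnet


def lookup(dst, routes=ROUTES, connected=CONNECTED, withdrawn=()):
    """Return the next hop used for dst, 'connected' for the local subnet,
    or None if nothing matches.

    Selection order follows IOS: longest prefix match first, then the
    lowest administrative distance among routes to the same prefix.
    `withdrawn` is a set of next hops whose static routes have been
    removed from the table (on a real switch that only happens when the
    interface through which the next hop is reached goes down)."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(connected):
        return "connected"
    candidates = []
    for prefix, next_hop, ad in routes:
        if next_hop in withdrawn:
            continue
        net = ipaddress.ip_network(prefix)
        if ip in net:
            # sort key: longest prefix first, then lowest AD
            candidates.append((-net.prefixlen, ad, next_hop))
    if not candidates:
        return None
    candidates.sort()
    return candidates[0][2]


if __name__ == "__main__":
    for dst in ("192.168.40.59", "192.168.31.10", "10.0.0.1"):
        print(dst, "->", lookup(dst), "| DR link down ->",
              lookup(dst, withdrawn={"192.168.32.3"}))
```

Note the caveat the model encodes in `withdrawn`: both firewalls sit on the same VLAN 32 SVI, so a static route is only pulled from the table when that SVI goes down, and a failure of the 192.168.32.3 firewall alone does not make the floating default take over. Tracking the next hop (for example with an IP SLA object) is what makes the fail-over trigger on reachability rather than on interface state.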