LAN Routing Question

Answered Question
Dec 7th, 2009

My internal LAN is segmented into numerous VLANs.  The VLANs are routed via a Cisco 3550 switch.  The routing in the switch has a default to our firewall which then sends traffic on to the Internet.  We are going to be testing a new firewall and would like to have a single machine have its traffic routed to the new firewall.  The single machine will be an Exchange email server.  I need this internal server to still serve all VLANs but I want it to route to firewall 2 for Internet based traffic and not firewall 1.  How would I set up the routing in the 3550 so this one server's default route pointed to firewall 2?


Thanks for any help,


Ken

Jon Marshall Mon, 12/07/2009 - 14:08

tohoken wrote:


My internal LAN is segmented into numerous VLANs.  The VLANs are routed via a Cisco 3550 switch.  The routing in the switch has a default to our firewall which then sends traffic on to the Internet.  We are going to be testing a new firewall and would like to have a single machine have its traffic routed to the new firewall.  The single machine will be an Exchange email server.  I need this internal server to still serve all VLANs but I want it to route to firewall 2 for Internet based traffic and not firewall 1.  How would I set up the routing in the 3550 so this one server's default route pointed to firewall 2?


Thanks for any help,


Ken


Is your 3550 running SMI image or EMI image ?


If it's EMI then PBR will do this for you. Can you confirm which image it is running ?


Jon

tohoken Mon, 12/07/2009 - 14:11

Jon,


Thanks for the quick reply.  The image is SMI.


Ken

Jon Marshall Mon, 12/07/2009 - 14:20

tohoken wrote:


Jon,


Thanks for the quick reply.  The image is SMI.


Ken


Ken


Okay, that's PBR discounted then.


Are your other internal vlans summarisable ? Let's say you had a number of vlans that all had 192.168.x.x addressing.


What you could do is put the new firewall inside interface into the server vlan. Not very secure but I'm assuming you don't want to readdress the server ?


Then on the server you could add 2 routes -


ip route 192.168.x.x 255.255.0.0

ip route 0.0.0.0 0.0.0.0


Obviously if there are other subnets internally you would need to add routes for these. And the routes will not be that syntax when you add them to the server.


Jon

tohoken Mon, 12/07/2009 - 14:44

Jon,


Our vlans are not summarisable.  Our network is scattered across a 10.x.x.x address scheme, segmented into 20+ vlans.  I would have a lot of entries to place in the hosts file of the email server.  Could I just put the gateway address 0.0.0.0 0.0.0.0 into the hosts file and have it work?  Would it use the routing table of the layer 3 switch to route between vlans and use the hosts file when it cannot find an entry in the routing table or would it use the layer 3 switch default route at that point and skip the host file?


Ken

Correct Answer
Jon Marshall Mon, 12/07/2009 - 16:25

tohoken wrote:


Jon,


Our vlans are not summarisable.  Our network is scattered across a 10.x.x.x address scheme, segmented into 20+ vlans.  I would have a lot of entries to place in the hosts file of the email server.  Could I just put the gateway address 0.0.0.0 0.0.0.0 into the hosts file and have it work?  Would it use the routing table of the layer 3 switch to route between vlans and use the hosts file when it cannot find an entry in the routing table or would it use the layer 3 switch default route at that point and skip the host file?


Ken


Ken


If all your networks are 10.x.x.x then they don't need to be summarisable. All 10.x.x.x is not routable on the internet so you actually only need 2 route entries, i.e.


ip route 10.0.0.0 255.0.0.0

ip route 0.0.0.0 0.0.0.0


Edit - in answer to your question host routes would take precedence. So with a default route it would send everything other than traffic for the server vlan to the firewall which is not what you want. Try the above 2 routes, it should work fine.


Jon

Correct Answer
Edison Ortiz Mon, 12/07/2009 - 16:48

Another option is changing the Exchange Server's default gateway to point to FW 2

and under the DOS prompt enter a persistent route add for network 10.0.0.0/8 pointing to your 3550 switch.


http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/


Note: This will only work if the FW and Exchange server are on the same subnet.


Regards


Edison
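The following is an added example, not code from the thread or from either answerer. It models the host routing table that Jon's two-route design and Edison's persistent `route -p add` both produce on the Exchange server, and applies longest-prefix matching to show why 10.x.x.x traffic still goes to the 3550 while everything else goes to firewall 2. It also shows the failure mode Jon describes when only a default route is changed, and enforces Edison's caveat that the new firewall's inside interface must sit on the server's own subnet. All addresses (server VLAN 10.10.10.0/24, 3550 SVI 10.10.10.1, FW2 inside 10.10.10.254) are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample addressing (assumptions, not taken from the thread).
SERVER_VLAN = ipaddress.ip_network("10.10.10.0/24")
SWITCH_SVI = ipaddress.ip_address("10.10.10.1")     # 3550 SVI in the server VLAN
FW2_INSIDE = ipaddress.ip_address("10.10.10.254")   # new firewall's inside interface


def build_table(server_vlan, switch_svi, fw2_inside, two_routes=True):
    """Return the server's routing table as (network, next_hop) tuples.

    next_hop None means directly connected (on-link).
    two_routes=True is Jon's design: 10.0.0.0/8 via the 3550 plus a default
    via FW2. On Windows that is the default gateway setting plus
    'route -p add 10.0.0.0 mask 255.0.0.0 <3550 SVI>'.
    two_routes=False is the single default-route change Ken asked about.
    """
    table = [(server_vlan, None)]
    if two_routes:
        table.append((ipaddress.ip_network("10.0.0.0/8"), switch_svi))
    table.append((ipaddress.ip_network("0.0.0.0/0"), fw2_inside))

    # Edison's note: a next hop is only usable if it is on a connected subnet.
    connected = [net for net, gw in table if gw is None]
    for _, gw in table:
        if gw is not None and not any(gw in net for net in connected):
            raise ValueError(f"gateway {gw} is not on a connected subnet")
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific route wins, so the /8 entry
    takes precedence over the /0 default for any 10.x.x.x destination."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, gw) for net, gw in table if dst in net]
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return "on-link" if gw is None else str(gw)


if __name__ == "__main__":
    good = build_table(SERVER_VLAN, SWITCH_SVI, FW2_INSIDE)
    for dst in ("10.10.10.50", "10.20.5.7", "93.184.216.34"):
        print(f"two routes : {dst:>15} -> {next_hop(good, dst)}")

    bad = build_table(SERVER_VLAN, SWITCH_SVI, FW2_INSIDE, two_routes=False)
    # With only the default changed, other internal VLANs are sent to FW2.
    print(f"default only: {'10.20.5.7':>15} -> {next_hop(bad, '10.20.5.7')}")
```

Run it as a script to see the decisions side by side; the `two_routes=False` table is the case Jon warns against, where every VLAN other than the server's own is sent to the firewall.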
