Static Routing Problems

Jun 10th, 2010

See attached drawings.

We can't get the Cisco 3560 to route traffic properly.

We need all traffic that comes in on the 172 network to go back out over it.  Currently all traffic is routing out to the 192.168.10.X network regardless of where it comes in from.

Switch CLI posted...

Any ideas?

gatlin007 Thu, 06/10/2010 - 13:52

All the traffic is going to because that’s the default gateway on the 3560.  What traffic would you want to utilize the network?


jwcasey007 Thu, 06/10/2010 - 13:57

Any traffic that comes in over the Eth 0/2 port I need to be routed back out over that port. This port is used for VPN traffic only. How do we specify that the traffic coming in over this port is routed back out over this port?

gatlin007 Thu, 06/10/2010 - 14:03

There are ways to do what you are describing; VRF-lite on the 3560 comes to mind.  But I believe it would become difficult to support.

Are there VPN tunnels terminated on the Adtran router today?  If so, migrate these tunnels to your ASA and the routing problems disappear.


gatlin007 Thu, 06/10/2010 - 14:57

I generally avoid PBR as I consider it a break-fix option and not a scalable solution.

That said, if you know the VPN addresses you want to route from the 3560 to the Adtran @ you could create a policy that would facilitate it.  Armed with that information you could simply use static routes to force the selected networks to the Adtran vs. the ASA.  Both of these options are less than desirable for a ‘predictable supportable network’.

Routing everything through the ASA will result in a more supportable topology.  If you have a syslog server and point the ASA at it, you will also gather valuable data about the traffic traversing these devices.


