Possible to give a static route priority over a directly connected route?

acraick
Level 1

I have a layer 3 switch that has a VLAN interface configured just for management.

The problem is it's routing traffic from other VLANs into the management VLAN rather than routing it to the firewall.

I have tried adding a static route on the device to route traffic from other VLANs back to the gateway but the directly connected route is taking precedence.

Any ideas on the best way to configure management on a layer 3 switch?

Thanks

1 Accepted Solution

Accepted Solutions

Hi,

As a workaround, you can create two static routes which have more specific subnets than the connected subnets.

Let's take an example

The subnet of vlan1 is 192.168.1.0/24. Now you want the traffic with a destination address within this range to be routed to vlan2. You can create two static routes as follows:

ip route 192.168.1.0 255.255.255.128 vlan2

ip route 192.168.1.128 255.255.255.128 vlan2

Because the addresses 192.168.1.127 and 192.168.1.128 cannot be used, you can add two more static routes:

ip route 192.168.1.127 255.255.255.255 vlan2

ip route 192.168.1.128 255.255.255.255 vlan2

The final routing table will look like this

C 192.168.1.0/24 connected

S 192.168.1.0/25 via vlan2

S 192.168.1.128/25 via vlan2

S 192.168.1.127/32 via vlan2

S 192.168.1.128/32 via vlan2

Now, when a packet with any destination address in the range 192.168.1.1~192.168.1.254 comes to this router, it will be routed to vlan2.

Hope this helps

SSLIN
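The mechanism behind SSLIN's workaround, and the asymmetric-routing symptom the original poster describes further down the thread, can be shown with a small model. The code below is an added example and is not from the thread or from Cisco: it implements the route-selection rule (longest prefix first, administrative distance only as a tie-breaker between equal-length prefixes) and a deliberately simplified stateful firewall whose connection entry is only completed when it sees the SYN-ACK. All addresses and interface names (Vlan10 as the management SVI, Vlan20 as a server VLAN routed by the switch, 192.168.1.1 as the ASA subinterface, 192.168.1.2 as the switch) are constructed placeholders for the anonymised *.*.*.x in the question; the /32 "Local" entry models the switch delivering traffic for its own SVI address to itself.

```python
"""
Added example, not code from the thread: a model of (a) how a Cisco-style routing
table picks a route by longest prefix first and administrative distance second,
and (b) why a return path that bypasses the firewall breaks a stateful session.
Addresses and interface names are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

CONNECTED_AD, STATIC_AD = 0, 1


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str            # egress interface
    next_hop: str | None   # None = directly connected, ARP for the destination itself
    admin_distance: int


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, out_if: str, next_hop: str | None, ad: int) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), out_if, next_hop, ad))

    def lookup(self, dst: str) -> Route | None:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        # Longest prefix wins outright; AD only breaks ties between equal-length prefixes,
        # which is why a /25 static (AD 1) beats the /24 connected route (AD 0).
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))


def switch_table(with_workaround: bool) -> RoutingTable:
    """The 3750's table: management SVI, a routed server VLAN, default to the ASA."""
    rt = RoutingTable()
    rt.add("192.168.1.0/24", "Vlan10", None, CONNECTED_AD)   # management SVI (switch is .2)
    rt.add("192.168.1.2/32", "Local", None, CONNECTED_AD)    # the switch's own address
    rt.add("192.168.20.0/24", "Vlan20", None, CONNECTED_AD)  # server VLAN routed by the switch
    rt.add("0.0.0.0/0", "Vlan10", "192.168.1.1", STATIC_AD)  # default route to the ASA
    if with_workaround:
        # Two /25s are more specific than the connected /24, so they win the lookup.
        # The next hop is fully specified (interface + address), so resolving 192.168.1.1
        # does not recurse through the very /25 that is being added.
        rt.add("192.168.1.0/25", "Vlan10", "192.168.1.1", STATIC_AD)
        rt.add("192.168.1.128/25", "Vlan10", "192.168.1.1", STATIC_AD)
    return rt


def return_path_next_hop(with_workaround: bool, mgmt_host: str = "192.168.1.50") -> str:
    """Where the switch sends a packet from the server VLAN back to a management host."""
    r = switch_table(with_workaround).lookup(mgmt_host)
    return r.next_hop or f"direct via {r.out_if}"


class StatefulFirewall:
    """Simplified tracking: SYN opens a half-open entry, the SYN-ACK completes it,
    and anything else on an incomplete or unknown connection is dropped."""

    def __init__(self) -> None:
        self.conns: dict[tuple[str, str], str] = {}

    def inspect(self, src: str, dst: str, flag: str) -> bool:
        if flag == "SYN":
            self.conns[(src, dst)] = "half-open"
            return True
        if flag == "SYN-ACK":
            if self.conns.get((dst, src)) == "half-open":
                self.conns[(dst, src)] = "established"
                return True
            return False
        return self.conns.get((src, dst)) == "established"


def simulate_session(with_workaround: bool) -> list[bool]:
    """TCP handshake from a management host to a server. Returns the firewall's verdict
    on each packet it actually sees; a packet the switch sends around it is never seen."""
    fw, host, server = StatefulFirewall(), "192.168.1.50", "192.168.20.10"
    verdicts = [fw.inspect(host, server, "SYN")]                # host -> ASA -> switch -> server
    if return_path_next_hop(with_workaround) == "192.168.1.1":  # server -> switch -> ASA -> host
        verdicts.append(fw.inspect(server, host, "SYN-ACK"))
    verdicts.append(fw.inspect(host, server, "ACK"))            # host's next packet via its gateway
    return verdicts


if __name__ == "__main__":
    for flag in (False, True):
        print(f"workaround={flag}: return path -> {return_path_next_hop(flag)}, "
              f"verdicts {simulate_session(flag)}")
```

Without the /25 routes the return packet matches only the connected /24 and is delivered straight onto the management VLAN, the ASA never sees the SYN-ACK, and the host's following packet is dropped as out of state, which is exactly the symptom reported. With them, the /25 is the longest match and the reply goes back through the ASA. On the real switch, `show ip route 192.168.1.50` shows which entry is selected for a given destination. Two caveats a practitioner should weigh: the switch's own SVI address is still reachable directly from the management VLAN at layer 2, so it is not "behind" the firewall from hosts on that VLAN; and a static route that names only an interface, as in SSLIN's `ip route ... vlan2` form, makes the switch ARP for every management-subnet destination on that interface, which only works if the device on the far side answers those ARPs (proxy ARP). Pointing the routes at a next-hop address, as above, avoids that dependency.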


8 Replies

spremkumar
Level 9

Hi Andrew

The normal static route pointing towards a next-hop IP, which I feel matches your case, has an admin distance of 1, and if it's pointing towards an outgoing interface it's 0.

I don't think it will be possible to change the same, but post about your topology (possibly a network diagram) and the config so that we can suggest accordingly.

regds

No diagram.

I have a layer 3 3750 connected via a trunk to an ASA5510. The Management VLAN should be using the firewall as a default gateway. The firewall is set up with a subinterface with an IP address as the default gateway, *.*.*.1.

The 3750 has a Vlan interface configured with an IP address of *.*.*.2 on the management subnet.

The traffic gets routed from the source to the firewall, the firewall passes the traffic onto the switch via the trunk, which forwards traffic to the correct VLAN.

The return traffic from the destination to the source goes via the switch as the default gateway for the destination VLANS. The problem is, the switch then routes the traffic to the management VLAN directly via its VLAN interface and not to the firewall for routing into the management VLAN.

The source then sends the next packet to firewall which drops the packet as it's out of state as it didn't return by the original gateway.

I could make the switch the default gateway for the management traffic but would rather have it protected by the firewall.

You say that:

"The problem is, the switch then routes the traffic to the management VLAN directly via its VLAN interface and not to the firewall for routing into the management VLAN"

Since the 3750 has a SVI in the management VLAN, it should be in the same IP subnet as the other hosts in the management VLAN, and shouldn't need to go through the firewall, because it is directly connected.

I'm confused because you say the traffic initially gets routed to the firewall, because it is the default gateway. But you seem to be describing traffic from the 3750, to another host that is also in the management VLAN, and these should not need to use a default gateway to communicate with each other, they shouldn't need any layer 3 routing at all.

So a few questions:

1) Is the firewall configured as the default gateway for all VLANS?

2) Are you describing communication between hosts that are both in the management VLAN, or communication between hosts that are not both in the management VLAN (one in the management VLAN, one in a different VLAN)?

3) Is there more than one IP configured on your 3750, and is it performing routing functions?

Hi friend,

I understand your problem. You have a subnet which is behind the firewall. The same subnet also has a SVI configured on the layer 3 switch.

So traffic from the subnet to the outside world goes through the firewall, as it would have been configured as your gateway.

The return traffic, however, when it hits the switch, is forwarded directly as the switch has an interface in the VLAN.

To avoid this problem, you have to remove the SVI configuration from the switch and keep it only as a L2 vlan with no L3 configuration.

You can then add a static route to the management subnet pointing to the firewall and it should work.

HTH, rate if it does

Narayan

Narayan,

I think there is more to it. The confusion here is that the original poster has said that he has only one SVI on the switch, which is the management SVI. I think we have to wait for his inputs for a better understanding of the problem.

-amit singh

There are multiple SVIs. Some of the networks should be routing via the switch. It's just I don't want the management network to.

If I disable the SVI on that VLAN then the switch no longer has an IP address that I can connect to it on.

Hi,

If you have multiple SVIs on the switch with IP addresses configured, then you should be able to telnet to the switch using any SVI address. This is possible in the case when you are trying to telnet to the switch from the switches or the hosts connected to the LAN segment, i.e. the traffic is not passing through the firewall.

If you are trying to access the switch from any other segment which is behind the firewall, i.e. the traffic is passing through the firewall, then you need ACLs to allow the traffic and also you need static routes on the firewall to route the traffic to the VLANs connected to the switches.

HTH,

-amit singh

