Re: CSS routing problem

paul.pearston · ‎06-24-2002

I have a single CSS 11800 with connections to 4 VLANs within a server farm. I have disabled layer 3 routing between the VLANs using the ip opportunistic disable command because all traffic between the VLANs must be routed by the firewall (security policy mandate). However, I cannot add static routes to the CSS to route traffic via the firewall for each of these VLANs as the local VLAN interface has a lower weight (0) than a static (1). Any advice greatly appreciated?

Thanks,

Paul

ciscomoderator · ‎06-28-2002

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

lynchp · ‎06-29-2002

Paul,

Unfortunately the locally connected interfaces will always take priority over any routes that are configured. There is not way of changing this. The CSS will always route between vlans. There is no way of turning this off.

fds · ‎07-02-2002

With the "ip opportunistic disable" you'll disable only "opportunistic" layer 3 routing, as defined in the "Basic Configuration Guide". If you refer the CSS VLAN ip address as the default router of an attached node, then the CSS will route traffic between VLAN. In order to avoid this, you should point another router on the same VLAN as defaul for your node (i.e. the PIX interface). It means that you should have 4 interfaces of the PIX, one for each VLAN, if you want that each flow between VLANs would pass through the PIX.

Regards, Fabrizio