06-24-2002 02:02 AM
I have a single CSS 11800 with connections to 4 VLANs within a server farm. I have disabled layer 3 routing between the VLANs using the ip opportunistic disable command because all traffic between the VLANs must be routed by the firewall (security policy mandate). However, I cannot add static routes to the CSS to route traffic via the firewall for each of these VLANs as the local VLAN interface has a lower weight (0) than a static (1). Any advice greatly appreciated?
Thanks,
Paul
06-28-2002 12:28 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
06-29-2002 01:06 AM
Paul,
Unfortunately, the locally connected interfaces will always take priority over any routes that are configured. There is no way of changing this. The CSS will always route between VLANs. There is no way of turning this off.
07-02-2002 06:51 AM
With "ip opportunistic disable" you'll disable only "opportunistic" layer 3 routing, as defined in the "Basic Configuration Guide". If you refer to the CSS VLAN IP address as the default router of an attached node, then the CSS will route traffic between VLANs. In order to avoid this, you should point to another router on the same VLAN as the default for your node (i.e. the PIX interface). It means that you should have 4 interfaces on the PIX, one for each VLAN, if you want each flow between VLANs to pass through the PIX.
Regards, Fabrizio
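The default-gateway point in the reply above can be checked across a server farm with a short audit. This is an added example, not part of the original thread; all addresses, host names and the `audit_gateways` helper are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumed; not taken from the thread).
CSS_CIRCUITS = {"VLAN1": "10.1.1.2/24", "VLAN2": "10.1.2.2/24"}
PIX_INTERFACES = {"VLAN1": "10.1.1.1/24", "VLAN2": "10.1.2.1/24"}
HOSTS = [
    {"name": "web1", "ip": "10.1.1.10/24", "gateway": "10.1.1.1"},
    {"name": "web2", "ip": "10.1.1.11/24", "gateway": "10.1.1.2"},
    {"name": "db1", "ip": "10.1.2.10/24", "gateway": "10.1.2.1"},
    {"name": "db2", "ip": "10.1.2.11/24", "gateway": "10.1.1.1"},
]


def _by_address(interfaces):
    """Map each interface address to the VLAN it belongs to."""
    return {ipaddress.ip_interface(c).ip: v for v, c in interfaces.items()}


def audit_gateways(hosts, css_circuits, pix_interfaces):
    """Classify each host by which device its default gateway points at."""
    css = _by_address(css_circuits)
    pix = _by_address(pix_interfaces)
    findings = {}
    for host in hosts:
        iface = ipaddress.ip_interface(host["ip"])
        gw = ipaddress.ip_address(host["gateway"])
        if gw not in iface.network:
            # Gateway is not reachable on the host's own VLAN subnet.
            verdict = "gateway-off-subnet"
        elif gw in css:
            # Inter-VLAN traffic from this host is routed by the CSS,
            # so it never crosses the firewall.
            verdict = "routed-by-css"
        elif gw in pix:
            verdict = "routed-by-pix"
        else:
            verdict = "unknown-gateway"
        findings[host["name"]] = verdict
    return findings


if __name__ == "__main__":
    results = audit_gateways(HOSTS, CSS_CIRCUITS, PIX_INTERFACES)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```

Any host reported as `routed-by-css` sends its inter-VLAN traffic around the firewall and needs its default gateway changed to the PIX interface on its VLAN.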