Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1363
Views
10
Helpful
4
Replies

Distribution Layer routing issues

Go to solution
michaelmfzv1
Level 1
Level 1

‎04-18-2019 09:36 AM

Hi

 

I have two issues with my routes on the Switches in the distribution layer and I want to know if there are some protocols can solve those problems.

 

Diagram of the network

 

 

Diagrama en blanco.png

Explanation of the Escenario:

The arrows show the path that 2 different endpoints (in different networks) have to make.

  • The red path is for data wich I want to analyze in the Firewall for security
  • The green path is for some data wich I want to redirect directly to the servers.

Problem 1:

I know I can configure routes to redirect the packages in the Distribution Switch but how I can avoid the routing loop between the distribution Switch and the Firewall.
Is there a protocol that can save me?

Or it can be done with ACLs?

Problem 2:

In the case my Firewall get down, obviusly I will try to replace it as soon as possible, but in the meantime I dont want to lose the conectivity to the servers

I think it can be solved with an extra route by modifying the administrative distance of the second route? or is there a better practice of making this configuration?

 

Note: All te routes are Static.

 

Thanks to all

 

and best regards

Michael Z.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP
In response to michaelmfzv1

‎04-22-2019 12:26 AM

Hello,

 

policy based routing on the Nexus 9300s could be a solution, have you tried that ? You can match on source and destination IP addresses...

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html#pgfId-1088282

View solution in original post

4 Replies 4

Go to solution
mpellegrino12
Level 1
Level 1

‎04-18-2019 12:41 PM

Problem 1:

What routing loop are you referring to?

Are the red paths and green paths different subnets?

What type of traffic do you want to analyze through the FW. Is it only certain protocols?

 

Problem 2:

If you are only using static routes you can use an IP SLA with floating static route to redirect traffic if the firewall goes down

Go to solution
michaelmfzv1
Level 1
Level 1
In response to mpellegrino12

‎04-21-2019 07:14 PM - edited ‎04-21-2019 07:18 PM

Hi, Thanks for the Reply  mpellegrino12

About the Problem2:

I will search more about the IP SLA with floating static route. thanks for that

 

About the Problem 1:

I was wrong with the static routing because I was thinking that the basic static routes can differentiate de packets by source IP, my bad.

I will reformulate the problem and answering the questions you made me:

 

In the picture above the red and the green path are different subnets, and I want to route or block the subnets by source IP and destination IP I will give some examples:

 

  • Subnet A: This is a subnet of guests and if they want to pass to the servers they have to been blocked (no routed, not even to the firewall)
  • Subnet B: This is a subnet of users (can be TV, Cameras, etc...) where all of this users can reach an especific IP (or a especific subnet of servers) and I prefer that they do not go through the firewall to not saturate the firewall and the network because they use to much resources almost all the time.
  • Subnet C: This is a subnet of users where some users can reach some servers.
    I will manage these permissions with the firewall but I must send these users to the firewall, which will grant or block access to the respective server. then if the user has access permissions the packet will be forwarded to the switch so that it can redirect it to the respective server subnet.

My doubt is here into the switches, how can I redirect the packet by analyzing source IP and destination IP (or source subnet and destination subnet; bot ways are useful) and after that, with the packets sent to the firewall, receive them again and forward them to the respective servers?

This can be done?

 

Note: The Switches in the distribution Layer will be the Default Gateway for all the Users in the Access Vlan

 

Thanks for the reply

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to michaelmfzv1

‎04-22-2019 12:26 AM

Hello,

 

policy based routing on the Nexus 9300s could be a solution, have you tried that ? You can match on source and destination IP addresses...

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html#pgfId-1088282

Go to solution
michaelmfzv1
Level 1
Level 1
In response to Georg Pauwen

‎04-25-2019 02:15 PM - edited ‎04-25-2019 02:16 PM

Thanks Georg Pauwen that works for me.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card