Beginner

Distribution Layer routing issues

Hi

I have two issues with my routes on the Switches in the distribution layer and I want to know if there are some protocols can solve those problems.

Diagram of the network

[image: Diagrama en blanco.png]

Explanation of the scenario:

The arrows show the path that 2 different endpoints (in different networks) have to make.

  • The red path is for data which I want to analyze in the Firewall for security
  • The green path is for some data which I want to redirect directly to the servers.

Problem 1:

I know I can configure routes to redirect the packets in the distribution switch, but how can I avoid the routing loop between the distribution switch and the firewall?
Is there a protocol that can save me?

Or it can be done with ACLs?

Problem 2:

In case my firewall goes down, obviously I will try to replace it as soon as possible, but in the meantime I don't want to lose the connectivity to the servers.

I think it can be solved with an extra route by modifying the administrative distance of the second route? Or is there a better practice for making this configuration?

Note: All the routes are static.

Thanks to all and best regards,

Michael Z.

Accepted Solution
VIP Mentor

Re: Distribution Layer routing issues

Hello,

Policy-based routing on the Nexus 9300s could be a solution, have you tried that? You can match on source and destination IP addresses...

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html#pgfId-1088282

Replies
Beginner

Re: Distribution Layer routing issues

Problem 1:

What routing loop are you referring to?

Are the red paths and green paths different subnets?

What type of traffic do you want to analyze through the FW? Is it only certain protocols?

Problem 2:

If you are only using static routes, you can use an IP SLA with a floating static route to redirect traffic if the firewall goes down.

Beginner

Re: Distribution Layer routing issues

Hi, thanks for the reply, mpellegrino12.

About Problem 2:

I will search more about the IP SLA with floating static route. Thanks for that.

About Problem 1:

I was wrong with the static routing because I was thinking that basic static routes can differentiate the packets by source IP, my bad.

I will reformulate the problem and answer the questions you asked me:

In the picture above the red and the green paths are different subnets, and I want to route or block the subnets by source IP and destination IP. I will give some examples:

  • Subnet A: This is a subnet of guests, and if they want to pass to the servers they have to be blocked (not routed, not even to the firewall).
  • Subnet B: This is a subnet of users (can be TV, cameras, etc...) where all of these users can reach a specific IP (or a specific subnet of servers), and I prefer that they do not go through the firewall so as not to saturate the firewall and the network, because they use too many resources almost all the time.
  • Subnet C: This is a subnet of users where some users can reach some servers.
    I will manage these permissions with the firewall, but I must send these users to the firewall, which will grant or block access to the respective server. Then, if the user has access permissions, the packet will be forwarded to the switch so that it can redirect it to the respective server subnet.

My doubt is here in the switches: how can I redirect the packet by analyzing source IP and destination IP (or source subnet and destination subnet; both ways are useful) and, after that, with the packets sent to the firewall, receive them again and forward them to the respective servers?

Can this be done?

Note: The switches in the distribution layer will be the default gateway for all the users in the access VLAN.

Thanks for the reply

Beginner

Re: Distribution Layer routing issues

Thanks, Georg Pauwen, that works for me.
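Putting the two suggestions in this thread together (PBR on the Nexus for Problem 1, an IP SLA-tracked firewall for Problem 2), here is an added example configuration for the distribution Nexus 9300; it is not from the thread or from Cisco's documentation. All addresses, VLAN numbers and object names are constructed; the firewall is assumed one-armed off the switch, and the `set ip next-hop verify-availability ... track` form is assumed to be supported by the NX-OS release in use (it is used here instead of a floating static route because the firewall is a PBR next hop, not a routed next hop, so the fallback must happen in the route-map).

```cisco
! Added example for the distribution Nexus 9300 (NX-OS); addresses, VLANs
! and object names are constructed for illustration.
feature pbr
feature sla sender
! Subnet A (guests): blocked towards the server subnet before any routing.
ip access-list GUEST-IN
  10 deny ip 10.10.0.0/24 10.100.0.0/24
  20 permit ip any any

! Subnet C (users): only server-bound traffic is a PBR match; everything
! else from Vlan30 is not matched and is routed normally.
ip access-list USERS-TO-SERVERS
  10 permit ip 10.30.0.0/24 10.100.0.0/24

! Probe the firewall's inside address; track 1 goes down when pings fail.
ip sla 1
  icmp-echo 10.0.9.2
  frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Redirect to the firewall only while track 1 is up; when it is down the
! clause is skipped and the packet falls through to the routing table.
route-map USERS-VIA-FW permit 10
  match ip address USERS-TO-SERVERS
  set ip next-hop verify-availability 10.0.9.2 track 1

interface Vlan10
  description Subnet A - guests
  ip address 10.10.0.1/24
  ip access-group GUEST-IN in

interface Vlan20
  description Subnet B - cameras/TV, routed directly, no policy applied
  ip address 10.20.0.1/24

interface Vlan30
  description Subnet C - users, policy-routed to the firewall
  ip address 10.30.0.1/24
  ip policy route-map USERS-VIA-FW

! No ip policy on the firewall-facing SVI: packets the firewall returns are
! forwarded by the routing table, which is what prevents the loop.
interface Vlan900
  description one-armed firewall leg
  ip address 10.0.9.1/24

! Normal (direct) route to the server subnet via the server-block switch.
ip route 10.100.0.0/24 10.0.1.2
```

The guest block and the PBR match both key on source and destination prefix, so traffic from Subnet C to anything other than the server subnet never touches the firewall; `show route-map USERS-VIA-FW` and `show track 1` show whether the redirect clause is currently active.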
