route statements blowing my mind

KyleWhitaker, Level 1

I have inherited a network that I believe is set up incorrectly.

Based on my provided graphic, could someone tell me what route statements I would enter on each switch to get end-to-end connectivity?

All IP addresses are in VLAN 1 on each switch.

All inter-switch links are trunk links.

Accepted Solution

Thanks for the explanation about why routing on the switches would be better than on the SonicWall. I advocate that it is always better when the layer 2 design matches the layer 3 design, and I suggest that in the longer term you make changes so that would be the case. But in the shorter term there are things you can do to make it run better, and changing the mask is the simplest of them. Note that while changing the mask to /16 would certainly work, changing the mask to /22 (255.255.248.0) would put both sites into the same subnet. That would mean that traffic between sites would be local (devices would ARP for the destination, receive an ARP response, and send the Ethernet frame with the correct destination address, with no need for any layer 3 routing on the switches or the SonicWall).

 

HTH

Rick

16 Replies

Hello,

Which of these switches are layer 3 switches?

If this is a Packet Tracer project, post the project file (zip the .pkt file first, otherwise you cannot upload it)...

Richard Burts, Hall of Fame

I have looked at the diagram and read through the original post several times. I believe that the most significant statement in the post is that all IP addresses are in VLAN 1. If all addresses are in the same VLAN then there is no need for any routing statement on any switch. (And it really does not matter whether the switches are layer 2 or layer 3, because basically there is no "routing" required in this network. All IP communication is within the same VLAN/same subnet and depends on ARP entries rather than routing entries.)

And considering the above logic, I find it surprising that all inter-switch links are trunks. That implies that there are multiple VLANs. But nothing in the original post tells us that there are multiple VLANs. Are there aspects of this network not shown in the diagram nor described in the post?

 

HTH

Rick

Richard,

My apologies. This is an emulation of my current internal network with some numbers changed, etc.

I have two sites: site 1 and site 2.

Site 1 has two 3560Gs.

At each site VLAN 1 consists of a different subnet:

- at site 1, on the VLAN 1 interface we have a subnet of 10.10.157.0/24
- at site 2, on the VLAN 1 interface we have a subnet of 10.10.158.0/24

Currently we route all traffic to our SonicWalls, which route it between sites internally.

Our SonicWall is our bottleneck.

I would like to let my two internal subnets from site 1 and site 2 intercommunicate without having to be routed through my SonicWall. Doesn't that mean I would need to enter static route statements on my 3560s?

Also worth mentioning: we have microwave connections between site 1 and site 2 for inter-site connectivity.

Thanks for the additional information and the clarification that the diagram does not really reflect your network. It would probably be helpful if your diagram showed the SonicWall and how it connects.

Your diagram seems to show that your network is a single broadcast domain in which an ARP request from the PC on the left side would be received by the PC on the right side. I am guessing that is not really the case. It would make sense if the switch from site 1 connects to the SonicWall and the switch from site 2 connects to the SonicWall and that they do not connect directly as is shown in the diagram. Is that the case?

If I am understanding your situation correctly then I believe that you will want to implement something like this:

- some broadcast domain/VLAN for site 1 which is separated from the broadcast domain/VLAN of site 2. You might want to call each of them VLAN 1 (but it might make things a bit more clear if you called each of them some other VLAN).

- you want a VLAN/subnet connecting the switches between sites that is not VLAN 1 and is neither 10.10.157 nor 10.10.158.

- you want to enable routing on both switches that connect sites.

- you want a static route on the switch for site 1 that forwards to the subnet of site 2. You also want a default static route which forwards to the SonicWall.

- you want a static route on the switch for site 2 that forwards to the subnet of site 1. You also want a default static route which forwards to the SonicWall.

- you want to make sure that the SonicWall has routes for 10.10.157 and 10.10.158 and forwards to the respective switch (or, if the SonicWall already has interfaces in both of those subnets, then it can forward directly to the destination host).

- you want the hosts in each site to have their switch set as their default gateway rather than having them point to the SonicWall (as is probably the case now).

 

HTH

Rick
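The steps in the post above, written out as Cisco IOS configuration for the two 3560Gs. This is an added example, not configuration from the thread or from any of its participants. It assumes a new transit VLAN 57 with the hypothetical point-to-point subnet 10.10.159.0/30 between the two 3560Gs (VLAN 56 is left to the SonicWalls' OSPF adjacency), and the port name GigabitEthernet0/1 is a placeholder for whichever trunk port faces the tower link at each site. The switch SVI addresses (10.10.157.250, 10.10.158.10) and the SonicWall addresses (10.10.157.1, 10.10.158.1) are the ones given in the thread.

```cisco
! ===== Site 1 3560G (SVI 10.10.157.250) =====
! Added example; assumptions are marked. VLAN 57 / 10.10.159.0/30 / Gi0/1 are placeholders.
ip routing
!
vlan 57
 name INTERSITE-TRANSIT
!
interface Vlan57
 description L3 transit to the site 2 3560G over the microwave trunk (assumed subnet)
 ip address 10.10.159.1 255.255.255.252
 no shutdown
!
! Only needed if the trunk restricts its allowed-VLAN list. The 2960s (.251/.248)
! and the radios in the path must carry VLAN 57 too, or the SVI never comes up.
interface GigabitEthernet0/1
 switchport trunk allowed vlan add 57
!
! Site 2 LAN via the site 2 switch; everything else (Internet, remote sites)
! still goes to the local SonicWall.
ip route 10.10.158.0 255.255.255.0 10.10.159.2
ip route 0.0.0.0 0.0.0.0 10.10.157.1
!
! ===== Site 2 3560G (SVI 10.10.158.10) =====
ip routing
!
vlan 57
 name INTERSITE-TRANSIT
!
interface Vlan57
 description L3 transit to the site 1 3560G over the microwave trunk (assumed subnet)
 ip address 10.10.159.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan add 57
!
ip route 10.10.157.0 255.255.255.0 10.10.159.1
ip route 0.0.0.0 0.0.0.0 10.10.158.1
!
! ===== Verification, run from the site 1 switch =====
! show ip route static
!   expect: S 10.10.158.0/24 via 10.10.159.2 and S* 0.0.0.0/0 via 10.10.157.1
! ping 10.10.159.2
!   transit link is up at layer 2 and layer 3
! ping 10.10.158.10 source 10.10.157.250
! traceroute 10.10.158.10 source 10.10.157.250
!   expect a single hop through 10.10.159.2 with no SonicWall address in the path
```

Two caveats a practitioner would want before cutting over. First, the SonicWalls are stateful: while some hosts at a site still point at 10.10.157.1 and others at 10.10.157.250, a request can enter the firewall while its reply comes back through the switches, and a stateful firewall drops or resets half-seen sessions. Change the default gateway (DHCP option 3 or the static entries) for a whole site at once rather than host by host. Second, once inter-site traffic no longer transits the SonicWalls, whatever access rules or inspection they apply to that traffic stop applying; if any of it matters, reproduce it as an extended ACL on the Vlan57 or Vlan1 SVIs of the 3560s.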

I believe you have hit the nail on the head with the default gateway comment.

Currently the default gateway of all clients is an IP address that is assigned on our SonicWall (10.10.157.1).

I will attach a more accurate reflection of our current network setup.

At site 1 we have 3 switches:

10.10.157.250 - Cisco 3560G

10.10.157.252 - Cisco 3560G

10.10.157.251 - Cisco 2960, layer 2 (can't route)

At site 2 we have two switches:

10.10.158.248 - Cisco 2960

10.10.158.10 - Cisco 3560G

We have a tower at each site with microwave radios that maintain point-to-point connections between site 1 and site 2 and all the respective "remote sites".

At each remote site we just have end devices that need to communicate with site 1 servers.

Ideally I would like to plan to have enough layer 3 devices that I can route traffic from either side to the opposite side in the event of a major catastrophe.

So I guess my major question is: if I need to change the default gateway on my clients to point to the IP of my site 1 layer 3 switch (10.10.157.250), then do I need to add route statements to get it to the 10.10.158.0 subnet?

Thanks for the additional information and for the new diagram. I am not clear how much of this diagram is your lab attempting to model some parts of the real network, but having some things quite different from the real network. For example, I had assumed a single SonicWall routing for both sites. Your diagram has two SonicWalls and suggests that there is a SonicWall for site 1 and a different SonicWall for site 2. Is that the case?

I understand that you may need to create a testing environment and that some aspects of that testing environment will be different from your real environment. For this discussion I would much rather talk about and deal with the operation of the real network. So can you clarify a few things for us:

- is there a single SonicWall or multiple SonicWalls?

- if there are multiple SonicWalls, how do they communicate with each other?

- is the connection from the site 1 switch to tower 1, from tower 1 to tower 2, and from tower 2 to the site 2 switch part of the same VLAN 1, or is it different?

- can you describe for us the path that data flows if a PC at site 2 wants to communicate with a server at site 1?

 

HTH

Rick

Your diagram has 2 sonic wall and suggests that there is a sonic wall for site 1 and a different sonic wall for site 2. Is that the case?

Yes, that is correct. The diagram accurately reflects our network.

I understand that you may need to create a testing environment and that some aspects of that testing environment will be different from your real environment. For this discussion I would much rather talk about and deal with the operation of the real network. So can you clarify a few things for us:

- is there a single sonic wall or multiple sonic walls?

Multiple. One at each site (site 1 and site 2).

- if there are multiple sonic walls how do they communicate with each other?

OSPFv2 routes have discovered (?) a route to the other SonicWall on VLAN 56. The links between offices are trunk links, so I assume that's where VLAN 56 is passing over.

- is the connection from site 1 switch to tower1, from tower1 to tower2, from tower2 to site 2 switch part of the same vlan 1 or is it different?

They are trunk links with the native VLAN being 1; I am assuming this is a yes?

- can you describe for us the path that data flows if a pc at site 2 wants to communicate with a server at site 1?

I believe the client sends the packets to its default gateway, which would be 10.10.158.1 (SonicWall IP address). The SonicWall knows OSPF routes to send over VLAN 56, so my thought is that it is going over the trunk links between 10.10.157.251 and 10.10.158.248.

I must apologize. It does not accurately reflect our network. Let me make a couple of adjustments to better give you an idea.

Here is a more accurate reflection of the VLANs on each switch.

Also take note that the switches 10.10.157.251 and 10.10.158.248 are only layer 2 switches (Cisco 2960).

Thank you for the new diagram and other information. It does help clarify how traffic flows. If we consider the network from a layer 3 perspective, there is one isolated network at site 1, another isolated network at site 2, and the two SonicWalls route for those networks over VLAN 56. I assume that on the switches there is an interface VLAN 56 and it is in some network that is different from the site 1 and site 2 networks. Your original question was whether you could enable routing on the switches between the sites and take some load off of the SonicWalls. I believe that the answer is yes, you could do this. The steps that I suggested in a previous response would achieve this. I am not sure how much improvement it would make. (Would the switches route that much more efficiently than the SonicWalls?)

And I would like you to think a bit about why the SonicWalls were put into the network. Obviously part of the reason was to route between sites. But are there some other reasons as well? Are there security policies implemented on the SonicWalls? Or some network monitoring provided by the SonicWall? If the SonicWall no longer sees all of the traffic, will that make any difference that matters?

Having discussed the network at layer 3, I think we should also consider the network at layer 2. And at layer 2 it is a very different network. At layer 2 site 1 and site 2 are not separated. You have a single flat network at layer 2. In your original post you thought that the network was not set up correctly. And at layer 2 I agree with you. There is a significant mismatch between the design at layer 2 and at layer 3. I would like to see site 1 devices in a VLAN different from VLAN 1 and site 2 devices in another VLAN different from VLAN 1. That would align the layer 2 functions and the layer 3 functions much better.

 

HTH

Rick

Richard,

I agree that the network at layer 2 is not laid out correctly. The SonicWalls have a DPI limit. DPI is deep packet inspection, meaning everything that passes through them is limited to that DPI value. In my case it is only 300 Mb/s, which our switch would route faster than this. In fact, since our routing is being done through these SonicWalls, it is limiting my inter-site connections to 150 Mb/s after QoS gets hold of it. There are IP phones that run over the inter-office link.

I have recommended to my supervisor that we purchase 2 new layer 3 switches and replace the .251 and .248 switches with the layer 3 switches. Then we can change the IP address of our core switches to .1 on every VLAN so we do not have to adjust the entire network's default gateways. Then we can assign new IP addresses to the SonicWalls and tweak the policies.

Also, I sort of wondered: if I took my IP statement in VLAN 1 at site 1 (10.10.157.250) and changed it from 255.255.255.0 to 255.255.0.0, would that encompass the 10.10.158.0 network also, effectively putting them in the same subnet?
