static routes on L3 switch with two connected routers

john.wright
Level 3

We are introducing a third router (R3) (in order to connect them to our vendor managed MPLS) and a L3 switch into a site that currently has one router (R1) connected via serial links to another router (R2 192.168.0.0/24) for warehouse access. All business is done via the internet. No private network.

They also have cisco asa firewall in their current subnet 192.168.1.0/24 which is the default destination for R1.

We plan to change the FW inside addr to our new network 10.48.1.252 and maintain this new addr as the default destination.

R1 (192.168.1.2) and R3 (10.48.1.254) will connect to the new L3 switch (10.48.1.237) on two different vlans.

The current clients will stay on the old network in phase one. 192.168.1.0/24 and continue to do business via the internet and the warehouse.

And anything new will be placed in the new network.10.48.1.0/24

We use static routes

Here are my proposed static routes to use in the L3 switch.

Do these look correct to allow access from and to the L3 switch to ASA, R1 and R3?

ip route 0.0.0.0 0.0.0.0 10.48.1.252 name asa
ip route 10.0.0.0 255.0.0.0 10.48.1.254 name R3
ip route 192.168.253.0 255.255.255.0 10.48.1.252 name asa
ip route 192.168.0.0 255.255.255.0 192.168.1.2 name R1
ip route 10.0.1.0 255.255.255.252 192.168.1.2 name R1
ip route 10.0.0.0 255.255.255.252 192.168.1.2 name R1

192.168.253.0 is the VPN addr range.
The 10.0.1.0 and 10.0.0.0 are the addresses of the serial links that connect R1 to R2.

thanks for the help


Jon Marshall
Hall of Fame

John

Is there any chance of doing a quick diagram showing all subnets and where they are in relation to the routers and the firewall?

It's very difficult to say yes or no based on what you have posted.

In addition don't forget return traffic ie. you have pointed the L3 switch to the firewall but you may well need to point the firewall to the L3 switch etc.

Jon

Thanks for the reply Jon.

I have included the routes from R1 and the asa as well. R2 is not changing.

I don't see how you insert a file. I have a map showing before and after but I need to be able to attach a file. I know it can be done. What am I missing?

R1
ip route 0.0.0.0 0.0.0.0 10.48.1.252
ip route 10.48.1.0 255.255.255.0 10.48.1.237
ip route 192.168.253.0 255.255.255.0 10.48.1.252  = client vpn
ip route 192.168.0.0 255.255.255.0 10.0.1.2
ip route 192.168.0.0 255.255.255.0 10.0.0.2

asa
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.255.255.252 192.168.1.2
route inside 10.0.1.0 255.255.255.252 192.168.1.2

route inside 10.0.0.0 255.0.0.0 10.48.1.254
route inside 192.168.1.0 255.255.255.0 192.168.1.2
route inside 192.168.0.0 255.255.255.0 192.168.1.2

John

When you click reply and get the text box along the top of the box is a link "Use advanced editor". Click on that and then at the bottom of the new text box there is an option to add attachments. Just click on that and it should let you add your diagram.

Jon

Thanks for the help

I use green to show what is being added.

Red is remove

and black is what remains from original

Lines with arrow heads are new connections.

Lines with no arrow heads are being removed.

John

I'm still working through it but you have this route for R1 -

ip route 0.0.0.0 0.0.0.0 10.48.1.252

R1's LAN interface is 192.168.2.1 so that won't work because the next hop IP needs to be in the same subnet, unless you are doing recursive routing lookups which I suspect you are not.

Basically the L3 switch needs to have a routed port or a L3 vlan interface in 192.168.2.x to connect to R1. Then the default route on R1 would be -

ip route 0.0.0.0 0.0.0.0

ie. you can't just point to an IP on a different subnet as you have with your current default route. Unless, as I say, you are doing recursive lookups, but I suspect you are not.

Does this make sense and can you clarify ?

Jon

Jon

Thanks again for your help. As you can tell we have never been asked to do this kind of thing.

The route you cite as incorrect is the default to the ASA.

Are you saying I need something like this on the LAN side?

interface GigabitEthernet0/45
 no switchport
 ip address 192.168.1.3 255.255.255.0   (the R1 is 192.168.1.2)
 logging event link-status

Or can I just do an SVI on L3 switch and connect the R1 to a lan port in the correct vlan?

John

You can do either. If there is nothing else in the vlan/IP subnet then I would use a routed port ie. "no switchport". The subnet can be a /30 if there is nothing else in it but it won't hurt if it is a /24.

If there are other devices in that subnet though you will need to use an SVI on the L3 switch.

I have been a bit busy so I am just catching up with threads, so I'll look over the rest of it as soon as possible. If there are other routes like this you will need a similar thing.

I'll let you know.

Jon


Jon

I appreciate very much the help.

The legacy system is just one vlan, the default vlan 1. So I will use the SVI.

I'll wait for anything else you might find.

Thanks

Jon Marshall
Hall of Fame

John

Below are the modified routes for R1 and the ASA. Most of them have a different next hop and there are a few queries.

R1
ip route 0.0.0.0 0.0.0.0 192.168.1.3   <---  assuming this is the IP you decided to use
ip route 10.48.1.0 255.255.255.0 192.168.1.3
ip route 192.168.253.0 255.255.255.0 192.168.1.3 

ip route 192.168.0.0 255.255.255.0 10.0.1.2
ip route 192.168.0.0 255.255.255.0 10.0.0.2

The above two routes on R1: where is the 192.168.0.0/24 network? Is it via R2? If so then I assume R1 has two serial interfaces using 10.0.0.x and 10.0.1.x addresses. If they are then they are fine.

R2 is not changing so it will not be able to get to the new 10.48.1.0/24 network. Just wanted to point that out.

asa
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.255.255.252 10.48.1.237

route inside 10.0.1.0 255.255.255.252 10.48.1.237

route inside 10.0.0.0 255.0.0.0 10.48.1.254
route inside 192.168.1.0 255.255.255.0 10.48.1.237
route inside 192.168.0.0 255.255.255.0 10.48.1.237

A couple of things about the above. You say in your original post that R1 and R3 will connect in two different vlans. Your diagram suggests that R3's IP is in the same vlan as the firewall. If this is the case the R3 route in italics is fine, ie. it will not go via the 10.48.1.237 SVI to get to the firewall, it will go direct (unlike R2 which is in a different vlan/IP subnet).

Does that make sense ?

Also you didn't post R3's routes separately. If you want to me have a look then feel free to post.

Apologies for the delay in responding.

Any queries etc. then please feel free to come back.

Jon

Jon Marshall
Hall of Fame

John

One additional point that just occurred to me -

R1
ip route 0.0.0.0 0.0.0.0 192.168.1.3   <---  assuming this is the IP you decided to use
ip route 10.48.1.0 255.255.255.0 192.168.1.3
ip route 192.168.253.0 255.255.255.0 192.168.1.3 

you only actually need the first one and not the others as they are all pointing to the same next hop and the default route will take care of all the traffic.

Jon
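As an added illustration of the two points Jon makes above (a static route's next hop must sit on a directly connected subnet unless recursive lookups are in use, and specific routes that share the default route's next hop are redundant), here is a small Python checker that is not from the thread or from Cisco; it runs over the proposed L3 switch routes and R1's original routes, with R1's two serial /30 addresses assumed, and its longest-prefix lookup also shows which of the overlapping 10.0.0.0 routes wins for a given destination.

```python
import ipaddress
# Constructed sample input: the L3 switch's two SVIs (vlan 1 towards R1, vlan 60
# towards R3 and the ASA) and the static routes proposed for it in the thread.
SWITCH_SVIS = ["192.168.1.3/24", "10.48.1.237/24"]
SWITCH_ROUTES = """
ip route 0.0.0.0 0.0.0.0 10.48.1.252 name asa
ip route 10.0.0.0 255.0.0.0 10.48.1.254 name R3
ip route 192.168.253.0 255.255.255.0 10.48.1.252 name asa
ip route 192.168.0.0 255.255.255.0 192.168.1.2 name R1
ip route 10.0.1.0 255.255.255.252 192.168.1.2 name R1
ip route 10.0.0.0 255.255.255.252 192.168.1.2 name R1
"""
# R1 as first posted. Its LAN address and the two serial /30 addresses are assumed.
R1_IFACES = ["192.168.1.2/24", "10.0.1.1/30", "10.0.0.1/30"]
R1_ROUTES = """
ip route 0.0.0.0 0.0.0.0 10.48.1.252
ip route 10.48.1.0 255.255.255.0 10.48.1.237
ip route 192.168.253.0 255.255.255.0 10.48.1.252
ip route 192.168.0.0 255.255.255.0 10.0.1.2
ip route 192.168.0.0 255.255.255.0 10.0.0.2
"""

def parse_routes(text):
    """Return [(prefix, next_hop)] from IOS 'ip route <net> <mask> <next-hop> ...' lines."""
    routes = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) >= 5 and p[0].lower() == "ip" and p[1].lower() == "route":
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False),
                           ipaddress.ip_address(p[4])))
    return routes

def check_routes(route_text, iface_addrs):
    """Flag next hops off every connected subnet, and routes redundant with the default route."""
    connected = [ipaddress.ip_interface(a).network for a in iface_addrs]
    routes = parse_routes(route_text)
    default_nh = next((nh for net, nh in routes if net.prefixlen == 0), None)
    findings = []
    for net, nh in routes:
        if not any(nh in c for c in connected):
            findings.append(f"{net} via {nh}: next hop not on a connected subnet")
        elif net.prefixlen > 0 and nh == default_nh:
            findings.append(f"{net} via {nh}: redundant, same next hop as the default route")
    return findings

def lookup(route_text, iface_addrs, dst):
    """Longest-prefix match for dst: 'connected' or the next hop that wins."""
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_interface(a).network, "connected") for a in iface_addrs] + parse_routes(route_text)
    return str(max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)[1])
```

Run against R1's original routes it reports the three next hops on 10.48.1.x that R1 cannot reach directly, which is exactly the problem Jon spotted with the default route.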

Jon

Are my routes in the L3 switch good?

And do I understand this correctly that because R1 is directly connected to the L3 switch I do not need a route stmt?

John

Yes, your L3 switch routes look fine as long as you create an L3 interface with an IP from the 192.168.1.x subnet.

You do not need routes for directly connected devices eg.

R1 192.168.1.2

L3 switch 192.168.1.3

You do not need a route for the 192.168.1.x subnet on either R1 or the L3 switch as they are directly connected to this subnet.

If I have misunderstood please clarify.

Jon

The L3 switch will have two SVIs.

The 192.168.1.3 for the R1 router. This will be vlan 1

And 10.48.1.237 for the vendor router R3. This will be vlan 60.

The R3 vendor router will have an addr of 10.48.1.254 on the ethernet connection to the L3 switch.

John

Then that sounds fine.

I think your routing should all work now.

If you do have any problems when you implement please feel free to come back.

Jon
