04-29-2021 07:55 AM - edited 04-29-2021 11:43 PM
Hi guys,
In our environment we work with a router on stick kind of setup combined with HA.
Now, recently we added a new switch (Catalyst 9500) in our network with 40Gbps uplink and 10Gbps connections straight to some of our clients.
Now this is part of our setup and the routing that I'd like to talk about:
Our firewall goes to multiple switches, either for our clients, to our servers, and others. Clients have their own set of switches and so do our servers.
Now, when you look at the picture you can see 3 clients to a switch. In my case that would be our new Catalyst 9500. That goes to a LAN core switch and then to the firewall (which also serves as router btw).
Now that all works fine. What we would like to do is the following:
When you look at the bottom-right server called "file", it is connected both to our server switch and to the Catalyst 9500 switch.
The server switch is connected to a regular 1Gbps connection on the server, while the catalyst is connected to a 40Gbps ethernet connection.
Normally, all of our users (even the ones that are not on this picture) go to the firewall/router, then to the server switch and so access the file server.
What we would like for those 3 clients is that they do NOT go to the firewall/router but instead take a shortcut straight to the file server over 40Gbps, and this is where I am stuck.
For the clients we work with VLANs (let's say VLAN 45 for the clients) and the servers just work on the default VLAN 1. There are firewall rules in place to keep them separated and safe.
What I did so far is I gave FortyGigabitEthernet 1/1/2 a static IP and I used that IP as the gateway on the file server, and that connection works. I can ping the server from the 9500 and I can ping the interface on the switch from the server.
What I cannot do is ping the server from the clients. I made a static IP route towards the server, but I don't know how to get the clients towards the server instead of going towards the firewall/router.
Here is the config I can give:
File server config :
IP : 10.32.1.98 255.255.255.0
Default gateway : 10.32.1.97
interface FortyGigabitEthernet1/1/2
description CONNECTIE FILESERVER -> 10.32.1.98
no switchport
ip address 10.32.1.97 255.255.255.0
ip route 10.32.1.98 255.255.255.255 FortyGigabitEthernet1/1/2 (in the hope of forcing traffic towards that IP over this port).
---
My main question: how do I get this done without screwing up both networks? The default gateway for all of the clients is the firewall/router: 10.32.45.2
I hope I gave all the information needed to solve this puzzle ^^ I feel like I'm missing a basic piece of networking but I'm overlooking it.
If you guys could help that would be awesome!
Greetings & thanks in advance,
Damon
05-18-2021 12:49 PM
Rick
The biggest problem is the L3 interface for the clients is not on the 9500 so PBR is irrelevant as far as I can see.
Jon
05-18-2021 01:33 PM
Jon
I believe that you and I are coming to similar conclusions (that this is not really going to work) from different perspectives. As I read the description of what they are trying to accomplish it seems that they want to route some clients to the server in a different way. That is a classic description of a problem for which PBR is the solution. So I would claim that PBR is indeed relevant - but not going to work in this architecture. So then I looked at why PBR is not working. And I found multiple issues about implementation of PBR here:
1) no IP on the SVI (and what is the point of having a VLAN interface if there is not going to be an IP on it)
2) ACL not selective about source addresses
3) even if issues were fixed and PBR sent requests from clients to server using the alternate path, then the responses would be asymmetric and probably denied by the firewall.
So without major changes in the architecture of this network - especially routing for the VLAN on the 9500 - this is not going to work. You come to a similar conclusion from a different perspective - where does L3 processing for the clients take place.
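The following is an added example, not posted by Damon, Jon or Rick and not a device configuration: a small Python forwarding model of the topology Damon describes, used to show why Jon's point (no L3 interface for the clients on the 9500) and Rick's issue 3 (asymmetric replies dropped by the firewall) amount to the same failure, and what changes once the 9500 routes VLAN 45. Addresses come from the thread (clients in 10.32.45.0/24, file server 10.32.1.98 with gateway 10.32.1.97 on Fo1/1/2). Everything else is assumed for the model: the hop names, a default route on the 9500 pointing at the firewall, a stateful firewall that permits client-initiated flows, PBR on the 9500 already steering server-bound packets onto Fo1/1/2, and the sample client address 10.32.45.10.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not a device config).
# From the post: clients in 10.32.45.0/24, file server 10.32.1.98 with default
# gateway 10.32.1.97 (Fo1/1/2 on the 9500). Assumed, not stated in the thread:
# the 9500's default route points at the firewall, the firewall is stateful,
# and the sample client address 10.32.45.10.
CLIENT_NET = "10.32.45.0/24"
SERVER_NET = "10.32.1.0/24"
CLIENT_IP = "10.32.45.10"   # constructed sample client
SERVER_IP = "10.32.1.98"


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def build_tables(svi_routes_clients):
    """Per-hop routing tables. svi_routes_clients=False is the thread's situation:
    VLAN 45 exists on the 9500 but has no L3 interface (Rick's issue 1, Jon's point)."""
    sw9500 = [
        (SERVER_IP + "/32", "server"),   # the 'ip route ... Fo1/1/2' from the post
        (SERVER_NET, "server"),          # connected network on Fo1/1/2
        ("0.0.0.0/0", "firewall"),       # assumed default route toward the firewall
    ]
    if svi_routes_clients:
        sw9500.append((CLIENT_NET, "client"))  # connected VLAN 45 SVI with an IP
    return {
        # Clients enter the 9500 first either way; the model assumes PBR there
        # already steers server-bound packets onto Fo1/1/2 ("even if issues were fixed").
        "client": [("0.0.0.0/0", "9500")],
        "9500": sw9500,
        "firewall": [(CLIENT_NET, "client"), (SERVER_NET, "server")],
        "server": [("0.0.0.0/0", "9500")],   # default gateway 10.32.1.97
    }


class StatefulFirewall:
    """Minimal stateful model: a reply is forwarded only if the firewall
    forwarded the flow's first packet (the asymmetry in Rick's issue 3)."""

    def __init__(self):
        self.sessions = set()

    def permit(self, src, dst):
        if (dst, src) in self.sessions:          # reply to a flow we have seen
            return True
        if ipaddress.ip_address(src) in ipaddress.ip_network(CLIENT_NET):
            self.sessions.add((src, dst))        # client-initiated flows are policy-allowed
            return True
        return False                             # unsolicited packet from the server side


def trace(tables, fw, src_hop, src_ip, dst_hop, dst_ip):
    """Follow next hops from src_hop to dst_hop; stops at a stateful drop."""
    path = [src_hop]
    hop = src_hop
    while hop != dst_hop and len(path) < 8:
        next_hop = lookup(tables[hop], dst_ip)
        if next_hop is None:
            path.append("NO-ROUTE")
            break
        if next_hop == "firewall" and not fw.permit(src_ip, dst_ip):
            path.append("firewall:DROP")
            break
        path.append(next_hop)
        hop = next_hop
    return path


def round_trip(svi_routes_clients):
    """Forward and return paths for one client/server exchange."""
    tables = build_tables(svi_routes_clients)
    fw = StatefulFirewall()
    forward = trace(tables, fw, "client", CLIENT_IP, "server", SERVER_IP)
    back = trace(tables, fw, "server", SERVER_IP, "client", CLIENT_IP)
    return forward, back


if __name__ == "__main__":
    for flag in (False, True):
        fwd, back = round_trip(flag)
        print(f"9500 routes VLAN 45: {flag}  forward={fwd}  return={back}")
```

With `svi_routes_clients=False` the request reaches the server over Fo1/1/2, but the server's reply, sent to its gateway 10.32.1.97, finds no route to VLAN 45 on the 9500, falls to the assumed default route and arrives at the firewall as a packet for a session the firewall never saw, so it is dropped. With `svi_routes_clients=True` (the architectural change Rick refers to: the 9500 becomes the L3 hop for the clients) both directions stay on the 9500 and the firewall is not involved in that flow at all, which is also why the existing firewall rules between VLAN 45 and the servers would no longer apply to it. The firewall model is intentionally minimal; real devices also check which interface or zone a reply arrives on.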