LAN Routing Question

tohoken
Level 1

My internal LAN is segmented into numerous VLANs.  The VLANs are routed via a Cisco 3550 switch.  The routing in the switch has a default to our firewall which then sends traffic on to the Internet.  We are going to be testing a new firewall and would like to have a single machine have its traffic routed to the new firewall.  The single machine will be an Exchange email server.  I need this internal server to still serve all VLANs but I want it to route to firewall 2 for Internet based traffic and not firewall 1.  How would I set up the routing in the 3550 so this one server's default route pointed to firewall 2?

Thanks for any help,

Ken


6 Replies

Jon Marshall
Hall of Fame

tohoken wrote:

My internal LAN is segmented into numerous VLANs.  The VLANs are routed via a Cisco 3550 switch.  The routing in the switch has a default to our firewall which then sends traffic on to the Internet.  We are going to be testing a new firewall and would like to have a single machine have its traffic routed to the new firewall.  The single machine will be an Exchange email server.  I need this internal server to still serve all VLANs but I want it to route to firewall 2 for Internet based traffic and not firewall 1.  How would I set up the routing in the 3550 so this one server's default route pointed to firewall 2?

Thanks for any help,

Ken

Is your 3550 running SMI image or EMI image ?

If it's EMI then PBR will do this for you. Can you confirm which image it is running ?

Jon

Jon,

Thanks for the quick reply.  The image is SMI.

Ken

tohoken wrote:

Jon,

Thanks for the quick reply.  The image is SMI.

Ken

Ken

Okay, that's PBR discounted then.

Are your other internal vlans summarisable? Let's say you had a number of vlans that all had 192.168.x.x addressing.

What you could do is put the new firewall inside interface into the server vlan. Not very secure, but I'm assuming you don't want to readdress the server?

Then on the server you could add 2 routes -

ip route 192.168.x.x 255.255.0.0

ip route 0.0.0.0 0.0.0.0

obviously if there are other subnets internally you would need to add routes for these. And the routes will not be that syntax when you add them to the server.

Jon

Jon,

Our vlans are not summarisable.  Our network is scattered across a 10.x.x.x address scheme, segmented into 20+ vlans.  I would have a lot of entries to place in the hosts file of the email server.  Could I just put the gateway address 0.0.0.0 0.0.0.0 into the hosts file and have it work?  Would it use the routing table of the layer 3 switch to route between vlans and use the hosts file when it cannot find an entry in the routing table or would it use the layer 3 switch default route at that point and skip the host file?

Ken

tohoken wrote:

Jon,

Our vlans are not summarisable.  Our network is scattered across a 10.x.x.x address scheme, segmented into 20+ vlans.  I would have a lot of entries to place in the hosts file of the email server.  Could I just put the gateway address 0.0.0.0 0.0.0.0 into the hosts file and have it work?  Would it use the routing table of the layer 3 switch to route between vlans and use the hosts file when it cannot find an entry in the routing table or would it use the layer 3 switch default route at that point and skip the host file?

Ken

Ken

If all your networks are 10.x.x.x then they don't need to be summarisable. All 10.x.x.x is not routable on the internet, so you actually only need 2 route entries, i.e.

ip route 10.0.0.0 255.0.0.0

ip route 0.0.0.0 0.0.0.0

Edit - in answer to your question, host routes would take precedence. So with a default route it would send everything other than traffic for the server vlan to the firewall, which is not what you want. Try the above 2 routes, it should work fine.

Jon

Edison Ortiz
Hall of Fame

Another option is changing the Exchange Server's default gateway to point to FW 2, and under the DOS prompt enter a persistent route add for network 10.0.0.0/8 pointing to your 3550 switch.

http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

Note: This will only work if the FW and Exchange server are on the same subnet.

Regards

Edison
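The route selection behind both answers (Jon's two routes on the server and Edison's gateway change plus persistent 10.0.0.0/8 route), as an added example that is not from the thread: a small longest-prefix-match model of the server's IPv4 table, including the check for Edison's caveat that every next hop must sit on a directly connected subnet. All addresses are constructed placeholders, not values from the thread.

```python
# Added example: models the Exchange server's routing table as described in the
# thread. Addresses are constructed placeholders (assumption), not the poster's.
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None means directly connected
    via: str                         # label used in the explanation


# Constructed addressing: the server lives in 10.50.1.0/24, the 3550's SVI for
# that VLAN is .1, and firewall 2's inside interface is placed in the same VLAN.
SERVER_VLAN = ip_network("10.50.1.0/24")
SWITCH_SVI = ip_address("10.50.1.1")
FW2_INSIDE = ip_address("10.50.1.2")

# What Jon and Edison recommend: internal /8 via the switch, default via FW 2.
SERVER_TABLE: List[Route] = [
    Route(SERVER_VLAN, None, "connected"),
    Route(ip_network("10.0.0.0/8"), SWITCH_SVI, "3550"),
    Route(ip_network("0.0.0.0/0"), FW2_INSIDE, "firewall 2"),
]

# What Ken asked about: only a default route on the server.
DEFAULT_ONLY_TABLE: List[Route] = [
    Route(SERVER_VLAN, None, "connected"),
    Route(ip_network("0.0.0.0/0"), FW2_INSIDE, "firewall 2"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching prefix wins,
    so 10.0.0.0/8 beats 0.0.0.0/0 for internal destinations."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hops_reachable(table: List[Route]) -> dict:
    """Edison's caveat: a next hop is only usable if it lies inside one of
    the server's directly connected subnets. Returns {prefix: ok}."""
    connected = [r.prefix for r in table if r.next_hop is None]
    return {str(r.prefix): any(r.next_hop in c for c in connected)
            for r in table if r.next_hop is not None}
```

Point `FW2_INSIDE` at an address outside the server's VLAN and `next_hops_reachable` flags the default route, which is why Edison's note about the firewall and server sharing a subnet matters.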
