How do I route traffic from an internal SAN subnet through a Cisco Catalyst 6509?

I need to connect a Cisco 2960G subnet that has our SAN equipment in it, to our new Cisco 6509 switch.  The purpose is to provide the Cisco 2960G subnet (two nodes only) access to the Internet ultimately through our firewall.  Right now all the ports on the Cisco 6509 are set up as Switch Ports and there are no routing statements on the switch.

The plan in the future is to route all our hosts through the Cisco 6509 by using an ip route command to the firewall.




dazer1virginia Asked:

MattShadbolt Commented:
Your SAN should be on a separate VLAN than your data network and shouldn't be exposed to the Internet. Create VLANs on the new switch that correspond to the old switch and set up your trunks.
0
ZuluGr Commented:
Each subnet is on a separate VLAN; you should configure all VLANs on the 6500 switch. Then, for every VLAN that needs routing, use the IP address of that VLAN on the Catalyst as the gateway.
Add a default route on the 6500 pointing to your firewall for unknown routes. The 6500 should handle all the inter-VLAN traffic routing.
You don't have to use trunk ports on the other switches that are connected to the 6500 if their equipment only belongs to one VLAN.
0
dazer1virginia Author Commented:
I understand how to do what you've suggested, but is there a way on the Catalyst 6500 to designate one port as a routing port, connect that to my Internet facing router, or to my firewall, and route traffic from the SAN subnet to the Internet?
0
ZuluGr Commented:
The SAN subnet is just another VLAN. What's the purpose of doing that?
If you do not want to have a default route to the router or firewall, you can add a static route for the destination subnet, or even a policy route if you want traffic from the SAN subnet to be treated differently.
All ports are capable of being routed.
If you want to have a router only for routing the SAN subnet traffic, you can connect it to an access port on the 6506, in any VLAN (it does not have to be the same as the SAN subnet), route the SAN subnet traffic through that router with policy routing, and use your default route for the others.
0
dazer1virginia Author Commented:
Can you provide the commands or point me to a link that will help me set that up on the Catalyst 6509?
0
ZuluGr Commented:
Which scenario? Policy routing the SAN VLAN traffic through one router connected at another port?
You only need policy routing if you want the SAN VLAN traffic to use another gateway than your normal gateway. If you want to read more:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
0
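Istvan Kalmar, Head of IT Security Division, Commented:
! Enable Layer 3 routing on the switch
ip routing
! One routed VLAN interface (SVI) per subnet; its address is that subnet's gateway
int vlan 1
 ip address 192.168.1.1 255.255.255.0
!
int vlan 2
 ip address 192.168.2.1 255.255.255.0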
0
dazer1virginia Author Commented:
ZuluGr,

Okay, I think I've got it now.  The Catalyst 6509 is connected to a subnet (10.10.10.x) that has access to a gateway (10.10.10.251), with no routing statements on the Catalyst (using a cross-over at the moment).  If I plug a cable from each SAN switch (10.10.6.x) into the 6509's switchports (or do I have to make the ports I plug them into routing ports?), then I should be able to use policy routing to tell the 6509 that packets from those source addresses are going to route out to 10.10.10.251.  Is this correct?
0
ZuluGr Commented:
If 10.10.10.251 is your 6506's default gateway, and you have routing enabled on the switch (ip routing), then the 10.10.6.x subnet will automatically be routed to your default gateway for Internet access. For example, if the 10.10.6.x subnet is VLAN 10 and the IP of VLAN 10 on the 6506 switch is 10.10.6.1, then if the devices on the 10.10.6.x subnet use 10.10.6.1 as their gateway, they will be routed to 10.10.10.251 (assuming you have set the command 'ip route 0.0.0.0 0.0.0.0 10.10.10.251' on the 6506 switch, and 10.10.10.251 is the IP address of your WAN router/firewall that is connected to the 6506 in another VLAN).
0
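The policy-routing variant discussed in the two comments above, written out as an added IOS configuration sketch (not posted by any participant in this thread). VLAN 10 and 10.10.6.1 follow ZuluGr's example; the interface name, VLAN 100, 10.10.10.2 and the two SAN host addresses are constructed assumptions.

```cisco
! Added example. Constructed values: Gi1/1, VLAN 100, 10.10.10.2,
! and SAN hosts 10.10.6.11 / 10.10.6.12.
ip routing
!
vlan 10
 name SAN
vlan 100
 name FW-TRANSIT
!
! SAN switch uplink stays an ordinary access port; no routed port needed
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
!
! SVI that the SAN nodes use as their gateway; policy routing is applied here
interface Vlan10
 ip address 10.10.6.1 255.255.255.0
 ip policy route-map SAN-TO-FW
!
! SVI in the subnet where the gateway 10.10.10.251 lives
interface Vlan100
 ip address 10.10.10.2 255.255.255.0
!
! Only the two SAN nodes are policy-routed; traffic to the local
! 10.10.10.x subnet is excluded and follows the normal routing table
ip access-list extended SAN-CALLHOME
 deny   ip 10.10.6.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip host 10.10.6.11 any
 permit ip host 10.10.6.12 any
!
route-map SAN-TO-FW permit 10
 match ip address SAN-CALLHOME
 set ip next-hop 10.10.10.251
!
! No "ip route 0.0.0.0 0.0.0.0 ..." is configured, so other sources
! arriving on Vlan10 have no path off the switch.
! Verify with: show ip policy / show route-map SAN-TO-FW
```

The firewall at 10.10.10.251 needs a return route for 10.10.6.0/24 via the switch's transit address, and its rule set is the place to limit which outbound destinations the SAN nodes may reach.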
dazer1virginia Author Commented:
I know all of this because I've done exactly what you've mentioned before :) but the 10.10.6.x subnet is completely separate and I don't want to put a global route statement or a VLAN relating to them on the 6509 right now. Devices on the 10.10.6.x are not going to use the 6509 as their global gateway...they just need to get to the Internet for calling-home issues that they may have.  
0
ZuluGr Commented:
If you do not want to put those on the 6509 as a VLAN and just need them to have Internet access, you can directly link them with your router/fw.
If you don't want to create a VLAN for those on the 6509, why not connect the 2960 to the firewall? Put a secondary IP (10.10.6.x) on the firewall's internal interface, and use that as their gw.
0
dazer1virginia Author Commented:
Appreciate the comments, but the question was never fully answered as proposed.
0
Istvan Kalmar, Head of IT Security Division, Commented:
What is the problem? Did you try what we recommended?
0