Solved

How do I route traffic from internal SAN subnet through Cisco Catalyst 6509?

Posted on 2009-07-15
Last Modified: 2012-06-22
I need to connect a Cisco 2960G subnet that has our SAN equipment in it, to our new Cisco 6509 switch.  The purpose is to provide the Cisco 2960G subnet (two nodes only) access to the Internet ultimately through our firewall.  Right now all the ports on the Cisco 6509 are set up as Switch Ports and there are no routing statements on the switch.

The plan in the future is to route all our hosts through the Cisco 6509 by using an ip route command to the firewall.




Question by:dazer1virginia
 
LVL 4

Expert Comment

by:MattShadbolt
ID: 24866574
Your SAN should be on a separate VLAN from your data network and shouldn't be exposed to the Internet. Create VLANs on the new switch that correspond to the old switch and set up your trunks.
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24868482
Each subnet is on a separate VLAN, you should configure all VLANs on the 6500 switch. Then, for every vlan that you need to have routing, use as a gateway the ip address of the VLAN on the catalyst.
Add a default route at the 6500 pointing to your firewall for unknown routes. The 6500 should handle all the inter-VLAN traffic routing.
You don't have to use trunk ports on the other switches that are connected to the 6500 if their equipment only belongs to one VLAN.
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24869970
I understand how to do what you've suggested, but is there a way on the Catalyst 6500 to designate one port as a routing port, connect that to my Internet facing router, or to my firewall, and route traffic from the SAN subnet to the Internet?
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24870719
The SAN subnet is just another VLAN. What's the purpose of doing that?
If you do not want to have a default route to the router or firewall you can add a static route for the destination subnet, or even a policy route, if you want traffic from the SAN subnet to be treated differently.
All ports are capable of being routed.
If you want to have a router only for routing the SAN subnet traffic, you can connect it in an access port, on the 6506, any VLAN (it does not have to be the same as the SAN subnet), and route the SAN subnet traffic with policy routing through that router, and use your default route for the others.
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24871785
Can you provide the commands or point me to a link that will help me set that up on the Catalyst 6509?
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24871935
Which scenario? Policy routing the SAN VLAN traffic through one router connected at another port?
You only need policy routing if you want the SAN VLAN traffic to use another gateway than your normal gateway. If you want to read more:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
0

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24871968
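! Enable Layer 3 routing on the switch
ip routing
!
! One SVI per VLAN; hosts in each VLAN use its address as their gateway
int vlan 1
 ip address 192.168.1.1 255.255.255.0
!
int vlan 2
 ip address 192.168.2.1 255.255.255.0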
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24872541
ZuluGr,

Okay, I think I've got it now.  The Catalyst 6509 is connected to a subnet (10.10.10.x) that has access to a gateway (10.10.10.251), with no routing statements on the Catalyst (using a cross-over at the moment).  If I plug a cable from each SAN Switch (10.10.6.x) into the 6509's switchports (or do I have to make the ports I plug them into routing ports?), then I should be able to use policy routing to tell the 6509 that packets from those source addresses are going to route out to 10.10.10.251.  Is this correct?
0
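The policy-routing setup discussed in the comments above, written out as an added example (not posted by any participant in this thread): a routed port on the 6509 faces the SAN switch, and only packets sourced from 10.10.6.x are sent to 10.10.10.251, with no default route on the switch. The interface numbers, the /24 masks, the addresses 10.10.6.1 and 10.10.10.2, the use of VLAN 1 for 10.10.10.x and the name SAN-CALLHOME are assumptions.

```cisco
! Added example. Assumed values: interface numbers, /24 masks,
! 10.10.6.1, 10.10.10.2, VLAN 1 for 10.10.10.x, the name SAN-CALLHOME.
ip routing
!
! Layer 3 interface in the existing 10.10.10.x subnet, so that the
! next hop 10.10.10.251 is reachable as a connected route
interface Vlan1
 ip address 10.10.10.2 255.255.255.0
 no shutdown
!
! Routed port facing the 2960G SAN switch; no VLAN is created for the SAN subnet.
! SAN nodes that need Internet access use 10.10.6.1 as their gateway.
interface GigabitEthernet1/1
 no switchport
 ip address 10.10.6.1 255.255.255.0
 ip policy route-map SAN-CALLHOME
 no shutdown
!
! In a policy-routing ACL, "deny" means "do not policy-route":
! SAN traffic to 10.10.10.x follows the connected route instead.
ip access-list extended SAN-CALLHOME
 deny   ip 10.10.6.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.6.0 0.0.0.255 any
!
! Everything else sourced from the SAN subnet is handed to the firewall
route-map SAN-CALLHOME permit 10
 match ip address SAN-CALLHOME
 set ip next-hop 10.10.10.251
!
! Verify from exec mode:
!   show ip policy
!   show route-map SAN-CALLHOME
```

The firewall at 10.10.10.251 needs a return route for 10.10.6.0/24 pointing at the 6509's address in 10.10.10.x, and its rule set is the place to limit the SAN nodes to the destinations they actually need.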
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24872900
If 10.10.10.251 is your 6506's default gateway, and you have routing enabled on the switch (ip routing), then the 10.10.6.x subnet will automatically be routed to your default gateway for internet access. For example, if the 10.10.6.x subnet is VLAN 10 and the IP of VLAN 10 on the 6506 switch is 10.10.6.1, then if the devices on the 10.10.6.x subnet use 10.10.6.1 for their gateway, they will be routed to 10.10.10.251 (assuming you have set the command 'ip route 0.0.0.0 0.0.0.0 10.10.10.251' on the 6506 switch, and 10.10.10.251 is the IP address of your WAN router/firewall that is connected to the 6506 at another VLAN).
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24873111
I know all of this because I've done exactly what you've mentioned before :) but the 10.10.6.x subnet is completely separate and I don't want to put a global route statement or a VLAN relating to them on the 6509 right now. Devices on the 10.10.6.x are not going to use the 6509 as their global gateway...they just need to get to the Internet for calling-home issues that they may have.  
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24874299
If you do not want to put those on the 6509 as a VLAN and just need them to have internet access, you can directly link them with your router/fw.
If you don't want to create a VLAN for those in the 6509, why not connect the 2960 to the firewall? Put a secondary IP (10.10.6.x) at the firewall's internal interface, and use that as their gw.
0
 
LVL 2

Accepted Solution

by:
dazer1virginia earned 0 total points
ID: 25035114
Appreciate the comments, but the question was never fully answered as proposed.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 25067137
What is the problem? Did you try what we recommended?
0
