Solved

How do I route traffic from internal SAN subnet through Cisco Catalyst 6509?

Posted on 2009-07-15
Last Modified: 2012-06-22
I need to connect a Cisco 2960G subnet that has our SAN equipment in it, to our new Cisco 6509 switch.  The purpose is to provide the Cisco 2960G subnet (two nodes only) access to the Internet ultimately through our firewall.  Right now all the ports on the Cisco 6509 are set up as Switch Ports and there are no routing statements on the switch.

The plan in the future is to route all our hosts through the Cisco 6509 by using an ip route command to the firewall.




Question by:dazer1virginia
13 Comments
 
LVL 4

Expert Comment

by:MattShadbolt
ID: 24866574
Your SAN should be on a separate VLAN than your data network and shouldn't be exposed to the Internet. Create VLANs on the new switch that correspond to the old switch and set up your trunks.
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24868482
Each subnet is on a separate VLAN; you should configure all VLANs on the 6500 switch. Then, for every VLAN that you need to have routing, use as a gateway the IP address of the VLAN on the Catalyst.
Add a default route at the 6500 pointing to your firewall for unknown routes. The 6500 should handle all the inter-VLAN traffic routing.
You don't have to use trunk ports on the other switches that are connected to the 6500 if their equipment only belongs to one VLAN.
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24869970
I understand how to do what you've suggested, but is there a way on the Catalyst 6500 to designate one port as a routing port, connect that to my Internet facing router, or to my firewall, and route traffic from the SAN subnet to the Internet?
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24870719
The SAN subnet is just another VLAN. What's the purpose of doing that?
If you do not want to have a default route to the router or firewall, you can add a static route for the destination subnet, or even a policy route, if you want traffic from the SAN subnet to be treated differently.
All ports are capable of being routed.
If you want to have a router only for routing the SAN subnet traffic, you can connect it to an access port on the 6506, in any VLAN (it does not have to be the same as the SAN subnet), route the SAN subnet traffic with policy routing through that router, and use your default route for the others.
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24871785
Can you provide the commands or point me to a link that will help me set that up on the Catalyst 6509?
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24871935
Which scenario? Policy routing the SAN VLAN traffic through one router connected at another port?
You only need policy routing if you want the SAN VLAN traffic to use another gateway than your normal gateway. If you want to read more:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24871968
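! Enable Layer 3 routing on the switch
ip routing
!
! One SVI per VLAN; hosts in each VLAN use that address as their gateway
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
!
interface vlan 2
 ip address 192.168.2.1 255.255.255.0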
0
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24872541
ZuluGr,

Okay, I think I've got it now.  The Catalyst 6509 is connected to a subnet (10.10.10.x) that has access to a gateway (10.10.10.251), with no routing statements on the Catalyst (using a cross-over at the moment).  If I plug a cable from each SAN Switch (10.10.6.x) into the 6509's switchports, or do I have to make the ports I plug them into routing ports?, then I should be able to use policy routing to tell the 6509 that packets from those source addresses are going to route out to 10.10.10.251.  Is this correct?
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24872900
If 10.10.10.251 is your 6506's default gateway, and you have routing enabled on the switch (ip routing), then the 10.10.6.x subnet will automatically be routed to your default gateway for Internet access. For example, if the 10.10.6.x subnet is VLAN 10 and the IP of VLAN 10 on the 6506 switch is 10.10.6.1, then if the devices on the 10.10.6.x subnet use 10.10.6.1 for their gateway, they will be routed to the 10.10.10.251 (assuming you have set the command 'ip route 0.0.0.0 0.0.0.0 10.10.10.251' on the 6506 switch, and 10.10.10.251 is the IP address of your WAN router/firewall that is connected to the 6506 at another VLAN).
0
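Added example, not part of the thread and not any poster's configuration: one way to combine the routed port and the policy route discussed above so that only traffic sourced from 10.10.6.x is sent to 10.10.10.251, with no global default route on the 6509. The interface names, VLAN 10, the addresses 10.10.10.2 and 10.10.6.1, ACL number 106 and the route-map name are assumptions for illustration.

```cisco
! Constructed example. Assumed values: Gi1/1, Vlan10, 10.10.10.2,
! 10.10.6.1, ACL 106, route-map name SAN-CALLHOME.
ip routing
!
! Layer 3 interface in the existing 10.10.10.x subnet, so the
! policy next hop (10.10.10.251) is directly reachable
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 no shutdown
!
! Routed port facing the 2960G; the SAN nodes use 10.10.6.1 as gateway
interface GigabitEthernet1/1
 no switchport
 ip address 10.10.6.1 255.255.255.0
 ip policy route-map SAN-CALLHOME
 no shutdown
!
! Match only packets sourced from the SAN subnet
access-list 106 permit ip 10.10.6.0 0.0.0.255 any
!
! Forward matched packets to the firewall; everything else is untouched
route-map SAN-CALLHOME permit 10
 match ip address 106
 set ip next-hop 10.10.10.251
!
! No 'ip route 0.0.0.0 0.0.0.0 ...' is configured, so other subnets
! do not gain a default path through the 6509.
!
! Verify with:
!  show ip policy
!  show route-map SAN-CALLHOME
```

The firewall at 10.10.10.251 needs a return route for 10.10.6.0/24 via the switch's 10.10.10.x address, and its rule set is where outbound SAN traffic should be limited to the call-home destinations, in line with the earlier advice that the SAN not be exposed to the Internet.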
 
LVL 2

Author Comment

by:dazer1virginia
ID: 24873111
I know all of this because I've done exactly what you've mentioned before :) but the 10.10.6.x subnet is completely separate and I don't want to put a global route statement or a VLAN relating to them on the 6509 right now. Devices on the 10.10.6.x are not going to use the 6509 as their global gateway...they just need to get to the Internet for calling-home issues that they may have.  
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24874299
If you do not want to put those on the 6509 as a VLAN and just need them to have Internet access, you can directly link them with your router/fw.
If you don't want to create a VLAN for those in the 6509, why not connect the 2960 to the firewall? Put a secondary IP (10.10.6.x) at the firewall's internal interface, and use that as their gw.
0
 
LVL 2

Accepted Solution

by:
dazer1virginia earned 0 total points
ID: 25035114
Appreciate the comments, but the question was never fully answered as proposed.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 25067137
What is the problem? Did you try what we recommended?
0
