Cisco RV180W Static Routing

Hi folks.
Just needing to find out how to implement static routing in my router.  I can't seem to get it to work.  
I have an internal server that I want all of my requests to go to, and it has an internal IP of 192.168.1.7.  This router is 192.168.1.1, so it's pretty straight forward.  So I thought.  Also, can I break up various services to point to different machines?  Such as:
Machine        Ports
192.168.1.21   80, 443
192.168.1.7    25, 53, 110, 143, 995, 587
Firmware is 1.0.5.4
Any advice appreciated.  
Cheers

Hello,
Thank you for the information and I'm sorry you are having issues with your device.
I think your problem is related to the configuration you are using.
First of all, go ahead and delete all the static routing and the port forwarding rules you have created as it will be better to start from zero.
These are the requirements for this to work, make sure you meet them:
1- Check the WAN IP of the router and make sure it is the public IP address. If you don't have the public IP address then contact your ISP to get the modem on bridge mode.
2- Make sure that the server you are trying to reach from the outside is using the IP address of the router as the default gateway
3- Go to the firewall and then to access rules and create all the rules needed for your server (Check the attached screenshot). Here is a document showing how to create the rules:
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=01ef2188693e42058388dbfe3311ea1f_Access_Rules_Configuration_on_Cisco_Small_Business_RV120W_Wi.xml&pid=2&respid=0&snid=7&dispid=0&cpage=search
Keep in mind that this is everything that needs to be done to open the ports. When you create the access rules a matching port forwarding rule is created automatically.
Please let us know if you have any questions

Similar Messages

  • Too many errors after upgrading the firmware to 1.0.3.10 on Cisco RV180W wireless router

    My company purchased one Cisco RV180W wireless router a few days ago and it worked normally with the default firmware version 1.0.0.30. Today I upgraded the firmware to version 1.0.3.10. The users can still access this router via wired and wireless devices, but on the dashboard I observed two major problems: one is that the CPU utilization always shows 100%, another is that more and more errors are appearing. On the Syslog Summary panel the "Error" log has been up to 625 and is still increasing; there is one message repeatedly displayed in the log, see below:
    Wed Nov 13 13:55:25 2013(GMT+0800) [rv180w][System][PLATFORM] /pfrm2.0/bin/bwLimitConfig /tmp/system.db 18 dot11STA 100 failed. status=-1
    Who can tell me what this error message means and how to eliminate it? Also, how do I deal with the 100% CPU utilization?
    Thanks.

    Hello,
    I have been looking at different VPN routers over the last few weeks and I was very close to buying the RV180W, but then I stumbled across many posts referring to firmware issues. One issue is that the CPU sits at 100% usage; I just wondered if this is a bug in the GUI or whether the CPU is actually maxed out. Has anyone had any resolution on this?
    Also, the firmware on the emulator is a newer version than is listed on the support page. Does anyone know when 1.0.3.14 will be released for download?
    When I buy a new product I like to ensure that the system is fully up to date before it's put into use, but I obviously don't want to add any performance issues from the offset due to the CPU usage.
    I also have a couple of questions if anyone can help:
    The IPsec VPN, will this work with the built-in VPN client for Apple devices (new iOS 7)? I am unable to find a QuickVPN application for Apple iOS.
    Is the site-to-site IPsec VPN also compatible with the Cisco WRVS4400N router?
    thanks in advance.

  • Cisco ASA static route Administrative Distance

    Hello Dear Engineers,
    In Cisco ASA version 8.2(5) I configured a floating static route with a different administrative distance (for example, 10), but the OS does not seem to accept this parameter. For verification, the show route command result shows the administrative distance as 1.
    Configuration example:
    ip route 10.0.0.0 255.255.255.0 192.168.1.1 1 track 1
    ip route 10.0.0.0 255.255.255.0 192.168.2.1 10 
    S 10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2
    Is this a bug in the OS, or maybe I misconfigured something?
    Thanks in advance.

    Hi Samir,
    Even the PIX 8.0 version shows the correct AD value as defined... it might be a bug, or a misconfiguration on your end.
    pixfirewall(config-if)# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0
    C    1.1.1.0 255.255.255.0 is directly connected, out1
    C    2.2.2.0 255.255.255.0 is directly connected, out2
    S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, out1
    pixfirewall(config-if)# shut
    pixfirewall(config-if)# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 2.2.2.2 to network 0.0.0.0
    C    2.2.2.0 255.255.255.0 is directly connected, out2
    S*   0.0.0.0 0.0.0.0 [100/0] via 2.2.2.2, out2
    pixfirewall(config-if)#
    Regards
    Karthik

  • Cisco UC560 Not Clearing Static Routes When VPN Connections Drop

    We have a Cisco UC560 (UC560-FXO-K9) running "Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M),
    Version 15.1(2)T2, RELEASE SOFTWARE (fc1)". The issue is that when we have end users connecting with the Cisco VPN Client to this device, sometimes we are unable to connect to any devices on our LAN, or sometimes we can't connect to the LAN on the other end of our site-to-site VPN. The one symptom I've observed when this happens is that old VPN sessions that have disconnected appear to leave static routes from the user's outside IP at their home to an IP on our LAN via a Virtual-Access interface. When this starts to happen, I restart the firewall to clear out the stale static routes and the problem is fixed, for a while at least. Below is the current state where we have the site-to-site VPN connected to our branch office and 2 users connected with Cisco VPN clients. Below that is the static route table, which has 5 total Virtual-Access interface routes (one is an extra route for a user currently connected, so that their outside IP is in the static route table with 2 inside IPs associated). Is there a way to fix the cleanup of VPN connections when they terminate?
    #sh crypto isakmp peers
    Peer: <branch office outside IP> Port: 500 Local: <firewall's outside IP>
    Phase1 id: <branch office outside IP>
    Peer: <users's outside IP #1> Port: 50420 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Peer: <user's outside IP #2> Port: 49345 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Bugsy#sh ip ro st
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is <next hop of ISP for firewall> to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via <next hop of ISP for firewall>
          10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
    S        10.0.0.153/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.155/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.156/32 [1/0] via <user's outside IP #2>, Virtual-Access3
    S        10.0.0.158/32 [1/0] via <user's outside IP #1>, Virtual-Access3
    S        10.0.0.159/32 [1/0] via <user's outside IP #2 again>, Virtual-Access2
    S        10.1.10.1/32 is directly connected, Vlan90

    Hi Brian,
    This sounds like you are running into the following known issue:
      CSCtl03682 - EzVPN client: Several RRI routes  pointing to same virtual interface
    which is Dup'd to:
      CSCtf39056 - RRI routes not deleted
    This is fixed since 15.1(2)T4, so I would recommend upgrading to SWP 8.2 or higher.  The only other way to clean up the stuck routes is to reload the router.
    Thanks,
    Brandon

  • Setting up static routing in sa520. Im stuck.

    Hello,
    I finally got my Cisco router and, all excited about it, I tried to set it up. Everything went fine until I wanted a local machine to get its own IP address that is reachable from the outside.
    Basically I used the static IP setting in the WAN/IPv4 menu. This worked great, with the router assigning DHCP to all computers.
    Now all the local computers have an internet connection and they share one IP address on the outside.
    As for where I'm stuck: I have an Xserve with 2 network cards. It runs an FTP server which we use locally, but we also have customers needing to reach it from the outside. The local FTP works, but I'm having difficulties assigning an outside IP to it. Our ISP has provided 5 different IP addresses.
    I have tried to do this in 2 different ways, where the second way is preferable.
    First try:
    Use the optional port as a second WAN. Give it the same settings as the first WAN got but another IP address.
    Then connect the Xserve's outside network card directly to that WAN port and use DHCP. This did not work.
    Second try:
    Assign a static route from WAN2 (optional port) to the local IP address of the Xserve.
    Can someone elaborate on how this should be done?
    Thank you.
    Edit:
    Later today I will try this firewall rule.
    http://bildr.no/view/580301
    Basically I want to forward any connections from WAN2 to 192.168.1.33, which is my server. Does that look correct?

    Thank you for your quick reply.
    I'm using version 1.1.21.
    I'm actually quite sure that it's a user problem rather than a firmware error. It's the first time I've ever touched a Cisco router and I haven't done that much networking.
    I can show you how I did it on my Xserve. Maybe you can elaborate on how I can do it the same way.
        redirect_port
                proto            tcp
                targetIP         192.168.1.50
                targetPortRange  80
                aliasIP          77.40.XXX.220
                aliasPortRange   8888
    Basically it says: push whatever traffic from IP 77.40.xxx.220 to 192.168.1.50 on the local network.
    How can I do the same thing on my Cisco router? It's a NAT IP-forward rule.
    Edit:
    Screenshot shows what I have been trying.
    I have chosen the optional WAN, which is set to use another external IP address, but this does not work. It would be so much easier if I could just type in the external IP address there and use the same gateway and DNS as the main WAN.
    Added config as well.
    Thank you.

  • Cannot add static routes wrt350n

    Router has latest firmware and was just set to default values. I cannot add a static route, says "static route invalid" no matter what address I input (keeping it simple, trying 192.168.1.XXX)
    I have never had this problem with any other router and I'm thinking it's broken. Thought I'd ask here to make sure I wasn't missing a setting before I throw this thing out the window.
    Any help would be appreciated.
    Thanks, Nick.

    Thanks for the help, it is appreciated...
    I would like to use a static IP address for my LAN multimedia server; MythTV recommends a static address for the backend server. I have also always used static IP addresses for my LAN.
    I am a little confused, and my networking is very rusty so please bear with me. Perhaps I have not provided enough information, because I do not fully understand your response. I don't understand how subnetting is relevant.
    My network is a simple home network, with one router separating my LAN from the cloud. I have one LAN, no subnetting, 192.168.1.0/255.255.255.0.
    Every home router I have used before I have set up the LAN portion like this... And it has always worked in the past...
    gateway: 192.168.1.1/24.
    static routes 192.168.1.(2-5)/24 for my stationary hosts.
    dhcp range 192.168.1.(10-15)/24 for laptops and guests.
    In response:
    1) Yes it is LAN traffic, but the hosts still need addresses, right? Not sure what you're getting at here.
    2) Not sure what you mean... example host 192.168.1.20/24 and the router 192.168.1.1/24 are both within the 192.168.1.0/24 network, right? So requests from the cloud are broadcast to all in my LAN, right? How is this relevant?
    3) I thought the gateway (on my only router) has to be part of the LAN addressing. By Linksys/Cisco default, the router LAN side gateway is 192.168.1.1/24 and it sends out dhcp addresses to 192.168.1.(100-149)/24.
    Am I severely confused or are we just on the wrong page?

  • ISE version 1.3 and static route not working

    This command works without any issues with ISE version 1.1 and 1.2:
    ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
    However, it does NOT work in ISE version 1.3.  See below:
    ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
    % Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.
    % Error: Error adding static route.
    ciscoisedev/admin(config)#
    Any ideas anyone?

    So it appears that there is no option to lock down access to the shell now that the command that you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added or request that ACL functionality is added. 
    For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access

  • Static routes within VRF

    Is there a limit to the number of static route one could use within a VRF ?
    We have a large customer connected to MPLS VRF based backbone and due to various limiting factors this customer uses static routing from a PE-CE perspective.
    We have been experiencing a problem where a static needs to be removed and placed back as routing to a site stops (no traffic passed). This happens intermittently and to different sites within different regions as well. All the general or expected troubleshooting procedures have been followed, i.e. check routing table, BGP, CEF tables, FIB etc. All seems fine; the only thing that resolves this is removing the static and then replacing it.
    My thinking is that there might be a limit to the number of statics that one can use within a VRF and that we have reached the limit for this customer, which causes the intermittent failure.
    Please advise.

    I know of a "maximum routes limit " command to limit the number of routes in a Vrf on a PE.
    From this command reference i find there are no default values for this.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r/xrfscmd3.htm#1032272
    So I assume, the default is to allow a huge value and the only limitations would be the memory/capacity and the number of vrfs on the PE router.
    If you are experiencing a problem in this regard and removing a static route is helping to overcome it, then I would only suspect a bug here.
    I am also curious to know how many static routes you have in this particular VRF.

  • What syntax would I use to take off a DMZ, Outside static route from a Pix

    I am having a problem with mail coming in and currently have all smtp traffic going to a mail filtering server. I want to point the traffic directly to the exchange server instead, but, before I do I want to make sure that I can take that static route off after the test.
    This is the syntax that I have and would like to change.
    static (DMZ,outside) tcp xxx.xxx.xxx.xxx smtp 172.16.xxx.xxx smtp netmask 255.255.255.255 0 0
    I would like to point it to another IPA and then take it off.

    Hello,
    not sure if this is what you are asking, but check this link to the PIX command reference:
    static
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
    HTH,
    GP

  • Configuring Static Route Tracking Using ASDM 7.1(3) ASA 9.1(2)

    I have recently updated my ASA5520 to 9.1(2) and I am using ASDM 7.1(3) to configure Static Route Tracking. I have done this previously in earlier versions of ASDM without a problem. There seems to be a new field in the Tracked Options section. What is the "Target Interface"? Is it the interface I want to use as the standby route when the monitor fails? Or is it the interface that is doing the monitoring?
    I have looked through Cisco ASA Series General Operations ASDM Configuration Guide Software Version 7.1, as well as older ASDM books and this field is never listed or described.

    Hi,
    The target interface will be the interface through which you will be polling some destination IP address with ICMP Echos to determine if the route through that interface is still valid.
    So in your case you would use "Outside"
    Here's the link to the ASA Command Reference listing the above "type" command under the "sla monitor 1" configuration:
    http://www.cisco.com/en/US/docs/security/asa/command-reference/t2.html#wp1568359
    - Jouni

  • Configuring static routes at the network edge

    We have some Cisco 1750 routers at the edge of our network which are running RIP. We were advised to use static routes on the router, since there was only one route (across a WAN link) for traffic to go from the hub connected to the router, as RIP would only waste the limited bandwidth to the router. We posted this problem previously and got a response which stated: You could set up a default static route on your edge router, run RIP on your internal routers in order to propagate the default, but block the RIP to the outside.
    On your edge router, make a default route to your external link. Keep RIP running as before, but add the line redistribute static in your rip configuration. That will get the default route propagated.
    Now to stop the RIP on the external interface: If the link is on a different major IP network to your internal network, you can simply not include it in the network commands under rip. But if it is in the same network, then RIP will be enabled on the interface, so you will have to add passive-interface xxxxx, where xxxxx refers to the interface carrying your external link,
    Alternatively, you could define your default route using the ip default-network command. This will get propagated automatically into the RIP even without the redistribute command.
    We tried it; the problem is that the router is unreachable via the serial or Ethernet, although if connected to the router via the console port, with the configuration screen, you are able to ping external locations and are able to telnet into the router, but the PCs on the Ethernet side of the router can't see the network.
    Assistance/advice requested.
    Attached you will find the actual reply and a copy of some info from our work file.

    Ernie
    I have looked at the config that you posted and I see several issues. The serial interface on Salvage is 172.20.2.2. Your message indicates that it is connected via serial to a 3640 which your message seems to indicate is 172.20.1.4. But that makes the 3640 on a different subnet. Connections over a serial link should be in the same subnet on both ends. (The exception to that is when you are using the ip unnumbered feature - which you are not). I suspect that part of your problem is that the routers do not see themselves on a connected subnet. When you run RIP over the link it can compensate for that to some degree. But when you stop RIP the problem has impact.
    Also I see that you have a static default route as Kevin suggested. And in RIP you have redistribute static. But there is no default metric defined. To redistribute into RIP you need a default metric. Another aspect of the problem with the default route is that the next hop for the default route is 172.20.1.4, but without RIP running I believe that Salvage has no idea how to get to that address. You can confirm this by doing show ip route 172.20.1.4 on Salvage. I suspect that you will get an error about route not in table.
    Beyond these issues I believe that there is a larger problem of misunderstanding. When I look at your original post in this thread it talks about not running RIP over the serial link. And when I read Kevin's response the first paragraph is describing not running RIP over the serial interface when it says do static default on your edge router and run RIP on your internal router. If you are not running RIP over the serial interface then I see no reason to run RIP on Salvage at all. There is one piece of this that Kevin did not address. If you do not run RIP over the serial link then how does the 3640 know about the Ethernet subnet at Salvage. I believe that the answer is that the 3640 needs to configure a static route to 172.20.27.0 with the 1750 serial interface as the next hop. And if there are other routers that the 3640 communicates with via RIP then the 3640 needs to redistribute static into RIP (remembering to have a default metric).
    If you address these issues I believe that you will have connectivity from the central network to the remote subnet on Salvage.
    HTH
    Rick

  • How can I configure static routes in a CUCM?

    Hi.
    I have seen that there is no-way to set static routes in a Call Manager but I have read that you can add static routes in the Linux that runs CUCM.
    If I do that, will I lose the Cisco support for that server?
    I don't know why a Level 3 server (like a CUCM, Presence , Unity,...) doesn't permit routing configuration.
    Regards.
    Rafa

    Thanks for your answer, Jaime.
    That implies that we have to insert an intermediate router.
    I think that routing features should be implemented in Unified Communications servers.
    Regards

  • Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

    Hi All
    Is it possible in IOS to have for a particular subnet:
    a) Two static routes?
    b) Make one static route a higher priority than the other?
    c) If one static route "goes down", failover to the lower priority static route?
    We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
    Again, many thanks in advance for all responses!
    Thanks
    John

    Hi John,
    Hope the below explanation will help you...
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
    The above configuration with just two floating static routes partially accomplishes our requirement, as it will work only in the scenario where the router's interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up, we are not able to reach the gateway; this usually happens when the issue is at the ISP side.
    In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
    Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
    IP SLA is configured to ping a target, such as a publicly routable IP address, a target inside the corporate network, or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following is a sample configuration of IP SLA to generate ICMP pings targeted at ISP1's next-hop IP.
    R1(config)# ip sla 1
    R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
    R1(config)# timeout 1000
    R1(config)# threshold 2
    R1(config)# frequency 3
    R1(config)# ip sla schedule 1 life forever start-time now
    The above configuration defines and starts an IP SLA probe.
    The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
    Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
    Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
    After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
    R1(config)# track 1 ip sla 1 reachability
    The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
    To verify the track status use the "show track" command as shown below:
    R1# show track
    Track 1
    IP SLA 1 reachability
    Reachability is Down
    1 change, last change 00:03:19
    Latest operation return code: Unknown
    The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
    Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
    Tracking       Return Code                Track State
    Reachability   OK or over threshold       Up
                   (all other return codes)   Down
    The last step in the IP SLA Reliable Static Route configuration is to add the "track" statement to the default routes pointing to the ISP routers as shown below:
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
    Please rate the helpful posts.
    Regards,
    Naidu.

  • How do you promote a static route over a directly connected?

    Hi all,
    I have a need for a static route to be used instead of a directly connected route. (Long story - involving firewalls and anti-spoofing.. but can go further if required)
    I am using a Cisco 3750 switch. I notice directly connected routes have a metric of 0, and the highest metric I can give a static route is 1.
    Therefore, how is it possible for me to make the switch use the static route and not the directly connected?
    Any help would be appreciated!
    Cheers,
    Ben

    Hi Rick,
    Thanks for your patience.
    Maybe I should start again.
    Initially we had 16 VLANs within the 10.0/16 address space. We have some Cisco 3750s connected by dark fibre across a couple of kms and then lower access switches all hanging off these by some means. The network is flat.
    We have a checkpoint firewall hanging off one of the 3750s connected using a TRUNK port. The firewall has an IP address on all VLANs and is used to route traffic between VLANs based on its ruleset.
    So if I have a user in VLAN 10 who wants to talk to VLAN 20, they travel to the firewall, if a rule permits the access, the firewall routes the packet on to VLAN 2 and the switches deliver at Layer 2.
    The switches all have their default VLAN 1 disabled, and have an IP address on our management VLAN to allow us to manage the switches.
    It's quite important that this IP is on a secured management VLAN as we don't want just anyone being able to snoop switch logins etc.
    If we need to login to a switch, the firewall routes our traffic from whatever VLAN we are on to the Management VLAN.
    One of our VLANs (the Desktop VLAN) is quite large (approx 1300 hosts) and suffers a great deal from too much arp broadcast traffic.
    As we have a flat switched network across several kms, the cost of putting in routers to subnet this large VLAN is excessive.
    However, the 3750s we have are perfectly capable of routing between VLANs, so we decided to create a load of new VLANs instead of subnetting our large VLAN. We don't want to use the firewall to route between these new VLANs as that's just giving the firewall more to do, and previously all these hosts were on a single subnet, so we have no need for any strict security - at most we can use ACLs on the switches if we even need that!
    So far so good.
    With 1300 hosts, we obviously can't make sudden topology changes. Therefore we need to be able to route between the Desktop VLAN and the new VLANs.
    We therefore introduce the static routes between the firewall and the switches.
    So the firewall says:
    route 10.1.0.0/16 via Multilayer switch IP on 10.1.0.0/16
    The multilayer switch says:
    route 10.0.0.0/16 via Firewall IP on 10.1.0.0/16
    This allows routing perfectly between the Desktop VLAN and the new VLANs.
    However the moment we enable ip routing on the switches we break access between the desktop VLAN and the Management VLAN.
    A packet leaves the desktop VLAN through the default gateway on the firewall. This is then routed to the Management VLAN. The return packet doesn't use the Management VLAN default gateway (firewall), it follows the static route on the switch and ends up at the firewall on 10.1.0.0/16. This is subsequently dropped as the firewall knows the packet hasn't come from the 10.1.0.0/16 network, it originally came from the desktop VLAN on 10.0.0.0/16.
    It might seem we can define a route on the switch to say:
    route 10.0.50.0/24 (management VLAN) via 10.0.50.254 (firewall). However, this would result in all packets from 10.1.0.0/16 being dropped by the firewall.
    The other problem is that if we are on a new VLAN and want to talk to the management VLAN. The packet goes to its default gateway on the switch. The switch says - "I have an IP on the management VLAN, its directly connected" - therefore it ignores the static route, and passes the packet on its way. We have now bypassed the firewall, which is bad.
    Incidentally the return packets get routed through the firewall and dropped, as the original packet didn't come through the firewall, there is no entry in the state table for its return.
    I think if we turned off the management interface on the switch and managed it through the interface on 10.1.0.0/16, I assume everything would work. However, we don't want to do this for a whole load of other reasons I wont go into.
    I'm sure there must be a fairly simple solution - I just don't have enough experience!
    Cheers,
    Ben

  • Floating static routes

    If a RIP-enabled primary interface goes down and is backed up by a Dialer 1 floating static route with an admin distance of e.g. 200, can a second Dialer 2 be configured to connect to the same location via a second floating static route with e.g. admin distance 240, in the event of Dialer 1 not connecting?

    Hi Larry,
    I've given this a bit of thought and believe that you can possibly get this going using the feature 'Reliable Static Routing Backup Using Object Tracking'. There's some info and examples regarding this here:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xe/dbackupx.htm#wp1071672
    Essentially, you would use the 'track' keyword with the 'ip route' statement for the floating static route for your first dialer. The static route would only be installed if you had actual connectivity over this dialer. If your dialer does not come up, the track object will change status to down and bring down that floating static route, enabling your third static default route to kick in.
    I have not tried this personally but the approach makes sense...
    Hope that helps - pls rate the post if it does.
    Regards,
    Paresh
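As an added illustration (not code from any of the posts above) of the route-selection rules that Naidu's floating static route walkthrough, Ben's connected-versus-static question and Paresh's tracked-route suggestion all turn on, here is a small Python model of an IOS routing table: longest prefix match first, then lowest administrative distance, with a tracked static route eligible only while its track object is up. The SVI name Vlan50, the firewall address 10.1.0.254 and the destination 198.51.100.10 are assumed values constructed for the example.

```python
"""Toy model of IOS route selection among connected, static and floating
static routes: longest prefix match first, then lowest administrative
distance (AD); a static route carrying 'track N' is a candidate only while
track object N is up.  Constructed for illustration, not Cisco code."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

CONNECTED_AD = 0   # directly connected interface
STATIC_AD = 1      # default AD of 'ip route' when none is given


@dataclass
class Route:
    prefix: str                  # "10.0.50.0/24", "0.0.0.0/0", ...
    next_hop: str                # next-hop address or interface name
    ad: int = STATIC_AD
    track: Optional[int] = None  # track object id from 'track N'

    def __post_init__(self) -> None:
        # Normalise dotted masks ("0.0.0.0/0.0.0.0") into CIDR form.
        self.prefix = str(ipaddress.ip_network(self.prefix, strict=False))

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def parse_ip_route(cmd: str) -> Route:
    """Parse 'ip route NET MASK NEXTHOP [AD] [track N]', the IOS syntax used
    in the thread; any other keyword is rejected rather than guessed."""
    tok = cmd.split()
    if tok[:2] != ["ip", "route"] or len(tok) < 5:
        raise ValueError(f"not an 'ip route' command: {cmd!r}")
    net, mask, next_hop = tok[2], tok[3], tok[4]
    ad, track, rest = STATIC_AD, None, tok[5:]
    while rest:
        if rest[0] == "track" and len(rest) > 1:
            track, rest = int(rest[1]), rest[2:]
        elif rest[0].isdigit():
            ad, rest = int(rest[0]), rest[1:]
        else:
            raise ValueError(f"unsupported keyword {rest[0]!r} in {cmd!r}")
    return Route(f"{net}/{mask}", next_hop, ad, track)


class Rib:
    """Every configured route plus the current state of each track object."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.track_state: Dict[int, bool] = {}  # track id -> up?

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def set_track(self, track_id: int, up: bool) -> None:
        self.track_state[track_id] = up

    def _eligible(self, r: Route) -> bool:
        # An unknown track object counts as down: the route stays out.
        return r.track is None or self.track_state.get(r.track, False)

    def installed(self) -> List[Route]:
        """Per prefix, the eligible route with the lowest AD is installed."""
        best: Dict[str, Route] = {}
        for r in self.routes:
            if not self._eligible(r):
                continue
            cur = best.get(r.prefix)
            if cur is None or r.ad < cur.ad:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match over the installed routes."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.installed() if addr in r.network]
        return max(hits, key=lambda r: r.network.prefixlen, default=None)


def r1_default_next_hop(track_up: bool) -> str:
    """Naidu's R1: tracked default via 2.2.2.2, floating default via 3.3.3.3."""
    rib = Rib()
    rib.add(parse_ip_route("ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1"))
    rib.add(parse_ip_route("ip route 0.0.0.0 0.0.0.0 3.3.3.3 10"))
    rib.set_track(1, track_up)  # what 'track 1 ip sla 1 reachability' reports
    return rib.lookup("198.51.100.10").next_hop  # constructed Internet host


def switch_next_hop(dst: str) -> str:
    """Ben's 3750: a connected management SVI (AD 0) beats a static route for
    the same /24 (AD 1).  SVI name Vlan50 and firewall IP 10.1.0.254 assumed."""
    rib = Rib()
    rib.add(Route("10.0.50.0/24", "Vlan50", ad=CONNECTED_AD))
    rib.add(parse_ip_route("ip route 10.0.0.0 255.255.0.0 10.1.0.254"))
    rib.add(parse_ip_route("ip route 10.0.50.0 255.255.255.0 10.0.50.254"))
    return rib.lookup(dst).next_hop
```

With the track up, r1_default_next_hop returns 2.2.2.2 and with it down 3.3.3.3; switch_next_hop("10.0.50.10") stays on Vlan50 however many statics for that /24 are added, which is exactly the behaviour Ben ran into.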
