routing with multiple routers in one subnet

Discussion in 'Cisco' started by Pascal, Mar 22, 2007.

  1. Pascal

    Pascal Guest

    Hello,

    I have 2 subnets :
    Main subnet : 10.0.0.0/24
    Remote office subnet 10.0.1.0/24

    There are 2 routers connected to the Main subnet :
    - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
    - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254

    If the default gateway on all machines in the Main subnet is 10.0.0.254,
    how can I route my traffic properly without having to create a
    persistent route on all my machines in the 10.0.0.0/24 subnet for the
    10.0.1.0/24 subnet?

    Thanks
    Pascal, Mar 22, 2007
    #1

  2. Pascal

    ghett0 Guest

    Pascal wrote:
    > Hello,
    >
    > I have 2 subnets :
    > Main subnet : 10.0.0.0/24
    > Remote office subnet 10.0.1.0/24
    >
    > There are 2 routers connected to the Main subnet :
    > - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
    > - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
    >
    > If the default gateway on all machines in the Main subnet is 10.0.0.254
    > How can I route properly my traffic without having to create a
    > persistent route on all my machines in the 10.0.0.0/24 subnet for the
    > 10.0.1.0/24 subnet ?
    >
    > Thanks


    It's a kludge, but point your workstations to the 10.0.0.254 address for
    their default gateway. Ensure that this router knows how to get to
    10.0.1.0/24 via 10.0.0.253. The router should issue ICMP redirects to
    the clients when they try to send traffic to the 10.0.1.0/24 subnet.

    You should consider creating a transit network. Create a third subnet
    and place your Internet edge router in it.

    Workstations 10.0.0.0/24 -> Main router -> Remote router (10.0.1.0/24)
                                |
                                | <- (Transit network)
                                | 10.x.x.x/30
                                |
                                Internet edge

    The Internet edge router needs two routes. First, it has a default route
    to your ISP's next hop. Second, it has a route 10.0.0.0/8 pointing to
    the transit address of the main router.
    ghett0, Mar 22, 2007
    #2

  3. Pascal

    Pascal Guest

    Thanks ghett0 !

    You are right, it will be a mess. Unfortunately the people who are
    setting up the Remote offices want me to set things up this way. I am
    trying to find a way to prove to them that there should be a better one.

    Here's what they suggested I do:
    http://www.duchemin.org/visio.vsd



    Here's what I think you said I should do:
    http://www.duchemin.org/visio2.vsd
    Does this look right?



    Thanks again !




    ghett0 wrote:
    > Pascal wrote:
    >> Hello,
    >>
    >> I have 2 subnets :
    >> Main subnet : 10.0.0.0/24
    >> Remote office subnet 10.0.1.0/24
    >>
    >> There are 2 routers connected to the Main subnet :
    >> - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
    >> - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
    >>
    >> If the default gateway on all machines in the Main subnet is 10.0.0.254
    >> How can I route properly my traffic without having to create a
    >> persistent route on all my machines in the 10.0.0.0/24 subnet for the
    >> 10.0.1.0/24 subnet ?
    >>
    >> Thanks

    >
    > It's a kludge, but point your workstations to the 10.0.0.254 address
    > for their default gateway. Ensure that this router knows how to get to
    > 10.0.1.0/24 via 10.0.0.253. The router should issue ICMP redirects to
    > the clients when they try to send traffic to the 10.0.1.0/24 subnet.
    >
    > You should consider creating a transit network. Create a third subnet
    > and place your Internet edge router in it.
    >
    > Workstations 10.0.0.0/24 -> Main router -> Remote router (10.0.1.0/24)
    > |
    > | <- (Transit network)
    > | 10.x.x.x/30
    > |
    > Internet edge
    >
    > The Internet edge router needs two routes. First, it has a default
    > route to your ISP's next hop. Second, it has a route 10.0.0.0/8
    > pointing to the transit address of the main router.
    Pascal, Mar 22, 2007
    #3
  4. Pascal

    Dave Guest

    On 22 Mar, 20:30, Pascal <> wrote:
    > Hello,
    >
    > I have 2 subnets :
    > Main subnet : 10.0.0.0/24
    > Remote office subnet 10.0.1.0/24
    >
    > There are 2 routers connected to the Main subnet :
    > - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
    > - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
    >
    > If the default gateway on all machines in the Main subnet is 10.0.0.254
    > How can I route properly my traffic without having to create a
    > persistent route on all my machines in the 10.0.0.0/24 subnet for the
    > 10.0.1.0/24 subnet ?
    >
    > Thanks


    Can you not simply insert a static route on the internet router...

    ip route 10.0.1.0 255.255.255.0 10.0.0.253

    this would route traffic destined for the 10.0.1.0 back out the
    interface to the remote network through the proper gateway router.

    Dave
    Dave, Mar 22, 2007
    #4
  5. Dave wrote:

    >Can you not simply insert a static route on the internet router...
    >
    >ip route 10.0.1.0 255.255.255.0 10.0.0.253
    >
    >this would route traffic destined for the 10.0.1.0 back out the
    >interface to the remote network through the proper gateway router.


    You can, but as ghett0 already mentioned, this wouldn't result in real
    routing but rather in ICMP redirects. I had a similar setup and in my
    experience this doesn't work reliably because not all clients handle the
    redirects properly.

    But anyway, it's an interesting thing. How is this defined? If the remote
    end of the static route is in the same subnet as the source address, is an
    ICMP redirect sent back?

    Regards

    fw
    Frank Winkler, Mar 23, 2007
    #5
  6. Pascal

    ghett0 Guest

    Pascal wrote:
    > Thanks ghett0 !
    >
    > You are right it will be a mess. Unfortunately those people who are
    > setting up the Remote offices want me to set things up this way. I am
    > trying to find a way to prove them that there should be a better one.
    >
    > Here's what they suggested me to do :
    > http://www.duchemin.org/visio.vsd
    >
    >
    >
    > here's what I think you said I should do :
    > http://www.duchemin.org/visio2.vsd
    > Does this look right ?
    >
    >
    >
    > Thanks again !
    >
    >
    >
    >
    > ghett0 wrote:
    >> Pascal wrote:
    >>> Hello,
    >>>
    >>> I have 2 subnets :
    >>> Main subnet : 10.0.0.0/24
    >>> Remote office subnet 10.0.1.0/24
    >>>
    >>> There are 2 routers connected to the Main subnet :
    >>> - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
    >>> - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
    >>>
    >>> If the default gateway on all machines in the Main subnet is 10.0.0.254
    >>> How can I route properly my traffic without having to create a
    >>> persistent route on all my machines in the 10.0.0.0/24 subnet for the
    >>> 10.0.1.0/24 subnet ?
    >>>
    >>> Thanks

    >>
    >> It's a kludge, but point your workstations to the 10.0.0.254 address
    >> for their default gateway. Ensure that this router knows how to get to
    >> 10.0.1.0/24 via 10.0.0.253. The router should issue ICMP redirects to
    >> the clients when they try to send traffic to the 10.0.1.0/24 subnet.
    >>
    >> You should consider creating a transit network. Create a third subnet
    >> and place your Internet edge router in it.
    >>
    >> Workstations 10.0.0.0/24 -> Main router -> Remote router (10.0.1.0/24)
    >> |
    >> | <- (Transit network)
    >> | 10.x.x.x/30
    >> |
    >> Internet edge
    >>
    >> The Internet edge router needs two routes. First, it has a default
    >> route to your ISP's next hop. Second, it has a route 10.0.0.0/8
    >> pointing to the transit address of the main router.

    Hi Pascal,

    Now that I see what you're trying to do, I'd suggest that you see if
    your MPLS vendor will let you connect the local switch at your "Main"
    location directly to the IAD. The IAD 2431 looks like it supports two
    fast ethernet interfaces. You could drop your local "Main" workstations
    into the IAD, and it would send traffic destined for the remote location
    directly to the MPLS cloud. Otherwise, the IAD could send Internet-bound
    traffic directly to the Fortigate. Check with your provider and see if
    they'll work with you on this.

    Another option would be to enable routing capability on your "Main"
    switch. The idea here, again, is that you put your workstations into
    their own subnet so that those end points don't have to have specific
    routing information or rely on ICMP redirects. Enabling a routing
    function on that switch could address this.

    I guess it comes down to whether you're comfortable having the MPLS provider
    treat your "Main" location as just another stub network. Also, how much
    "control" do you want in terms of handing off traffic to the remote
    sites and the Internet.

    Just throwing ideas out there! :)
    ghett0, Mar 23, 2007
    #6
  7. Pascal

    Pascal Guest

    ghett0,

    Please see my replies below

    ghett0 wrote:

    Hi Pascal,
    > Now that I see what you're trying to do, I'd suggest that you see if
    > your MPLS vendor will let you connect the local switch at your "Main"
    > location directly to the IAD. The IAD 2431 looks like it supports two
    > fast ethernet interfaces. You could drop your local "Main"
    > workstations into the IAD, and it would send traffic destined for the
    > remote location directly to the MPLS cloud. Otherwise, the IAD could
    > send Internet-bound traffic directly to the Fortigate. Check with your
    > provider and see if they'll work with you on this.


    Here's what I think you suggested:
    http://www.duchemin.org/visio3.vsd

    As you said, I am really not comfortable having the MPLS provider be in
    front of my firewall and route my internet traffic; I would lose too
    much control. And I'm worried that if I need something done someday they
    will take forever to fix it.

    >
    > Another option would be to enable routing capability into your "Main"
    > switch. The idea here, again, is that you put your workstations into
    > their own subnet so that those end points don't have to have specific
    > routing information or rely in ICMP redirects. Enabling a routing
    > function on that switch could address this.

    I kind of see the idea of that solution. The issue is that our switches
    do not have routing capabilities. (By the way, is that what a Layer 3
    switch is?)

    >
    > I guess it comes down to if your comfortable having the MPLS provider
    > treat your "Main" location as just another stub network. Also, how
    > much "control" do you want in terms of handing off traffic to the
    > remote sites and the Internet.
    >
    > Just throwing ideas out there! :)
    >

    Thanks for all your advice.



    Now, in order to keep reasonable control of my traffic, do you think
    that http://www.duchemin.org/visio2.vsd is technically doable?
    The fortigate firewall is also a router. It has 3 interfaces:
    - WAN1 connected to Iquest router (xxx.xxx.xxx.129/27);
    - WAN2 connected to Nuvox router (10.0.3.0/30),
    - LAN1 connected to Main office subnet (10.0.0.0/24)

    What if I just created routes on the fortigate to route traffic
    from 10.0.0.0/24 to xxx.xxx.xxx.129/27 for internet access to WAN1
    and
    from 10.0.0.0/24 to 10.0.3.0/30 for 10.0.1.0/24 to WAN2?

    Is this a way to do it too?


    Thanks
    Pascal, Mar 23, 2007
    #7
  8. Pascal

    Pascal Guest

    Dave,

    Thanks for your reply. Based on Frank's experience, this might cause
    stability issues. So I'd rather not go this way.

    However, do you or Frank know if this: http://www.duchemin.org/visio2.vsd
    could work?

    The fortigate firewall is also a router. It has 3 interfaces:
    - WAN1 connected to Iquest router (xxx.xxx.xxx.129/27);
    - WAN2 connected to Nuvox router (10.0.3.0/30),
    - LAN1 connected to Main office subnet (10.0.0.0/24)

    What if I just created routes on the fortigate to route traffic
    from 10.0.0.0/24 to xxx.xxx.xxx.129/27 for internet access to WAN1
    and
    from 10.0.0.0/24 to 10.0.3.0/30 for 10.0.1.0/24 to WAN2?

    Is this a way to do it too?


    Thanks guys !


    Dave wrote:
    > On 22 Mar, 20:30, Pascal <> wrote:
    >
    >> Hello,
    >>
    >> I have 2 subnets :
    >> Main subnet : 10.0.0.0/24
    >> Remote office subnet 10.0.1.0/24
    >>
    >> There are 2 routers connected to the Main subnet :
    >> - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
    >> - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
    >>
    >> If the default gateway on all machines in the Main subnet is 10.0.0.254
    >> How can I route properly my traffic without having to create a
    >> persistent route on all my machines in the 10.0.0.0/24 subnet for the
    >> 10.0.1.0/24 subnet ?
    >>
    >> Thanks
    >>

    >
    > Can you not simply insert a static route on the internet router...
    >
    > ip route 10.0.1.0 255.255.255.0 10.0.0.253
    >
    > this would route traffic destined for the 10.0.1.0 back out the
    > interface to the remote network through the proper gateway router.
    >
    > Dave
    >
    >
    Pascal, Mar 23, 2007
    #8
  9. Pascal wrote:

    >The fortigate firewall is also a router. It has 3 interfaces :
    >- WAN1 connected to Iquest router ( xxx.xxx.xxx.129/27 );
    >- WAN2 connected to Nuvox router ( 10.0.3.0/30 ),
    >- LAN1 connected to Main office subnet ( 10.0.0.0/24 )
    >
    >If I would just create routes on the fortigate to route traffic
    >from 10.0.0.0/24 to xxx.xxx.xxx.129/27 for internet access to WAN1
    >and
    >from 10.0.0.0/24 to 10.0.3.0/30 for 10.0.1.0/24 to WAN2
    >
    >Is this a way to do it too ?


    Sounds reasonable. But if you now have a triple-interface firewall,
    depending on what kind the link to 10.0.1.0/24 is, you could omit the
    transfer network. Or is it a kind of connection only the former 10.0.0.253
    can handle?

    Regards

    fw
    Frank Winkler, Mar 23, 2007
    #9
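To make the redirect behaviour discussed in this thread concrete (ghett0's kludge, Dave's static route, Frank's question about when a redirect is sent back, and the three-interface fortigate design Frank calls reasonable), here is a small Python model added by the editor; it is not code from the thread or from any vendor. It implements the classic rule from RFC 792 / RFC 1812 (redirect when the packet would leave through the interface it arrived on and the source host is on that link); the WAN addresses and the endpoints on the 10.0.3.0/30 link are assumed values.

```python
import ipaddress

# Added example (not from the thread): a minimal model of a router's forwarding
# decision plus the classic ICMP redirect rule (RFC 792 / RFC 1812): when the
# packet would leave through the interface it arrived on and the source host is
# on that same link, the router forwards it but also tells the host to use the
# better next hop directly. WAN-side addresses below are constructed.

def make_router(interfaces, routes):
    """interfaces: {name: 'addr/prefix'}; routes: [(prefix, next_hop)]."""
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    table = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]
    # longest prefix first, so the default route is consulted last
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return {"ifaces": ifaces, "routes": table}

def egress_for(router, next_hop):
    """Interface whose connected subnet contains the next hop (None if unreachable)."""
    for name, iface in router["ifaces"].items():
        if next_hop in iface.network:
            return name
    return None

def forward(router, in_if, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net, nh in router["routes"]:
        if dst in net:
            out_if = egress_for(router, nh)
            same_link = src in router["ifaces"][in_if].network
            return {"next_hop": str(nh), "out_if": out_if,
                    "redirect": out_if == in_if and same_link}
    return {"next_hop": None, "out_if": None, "redirect": False}

# Dave's kludge: the Internet router is the default gateway and carries
# "ip route 10.0.1.0 255.255.255.0 10.0.0.253", pointing back out its LAN side.
KLUDGE = make_router({"lan": "10.0.0.254/24", "wan": "203.0.113.130/27"},
                     [("0.0.0.0/0", "203.0.113.129"), ("10.0.1.0/24", "10.0.0.253")])

# Pascal's later design: the remote-office router sits behind a /30 transit
# link (10.0.3.0/30; .1 and .2 are assumed), so no route points back out LAN1.
TRANSIT = make_router({"lan1": "10.0.0.254/24", "wan1": "203.0.113.130/27",
                       "wan2": "10.0.3.1/30"},
                      [("0.0.0.0/0", "203.0.113.129"), ("10.0.1.0/24", "10.0.3.2")])

if __name__ == "__main__":
    print(forward(KLUDGE, "lan", "10.0.0.10", "10.0.1.20"))
    print(forward(TRANSIT, "lan1", "10.0.0.10", "10.0.1.20"))
```

Running it shows the kludge forwarding the packet out the same LAN interface with a redirect, while the transit design forwards out WAN2 with none; a packet arriving from the WAN for 10.0.1.0/24 is forwarded without a redirect because its source is not on the LAN, which answers Frank's question.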
  10. Pascal wrote:

    >However do you or Frank know if this : http://www.duchemin.org/visio2.vsd
    >could work ?


    No clue - I can't view this file since I neither have Billy-OS nor Visio ;)

    Regards

    fw
    Frank Winkler, Mar 23, 2007
    #10
  12. Pascal

    Pascal Guest

    Frank,

    Yes, the Cisco 2431 needs to be there; it handles the connection through
    the MPLS traffic with a specific card (it also manages the VOIP system
    routing). So basically I cannot get rid of this "extra" router.

    Thanks



    Frank Winkler wrote:

    > Pascal wrote:
    >
    > >The fortigate firewall is also a router. It has 3 interfaces :
    > >- WAN1 connected to Iquest router ( xxx.xxx.xxx.129/27 );
    > >- WAN2 connected to Nuvox router ( 10.0.3.0/30 ),
    > >- LAN1 connected to Main office subnet ( 10.0.0.0/24 )
    > >
    > >If I would just create routes on the fortigate to route traffic
    > >from 10.0.0.0/24 to xxx.xxx.xxx.129/27 for internet access to WAN1
    > >and
    > >from 10.0.0.0/24 to 10.0.3.0/30 for 10.0.1.0/24 to WAN2
    > >
    > >Is this a way to do it too ?

    >
    > Sounds reasonable. But if you now have a triple-interface firewall,
    > depending on what kind the link to 10.0.1.0/24 is, you could omit the
    > transfer network. Or is it a kind of connection only the former
    > 10.0.0.253 can handle?
    >
    > Regards
    >
    > fw
    Pascal, Mar 23, 2007
    #12