routing with multiple routers in one subnet
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||||||||
|
Posted by Pascal on March 22, 2007, 4:30 pm
Please log in for more thread options I have 2 subnets : Main subnet : 10.0.0.0/24 Remote office subnet 10.0.1.0/24 There are 2 routers connected to the Main subnet : - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253 - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254 If the default gateway on all machines in the Main subnet is 10.0.0.254 How can I route properly my traffic without having to create a persistent route on all my machines in the 10.0.0.0/24 subnet for the 10.0.1.0/24 subnet ? Thanks | ||||||||||||||||
|
Posted by ghett0 on March 22, 2007, 4:54 pm
Please log in for more thread options It's a kludge, but point your workstations to the 10.0.0.254 address for their default gateway. Ensure that this router knows how to get to 10.0.1.0/24 via 10.0.0.253. The router should issue ICMP redirects to the clients when they try to send traffic to the 10.0.1.0/24 subnet. You should consider creating a transit network. Create a third subnet and place your Internet edge router in it. Workstations 10.0.0.0/24 -> Main router -> Remote router (10.0.1.0/24)
|
| <- (Transit network) | 10.x.x.x/30 | Internet edge The Internet edge router needs two routes. First, it has a default route to your ISP's next hop. Second, it has a route 10.0.0.0/8 pointing to the transit address of the main router. | ||||||||||||||||
|
Posted by Pascal on March 22, 2007, 5:12 pm
Please log in for more thread options Thanks ghett0 !
You are right it will be a mess. Unfortunately those people who are setting up the Remote offices want me to set things up this way. I am trying to find a way to prove them that there should be a better one. Here's what they suggested me to do : http://www.duchemin.org/visio.vsd here's what I think you said I should do : http://www.duchemin.org/visio2.vsd Does this look right ? Thanks again ! ghett0 wrote: > Pascal wrote:
>> Hello,
>> >> I have 2 subnets : >> Main subnet : 10.0.0.0/24 >> Remote office subnet 10.0.1.0/24 >> >> There are 2 routers connected to the Main subnet : >> - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253 >> - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254 >> >> If the default gateway on all machines in the Main subnet is 10.0.0.254 >> How can I route properly my traffic without having to create a >> persistent route on all my machines in the 10.0.0.0/24 subnet for the >> 10.0.1.0/24 subnet ? >> >> Thanks >
> It's a kludge, but point your workstations to the 10.0.0.254 address > for their default gateway. Ensure that this router knows how to get to > 10.0.1.0/24 via 10.0.0.253. The router should issue ICMP redirects to > the clients when they try to send traffic to the 10.0.1.0/24 subnet. > > You should consider creating a transit network. Create a third subnet > and place your Internet edge router in it. > > Workstations 10.0.0.0/24 -> Main router -> Remote router (10.0.1.0/24) > | > | <- (Transit network) > | 10.x.x.x/30 > | > Internet edge > > The Internet edge router needs two routes. First, it has a default > route to your ISP's next hop. Second, it has a route 10.0.0.0/8 > pointing to the transit address of the main router. | ||||||||||||||||
|
Posted by ghett0 on March 23, 2007, 9:50 am
Please log in for more thread options Pascal wrote:
> Thanks ghett0 !
> > You are right it will be a mess. Unfortunately those people who are > setting up the Remote offices want me to set things up this way. I am > trying to find a way to prove them that there should be a better one. > > Here's what they suggested me to do : > http://www.duchemin.org/visio.vsd > > > > here's what I think you said I should do : > http://www.duchemin.org/visio2.vsd > Does this look right ? > > > > Thanks again ! > > > > > ghett0 wrote: >> Pascal wrote:
>>> Hello,
>>> >>> I have 2 subnets : >>> Main subnet : 10.0.0.0/24 >>> Remote office subnet 10.0.1.0/24 >>> >>> There are 2 routers connected to the Main subnet : >>> - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253 >>> - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254 >>> >>> If the default gateway on all machines in the Main subnet is 10.0.0.254 >>> How can I route properly my traffic without having to create a >>> persistent route on all my machines in the 10.0.0.0/24 subnet for the >>> 10.0.1.0/24 subnet ? >>> >>> Thanks >>
Hi Pascal,
>> It's a kludge, but point your workstations to the 10.0.0.254 address >> for their default gateway. Ensure that this router knows how to get to >> 10.0.1.0/24 via 10.0.0.253. The router should issue ICMP redirects to >> the clients when they try to send traffic to the 10.0.1.0/24 subnet. >> >> You should consider creating a transit network. Create a third subnet >> and place your Internet edge router in it. >> >> Workstations 10.0.0.0/24 -> Main router -> Remote router (10.0.1.0/24) >> | >> | <- (Transit network) >> | 10.x.x.x/30 >> | >> Internet edge >> >> The Internet edge router needs two routes. First, it has a default >> route to your ISP's next hop. Second, it has a route 10.0.0.0/8 >> pointing to the transit address of the main router. Now that I see what you're trying to do, I'd suggest that you see if your MPLS vendor will let you connect the local switch at your "Main" location directly to the IAD. The IAD 2431 looks like it supports two fast ethernet interfaces. You could drop your local "Main" workstations into the IAD, and it would send traffic destined for the remote location directly to the MPLS cloud. Otherwise, the IAD could send Internet-bound traffic directly to the Fortigate. Check with your provider and see if they'll work with you on this. Another option would be to enable routing capability into your "Main" switch. The idea here, again, is that you put your workstations into their own subnet so that those end points don't have to have specific routing information or rely in ICMP redirects. Enabling a routing function on that switch could address this. I guess it comes down to if your comfortable having the MPLS provider treat your "Main" location as just another stub network. Also, how much "control" do you want in terms of handing off traffic to the remote sites and the Internet. Just throwing ideas out there! :-) | ||||||||||||||||
|
Posted by Pascal on March 23, 2007, 10:57 am
Please log in for more thread options ghett0,
Please see my replies below ghett0 wrote: Hi Pascal, > Now that I see what you're trying to do, I'd suggest that you see if
> your MPLS vendor will let you connect the local switch at your "Main" > location directly to the IAD. The IAD 2431 looks like it supports two > fast ethernet interfaces. You could drop your local "Main" > workstations into the IAD, and it would send traffic destined for the > remote location directly to the MPLS cloud. Otherwise, the IAD could > send Internet-bound traffic directly to the Fortigate. Check with your > provider and see if they'll work with you on this. Here's what I think you suggested : http://www.duchemin.org/visio3.vsd As you said, I am really not comfortable having the MPLS provider be in front of my firewall and route my internet traffic, I would lose too much control. And I'm worried that if I need something done someday they will take forever to fix it. >
I kind of see the idea of that solution. The issue is that our switches
> Another option would be to enable routing capability into your "Main" > switch. The idea here, again, is that you put your workstations into > their own subnet so that those end points don't have to have specific > routing information or rely in ICMP redirects. Enabling a routing > function on that switch could address this. do not have routing capabilities. ( By the way is it what a Layer 3 switch is ? ) >
Thanks for all your advices.
> I guess it comes down to if your comfortable having the MPLS provider > treat your "Main" location as just another stub network. Also, how > much "control" do you want in terms of handing off traffic to the > remote sites and the Internet. > > Just throwing ideas out there! :-) > Now, in order to keep reasonable control of my traffic, do you think that http://www.duchemin.org/visio2.vsd is technically doable ? The fortigate firewall is also a router. It has 3 interfaces : - WAN1 connected to Iquest router ( xxx.xxx.xxx.129/27 ); - WAN2 connected to Nuvox router ( 10.0.3.0/30 ), - LAN1 connected to Main office subnet ( 10.0.0.0/24 ) If I would just create routes on the fortigate to route traffic from 10.0.0.0/24 to xxx.xxx.xxx.129/27 for internet access to WAN1 and from 10.0.0.0/24 to 10.0.3.0/30 for 10.0.1.0/24 to WAN2 Is this a way to do it too ? Thanks | ||||||||||||||||
>
> I have 2 subnets :
> Main subnet : 10.0.0.0/24
> Remote office subnet 10.0.1.0/24
>
> There are 2 routers connected to the Main subnet :
> - 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
> - 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
>
> If the default gateway on all machines in the Main subnet is 10.0.0.254
> How can I route properly my traffic without having to create a
> persistent route on all my machines in the 10.0.0.0/24 subnet for the
> 10.0.1.0/24 subnet ?
>
> Thanks