Transfering AS from 1 carrier to another

pipsadmin · ‎08-13-2008

Hi,

I hvae an AS that comprises of 16 x /24s.

This peering is being done on a 3640.

Currently i'm only advertising/peering 8 of theses 16 like so:

interface FastEthernet0/0.3

encapsulation dot1Q 230

ip address 216.24.231.1 255.255.255.0 secondary

ip address 216.24.232.1 255.255.255.0 secondary

ip address 216.24.233.1 255.255.255.0 secondary

ip address 216.24.234.1 255.255.255.0 secondary

ip address 216.24.235.1 255.255.255.0 secondary

ip address 216.24.236.1 255.255.255.0 secondary

ip address 216.24.237.1 255.255.255.0 secondary

ip address 216.24.230.1 255.255.255.0

Is it good practice to do 3 vlans sub-interfaces on the FastEthernet, like for instance:

I need to bring in 5 more, but I'm thinking of changing this setup now.

My 3640 is connected to a 6500 as a trunk port and the firewall is on the 6500 with a trunk port also.

Could I do 3 netblocks each with it's own vlan and sub-interface on the 3640, trunk that to the 6500 and back to the firewall? The firewall is a fortigate and actualy supports up to 256 sub interfaces.

How many sub interfaces are you allowed to put on a 3640 Fastethernet?

Im thinking of this setup:

(This would be vlan 224 with Firewall Sub-Interface as 216.24.224.2/21)

interface FastEthernet0/0.3

encapsulation dot1Q 224

ip address 216.24.224.1 255.255.248.0

(This would be vlan 232 with Firewall Sub-Interface as 216.24.232.2/22)

interface FastEthernet0/0.4

encapsulation dot1Q 232

ip address 216.24.232.1 255.255.252.0

(This would be vlan 236 with Firewall Sub-Interface as 216.24.236.2/22)

interface FastEthernet0/0.5

encapsulation dot1Q 236

ip address 216.24.236.1 255.255.252.0

Edison Ortiz · ‎08-13-2008

I believe it's time to move your inter-vlan routing to a switch. You are relying on an old 3640 while having a 6500 in your network?

Something is definitely wrong with this design unless you aren't explaining the whole picture.

__

Edison.

pipsadmin · ‎08-14-2008

i know, trust me i know...

Keep saying the same thing over and over, but they dont want this...

I just need to know if the above would work, if not, what's another way to do this?

Edison Ortiz · ‎08-14-2008

I prefer the setup you are proposing (having each subnet on its owns Vlan) but I'm not sure about the limitation of subinterfaces in the 3640 nor I can find any documentation on the matter.

It's very rare someone using a router for this kind of setup when there are capable switches around.

__

Edison.

pipsadmin · ‎08-14-2008

ok, here is a more detailed scenerio diagram of what I'm thinking of doing, but I'm not sure... Something is telling me there's a better what to do this...

Edison Ortiz · ‎08-14-2008

Something is telling me there's a better what to do this...

Well, yes. Move the inter-vlan routing to the 6500 and have the 3640 connect to the 6500 in routed or access mode.

But then again, I said that already and you nixed the idea.

__

Edison.

tdrais · ‎08-14-2008

Not sure I see the purpose of the 6500 between the router and the firewall. All it is doing is to act as a crossover cable between the router and the firewall.

I am going to hope that you have another switch on the far side of firewall and have not cabled both the trust and untrust into the 6500. Still you are going to have to run the firewall in layer 2 mode which make things more challenging.

You will also need to change your BGP since it will not advertise out any of these subnets. You will need to verify with the ISP they will take a bgp advertisement with less than a /24 mask.

Have to agree with edison you really want to move the routing further into you network. Either on the firewall itself on the inside ports or to a layer 3 switch behind the firewall. With this many layer 2 networks running through the firewall one broadcast storm will bring the firewall to its knees.