Routing to multiple subnets

Unanswered Question
Dec 10th, 2009

Hi,


We have a network set up so that we have a feed coming in from the Internet to our router, and the LAN behind our router consists of some webservers configured with a subnet of public IP addresses. Our provider is routing packets to this network to our router, and then our router routes them to the correct server on the LAN. This works fine.


The issue is that we now need some more IP addresses (for SSL hosted sites on the webservers) and the new block we will get most likely won't continue on from the block we already have. What I'm trying to do is work out how to set up our router so that the LAN has 2 (or more) networks configured so that the servers can listen on both blocks of addresses.


The router we have is a Cisco 861 and in the web interface you can simply set a WAN IP and mask and a LAN (or rather VLAN) IP and mask. This worried me that it wouldn't be possible, but after connecting using SSH and checking out some of the Cisco commands I'm starting to think this may be possible with this router?


What I am currently thinking is I simply need to create a new VLAN for each block of IPs we need, is this correct? If so then I've been looking at this but it appears that a VLAN is attached to a particular interface (or interfaces). There are 4 physical LAN ports on this router and it seems a bit wrong that I would have to connect a separate cable to each port with a VLAN on it, all going into the same router, so they can get to the webserver.


So I guess my question is can I a) have multiple IP addresses/subnets on a single VLAN or b) can I set up multiple VLANs and attach them to a single physical interface?



Thanks for taking the time to read this and I hope my question is clear enough and makes sense.

Tom

Ganesh Hariharan Thu, 12/10/2009 - 04:03

Hi,


Go with option 2 and configure multiple VLANs on the router interface connecting inwards towards the LAN using subinterfaces. Check out the link below for inter-VLAN routing using the Router on a Stick concept.


Hope this will help on your query


http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/hybrid/routing.html



Regards

Ganesh.H

MisterOatScl Thu, 12/10/2009 - 04:51

Thank you very much for your reply, it was the answer I was hoping for and looking at that link I can see the model for exactly what I am trying to create. I've been hacking away at the router console and I seem to have got the hang of vlans; however, I can't for the life of me work out how to create subinterfaces. I've tried commands such as


interface fastethernet 1.1


and unless I use 1.0 I get the following message back


% Invalid input detected at '^' marker


(the ^ is pointing at the f in fastethernet)


If I type "interface fastethernet" and hit ? I get a message saying I can basically type 0-4, it's making me wonder if this is possible in the router.


I don't suppose you know how you do this in the 861 router or better still know where I can find a reference for the commands for this particular router?


Thanks again for your reply, your help is really appreciated!


Tom

davy.timmermans Thu, 12/10/2009 - 04:56

The fastethernet ports are layer 2 ports.


I'm not sure if you'll be able to create two vlans on the router. If this is true, you'll have to work with a secondary IP.

MisterOatScl Thu, 12/10/2009 - 05:08

Please excuse me Davy, I'm feeling dense and confused about all of this. What do you mean I'd need 2 IP addresses? I'm already expecting the router to have an IP on each of the subnets I'd be configuring on the LAN, the issue is I'd like it so that the 1 physical interface on the router can send/receive packets on both networks rather than have 2 cables running from the router to the switch. Surely that should be possible?

davy.timmermans Thu, 12/10/2009 - 05:16

How is your fastethernet port in use configured?


As a regular L2 port and a VLAN interface with 1 IP address, serving as default gateway for your servers?

davy.timmermans Thu, 12/10/2009 - 05:27

There's a big chance that you can use only 1 vlan for all your fastethernet ports. Or that you're able to create only one L3 vlan interface.


interface vlan 1
 ip add "Def gateway" SM
 ip add "Def gateway2" SM secondary


If that's the case you'll be limited to one vlan and 2 subnets.

Unless you have a layer 3 switch before the router? (3750/3560/3550/...)





MisterOatScl Thu, 12/10/2009 - 06:14

Hmm, it lets me create multiple vlans but you're saying that I can only attach 1 vlan to a fastethernet port?

If this is true I could potentially create a vlan for each fastethernet port and then plug them all into the same switch, right? This isn't ideal and I'd probably return this router and go for a different option (any suggestions on models to look at which are capable of this behaviour?) but I'm just trying to get a picture of what is going on in my mind.

Thanks for all your help so far!

davy.timmermans Thu, 12/10/2009 - 07:14

Which type of model of switch is connected to your router?


What is used as default gateway for your servers?


interface vlan x on the router?


If yes, are you able to create a second VTI (interface vlan y)?

MisterOatScl Thu, 12/10/2009 - 07:34

I don't remember the make/model of the switch, it's nothing clever or complicated and has no management interface, it's just a small gigabit ethernet switch.

The default gateway on the servers is indeed the IP address of vlan1 on the router. I can create a vlan y but I don't know what to do with it. Presumably I attach it to an interface, but because I don't seem to be able to attach it to the same interface that vlan1 is attached to, that would mean I'd have to connect up another port on a different interface?


The sub interface seems like the right thing (it looks similar to setting up ethernet aliases on linux?) but I just don't seem to be able to get this router to play the game.

davy.timmermans Thu, 12/10/2009 - 11:20

What to do with the 'authentication required' server fed.cisco.com: etc???



Subinterfaces work only on physical layer 3 interfaces. The fastethernet ports are layer 2 ports.

For each vlan/subnet you require a default gateway at a Layer 3 device which has routing intelligence (e.g. default route, ...).

As you can't work with subinterfaces, you have to work with vlan interfaces.



vlan 1 has a corresponding layer 3 interface : interface vlan 1

vlan 2 has a corresponding layer 3 interface : interface vlan 2

etc.


which could be used as default gateway.


= the same as subinterfaces but in software. The port has to be connected with the other switch via a trunk link.


BUT


In the first place I don't think you'll be able to create an extra vlan interface (interface vlan x). Could you try? (e.g. interface vlan 2)

As your switch probably won't even recognize different vlans, I think you're limited to 1 VLAN and two subnets via secondary IP address. => won't understand dot1Q.

Or you have to put each port in a vlan with a dedicated cable connecting to the '1 vlan switch' (if you can create multiple vlan interfaces).

Suppose subinterfaces would work. You'd require a dot1Q link (vlan tagging), which is not compatible with your switch's capabilities.

MisterOatScl Fri, 12/11/2009 - 04:16

I can create an extra vlan, it has no problem doing that, the problem is getting both vlans attached to a single physical interface (I'm still not sure if I'm understanding this properly).

glen.grant Fri, 12/11/2009 - 05:35

If your switch is an unmanaged switch your only option will be to create a single vlan with a secondary address, as unmanaged switches have no trunking capability.

davy.timmermans Fri, 12/11/2009 - 06:01

Indeed as I said,


interface vlan 1
 ip address x.x.x.x y.y.y.y (=default gateway for first subnet)
 ip address z.z.z.z a.a.a.a secondary (=default gateway for second subnet)

= actually 1 vlan, serving two subnets.

Besides the non-trunking capability, I also think you're not able to create a second vlan INTERFACE.

MisterOatScl Wed, 12/16/2009 - 08:55

Thanks for your help so far, I've now been talking to the network expert at Insight and he's led me to the conclusion (as I expected) that this router simply isn't made for this purpose, so we're now talking about the possibility of using a Cisco 1941 router plugged into a managed switch (Cisco 2960 or HP 2610).

Now the guy I've been speaking to has said that we'd create a VLAN for each network then configure the switch with each of these VLANs. However, from my understanding each VLAN (say for example we have the blocks 210.210.210.160/27 and 222.222.222.160/27) would be assigned to its own block of ports on the switch (e.g. 210.210.210.x on ports 1-8 and 222.222.222.x on ports 9-16), is this correct? If so this brings me back to the same problem: if I have a server running VMware with a virtual machine with a virtual network adapter configured with an address on the 210.210.210.x network and a second virtual machine configured on the 222.222.222.x network, then I'm going to need 2 interfaces on the VMware server connected to the 2 different ports on the switch?


What would be better would be if I could configure the router/switch so traffic to 210.210.210.x or 222.222.222.x goes to port 1-16 (or whatever) on the router then I can use a single cable to the vmware server hosting clients on either network, does anyone know if this would be possible before I order this equipment?


Many many thanks!

Jon Marshall Wed, 12/16/2009 - 10:30

Tom


The datasheet on the 860 routers clearly states that it supports 2 vlans and 802.1q support. Have you tried


1) creating 2 L3 vlan interfaces

2) configuring the port connecting to the switch as a trunk link. Note that the switch end would also have to be a trunk and the switch would need to be 802.1q capable


The above aside, with your new solution, if the VMware server uses one NIC then you simply configure the port on the switch as a trunk link and then the link can carry traffic for both vlans. A 2960 switch is certainly capable of trunking so there should be no problems there and you can create subinterfaces on the 1941 for each vlan.


Without wishing to confuse the issue, note that subinterfaces on a router is really a sub-optimal solution. This is what L3 switches were designed for. So you may want to talk to your network guy at Insight and compare the pros and cons of


1) 1941 with 2960 switch using subinterfaces

2) existing 860 router with L3 switch such as 3560 switch. A L3 switch does not need to use subinterfaces at all.


To be honest it's a long time since i have priced up Cisco kit and there may be other considerations that have led the Insight guy to recommend the 1941 but it may be worth having a discussion about it.


But yes, a 1941 + 2960 switch would do what you want.


Jon
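
Added example (not part of Jon's post or any poster's configuration): a router-on-a-stick sketch for the 1941 + 2960 option, using the two /27 blocks Tom mentions. The VLAN IDs (10 and 20), interface names, descriptions and the .161 gateway addresses are assumptions chosen for illustration.

```cisco
! ---- Cisco 1941 (router): one physical LAN port, one subinterface per VLAN ----
! Assumed: GigabitEthernet0/1 faces the switch; VLAN 10 and 20 are example IDs.
interface GigabitEthernet0/1
 description Trunk to 2960
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 description Gateway for 210.210.210.160/27
 encapsulation dot1Q 10
 ip address 210.210.210.161 255.255.255.224
!
interface GigabitEthernet0/1.20
 description Gateway for 222.222.222.160/27
 encapsulation dot1Q 20
 ip address 222.222.222.161 255.255.255.224
!
! ---- Cisco 2960 (switch): port numbers below are assumed ----
vlan 10
 name PUBLIC-BLOCK-1
vlan 20
 name PUBLIC-BLOCK-2
!
! Uplink to the router: carry only the two server VLANs.
interface GigabitEthernet0/1
 description Trunk to 1941
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Single cable to the VMware host: also a trunk, so guests on either
! block share one NIC (the host's virtual switch must tag VLAN 10 / 20).
interface GigabitEthernet0/2
 description Trunk to VMware host
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! A server that lives in only one block gets a plain access port.
interface GigabitEthernet0/3
 description Web server in block 1
 switchport mode access
 switchport access vlan 10
```

Limiting each trunk to the VLANs it needs keeps any other VLAN on the switch off the server-facing links; `show interfaces trunk` on the switch lists what each trunk actually carries.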

MisterOatScl Thu, 12/17/2009 - 03:05

Jon,


Thank you very very much for your reply, I think you've almost completely solved this for me now but I have 1 last question.


You say the L2 & subinterface solution is sub-optimal, am I right in thinking it's only sub-optimal when it comes to communication between 2 networks on the trunk (because a packet will have to go from the server to the switch to the router back to the switch back to the server) or are there other noticeable performance hits? The reason I ask is because this will never (well at most very rarely) happen and in which case this is probably the solution for us, however if there are other hits then I think we will fork out the extra for L3.


Thanks again for your reply, I think we have this almost sorted!


Tom

Jon Marshall Thu, 12/17/2009 - 04:43

Tom


The subinterface solution known as "routing-on-a-stick" was a precursor to L3 switches. It was a way to route between vlans when switches only worked at L2. So really if you need to route between multiple vlans the answer is a L3 switch.


It is suboptimal because -


a) the subinterfaces restrict the amount of bandwidth each vlan gets on the physical interface

b) the actual throughput of packets is much lower on a comparable router vs L3 switch because a L3 switch forwards packets at L3 in hardware


If neither of the above are a concern then yes, by all means use the routing-on-a-stick solution.


Jon

MisterOatScl Thu, 12/17/2009 - 04:53

Thank you very much, I've got a good understanding of how this all works now and know exactly what kit to get. Thanks for all your help!
