Routing to multiple Default Gateways

Answered Question
Feb 17th, 2010

This may be a simple process, but I cannot find a definitive answer.  Hope someone can help.  I am designing a template that allows for multiple sites to connect to an MPLS network as well as support a separate isolated network at each site.  The isolated network will need to route to some of the subnets, so I need to point the gateway to the core (3750).  The MPLS-connected network will also be pointed to its respective VLAN IP on the core switch for the site.  The issue I have is I need the isolated network to utilize a local internet connection while the MPLS side of the house will be connected up to the primary hub via the MPLS.

In the example below VLAN 100 and 120 will be routed to the MPLS via the switch's default gateway; VLAN 200 and 220 need to be routed to the local gateway (10.2.4.1).  So if my default route is as configured below, how do I redirect LANs 200 and 220?

interface GigabitEthernet1/0/1
description Network 1
switchport access vlan 100
!
interface GigabitEthernet1/0/2
description Network 2
switchport access vlan 120
!
interface GigabitEthernet1/0/3
description Network 3
switchport access vlan 200
!
interface GigabitEthernet1/0/4
description Network 4
switchport access vlan 220
!
interface Vlan100
description LAN1
ip address 10.100.100.1 255.255.255.0
!
interface Vlan120
description LAN2
ip address 10.4.123.254 255.255.255.0
!
interface Vlan200
description LAN3
ip address 10.100.200.1 255.255.255.0
!
interface Vlan220
description LAN4
ip address 10.2.4.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.4.123.1

Correct Answer by Jon Marshall about 6 years 11 months ago

davidjknapp wrote:


http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml

David

Did you enable the routing template, i.e. "sdm prefer routing"?

Jon

Correct Answer
Jon Marshall Wed, 02/17/2010 - 08:25

davidjknapp wrote:

This may be a simple process, but I cannot find a definitive answer.  Hope someone can help.  I am designing a template that allows for multiple sites to connect to an MPLS network as well as support a separate isolated network at each site.  The isolated network will need to route to some of the subnets, so I need to point the gateway to the core (3750).  The MPLS-connected network will also be pointed to its respective VLAN IP on the core switch for the site.  The issue I have is I need the isolated network to utilize a local internet connection while the MPLS side of the house will be connected up to the primary hub via the MPLS.

In the example below VLAN 100 and 120 will be routed to the MPLS via the switch's default gateway; VLAN 200 and 220 need to be routed to the local gateway (10.2.4.1).  So if my default route is as configured below, how do I redirect LANs 200 and 220?


David

There are generally 2 approaches to this -

1) PBR (Policy-Based Routing), where you can route traffic based on the source IP address, so you could tell your switch that for VLAN 200 and 220 it should route traffic to 10.2.4.1.

For PBR support you need IP Services on your 3750 and you need to enable the routing template, i.e. "sdm prefer routing".

2) VRF-lite. If your networks are isolated totally then you could use VRF-lite, where you end up with literally 2 virtual routers on the same physical switch. VLAN 100/120 would be in one virtual router and VLAN 200/220 would be in the other. Each virtual router has completely separate routing tables so they could each have their own default route.

It depends on whether VLANs 200/220 need to communicate with VLANs 100/120 and vice-versa. If they do then I would go the PBR route. If they don't I would look at VRF-lite.

Jon

davidjknapp Wed, 02/17/2010 - 08:55

Thanks for the fast follow-up.  This is exactly what I need.  Due to the fact that there will be a third VLAN (call it VLAN300) that will be able to communicate with either network, VRF will not work.  But great to know for other circumstances.  I will investigate Policy-Based Routing and attempt to implement it in a lab environment.

Jon Marshall Wed, 02/17/2010 - 09:01

davidjknapp wrote:

Thanks for the fast follow-up.  This is exactly what I need.  Due to the fact that there will be a third VLAN (call it VLAN300) that will be able to communicate with either network, VRF will not work.  But great to know for other circumstances.  I will investigate Policy-Based Routing and attempt to implement it in a lab environment.

David

No problem. glad to have helped.

Just for info, you can actually "leak" routes between VRFs, but I agree in your case PBR looks a better option.

Jon

davidjknapp Mon, 02/22/2010 - 12:47

I have attempted to set up a lab using two 3750s and IPs from 10.1.1.0/24 - 10.1.5.0/24.  I have a client using 10.1.1.5 (port 1) and another at 10.1.2.5 (port 47).  I want to route the 10.1.1.0 to the default gateway of 10.1.3.254 and the network 10.1.2.0 to the gateway 10.1.4.254.  Both of those IPs are on the second switch, which also has the network 10.1.5.0.

When I traceroute from either client I see the default gateway of the switch (10.1.3.254).  Not sure where I am going wrong... I know that I have tried to enter the command "ip policy route-map" at the VLAN interfaces the traffic is coming from, and it does not show in the config.  Relevant code is below.  Any help would be awesome!! Thanks

!
interface GigabitEthernet1/0/1
description Network 1
switchport access vlan 100
switchport mode access
!
!
interface GigabitEthernet1/0/3
switchport access vlan 200

!
interface GigabitEthernet1/0/16
description Network 3
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet1/0/33
description Network 3
switchport access vlan 400
!
!
interface GigabitEthernet1/0/47
description Network 2
switchport access vlan 200
switchport mode access
!
!
interface Vlan100
description LAN1
ip address 10.1.1.1 255.255.255.0
!
interface Vlan200
description LAN3
ip address 10.1.2.1 255.255.255.0
!
interface Vlan300
description LAN3
ip address 10.1.3.1 255.255.255.0
!
interface Vlan400
description LAN4
ip address 10.1.4.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 10.1.3.254
!
!
access-list 10 permit 10.1.1.5
access-list 20 permit 10.1.2.5
!
route-map LAB permit 10
match ip address 10
set ip default next-hop 10.1.3.254
!
route-map LAB permit 20
match ip address 20
set ip default next-hop 10.1.4.254
!

Jon Marshall Mon, 02/22/2010 - 14:43

davidjknapp wrote:


!
!
interface Vlan100
description LAN1
ip address 10.1.1.1 255.255.255.0
!
interface Vlan200
description LAN3
ip address 10.1.2.1 255.255.255.0
!
interface Vlan300
description LAN3
ip address 10.1.3.1 255.255.255.0
!
interface Vlan400
description LAN4
ip address 10.1.4.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 10.1.3.254
!
!
access-list 10 permit 10.1.1.5
access-list 20 permit 10.1.2.5
!
route-map LAB permit 10
match ip address 10
set ip default next-hop 10.1.3.254
!
route-map LAB permit 20
match ip address 20
set ip default next-hop 10.1.4.254
!

David

Couple of things -

1) "set ip default next-hop" means use the routing table first and if there is no specific match then use PBR. I suspect you want to use PBR before the routing table, so change this to "set ip next-hop".

2) you need to apply the policy maps to the L3 vlan interfaces so -

int vlan 100

ip policy route-map LAB

int vlan 200

ip policy route-map LAB

Jon

davidjknapp Mon, 02/22/2010 - 15:12

I did see that the "set ip default next-hop" runs as a post-routing-table solution, which is how I want it.  If there is an internal route I want it to use it; however, if there is no internal route (Internet-bound traffic) then go to this route.  For the lab I did not use routing protocols, to prevent the routes from getting transmitted... I just stuck to static routes.

I entered the exact commands, and they did not appear to have any effect, including on the config.

int vlan 100

ip policy route-map LAB

int vlan 200

ip policy route-map LAB

I was using SSH so I may have missed an error if the switch did not accept the command.  I found a Cisco article discussing the command :

SDM Prefer Extended-Match

Which I implemented but have not tested after the reload.  I discovered this after I realized that "Policy Based Routing" was listed as "Disabled" when displaying "Show ip int Vlan 100"

Will be testing after re-entering the command in the Vlans Tomorrow.

Thanks again!!! I will post my results for others to see!

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml

davidjknapp Tue, 02/23/2010 - 12:29

I have got the lab working.  What was needed was to enter "SDM prefer routing" then reload.  After which I had to remove the "set ip default next-hop 10.1.4.254" and exchange it for "set ip next-hop 10.1.4.254" (the 3750 does not support default next-hop).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_37_se/configuration/guide/swuncli.html

I do have a question related to this.  Our setup will consist of one 3750G-48TS, and then 2960G-24TS's as the access switches.  We will have 5 VLANs at each site.  There will be two gateway routers: 1 going direct to the internet (Linksys SOHO), and 2 going to the datacenter via MPLS (1800 series).  The datacenter has a different internet feed.  Let's call the network that uses local internet 100 and the network that goes through the MPLS 200.

With the configuration as is, the next-hop command will push all traffic from network 100 to the local internet router.  How do I route traffic I want to keep in the network (going to, say, the antivirus server at the datacenter)?  Wouldn't the next-hop command force all traffic to the internet gateway, bypassing the routing table?  If this is the case, what other options do I have?  Route the traffic to a router and then to the default next-hop there?

Correct Answer
Jon Marshall Tue, 02/23/2010 - 12:44

David

Glad you got it working.

As for directing traffic, the key thing to be aware of is that only traffic matched in the ACL will be sent to the next-hop specified in your route-map. And so it's all a question of configuring your ACL properly, so let's say you wanted a host (192.168.5.1) to go across the MPLS network to the antivirus server but out the other link for http traffic:

access-list 101 deny ip host 192.168.5.1 host

access-list 101 permit tcp host 192.168.5.1 any eq http

route-map PBR permit 10

match ip address 101

set ip next-hop x.x.x.x

Because the first line is a deny, it will not be sent to the next-hop of x.x.x.x but routed via the normal routing table. The second line for http traffic is a permit and so will be sent to the next-hop IP of x.x.x.x.

So you just need to be specific in your acls that you use with your route-maps.

Jon

davidjknapp Wed, 02/24/2010 - 07:15

Once again, Jon straightens me out!! Cisco does not allow "deny" ACLs on the 3750 platform; however, I can do it the other way and tell the ACL to ignore anything on the local LAN by using: access-list 120 permit ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255, considering our entire network sits in the 10.0.0.0 range and no internet traffic should be there.

Thanks Again!!

Jon Marshall Wed, 02/24/2010 - 07:16

davidjknapp wrote:

Once again, Jon straightens me out!! Cisco does not allow "deny" ACLs on the 3750 platform; however, I can do it the other way and tell the ACL to ignore anything on the local LAN by using: access-list 120 permit ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255, considering our entire network sits in the 10.0.0.0 range and no internet traffic should be there.

Thanks Again!!

David

No problem, glad to be of help. It's often surprising which bits of the full PBR set switches don't support!

Jon
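The forwarding rules Jon describes above (a deny or an unmatched ACE leaves the packet to the normal routing table; a permit sends it to the route-map next hop), together with the two points that came up earlier in the thread ("set ip next-hop" versus "set ip default next-hop", and David's permit-only 10.0.0.0/8 ACL for a platform that rejects deny ACEs), can be checked against a small model. The Python below is an added example, not code from the thread or from Cisco. The addresses follow the lab (hosts in 10.1.2.0/24, 10.1.3.254 towards the MPLS switch, 10.1.4.254 for the local internet router); the antivirus server 10.1.5.10 and the route for 10.1.5.0/24 are constructed, and placing David's ACL in a route-map sequence with no set statement, so that matched internal traffic falls through to the routing table, is one assumed way of using it rather than his final config.

```python
"""Constructed model of Cisco IOS policy-based routing (PBR) decisions.

Added example, not code from the thread or from Cisco: it reproduces the
forwarding rules described above so each route-map construct can be checked.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:                        # one access-list entry
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # TCP destination port ("eq http" = 80)


@dataclass
class Clause:                     # one route-map sequence
    seq: int
    acl: str                      # ACL number it matches
    set_kind: Optional[str]       # "next-hop", "default-next-hop" or None (no set)
    next_hop: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def wildcard(addr: str, wc: str) -> ipaddress.IPv4Network:
    """'addr wildcard' as typed in an IOS ACL -> network (contiguous wildcards only)."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


ANY = ipaddress.IPv4Network("0.0.0.0/0")


def acl_action(acl, pkt):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def rib_lookup(rib, dst):
    """Longest-prefix match; returns (most specific route, default route)."""
    d = ipaddress.IPv4Address(dst)
    specific = default = None
    for net, nh in rib:
        if net.prefixlen == 0:
            default = (net, nh)
        elif d in net and (specific is None or net.prefixlen > specific[0].prefixlen):
            specific = (net, nh)
    return specific, default


def forward(pkt, acls, route_map, rib):
    """Next hop for a packet entering an interface configured with 'ip policy route-map'."""
    specific, default = rib_lookup(rib, pkt.dst)
    for c in sorted(route_map, key=lambda c: c.seq):
        if acl_action(acls[c.acl], pkt) != "permit":
            continue                  # deny or unmatched: try the next sequence
        if c.set_kind == "next-hop":
            return c.next_hop         # PBR overrides the routing table
        if c.set_kind == "default-next-hop" and specific is None:
            return c.next_hop         # used only when the RIB has no specific route
        break                         # matched with no usable set: normal routing
    if specific:
        return specific[1]
    return default[1] if default else None


# Constructed lab: hosts in 10.1.2.0/24, MPLS switch at 10.1.3.254 (the default
# route), local internet router at 10.1.4.254; 10.1.5.10 is a made-up AV server.
RIB = [(ipaddress.IPv4Network("10.1.5.0/24"), "10.1.3.254"),
       (ANY, "10.1.3.254")]           # ip route 0.0.0.0 0.0.0.0 10.1.3.254
ACLS = {
    # access-list 120 permit ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255 (David's line)
    "120": [Ace("permit", "ip", wildcard("10.1.2.0", "0.0.0.255"), wildcard("10.0.0.0", "0.255.255.255"))],
    # access-list 121 permit ip 10.1.2.0 0.0.0.255 any
    "121": [Ace("permit", "ip", wildcard("10.1.2.0", "0.0.0.255"), ANY)],
    # Jon's pattern: deny the AV server, permit http (deny ACEs are rejected for PBR on the 3750)
    "101": [Ace("deny", "ip", wildcard("10.1.2.5", "0.0.0.0"), wildcard("10.1.5.10", "0.0.0.0")),
            Ace("permit", "tcp", wildcard("10.1.2.5", "0.0.0.0"), ANY, 80)],
}
LAB = [Clause(10, "120", None),                       # internal: match, no set -> routing table
       Clause(20, "121", "next-hop", "10.1.4.254")]   # everything else -> local internet
PBR = [Clause(10, "101", "next-hop", "10.1.4.254")]
DEFAULT_NH = [Clause(10, "121", "default-next-hop", "10.1.4.254")]
```

Running `forward(Packet("10.1.2.5", "10.1.5.10"), ACLS, LAB, RIB)` returns 10.1.3.254 (internal traffic stays on the MPLS side) while a non-10/8 destination returns 10.1.4.254; with `DEFAULT_NH` the same two packets show why "default next-hop" only kicks in when the table has nothing more specific than the default route.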

Gregory Flett Thu, 11/18/2010 - 09:51

I have a similar question but a very different scenario.

We have a brand new site that uses full redundancy on all connections and they are connected by a port channel running at 20Gbps, which is overkill.

All outbound private address traffic travels via an MPLS router. The core switches are 4506s and the router is a 2800 series I believe. Right now the fa0/0 connection from the router is connected to one of the switches and we have an unconfigured fa0/1 interface that is supposed to connect to the other core switch to provide redundancy and, as a bonus, load balancing.

The easiest way to accomplish this would be to load a routing protocol that supports load-balancing (ospf or eigrp) on to the router and use a couple of /30 networks to connect them to the switches - however the MPLS routers are managed by a team above mine and they refuse to load ANY routing protocols on the MPLS router.

Is it possible to set up a redundant connection, even if just for a failover, by any other means? PBR was close to the solution but I don't want to direct the traffic based on a policy, I just want it to have two routes to use.

Thanks!

Jon Marshall Thu, 11/18/2010 - 15:58

Greg

Just to clarify.

You have a pair of 4500 switches that connect to a 2800 router that connects to MPLS. Only one of the links is active. ?

If so -

1) How are you telling that switch to send traffic to the 2800 router? Is it just a static route on the 4500?

2) what devices are connected to the 4500 switches ie. other switches or end devices.

3) Are the 4500 switches exchanging routes between themselves, i.e. if a device on the non-2800-connected switch wants to get to the MPLS cloud, how does the 4500 switch know it has to send the traffic to the other 4500 switch?

4) How does the MPLS router know what networks are on the 4500 switch - do they have static routes.

5) If 4) is true then are the static routes only pointing to the connected 4500 switch ? If so would the MPLS group be happy to add statics for same networks pointing to other 4500 as well ?

I need answers to all of the above to understand how current routing works.

Note, as you mention, running a dynamic routing protocol such as OSPF/EIGRP between the 4500 switches and the 2800 router is by far the best solution and anything else is really just a bit of a band-aid. Did the MPLS router admin people actually give a good reason why they do not want to enable a routing protocol?

Jon

Gregory Flett Thu, 11/18/2010 - 18:24

Hi Jon - thanks for the reply..

Yes the pair of 4500s are connected to the 2800 and only one of the links is active.

The switches are set up in HSRP and MDF01 is the active; the virtual IP is 10.68.32.1, the 4500s are physically .2 and .3, and they have matching routing tables as shown below:

     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
S       10.0.0.0/8 [1/0] via 10.68.32.4
C       10.68.46.0/24 is directly connected, Vlan219
C       10.68.45.0/24 is directly connected, Vlan119
C       10.68.36.0/24 is directly connected, Vlan117
C       10.68.34.0/24 is directly connected, Vlan115
C       10.68.32.0/24 is directly connected, Vlan110
C       10.68.33.0/24 is directly connected, Vlan111
S*   0.0.0.0/0 [1/0] via 10.68.32.6
CZX-MDF-4506-01-L3#

The first static link is to the MPLS router and the gateway of last resort is to a pair of ASAs running in active/standby and connected to the "external" internet link. The active ASA is connected to MDF01, the standby to MDF02.

As you can see from the routing table there are multiple VLANs configured on each 4500. Each switch has a single gigabit connection to each of the 6 IDFs in the facility and the IDFs are on VLAN 110 (infrastructure) with IP addresses matching their name (e.g. IDF4 is 10.68.32.14, and IDF 5 is 10.68.32.15). There is also a Cisco 4400 wireless controller hanging off of MDF01. VTP is configured on the MDFs and all the connections to the IDFs are trunks. The 4500s work at L3, the 3750s run at L2.

The following is the output of the MPLS router, I don't have access to anything other than the running config:

router bgp 65***
no synchronization
bgp log-neighbor-changes
network 10.68.32.0 mask 255.255.240.0
network 172.21.193.36 mask 255.255.255.252
network 199.***.***.*** mask 255.255.255.255
neighbor 172.21.193.37 remote-as 1803
neighbor 172.21.193.37 soft-reconfiguration inbound
no auto-summary
!
ip forward-protocol nd
ip route 10.68.32.0 255.255.240.0 10.68.32.1

I think that answers all of your questions but just in case let me do it inline anyway...

1) how are you telling that switchto send traffic to 2800 router ? - is it just a static route on the 4500 ?

Yes. All 10.x traffic is routed via the MPLS router at 10.68.32.4

2) what devices are connected to the 4500 switches ie. other switches or end devices.

There are a total of 8 3750s in the network. Both IDF0 and IDF1 have two stacked 3750s, the remaining IDFs have a single 3750. There are a few end devices plugged in to the MDFs, a WeatherGoose and a WLAN controller and a few other little things that shouldn't affect routing.

3) Are the 4500 switches exchanging routes between themselves ie. if a device on the non 2800 connected switch wants to get to the MPLS clould how does the 4500 switch know it has to send the traffic to the other 4500 switch ?

Each MDF switch was configured separately with matching static routes, no dynamic exchange is currently taking place but HSRP is solving that. We have been waiting until the correct configuration is put on the router before addressing a dynamic routing protocol on the 4500s.

4) How does the MPLS router know what networks are on the 4500 switch - do they have static routes.

The router only has a single static route to the 10.68.32.0/20 network with next hop being the virtual HSRP interface. Splitting the static route into two separate routes matching half of the VLANs wouldn't really be a "solution".

5) If 4) is true then are the static routes only pointing to the connected 4500 switch ? If so would the MPLS group be happy to add statics for same networks pointing to other 4500 as well ?

Technically I don't think 4 is valid as completely "true" but I'm hoping the team would be willing to put additional static routes on the MPLS router if necessary. Would two static routes on different networks on the 2800 and a dynamic protocol between the switches work? I'm trying to think about how that would work without creating a loop.

Finally...

Did the MPLS router admin people actually give a good reason why they do not want to enable a routing protocol ?

The response was simply:

11/18/10 15:24:55 Greenwich/Universal (steven.********):

sorry greg no OSPF on the MPLS routers.

How's that for a good reason? HA!


Load-balancing is just an extra, there really isn't much need for it and I'm not quite sure how that would work with HSRP anyway. The main goal is just redundancy. The only technician on site is reasonably unfamiliar with Cisco management and if either MDF goes down I want to ensure that they will not lose connectivity to the private network (although we could set up a VPN on their ASAs, but being 16 hours time difference from Changzhou we'd prefer the switchover to be dynamic). I'm not going to ask you to paint the Sistine Chapel here; if the only solution is just ridiculous I understand, and if so I'll go try to put some sense into the MPLS admins group.

Thanks for your advice!

Jon Marshall Fri, 11/19/2010 - 01:23

Greg

A number of things spring to mind. Couple of clarifications needed

1) Are all the VLANs on the 4500 also on the 3750s? From your description it sounded like you only had VLAN 110 on the switches, but is that just the management VLAN, i.e. all the other VLANs are on the IDF switches as well?

2) the 2800 router and the 4500 switches share a common vlan with HSRP running on it, actually the same vlan that the IDF switches uses ie. 10.68.32.0/24 ?

If so you could -

1) load-balance the vlans by having half the vlans have 4500_1 as STP root and the other half having 4500_2 as STP root. You would need to match the HSRP active gateway for the vlan with the STP root. That way traffic flows to both 4500 switches from the IDF switches.

You then need to get the MPLS admins to change the static route for 10.68.32.0 which points currently to the HSRP VIP of .1 to 2 static routes which point to the actual physical interface addresses of the 4500 connections.

With the above you then use both switches from the 3750 switches and both 4500 switches in the return traffic from the 2800  router.

2) A modification on this is to use GLBP, which would automatically load-balance between the 2 4500 switches from the 3750 IDF switches. However, the problem here is that because you have a L2 trunk between the 4500 switches (which I'm assuming it is), traffic for one of the 4500 switches from the IDF switches, i.e. the 4500 switch which has a blocking link to the IDFs, would need to keep going across the interconnect all the time.

GLBP works better if the link between your distribution switches (4500s) was a L3 links so both uplinks from the IDFs are non-blocking.

You would still need the MPLS group to modify the static route.

3) The other alternative would be to route the VLANs off the IDFs and have L3 routed uplinks. This would automatically load-balance your traffic. However I can't see a lot of point in this as the 4500 then almost becomes a L2 switch only. And you would need to readdress some things because the 10.68.32.0/24 network exists both on the IDF and 4500 switches, which it couldn't with this setup.

So, depending on the answers to the clarifications above I would go with 1). Note that all of the above have concentrated on the load-balancing aspect although they obviously cover redundancy as well.

If however you want to keep config to a minimum and only want redundancy then simply connect up the 2nd switch. I can't see anything from your description that would stop that being redundant, i.e.:

the 3750s have 2 uplinks, one to each switch, so if one of the switches fails it simply uses the other uplink.

same goes for the 2800 router; it has a route pointing to the VIP so if the active VIP 4500 fails it should move over to the other switch.

If i have misunderstood anything in the setup please let me know.

Jon

Jon Marshall Fri, 11/19/2010 - 01:33

Greg

Follow up to previous thread.

There is actually something that doesn't make sense. You say that the router points to the VIP for 10.68.32.0/24 network on the 4500 switches. And that the router interface that is connected is using 10.68.32.4 ?

If so you won't be able to give the 2800 router another IP from the 10.68.32.x network on another interface because it won't let you. So you won't be able to just connect up the 2nd switch without modifying the addressing on the MPLS router.

So what I would do is have 2 new P2P subnets, e.g.

192.168.5.0/30

192.168.5.4/30  (you can choose any addressing, this is just an example)

4500_1

int gi0/1 <-- this connects to 2800

no switchport

ip address 192.168.5.1 255.255.255.252

ip route 10.0.0.0 255.0.0.0 192.168.5.2

4500_2

int gi0/1 <-- this connects to 2800

no switchport

ip address 192.168.5.5 255.255.255.252

ip route 10.0.0.0 255.0.0.0 192.168.5.6

2800 router

========

int gi0/1   <-- to 4500_1

ip address 192.168.5.2 255.255.255.252

int gi0/2  <-- to 4500_2

ip address 192.168.5.6 255.255.255.252

ip route 10.68.32.0 255.255.240.0 192.168.5.1

ip route 10.68.32.0 255.255.240.0 192.168.5.5

Jon

Gregory Flett Fri, 11/19/2010 - 11:05

Jon -

These are some great suggestions. First let me clarify - the access switches (IDFs) have an IP address on VLAN 110 but they are VTP clients so they know of all the VLANS.

PvSTP is something I hadn't thought of, our VLANs aren't specific to areas but rather types of devices, so finding the "middle" of the traffic between VLAN 115 which is workstations and VLAN 117 which is phones would require a little analysis on my end so I could balance them manually by choosing which ones should go where. GLBP would also be a good technique to load-balance the access switches and I'll do some further research on that, should be pretty easy to implement. I can see if I can get approval for the licenses to implement L3 on the access switches.

You were correct in sniffing out the error in our communication. The router is at 10.68.32.4/24 and the single static route is to the VIP for 10.68.32/20.

Since as you said we can't put two interfaces in the same subnet, then we have to transition to something like you suggested, using /30 networks like we were going to do with the routing protocol. Your example looks good except I don't see the redundancy... that is:

If the port on either side of let's say the 4500_1 connection goes down on either the router or the switch how would the switch know that it can send the traffic to 4500_2 to complete the connection. This could be said for 4500_2 as well. Would a second static route using the other switch with a higher AD solve this?

so on 4500_1 there would be:

ip route 10.0.0.0 255.0.0.0 192.168.5.2

ip route 10.0.0.0 255.0.0.0 10.68.32.3 100

and 4500_2:

ip route 10.0.0.0 255.0.0.0 192.168.5.6

ip route 10.0.0.0 255.0.0.0 10.68.32.2 100

the router would stay the same.

Essentially the end goal is the same as what a routing protocol would do except it's a little more dangerous because it's hardcoded. A coworker also told me this has the potential to create a loop which is why I didn't just go with this the instant the MPLS group told me no OSPF. Could you attest to this?

Thanks again for the information.

Greg

Jon Marshall Fri, 11/19/2010 - 11:18

Greg

This could be said for 4500_2 as well. Would a second static route using the other switch with a higher AD solve this?

Good catch, yes you would need this or alternatively run EIGRP/OSPF between your 4500 switches so they know about each others routes. I was thinking only of a switch failure which meant the 3750s would never send traffic to the failed switch.

Essentially the end goal is the same as what a routing protocol would do except it's a little more dangerous because it's hardcoded. A coworker also told me this has the potential to create a loop which is why I didn't just go with this the instant the MPLS group told me no OSPF. Could you attest to this?

Could the coworker be a little more specific? If you use floating statics you should be okay as far as I can see.

GLBP would also be a good technique to load-balance the access switches and I'll do some further research on that, should be pretty easy to implement. I can see if I can get approval for the licenses to implement L3 on the access switches.

Just to clarify, GLBP does not require L3 at the access-layer. I'm not even sure you gain that much from routing from the access-layer in this situation although it would mean not having to manually configure the vlan load-balancing.

GLBP would work much better if you used a L3 link between the 4500 switches; that way both L2 uplinks from each 3750 are non-blocking because there is no L2 loop anymore.

Jon
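The floating-static design Greg and Jon settle on above (a primary static via the /30 to the 2800, a second static via the other 4500 with distance 100, and two statics on the 2800 pointing at the physical 4500 addresses) can be checked hop by hop for the three cases that matter: all links up, one 4500-to-2800 link down, and both down. The Python below is an added example, not code from the thread or from Cisco. Addresses follow Jon's proposal and Greg's routing table (192.168.5.0/30 and 192.168.5.4/30 to the router, 10.68.32.2 and .3 on VLAN 110, 10.68.34.0/24 as a site VLAN, 172.21.193.36/30 towards the BGP neighbour); the interface names and the remote destination 10.20.0.1 are constructed.

```python
"""Constructed model of floating static routes on a pair of 4500 switches and a 2800.

Added example, not code from the thread or from Cisco. It traces a packet hop by
hop to show what the floating statics do when a 4500-to-2800 link fails.
"""
import ipaddress
from dataclasses import dataclass, field


def net(s):
    return ipaddress.IPv4Network(s)


def ip(s):
    return ipaddress.IPv4Address(s)


@dataclass
class Static:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    distance: int = 1             # administrative distance; 100 marks the floating route


@dataclass
class Node:
    name: str
    interfaces: dict              # name -> [IPv4Interface, up]
    statics: list = field(default_factory=list)

    def connected(self, addr):
        """Name of the up interface whose subnet contains addr, else None."""
        for name, (iface, up) in self.interfaces.items():
            if up and addr in iface.network:
                return name
        return None

    def best_route(self, dst):
        """Longest prefix, then lowest distance. A static whose next hop is not on
        an up, connected subnet is withdrawn from the table, as IOS does."""
        usable = [r for r in self.statics if dst in r.prefix and self.connected(r.next_hop)]
        return max(usable, key=lambda r: (r.prefix.prefixlen, -r.distance)) if usable else None


def build():
    """Jon's proposed /30 addressing plus Greg's floating statics and the two
    statics on the 2800. Interface names are constructed."""
    def iface(cidr):
        return [ipaddress.ip_interface(cidr), True]
    s1 = Node("4500_1", {"gi0/1": iface("192.168.5.1/30"), "vlan110": iface("10.68.32.2/24"),
                         "vlan115": iface("10.68.34.2/24")},
              [Static(net("10.0.0.0/8"), ip("192.168.5.2")),
               Static(net("10.0.0.0/8"), ip("10.68.32.3"), 100)])   # ip route ... 10.68.32.3 100
    s2 = Node("4500_2", {"gi0/1": iface("192.168.5.5/30"), "vlan110": iface("10.68.32.3/24"),
                         "vlan115": iface("10.68.34.3/24")},
              [Static(net("10.0.0.0/8"), ip("192.168.5.6")),
               Static(net("10.0.0.0/8"), ip("10.68.32.2"), 100)])
    r = Node("2800", {"gi0/1": iface("192.168.5.2/30"), "gi0/2": iface("192.168.5.6/30"),
                      "mpls": iface("172.21.193.38/30")},
             [Static(net("10.68.32.0/20"), ip("192.168.5.1")),
              Static(net("10.68.32.0/20"), ip("192.168.5.5")),
              Static(net("10.0.0.0/8"), ip("172.21.193.37"))])       # towards the MPLS neighbour
    return {n.name: n for n in (s1, s2, r)}


def link_down(top, a, ifa, b, ifb):
    """Take both ends of a point-to-point link down."""
    top[a].interfaces[ifa][1] = False
    top[b].interfaces[ifb][1] = False


def trace(top, start, dst, max_hops=8):
    """Forward hop by hop from node `start`; returns (path, outcome)."""
    by_ip = {str(i.ip): n for n in top.values() for i, _ in n.interfaces.values()}
    dst = ip(dst)
    node, path = top[start], [start]
    for _ in range(max_hops):
        if node.connected(dst):
            return path, "delivered"
        r = node.best_route(dst)
        if r is None:
            return path, "no route"
        nxt = by_ip.get(str(r.next_hop))
        if nxt is None:
            return path, f"exit via {r.next_hop}"    # next hop outside the model (MPLS cloud)
        if nxt.name in path:
            return path + [nxt.name], "loop"
        path.append(nxt.name)
        node = nxt
    return path, "ttl exceeded"
```

With everything up, `trace(top, "4500_1", "10.20.0.1")` leaves via the 2800; after `link_down(top, "4500_1", "gi0/1", "2800", "gi0/1")` the same trace goes 4500_1 to 4500_2 to 2800, and return traffic from the 2800 for 10.68.34.0/24 arrives via 4500_2 because the router's second static is the only one whose next hop is still reachable. With both 4500-to-2800 links down the trace reports a loop: each switch's floating static points at the other, which is the case the coworker was worried about and the one that routing between the two 4500s would prevent.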

Gregory Flett Fri, 11/19/2010 - 14:25

Short and sweet. But it works.

Tried it out in a simulation and it worked perfectly. I like to think about routers and switches as fragile items hence I like to load-balance as much as possible. Even though these switches are capable of gigabits per second and they're doing probably 50Mbps I still like to treat them gingerly and share the load as much as possible. And who knows, in a few years it might turn out to be needed.

I'm going to toy around with GLBP because getting a L3 link between the networks will be easy as we have a /20 for the site, and I'd still be able to have HSRP and be able to simulate the etherchannel with an equal cost route. My manager may think I'm obsessed with this network because it's working perfectly fine in its current configuration but since this is my first major design/deployment I feel I need to make it as good as can be!

Thanks for all your help Jon, you are a gentleman and a scholar; I'll make sure to pay it forward by contributing back to the forum.

Thanks again

Greg
