03-25-2009 01:47 PM - edited 03-06-2019 04:49 AM
Maybe I am way off base here, but here is what I am trying to do:
We have a co-location site that hosts our web sites, and we run a fiber connection between HQ and the co-location. We can use the public handoff at the co-location for a backup internet connection from corp HQ. What I have done so far is set up a tunnel between HQ and the co-location, and that is working just fine. Now here is where I need some help. In the switch at the co-location, I have a separate vlan set up for the public handoff to the co-lo POP. Right now there is a vlan interface for that vlan, but it has no IP address assigned. In order for my tunnel to work, I will need an IP address. My question is, can I use a private IP address for that vlan without screwing anything up, or will I have to use one of my publicly assigned IP addresses?
03-25-2009 01:59 PM
Hello Erik,
I'm not sure I have understood your post.
However, if you want to set up a tunnel over the internet for backup purposes you need:
two public IP addresses that are used in the external envelope (header) to allow packets to go between the two locations over the internet
one private subnet used over the tunnel that allows you to build a logical point-to-point link.
So if you are referring to an L3 SVI associated with the L2 broadcast domain (VLAN) where the internet link terminates, yes, you need to assign a public IP address to it and you need to protect your device from access from the internet.
Using a private address there would be useless.
Rather, you should assign a private IP address to the tunnel itself (I am thinking of a GRE tunnel).
A GRE tunnel carried inside IPSec should be the best solution.
Hope to help
Giuseppe
03-25-2009 02:24 PM
Thanks for the fast response. Here are my configurations so far so that it makes a little more sense to you:
On my core L3 switch (4507R)
interface Tunnel1
description Tunnel to **** for Internet
ip address 10.0.0.1 255.255.255.252
tunnel source 172.16.6.241
tunnel destination 172.16.6.242
On my 3560 switch at the co-location:
interface Tunnel1
description Tunnel to Corp for Internet
ip address 10.0.0.2 255.255.255.252
tunnel source 172.16.6.242
tunnel destination 172.16.6.241
interface FastEthernet0/24
description PublicHandoff
switchport access vlan 2
switchport mode access
spanning-tree portfast
interface Vlan2
no ip address
! (I am assuming this needs to be a public IP)
03-25-2009 02:33 PM
Erik
What other addresses are used in vlan 2, i.e. do you need to route from the tunnel to a public IP? If you do, then yes, your vlan 2 interface will need a public IP.
If you route from the tunnel to a private IP, then no, you don't need a public IP.
Jon
03-25-2009 02:35 PM
Yes, VLAN 2 is my public handoff, i.e., it uses a pool of public IP addresses.
03-25-2009 03:04 PM
Then yes, if vlan 2 hands off within the same vlan to the Internet, you should use one of the public IP addresses.
Jon
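Added example, not part of any post in this thread: a small Python audit that applies the replies' advice to an IOS-style configuration. It flags tunnel endpoints in RFC 1918 space (fine over the private fiber, but not usable as an outer header over the Internet), a public-facing SVI with no address or a private one, and the absence of an inbound ACL on that SVI. The function names and the `public_svi` parameter are assumptions of this example.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, abridged from the co-location 3560 configuration in the thread.
COLO_CONFIG = """\
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source 172.16.6.242
 tunnel destination 172.16.6.241
interface FastEthernet0/24
 switchport access vlan 2
interface Vlan2
 no ip address
"""

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_interfaces(config):
    """Return {interface name: [stripped stanza lines]} from IOS-style text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return stanzas

def audit(config, public_svi):
    """Apply the replies' advice; public_svi names the Internet-facing SVI (an assumption)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        for line in lines:
            m = re.match(r"tunnel (source|destination) (\d+\.\d+\.\d+\.\d+)$", line)
            if m and is_private(m.group(2)):
                findings.append(f"{name}: tunnel {m.group(1)} {m.group(2)} is private, not routable over the Internet")
        if name == public_svi:
            addr = next((l.split()[2] for l in lines if re.match(r"ip address \d", l)), None)
            if addr is None:
                findings.append(f"{name}: no IP address assigned")
            elif is_private(addr):
                findings.append(f"{name}: {addr} is private, use a public address")
            if not any(re.match(r"ip access-group \S+ in$", l) for l in lines):
                findings.append(f"{name}: no inbound access-group protecting the device")
    return findings
```

Calling `audit(COLO_CONFIG, "Vlan2")` returns four findings for the configuration as posted: the two private tunnel endpoints, the unaddressed Vlan2 interface, and the missing inbound ACL on it.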