Alrighty then. I've been passed the ball on this new network infrastructure the company is doing. And I can't, for the life of me, figure out exactly what's wrong here.
Situation: Switch Stack configured to 10.20.13.2.
MPLS Router is 10.20.13.1
VoIP VLAN Configured for 10.90.0.1/24
And we're adding a wireless DSL router as an alternate gateway/internet source for specific access only (IT prefers not to use the MPLS thanks to better bandwidth from DSL...)
I've got it configured on VLAN 91, with 10.91.0.1 being the switch, 10.91.0.254 being the router. The reason for this is we want it to be separate from the rest of the networks, no unsolicited traffic coming in, etc. It seems to work great! I can ping from the 10.20.13.x subnet to the router. It responds. Everything's happy... until I try using it as a default gateway.
Here's the problem: I configure a computer with 10.91.0.254 as the default gateway, but when I try to tracert out, it goes through the MPLS! Here's the info...
IP Address: 10.20.13.203
Subnet Mask: 255.255.255.0
Default Gateway : 10.91.0.254
Tracing route to vnsc-bak.sys.gtei.net [18.104.22.168]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.20.13.1
2 4 ms 4 ms 4 ms 22.214.171.124
And what's weird is if I configure it as a gateway, and try to ping it, it gives me 10.20.13.1: Destination net unreachable. But if it's not set as the gateway, I can ping it just fine. Any ideas?
I will note: by default the gateway is the switch: 10.20.13.2, and when that is the gateway I can ping 10.91.0.254. I attempt to set the gateway as 10.91.0.254 and it stops talking to the switch and tries going straight through the MPLS.
When the default gateway is 10.20.13.2, it goes from that to the internet. When it is 10.91.0.254 it tries going through 10.20.13.1, our MPLS connection to the internet. Shouldn't it, if it is 10.20.13.2, be going from 10.20.13.2 to 10.20.13.1 to the internet? I'm confused!!!
What am I missing?
Normally, but here's the thing. We've got a corporate gateway which goes over a slow connection, and a wireless DSL router with a fast connection. We'd like to have our PCs be in the VLAN 90 so we can access and monitor the network but be able to use the gateway in VLAN 91 for internet traffic. We'd like to keep it on a separate VLAN to prevent somebody from getting in to the wireless, and through that into our network. We've got an access list set up for this purpose from our Cisco friend, but he's stumped too as to the behavior of the connection.
What we've currently got at this (old) facility is a dsl modem plugged into a router with a 10.20.12.10 address, and we just use that as a default gateway.
So why can't we create a VLAN and be able to access across the VLAN the same way?
Why is it, with no default gateway, the switch acts like a router (it becomes the gateway, and a tracert shows the switch, then the internet, instead of the switch, the MPLS, the internet)? Why is it, when we set a gateway, the switch, instead of forwarding the traffic it receives to the VLAN that the gateway's IP is on, forwards it to 10.20.13.1, the MPLS, who tries to forward it to that address? Shouldn't the switch automatically forward it to the VLAN, instead of trying to use the 10.20.13.1 address?
- Are you performing any kind of routing on the Switch or is it purely layer 2?
- You cannot configure an IP address as default gateway if it is not in the same subnet as the PC's IP address. The PC uses the default gateway to send traffic to subnets/networks that it does not belong to. In this case, the PC does not know how to get to 10.91.0.254. In your case, the Switch is very likely doing a Proxy ARP to re-route traffic to the MPLS cloud.
Send the configuration of the Switch and the router so we can troubleshoot better.
I believe it is a layer 3 setup. I did not configure this switch, I'm just trying to work with what I was given. Shall I just post the configuration straight in here?
Ok, here it is. I think....
I didn't set this up, but would like to think that the guy who did knew what he was doing.
We will be moving our network to these switches in a month or so, which means that this configuration will likely change as well.
I think that the ICMP redirects (see #1 below) that the switch is issuing for the MPLS router is causing this mysterious behavior. I stand by my recommendation to use PBR combined with the last remark in #1 to put the IT traffic on that DSL router.
1) Your 10.20.13.0/24 net is dependent upon ICMP redirects (http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml) to go off-net. Your DHCP scope router option is set to the SVI address and the switch's default route is the MPLS router. You could encounter some inconsistent behavior and some large client routing tables with this config. Better to put the MPLS and peer switch interface/SVI on a separate network.
2) You have ip helper-address on the vlan SVI and are running a dhcp scope at the same time. I guess this could be for redundancy in case the switch's dhcpd crashes, but I've not seen that happen before. The switch will respond with its offer before 10.20.12.11 does, so you could see some inconsistencies in the client configs. You said that you didn't set it up, so be aware that it's there.
Reproduce the behavior you're seeing and then do a "route PRINT" on the host and paste it in here.
Yup, see those host routes to 13.1? That's ICMP redirection at work. Other than implementing the measures I described, I'm not sure what else to tell you.
I'm not at all familiar with working through the CLI with this kind of stuff, sadly. Can you be more specific with what needs to be done so I can read up on it?
I did find this in the configuration:
Gateway of last resort is 10.20.13.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 3 subnets
C 10.20.13.0 is directly connected, Vlan20
C 10.90.0.0 is directly connected, Vlan90
C 10.91.0.0 is directly connected, Vlan91
S* 0.0.0.0/0 [1/0] via 10.20.13.1
Yes, I configured the static route back. Sec...:
Subnet IP Subnet Mask Gateway Interface
127.0.0.1 255.255.255.255 127.0.0.1 lo0
10.91.0.254 255.255.255.255 10.91.0.254 bridge0
10.20.13.0 255.255.255.0 10.91.0.1 --
The last is the one I added. Naturally I removed the public IP parts.
Wow. What you're describing sounds sort of like proxy-arp, 'cept the host's mask is too long. I think we're missing something in the description here cause it...well it doesn't make sense. To clear it up I think diagrams and configs will be necessary.
Best thing to do is to set the thing to best practices, hosts' gateway on same subnet with hosts etc. Then you ip-policy the hosts you want using the DSL to the DSL router.
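As an added example (not the OP's switch config, which is not posted in the thread, and not written by either responder), this is the IOS shape of what both the "#1/PBR" post and the last reply are recommending: hosts on VLAN 20 keep the on-link SVI 10.20.13.2 as their gateway, the switch stops issuing ICMP redirects toward 10.20.13.1, and only the selected IT hosts' Internet-bound traffic is policy-routed to the DSL router at 10.91.0.254. The interface name Vlan20 and the addresses come from the routing table the OP pasted; the IT host range 10.20.13.200-207, the ACL and route-map names, and the assumption that every internal or MPLS-reachable network lives inside 10.0.0.0/8 are mine, not from the page.

```cisco
! Hosts' SVI: gateway stays on-link (10.20.13.2), no redirects, PBR applied inbound.
interface Vlan20
 ip address 10.20.13.2 255.255.255.0
 ! Stop the switch from telling hosts "use 10.20.13.1 directly"; this is what
 ! was creating the host routes seen in "route print".
 no ip redirects
 ! Policy-route traffic arriving from the hosts on this VLAN.
 ip policy route-map IT-VIA-DSL

! What gets sent to the DSL router. The deny keeps anything destined for the
! private 10/8 space (assumption: all internal and MPLS networks are in 10/8)
! on the normal routing table; only Internet-bound traffic from the IT hosts
! (hypothetical range 10.20.13.200-207, which includes the OP's .203) matches.
ip access-list extended IT-INTERNET
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 10.20.13.200 0.0.0.7 any

! Matching packets go to the DSL router on VLAN 91; anything that does not
! match falls through to normal routing, i.e. the default route via 10.20.13.1.
route-map IT-VIA-DSL permit 10
 match ip address IT-INTERNET
 set ip next-hop 10.91.0.254
```

Three caveats a practitioner would want before applying this. First, on some Catalyst models (3560/3750 class) `ip policy route-map` only takes effect after the SDM template is switched to `routing` and the switch reloaded; check `show sdm prefer` first. Second, a plain `set ip next-hop` blackholes the matched hosts if the DSL router goes down, since the switch keeps forwarding to an unreachable next hop; if that matters, add next-hop verification with an IP SLA track rather than relying on the static next hop. Third, the DSL router still needs the return route the OP added (10.20.13.0/24 via 10.91.0.1) and must NAT that subnet outbound (assumed, not shown on the page), and the access list on VLAN 91 that the OP mentions still governs what the wireless side may initiate toward the rest of the network; PBR changes only where the IT hosts' traffic exits, not what VLAN 91 may reach.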