01-10-2012 02:33 AM - edited 03-04-2019 02:51 PM
Guys,
I have an issue where I have the following scenario -
8 customers each segregated on a switch stack using VLANs and SVIs for their gateways, for example -
Customer A
Network ID - x.210.24.64
Subnet Mask - 255.255.255.248
SVI IP Address - x.210.24.65
Client IPs - x.210.24.66 - x.210.24.70
Broadcast - x.210.24.71
Customer B
Network ID - x.210.24.72
Subnet Mask - 255.255.255.248
SVI IP Address - x.210.24.73
Client IPs - x.210.24.74 - x.210.24.78
Broadcast - x.210.24.79
I then have a layer 3 routed port connected to an upstream layer 3 switch (managed by external supplier) using the following details -
Layer 3 Routed Port
Network ID - x.210.24.124
Subnet Mask - 255.255.255.252
Port IP - x.210.24.125
Broadcast - x.210.24.127
Finally, I have a default route which is configured as follows -
ip route 0.0.0.0 0.0.0.0 x.210.24.126
This is the next hop IP of the external supplier switch which performs the internet routing.
I am experiencing the following problems with this -
1) I am unable to obtain internet access from any of the customer VLANs. I can successfully ping the SVI address for the VLAN. I can successfully ping the layer 3 routed port, but I am unable to ping the external supplier switch (x.210.24.126) or any internet address.
2) If I remove the SVI configuration and use a simple layer 3 routed port instead I receive the same problem. For example, if I configure a port with the IP address x.210.24.65 (as per Customer A above) and plug my laptop into the port and configure it with (x.210.24.66 and a gateway of x.210.24.65) I receive the same problem.
As a side note, the switch can successfully access the internet without any problems. It is ONLY when connected to one of the customer subnets that I am unable to route to the internet.
Any help as to the cause would be greatly appreciated.
01-10-2012 03:03 AM
Are you running NAT?
If not, it sounds like the next hop device connected to the switch does not have a route for either the Customer A or Customer B networks.
Can hosts in either VLAN ping the other end of the layer-3 routed port x.210.24.126 ?
Does the next hop device (x.210.24.126) connected to the switch have a route for the Customer A and Customer B networks?
01-10-2012 05:45 AM
Thanks for the reply, no there is no NAT taking place. I would tend to agree with what you have stated "the next hop device connected to the switch does not have a route for either the Customer A, or Customer B networks". I think the external supplier has not entered an aggregate route for the x.210.24.64/26 range.
01-10-2012 06:52 AM
You have a 255.255.255.252 assigned to your internet space, meaning the .125 address is the only thing routable to the internet.
How are the other subnets assigned to you? Are they ADDITIONAL subnets assigned to your circuit? If they are assigned to your circuit, you need to have the ISP add a route statement something like this:
ip route x.210.24.72 255.255.255.248 x.210.24.125
Thanks,
Sean Brown
01-10-2012 07:02 AM
Apologies, I should have made the original post a little clearer. The supplier has supplied me with the network x.210.24.64/26. I am then taking this subnet and dividing it into smaller subnets. The x.210.24.124/30 subnet is purely used for routing purposes. I need this subnet to ensure I can route upstream to the supplier router, therefore my default route is - 0.0.0.0 0.0.0.0 x.210.24.126.
I think what I need to make this work is a route on the external supplier equipment to forward all requests for x.210.24.64/26 to my switch on x.210.24.125. My switch can then perform the routing as they are all directly connected routes.
Thanks
Nick
01-10-2012 07:07 AM
Can you PM me your subnets/IP assignments....
Sean
01-10-2012 07:32 AM
Sean,
Unfortunately not, I would be in breach of my company's security policy. The addresses above are the best real-life example I could think of without exposing anybody's actual address.
Thanks
Nick
01-10-2012 07:36 AM
No worries....
Can you post a full sh run... sh vlan and sh ip route....
Essentially, you're having a subnetting/routing problem here, which can be fixed; I just need to see how it's set up.
Sean
01-11-2012 12:37 AM
Thanks for the help yesterday, apologies for the delay in getting back to you. I have been liaising with the ISP over the configuration at their end, and they have sent me the following -
interface TenGigabitEthernet1/x.3016
description ### ###
encapsulation dot1Q 3016
ip vrf forwarding xx.INET.3016
ip address x.210.24.65 255.255.255.192
no ip redirects
no cdp enable
standby 116 ip x.210.24.9
standby 116 timers 1 3
standby 116 priority 95
standby 120 ip x.210.24.126
standby 120 timers 1 3
standby 120 priority 95
service-policy input xx
service-policy output xx
I have removed the real IPs and used the previous examples. It would appear they are using VRF and HSRP for redundancy. The VRF instance for me will therefore maintain a copy of the x.210.24.64/26 network.
My configuration is as follows -
Layer 3 Port
interface FastEthernet1/0/24
description XXX
ip address x.210.24.125 255.255.255.252
spanning-tree portfast
Customer A VLAN
interface Vlan101
description ****xxx****
ip address x.210.24.66 255.255.255.248
Customer A Ports
interface FastEthernet1/0/1
description XXX
switchport access vlan 101
switchport mode access
mls qos vlan-based
spanning-tree portfast
Default Route
ip route 0.0.0.0 0.0.0.0 x.210.24.126
I don't currently have access to the switch to post a sh ip route or sh vlan, but the configuration is as basic as above with regards to routing and subnetting. I have removed most of the other configuration from the examples above as it's not needed. I'm guessing the problem is due to me passing different subnets upstream? Although I thought the aggregate route for the x.210.24.64/26 network would have handled this.
01-11-2012 02:56 AM
Hi Nicholas,
Had a quick look at this thread. My thoughts here. Let's do some groundwork before we jump into the issue you are having.
The ISP has given you a /26 to play with and you subnetted that into /29's and a /30.
The subnets are as below
Customer A
Network ID - x.210.24.64/29
Customer B
Network ID - x.210.24.72/29
Routed Link between switch and ISP
Network ID : x.210.24.124/30
Now, the ISP doesn't care how you route these between themselves. So essentially what they do is route everything for the /26 towards your GW, which is .125. The problem you are having seems to be return traffic. You advised that you are unable to ping the GW IP of the ISP, which is .126, from your PCs. If you can't ping .126 from your PCs, sometimes it can be due to an access list at their end trying to mitigate DoS attacks. Anyway, basically it looks like the ISP doesn't have a route to your subnets.
Get them to check the static route for the /26. They should have something like this on their end.
ip route x.210.24.64 255.255.255.192 x.210.24.125
Now, I am also not sure why the ISP is using your whole /26 at their end. They should pick a /29 from the /26 which you won't be using on your end if they want to use HSRP, and then when they advertise your network into BGP towards upstream they would advertise it as a /26.
HTH
Kishore
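As an added illustration (not posted by anyone in the thread), the following Python uses the standard ipaddress module to check the addressing plan Kishore lays out: that the /29s and the /30 fit inside the delegated /26 without overlapping, which planned subnet the ISP's interface address .65/26 lands in, that the default-route next hop sits on the routed link, and the return route the ISP needs. The page masks the first octet as 'x'; the code substitutes 10 as a constructed placeholder.

```python
"""Checks on the addressing plan discussed in this thread (constructed example).
The thread masks the first octet as 'x'; 10 is substituted as a placeholder,
so 10.210.24.64/26 stands for the page's x.210.24.64/26."""
import ipaddress

ASSIGNED = ipaddress.ip_network("10.210.24.64/26")  # the /26 delegated by the ISP

# Nick's subdivision of the /26: customer /29s plus the /30 routed link.
PLAN = {
    "Customer A": ipaddress.ip_network("10.210.24.64/29"),
    "Customer B": ipaddress.ip_network("10.210.24.72/29"),
    "Routed link": ipaddress.ip_network("10.210.24.124/30"),
}

# Address the ISP put on its interface ('ip address x.210.24.65 255.255.255.192')
# and the next hop of Nick's default route.
ISP_INTERFACE = ipaddress.ip_interface("10.210.24.65/26")
DEFAULT_NEXT_HOP = ipaddress.ip_address("10.210.24.126")


def plan_fits(assigned, plan):
    """True if every planned subnet lies inside the delegation and none overlap."""
    nets = list(plan.values())
    inside = all(n.subnet_of(assigned) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


def conflicts(plan, host):
    """Planned subnets a foreign address falls inside; anything here is a clash."""
    return [name for name, net in plan.items() if host in net]


def isp_return_route(assigned, link):
    """Static route the ISP needs so return traffic for the /26 reaches our end of the /30.
    Our router holds the first usable address of the link (.125), the ISP the second (.126).
    """
    ours, _theirs = link.hosts()
    return f"ip route {assigned.network_address} {assigned.netmask} {ours}"


def report():
    """All checks as a dict so callers can inspect results rather than read printed text."""
    return {
        "plan_fits_delegation": plan_fits(ASSIGNED, PLAN),
        "isp_interface_conflicts": conflicts(PLAN, ISP_INTERFACE.ip),
        "default_next_hop_on_link": DEFAULT_NEXT_HOP in PLAN["Routed link"],
        "required_isp_route": isp_return_route(ASSIGNED, PLAN["Routed link"]),
    }
```

Running report() shows the plan itself is sound and that the ISP's .65/26 interface address lands inside Customer A's /29, which is the encroachment the thread ends up resolving.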
01-11-2012 04:53 AM
Kishore,
Thanks for the response, I fully agree with the requirement for a return route to my switch.
Can you clarify what you mean by "not sure why the ISP is using your whole /26 at their end. They should pick a /29 from the /26 which you won't be using on your end if they want to use HSRP, and then when they advertise your network into BGP towards upstream they would advertise it as a /26."
Are you suggesting the ISP should alter the subnet mask within the port configuration to a 255.255.255.248? I am confused as to why they are providing me with a /26 network, but then using one of the IPs in their port configuration?
See below -
interface TenGigabitEthernet1/x.3016
description ### ###
encapsulation dot1Q 3016
ip vrf forwarding xx.INET.3016
ip address x.210.24.65 255.255.255.192
no ip redirects
no cdp enable
standby 116 ip x.210.24.9
standby 116 timers 1 3
standby 116 priority 95
standby 120 ip x.210.24.126
standby 120 timers 1 3
standby 120 priority 95
service-policy input xx
service-policy output xx
I would have thought that if they are providing me with a /26 network, all of those addresses can be used by me. Their configuration should not encroach on this.
01-11-2012 07:38 AM
A quick thank you to everybody that provided information on this thread. I have finally convinced the ISP it was a fault at their end, and that they were encroaching on my IP range within their port configuration. I have managed to convince them to create a different subnet and advertise my network into BGP from this new subnet.
I now have a fully functional /26 network and can fully subdivide the network into smaller segments with the ability to route to the internet.
Thanks
Nick