Network Upgrade and int vlan routing question

forgetoo
Level 1

I want to give a brief overview of the current setup and what I had planned to do in the future.  This is also where a few questions come into play.  Currently we have 3 10.x.x.x subnets between three buildings with a WAN connection.  This connection is invisible to us so it can be seen as just a LAN.  The speed is 100mb.  We have a 2811 router sitting at each building translating their traffic back to 10.3.1.1.  We then have a router in the main building which ships the 10.3.x.x traffic to an ASA and then out the door to an ISP.

My plan was to upgrade this 100mb WAN connection to 10g fiber between our buildings as they are in extremely close range of each other.  I would need an equipment upgrade as a 2811 won't support 10g traffic.  Rather than replacing 3 routers in each of the buildings it seemed logical that I could get something like a Catalyst 4500 or 6500 and do int vlan routing, making it all one huge campus LAN and creating a vlan for each building to segment the traffic between them.  My understanding was that a cat 3500/4500/6500 did not need a router with sub interfaces in a one arm setup to bridge this traffic.  This is where the problem comes in.

I used the following guide from cisco.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

I tested with a cat 3560 and was unable to get the vlans to route correctly.  Do I have to have a router to get int vlan routing to work?  If so then I might as well get a Router which can handle multiple 10g fiber for the core instead of a cat 4500/6500 since I'd need the router to do the int vlan routing anyway?

Any help with these questions would be much appreciated.


17 Replies

dan.cicioiu
Level 1

Hi Jon,

First of all, I did not understand your setup very well, but currently there is no need.

You can use any of the Cat 3560/4500/6500 switches for this upgrade. Any of them can do inter-VLAN routing and supports 10G.

So basically you can have a Layer 3 distribution switch per building that has the SVIs (interface vlans / gateways for the PCs) and also does the routing between buildings.

HTH

Dan

I figured that was the case, and I have a cat 3560 with 24 FE ports and 2 1g SFP ports in the network already.  So I attempted to add an extra vlan and have it route out as a test.  However I guess the trouble I'm having is that historically you use vlans to separate traffic.  So which command allows them to talk with each other and route correctly?  I'll post parts of the config below.  Basically as a test I'm trying to add a 10.6.1.1 vlan and assign a 10.6.1.2 ip to a computer to test int vlan routing.

I'm running c3560-ipservicesk9-mz.122-55.SE4

!
system mtu routing 1500
ip routing
!
interface FastEthernet0/5
 ! the router 10.3.3.1 is located here
!
interface FastEthernet0/11
 ! a dns server with ip 10.3.3.10 is located here
!
interface FastEthernet0/13
 ! test vlan pc located here
 switchport access vlan 2
 switchport mode access
!
interface Vlan1
 ip address 10.3.3.110 255.255.0.0
!
interface Vlan2
 ip address 10.6.1.1 255.255.0.0
!
ip route 0.0.0.0 0.0.0.0 10.3.3.1
!

I can check via "show vlan" to see VLAN0002 has Fa0/13 assigned, and with "show int vlan2" that vlan2 is up and line protocol is up.  From the PC on Fa0/13 I can ping 10.6.1.1 and the switch can ping 10.6.1.2 (the PC).  The PC can ping 10.3.3.110 (vlan1), however it cannot ping 10.3.3.10 or 10.3.3.1.  From what I can see, all I have done so far is create a vlan which should not be able to ping 10.3.x.x.  So what exactly makes this inter vlan routing?  What parts of the config am I missing?

From the article posted earlier I have omitted this

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 200.1.1.1 255.255.255.0
Switch(config-if)#no shutdown

I am not able to take FE0/5 (port to router 10.3.3.1) issue no switchport and make it 10.3.x.x because it already conflicts with the vlan1 range.

Hi Jon,

You've got the basic config for inter-VLAN routing on the switch. 'no switchport' makes the port a routed (L3) port, so you do not need to make that change. Can you post the configs on Fa0/5 and Fa0/11 and 'show ip route' from the switch?

Make sure the IP settings on both router and DNS server are correct.

Thx

MS

I posted what was listed under Fa0/5 and Fa0/11; there is nothing in the switch config on those ports other than what was posted.  They don't have a vlan assigned in the config via switchport access vlan 1.  However when I do show vlan all ports are listed on vlan1 labeled default.  I figured this might cause an issue but I was unsure, and this switch is in production so I am unable to play with it during work hours to test.

#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1
2    VLAN0002                         active    Fa0/13
3    VLAN0003                         active    Fa0/14

#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.3.3.1 to network 0.0.0.0

     10.0.0.0/16 is subnetted, 3 subnets
C       10.3.0.0 is directly connected, Vlan1
C       10.6.0.0 is directly connected, Vlan2
C       10.7.0.0 is directly connected, Vlan3
S*   0.0.0.0/0 [1/0] via 10.3.3.1
#

I have since created a vlan3 10.7.1.1 and both pcs from 10.6.1.1 can ping each other but both have problems contacting 10.3.3.1 or 10.3.3.10

Router config is as follows.  This router connects the main building to a second location via WAN.  We have an ASA on the switch in Fa0/1 which goes to the ISP.  The ip of the ASA is 10.3.3.254 and you will see a static route in the 10.3.3.1 router pointing all traffic to it.  Both devices are directly connected via Fa0/1 and Fa0/5.  I inherited this network and I've been working out some oddities for a while; this is just another part of the puzzle.  Ignore the ipx as servers no longer run ipx.

!
interface FastEthernet0/0
 ip address 10.3.3.1 255.255.0.0
 duplex auto
 speed auto
 ipx network FA7D1D45 encapsulation SAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 description Serial Interface to EIS
 no ip address
 shutdown
 ipx network FFFFFFBB
!
interface Serial0/0/1:0
 description Serial Interface to EHS
 no ip address
 shutdown
 ipx network FFFFFFAA
!
interface GigabitEthernet0/1/0
 description Wireless Interface to EHS
 ip address 192.168.1.10 255.255.255.252
 negotiation auto
 ipx network FFFFFFAA
!
router eigrp 1
 network 10.3.0.0 0.0.255.255
 network 192.168.1.8 0.0.0.3
 network 192.168.1.12 0.0.0.3
 redistribute static
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.3.3.254
!

Beyond getting into the other parts of the 192 networks, basically this router should route all packets back to 10.3.3.254 and out to the ISP.  How exactly can it route 10.6.x.x and 10.7.x.x without sub interfaces?  Doesn't something need to convert the ips from 10.6.x.x and 10.7.x.x so they can talk with 10.3.3.254 and 10.3.3.1?  I am a bit rusty, which is why my original question was posed as: do I need a router with sub interfaces to make int vlan routing work?

Jon,

The solution is:

a) configure 2 static routes on the router

   ! the prefix must be the /16 network address; IOS rejects 10.6.1.0 with a
   ! 255.255.0.0 mask as an inconsistent address and mask
   ip route 10.6.0.0 255.255.0.0 10.3.3.110
   ip route 10.7.0.0 255.255.0.0 10.3.3.110

OR

b) start eigrp 1 on the switch

   router eigrp 1
    network 10.3.3.110 0.0.0.0
    no auto-summary
    redistribute connected

and delete the static route that is configured on the switch only.

Later edit: Does EIGRP run between the router and the ASA? Also, does the ISP have static routes toward the ASA?
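To make the return-path reasoning behind option a) concrete, here is an added worked example; it is not code from this thread, from Cisco, or from any IOS tool. It rebuilds the two routing tables shown earlier (the 3560 switch and the 2811 router) as plain Python data, does a longest-prefix-match lookup the way a router would, and follows an echo request from the test PC (10.6.1.2) to the router (10.3.3.1) and the echo reply back. Without the static routes the reply leaves the router toward the ASA (10.3.3.254) and the ping fails; with them it comes back to the switch and is delivered on Vlan2. It also shows why the route must be written as 10.6.0.0 255.255.0.0, and which interfaces an EIGRP `network` statement with a wildcard mask selects. The device names, the `trace` and `wildcard_selects` helpers and the sample routes are constructed here from the configs posted in the thread.

```python
"""Forwarding-table walk-through for the inter-VLAN routing question above.

Added example, not code from the thread or from Cisco.  Device names, the
hop-tracing helper and the sample routes are constructed from the configs
posted in the thread.
"""
from ipaddress import ip_address, ip_network


def parse_ios_static(line: str):
    """Parse 'ip route <prefix> <mask> <next-hop>' into (IPv4Network, next-hop).

    IOS refuses a prefix whose host bits are set for the given mask with
    '%Inconsistent address and mask', which is why the route has to be
    10.6.0.0 255.255.0.0 rather than 10.6.1.0 255.255.0.0.
    """
    _, _, prefix, mask, next_hop = line.split()
    net = ip_network(f"{prefix}/{mask}", strict=False)
    if str(net.network_address) != prefix:
        raise ValueError(f"%Inconsistent address and mask: {prefix} {mask}")
    return net, ip_address(next_hop)


class Device:
    """A router or L3 switch: its own addresses plus a routing table."""

    def __init__(self, name, addresses, connected, statics=()):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        # table: network -> ("C", interface) for connected, ("S", next-hop) for static
        self.table = {ip_network(n): ("C", ifname) for n, ifname in connected.items()}
        for line in statics:
            self.add_static(line)

    def add_static(self, line: str):
        net, next_hop = parse_ios_static(line)
        self.table[net] = ("S", next_hop)

    def lookup(self, dst):
        """Longest-prefix match; returns (network, entry) or None if no route."""
        dst = ip_address(dst)
        candidates = [(net, e) for net, e in self.table.items() if dst in net]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)


def trace(devices, start, dst):
    """Follow a packet from device `start` toward `dst` hop by hop.

    Returns [(device name, action), ...] where action is 'delivered <iface>'
    (dst is on a connected network), 'via <next-hop>' (handed to another
    modelled device), 'forwarded <next-hop>' (next hop is not modelled, e.g.
    the ASA) or 'no route'.
    """
    by_addr = {a: d for d in devices for a in d.addresses}
    dst = ip_address(dst)
    cur, hops = start, []
    while True:
        hit = cur.lookup(dst)
        if hit is None:
            hops.append((cur.name, "no route"))
            return hops
        _net, (kind, target) = hit
        if kind == "C":
            hops.append((cur.name, f"delivered {target}"))
            return hops
        nxt = by_addr.get(target)
        if nxt is None:
            hops.append((cur.name, f"forwarded {target}"))
            return hops
        hops.append((cur.name, f"via {target}"))
        cur = nxt


def wildcard_selects(address, network, wildcard):
    """True if EIGRP 'network <network> <wildcard>' matches an interface address.

    A wildcard bit of 0 means 'must match'; 'network 10.3.3.110 0.0.0.0' selects
    only the Vlan1 SVI, while 'network 10.3.0.0 0.0.255.255' selects any 10.3/16.
    """
    a, n, w = (int(ip_address(x)) for x in (address, network, wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (n & mask)


def build_lab():
    """The switch and router tables as posted in the thread (constructed data)."""
    switch = Device("3560", ["10.3.3.110", "10.6.1.1", "10.7.1.1"],
                    {"10.3.0.0/16": "Vlan1", "10.6.0.0/16": "Vlan2", "10.7.0.0/16": "Vlan3"},
                    ["ip route 0.0.0.0 0.0.0.0 10.3.3.1"])
    router = Device("2811", ["10.3.3.1"], {"10.3.0.0/16": "FastEthernet0/0"},
                    ["ip route 0.0.0.0 0.0.0.0 10.3.3.254"])
    return switch, router


def ping_round_trip(switch, router, pc="10.6.1.2", target="10.3.3.1"):
    """Echo request PC -> target and echo reply target -> PC; returns both hop lists."""
    devices = [switch, router]
    return trace(devices, switch, target), trace(devices, router, pc)


if __name__ == "__main__":
    sw, rt = build_lab()
    print("before static routes:", ping_round_trip(sw, rt))
    rt.add_static("ip route 10.6.0.0 255.255.0.0 10.3.3.110")
    rt.add_static("ip route 10.7.0.0 255.255.0.0 10.3.3.110")
    print("after static routes: ", ping_round_trip(sw, rt))
```

Note that the request always arrives: the switch has 10.3.0.0/16 connected on Vlan1. It is the router's lookup for 10.6.1.2 that decides the outcome, so the fix belongs on the router (or in a routing protocol the router learns from), not in a static route on the switch, which already has those networks as connected routes.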

I had tried putting static routes in the switch to point to the router.  Which I guess was my issue.  After putting in the route for 10.6.0.0 and 10.7.0.0 in the router it's working correctly.  What is the reason behind running eigrp on the switch?  I have yet to put that in the switch.

Edit: Because then the switch will directly know where all the routes are.

Jon Barnes wrote:

I had tried putting static routes in the switch to point to the router.  Which I guess was my issue.  After putting in the route for 10.6.0.0 and 10.7.0.0 in the router it's working correctly.  What is the reason behind running eigrp on the switch?  I have yet to put that in the switch.

Edit: Because then the switch will directly know where all the routes are.

What is the usage of the EIGRP on the router?  Do you have any neighbor on it?

We have 2 other buildings in a chain.  It looks like this

10.3.3.1 <-building1-> 192.168.1.10

192.168.1.9? <-building2-router2-> 10.1.1.1

192.168.1.11? <-building2-router2->

192.168.1.12? <-building3-router3-> 10.2.2.1

I think originally it was supposed to form a triangle, which was the point of eigrp, from what I can make of the configs.  This however was all before my time, and I've spent a bit of time correcting various issues to make things run more smoothly.

My plan is to get fiber and actually connect the other two buildings back to the main office.  Then use a 3560 or 4500 with 10g X2 to connect one building back into the switch on a vlan and then the other building into the main switch on a different vlan.  Take a 3rd 10g X2 port and put the now 10.3.x.x network on it.  Take a 4th 10g port and route that to the internet.  I might take a 5th and put all the servers into that.  But obviously making any changes like this is a lot of effort reconfiguring various ip ranges/servers/switches/etc.

I do not think that the IP addressing must be changed if you change the links  between the Buildings.

In this case we have 3 2811 routers, which I don't believe would handle a 10g link.  Thus I either have to change the core switch and make it one big LAN using fiber to extend the vlans out into the buildings (preserving the ip ranges via vlans), or I would need to replace 3 routers with ones which could handle the new fiber (costly).  Unless I have missed another possibility.

Is it possible to change one of the switch ports to layer3 (via no switchport) assign it the range and have it handle routing?  I'm not sure a 3560 can handle this traffic with routing?  Also certainly if I went that way I would still need to replace the central 3560 because it doesn't handle 10g fiber.

On a layer 3 switch (such as a 3560/4500/6500) you can use a port as:

  • a layer 3 (routed) port, via the no switchport command applied on the interface, or
  • a layer 2 (trunk or access) port, and the Layer 3 address will be on an SVI (interface vlan).

Now it depends on your setup.

HTH

Dan

I'll probably mess around with it this weekend and bypass the router and test out the port as layer 3 and see what the results are.  I have no intention of renumbering the two buildings 10.2.x.x and 10.3.x.x.  Whatever solution I end up choosing there won't be a complete renumber for any reason, as there are hundreds of devices, and we have only myself and another doing IT.

If you want to bypass the router:

   interface vlan 1
    no ip address
   !
   interface x/x
    description ASA - INSIDE interface
    no switchport
    ip address 10.3.3.1 255.255.0.0
    no ip proxy-arp
   !
   ip route 0.0.0.0 0.0.0.0 10.3.3.254

- remove the router

- plug the cable from the ASA inside port into the configured switch port

- using the IP that is currently configured on the router directly on the switch will leave the ASA unchanged (static routes), but there is a possibility that you will need to clear the ARP table.

HTH

Dan

This actually didn't work for everything, as I just tested this.  It did work for the 10.6 and 10.7.x.x networks.  However I am guessing what that no switchport command does is place the network out of that port.  By that I mean if I used no switchport on Fa0/1 and gave it a 10.3.3.1 IP in this example, it's making the whole 10.3.x.x network live on that single port.  What I found when I tried this was that I could no longer get to all the servers (dns, old router, any 10.3.x.x ips) directly connected to that switch, as 10.3.x.x was now only on Fa0/1.  I have servers in the 10.3.3.x range plugged into those various ports as I listed, i.e. the DNS earlier.  So while I was able to ping out on the internet via the pc on 10.6.1.2, all other devices did not work because of the 10.3.x.x network range.  I imagine if I had an extra switch I could plug it into Fa0/1 and then connect all the 10.3.3.x devices to it, and it would work since they would now be on that network.  There are multiple ways I can fix this; I'll just have to figure out what the best way to go about it will be.
