How to route a segmented LAN?

I had posted previously about segmenting LAN traffic (https://supportforums.cisco.com/message/3393501#3393501) and have a follow-up question. The traffic flow on the network is fine, but we are not able to access our remote locations.

Using the example in that thread:

Let's use your example. If your Vlan interfaces are configured on the 3560:

interface Vlan10
description LAN A
ip address 10.20.102.1 255.255.255.0

interface Vlan 104
description LAN B
ip address 10.20.104.1 255.255.255.0

Device A has his default gateway set to 10.20.102.1 (interface Vlan10) and device B has his default gateway configured to 10.20.104.1 (interface Vlan104). If device A (10.20.102.55) wants to talk to device B (10.20.104.25), the traffic would have been routed on the 3560 between Vlans 102 and 104.

As for DHCP, if there is a server on a separate network (let's give the DHCP server an ip: 192.168.2.15) you would configure an 'ip helper-address' on each vlan, which will forward each DHCP Discover broadcast to the DHCP server as a unicast packet. This is done because by default the router (3560) will not forward broadcasts.

interface Vlan10
description LAN A
ip address 10.20.102.1 255.255.255.0
ip helper-address 192.168.2.15

interface Vlan 104
description LAN B
ip address 10.20.104.1 255.255.255.0
ip helper-address 192.168.2.15

Hope this makes sense.

Now lets say LAN A and LAN B are located in SITE1. A second site, SITE2, has the address of 10.20.128.1. I can't ping the Site2 location from the LAN B (10.20.104.x) segment in Site1. I think I should set a static route on our switch with something like this:

ip route 10.20.0.0 255.255.0.0 10.20.102.10

The address 10.20.102.10 would be a wan router in this example.

Am I right here?

Thanks,

Chris


Hi,

Yes, you're right. However, I would try to add specific routes if I plan to add more in the future.

E.g. to route packets back from site2 to LAN-B on site1:

!
site2Router(config)#ip route 10.20.104.0 255.255.255.0 10.20.102.10
! (10.20.102.10 = WAN IP of Site1)
!

And you have to make sure that you have a routing on both sites to let packets go back and forth.

HTH,

Toshi

Jon Marshall

Chris

You can either use static routes or run a routing protocol between your switch and the WAN router.

If you use static routes then yes, add a route to your switch. But not the route you give; add the specific subnet, e.g.

ip route 10.20.128.0 255.255.255.0 10.20.102.10

But you must also make sure -

1) the WAN router then knows how to get to 10.20.128.0/24

Assuming it does, you then need to take care of the return traffic. So on your WAN router

2) add the following route -

ip route 10.20.104.0 255.255.255.0 10.20.102.1

3) then you need to go to site B and if that has a WAN router you need to also add a route there ie.

ip route 10.20.104.0 255.255.255.0 x.x.x.x   <-- where x.x.x.x is the IP address of the site A wan interface, assuming a P2P link. If the WAN is MPLS you may need to do additional config to get site B to know how to get to 10.20.104.0/24.

As you can see with static routing you need to add routes at each individual L3 hop. This is one of the common reasons why people use dynamic routing protocols instead.

Jon
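To make Jon's point concrete, here is an added example (not from this thread or from Cisco) that simulates longest-prefix-match forwarding at each of the three L3 hops, the core switch, the site1 WAN router and the site2 WAN router, and traces a packet in both directions. The tables are constructed from the addresses in the thread; the 192.0.2.0/30 WAN link and the OWNER mapping of next hops to routers are assumptions.

```python
# Added example, not from the thread: hop-by-hop longest-prefix-match check of the
# static-route design, run in both directions. Tables and the WAN link are constructed.
import ipaddress

TABLES = {
    "core-switch": [
        ("10.20.102.0/24", "connected"),
        ("10.20.104.0/24", "connected"),          # LAN B lives here
        ("10.20.128.0/24", "10.20.102.10"),       # step 1: site2 via the WAN router
    ],
    "site1-wan": [
        ("10.20.102.0/24", "connected"),
        ("192.0.2.0/30", "connected"),            # assumed P2P link to site2
        ("10.20.104.0/24", "10.20.102.1"),        # step 2: return route to LAN B
        ("10.20.128.0/24", "192.0.2.2"),          # onward to site2
    ],
    "site2-wan": [
        ("10.20.128.0/24", "connected"),
        ("192.0.2.0/30", "connected"),
        # step 3 (return route to 10.20.104.0/24) intentionally missing
    ],
}
# Which router answers for each next-hop address (assumed addressing).
OWNER = {"10.20.102.1": "core-switch", "10.20.102.10": "site1-wan",
         "192.0.2.1": "site1-wan", "192.0.2.2": "site2-wan"}

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if there is no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow dst hop by hop; the last element is 'delivered', 'no-route' or 'loop'."""
    path, hop = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[hop], dst)
        if nh is None:
            return path + ["no-route"]
        if nh == "connected":
            return path + ["delivered"]
        hop = OWNER[nh]
        path.append(hop)
    return path + ["loop"]

def both_ways(tables, a_router, a_ip, b_router, b_ip):
    """True only if the forward and the return path both deliver (a route at every hop)."""
    return trace(a_router, b_ip, tables)[-1] == "delivered" and trace(b_router, a_ip, tables)[-1] == "delivered"
```

With the tables as written, the forward trace from the core switch to 10.20.128.x delivers, but the return trace from site2 stops at "no-route" until the site2 router gets its 10.20.104.0/24 route, which is exactly the asymmetric failure a ping from LAN B shows.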

Thanks for the replies; much appreciated!

Jon,

You mention routing protocols. We are running BGP between our sites via ATT's NetVPN network, so I'm thinking that adding the 10.20.104.0 network would be the best way to go, though, I can't say I really know/understand BGP. With BGP running on our WAN router and core switch (in site 1), how would I add the network? Would this get added to the router, then 'replicate' to the switch and other sites?

Thanks,

Chris

Chris

Is your core switch really running BGP or is it just the WAN router? If it's just the WAN router you might need to still add a static to the core switch and any L3 switches at Site B. If it is the core switch then you can add it there. Wherever you add it you would do something like this -

router bgp
network 10.20.104.0 mask 255.255.255.0

note that it's difficult to be certain because you may also on your core switch have -

router bgp
redistribute connected

in which case you shouldn't need to add anything.

If only the WAN router is running BGP then simply add the "network" statement as above. The WAN router would still need to know how to get back to the 10.20.104.0/24 network and so would the other end, although not site B WAN router which should receive the route via BGP.

Jon

Jon,

The switch definitely has BGP setup.

router bgp
bgp log-neighbor-changes
neighbor blah, blah remote-as

Then has a couple more statements. I'm posting this part of the config, but since it includes external addresses, I'll 'x' them out.

address-family ipv4
  neighbor 10.20.102.10 activate
  neighbor 10.20.102.10 default-originate route-map Check-Internet
  neighbor A.B.C.D activate
  neighbor A.B.C.D prefix-list 10 out
  no auto-summary
  no synchronization
  network W.X.Y.Z mask 255.255.255.0
  network 10.20.102.0 mask 255.255.255.0

I will add the network statement above, test and post the results.

Thanks,

Chris

Jon,

One other thing: how long should it take to redistribute the new network? As I understand it, the process should kick off immediately, however, I haven't seen that to be true in our network.

Okay, it looks like the route has shown up on the router. "show bgp all" shows the new network with the next hop being 10.20.102.1, which is correct. I can ping the remote location from both my switch and router, but not the workstation that's on the 10.20.104.0 network. Running a tracert from that workstation to 10.20.128.1 dies in the att network. I've run into this before and it's apparently because they're not getting the update. I think the last time this happened, we restarted the equipment on our side, which fixed the problem. Thoughts?

Hi,

it might be the prefix-list 10 denying the 10.20.104.0 from advertising possibly?

If not, you could try

clear ip bgp  A.B.C.D  soft

to refresh the BGP updates sent to the neighbor.

HTH,

Milan
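Milan's suggestion can be checked offline. This added example (not from the thread) evaluates an IOS-style ip prefix-list the way the router does: entries in ascending sequence order, first match wins, and an implicit deny at the end, so a new network that no entry permits is silently dropped from the outbound advertisement. The prefix-list contents are constructed, since the real list from the config was not posted.

```python
# Added example, not from the thread: evaluate an IOS-style "ip prefix-list" (lowest seq
# first, first match wins, implicit deny) to see whether 10.20.104.0/24 would be filtered
# by the outbound "prefix-list 10". The list below is constructed for illustration.
import ipaddress

CONSTRUCTED_LIST = [
    "ip prefix-list 10 seq 5 permit 10.20.102.0/24",
    "ip prefix-list 10 seq 10 permit 203.0.113.0/24",
]

def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' into sorted entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue
        seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
        ge = le = None
        for i in range(7, len(tok) - 1, 2):
            if tok[i] == "ge":
                ge = int(tok[i + 1])
            elif tok[i] == "le":
                le = int(tok[i + 1])
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])

def entry_matches(entry, prefix):
    """IOS semantics: no ge/le means exact length; ge/le widen the allowed length range."""
    _, _, net, ge, le = entry
    if not prefix.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
    return low <= prefix.prefixlen <= high

def evaluate(entries, prefix_str):
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    prefix = ipaddress.ip_network(prefix_str)
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[1], entry[0]
    return "deny", None
```

Against the constructed list, 10.20.102.0/24 is permitted by seq 5 while 10.20.104.0/24 falls through to the implicit deny; adding a permit entry for it, or a summarised "permit 10.20.0.0/16 le 24", lets the new network out.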

Nothing in the prefix-list. I'll try a restart this evening and post the results.    

Chris

You should be able to run the "clear ip bgp x.x.x.x soft out" command without affecting existing traffic. Make sure you include the "soft" keyword.

Jon

Jon,

I did a soft clear as above, but also did..... clear ip bgp * soft. No luck. Now, I completed this on the switch, but maybe this should be done on the router? The router would be first hop into the att network.

Chris

No, the switch is the place to do it. Once the router has received it from the switch it should simply forward it on. Have you logged onto site B router to see if the route has been received ?

Jon

Yep. It has received it and shows an appropriate next hop.    

I can ping 10.20.104.1 and the one workstation setup on that network (10.20.104.50) from the site2 router, but can't hit the 10.20.128.1. I can hit the gateway for that location (10.20.128.10), but nothing past that--workstations, servers.