How to route a segmented LAN? - Page 2

christopher_hall · ‎07-14-2011

I had posted previously about segmenting LAN traffic ( https://supportforums.cisco.com/message/3393501#3393501 ) and have a follow-up question. The traffic flow on the network is fine, but we are not able to access our remote locations.

Using the example in that thread:

Let's use your example. If your Vlan interfaces are configured on the 3560:

interface Vlan10

description LAN A

ip address 10.20.102.1 255.255.255.0

interface Vlan 104

description LAN B

ip address 10.20.104.1 255.255.255.0

Device A has his default gateway set to 10.20.102.1 (interface Vlan10) and device B has his default gateway configured to 10.20.104.1 (interface Vlan104). If device A (10.20.102.55) wants to talk to device B (10.20.104.25), the traffic would have been routed on the 3560 between Vlans 102 and 104.

As for DHCP, if there is a server on a separate network (let's give the DHCP server an ip: 192.168.2.15) you would configure an 'ip helper-address' on each vlan, which will forward each DHCP Discover broadcast to the DHCP server as a unicast packet. This is done because by default the router (3560) will not forward broadcasts.

interface Vlan10

description LAN A

ip address 10.20.102.1 255.255.255.0

ip helper-address 192.168.2.15

interface Vlan 104

description LAN B

ip address 10.20.104.1 255.255.255.0

ip helper-address 192.168.2.15

Hope this makes sense.

Now lets say LAN A and LAN B are located in SITE1. A second site, SITE2, has the address of 10.20.128.1. I can't ping the Site2 location from the LAN B (10.20.104.x) segment in Site1. I think I should set a static route on our switch with something like this:

ip route 10.20.0.0 255.255.0.0 10.20.102.10

The address 10.20.102.10 would be a wan router in this example.

Am I right here?

Thanks,

Chris

Jon Marshall · ‎07-18-2011

Chris

So you can get to 10.20.128.10 from your workstation on 10.20.104.50 or not ?

Can you try a traceroute from a 10.20.128.x workstation and see how far it goes.

Jon

christopher_hall · ‎07-18-2011

Yes, I can get to 10.20.128.10 from 10.20.104.50. A traceroute from said workstation to 10.20.128.3 dies in the att network (12.83.16.30).

Jon Marshall · ‎07-18-2011

So just to clarify, you can get 10.20.128.10 which is in site B from 10.20.104.50. But trying to get to a workstation in the same vlan ie. 10.20.128.x it dies in the ATT network.

That doesn't make a lot of sense. Is there any way you can get onto 10.20.128.3 workstation/server and try and traceroute back to 10.20.124.50 ?

Jon

christopher_hall · ‎07-18-2011

Yes, that was correct. Weird huh? Site-B is in a different AS than Site-A, for whatever that's worth. When doing a trace back from 10.20.128.3 to 10.20.104.50, it stops at 10.20.128.1 (the data vlan for that location). Running sh ip bgp all on the switch, I do not see the network 10.20.104.0. Makes a little sense, as all devices on that network will run through that data vlan.

christopher_hall · ‎07-18-2011

Something is working right, as I can hit many of the other remote networks. Will check back tomorrow am. Thanks for your help!

milan.kulik · ‎07-19-2011

Hi,

so what is the router interface IP address in site B data VLAN?

10.20.128.10?

Why do you see 10.20.128.1 in the traceroute from 10.20.128.3 then?

Isn't there simply an incorrect default gw configured on the devices in 10.20.128.0/24 subnet?

That would explain all your symptoms.

HTH,

Milan

christopher_hall · ‎07-19-2011

Milan,

10.20.128.10 is the router interface for site b and 10.20.128.1 is the data vlan, so when a trace is run from 10.20.128.3, the first hop it's going to see is the data vlan. I checked again this morning and the results are the same: traceroute from the 10.20.140.0 network fails at 12.83.13.60 (att cloud) and a traceroute from 10.20.128.3 dies at 10.20.128.1. I've checked the switch and it doesn't have the 10.20.140.0 network. I added a static route to 10.20.128.1:

ip route 10.20.104.0 255.255.255.0 10.20.128.10

And the traffic still dies. Traceroute from 10.20.128.3 dies at 12.83.13.61 and traceroute from 10.20.104.50 dies at the same as above.

Since we're uing a couple different as numbers, would I have to add the 104 network to both locations?

Jon Marshall · ‎07-19-2011

Chris

Different ASs shouldn't matter.

I'm confused about site B setup. Can you confirm -

1) Site A switch running BGP has route to 10.20.128.0/24 (which it should due to traceroute)

2) site A router has same route

3) site B router has 10.20.104.0/24

4) site B switch has route (which you say you have added.

Jon

christopher_hall · ‎07-19-2011

Jon,

Site A Router **** network *** next hop

10.20.104.0 10.20.102.1

Site A Switch *** network *** next hop

10.20.104.0 0.0.0.0

Site B Router *** network *** next hop

10.20.104.0 192.168.0.77

Site B Switch # Not getting the bgp update, so I added a static route.

ip route 10.20.104.0 255.255.255.0 10.20.128.1

I will try a soft clear bgp and post any changes.

C

christopher_hall · ‎07-19-2011

Not sure why, but our switch on the 10.20.128.0 network shows the following in the configuration:

no bgp log-neighbor-changes

I'm trying to get clarification on this now.

C

christopher_hall · ‎07-19-2011

Well, after clearing bgp on the 10.20.128.0 switch, I seem to be getting traffic through, what's strange is that it still doesn't show the 104 network in BGP.

Jon Marshall · ‎07-19-2011

Chris

Showing the 104 network where ?

Jon

christopher_hall · ‎07-19-2011

The 104 network does not show in bgp routes on the Site B switch. I cleared bgp on the switch and added a static route.

Jon Marshall · ‎07-19-2011

Okay, you could look on the site B router and do a -

sh ip bgp neighbor x.x.x.x advertised-routes

where x.x.x.x is the switch and see if the router is advertising the route. You don't have any filters on the switch or router that would stop it being advertised ?

Jon

christopher_hall · ‎07-19-2011

I checked the router at site B (sh ip bgp neighbor x.x.x.x advertised-routes) and it is advertising the route. No filters.