08-21-2013 10:45 AM - edited 03-04-2019 08:50 PM
I have two sites connected by an MPLS line. My main site has a wireless Guest network that uses my ASA as a DHCP server. I would like to install a Guest network in my second site. My MPLS line is a Layer 3 and needs to know the networks to be aware of. I am not sure how to configure the routing for this to work. I am attaching the router configs and a basic network drawing. Any advice would be appreciated.
08-21-2013 11:13 AM
It's hard to tell from your diagram, but what subnet is your guest vlan using and where is the internet connection in relation to this?
HTH,
John
*** Please rate all useful posts ***
08-21-2013 11:19 AM
The guest vlan is 192.168.99.0 and the Internet connection is at the main location (Bryan). Sorry for the drawing... I created it for myself just for a reference. The second location is Madison, where I am trying to get the Guest Vlan to work. The main switch in the Bryan location has a direct connection to the firewall for the Guest Vlan.
08-21-2013 11:38 AM
Okay... I'm a little confused about the config that you posted. I see the 192.168.99.0/24 subnet, but are you trying to bridge across the WAN? If so, it's not necessary. It looks like you have only static routes, so all you should need to do is get rid of the bridging configuration and treat it like another subnet. You'll have a static route pointing from your Bryan router to 192.168.99.0/24 going to the next hop out of the MLP interface. Then on your firewall, you'd have a route from 192.168.99.0/24 going to the Bryan router. (I'm assuming 10.10.10.251 is the address for your FW).
HTH,
John
*** Please rate all useful posts ***
08-21-2013 11:51 AM
I was told by someone on another post that I would need to use IRB. Yes, all I am trying to do is get the Guest access to work in our second location. Yes, the 10.10.10.251 and the 192.168.99.1 are both on my firewall. I already have an Internal wireless network in Madison that uses the 10.10.141.0/24 subnet, but it uses a DHCP server on my 10.10.10.0/24 network. So you are saying I would need on my Bryan router: ip route 192.168.99.0 255.255.255.0 Multilink1 and the firewall would be: ip route 192.168.99.0 255.255.255.0 10.10.10.100? If I do this, will this cause any problems with my Guest access in the Bryan location?
08-21-2013 12:01 PM
Can you provide a much more detailed diagram along with subnets? I'm seeing FR circuits, MLP, bridging, etc. I'd be able to give you a better solution if you could provide that. Do you have a firewall at each location, and are the locations connected via mpls? Are you only concerned about routing over MLP interfaces and I can safely ignore FR?
HTH,
John
*** Please rate all useful posts ***
08-21-2013 12:24 PM
08-21-2013 02:52 PM
From this diagram, it looks like Madison gets internet access from Bryan, is that correct? Also, do you have guest access at the Bryan location that is also using 192.168.99.0/24? If so, that could be the reason you may need to bridge if you wanted both sites to use the same subnet. I'll have to lab that up though. Otherwise, if your 192.168.99.0/24 is only at the Madison side, then you don't need to bridge across....
HTH,
John
*** Please rate all useful posts ***
08-22-2013 05:14 AM
Yes, Madison gets Internet access from Bryan and yes, the Bryan location is also using the 192.168.99.0/24.
Thanks.
08-22-2013 07:57 AM
Ah, that makes more sense as to why you'd need to bridge it. Let me lab this up today and see what I can come up with for you..
HTH,
John
*** Please rate all useful posts ***
08-22-2013 11:12 AM
In all honesty, it would be easier if you were able to change the Madison subnet to something else so you wouldn't have to worry about bridging across. The problem that I'm running into is that in order to bridge, your serial interfaces (that lead to your MPLS cloud) and the VLAN interface that is associated to this guest network need to be part of the bridge group in order to pass the traffic across the link. In other words, your VLAN 99 subinterface and the serial interface need to both be associated to the same bridge group, but from my tests it is going to kill your WAN interface.
I'm still playing around with some scenarios, but for now I'd suggest changing your Madison guest subnet to something other than 192.168.99.0/24 and then you can route to it instead.
HTH,
John
*** Please rate all useful posts ***
08-22-2013 11:15 AM
Yes, I found that out the other week... luckily I just rebooted the router so the old config came up.
I thought about using a different vlan but I wasn't sure how to have it get the DHCP address from the firewall... any suggestions with that?
08-22-2013 11:21 AM
Sure thing... Is your firewall hosting the pool, and is it the one at the Bryan location?
Here's the Madison "old" config:
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip helper-address 10.10.10.251
 ip helper-address 192.168.99.1
 no snmp trap link-status
 bridge-group 99
If you wanted to create vlan 199, you could change it to:
interface FastEthernet0/0.199
 encapsulation dot1Q 199
 ip address 192.168.199.1 255.255.255.0
 ip helper-address 10.10.10.251
 ip helper-address 192.168.99.1
 no snmp trap link-status
The addresses can stay the same for your helper address. On the firewall/router/DHCP scope, you'd create another pool that matches 192.168.199.0/24 subnet and set the default-gateway (Madison router/firewall for your Madison users) and dns servers. You should be good to go after that. Then you'd set up all of your routes on the Bryan side for 192.168.199.0/24 to point to MPLS interface.
HTH,
John
*** Please rate all useful posts ***
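An added example (not part of the thread or of anyone's posted config): a small Python model of the static-route design discussed above, tracing a reply from the firewall back toward a Madison guest address. It shows why an unbridged, shared 192.168.99.0/24 never leaves the firewall's connected segment, and why the renumbered 192.168.199.0/24 needs a route on every hop, including the Layer 3 MPLS provider. The node names, the provider's routes and the host 192.168.99.50 are assumptions constructed for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: next-hop node, 'local' if connected, None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start; return (path, 'delivered' | 'no route' | 'loop')."""
    path = [start]
    for _ in range(max_hops):
        hop = lookup(tables[path[-1]], dst)
        if hop is None:
            return path, "no route"
        if hop == "local":
            return path, "delivered"
        path.append(hop)
    return path, "loop"

def topology(madison_guest, provider_has_route=True):
    """Constructed routing tables: ASA - Bryan router - MPLS cloud - Madison router."""
    t = {
        "asa":     {"10.10.10.0/24": "local", "192.168.99.0/24": "local",
                    "10.10.141.0/24": "bryan"},
        "bryan":   {"10.10.10.0/24": "local", "10.10.141.0/24": "mpls",
                    "0.0.0.0/0": "asa"},
        "mpls":    {"10.10.10.0/24": "bryan", "10.10.141.0/24": "madison",
                    "0.0.0.0/0": "bryan"},          # assumed provider routes
        "madison": {"10.10.141.0/24": "local", "0.0.0.0/0": "mpls"},
    }
    t["madison"][madison_guest] = "local"           # guest subinterface at Madison
    if madison_guest != "192.168.99.0/24":          # renumbered: add static routes
        t["asa"][madison_guest] = "bryan"
        t["bryan"][madison_guest] = "mpls"
        if provider_has_route:
            t["mpls"][madison_guest] = "madison"
    return t

def reply_path(madison_guest, host, provider_has_route=True):
    """Path of a reply from the ASA to a Madison guest or relay (helper) address."""
    return trace(topology(madison_guest, provider_has_route), "asa", host)

if __name__ == "__main__":
    print(reply_path("192.168.99.0/24", "192.168.99.50"))          # stays on the ASA
    print(reply_path("192.168.199.0/24", "192.168.199.1"))         # reaches Madison
    print(reply_path("192.168.199.0/24", "192.168.199.1", False))  # provider gap
```

A path that ends at `asa` means the firewall treats the address as directly connected, so the reply is never sent across the WAN.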
08-22-2013 11:23 AM
Yes.
Thanks.
08-22-2013 11:25 AM
Sorry... I edited my last reply with some suggestions...
HTH,
John
*** Please rate all useful posts ***