Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2361
Views
5
Helpful
2
Replies

Using Switch as a "media converter" and routing using the same switch.

Go to solution
codemsittc
Level 1
Level 1

‎02-23-2020 04:52 AM

Hello Guys,

 

My first time posting a question here. Have a problem that requires people with experience on this issue

 

Previous set up:

remote site --(fiber)--> Media converter --(RJ45)--> Link Encryptor --> L3 Switch with routing capabilities --> 3 different VLANS and beyond.Switch Media Converting, Catalyst Switch, LAN Switching

 

1) Link encryptor has an external and internal port, all traffic must go through this link encryptor.

New set up:
As we realised that media converter sometimes causes problem for us, we would like to use only one switch for this similar set up. Lets call this switch (c3850 4SFP and 24RJ45 ports), Switch A

remote site --(fiber)--> Switch A VLAN 200 --> Link Encryptor --> Switch A VLAN 20 -->  To other VLANs and beyond

This is my planned set up. However, when I tested this using EVE/GNS3, I realised because all configuration is done on only one switch (Switch A), the returning traffic to the remote site will bypass the Link Encryptor.

VLAN 200 = External (Encrypted channel)

Ports that are in VLAN 200

1) link between remote site and switch

2) link between switch and the link encryptor external interface

VLAN 20 = Internal (Unencrypted channel)

Ports that are in VLAN 20

1) link between switch and link encryptor's internal interface

 

Note that there are also other VLANs within/behide the internal segment, and all traffic that wants to get out to the remote site will need to go through the link encryptor.

Would PBR be able to solve this issue?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎02-23-2020 01:21 PM

Hi there,

From you description it sounds like VLAN200 should be pure layer2 as far as the switch is considered. The outside interface of the encryptor should have the only Layer3 interface at your end of the segment.

The fact that you mention traffic is bypassing the encryptor suggests that VLAN200 on the switch must have an Layer3 interface configured.

 

You need to configure VRF-lite on the switch. Create an additional VRF, I suggest one called CIPHER which just contain VLAN200. Since you have only one VLAN 'outside' it lowers the workload not having to configure the ip vrf forwarding command for the remaining VLANs.

All other interfaces on the switch will be placed in the default VRF.

 

I assume you are using the the encrypted link as your default route? As for routing it will look like:

ip route vrf CIPHER 0.0.0.0 0.0.0.0 <far_end_encrypted_link>
ip route 0.0.0.0 0.0.0.0 <inside_ip_of_encryptor>

cheers,

Seb.

View solution in original post

2 Replies 2

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎02-23-2020 01:21 PM

Hi there,

From you description it sounds like VLAN200 should be pure layer2 as far as the switch is considered. The outside interface of the encryptor should have the only Layer3 interface at your end of the segment.

The fact that you mention traffic is bypassing the encryptor suggests that VLAN200 on the switch must have an Layer3 interface configured.

 

You need to configure VRF-lite on the switch. Create an additional VRF, I suggest one called CIPHER which just contain VLAN200. Since you have only one VLAN 'outside' it lowers the workload not having to configure the ip vrf forwarding command for the remaining VLANs.

All other interfaces on the switch will be placed in the default VRF.

 

I assume you are using the the encrypted link as your default route? As for routing it will look like:

ip route vrf CIPHER 0.0.0.0 0.0.0.0 <far_end_encrypted_link>
ip route 0.0.0.0 0.0.0.0 <inside_ip_of_encryptor>

cheers,

Seb.

Go to solution
codemsittc
Level 1
Level 1
In response to Seb Rupik

‎02-24-2020 06:05 AM - edited ‎02-24-2020 06:05 AM

Hi Seb,

I was about to try using VRF when you reply!

Great that I get assurance on the idea of VRF too!

 

Once again, thank you.

 

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card