
802.1q in q on cisco 3750 for metro e

keithsauer507

Hello,

I am trying to test a new metro e circuit for internet, keep in mind this is a test and I am out of interfaces on our 2811 router at the moment to run this new test network AND our current production network.

So I am wondering if I can do this similar config just by vlanning two ports on our cisco 3750 switch stack with one port connected to the overture isg24 provided by our ISP (ethernet handoff) and another port connected to a test machine assigned with one of the external IP addresses in the block provided by our ISP.

They sent us this sample configuration, and of course this does not work on a 3750 switch because it has subinterfaces. 

interface eth 0/1
  description VLAN trunk interface connected to ISP ethernet handoff
  speed 100
  encapsulation 802.1q
  max-reserved-bandwidth 100
  qos-policy out shape_policy
  no shutdown
!
interface eth 0/1.10
  description => Internet
  vlan-id 10
  ip address  64.x.x.10  255.255.255.252
  ip access-group NOSPOOF in
  no shutdown
interface eth 0/1.20
  description => MPLS VPN
  vlan-id 20
  ip address  66.x.x.246  255.255.255.252
  no shutdown
!
interface eth 0/2
  description => Direct connection to PUBLIC LAN
  ip address  63.x.x.113  255.255.255.240
  no shutdown

What I'm trying to do is get this translated into something that works with the switch.  I tried this and I don't think the WAN side is working.  I'm hoping I can test this entirely via the switch stack but if it requires a real router then it's just going to have to wait until after hours when we can take the live internet down.

interface FastEthernet7/0/13
 description vlan trunk to internet test - Overture ISG24 handoff
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 speed 100
 spanning-tree portfast
 max-reserved-bandwidth 100
!
interface FastEthernet7/0/14
 no switchport
 ip address 63.x.x.113 255.255.255.240
 spanning-tree portfast
!
interface Vlan10
 ip address 64.x.x.10 255.255.255.252
!

Then my test PC is given the public IP: 63.x.x.114 255.255.255.240 (which is within the block) with default gateway of 63.x.x.113 which pings fine.

The thing is I can't really put a quad 0 route in because this switch stack is our core switch.  Currently the 0.0.0.0 route points to our firewall, which points to our internet router that has 3 T1's on it.  I just want to test this ONE PORT fe7/0/14 to go out the Overture ISG fast ethernet 100mbps handoff which is in turn connected to a fujitsu lightwave sonet multiplexer (all provided by the ISP).

Is what I am trying to do even possible?


Giuseppe Larosa

Hello Keith,

An L2 trunk port to the ISP device is fine, but you don't need the native vlan 10 unless required/stated by the ISP. To emulate the suggested configuration you need two SVIs, one for vlan 10 and one for vlan 20.

You can use a VRF to make a more meaningful test without impacting the real user traffic.

You just need to put SVIs Vlan10 and Vlan20 in the test VRF and you have a separate standalone routing table that allows you to use a default route without impact.

ip vrf TEST
 rd 100:100
!
interface vlan 10
 ip vrf forwarding TEST
 ! you need to retype the IP address as it is removed when the SVI is associated to a VRF
 ip address

the same for vlan 20

You can create a static default route in VRF using

ip route vrf TEST 0.0.0.0 0.0.0.0 vlan10

Ping tests can be done using

ping vrf TEST command

Hope to help

Giuseppe


Thanks, I didn't even realize about the vrf command.

I believe I now have internet connectivity from the switch to the new circuit.  I just can't seem to figure out how to get the test PC on port fe 7/0/14 to communicate with the outside world.

Lookup google and ping it from the switch...

#ping vrf test 173.194.75.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.75.105, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/26 ms

I guess I am confused by the configuration sheet my ISP gave me.

The INTERNET side has an ip of 64.x.x.10 on MY end, and their gateway is 64.x.x.9.  It's a 255.255.255.252 so those are the only two IP addresses available.

They assigned me a /28 starting at 63.x.x.113 through 63.x.x.126.  (s/n 255.255.255.240)

So I put this on Fe 7/0/14, but when you put an IP address on an interface I'm not sure how I can somehow tie that into what's going on with vlan10, for example:

interface FastEthernet7/0/14
 no switchport
 ip address 63.x.x.113 255.255.255.240           (this should be my default gateway on my test PC)
 spanning-tree portfast
!

I think I'm missing another route statement.

Nevermind, I got it to work.

I moved the public ip block address into a vlan 11 and route between vlan 11 and 10.

See I am used to bouncing off multiple devices.  In the production environment the switch stack routes quad 0 to an asa firewall pair, then that asa firewall pair routes to a 2811 in turn which is connected to the internet.

So in that mindset is where my head is. 

Testing the new circuit on a test machine and it's working great.  Good bandwidth, far better than 3xT1's from what we are moving from, that's for sure.  I can play around with it a bit and feel confident moving it live after hours.
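
The end state this thread arrives at, gathered into one configuration as an added example (not posted by either participant and not the ISP's sample). Assumptions: Vlan11 sits in VRF TEST alongside Vlan10, fe7/0/14 becomes an access port in VLAN 11, the default route uses the ISP gateway 64.x.x.9 as next hop rather than the interface form, and the NOSPOOF entries are constructed because the ISP sample names that list without showing it.

```cisco
! Added example: Internet VLAN only; the MPLS VPN SVI (vlan 20) would follow
! the same pattern. Masked addresses (x) are kept as they appear in the thread.
ip routing
!
ip vrf TEST
 rd 100:100
!
vlan 10
 name ISP-INTERNET
vlan 11
 name PUBLIC-LAN-TEST
!
! Constructed stand-in for the ISP sample's NOSPOOF list (assumption):
! drop packets arriving from the ISP that claim a source inside our own /28.
ip access-list extended NOSPOOF
 deny   ip 63.x.x.112 0.0.0.15 any
 permit ip any any
!
interface FastEthernet7/0/13
 description vlan trunk to internet test - Overture ISG24 handoff
 switchport trunk encapsulation dot1q
 ! no native vlan override: the ISP sample tags VLAN 10 (assumption)
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 speed 100
!
interface FastEthernet7/0/14
 description test PC 63.x.x.114 (assumed access port in vlan 11)
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface Vlan10
 ip vrf forwarding TEST
 ! address is typed after the VRF line, which would otherwise remove it
 ip address 64.x.x.10 255.255.255.252
 ip access-group NOSPOOF in
!
interface Vlan11
 ip vrf forwarding TEST
 ip address 63.x.x.113 255.255.255.240
!
! Default route exists only in the TEST table; the global 0.0.0.0 route
! toward the production firewall is untouched.
ip route vrf TEST 0.0.0.0 0.0.0.0 64.x.x.9
```

In this layout the test PC reaches the Internet through the VRF without passing the production ASA pair, so the inbound ACL on Vlan10 and the PC's own host firewall are the only filtering in its path.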
