10-10-2011 08:16 PM - edited 03-07-2019 02:43 AM
I'm setting up an edge router to share an internet connection for two separate offices. I'd like to have one gateway IP for both offices yet make sure the other IPs for the tenants can't access each other via L2 nor L3.
The switch ports have been configured as follows:
Port 22: trunk to the router vlan 2, untagged and PVID
Port 23: access vlan 900
Port 24: access vlan 901
The router has been configured as follows:
interface FastEthernet0/1
 ip address ##.###.##.### 255.255.255.240
 no ip redirects
 no ip proxy-arp
 duplex full
 speed auto
 vlan-id dot1q 2
  exit-vlan-config
!
no cdp enable
no mop enabled
!
interface FastEthernet0/1.900
 encapsulation dot1Q 900
 ip unnumbered FastEthernet0/1
 no cdp enable
!
interface FastEthernet0/1.901
 encapsulation dot1Q 901
 ip unnumbered FastEthernet0/1
 no cdp enable
I can't get arp resolution as I get the "wrong cable" errors for the subinterfaces.
I can get it to work if I enable "ip mobile arp" on the subinterfaces or enter static ARP entries for the internal network devices. Both of these don't seem like viable workarounds. "ip mobile arp" seems to open things up to an IP being able to move around on the network too much and the static arp would require the subtenants to have us reconfigure the router should they change firewalls or network equipment south of our switch.
Anyone have ideas how to resolve the "wrong cable" issue with the subinterfaces?
I've tried creating a third subint and putting the IP on that one then using "ip unnumbered fa0/1.2" for the fa0/1.900 and fa0/1.901 interfaces but that didn't seem to work either.
Thanks,
Patrick
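Added example, not code from the thread: a small audit over the configuration posted above that flags subinterfaces borrowing the same parent address (`ip unnumbered`) in the same VRF with no inbound ACL, which is the inter-tenant forwarding gap the question is about. The 192.0.2.1 address stands in for the masked public address and the ACL name used in the check is an assumed placeholder.

```python
import re
from collections import defaultdict

# Constructed copy of the router config posted above; the masked public address
# is replaced with a documentation-range placeholder (192.0.2.1 is an assumption).
IOS_CONFIG = """\
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.240
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1.900
 encapsulation dot1Q 900
 ip unnumbered FastEthernet0/1
!
interface FastEthernet0/1.901
 encapsulation dot1Q 901
 ip unnumbered FastEthernet0/1
"""


def parse_interfaces(config):
    """Return {name: {'unnumbered', 'vrf', 'acl_in'}} for each interface stanza."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1],
                                        {"unnumbered": None, "vrf": None, "acl_in": None})
        elif cur is None or line == "!":
            cur = None                      # stanza ended; ignore global lines
        elif line.startswith("ip unnumbered "):
            cur["unnumbered"] = line.split()[2]
        elif line.startswith("ip vrf forwarding "):
            cur["vrf"] = line.split()[3]
        elif line.startswith("ip access-group ") and line.endswith(" in"):
            cur["acl_in"] = line.split()[2]
    return interfaces


def audit_shared_unnumbered(config):
    """Flag groups of interfaces that share one parent address in one VRF while at
    least one member has no inbound ACL: nothing stops routing between the group."""
    ifaces = parse_interfaces(config)
    groups = defaultdict(list)
    for name, attrs in ifaces.items():
        if attrs["unnumbered"]:
            groups[(attrs["vrf"], attrs["unnumbered"])].append(name)
    findings = []
    for (vrf, parent), members in sorted(groups.items(), key=str):
        unfiltered = sorted(n for n in members if ifaces[n]["acl_in"] is None)
        if len(members) > 1 and unfiltered:
            findings.append({"parent": parent, "vrf": vrf or "global",
                             "interfaces": sorted(members), "unfiltered": unfiltered})
    return findings
```

Running it against the posted config reports one group (VLAN 900 and 901 subinterfaces on FastEthernet0/1, global table, no ACL); adding an inbound access-group to each subinterface, or placing them in separate VRFs, clears the finding.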
10-11-2011 12:40 AM
Hi,
Why do you want dot1q subinterfaces which are in different VLANs to be in the same subnet? Furthermore, I don't think ip unnumbered works well with Ethernet; it was meant for serial interfaces.
I think you could use vrf-lite to segregate them at L3.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/vrf.html
The config is the same for routers.
Regards.
Alain.
10-11-2011 11:45 AM
Thanks for your response Alain.
The second part of the article below, "Multiple VLAN inside the same subnet", shows what I'm trying to accomplish.
http://gcharriere.com/blog/?p=620
The purpose was to share an internet link/gateway between two tenants yet prevent traffic from one of the tenant external IPs to that of the other while using the one external IP block that we've been given efficiently.
It'd be best if both tenants could use the same gateway but I need to secure/prevent traffic between the external IPs assigned for the subtenants firewalls.
The chain is like this:
ProviderEdge FastEth -> CustomerEdgeRouter FastEth -> Cisco 200e Switch -> tenant firewalls.
The customer router has two interfaces to be used. FaEth0/0 to the ISP and FaEth0/1 to the internal switch that the firewalls will be connected to.
I'm not too familiar with the VRF functionality. Would you still recommend it in this instance? Looks like VRF requires two physical interfaces on the inside, and since I only have one IP block from the ISP, I'd need to subnet it and lose IPs.
Thanks,
Patrick