Arp and fastethernet subinterfaces for spanning ip across vlans

farallon
Level 1

I'm setting up an edge router to share an internet connection for two separate offices.  I'd like to have one gateway IP for both offices yet make sure the other IPs for the tenants can't access each other via L2 or L3.

The switch ports have been configured as follows:

Port 22: trunk to the router vlan 2, untagged and PVID

Port 23: access vlan 900

Port 24: access vlan 901

The router has been configured as follows:

interface FastEthernet0/1
 ip address ##.###.##.### 255.255.255.240
 no ip redirects
 no ip proxy-arp
 duplex full
 speed auto
 vlan-id dot1q 2
  exit-vlan-config
 !
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1.900
 encapsulation dot1Q 900
 ip unnumbered FastEthernet0/1
 no cdp enable
!
interface FastEthernet0/1.901
 encapsulation dot1Q 901
 ip unnumbered FastEthernet0/1
 no cdp enable

I can't get arp resolution as I get the "wrong cable" errors for the subinterfaces.

I can get it to work if I enable "ip mobile arp" on the subinterfaces or enter static ARP entries for the internal network devices.  Neither of these seems like a viable workaround.  "ip mobile arp" seems to open things up to an IP being able to move around on the network too much, and the static arp would require the subtenants to have us reconfigure the router should they change firewalls or network equipment south of our switch.

Anyone have ideas how to resolve the "wrong cable" issue with the subinterfaces?

I've tried creating a third subint and putting the IP on that one then using "ip unnumbered fa0/1.2" for the fa0/1.900 and fa0/1.901 interfaces but that didn't seem to work either.

Thanks,

Patrick

2 Replies

cadet alain
VIP Alumni

Hi,

Why do you want dot1q subinterfaces which are in different vlans to be in the same subnet? Furthermore, I don't think ip unnumbered works well with ethernet; it was meant for serial interfaces.

I think you could use vrf-lite to segregate them at L3.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/vrf.html

The config is the same for routers.

Regards.

Alain.

Don't forget to rate helpful posts.
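As an added illustration of the vrf-lite suggestion above (example configuration written for this thread, not taken from the post, the linked guide or Patrick's router), each tenant subinterface is placed in its own VRF with its own slice of the public block, and an inbound ACL on each subinterface drops anything addressed to the other tenant's slice. The VRF names, the RFC 5737 addresses 192.0.2.0/28 and 203.0.113.0/30, and the ISP next hop 203.0.113.1 are assumptions, and this design splits the /28 into two /29s rather than keeping one shared gateway address.

```cisco
! Constructed example: one VRF per tenant VLAN (names assumed)
ip vrf TENANT-A
 rd 65000:900
!
ip vrf TENANT-B
 rd 65000:901
!
! Anti-spoof and isolation filters: each tenant may only source
! its own /29 and may not send to the other tenant's /29
ip access-list extended TENANT-A-IN
 deny   ip any 192.0.2.8 0.0.0.7
 permit ip 192.0.2.0 0.0.0.7 any
!
ip access-list extended TENANT-B-IN
 deny   ip any 192.0.2.0 0.0.0.7
 permit ip 192.0.2.8 0.0.0.7 any
!
interface FastEthernet0/0
 description to ISP (addresses assumed)
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.900
 encapsulation dot1Q 900
 ip vrf forwarding TENANT-A
 ip address 192.0.2.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip access-group TENANT-A-IN in
!
interface FastEthernet0/1.901
 encapsulation dot1Q 901
 ip vrf forwarding TENANT-B
 ip address 192.0.2.9 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip access-group TENANT-B-IN in
!
! Each VRF's default route goes straight to the ISP next hop, which
! is resolved in the global table; the global table routes each
! tenant's /29 back into the matching VRF interface
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 FastEthernet0/0 203.0.113.1 global
ip route vrf TENANT-B 0.0.0.0 0.0.0.0 FastEthernet0/0 203.0.113.1 global
ip route 192.0.2.0 255.255.255.248 FastEthernet0/1.900
ip route 192.0.2.8 255.255.255.248 FastEthernet0/1.901
```

The ACLs are what actually enforce tenant-to-tenant isolation: the separate VRF tables alone would not stop a packet from one tenant that hairpins out to the ISP and is routed back into the other tenant's /29.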

Thanks for your response Alain.

The second part of the article below, Multiple VLAN inside the same subnet, shows what I'm trying to accomplish.

http://gcharriere.com/blog/?p=620

The purpose was to share an internet link/gateway between two tenants yet prevent traffic from one of the tenant external IPs to that of the other while using the one external IP block that we've been given efficiently.

It'd be best if both tenants could use the same gateway but I need to secure/prevent traffic between the external IPs assigned for the subtenants firewalls.

The chain is like this:

ProviderEdge FastEth -> CustomerEdgeRouter FastEth -> Cisco 200e Switch -> tenant firewalls.

The customer router has two interfaces to be used.  FaEth0/0 to the ISP and FaEth0/1 to the internal switch that the firewalls will be connected to.

I'm not too familiar with the VRF functionality.  Would you still recommend it in this instance?  It looks like VRF requires two physical interfaces on the inside, and since I only have one ip block from the ISP, I'd need to subnet it and lose IPs.


Thanks,

Patrick
