Layer 2 link configuration

ianmoroney
Level 1

Hi all, nice to meet everyone.

This is my first time posting a question so I hope you'll all bear with me!

I've turned up a new layer 2 WAN link between two data centres and I'm having some trouble trying to logically figure out how things should be configured.

As you can see from the diagram I've created, I have the link connected on port 13 on one switch and port 14 on the other. Both ports have an IP address assigned to them and they can both ping each other. Great!

The problem comes when I need to add routes in order to get traffic flowing over the link.

I added an IP address to switch 2 on the link interface (port 14) as:

192.168.4.10

I then added an IP address to switch 1 on the link interface (port 13) as:

192.168.1.10

192.168.2.10

When I tried to add 192.168.3.10, it said "192.168.3.0 overlaps with VLAN2626". This would be correct as Vlan 2626 has an IP address of 192.168.3.15.

However, if I remove the IP address from vlan 2626 and add 192.168.3.10 to vlan 2 (the link port VLAN), I would surely lose remote access to the switch. (I'm telnetting into the switch from a machine on vlan 2626).

I started to tinker with this by manually adding a route to a server in each location and seeing if I could get traffic to flow:

On server 1: route add 192.168.4.0 MASK 255.255.255.0 192.168.1.10 METRIC 1

On server 2: route add 192.168.1.0 MASK 255.255.255.0 192.168.4.10 METRIC 1

If I try to tracert 192.168.1.20 from server 2, the first hop is the default gateway instead of 192.168.4.10.

Could someone tell me if I'm doing this correctly or if I need to change what I'm doing?

The ultimate goal is to add the static routes to the Layer 3 router/firewall, but before I do that, I need to be sure of what to add to that router. (It's a managed firewall from the data centre, so I don't have access to it and I need to raise firewall change requests to get the work done, so I want to ensure it's right first time.)

Thanks to all in advance.

9 Replies

schaef350
Level 1

Could you put a description on the interfaces in your switch configs, sanitize passwords, and post them here? I feel like there are some bits of info that would be very helpful to see in there...

Thanks!

- Be sure to rate all helpful posts

Building configuration...

Current configuration : 4294 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname switch-01

!

boot-start-marker

boot-end-marker

!

enable secret 5 test

enable password test2

!

!

!

no aaa new-model

switch 1 provision ws-c2960s-48ts-l

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

!

!

interface FastEthernet0

ip address 10.1.0.1 255.255.255.0

!

interface GigabitEthernet1/0/1

!

interface GigabitEthernet1/0/2

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

!

interface GigabitEthernet1/0/5

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

!

interface GigabitEthernet1/0/12

!

interface GigabitEthernet1/0/13

!

interface GigabitEthernet1/0/14

switchport access vlan 2

switchport mode trunk

!

interface GigabitEthernet1/0/15

!

interface GigabitEthernet1/0/16

!

interface GigabitEthernet1/0/17

!

interface GigabitEthernet1/0/18

!

interface GigabitEthernet1/0/19

!

interface GigabitEthernet1/0/20

!

interface GigabitEthernet1/0/21

!

interface GigabitEthernet1/0/22

!

interface GigabitEthernet1/0/23

!

interface GigabitEthernet1/0/24

!

interface GigabitEthernet1/0/25

!

interface GigabitEthernet1/0/26

!

interface GigabitEthernet1/0/27

!

interface GigabitEthernet1/0/28

!

interface GigabitEthernet1/0/29

!

interface GigabitEthernet1/0/30

!

interface GigabitEthernet1/0/31

!

interface GigabitEthernet1/0/32

!

interface GigabitEthernet1/0/33

!

interface GigabitEthernet1/0/34

!

interface GigabitEthernet1/0/35

!

interface GigabitEthernet1/0/36

!

interface GigabitEthernet1/0/37

!

interface GigabitEthernet1/0/38

!

interface GigabitEthernet1/0/39

!

interface GigabitEthernet1/0/40

!

interface GigabitEthernet1/0/41

!

interface GigabitEthernet1/0/42

!

interface GigabitEthernet1/0/43

!

interface GigabitEthernet1/0/44

!

interface GigabitEthernet1/0/45

!

interface GigabitEthernet1/0/46

!

interface GigabitEthernet1/0/47

!

interface GigabitEthernet1/0/48

!

interface GigabitEthernet1/0/49

!

interface GigabitEthernet1/0/50

!

interface GigabitEthernet1/0/51

!

interface GigabitEthernet1/0/52

!

interface Vlan1

no ip address

shutdown

!

interface Vlan2

ip address 192.168.4.10 255.255.255.0

!

ip http server

ip http secure-server

ip sla enable reaction-alerts

snmp-server community public RO

!

line con 0

line vty 0 4

password test2

login

line vty 5 15

password test2

login

!

end

and

Building configuration...

Current configuration : 7132 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname switch-02

!

boot-start-marker

boot-end-marker

!

enable secret 5 test

enable password test2

!

!

!

no aaa new-model

switch 1 provision ws-c2960s-48ts-l

!

!

vtp mode transparent

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

vlan 2,11,2622,2626

!

!

!

interface Port-channel1

switchport mode trunk

switchport nonegotiate

!

interface FastEthernet0

no ip address

!

interface GigabitEthernet1/0/1

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/2

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/3

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/4

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/5

switchport access vlan 2626

switchport mode access

no cdp enable

!

interface GigabitEthernet1/0/6

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/7

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/8

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/9

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/10

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/11

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/12

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/13

switchport access vlan 2

switchport mode trunk

!

interface GigabitEthernet1/0/14

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/15

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/16

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/17

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/18

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/19

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/20

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/21

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/22

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/23

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/24

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/25

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/26

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/27

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/28

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/29

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/30

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/31

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/32

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/33

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/34

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/35

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/36

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/37

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/38

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/39

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/40

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/41

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/42

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/43

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/44

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/45

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/46

switchport access vlan 2626

switchport mode access

!

interface GigabitEthernet1/0/47

switchport mode trunk

switchport nonegotiate

channel-group 1 mode on

!

interface GigabitEthernet1/0/48

switchport mode trunk

switchport nonegotiate

channel-group 1 mode on

!

interface GigabitEthernet1/0/49

!

interface GigabitEthernet1/0/50

!

interface GigabitEthernet1/0/51

!

interface GigabitEthernet1/0/52

!

interface Vlan1

no ip address

shutdown

!

interface Vlan2

ip address 192.168.1.10 255.255.255.0

!

interface Vlan11

no ip address

!

interface Vlan2622

no ip address

!

interface Vlan2626

description S604265_2626

ip address 192.168.2.10 255.255.255.0

!

ip http server

ip http secure-server

snmp-server community public RO

!

line con 0

line vty 0 4

password test

login

line vty 5 15

password test

login

!

end

I am a bit confused on exactly what you are trying to do. You say in your topology diagram that you have VLAN 2 on the switches set as 10.240.31.1 and 10.240.31.1, yet in the configuration you have VLAN interface 2 set as 192.168.4.10/24 and 192.168.1.10/24. Those are not in the same subnet, which would cause a connection issue.

I don't see 10.240.31.x subnet on either switch? You also state this is a layer 2 WAN link. Is this a physical link between two Switches that are in the same datacenter?

I think the IP address confusion is not needed. The switches are L2 switches, so really the only IP needed on those units is for management. I would forget about the switch IPs for now.

My understanding is that Ian is trying to use the switch to extend the L2 WAN link up to the firewalls so it can be routed.  Then how to set the routes in the firewall/router so that the L2 WAN link can be traversed. 

Is that it in a nut shell Ian?  I want to make sure I'm solving THE problem not what I think the problem is lol 

- Be sure to rate all helpful posts

Ian,

Let me ask this: What VLAN/subnet combos are for what? I.e. what is the subnet at the data centre on the right and left, and what subnet should be run over the L2 WAN link?

- Be sure to rate all helpful posts

We have a similar setup, and if you are just planning on using L2 trunking between the two switches, just set up the two ports in trunk mode and allow the VLANs. You don't need to put IPs on them; that would be for Layer 3. You'll need your L3 devices to handle the routing.
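For reference, this is what the WAN-facing port looks like when it is left as a pure trunk, as the reply above suggests. It is an added example and not config from the thread. The interface and VLAN numbers are the ones in the posted configs; the native VLAN 999 is an assumption (any otherwise unused VLAN works). Note that the `switchport access vlan 2` line in the posted configs has no effect once the port is in trunk mode; which VLANs are tagged across the link is governed by `switchport trunk allowed vlan`, and VLAN 2626 has to exist on switch-01 as well as switch-02 for hosts on it to be reachable across the link.

```text
! switch-01 Gi1/0/14 facing the carrier's L2 WAN link.
! Mirror the same block on switch-02 Gi1/0/13 with the description swapped.
vlan 2,2626
!
interface GigabitEthernet1/0/14
 description L2 WAN link to switch-02 Gi1/0/13
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,2626
 no shutdown
!
! Nothing else is needed on the switch for traffic to cross the link.
! The Vlan2 SVI (192.168.4.10 / 192.168.1.10 in the posted configs) is
! only a management address and takes no part in forwarding.
```

`switchport nonegotiate` turns DTP off toward the carrier, so the trunk does not depend on negotiation with a device you do not control; pinning the native VLAN to an unused number means untagged frames arriving from the far side cannot land in a production VLAN, and the explicit allowed list keeps any VLAN you later create from leaking across the WAN by default. Check it on both ends with `show interfaces trunk`.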

I'll try to answer all of your queries so here you go!

Kyle:

I had modified the IPs on the ports to try and get some static routes added to two test machines on either side of the link.

I figured if I had an IP in the respective ranges, that I could get traffic to flow, but I could not.

Schaef:

You're correct. My aim is to let the layer 3 firewalls handle the routing.

The ultimate question, is when I log a ticket with the data centre and ask them to put in routes for me, should I just leave the L2 link as layer 2 with no IP addresses, and basically ask the data centre to create a route to the destination network using the destination firewall as the gateway for the route?

E.G.

Assuming:

Firewall for switch 1 is 192.168.4.1

Firewall for switch 2 is 192.168.1.1

Firewall for switch 2 is also 192.168.2.1

On Firewall for switch 2:

route add 192.168.4.0 MASK 255.255.255.0 192.168.4.1 METRIC 1

On Firewall for switch 1:

route add 192.168.1.0 MASK 255.255.255.0 192.168.1.1 METRIC 1

route add 192.168.2.0 MASK 255.255.255.0 192.168.2.1 METRIC 1

Does this mean that Firewall 1 can see Firewall 2 through the Layer 2 link (and vice versa), and all it needs are routes?

Mohammad Ali:

If you put the ports into trunk mode, aren't all VLANs inherently allowed if you don't restrict them?
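The routes proposed in the post above, and the server-side `route add` attempts in the original question, share one requirement that is easy to get wrong when asking a provider to add routes: a static route's next hop must be an address on a subnet the routing device is itself directly connected to. The script below is an added example, not code from the thread. It takes the firewall addresses from the post (192.168.4.1 on the switch-1 side, 192.168.1.1 and 192.168.2.1 on the switch-2 side) and assumes, as the hypothetical corrected design, that each firewall gets an address on the VLAN carried over the Layer 2 link, here 10.240.31.0/24 with .1 and .2, and points at the other firewall's address there. It then checks both designs for off-link next hops and for missing return paths.

```python
"""Static-route sanity check for two firewalls joined by a Layer 2 link.

Added example, not from the original thread. Firewall addresses
192.168.4.1, 192.168.1.1 and 192.168.2.1 come from the thread; the
transit subnet 10.240.31.0/24 and the names fw1/fw2 are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import (IPv4Address, IPv4Interface, IPv4Network,
                       ip_address, ip_interface, ip_network)


@dataclass
class Router:
    name: str
    interfaces: list[IPv4Interface]
    routes: list[tuple[IPv4Network, IPv4Address]] = field(default_factory=list)

    def connected(self) -> list[IPv4Network]:
        return [i.network for i in self.interfaces]

    def on_link(self, addr: IPv4Address) -> bool:
        # A next hop is usable only if it lies in a directly connected subnet
        # and is not one of this device's own addresses.
        return any(addr in i.network and addr != i.ip for i in self.interfaces)

    def lookup(self, dst: IPv4Network):
        """Longest-prefix match over connected subnets and static routes.
        Returns (matching_prefix, next_hop) with next_hop None when connected."""
        best = None
        for net in self.connected():
            if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, None)
        for net, nh in self.routes:
            if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def check(routers: list[Router]) -> list[str]:
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    for r in routers:
        for prefix, nh in r.routes:
            if not r.on_link(nh):
                problems.append(f"{r.name}: next hop {nh} for {prefix} is not on a connected subnet")
            if prefix in r.connected():
                problems.append(f"{r.name}: {prefix} is directly connected, static route is redundant")
    # Every subnet behind one firewall needs a route on the other, in both
    # directions; a missing return path black-holes traffic just as surely.
    for a in routers:
        for b in routers:
            if a is b:
                continue
            for net in b.connected():
                if net in a.connected():
                    continue  # shared transit subnet, nothing to route
                if a.lookup(net) is None:
                    problems.append(f"{a.name}: no route to {net} behind {b.name}")
    return problems


def proposed_design() -> list[Router]:
    """Routes as proposed in the thread: next hop is the far side's own gateway."""
    fw1 = Router("fw1", [ip_interface("192.168.4.1/24")],
                 [(ip_network("192.168.1.0/24"), ip_address("192.168.1.1")),
                  (ip_network("192.168.2.0/24"), ip_address("192.168.2.1"))])
    fw2 = Router("fw2", [ip_interface("192.168.1.1/24"), ip_interface("192.168.2.1/24")],
                 [(ip_network("192.168.4.0/24"), ip_address("192.168.4.1"))])
    return [fw1, fw2]


def transit_design() -> list[Router]:
    """Assumed fix: both firewalls sit on the VLAN that rides the L2 link
    (10.240.31.0/24) and each points at the peer firewall's transit address."""
    fw1 = Router("fw1", [ip_interface("192.168.4.1/24"), ip_interface("10.240.31.1/24")],
                 [(ip_network("192.168.1.0/24"), ip_address("10.240.31.2")),
                  (ip_network("192.168.2.0/24"), ip_address("10.240.31.2"))])
    fw2 = Router("fw2", [ip_interface("192.168.1.1/24"), ip_interface("192.168.2.1/24"),
                         ip_interface("10.240.31.2/24")],
                 [(ip_network("192.168.4.0/24"), ip_address("10.240.31.1"))])
    return [fw1, fw2]


if __name__ == "__main__":
    for label, design in (("proposed", proposed_design()), ("transit", transit_design())):
        print(label, check(design) or "OK")
```

Run stand-alone, the proposed design reports three off-link next hops (each firewall has no interface in the subnet its next hop lives in), while the transit design passes. The same test explains the `tracert` result in the original question: a host route whose gateway is not on the host's own subnet is either rejected or never preferred, so the packet falls through to the default gateway. Before filing the change request, put the exact prefixes and next hops into `proposed_design()`-style entries and make sure `check()` returns nothing.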

Yes that is correct.

Since it's an L2 link, the IP addresses are not needed. They really don't do anything from a connectivity standpoint aside from giving you another address to telnet/ssh to. The only IPs needed on the switches are whatever is existing for management currently, really...

- Be sure to rate all helpful posts