04-30-2013 04:20 AM - edited 03-07-2019 01:06 PM
Hi all, nice to meet everyone.
This is my first time posting a question so I hope you'll all bear with me!
I've turned up a new layer 2 WAN link between two data centres and I'm having some trouble trying to logically figure out how things should be configured.
As you can see from the diagram I've created, I have the link connected on port 13 on one switch and port 14 on the other. Both ports have an IP address assigned to them and they can both ping each other. Great!
The problem comes when I need to add routes in order to get traffic flowing over the link.
I added an IP address to switch 2 on the link interface (port 14) as:
192.168.4.10
I then added an IP address to switch 1 on the link interface (port 13) as:
192.168.1.10
192.168.2.10
When I tried to add 192.168.3.10, it said "192.168.3.0 overlaps with VLAN2626". This would be correct as VLAN 2626 has an IP address of 192.168.3.15.
However, if I remove the IP address from VLAN 2626 and add 192.168.3.10 to VLAN 2 (the link port VLAN), I would surely lose remote access to the switch. (I'm telnetting into the switch from a machine on VLAN 2626.)
I started to tinker with this by manually adding a route to a server in each location and seeing if I could get traffic to flow:
On server 1: route add 192.168.4.0 MASK 255.255.255.0 192.168.1.10 METRIC 1
On server 2: route add 192.168.1.0 MASK 255.255.255.0 192.168.4.10 METRIC 1
If I try to tracert 192.168.1.20 from server 2, the first hop is the default gateway instead of 192.168.4.10.
Could someone tell me if I'm doing this correctly or if I need to change what I'm doing?
The ultimate goal is to add the static routes to the layer 3 router/firewall, but before I do that, I need to be sure of what to add to that router. (It's a managed firewall from the data centre, so I don't have access to it and I need to raise firewall change requests to get the work done, so I want to ensure it's right first time.)
Thanks to all in advance.
04-30-2013 06:51 AM
Could you put a description on the interfaces in your switch configs, sanitize passwords, and post them here? I feel like there are some bits of info that would be very helpful to see in there....
Thanks!
04-30-2013 07:23 AM
Building configuration...
Current configuration : 4294 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 test
enable password test2
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-48ts-l
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
switchport access vlan 2
switchport mode trunk
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.4.10 255.255.255.0
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
snmp-server community public RO
!
line con 0
line vty 0 4
password test2
login
line vty 5 15
password test2
login
!
end
and
Building configuration...
Current configuration : 7132 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch-02
!
boot-start-marker
boot-end-marker
!
enable secret 5 test
enable password test2
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-48ts-l
!
!
vtp mode transparent
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 2,11,2622,2626
!
!
!
interface Port-channel1
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 2626
switchport mode access
no cdp enable
!
interface GigabitEthernet1/0/6
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 2
switchport mode trunk
!
interface GigabitEthernet1/0/14
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/32
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/36
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/43
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/45
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/46
switchport access vlan 2626
switchport mode access
!
interface GigabitEthernet1/0/47
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
!
interface GigabitEthernet1/0/48
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.1.10 255.255.255.0
!
interface Vlan11
no ip address
!
interface Vlan2622
no ip address
!
interface Vlan2626
description S604265_2626
ip address 192.168.2.10 255.255.255.0
!
ip http server
ip http secure-server
snmp-server community public RO
!
line con 0
line vty 0 4
password test
login
line vty 5 15
password test
login
!
end
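Before a change request goes in, a practitioner would want the two posted configurations checked mechanically rather than by eye: for the subnet overlap IOS complained about ("overlaps with VLAN2626"), and for the management-plane settings visible in them (clear-text line and enable passwords, the well-known "public" SNMP community, HTTP and telnet management). The following is an added example, not code from the thread or from Cisco. It runs on a constructed, trimmed copy of the switch-02 configuration above, with the 192.168.3.10/24 address the poster tried to add placed on Vlan2 as a secondary so the overlap check has something to report.

```python
"""Audit a Cisco IOS switch configuration for overlapping subnets and weak
management settings.

Added example, not from the thread. SAMPLE_CONFIG is a constructed, trimmed copy
of the switch-02 configuration posted above, with the 192.168.3.10/24 address the
poster tried to add placed on Vlan2 as a secondary so that the overlap check (the
"overlaps with VLAN2626" rejection IOS gave) has something to report.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname switch-02
no service password-encryption
enable secret 5 test
enable password test2
!
interface Vlan2
 ip address 192.168.1.10 255.255.255.0
 ip address 192.168.3.10 255.255.255.0 secondary
!
interface Vlan2626
 description S604265_2626
 ip address 192.168.3.15 255.255.255.0
!
ip http server
ip http secure-server
snmp-server community public RO
!
line con 0
line vty 0 4
 password test
 login
line vty 5 15
 password test
 login
!
end
"""

IP_ADDRESS_RE = re.compile(r"^ip address (\S+) (\S+)(?: secondary)?$")


def stanzas(config, prefix):
    """Return {header: [body lines]} for each top-level stanza whose header starts
    with prefix. IOS marks stanza bodies by indentation, so any unindented line
    (including the '!' separators) ends the current stanza."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(prefix):
            current = line.strip()
            out[current] = []
        elif current is not None and line[:1].isspace():
            out[current].append(line.strip())
        else:
            current = None
    return out


def parse_interfaces(config):
    """{interface name: [IPv4Interface, ...]} for every interface carrying an address."""
    result = {}
    for header, body in stanzas(config, "interface ").items():
        name = header.split(None, 1)[1]
        addrs = []
        for entry in body:
            m = IP_ADDRESS_RE.match(entry)
            if m:
                # ipaddress accepts the dotted-netmask form IOS uses.
                addrs.append(ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}"))
        if addrs:
            result[name] = addrs
    return result


def find_overlaps(interfaces):
    """Pairs of configured addresses whose subnets overlap. IOS refuses to configure
    the second one ("... overlaps with ..."), so this reproduces that check offline."""
    entries = [(name, a) for name, addrs in interfaces.items() for a in addrs]
    overlaps = []
    for i, (name_a, addr_a) in enumerate(entries):
        for name_b, addr_b in entries[i + 1:]:
            if addr_a.network.overlaps(addr_b.network):
                overlaps.append((name_a, name_b, str(addr_b.network)))
    return overlaps


def audit_management(config):
    """Management-plane settings a reviewer would flag, as a list of finding strings."""
    findings = []
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("line and enable passwords are stored in clear text "
                        "(no service password-encryption)")
    if re.search(r"^enable password ", config, re.M):
        findings.append("type-0 'enable password' is set alongside 'enable secret'")
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)", config, re.M):
        if m.group(1).lower() in ("public", "private"):
            findings.append(f"well-known SNMP community '{m.group(1)}' with {m.group(2)} access")
    if re.search(r"^ip http server$", config, re.M):
        findings.append("clear-text HTTP management is enabled (ip http server)")
    # A vty without 'transport input ssh' accepts telnet, so the line password and
    # every command typed afterwards cross the network in clear text.
    for header, body in stanzas(config, "line vty").items():
        if not any(b.startswith("transport input ssh") for b in body):
            findings.append(f"{header}: telnet accepted (no 'transport input ssh')")
    return findings


if __name__ == "__main__":
    for name_a, name_b, net in find_overlaps(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name_a} and {name_b} both carry {net}")
    for finding in audit_management(SAMPLE_CONFIG):
        print("finding:", finding)
```

The overlap check is the same test IOS applies at configuration time, so running it over a planned config catches the "overlaps with" rejection before the change window; the management findings are about the settings, not the values, since the passwords in the posted configs are already sanitized.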
04-30-2013 07:59 AM
I am a bit confused on exactly what you are trying to do. You say in your topology diagram that you have VLAN 2 on the switches set as 10.240.31.1 and 10.240.31.1, yet in the configuration you have VLAN interface 2 set as 192.168.4.10/24 and 192.168.1.10/24 - not in the same subnet, which would cause a connection issue.
I don't see the 10.240.31.x subnet on either switch? You also state this is a layer 2 WAN link. Is this a physical link between two switches that are in the same datacenter?
04-30-2013 08:13 AM
I think the IP address confusion is not needed. The switches are L2 switches, so really the only IP needed on those units is for management. I would forget about the switch IPs for now.
My understanding is that Ian is trying to use the switch to extend the L2 WAN link up to the firewalls so it can be routed. Then how to set the routes in the firewall/router so that the L2 WAN link can be traversed.
Is that it in a nut shell Ian? I want to make sure I'm solving THE problem not what I think the problem is lol
04-30-2013 08:19 AM
Ian,
Let me ask this: What VLAN/subnet combos are for what? I.e., what is the subnet at the data center on the right and left, and what subnet should be run over the L2 WAN link?
04-30-2013 09:21 AM
We have a similar setup, and if you are just planning on using L2 trunking between the two switches, just set up the two ports in trunk mode and allow the VLANs. You don't need to put IPs on them; that would be for layer 3. You'll need your L3 devices to handle the routing.
04-30-2013 01:40 PM
I'll try to answer all of your queries so here you go!
Kyle:
I had modified the IPs on the ports to try and get some static routes added to two test machines on either side of the link.
I figured if I had an IP in the respective ranges, I could get traffic to flow, but I could not.
Schaef:
You're correct. My aim is to let the layer 3 firewalls handle the routing.
The ultimate question is: when I log a ticket with the data centre and ask them to put in routes for me, should I just leave the L2 link as layer 2 with no IP addresses, and basically ask the data centre to create a route to the destination network using the destination firewall as the gateway for the route?
E.G.
Assuming:
Firewall for switch 1 is 192.168.4.1
Firewall for switch 2 is 192.168.1.1
Firewall for switch 2 is also 192.168.2.1
On Firewall for switch 2:
route add 192.168.4.0 MASK 255.255.255.0 192.168.4.1 METRIC 1
On Firewall for switch 1:
route add 192.168.1.0 MASK 255.255.255.0 192.168.1.1 METRIC 1
route add 192.168.2.0 MASK 255.255.255.0 192.168.2.1 METRIC 1
Does this mean that Firewall 1 can see Firewall 2 through the Layer 2 link (and vice versa), and all it needs are routes?
Mohammad Ali:
If you put the ports into trunk mode, aren't all VLANs inherently allowed if you don't restrict them?
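The check a practitioner would run before raising the change request is whether each proposed next hop sits in a subnet the firewall is directly connected to, since a static route is only usable in one hop when the router can ARP for its gateway on a connected interface. The following is an added example, not code from the thread or from either firewall: it classifies the routes proposed above using the hypothetical firewall addresses from the post (192.168.4.1; 192.168.1.1 and 192.168.2.1) with /24 masks assumed from the route commands, then shows the same routes with a hypothetical transit subnet on the link VLAN (10.240.31.0/24, drawn from the range mentioned in the thread, addresses assumed), and finishes with the longest-prefix lookup a host performs when it has both a default gateway and one specific route.

```python
"""Check proposed static routes against a router's directly connected subnets,
and show which entry a longest-prefix lookup picks.

Added example, not from the thread. Firewall addresses are the hypothetical values
from the post above with /24 masks assumed from the route commands; the
10.240.31.0/24 transit subnet and the .1/.2 addresses on it are assumed.
"""
import ipaddress

# Constructed from the post: firewall 1 fronts the 192.168.4.0/24 side,
# firewall 2 fronts 192.168.1.0/24 and 192.168.2.0/24.
FIREWALL_1 = ["192.168.4.1/24"]
FIREWALL_2 = ["192.168.1.1/24", "192.168.2.1/24"]

# Routes as proposed in the post: (router's connected subnets, destination, next hop).
PROPOSED = [
    (FIREWALL_2, "192.168.4.0/24", "192.168.4.1"),
    (FIREWALL_1, "192.168.1.0/24", "192.168.1.1"),
    (FIREWALL_1, "192.168.2.0/24", "192.168.2.1"),
]

# Hypothetical alternative: each firewall also holds an address on the link VLAN
# (10.240.31.1 and 10.240.31.2, assumed) and points at the other's link address.
TRANSIT_1 = FIREWALL_1 + ["10.240.31.1/24"]
TRANSIT_2 = FIREWALL_2 + ["10.240.31.2/24"]
TRANSIT_ROUTES = [
    (TRANSIT_2, "192.168.4.0/24", "10.240.31.1"),
    (TRANSIT_1, "192.168.1.0/24", "10.240.31.2"),
    (TRANSIT_1, "192.168.2.0/24", "10.240.31.2"),
]


def classify_route(connected, destination, next_hop):
    """Classify a static route by how its next hop can be reached.

    'onlink'       next hop lies in a directly connected subnet; the router can ARP
                   for it and forward in one hop.
    'self'         next hop is one of the router's own addresses.
    'unresolvable' next hop is not connected and lies inside the route's own
                   destination prefix, so the only route that could resolve it is
                   this route itself.
    'recursive'    next hop is not connected; usable only if some other route
                   covers it.
    """
    nh = ipaddress.IPv4Address(next_hop)
    dest = ipaddress.IPv4Network(destination)
    ifaces = [ipaddress.IPv4Interface(c) for c in connected]
    if any(nh == i.ip for i in ifaces):
        return "self"
    if any(nh in i.network for i in ifaces):
        return "onlink"
    if nh in dest:
        return "unresolvable"
    return "recursive"


def classify_all(routes):
    """[(destination, next_hop, classification)] for (connected, dest, nh) tuples."""
    return [(d, nh, classify_route(c, d, nh)) for c, d, nh in routes]


def next_hop_for(table, address):
    """Longest-prefix match over [(prefix, next_hop)], as a host's forwarding lookup
    does; None when nothing (not even a default route) matches."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for prefix, nh in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


if __name__ == "__main__":
    for dest, nh, verdict in classify_all(PROPOSED):
        print(f"proposed {dest} via {nh}: {verdict}")
    for dest, nh, verdict in classify_all(TRANSIT_ROUTES):
        print(f"transit  {dest} via {nh}: {verdict}")
    # The server-2 route from the first post beside a default route (default gateway
    # assumed to be firewall 1): the /24 wins only for its own prefix.
    table = [("0.0.0.0/0", "192.168.4.1"), ("192.168.1.0/24", "192.168.4.10")]
    print(next_hop_for(table, "192.168.1.20"), next_hop_for(table, "198.51.100.7"))
```

Running it shows the difference between a next hop inside the destination prefix and one on a subnet the router actually has an interface in; the lookup at the end is the rule a tracert is following when it reports its first hop, so a specific route that is installed shows up there, and one that is not leaves the default gateway as the first hop.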
05-01-2013 09:08 AM
Yes that is correct.
05-02-2013 08:31 AM
Since it's a L2 link, the IP addresses are not needed. They really don't do anything from a connectivity standpoint aside from give you another address to telnet/ssh to. The only IPs needed on the switches are whatever is existing for management currently, really...