07-16-2017 06:47 AM - edited 03-08-2019 11:20 AM
Hello,
I am having some trouble finding information on what I believe should be a very simple setup. We have migrated datacenter, and the new provider operates on Layer 3 only. This means our existing setup using Layer 2 VLANs needs to be tweaked. Everything I have read and tried so far on creating Layer 3 VLANs has not worked, and the new DC cuts our connection temporarily when they detect Layer 2, which makes trial-and-error testing near impossible (not only a 3 hour drive to the DC, but a 30 min ban on network activity when it's wrong).
I have an SG300 switch for this which is set in Layer 3 mode. We have several VLANs on the switch, but the routing between these is managed by a software firewall (running on CentOS 7, which has the required public IPs raised on an interface) which has a network cable directly into each of the VLANs. Therefore all I need is to understand how I take the incoming cable from the datacenter, have them see a Layer 3 device, and have the rest of the VLAN be able to see/use the public IP addresses they have provided and communicate out to the internet.
For reference, the DC has provided us two ranges of public IPs to use:
"We have 40.30.40.136/29 setup as your main range, with 40.30.40.140/141/142 as usable addresses by yourself, and the GW of 40.30.40.139.
The 100.100.100.160/27 IP range you have is statically routed to 40.30.40.141, so any traffic coming into our network for those addresses will get sent to which ever device has 40.30.40.141."
Is the above possible using a VLAN? Firstly I tried having a VLAN using ports 1-6. I gave that VLAN an IP address of 40.30.40.141 and set up a default route for 0.0.0.0 to go out through the gateway 40.30.40.139 (following the guide http://www.thewichitacomputerguy.com/blog/how-set-default-gateway-layer-3-l3-cisco-sg300-switch). As soon as this was plugged in, we got blocked, claiming to be a Layer 2 device. The only way I managed to get their line to stay active (seeing a Layer 3 device) was by having the port their line connects to unassigned from any VLAN.
Am I barking up the wrong tree for this setup? As mentioned previously, on Layer 2 at the old provider a single VLAN with devices using a public IP just worked. I thought that, provided the VLAN had an IP, it would be seen as Layer 3 and this should work.
Instead, do I need to have the port they connect to unassigned from any VLAN, and then somehow share that traffic over? If so, how would that work for passing both IP ranges back out from the VLAN to that port?
Thanks in advance for any help,
J
07-16-2017 07:49 AM
Hello,
please provide a schematic drawing of your current setup, and indicate what you want to achieve in the new setup.
07-17-2017 02:25 AM
Hi Georg,
I have uploaded an image of the planned layout. This is essentially the same as the current setup (other than the new provider having different IP addresses/ranges). All VLANs other than NET can be Layer 2 and have their internal routing managed by the firewalls. This has been tested and is working as expected; it is just the NET VLAN I seem to be having trouble getting to work.
The only other difference between the existing working setup and the planned new one is that the NET VLAN must be seen by the datacenter provider as being Layer 3. Despite having an IP assigned to the NET VLAN and the switch itself being in L3 mode, we got cut off with the following message from the datacenter provider: "Our colo network will only accept connections from Layer 3 devices. Your switch went to shutdown mode as it received BPDU packets. Please change to a Layer 3 device, e.g. firewall/router or Layer 3 switch, to connect to us."
Regards,
J
07-17-2017 09:26 AM
J
Thank you for including the error message, which indicates that the underlying problem is that your SG300 sent a BPDU over this interface. On many Catalyst switches there is a way to solve this issue which uses the interface command no switchport. This command changes the operation of the interface and makes it a routed port, and I believe that it suppresses the sending of BPDUs. I am not an expert on the SG300 switch, so I took a look at the switch administration guide. I did not find anything in the manual that seems to implement the logic of no switchport. Perhaps there is someone else in the forum who is more familiar with these switches and can provide the solution. But pending input from someone else, it appears to me that the SG300 does not have a way to suppress sending BPDUs on an interface.
HTH
Rick
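Added worked example (an editor's addition, not configuration posted in this thread or published by Cisco or the datacenter): one way to give the colo a routed Layer 3 port on the SG300 while keeping the rest of the VLAN design. The Sx300 CLI in Layer 3 mode accepts an IP address directly on a physical port and has a per-port spanning-tree disable, which together cover what no switchport does on a Catalyst. The example assumes: the colo cable lands on port gi1; the NET VLAN is VLAN 10 on ports gi2-gi6; the switch, not the firewall, holds 40.30.40.141; and the 100.100.100.160/27 block is placed on the NET VLAN so that it is directly connected on the switch (switch 100.100.100.161, firewall 100.100.100.162). The port names, VLAN number and the /27 addressing are assumptions; the public ranges and the gateway are the ones quoted in the question.

```text
! SG300 CLI, switch already in Layer 3 mode (set system mode router + reload).
! Assumed: uplink on gi1, NET VLAN = VLAN 10 on gi2-gi6, firewall at 100.100.100.162.
configure
! --- Colo uplink: a routed port with its own address, so it is no longer a
!     VLAN member and no bridging happens toward the provider. (Expected
!     behaviour: assigning an IP to a port removes it from its VLANs; confirm
!     with "show vlan" afterwards.)
interface gi1
 description COLO-UPLINK
 ip address 40.30.40.141 255.255.255.248
 spanning-tree disable
 no cdp enable
 no lldp transmit
 exit
! Default route to the provider gateway quoted in the question.
ip route 0.0.0.0 0.0.0.0 40.30.40.139
! --- NET VLAN: the /27 that the provider routes to .141 lives here as a
!     directly connected network, so the switch forwards it straight to
!     the firewall without any extra static route.
vlan database
 vlan 10
 exit
interface vlan 10
 name NET
 ip address 100.100.100.161 255.255.255.224
 exit
interface range gi2-6
 switchport mode access
 switchport access vlan 10
 exit
exit
copy running-config startup-config
```

The firewall's NET-facing interface then takes 100.100.100.162/27 with its default route via 100.100.100.161; the other /27 addresses remain available on the firewall for NAT or further routed subnets, as before. Note that in this layout the firewall no longer holds 40.30.40.141 itself; the switch does, and .140 and .142 are unused. After applying, check show ip route (a connected 100.100.100.160/27, a connected 40.30.40.136/29, and the default via .139) and show vlan (gi1 in no VLAN). Before plugging the colo cable in, connect a Linux laptop to gi1 and run tcpdump -i eth0 -nn stp for a few minutes: with spanning tree disabled on that port no BPDU should appear, which is the condition the provider is enforcing. Because the switch now answers on a public address, restrict its management plane on the switch itself (management access-list, SSH/HTTPS only) rather than relying on the firewall, which in this design sits behind it.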