Switch 3560: configuring OSPF with 2 process IDs on the same interface

Amadou48037
Level 1

Hello,

 

I am currently configuring a Cisco 3560 layer 3 switch connected to another router, to be able to reach a new network.

Currently my switch is connected to another router with this interface:

 

interface GigabitEthernet1/2
description to PE_N
switchport access vlan 1016
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1016
switchport mode trunk

 

OSPF is enabled and I can reach all networks. Below is the current configuration to reach the other networks:

(Server in VLAN SIG testbed can reach network 10.29.105.0/28)

(Servers in VLAN OAM can reach a network)

...

vlan 35
name VLAN_OAM
!
vlan 178
name VLAN SIG testbed
!
vlan 1016
name Sig_PE3

!

.....

interface GigabitEthernet0/5
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 35
switchport mode access

....

interface GigabitEthernet0/17
description to server1_ETH5
switchport access vlan 178
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description to server2_ETH5
switchport access vlan 178
switchport mode access
spanning-tree portfast

....

interface Vlan35
ip address 192.168.35.45 255.255.255.240
!
interface Vlan178
description VLAN_SIG_testbed
ip address 10.15.104.1 255.255.255.240
!
interface Vlan1016
description MPLS_Maquette
ip address 10.96.96.2 255.255.255.252
!

interface Vlan178
description VLAN_SIG_testbed
ip address 10.15.104.1 255.255.255.240

!
router ospf 12
network 10.15.104.0 0.0.0.15 area 0
network 10.96.96.0 0.0.0.3 area 0
network 192.168.35.32 0.0.0.15 area 0

 

I have to add other networks (10.29.153.64/28 and 10.30.153.64/28) to be reachable from 192.168.35.16/28, and I am not sure if this can be done by defining a new OSPF instance ID, because if I add it to instance ID 12, a loop happens between my 3560 L3 switch and the adjacent router:

The first try I did was as below, where I created a new VLAN 1017 and then added VLAN 1017 to the interface Gi1/2:

!

vlan 1017
name Diameter_PE3

!

....

!

interface GigabitEthernet0/12
switchport access vlan 188
switchport mode access
switchport mode access
spanning-tree portfast

!

....

!

interface GigabitEthernet1/2
description to PE3_NE40
switchport access vlan 1016
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1016,1017
switchport mode trunk

 

!
interface Vlan188
description VLAN_DMTR_mqt
ip address 192.168.35.19 255.255.255.240
!
interface Vlan1017
description MPLS__mqt
ip address 10.96.96.6 255.255.255.252
!
router ospf 12
network 10.15.104.0 0.0.0.15 area 0
network 10.96.96.0 0.0.0.3 area 0
network 10.96.96.4 0.0.0.3 area 0
network 192.168.35.16 0.0.0.15 area 0
network 192.168.35.32 0.0.0.15 area 0

 

===> then the opposite side was still not able to reach my server inside the network 192.168.35.16/28.

 

Now I am looking to create a new instance ID, so it will look like this:

 

router ospf 12
network 10.15.104.0 0.0.0.15 area 0
network 10.96.96.0 0.0.0.3 area 0
network 192.168.35.32 0.0.0.15 area 0

 

router ospf 13
network 10.96.96.4 0.0.0.3 area 0
network 192.168.35.16 0.0.0.15 area 0

 

Is it possible? Or do I have to create virtual interfaces on Gi1/2, like Gi1/2.1016 and Gi1/2.1017, in order to reach both networks?

 

If I look at the routes, it seems that everything is going through 10.96.96.1 instead of 10.96.96.5.

Output from the sh ip route command:

 

SW_TB#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

 

Gateway of last resort is 10.96.96.1 to network 0.0.0.0

 

C 10.15.104.0/28 is directly connected, Vlan178
L 10.15.104.1/32 is directly connected, Vlan178

 

C 10.96.96.0/30 is directly connected, Vlan1016
L 10.96.96.2/32 is directly connected, Vlan1016

 

C 10.96.96.4/30 is directly connected, Vlan1017
L 10.96.96.6/32 is directly connected, Vlan1017

 

O 10.29.153.64/28 [110/42] via 10.96.96.1, 01:13:54, Vlan1016

O 10.30.153.64/28 [110/42] via 10.96.96.1, 01:13:55, Vlan1016

 

O 10.29.105.0/24 [110/107] via 10.96.96.1, 01:13:54, Vlan1016

 

 

C 192.168.35.16/28 is directly connected, Vlan188
L 192.168.35.19/32 is directly connected, Vlan188
C 192.168.35.32/28 is directly connected, Vlan35
L 192.168.35.45/32 is directly connected, Vlan35

 

Many thanks for your answers.

 

 


Reza Sharifi
Hall of Fame

Hi,

You only have one gateway to the router and that is interface g1/2. You are also peering OSPF with the neighbor router using vlan 1016 and that is all you need for peering. Why do you need to add a second vlan to the interface between the switch and the router (g1/2)? Also, there seems to be a default route installed on the switch that is pointing to gateway 10.96.96.1.

Gateway of last resort is 10.96.96.1 to network 0.0.0.0

Can you post the output of "sh run" and also "sh ip ospf nei"?

The 3560 series switches are not capable of doing sub-interfaces. If you want to use a vrf, you would need the enterprise IOS installed first.

HTH

Dear Reza,

Thank you for your feedback.

Below is the output of the command:

 

SW_TB_DMC#sh run
Building configuration...

Current configuration : 6105 bytes
!
! Last configuration change at 01:17:38 UTC Fri Oct 4 2013
! NVRAM config last updated at 01:17:40 UTC Fri Oct 4 2013
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SW_T
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
ip device tracking
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1620896128
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1620896128
revocation-check none
rsakeypair TP-self-signed-1620896128
!
!
crypto pki certificate chain TP-self-signed-1620896128
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 29
name VLAN_SIGTRAN_B
!
vlan 30
name VLAN_SIGTRAN_A
!
vlan 35
name VLAN_OAM
!
vlan 155
name LAN_CVR
!
vlan 170
name VLAN_SYNC_MYSQL
!
vlan 171
name VLAN_BEP-SQL
!
vlan 178
name VLAN SIG testbed
!
vlan 188
name VLAN_DIAMETER
!
vlan 1016
name Sig_PE3
!
vlan 1017
name Diameter_PE3
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
switchport access vlan 155
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 155
switchport mode access
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 170
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 170
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 188
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 188
switchport mode access
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
switchport mode access
!
interface GigabitEthernet0/16
switchport mode access
!
interface GigabitEthernet0/17
description to server1_ETH5
switchport access vlan 178
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description to server2_ETH5
switchport access vlan 178
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
description to PE_N
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1016,1017
switchport mode trunk
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan35
ip address 192.168.35.45 255.255.255.240
!
interface Vlan155
description To_LAN_CVR
ip address 10.16.60.87 255.255.255.0
!
interface Vlan178
description VLAN_SIG_testbed
ip address 10.15.104.1 255.255.255.240
!
interface Vlan188
description VLAN_DIAMETER_mqt
ip address 192.168.35.19 255.255.255.240
!
interface Vlan1016
description MPLS_Maquette
ip address 10.96.96.2 255.255.255.252
!
interface Vlan1017
description MPLS_DIAMETER_mqt
ip address 10.96.96.6 255.255.255.252
!
router ospf 12
network 10.15.104.0 0.0.0.15 area 0
network 10.96.96.0 0.0.0.3 area 0
network 10.96.96.4 0.0.0.3 area 0
network 192.168.35.16 0.0.0.15 area 0
network 192.168.35.32 0.0.0.15 area 0
!
ip default-gateway 192.168.35.33
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
!
end

 

Please note that my goal is to establish communication between my server in network "192.168.35.16/28" and hosts in networks (10.29.153.64/28 or 10.29.153.64/28) via VLAN 1017 toward gateway 10.96.96.5.

From my server I can ping hosts inside networks (10.29.153.64/28 or 10.29.153.64/28), but they cannot ping me.

 

BR,

Amadou

Hello,

Post a schematic drawing of your topology, including all devices, and indicate where the loop occurs. Also, post the full running configuration of the router...

Hello Georg,

I have posted a schema of my topology.

I provided the switch configuration before; please find it again.

Please note that I have visibility only on my switch and server; router PE_N and all devices after it are not under my responsibility.

My concern is to be able to reach the network 10.29.153.64/28 or 10.29.153.64/28 from the interface ETH2 of my server (VLAN 188).

The loop happens between my switch and the router PE_N.

 

 

#############CISCO 3560 conf ####################
###########new switch config DMC #####
SW_T#sh run
Building configuration...

Current configuration : 6105 bytes
!
! Last configuration change at 01:17:38 UTC Fri Oct 4 2013
! NVRAM config last updated at 01:17:40 UTC Fri Oct 4 2013
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SW_T
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
ip device tracking
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1620896128
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1620896128
revocation-check none
rsakeypair TP-self-signed-1620896128
!
!
crypto pki certificate chain TP-self-signed-1620896128
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 29
name VLAN_SIGTRAN_B
!
vlan 30
name VLAN_SIGTRAN_A
!
vlan 35
name VLAN_OAM
!
vlan 155
name LAN_CVR
!
vlan 170
name VLAN_SYNC_MYSQL
!
vlan 171
name VLAN_BEP-SQL
!
vlan 178
name VLAN SIG testbed
!
vlan 188
name VLAN_DIAMETER
!
vlan 1016
name Sig_PE3
!
vlan 1017
name Diameter_PE3
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
switchport access vlan 155
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 155
switchport mode access
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 35
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 170
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 170
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 188
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 188
switchport mode access
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
switchport mode access
!
interface GigabitEthernet0/16
switchport mode access
!
interface GigabitEthernet0/17
description to server1_ETH5
switchport access vlan 178
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description to server2_ETH5
switchport access vlan 178
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
description to PE_N
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1016,1017
switchport mode trunk
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan35
ip address 192.168.35.45 255.255.255.240
!
interface Vlan155
description To_LAN_CVR
ip address 10.16.60.87 255.255.255.0
!
interface Vlan178
description VLAN_SIG_testbed
ip address 10.15.104.1 255.255.255.240
!
interface Vlan188
description VLAN_DIAMETER_mqt
ip address 192.168.35.19 255.255.255.240
!
interface Vlan1016
description MPLS_Maquette
ip address 10.96.96.2 255.255.255.252
!
interface Vlan1017
description MPLS_DIAMETER_mqt
ip address 10.96.96.6 255.255.255.252
!
router ospf 12
network 10.15.104.0 0.0.0.15 area 0
network 10.96.96.0 0.0.0.3 area 0
network 10.96.96.4 0.0.0.3 area 0
network 192.168.35.16 0.0.0.15 area 0
network 192.168.35.32 0.0.0.15 area 0
!
ip default-gateway 192.168.35.33
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
!
line con 0
line vty 0 4
password 7 105D1E30253A1F1A1845
login
line vty 5 15
password 7 03174C2226222C5D5A48
login
!
!
!
!
end

 

Thanks.

Hello,

Thanks for the topology drawing. I am currently labbing this, will get back with you shortly...

Hello,

The configuration of your switch is fine, you don't need a second OSPF instance:

 

router ospf 12
network 10.15.104.0 0.0.0.15 area 0
network 10.96.96.0 0.0.0.3 area 0
network 10.96.96.4 0.0.0.3 area 0
network 192.168.35.16 0.0.0.15 area 0
network 192.168.35.32 0.0.0.15 area 0

 

The thing is: you don't know what the other side (the PE_N) router is allowing through; most likely the ISP is only allowing traffic from 192.168.35.32/28. Your best option is probably to check if the PE_N router is actually getting the OSPF route for that network, and if it is propagated across the MPLS core to the other side...
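
The claim that process 12 already covers the new SVIs can be checked offline. The following is an added example, not part of the original posts: it takes the SVI addresses and "network" statements from the configuration posted in this thread and applies IOS wildcard-mask matching to show which interfaces each statement enables OSPF on. The function names are assumptions of this example.

```python
import ipaddress
import re

# SVI addresses and OSPF statements copied from the configuration posted in this thread.
CONFIG = """\
interface Vlan35
 ip address 192.168.35.45 255.255.255.240
interface Vlan155
 ip address 10.16.60.87 255.255.255.0
interface Vlan178
 ip address 10.15.104.1 255.255.255.240
interface Vlan188
 ip address 192.168.35.19 255.255.255.240
interface Vlan1016
 ip address 10.96.96.2 255.255.255.252
interface Vlan1017
 ip address 10.96.96.6 255.255.255.252
router ospf 12
 network 10.15.104.0 0.0.0.15 area 0
 network 10.96.96.0 0.0.0.3 area 0
 network 10.96.96.4 0.0.0.3 area 0
 network 192.168.35.16 0.0.0.15 area 0
 network 192.168.35.32 0.0.0.15 area 0
"""


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def ospf_coverage(config):
    """Return {interface: (process_id, area) or None} for every addressed interface."""
    addresses, statements = {}, []
    iface = process = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface, process = m.group(1), None
        elif m := re.match(r"router ospf (\d+)", line):
            iface, process = None, int(m.group(1))
        elif iface and (m := re.match(r"\s*ip address (\S+) \S+", line)):
            addresses[iface] = m.group(1)
        elif process and (m := re.match(r"\s*network (\S+) (\S+) area (\S+)", line)):
            statements.append((process, *m.groups()))
    coverage = {}
    for name, addr in addresses.items():
        # The statements in this config do not overlap, so the first hit is the only hit.
        coverage[name] = next(((proc, area) for proc, base, wild, area in statements
                               if wildcard_match(addr, base, wild)), None)
    return coverage


if __name__ == "__main__":
    for name, hit in ospf_coverage(CONFIG).items():
        state = f"OSPF process {hit[0]}, area {hit[1]}" if hit else "not matched by any network statement"
        print(f"{name:9} {state}")
```

Vlan188 and Vlan1017 both fall under process 12, while Vlan155 is matched by no statement and is therefore not advertised.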

Hello Georg,

Thank you for the update.

Is there any recommendation I can provide to the other side? They wanted to separate the 2 VLANs 1016 and 1017, but from what I understand, if I cannot create a virtual interface, the only way will probably be to add another cable between my switch and the PE_N router (e.g. Gi1/3), then pass the traffic from VLAN 1017 through it and keep only VLAN 1016 on Gi1/2 with the OSPF config.

I will try to get more information in parallel from the owner of PE_N.

Thank you.

 

Hello,

First of all, you need to find out why the new network is not propagated. I am pretty sure it is being blocked somewhere by the ISP.

If your goal is to separate both VLANs (not allowing access to each other) you could simply create an access list on your layer 3 switch and apply it to the SVIs...
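
A sketch of the access list suggested above, as an added example that is not part of the original posts. The ACL name VLAN188_IN, its entries and the sample host addresses are assumptions built from the subnets posted in this thread; the Python around the ACL evaluates its entries with IOS first-match and implicit-deny semantics, so the effect of each line can be checked before it goes on the switch.

```python
import ipaddress

# Constructed ACL: the name and entries are assumptions of this example, built from
# the subnets posted in the thread. It stops hosts in VLAN 188 from reaching the
# VLAN 178 and VLAN 35 subnets and permits their other traffic. On the switch it
# would be bound with "ip access-group VLAN188_IN in" under "interface Vlan188".
ACL = """\
ip access-list extended VLAN188_IN
 deny ip 192.168.35.16 0.0.0.15 10.15.104.0 0.0.0.15
 deny ip 192.168.35.16 0.0.0.15 192.168.35.32 0.0.0.15
 permit ip 192.168.35.16 0.0.0.15 any
"""


def _spec(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') as (base, wildcard) ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries, keeping their configured order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            rest = tokens[2:]
            src = _spec(rest)
            dst = _spec(rest)
            entries.append((tokens[0], src, dst))
    return entries


def _hit(addr, spec):
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, src, dst):
    """First matching entry decides; a packet that matches nothing meets the implicit deny."""
    for action, src_spec, dst_spec in entries:
        if _hit(src, src_spec) and _hit(dst, dst_spec):
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL)
    # Constructed sample flows: (source host, destination host).
    for src, dst in [("192.168.35.20", "10.29.153.65"), ("192.168.35.20", "10.15.104.5"),
                     ("192.168.35.20", "192.168.35.40"), ("10.15.104.5", "10.29.153.65")]:
        print(f"{src:15} -> {dst:15} {evaluate(acl, src, dst)}")
```

An inbound ACL on Vlan188 filters only packets sent by VLAN 188 hosts; packets from the other VLANs toward 192.168.35.16/28 are still routed unless matching ACLs are applied on their SVIs.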

Hello Georg,

I've just seen your reply, thank you again.

As I am not a network expert :), could you please tell me how to create an access list to differentiate traffic?

My goal is to allow VLANs (178, 35) via VLAN 1016, with GW 10.96.96.2 on my side and 10.96.96.1 on the customer side.

And VLAN 188 will go through VLAN 1017, with GW 10.96.96.6 on my side and GW 10.96.96.5 on the customer side.

Should I keep the current OSPF config?

Thank you.

 

Hello,

Also, check if the server with the dual NIC itself is not the problem. If you disconnect the NIC with the 10.15.104.x address, does that change anything when it comes to reachability?

Hello,

From my point of view my server is not the problem, as I have connectivity established between network 10.15.104.0/28 and the network 10.29.105.0/28.

The bottleneck came when the customer asked me to establish connectivity between network 192.168.35.16/28 and (10.29.153.64/28 & 10.30.153.64/28).

Probably, as you mentioned before, we don't know how they are routing traffic from the PE_N.

They told me to segregate the traffic between VLAN 1016 and VLAN 1017, so is it better to plug another cable between their router and my switch and configure another instance ID for OSPF where we will pass VLAN 1017?

Thanks.
