Solved

A routing loop prevention scenario

Posted on 2006-11-15
4
783 Views
Last Modified: 2012-06-27
Hi, we have got around this problem now, but I wanted to ask this question for future reference.

We have a cab in an ISP's co-lo and they have provided us with 2 ethernet cables from their core Internet network which we originally wanted to plug in to 2 Cisco Catalyst 3560 switches that we have in the cab.

The switches are clustered, and run an internal VLAN (default), and Vlans named "Internet 1" and "Internet 2". The default VLAN spanned the cluster whilst the two Internet Vlans were tied to one or other of the switches. This was to prevent a routing loop when plugging the feeds in to the switches.

Whilst the ISP agreed that this config would work, they basically told us that they wouldn't allow us to plug their core in to our switches because - potentially - we could reconfigure the port assignment and create a routing loop (which we wouldn't do but hey ho....i get their point).

So anyhow - what they suggested we do is basically issue the "no switchport" command on both of the ports used for the Internet subnet feeds (one on each of our switches) however I think I am right in saying that this would have basically rendered the port useless and we couldn't then switch the traffic to the other 3 ports on the same switch that were configured for the Internet 1 (or 2) Vlan.....I hope I'm not losing anyone.

So - basically - is there a way to make this work. I'm good with IP routing but no good with switching (yet) and so hence my question.

Oh - yeah - the underlying reason for needing this config was that we wanted to create a "no single point of failure" route in to a number of servers running off of the Switch Cluster (dual NICs that are teamed) and were using 2 2811 routers with HSRP and a 2 PIXs with failover to do this.

Thanks in advance.

DS
0
Comment
Question by:prodriveit
  • 2
  • 2
4 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17951297
You're right. Turning a switchport into a routed interface does not accomplish your goal of having 3 interfaces on each internet connection. Only a vlan interface will do this.

Unless you keep all of your redundancy at layer3, running BGP/OSPF or some other dynamic routing protocol between the ISP, your switches and PIX's.
With full L3 capability of the 3560, what it the function of the 2811 routers/HSRP?

Heres the guide to failover/backup routing on PIX V7.x /ASA
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

You  might be able to follow the logic in this thread where we're discussing vitrually the same thing
http://www.experts-exchange.com/Security/Firewalls/Q_22059936.html


0
 
LVL 2

Author Comment

by:prodriveit
ID: 17954088
Hi - Thanks for the reply...

The 2811s are for VPNs to other sites, and we didn't really want them to go through the PIX as we wanted the PIX's doing one job and the 2811s doing another. The HSRP bit isn't really necessary to be honest as the VPNs are just using secondary peer config - bit of a red herring I suppose - sorry.

I'll take a look at the links - thanks very much for your help - don't know much about BGP but ok with OSPF.

The way we have worked round it is to just get the ISP to give us 2 more internet feeds and we are going to plug these in to the back of the PIXs and 2811s - but this may not always be an option.

Thanks again!

DS
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18107907
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?
Thanks!
0
 
LVL 2

Author Comment

by:prodriveit
ID: 18472527
Sorry - forgot to close this one out - thanks for your help lrmoore. We did the job with the 2 additional feeds but the advice was much appreciated as always.

DS
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now