A routing loop prevention scenario

Posted on 2006-11-15
Last Modified: 2012-06-27
Hi, we have got around this problem now, but I wanted to ask this question for future reference.

We have a cab in an ISP's co-lo and they have provided us with 2 ethernet cables from their core Internet network which we originally wanted to plug in to 2 Cisco Catalyst 3560 switches that we have in the cab.

The switches are clustered, and run an internal VLAN (default), and Vlans named "Internet 1" and "Internet 2". The default VLAN spanned the cluster whilst the two Internet Vlans were tied to one or other of the switches. This was to prevent a routing loop when plugging the feeds in to the switches.

Whilst the ISP agreed that this config would work, they basically told us that they wouldn't allow us to plug their core in to our switches because - potentially - we could reconfigure the port assignment and create a routing loop (which we wouldn't do but hey ho....i get their point).

So anyhow - what they suggested we do is basically issue the "no switchport" command on both of the ports used for the Internet subnet feeds (one on each of our switches) however I think I am right in saying that this would have basically rendered the port useless and we couldn't then switch the traffic to the other 3 ports on the same switch that were configured for the Internet 1 (or 2) Vlan.....I hope I'm not losing anyone.

So - basically - is there a way to make this work. I'm good with IP routing but no good with switching (yet) and so hence my question.

Oh - yeah - the underlying reason for needing this config was that we wanted to create a "no single point of failure" route in to a number of servers running off of the Switch Cluster (dual NICs that are teamed) and were using 2 2811 routers with HSRP and a 2 PIXs with failover to do this.

Thanks in advance.

Question by:prodriveit
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 17951297
You're right. Turning a switchport into a routed interface does not accomplish your goal of having 3 interfaces on each internet connection. Only a vlan interface will do this.

Unless you keep all of your redundancy at layer3, running BGP/OSPF or some other dynamic routing protocol between the ISP, your switches and PIX's.
With full L3 capability of the 3560, what it the function of the 2811 routers/HSRP?

Heres the guide to failover/backup routing on PIX V7.x /ASA

You  might be able to follow the logic in this thread where we're discussing vitrually the same thing


Author Comment

ID: 17954088
Hi - Thanks for the reply...

The 2811s are for VPNs to other sites, and we didn't really want them to go through the PIX as we wanted the PIX's doing one job and the 2811s doing another. The HSRP bit isn't really necessary to be honest as the VPNs are just using secondary peer config - bit of a red herring I suppose - sorry.

I'll take a look at the links - thanks very much for your help - don't know much about BGP but ok with OSPF.

The way we have worked round it is to just get the ISP to give us 2 more internet feeds and we are going to plug these in to the back of the PIXs and 2811s - but this may not always be an option.

Thanks again!

LVL 79

Expert Comment

ID: 18107907
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?

Author Comment

ID: 18472527
Sorry - forgot to close this one out - thanks for your help lrmoore. We did the job with the 2 additional feeds but the advice was much appreciated as always.


Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question