Solved

Need help deploying metro ethernet VLANs

Posted on 2008-10-16
944 Views
Last Modified: 2011-10-19
What I am trying to achieve is bring Metro Ethernet with VLANs into an existing setup that has no VLANs. I will be deploying some number of Cisco 3550-12Ts to accomplish this (open to other suggestions, but the price point is pretty nice). Here's what I have...

Site A: 7507 with Internet connection and servers on Ethernet to 7507 in Site B.
Site B: 7507 with Internet connection #2 and DS-3 Hubs for client access.

I have to build this, and get it back to Site B and off to the Internet as required.
Site C: 3550-12T with Metro interface with multiple remote sites (VLANs assigned by carrier).

I followed the CityOfKerrville threads, and I think I need to do this on the 3550 in Site C.

VLAN(MGMT)
Not VLAN1, create VLANXX, assign range large enough for all devices to be managed

AGGREGATION - TRUNK, VLAN, ??I get lost here...
Single Ethernet interface from the provider. I've asked if the Metro links are Trunk or Access. No answer yet. The remote (CPE) device is a Hatteras box (HN400-CP, I think), and the provider is assigning a VLAN to each location. I want to then segment traffic (with a VLAN?) for the Customer Premise. We plan to do several of these Metro links. The backhaul to Site B will be on this same interface with a provider assigned VLAN.

Also, do I need, or should I use another 3550 at Site B, or can my trusty old 7507 drive/handle all of this? The routers at Sites A and B are eBGP for Internet and EIGRP for client routes.

Thanks in advance. Robert
Question by:ddcSupport
14 Comments

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 22740106
I wouldn't extend the broadcast domain (network) across the metroE link. Just route the traffic. Treat it like another ethernet network.

So on the 3550:

int f0/1
 description Metro Ethernet Link
 no switchport
 ip address 192.168.1.1 255.255.255.248
 no shut

Then with the remaining interfaces, create VLANs as required and VLAN interfaces to go with them.

Then on your other sites, connect the metroE link to an interface on the 7507 and assign an IP address of 192.168.1.(2-6) 255.255.255.248

Expert Comment

by:kdearing
ID: 22740390
The SiteC 3550 MetroE connection will need to be configured as a dot1q trunk. The specific VLAN IDs will come from your ISP.

How you get it to SiteB depends on whether you plan to route the traffic at SiteC or extend (trunk) the VLANS all the way to SiteB.

What type of connection is SiteB---SiteC?

Author Comment

by:ddcSupport
ID: 22741054
The MetroE link at SiteC is an Aggregation link, all the remote sites are delivered to a single port. So are you suggesting dot1q on the SiteC 3550 as in

interface F0/1.1
 description 1stLocation
 encapsulation dot1q <1stAssignedVLANID>
 ip address 172.16.100.1 255.255.255.0

interface F0/1.2
 description 2ndLocation
 encapsulation dot1q <2ndAssignedVLANID>
 ip address 172.16.101.1 255.255.255.0

I will need to send all the SiteC traffic to SiteB. The link is another Ethernet connection delivered on the Aggregation link with an assigned VLAN.

On the router at SiteB

interface Loopback0
ip address x.x.x.x x.x.x.x (currently for BGP and management)

interface FastEthernet0/0/0
ip address x.x.x.x x.x.x.x (core address space)

How do I get the VLAN traffic from SiteC onto this router? Would it be easier to add another FE to the VIP? I wouldn't mind upgrading the core to use a 3550 with VLANs, but of course NOTHING can go down. It's got to be right before it gets deployed.

Expert Comment

by:Don Johnston
ID: 22741732
>The MetroE link at SiteC is an Aggregation link, all the remote sites are delivered to a single port.

Is each site going to be tagged as a different VLAN?

If so, then your proposed config looks good. You will need to identify a native VLAN though.

>How do I get the VLAN traffic from SiteC onto this router?

Once again, it depends on whether the provider is offering you 802.1q frames or plain ethernet frames. Until we know that, we're just running around in circles. :-)

Author Comment

by:ddcSupport
ID: 22741812
Thanks. I'm calling them now. Will be back as soon as I know.

Expert Comment

by:kdearing
ID: 22742637
You don't need to use sub-interfaces:

interface vlan 1
  ip address 10.1.1.1 255.255.255.0
interface vlan 2
  ip address 10.2.2.1 255.255.255.0
interface vlan 3
  ip address 10.3.3.1 255.255.255.0
interface FastEthernet0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no ip address
  switchport trunk native vlan 2                  <---- sets native vlan (by default vlan1)

Author Comment

by:ddcSupport
ID: 22745649
Okay. If anyone's interested, the guys at Alpheus are top notch. Here's another go after talking to them.

Houston-Travis - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.4 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.88.4 255.255.255.0   <-- IP Range of San Antonio core

Interface VLAN 311
  Description HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.1 255.255.255.0  <-- IP Range for Customer Site

interface GigabitEthernet0/1
 Description HoTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,310,311

San Antonio-Navarro - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.6 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.88.6 255.255.255.0   <-- IP Range of San Antonio core

interface GigabitEthernet0/1
 Description SaTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,310,311

interface GigabitEthernet0/2
 Description to Core-1 Router
 no switchport
 ip address 192.168.88.?? 255.255.255.0    <--Config lifted from Cisco's InterVLAN routing guide

interface GigabitEthernet0/3
  Description to Taylor/Servers/Core-2
  switchport mode access
  switchport access vlan 310
  no ip address

Additional items.
1. GigE0/2 and GigE0/3 both connect to Internet routers. GigE0/3 has an intermediate switch without VLAN configs and the router and servers are attached to it. I'm not sure how to route traffic to Core-1/Core-2 and I am interested in performance issues we might face with this config. Any reason to (or not to) put EIGRP on the 3550s to do this?

2. Customers at HoTX-Weslayan should be segmented by VLANs. The AI from Weslayan supports Q-in-Q, so can I add a VLAN device there and configure the 3550 as follows

Interface VLAN 409
  Description to Starcap - HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.9 255.255.255.252  <-- IP Range for Starcap

Interface VLAN 413
  Description to Selected - HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.13 255.255.255.252  <-- IP Range for Selected

I would then add the VLANs to GigE0/1.
switchport trunk allowed vlan 10,310,311,409,413

If I can do this, should I change the HoTX-Weslayan VLAN 311 ip address to a 252 WAN link? Any thoughts on the CP device to do this. Any ol' Linksys will do?
3. Is the VLAN Database a "better way" to do this?
4. Can the 'switchport trunk allowed vlan' be changed to ALL? I assume there are security considerations, are there performance issues? Adding to the list every time we install one ...

Thanks. Robert

Assisted Solution

by:kdearing
kdearing earned 250 total points
ID: 22746302
OK, a couple of things...

From a design perspective, I would make each inter-site link its own subnet with a .252 mask, except for possibly the management VLAN.
Extending the users' VLANs across the links will add unnecessary traffic (mostly broadcasts).
See attached diagram for my recommendations.

The SA switch port GE0/2-
1. The no switchport command makes it a Layer3 interface, not a member of any VLAN. Therefore, its IP address cannot be on the same subnet as VLAN310.
2. VLAN 311 does not need to be 'allowed' on the trunk port. That VLAN doesn't exist at that site.

Your questions-
1. I would attach both routers directly to the 3550 and load-balance them. This would involve a re-design of that network segment. As far as EIGRP; as long as all your equipment is Cisco, then definitely.
2. I wouldn't mess with Q-in-Q. Create as many VLANs as you need for user access and let the 3550 do the inter-VLAN routing.
3. I assume you are talking about VTP. I don't have enough experience with that feature to give you advice.
4. Yes. FYI, 'all' is the default.

This is one of the best questions I've commented on for a while. I really enjoy this type of design problem.

EE---Need-help-deploying-metro-e.pdf
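The two consistency problems kdearing points out above (a routed `no switchport` port addressed inside an SVI's subnet, and a VLAN allowed on the trunk that does not exist at that site) are the kind of thing worth checking mechanically before a change window, given that nothing can go down. The Python audit below is an added example, not code from anyone in this thread. Its sample config is constructed from the San Antonio-Navarro stanzas posted above, rewritten with IOS interface names, with the `??` host octet assumed as `.10`. Beyond kdearing's two points it also flags a trunk left at the IOS default of allowing all VLANs, and a native VLAN that coincides with the management SVI; the latter is a general best practice rather than a point from this thread (untagged frames arriving on the trunk land in whatever VLAN is native, so that VLAN is best left unused).

```python
"""Audit Cisco IOS switch stanzas for trunk / SVI / routed-port consistency.
Added example; the config text is constructed from the thread, not a live device."""
import ipaddress
import re

# Constructed from the San Antonio-Navarro post above (assumption: Gi0/2 host octet .10).
SAMPLE_CONFIG = """
interface Vlan10
 description Management VLAN
 ip address 192.168.116.6 255.255.255.0
interface Vlan310
 description HoTX-SaTX Ckt-ID
 ip address 192.168.88.6 255.255.255.0
interface GigabitEthernet0/1
 description SaTX EII Ckt-ID
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,310,311
interface GigabitEthernet0/2
 description to Core-1 Router
 no switchport
 ip address 192.168.88.10 255.255.255.0
interface GigabitEthernet0/3
 description to Taylor/Servers/Core-2
 switchport mode access
 switchport access vlan 310
 no ip address
"""


def parse_interfaces(text):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def ip_of(lines):
    """First 'ip address A M' in a stanza as an ip_interface, or None."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def expand_vlan_list(spec):
    """'10,310-312' -> {10, 310, 311, 312}; 'all' -> None (every VLAN)."""
    if spec.lower() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(text):
    ifaces = parse_interfaces(text)
    svi, local_vlans, mgmt_vlan, findings = {}, set(), None, []
    # Pass 1: which VLANs exist here (SVIs and access ports), which one is management.
    for name, lines in ifaces.items():
        m = re.match(r"vlan\s*(\d+)$", name, re.I)
        if m:
            vid = int(m.group(1))
            local_vlans.add(vid)
            addr = ip_of(lines)
            if addr is not None:
                svi[vid] = addr
            if any("management" in l.lower() for l in lines):
                mgmt_vlan = vid
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                local_vlans.add(int(m.group(1)))
    # Pass 2: routed ports and trunks.
    for name, lines in ifaces.items():
        if "no switchport" in lines:
            addr = ip_of(lines)
            for vid, svi_addr in sorted(svi.items()):
                if addr is not None and addr.network.overlaps(svi_addr.network):
                    findings.append(f"{name}: routed subnet {addr.network} overlaps the Vlan{vid} SVI subnet")
        if "switchport mode trunk" not in lines:
            continue
        native = allowed = None          # no 'allowed vlan' line means IOS default: all
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
            if m:
                allowed = expand_vlan_list(m.group(1))
        if allowed is None:
            findings.append(f"{name}: trunk allows all VLANs (the IOS default); prune to the VLANs in use")
        else:
            for vid in sorted(allowed - local_vlans):
                findings.append(f"{name}: VLAN {vid} allowed on trunk but not defined at this site")
        if native is not None and native == mgmt_vlan:
            findings.append(f"{name}: native VLAN {native} is the management VLAN; untagged trunk frames land in management")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config it reports three findings: VLAN 311 allowed but absent at San Antonio, the native/management VLAN coincidence on the trunk, and GigabitEthernet0/2's routed /24 overlapping the VLAN 310 SVI. Feeding it the Houston-Travis stanzas instead (or a `show running-config` saved to a file) works the same way, since only the interface stanzas are parsed.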

Author Comment

by:ddcSupport
ID: 22746713
VLAN 311 will need access all the way through. Does it need to be defined on the other 3550? Also don't I rule out VTP by using extended VLANs like 1311 (I used 3110 in the config below). Otherwise, the config evolves into something like this?

Houston-Travis - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.4 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.69.2 255.255.255.252   <-- WAN Subnet

Interface VLAN 311
  Description HoTX-Weslayan Ckt-ID:
  ip address 192.168.69.5 255.255.255.252  <-- WAN Subnet

interface GigabitEthernet0/1
 Description HoTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL

router eigrp 100
  network 192.168.49.xx
  network 192.168.69.xx
  network 192.168.116.xx
  and so on...

ip route 192.168.49.0 255.255.255.0 (IP or Interface?)

Houston-Weslayan - (some VLAN switch connected to Hatteras CPE)
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.5 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 311
  Description HoTX EII Ckt-ID:
  ip address 192.168.69.6 255.255.255.252  <-- WAN Subnet

Interface VLAN 3110
  Description Starcap @ HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.5 255.255.255.252  <-- Cust Subnet

Interface VLAN 3111
  Description Selected @ HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.9 255.255.255.252  <-- Cust Subnet

Interface F0/0
 Description to HoTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL

Interface F0/1
  Description to Starcap
  switchport mode access
  switchport access vlan 3110

Interface F0/2
  Description to Selected
  switchport mode access
  switchport access vlan 3111

?How to set the default gateway or route on a non-L3 switch?
?Which switch to use for CPE?

San Antonio-Navarro - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.6 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 11
  Description Core VLAN
  ip address 192.168.88.4 255.255.254.0

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.69.1 255.255.255.252   <-- WAN Subnet

interface GigabitEthernet0/1
 Description SaTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL

interface GigabitEthernet0/2
 Description to Core-1 Router (@192.168.88.1)
  switchport mode access
  switchport access vlan 11

interface GigabitEthernet0/3
  Description to Core-2 Router (@192.168.88.3)
  switchport mode access
  switchport access vlan 11
  no ip address

router eigrp 100
  network 192.168.69.xx
  network 192.168.88.xx
  network 192.168.116.xx
  and so on...

Am I on the right track?

Thanks. Robert

Expert Comment

by:kdearing
ID: 22746984
On the Houston-Travis switch-
  You shouldn't need "ip route 192.168.49.0 255.255.255.0" because EIGRP will take care of it.
  In fact, the only ip route statement you should need on any of the switches is the GW

On the Houston-Weslayan switch-
  Shouldn't VLAN 3110 & 3111 subnet masks be 255.255.255.0 ?
  Unless there is another Layer3 device the customers connect through ?

Does all internet traffic on the network go through Core-1 or Core-2 ?

The next thing to do is to set default gateways so internet traffic flows correctly.

Author Comment

by:ddcSupport
ID: 22747160
If 192.168.49.0 is on the customer prem (e.g. not connected), and the customer prem doesn't speak EIGRP then there's no way to know the route without a static. What I put at the customer premise is a related question. I don't want to put another 3550 out there. The customers should all have firewalls and NAT devices in place.

Internet traffic flows through both Core-1 and Core-2. They each run BGP with multiple carriers.

I would be interested in what you were thinking about "the redesign" of the core segment you mentioned earlier, but I don't want the scope of this to "creep" away from the main topic.
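The disagreement in the last two posts, whether EIGRP "takes care of" 192.168.49.0/24 or a static is still needed, turns on what an IOS `network` statement actually does: it enables EIGRP on the interfaces whose address falls inside it and advertises those interfaces' connected prefixes; it does not originate a route for a prefix that is not connected to the router. The Python below is an added example, not code posted by anyone in the thread. It models the Houston-Travis addressing from ddcSupport's config above, assuming the `xx` placeholders are the classful network statements IOS would store and that 192.168.69.6 is the Weslayan end of the VLAN 311 /30. It lists the interfaces EIGRP would run on, the `network` statements that match nothing, and the static that is still required, answering the "IP or Interface?" question with a next-hop address.

```python
"""Which interfaces an IOS 'router eigrp' stanza really runs on, and which
prefixes still need a static. Added example modelling the Houston-Travis switch."""
import ipaddress

# Constructed from the Houston-Travis post above. Assumptions: 'xx' placeholders
# are classful network statements; 192.168.69.6 is the Weslayan end of VLAN 311.
INTERFACES = {
    "Vlan10":  "192.168.116.4/255.255.255.0",    # management
    "Vlan310": "192.168.69.2/255.255.255.252",   # WAN /30 to San Antonio
    "Vlan311": "192.168.69.5/255.255.255.252",   # WAN /30 to Weslayan
}
EIGRP_NETWORKS = [                # (address, wildcard) ; None = no wildcard given
    ("192.168.49.0", None),
    ("192.168.69.0", None),
    ("192.168.116.0", None),
]
# Customer prefix behind the Weslayan CPE, which does not speak EIGRP.
REMOTE_PREFIXES = {"192.168.49.0/24": "192.168.69.6"}


def network_matches(statement, wildcard, addr):
    """IOS 'network A W' semantics: EIGRP is enabled on an interface whose address
    agrees with A in every bit where wildcard W is 0. With no wildcard, IOS applies
    the classful mask (/8, /16 or /24) of A."""
    a = int(ipaddress.IPv4Address(statement))
    if wildcard is None:
        first_octet = a >> 24
        bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    else:
        mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(addr.ip) & mask) == (a & mask)


def eigrp_interfaces(interfaces, networks):
    """{interface: connected prefix it advertises} for interfaces EIGRP runs on."""
    enabled = {}
    for name, cidr in interfaces.items():
        addr = ipaddress.ip_interface(cidr)
        if any(network_matches(s, w, addr) for s, w in networks):
            enabled[name] = str(addr.network)
    return enabled


def unused_network_statements(interfaces, networks):
    """A network statement that matches no interface enables nothing and
    originates no route: it is a no-op, not a way to announce a prefix."""
    addrs = [ipaddress.ip_interface(c) for c in interfaces.values()]
    return [s for s, w in networks
            if not any(network_matches(s, w, a) for a in addrs)]


def required_statics(interfaces, networks, remote):
    """Prefixes neither connected nor EIGRP-learned need a static route. Point it
    at a next-hop IP rather than an exit interface: on Ethernet an interface-only
    static makes the router ARP for every destination host in the prefix.
    Returns (ip route line, whether the next hop is on a connected subnet)."""
    advertised = set(eigrp_interfaces(interfaces, networks).values())
    connected = [ipaddress.ip_interface(c).network for c in interfaces.values()]
    statics = []
    for prefix, nexthop in remote.items():
        if prefix in advertised:
            continue
        net = ipaddress.ip_network(prefix)
        on_link = any(ipaddress.ip_address(nexthop) in n for n in connected)
        statics.append((f"ip route {net.network_address} {net.netmask} {nexthop}", on_link))
    return statics


if __name__ == "__main__":
    print(eigrp_interfaces(INTERFACES, EIGRP_NETWORKS))
    print(unused_network_statements(INTERFACES, EIGRP_NETWORKS))
    print(required_statics(INTERFACES, EIGRP_NETWORKS, REMOTE_PREFIXES))
```

For the modelled switch, `network 192.168.49.0` matches no interface once VLAN 311 has become a /30 WAN link, so the customer /24 only appears in the table through `ip route 192.168.49.0 255.255.255.0 192.168.69.6`; for the other sites to learn it, that static then has to be redistributed into EIGRP (`redistribute static` under `router eigrp 100`) rather than relying on the `network` statement.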

Expert Comment

by:kdearing
ID: 22747220
Are the customers going to be connected by copper, fiber? Ethernet connection?
If you're just handing them ethernet, then I'd use a small manageable Layer2 switch.

Author Comment

by:ddcSupport
ID: 22749603
It's a copper handoff from the Hatteras unit. That still leaves the question of how to deal with customer routes. I would like some more peer review of this config, also. It's critical that it works the first time out. I foresee enough structural changes that a roll-back in the face of failure would exhaust all of our maintenance windows. Thanks. Robert

Author Closing Comment

by:ddcSupport
ID: 31507044
The answer was in part no VLAN def was required on the customer prem (remote) - no switchport with EIGRP is propagating customer routes. The Metro VLANs had to be defined on the aggregation points.