ddcSupport asked:

Need help deploying metro ethernet VLANs

What I am trying to achieve is bring Metro Ethernet with VLANs into an existing setup that has no VLANs. I will be deploying some number of Cisco 3550-12Ts to accomplish this (open to other suggestions, but the price point is pretty nice). Here's what I have...

Site A: 7507 with Internet connection and servers on Ethernet to 7507 in Site B.
Site B: 7507 with Internet connection #2 and DS-3 Hubs for client access.

I have to build this, and get it back to Site B and off to the Internet as required.
Site C: 3550-12T with Metro interface with multiple remote sites (VLANs assigned by carrier).

I followed the CityOfKerrville threads, and I think I need to do this on the 3550 in Site C.

VLAN(MGMT)
Not VLAN1, create VLANXX, assign range large enough for all devices to be managed

AGGREGATION - TRUNK, VLAN, ??I get lost here...
Single Ethernet interface from the provider. I've asked if the Metro links are Trunk or Access. No answer yet. The remote (CPE) device is a Hatteras box (HN400-CP, I think), and the provider is assigning a VLAN to each location. I want to then segment traffic (with a VLAN?) for the Customer Premise. We plan to do several of these Metro links. The backhaul to Site B will be on this same interface with a provider assigned VLAN.

Also, do I need, or should I use another 3550 at Site B, or can my trusty old 7507 drive/handle all of this? The routers at Sites A and B are eBGP for Internet and EIGRP for client routes.

Thanks in advance. Robert
ASKER CERTIFIED SOLUTION
Don Johnston
The SiteC 3550 MetroE connection will need to be configured as a dot1q trunk. The specific VLAN IDs will come from your ISP.

How you get it to SiteB depends on whether you plan to route the traffic at SiteC or extend (trunk) the VLANS all the way to SiteB.

What type of connection is SiteB---SiteC?
ASKER

The MetroE link at SiteC is an Aggregation link, all the remote sites are delivered to a single port. So are you suggesting dot1q on the SiteC 3550 as in

Interface F0/1.1
Description 1stLocation
encaps dot1q 1stAssignedVLANID
ip address 172.16.100.1 255.255.255.0

Interface F0/1.2
Description 2ndLocation
encaps dot1q 2ndAssignedVLANID
ip address 172.16.101.1 255.255.255.0

I will need to send all the SiteC traffic to SiteB. The link is another Ethernet connection delivered on the Aggregation link with an assigned VLAN.

On the router at SiteB

interface Loopback0
ip address x.x.x.x x.x.x.x (currently for BGP and management)

interface FastEthernet0/0/0
ip address x.x.x.x x.x.x.x (core address space)

How do I get the VLAN traffic from SiteC onto this router? Would it be easier to add another FE to the VIP? I wouldn't mind upgrading the core to use a 3550 with VLANs, but of course NOTHING can go down. It's got to be right before it gets deployed.
>The MetroE link at SiteC is an Aggregation link, all the remote sites are delivered to a single port.

Is each site going to be tagged as a different VLAN?

If so, then your proposed config looks good. You will need to identify a native VLAN though.

>How do I get the VLAN traffic from SiteC onto this router?

Once again, it depends on whether the provider is offering you 802.1q frames or plain ethernet frames. Until we know that, we're just running around in circles. :-)
Thanks. I'm calling them now. Will be back as soon as I know.
You don't need to use sub-interfaces:

interface vlan 1
  ip address 10.1.1.1 255.255.255.0
interface vlan 2
  ip address 10.2.2.1 255.255.255.0
interface vlan 3
  ip address 10.3.3.1 255.255.255.0
interface fe 0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no ip address
  switchport trunk native vlan 2                  <---- sets native vlan (by default vlan1)
Okay. If anyone's interested, the guys at Alpheus are top notch. Here's another go after talking to them.

Houston-Travis - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.4 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.88.4 255.255.255.0   <-- IP Range of San Antonio core

Interface VLAN 311
  Description HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.1 255.255.255.0  <-- IP Range for Customer Site

interface GigE0/1
 Description HoTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,310,311

San Antonio-Navarro - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.6 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.88.6 255.255.255.0   <-- IP Range of San Antonio core

interface GigE0/1
 Description SaTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,310,311

interface GigE0/2
 Description to Core-1 Router
 no switchport
 ip address 192.168.88.?? 255.255.255.0    <--Config lifted from Cisco's InterVLAN routing guide

interface GigE0/3
  Description to Taylor/Servers/Core-2
  switchport mode access
  switchport access vlan 310
  no ip address

Additional items.
1. GigE0/2 and GigE0/3 both connect to Internet routers. GigE0/3 has an intermediate switch without VLAN configs and the router and servers are attached to it. I'm not sure how to route traffic to Core-1/Core-2 and I am interested in performance issues we might face with this config. Any reason to (or not to) put EIGRP on the 3550s to do this?

2. Customers at HoTX-Weslayan should be segmented by VLANs. The AI from Weslayan supports Q-in-Q, so can I add a VLAN device there and configure the 3550 as follows

Interface VLAN 409
  Description to Starcap - HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.9 255.255.255.252  <-- IP Range for Starcap

Interface VLAN 413
  Description to Selected - HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.13 255.255.255.252  <-- IP Range for Selected

I would then add the VLANs to GigE0/1.
switchport trunk allowed vlan 10,310,311,409,413

If I can do this, should I change the HoTX-Weslayan VLAN 311 ip address to a 252 WAN link? Any thoughts on the CP device to do this. Any ol' Linksys will do?
3. Is the VLAN Database a "better way" to do this?
4. Can the 'switchport trunk allowed vlan' be changed to ALL? I assume there are security considerations, are there performance issues? Adding to the list every time we install one ...

Thanks. Robert
VLAN 311 will need access all the way through. Does it need to be defined on the other 3550? Also, don't I rule out VTP by using extended VLANs like 1311 (I used 3110 in the config below)? Otherwise, the config evolves into something like this?

Houston-Travis - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.4 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.69.2 255.255.255.252   <-- WAN Subnet

Interface VLAN 311
  Description HoTX-Weslayan Ckt-ID:
  ip address 192.168.69.5 255.255.255.252  <-- WAN Subnet

interface GigE0/1
 Description HoTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL

router eigrp 100
  network 192.168.49.xx
  network 192.168.69.xx
  network 192.168.116.xx
  and so on...

ip route 192.168.49.0 255.255.255.0 (IP or Interface?)

Houston-Weslayan - (some VLAN switch connected to Hatteras CPE)
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.5 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 311
  Description HoTX EII Ckt-ID:
  ip address 192.168.69.6 255.255.255.252  <-- WAN Subnet

Interface VLAN 3110
  Description Starcap @ HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.5 255.255.255.252  <-- Cust Subnet

Interface VLAN 3111
  Description Selected @ HoTX-Weslayan Ckt-ID:
  ip address 192.168.49.9 255.255.255.252  <-- Cust Subnet

Interface F0/0
 Description to HoTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL

Interface F0/1
  Description to Starcap
  switchport mode access
  switchport access vlan 3110

Interface F0/2
  Description to Selected
  switchport mode access
  switchport access vlan 3111

?How to set the default gateway or route on a non-L3 switch?
?Which switch to use for CPE?

San Antonio-Navarro - 3550-12T
-------------------------
Interface VLAN 10
  Description Management VLAN
  ip address 192.168.116.6 255.255.255.0 <-- IP Range of Management/SNMP

Interface VLAN 11
  Description Core VLAN
  ip address 192.168.88.4 255.255.254.0

Interface VLAN 310
  Description HoTX-SaTX Ckt-ID:
  ip address 192.168.69.1 255.255.255.252   <-- WAN Subnet

interface GigE0/1
 Description SaTX EII Ckt-ID:
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL

interface GigE0/2
 Description to Core-1 Router (@192.168.88.1)
  switchport mode access
  switchport access vlan 11

interface GigE0/3
  Description to Core-2 Router (@192.168.88.3)
  switchport mode access
  switchport access vlan 11
  no ip address

router eigrp 100
  network 192.168.69.xx
  network 192.168.88.xx
  network 192.168.116.xx
  and so on...

Am I on the right track?

Thanks. Robert
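
Question 4 above asks about 'switchport trunk allowed vlan ALL', and the drafts make VLAN 10 both the management VLAN and the trunk native VLAN while using VLAN IDs above 1005. The Python check below is an added example, not part of the original thread; the sample config is constructed from the Houston-Weslayan draft, and the function names and finding texts are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the Houston-Weslayan draft (full IOS names).
SAMPLE = """\
interface Vlan10
 ip address 192.168.116.5 255.255.255.0
interface Vlan3110
 ip address 192.168.49.5 255.255.255.252
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan ALL
"""

def parse(config):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip().lower())
        else:
            current = None  # blank line or a non-interface section
    return blocks

def audit(config):
    """Return (interface, finding) tuples for trunk and VLAN-range issues."""
    blocks, findings = parse(config), []
    svis = {int(m.group(1)) for name, cmds in blocks.items()
            if (m := re.fullmatch(r"vlan\s*(\d+)", name, re.I))
            and any(c.startswith("ip address") for c in cmds)}
    for name, cmds in blocks.items():
        m = re.fullmatch(r"vlan\s*(\d+)", name, re.I)
        if m and int(m.group(1)) > 1005:
            findings.append((name, "extended-range VLAN: VTP v1/v2 must be transparent"))
        if "switchport mode trunk" not in cmds:
            continue
        allowed = [c.split()[-1] for c in cmds if c.startswith("switchport trunk allowed vlan")]
        if not allowed or allowed[-1] == "all":
            findings.append((name, "trunk carries every VLAN: list allowed VLANs explicitly"))
        native = [int(c.split()[-1]) for c in cmds if c.startswith("switchport trunk native vlan")]
        native_id = native[-1] if native else 1  # IOS default native VLAN is 1
        if native_id in svis:
            findings.append((name, f"native VLAN {native_id} has an SVI: untagged frames reach it"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An explicit allowed list plus a native VLAN that has no SVI clears both trunk findings; the extended-range finding remains as a reminder for the VTP question raised above.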
On the Houston-Travis switch-
  You shouldn't need "ip route 192.168.49.0 255.255.255.0" because EIGRP will take care of it.
  In fact, the only ip route statement you should need on any of the switches is the GW

On the Houston-Weslayan switch-
  Shouldn't VLAN 3110 & 3111 subnet masks be 255.255.255.0 ?
  Unless there is another Layer3 device the customers connect through ?

Does all internet traffic on the network go through Core-1 or Core-2 ?

The next thing to do is to set default gateways so internet traffic flows correctly.

 
If 192.168.49.0 is on the customer prem (e.g. not connected), and the customer prem doesn't speak EIGRP then there's no way to know the route without a static. What I put at the customer premise is a related question. I don't want to put another 3550 out there. The customers should all have firewalls and NAT devices in place.

Internet traffic flows through both Core-1 and Core-2. They each run BGP with multiple carriers.

I would be interested in what you were thinking about "the redesign" of the core segment you mentioned earlier, but I don't want the scope of this to "creep" away from the main topic.
Are the customers going to be connected by copper, fiber? Ethernet connection?
If you're just handing them ethernet, then I'd use a small manageable Layer2 switch.
It's a copper handoff from the Hatteras unit. That still leaves the question of how to deal with customer routes. I would like some more peer review of this config, also. It's critical that it works the first time out. I foresee enough structural changes that a roll-back in the face of failure would exhaust all of our maintenance windows. Thanks. Robert
The answer was in part no VLAN def was required on the customer prem (remote) - no switchport with EIGRP is propagating customer routes. The Metro VLANs had to be defined on the aggregation points.