Solved

Routing Between Sites

Posted on 2011-09-30
Last Modified: 2012-12-23
My company has a 20Mbit P2P fiber connection with Time Warner between our two main offices.  I've been having a lot of issues with connectivity which I cannot explain, and TW has tested the link and said nothing is wrong on their end.

Site A - VLAN 10
   Cisco 3560 Handling VTP and IP Routing
   Several 2960's
   Two domain controllers

Site B - VLAN 20
   Cisco 3560 Handling IP Routing
   Several 2960's
   Two domain controllers

Sites are connected via a Trunk.

I'm having issues with several different things which I believe are all related, so let's start with a simple one.  From Site A, when I attempt to connect to an SSL website at Site B, I receive the initial warning about the certificate; if I continue on, nothing else is displayed.

There are no firewalls involved.  Below are the configurations of the switches as well as a Wireshark capture of an attempt to access the website.  You'll need to rename the Wireshark log to .PCAP.

Ideas?
WireShark-Log---HTTPS-Attempt-19.txt
Question by: Railroad

Author Comment

by:Railroad
ID: 36891721
Site A, 3560 Configuration
SITE A (3560)
-------------
Building configuration...

Current configuration : 4312 bytes
!
! Last configuration change at 14:02:10 EDT Tue Jun 14 2011 by asmith
! NVRAM config last updated at 10:13:09 EDT Tue Jun 14 2011 by asmith
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SITEA-4POST-01
!
enable password 7 *
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name *
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description SERVER: DC-01
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description SERVER: DC-01
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description SERVER: DC-02
 switchport access vlan 10
!
interface GigabitEthernet0/4
 description SERVER: DC-02
 switchport access vlan 10
!
interface GigabitEthernet0/5
 description SERVER: ESX
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet0/6
 description SERVER: ESX
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet0/7
 switchport access vlan 20
!
interface GigabitEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet0/9
 description DRAC:
 switchport access vlan 10
!
interface GigabitEthernet0/10
 description DRAC:
 switchport access vlan 10
!
interface GigabitEthernet0/11
 description DRAC:
 switchport access vlan 10
!
interface GigabitEthernet0/12
 description DRAC:
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/13
 description UPLINK: 2POST-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/14
 description UPLINK: 2POST-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/15
 description UPLINK: 2POST-02
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/16
 description UPLINK: 2POST-02
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/17
 description UPLINK: 2POST-03
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/18
 description UPLINK: 2POST-03
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/19
 description UPLINk: 2POST-04
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/20
 description UPLINk: 2POST-04
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet0/21
 description DELL KVM
 switchport access vlan 10
!
interface GigabitEthernet0/22
 description APC UPS
 switchport access vlan 10
!
interface GigabitEthernet0/23
 description UPLINK: SITE B
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/24
 description UPLINK: INTERNET
 switchport access vlan 10
!
interface GigabitEthernet0/25
 switchport access vlan 10
!
interface GigabitEthernet0/26
 switchport access vlan 10
!
interface GigabitEthernet0/27
 switchport access vlan 10
!
interface GigabitEthernet0/28
 switchport access vlan 10
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description SITE A
 ip address 192.168.10.80 255.255.254.0
!
interface Vlan20
 description SITE B
 ip address 192.168.20.5 255.255.254.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 *
 login local
 length 0
line vty 5 15
 password 7 *
 login local
 length 0
!
ntp clock-period 36028975
ntp server 192.168.10.20
end


Author Comment

by:Railroad
ID: 36891728
Site B 2960 and 3560 Configuration.  Connection dumps into the 2960 and then over to the 3560.
SITE B (2960)
-------------
Building configuration...

Current configuration : 5166 bytes
!
! Last configuration change at 13:18:06 EDT Thu Jun 30 2011 by asmith
! NVRAM config last updated at 10:24:36 EDT Tue Jun 14 2011 by asmith
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SITEB-2POST-01
!
boot-start-marker
boot-end-marker
!
enable password 7 *
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
!
ip domain-name *
!
!
crypto pki trustpoint TP-self-signed-375545344
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-375545344
 revocation-check none
 rsakeypair TP-self-signed-375545344
!
!
crypto pki certificate chain TP-self-signed-375545344
 certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33373535 34353334 34301E17 0D393330 33303130 30303034 
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3337 35353435 
  33343430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  DAAFEFF5 A4FCE280 2DD0BF6D 56377698 259FC5C2 C767A57B F2FF9A2A 7A5C41F3 
  7B95EA6C 1F1C6D7C A1B6BBB6 022C7DE1 0B18DE9A 9F6C7597 56D7B567 549F3B29 
  563A2339 212ECAD2 5D79F10E 3294478E 2A6DC5F9 B18F2D4A 90FD0DB0 1635D583 
  D301A031 81F9FE25 EB8216B6 F4758E12 41F5F974 F2B381B2 49DDA407 62B42613 
  02030100 01A37C30 7A300F06 03551D13 0101FF04 05300301 01FF3027 0603551D 
  11042030 1E821C57 4E59502D 32504F53 542D3031 2E524149 4C524F41 442E4C6F 
  63616C30 1F060355 1D230418 30168014 25EFBF4E 8D90ACA9 63C565D1 84490FDF 
  E31B5BE1 301D0603 551D0E04 16041425 EFBF4E8D 90ACA963 C565D184 490FDFE3 
  1B5BE130 0D06092A 864886F7 0D010104 05000381 81000CD2 EEBD8C00 2B185E13 
  8D4FB812 C30DBB6F 3147BA05 CBF6F7FF 55F882EC B937F6F7 88DFAFFF 470AB00F 
  ABC1EC09 E649E081 CA65406E 9370312C 22878B70 B0E615E8 334CEE06 02F64C9F 
  4E960784 8FBE5C80 2C92D572 27929B2D 440028F2 AE95DD0D 05BB38D0 5FC85077 
  0FD42081 6147CC8A 6E9DE1C6 D8249F5C 60605BF4 03E0
  quit
!
!
!
!
!         
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 description UPLINK: Time Warner
 switchport mode trunk
!
interface FastEthernet0/2
 description *
 switchport access vlan 20
!
interface FastEthernet0/3
 description UPLINK: SHOP
 switchport mode trunk
!
interface FastEthernet0/4
 description UPLINK: *
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/5
 description UPLINK: *
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/6
 description UPLINK: *
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/7
 switchport access vlan 20
!
interface FastEthernet0/8
 switchport access vlan 20
!
interface FastEthernet0/9
 switchport access vlan 20
!
interface FastEthernet0/10
 switchport access vlan 20
!
interface FastEthernet0/11
 switchport access vlan 20
!
interface FastEthernet0/12
 switchport access vlan 100
!
interface FastEthernet0/13
 description RADIO TUNNEL
 switchport access vlan 10
!
interface FastEthernet0/14
 description RADIO TUNNEL
 switchport access vlan 20
!
interface FastEthernet0/15
 description VLAN: Ethernet
 switchport access vlan 220
!
interface FastEthernet0/16
 description VLAN: Ethernet
 switchport access vlan 220
!
interface FastEthernet0/17
 description VLAN: Ethernet
 switchport access vlan 220
!
interface FastEthernet0/18
 description VLAN: Ethernet
 switchport access vlan 220
!
interface FastEthernet0/19
 description VLAN: Radios
 switchport access vlan 100
!
interface FastEthernet0/20
 description VLAN: Radios
 switchport access vlan 100
!
interface FastEthernet0/21
 description VLAN: Radios
 switchport access vlan 100
!
interface FastEthernet0/22
 description VLAN: Radios
 switchport access vlan 100
!
interface FastEthernet0/23
 description VLAN: Radios
 switchport access vlan 100
!
interface FastEthernet0/24
 description VLAN: Radios
 switchport access vlan 100
!
interface GigabitEthernet0/1
 description UPLINK: 4POST
 switchport mode trunk
!
interface GigabitEthernet0/2
 description UPLINK: 4POST
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan20
 ip address 192.168.20.82 255.255.254.0
 no ip route-cache
!
interface Vlan100
 ip address 10.10.90.9 255.255.255.0
 no ip route-cache
!
interface Vlan220
 ip address 192.168.220.82 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.20.80
ip http server
ip http secure-server
logging 192.168.10.33
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 046F3B565614425D1D16150713090001
 login local
 length 0
line vty 5 15
 password 7 122D35474B3E02173E24343832372E16
 login local
 length 0
!
ntp clock-period 36028690
ntp server 192.168.10.20 prefer
end




SITE B (3560)
-------------
Building configuration...

Current configuration : 3561 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SITEB-4POST-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 *
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name *
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
 description SV: DC-03
 switchport access vlan 20
!
interface GigabitEthernet0/2
 description SV: DC-03
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description SV: EX-03
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
 description SV: EX-03
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/5
 description SV: EX-03
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/6
 description SV: EX-03
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/7
 description SV: DISPATCH-01
 switchport access vlan 20
!
interface GigabitEthernet0/8
 description SV: DISPATCH-01
 switchport access vlan 220
!
interface GigabitEthernet0/9
 description SV: DISPATCH-02
 switchport access vlan 20
!
interface GigabitEthernet0/10
 description SV: DISPATCH-02
 switchport access vlan 220
!
interface GigabitEthernet0/11
 description SV: RECORDER
 switchport access vlan 100
!
interface GigabitEthernet0/12
 description UP: APC UPS
 switchport access vlan 20
!
interface GigabitEthernet0/13
 description UP: DELL DRAC
 switchport access vlan 20
!
interface GigabitEthernet0/14
 description UP: DELL DRAC
 switchport access vlan 20
!
interface GigabitEthernet0/15
 description UP: DELL DRAC
 switchport access vlan 20
!
interface GigabitEthernet0/16
 description UP: DELL DRAC
 switchport access vlan 20
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
 description UP: 2POST-03
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/20
 description UP: 2POST-03
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/21
 description UP: 2POST-02
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/22
 description UP: 2POST-02
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/23
 description UP: 2POST-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/24
 description UP: 2POST-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description SITE A
 ip address 192.168.10.5 255.255.254.0
!
interface Vlan20
 description SITE B
 ip address 192.168.20.80 255.255.254.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip route 192.168.30.0 255.255.255.0 192.168.10.1
ip http server
!
logging 192.168.10.33
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 107A39495C221C18180B3A3B252A3F30
 login local
 length 0
line vty 5 15
 password 7 107A39495C221C18180B3A3B252A3F30
 login local
 length 0
!
ntp clock-period 36029143
ntp server 192.168.10.20
end

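The thread's question is whether the inter-site trunk is what makes the path fragile, and the configurations above are the evidence. The following Python is an added example, not code from this thread or from Cisco: a small parser that reads IOS `interface` stanzas and reports, for every trunk, its native VLAN, whether DTP is disabled, and which VLANs cross it tagged (and therefore pick up 4 bytes of 802.1Q overhead on the carrier link). The embedded sample is constructed from the interface snippets posted in this thread; treating any port without `switchport mode trunk` as an access port is a simplification of the platform's real DTP default.

```python
import re

# Constructed sample: the inter-site trunk ports quoted in this thread plus one
# Site B uplink that sets a native VLAN and one access port, pasted as IOS text.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/23
 description UPLINK: SITE B
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
 description UPLINK: SITE A
 switchport mode trunk
!
interface FastEthernet0/4
 description UPLINK: *
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/7
 switchport access vlan 20
!
"""

DEFAULT_NATIVE_VLAN = 1  # IOS default when "switchport trunk native vlan" is absent
DOT1Q_TAG_BYTES = 4      # overhead every tagged frame carries across the carrier link

NATIVE_RE = re.compile(r"switchport trunk native vlan (\d+)")
ACCESS_RE = re.compile(r"switchport access vlan (\d+)")


def parse_interfaces(config_text):
    """Parse 'interface ...' stanzas into a dict keyed by interface name.

    A port counts as a trunk only if it carries 'switchport mode trunk';
    anything else is treated as an access port (a simplification: the real
    platform default is DTP dynamic auto, which this model does not emulate).
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {
                "mode": "access",
                "native_vlan": DEFAULT_NATIVE_VLAN,
                "access_vlan": 1,
                "nonegotiate": False,  # DTP off: good hygiene on a trunk facing a carrier
            }
        elif current is not None and raw.startswith(" "):
            cmd = raw.strip()
            iface = interfaces[current]
            if cmd == "switchport mode trunk":
                iface["mode"] = "trunk"
            elif cmd == "switchport nonegotiate":
                iface["nonegotiate"] = True
            elif (m := NATIVE_RE.fullmatch(cmd)):
                iface["native_vlan"] = int(m.group(1))
            elif (m := ACCESS_RE.fullmatch(cmd)):
                iface["access_vlan"] = int(m.group(1))
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces


def tag_overhead(iface, vlan_id):
    """Bytes of 802.1Q overhead a frame in vlan_id picks up leaving this port.

    On a trunk every VLAN except the native one is tagged; an access port
    never tags, so the VLAN ID is irrelevant there.
    """
    if iface["mode"] != "trunk" or vlan_id == iface["native_vlan"]:
        return 0
    return DOT1Q_TAG_BYTES


def trunk_report(config_text, vlan_ids):
    """For each trunk: (name, native VLAN, DTP disabled?, VLANs that cross it tagged)."""
    rows = []
    for name, iface in parse_interfaces(config_text).items():
        if iface["mode"] != "trunk":
            continue
        tagged = [v for v in vlan_ids if tag_overhead(iface, v)]
        rows.append((name, iface["native_vlan"], iface["nonegotiate"], tagged))
    return rows


if __name__ == "__main__":
    for name, native, nonego, tagged in trunk_report(SAMPLE_CONFIG, [1, 10, 20]):
        print(f"{name:22} native={native:<3} nonegotiate={nonego!s:5} tagged={tagged}")
```

Run against the sample, the report shows that VLAN 10 and VLAN 20 both leave the Site A Gi0/23 trunk tagged (native VLAN 1 is the only VLAN that would cross untagged), while on the Site B Fa0/4 uplink VLAN 20 is native and so crosses without the tag.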

Author Comment

by:Railroad
ID: 36891781
Someone I spoke to thought there might be an issue with the MTU size.  In doing some testing an MTU of 1468 was the highest MTU I could use when not fragmenting and get a ping response from one of my machines at the other site.

With the 3560 I cannot lower the MTU below 1500.  If you look at the Wireshark log, the last several attempts were using an MTU of 1514.

Could this be the issue?

Expert Comment

by:rochey2009
ID: 36894641
Hi,

If you are using an 802.1q trunk between sites, your service provider will need to support the additional overhead of the 802.1q tag. The Ethernet frame size can be as large as 1522 bytes. Ask your service provider if they can carry a 1522-byte frame.

Author Comment

by:Railroad
ID: 36904229
I spoke with Time Warner; the MTU at the other end is set to 1536.  However, I can still only get a response from ping with an MTU of 1468, using the command "ping -f 192.168.20.20 -l 1468".

Ideas?

Expert Comment

by:rochey2009
ID: 36905151
What are you connected to at the local end?

Author Comment

by:Railroad
ID: 36905309
SITE A:

Cisco 3560, Port Configuration:

interface GigabitEthernet0/23
 description UPLINK: SITE B
 switchport trunk encapsulation dot1q
 switchport mode trunk

SITE B:

Cisco 2960, Port Configuration:

interface FastEthernet0/1
 description UPLINK: SITE A
 switchport mode trunk

Expert Comment

by:rochey2009
ID: 36906122
Is the service provider saying that the mtu is large enough at both ends of the link?

Author Comment

by:Railroad
ID: 36909434
Yes, they are saying the MTU is 1536.

Expert Comment

by:rochey2009
ID: 36912558
What are you pinging when you perform the MTU test?

Author Comment

by:Railroad
ID: 36912594
From my workstation to one of my domain controllers.

Expert Comment

by:rochey2009
ID: 36913412
Can you do this from the Site A switch to the Site B 2960?

Accepted Solution

by: Railroad
ID: 36994019
The issue is with VLAN tagging and the ISP not having a large enough MTU.  I set up a network using VLAN 1 (untagged) and I am able to do everything.  Forcing my computer to use a smaller MTU while using a tagged VLAN also fixed the issue.
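The accepted answer, the 1468-byte `ping -f` result and rochey2009's 1522-byte figure all come down to frame arithmetic. The Python below is an added example, not code from this thread; the header sizes are the standard Ethernet, 802.1Q, IPv4 and ICMP values, and the 1514-byte link limit is a constructed assumption, chosen because it is the classic untagged maximum frame (excluding FCS) and, as the probe shows, it is the limit that reproduces the 1468-byte result once a 4-byte tag is added on the trunk. `probe_max_payload` emulates the manual `ping -f -l <n>` search with a binary search over the modelled link; a Wireshark capture taken on an access-port host never sees the tag the switch adds on the trunk, which is why such a capture shows 1514 while the carrier sees 1518.

```python
# Standard header sizes (bytes); none of these values come from the thread.
ETH_HEADER = 14    # destination MAC, source MAC, EtherType
ETH_FCS = 4        # frame check sequence, included by figures such as "1522"
DOT1Q_TAG = 4      # 802.1Q tag inserted between source MAC and EtherType
IPV4_HEADER = 20   # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request/reply header

# Constructed assumption: the carrier silently drops any frame larger than this
# (FCS excluded). 1514 is the classic untagged maximum and reproduces the
# 1468-byte ping result reported in the thread once the trunk adds a tag.
ASSUMED_LINK_LIMIT = 1514


def ip_packet_size(ping_payload):
    """IP datagram produced by `ping -l <payload>` (-l is the ICMP data length)."""
    return ping_payload + ICMP_HEADER + IPV4_HEADER


def frame_size(ping_payload, tagged, with_fcs=False):
    """Bytes the frame occupies on the wire; the tag exists only on a non-native VLAN."""
    size = ip_packet_size(ping_payload) + ETH_HEADER
    if tagged:
        size += DOT1Q_TAG
    if with_fcs:
        size += ETH_FCS
    return size


def max_frame_for_mtu(ip_mtu, tagged, with_fcs=True):
    """Largest frame an interface with this IP MTU can emit (1522 for a tagged 1500)."""
    return ip_mtu + ETH_HEADER + (DOT1Q_TAG if tagged else 0) + (ETH_FCS if with_fcs else 0)


class DropOversizedLink:
    """Model of a carrier link that forwards a frame only if it fits within its limit."""

    def __init__(self, limit_bytes):
        self.limit_bytes = limit_bytes

    def forwards(self, ping_payload, tagged):
        return frame_size(ping_payload, tagged) <= self.limit_bytes


def probe_max_payload(link, tagged, hi=1472):
    """Binary search emulating repeated `ping -f -l <n>`: largest payload answered.

    `hi` defaults to 1472, the largest payload a 1500-byte host MTU can send
    without fragmenting; -f makes the host refuse to fragment anything bigger.
    """
    lo = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if link.forwards(mid, tagged):
            lo = mid          # answered: the limit is at or above this size
        else:
            hi = mid - 1      # dropped: the limit is below this size
    return lo


def host_mtu_for_payload(ping_payload):
    """IP MTU to set on the workstation so the largest answered probe still fits."""
    return ip_packet_size(ping_payload)


if __name__ == "__main__":
    link = DropOversizedLink(ASSUMED_LINK_LIMIT)
    for tagged in (False, True):
        best = probe_max_payload(link, tagged)
        print(f"tagged={tagged!s:5} max ping -l payload={best:4} "
              f"frame={frame_size(best, tagged)} host MTU needed={host_mtu_for_payload(best)}")
```

With the assumed 1514-byte limit the untagged probe reaches the full 1472-byte payload while the tagged one stops at 1468, matching the two fixes in the accepted answer: move the traffic to the untagged native VLAN, or lower the host MTU to 1496 so that every tagged frame still fits.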