paclaiborne

Problems with IP Routing over Point-to-Point Ethernet Connection

Hello all -

We have two locations, HQ and a Datacenter.  We've been using a site-to-site VPN over the public Internet to connect the two locations.

We recently had a point-to-point Ethernet circuit installed by FPL Fibernet and want to utilize that and remove the site-to-site VPN.  Here is the equipment at each end:

ASA 5510s providing Internet access and site-to-site VPN
2 Cisco 3750s as core switch stack in each location, directly connected to the inside interface on the ASA
Dell Servers/SAN hanging off various ports on the 3750s at each location

Each location is a separate VTP domain with its own VLANs.  The FPL connection is plugged into int gig 2/0/47 in the Datacenter and int gig 1/0/48 in HQ.  Here's my problem...

I'm unclear how each site will see the other if both interfaces are merely configured as trunk ports.  Since the HQ switches don't know where the VLANs/subnets live in the Datacenter, how will they know to pick up the L2 traffic off the trunk and route it?

I thought that perhaps it would be better to configure the interface on each end to be an IP port, then add static routes on each switch to point to the subnets/VLANs on the other side.  However, when I do this I'm unable to ping the interface on the other side or any subnets in the other site.

Could you help point me in the right direction?  Happy to provide configs or diagrams if needed.
Soulja

Diags and configs please. :)
paclaiborne

ASKER

Here's the HQ config.  May take me a little bit to get the datacenter one but it is essentially the same, just without all the QoS for voice since we don't have voice up there.
HQconfig.txt
ASKER CERTIFIED SOLUTION
rauenpc

This solution is only available to members.
Thanks - I've got them set up as just L3 interfaces right now and intended to do static routing, but I can't even ping the L3 interface on the other side.  So 1/0/48 on the HQ side is 172.16.0.65 and IP on the other end is .66 but no ping traffic goes through.  I don't have any ACLs in place and the vendor assured me the connection would pass L3 and L2 traffic.  If I went the trunk route and had to configure all VLANs on each side, how would I do that since the VLAN IDs on each side overlap? I guess change the VLAN IDs and access ports on one side so that they don't overlap?

I guess I forgot to mention... Configuring all the VLANs at every site is an option... But a poor one. Routing is the better choice whether done via L3 interface or L3 VLAN.

If the interfaces are up on both sides and you cannot ping, I would contact the ISP. If you want to be very diligent, connect a laptop to the layer 3 port and do a ping test to make sure the port can ping altogether. This takes away the ISP link from the situation.

Thanks - your responses helped us confirm the different options available to us.  I agree with you that we'd prefer to do L3 routing via interface or VLAN.  We contacted the ISP and there were separate issues with the Tier 2 providers on both ends - one issue with a cross connect in the data center and one issue with all the VLAN tags not being stripped off.  Closing the question and awarding points...