
Network Design for Guest Internet Access

Last Modified: 2016-08-31
Hello Experts

We are planning to deploy Wireless Internet Access throughout campus. The campus consists of three buildings (B1, B2 and B3). All three buildings are networked together.
The campus cores are located in the B1 Data Center and each building has its own Distribution Switches connected to the Cores on L3 links. Access Switches are terminated to the Distribution Switches.

The Cores and Distribution Switches are configured with several VLANs.

We have already bought Cisco WAPs and Controller ready for deployment. Each WAP will be configured with 2 SSIDs
In this question, we are just concerned about Guest Internet Access.


We have got a new Internet Connection of 50 Mbps and a Cisco Router dedicated to Guests. The line is terminated in our DC and will be connected to the Core Switch.

Now my concern is what is the best possible way to design a secure network for Guests. The Guest traffic should not talk to the Staff and Servers networks.

Many thanks in advance.

JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
A VLAN that is isolated from the main network will do precisely that - prevent guests on the VLAN from using / seeing the main network.

If you have any Wi-Fi on the main network, secure it very well so normal guests cannot crack it.

Author

Commented:
VLAN with L3 SVI or only Layer 2 VLAN.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Either will suffice for most uses.

Author

Commented:
I never liked the idea of just using Layer 2 VLAN or L3 with ACLs alone on the guest network. I'm not sure whether there are other options.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can set up a guest router on a different DHCP network. That, too, will isolate and for most purposes is OK. It is not as secure as VLAN.

Author

Commented:
I've heard about using VRF, but I'm not aware of its deployment and configuration.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I have not used that.

Author

Commented:
No problem, let's hear from other experts about their opinion.
Fred MarshallPrincipal
CERTIFIED EXPERT

Commented:
Here are some simple diagrams which you may find useful.  

The first page shows how you can cascade routers (which entails double or triple NAT but I find no particular disadvantage to that - in contrast to opinions of some).  When you cascade routers, the guest router should be at the "top" nearest the internet gateway.  In some cases, the computers at the "bottom" can "see" the computers higher up but not the reverse.  It is true that packets destined for the internet from the "private" LAN will traverse the upper LAN but without physical access I don't know how those packets could be sniffed.

The second page shows how you can run routers in parallel in which case there are no computers on common LANs.  There is still double NAT but not triple.  There are no computers on a LAN that shares traffic (even if on a separate subnet - as "LAN" and "subnet" aren't the same thing).

With this sort of thing in mind then, if you have VLAN-capable hardware you might effectively do the parallel method with a single router and two VLANs - a VLAN replacing a router each.
But, if you don't, then commodity routers will do just as shown.
Multiple-Subnets.pdf
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Samir, the right way to do this with a Cisco WLC is to use a dedicated WLC as an "anchor". It sits in a DMZ and terminates a secure tunnel between the dedicated guest internet circuit and your corporate WLC.

If you don't have an anchor WLC you can connect the guest internet circuit directly to the corporate WLC using a dedicated port and send guest wireless traffic straight out of the internet router. That sounds like the way forward here.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
VRF is an option but less favourable if you can connect a circuit directly to the WLC.

Author

Commented:
Hi,
If I have multiple internet connections, dedicated for each provider in the buildings, how is that possible then?
Because we have guests and different third-party contracted providers that require only Internet Access and L2L VPN between us and them.

What is the best way to design such network ?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
I'll need a diagram of what you currently have, Samir. It sounds like it'll need an anchor or VRF. Separate interfaces are probably out of the question.

Author

Commented:
Sure I will post a diagram shortly

Author

Commented:
Hi
Please find the attached diagram. It is just the main layout without showing any redundant links.
screenshot.png
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Thanks, Samir. That would fit VRF perfectly. Each building is a separate "customer", right?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Samir, actually it is simple. The WLC can do what you need easily with what you already have. You can group APs and separate their traffic per group, pushing guests over the guest VLAN from the core (which is where the WLC would be connected).

Author

Commented:
Sir
These internet connections will not be limited to Wireless only; many of the users will be on Wired Connections also.

Thanks
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Ok so VRF is still ok. You can put each building in its own VRF and still connect each to the internet, and do guest. I'm guessing you have ACLs at the moment?

Author

Commented:
I've never worked with VRF, can you please help with deployment and configuration.
Yes we have ACLs to prevent VLANs talking to each other.

Thanks
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Sure can. I'm not able to do anything until tomorrow now but I can show you what's needed.

Author

Commented:
No problem I can wait :) Highly Appreciating your usual help and support
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Ok, so we need to ask some questions before we VRF the network to get us started, to work out where we can and can't separate traffic.

1] Does each site need to see any other's traffic?
2] Are the Internet connections specific to particular sites, or does each site use P1 and P2?
3] What control do you have over the Internet routers?

Author

Commented:
Thank you Sir.

1. Sites should be able to see the traffic between each other; only Guest and Providers shouldn't see each other and our production network.
2. Currently internet connections are dedicated for each provider and guests.
3. Actually we control them, to be honest, but I'm really interested in limiting the traffic from a bandwidth point of view.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
This should be relatively easy then.  Last question... do you have wired connections that need to be on the guest network?

Author

Commented:
Yes Sir, there will be wired connections for Guests and Providers' Employees.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:

Author

Commented:
Ok Sir, if understood correctly, the idea here is to first convert the link between Cores and Distribution Switches to L2 instead of L3?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Yes, if they're pure L3 they need to be L2, with an SVI to route the 'corporate' traffic and another SVI to route 'guest' traffic.  You'll still be doing L3, just over an L2 link.

Author

Commented:
Is it possible to have simple diagram to understand  the scenario?

Currently the SVIs for the VLANs are on distribution switches, so do I need to move all SVIs to Cores ?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
No, you don't need to move all SVIs to cores. All we're going to be doing is using a new SVI for the L3 link at the distribution switches instead of putting the IP on a physical interface. If you send me your L3 interface config from each end I'll show you how to convert.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If you send me your L3 interface config from each end I'll show you how to convert.

As Craig knows he means publishing the configuration here in the Q&A forum.

Author

Commented:
Core Switch1

int gi2/10
description < Link to gi1/1/1 to  Distribution SW1 B1
ip address 10.41.23.1 255.255.255.252

Core Switch 2
int gi2/10
description < Link to Gi2/1/1 Distribution SW2 B1
ip address 10.41.24.1 255.255.255.252

DSW1
int gi1/1/1
ip address 10.41.23.2 255.255.255.252

DSW1
int gi2/1/1
ip address 10.41.24.2 255.255.255.252
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Thanks, Samir.

So you have 2 cores, not 1?
How does each core see each other?  Do you have L2 or L3 links between?
Does the Guest internet circuit connect to both cores?

Author

Commented:
Hi,
Yes we have 2 Cores at the Core Layer. They are connected as Layer 2. But after 2-3 months we are planning to add VSS.


The Internet circuit is connected to a router and the router is connected to Core 1 only as of now, without L2 or L3 configuration between router and core.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
I'd wait for the VSS at the core before you do this. It'll be a lot cleaner and a lot easier.

You can do the wireless bit easily but wired guest will be a little harder as VRF will be required to securely route traffic (as you have L3 links between core and dists).

What dist switches do you have, Samir?

Author

Commented:
Sir
VSS might take some time to implement and we need to Guest and Providers Internet

We have 3750x at Dist.

I have no issue to go with VSS with your kind support
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Do you already have providers internet?

Author

Commented:
Yes
We have already got the internet circuit
Just need to design and implement the solution
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Ok so of all the diagram you gave, how much of it is actually working already?

Author

Commented:
The Core,DSW and Access Switches
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Ok do you have IP Services on the 3750X?

Author

Commented:
Yes Sir
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Cool so we can VRF all the way to the 3750X.

I'll send a config tomorrow :-)

Author

Commented:
Thanks a lot
Network Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:

Author

Commented:
Thanks Sir
The config is complicated but I will try to work out
Just to clarify, why do we have loopback interfaces it is just for OSPF Router Id purposes?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Yes loopbacks are for OSPF. If you don't use dynamic routing you don't necessarily need loopbacks.

Basically, all interfaces in the GUEST VRF are in a separate routing domain to the CORP interfaces. The GUEST interfaces are tagged in the GUEST VRF using the ip vrf forwarding GUEST command. This keeps them separate from the 'global' routing table where CORP interfaces live.

Author

Commented:
Thank you Sir
We have another site which has a separate Guest Internet Circuit. This site has collapsed core network so how the configuration will look if the Guest Internet Router was connected to Collapsed Core Switch

I'm going to office tomorrow to test all the config

Thanks
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
All you need to do is create a VRF at the core and put any interfaces related to the Guest service into the VRF. That will separate the Guest from everything else.

Have a look at each section of the config I gave you to see how it fits. The static default route is tagged in a VRF too.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
If you have an IP Services image for a 3625 or similar you can use GNS3 to lab it.

Author

Commented:
Sure I will lab them in GNS and will post here if anything goes wrong

Author

Commented:
I'm actually out of office and will return tomorrow, I will lab them in GNS3 and will update you,
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
No rush, Samir. I'm away until Saturday too.

Author

Commented:
Hello
Sorry for the delay in reply.
This is topology I have setup in GNS3 but not configured anything yet.
screenshot.png

Author

Commented:
I've configured the VRFs.

How can I inject a VRF route into the global routing table and vice versa?

As I have monitoring station and I need to monitor the router placed in Guest and Providers VRFs
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:

Author

Commented:
Hi,

Thanks for the link

Just confused with some above configuration, why have you created two separate VLANs i.e Corp Transit and Guest Transit

Is it not possible with just 1 transit VLAN

Thanks
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
No - you have to route traffic for each VRF over its own link.  That requires a transit link in each VRF.

They're two separate routing domains, so if you pushed all traffic over one single L3 interface how would the next hop know which VRF to put the traffic on?

Author

Commented:
Thanks sir for clarification
It may sound like a similar question: is this scenario not possible using L3 links?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Absolutely, if you have enough physical interfaces.  Instead of using trunks and SVIs you could do...

interface GigabitEthernet1/1/1
 description CORP TRANSIT
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/1/2
 description GUEST TRANSIT
 no switchport
 ip vrf forwarding GUEST
 ip address 192.168.0.1 255.255.255.252
!


Author

Commented:
Hi Sir

I see you have different configuration for HSRP on Core 1 and Core 2. The default route for GUEST VRF is pointing to Standby  IP, however the route should point to GUEST internet Router interface

I am a bit puzzled.

Another thing, the Guest Subnet is /29, here what will be the subnet for Guest Users. I want to make the routers as a DHCP server for clients also,

Thanks
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Yes, I put the wrong IP as the GUEST default route. You're right.

The guest subnet is a /29 for the guest internet router VLAN at the core but guest users will be at DSWs so you can make them as big as you need. I used VLAN 666 with a /24 in my example.

Author

Commented:
Thanks Sir
Just another points
- Why you have added network statement for loopback interfaces
- Why default route is pointing to loopback (10.0.0.1) on Core Switch
- Also I noted you have not advertised VLAN 215,216 and 217 from Cores to DSW ?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Network statements for loopbacks is habit, but the default information originate command injects a default route into the stub areas (each DSW) so really we don't need to advertise VLANs 215-217 as the DSWs route everything via the core anyway.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Default route should point to your internet routers - that was a mistake on my part :-)

Author

Commented:
Thank you sir.

The switch port on Core Switch connecting guest and providers routers should not have "ip vrf forwarding" command? Right Sir
However SVIs are part of their own VRFs
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
The switch port on Core Switch connecting guest and providers routers should not have "ip vrf forwarding" command? Right Sir

The Guest router should be in its own VRF.  It needs the ip vrf forwarding command.  If you don't use that command, the GUEST VRF can't use the router to route traffic.  Similarly, the corporate side of the network shouldn't be able to get to the guest router.  Only GUEST traffic should be able to get to the router.
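
The VRF membership rule from the answers above (interfaces carrying ip vrf forwarding GUEST form a routing domain separate from the global table), as an added audit script that is not part of the original thread. The sample configuration is constructed from the addressing posted in this thread; the guest prefix list and the function names are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample in running-config layout, modelled on the addressing
# posted in this thread. Vlan215 is missing its VRF line on purpose, and
# Vlan666 has the address ahead of the VRF line.
SAMPLE_CONFIG = """\
interface Vlan215
 description Link to GUEST Internet
 ip address 192.168.0.2 255.255.255.248
!
interface Vlan2001
 description CORP TRANSIT
 ip address 172.16.1.1 255.255.255.252
!
interface Vlan2002
 description GUEST TRANSIT
 ip vrf forwarding GUEST
 ip address 172.17.1.1 255.255.255.252
!
interface Vlan666
 description GUEST VLAN
 ip address 192.168.101.1 255.255.255.0
 ip vrf forwarding GUEST
!
"""

GUEST_VRF = "GUEST"
# Assumption: the prefixes reserved for guest use in this example.
GUEST_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("192.168.0.0/29", "192.168.101.0/24", "172.17.1.0/30")]

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
VRF_RE = re.compile(r"^\s+(?:ip\s+)?vrf forwarding\s+(\S+)", re.I)
ADDR_RE = re.compile(r"^\s+ip address\s+([\d.]+)\s+([\d.]+)", re.I)


def parse_interfaces(config):
    """Map interface name -> VRF, configured subnets, and line-order flag."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(
                m.group(1), {"vrf": None, "nets": [], "addr_before_vrf": False})
        elif current is not None and not line.startswith(" "):
            current = None  # "!" or a new top-level command ends the stanza
        elif current is not None:
            vrf, addr = VRF_RE.match(line), ADDR_RE.match(line)
            if vrf:
                current["vrf"] = vrf.group(1)
                # On IOS, enabling a VRF on an interface removes the IP
                # addresses already configured on it.
                current["addr_before_vrf"] = bool(current["nets"])
            elif addr:
                iface = ipaddress.ip_interface("/".join(addr.groups()))
                current["nets"].append(iface.network)
    return interfaces


def audit(config, guest_vrf=GUEST_VRF, guest_prefixes=GUEST_PREFIXES):
    """Return (interface, problem, detail) tuples for isolation gaps."""
    findings = []
    for name, info in parse_interfaces(config).items():
        for net in info["nets"]:
            is_guest_net = any(net.subnet_of(p) for p in guest_prefixes)
            if is_guest_net and info["vrf"] != guest_vrf:
                findings.append((name, "guest subnet outside guest VRF", str(net)))
            elif not is_guest_net and info["vrf"] == guest_vrf:
                findings.append((name, "non-guest subnet inside guest VRF", str(net)))
        if info["addr_before_vrf"]:
            findings.append(
                (name, "ip address configured before vrf forwarding", info["vrf"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
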

Author

Commented:
Because, Sir, what happens here is that I configured the GUEST SVI as follows, and the switchport on which the GUEST router is connected:

interface Vlan215
 description Link to GUEST Internet
 ip address 192.168.0.2 255.255.255.248
 standby 255 ip 192.168.0.1
 standby 255 priority 110
 standby 255 preempt

int gi0/2
switchport access vlan 215
switchport mode access

GUEST Router

int gi0/0
ip address 192.168.0.3 255.255.255.248

With the above configuration I was able to ping the SVI IP from the Router but not vice versa. Actually I was puzzled how the traffic was returned from Core to Router if I didn't put the router into GUEST VRF.
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:

Author

Commented:
Thanks Sir, it's cleared now.
When I am trying to add "no interface-default for Vlan2002" under the VRF OSPF Process, I received the error "Interface %Interface specified does not belong to this process"
Any idea what could be the issue ?
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
You don't have this...

interface Vlan2002
 ip vrf forwarding GUEST


Author

Commented:
Thanks Sir
Everything is configured, however the VRF Guest default is not advertised to DSW1.
Below are the configuration and routing tables.

Core 1

vlan 215
!
interface Vlan215
 description Link to GUEST Internet
 ip vrf forwarding GUEST
 ip address 192.168.0.2 255.255.255.248
 standby 255 ip 192.168.0.1
 standby 255 priority 110
 standby 255 preempt

vlan 2002
!
interface Vlan2002
 ip vrf forwarding GUEST
 ip address 172.17.1.1 255.255.255.252

router ospf 2 vrf GUEST
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate always

interface Ethernet0/1
description **Link to DSW1**
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2001,2002
 switchport mode trunk



DSW1

vlan 666

interface Vlan666
 description GUEST VLAN
 ip vrf forwarding GUEST
 ip address 192.168.101.1 255.255.255.0

vlan 2002

interface Vlan2002
 ip vrf forwarding GUEST
 ip address 172.17.1.2 255.255.255.252

router ospf 2 vrf GUEST
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 network 192.168.101.1 0.0.0.0 area 0

interface Ethernet0/0
description **Link to Core*
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2001,2002
 switchport mode trunk
 duplex auto





Routing Tables


Core 1
CSW1#sh ip route 
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.1.0/29 is directly connected, Vlan216
L        10.0.1.2/32 is directly connected, Vlan216
C        10.0.2.0/29 is directly connected, Vlan217
L        10.0.2.2/32 is directly connected, Vlan217
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/30 is directly connected, Vlan2001
L        172.16.1.1/32 is directly connected, Vlan2001

CSW1#sh ip route vrf GUEST

Routing Table: GUEST

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.3
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/30 is directly connected, Vlan2002
L        172.17.1.1/32 is directly connected, Vlan2002
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/29 is directly connected, Vlan215
L        192.168.0.2/32 is directly connected, Vlan215
O     192.168.101.0/24 [110/2] via 172.17.1.2, 00:08:42, Vlan2002

CSW1#sh ip route vrf GUEST ospf

Routing Table: GUEST

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

O     192.168.101.0/24 [110/2] via 172.17.1.2, 00:09:13, Vlan2002



DSW1

DSW1#sh ip route
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan100
L        10.1.1.1/32 is directly connected, Vlan100
C        10.1.2.0/24 is directly connected, Vlan110
L        10.1.2.1/32 is directly connected, Vlan110
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.1.0/30 is directly connected, Vlan2001
L        172.16.1.2/32 is directly connected, Vlan2001
C        172.16.2.0/30 is directly connected, Vlan2003
L        172.16.2.2/32 is directly connected, Vlan2003
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.2.0/30 is directly connected, Vlan2004
L        172.17.2.2/32 is directly connected, Vlan2004

DSW1#sh ip route vrf GUEST

Routing Table: GUEST
Gateway of last resort is not set

      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/30 is directly connected, Vlan2002
L        172.17.1.2/32 is directly connected, Vlan2002
      192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.101.0/24 is directly connected, Vlan666
L        192.168.101.1/32 is directly connected, Vlan666


some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:

Author

Commented:
Hi Sir
But the problem is DSW is not receiving the default VRF route from but the Core received the VRF subnet
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Agreed, but tidying up OSPF won't hurt :-)

Author

Commented:
Sure Sir
I tried the above command but still I don't see any route on DSW1 for Guest VRF


DSW1

DSW1#show ip route vrf GUEST ospf

Routing Table: GUEST
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set



CSW- Core

CSW1#sh ip route vrf GUEST ospf

Routing Table: GUEST
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

O E2  192.168.101.0/24 [110/20] via 172.17.1.2, 00:00:17, Vlan2002


some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
And you 100% have default-information originate in the OSPF config at the core? That should be all you need.

Author

Commented:
Yes Sir this is the OSPF config on Core

router ospf 2 vrf GUEST
 router-id 192.168.0.3
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate


Author

Commented:
Sir, The issue is resolved.

I removed default-information originate from DSW1 Switch but no clue why it was causing this issue

router ospf 2 vrf GUEST
 redistribute connected subnets
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
no default-information originate

Author

Commented:
Very last question in this thread, I need to have routes on Guest Router for Guest VLANs using OSPF, hence what will be the best approach
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Ok so if it was on DSW1 it thought itself was the default route. The default-information originate command tells other routers that it is the default router.

You can configure OSPF on the guest router to learn routes from the core and put default-information originate always there then the core will use the guest router as its default route.

Author

Commented:
I configured the router as follows but no routes were learned from Core

router ospf 1
network 192.168.0.3 0.0.0.0 area 0
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
You should advertise the network at the core too. That actually runs the routing process on the interface. You'll need to use no passive interface Vlan215 at the core too.

Author

Commented:
I configured the below on Core and Router but no adjacency took place

Core
router ospf 2 vrf GUEST
 router-id 192.168.0.3
 passive-interface default
 no passive-interface Vlan2002
 no passive-interface Vlan215
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate

Router

router ospf 2
network 192.168.0.3 0.0.0.0 area0
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
As I said, you need to advertise the network at the router and the core.

network 192.168.0.0 0.0.0.3 area 0

Author

Commented:
Excellent Sir
Everything is working fine as desired

Thanks a lot for your usual excellent support and precious time
some oneNetwork Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
That's good to hear, Samir.  As always, glad to help :-)
