3750 load balancing over dual links with separated VLANs

Discussion in 'Cisco' started by rsoft, May 1, 2009.

  1. rsoft

    rsoft Guest

    Hi,

    I'm trying to setup a system which uses 2 transparent networks as WAN.
    All "routers" are Cisco 3750 and each location has 5 VLAN's. VLAN 1 is
    isolated, VLAN 2, 3, 4 and 5 can route to each other on the local 3750
    stack. However: VLAN's 2, 3 and 4 should each have their own uplink to
    the transparent WAN's. So, for instance:

    VLAN 2 goes out on Fa1/0/2 and Fa2/0/2
    VLAN 3 goes out on Fa1/0/3 and Fa2/0/3
    VLAN 4 goes out on Fa1/0/4 and Fa2/0/4

    VLAN 1 and 5 are not to be routed over the WAN

    I've made a small sketch of the system which can be seen at
    http://rsoft.nl/network.jpg to clarify.

    What I'd like to reach is that VLAN 3 at Location 4 goes out of
    Fa1/0/3 and Fa2/0/3 only, Fa1/0/3 goes directly to location 1 (the main
    location). Fa2/0/3 goes to location 2 (the backup main location) and
    then up the fiber to location 1. I don't want EIGRP to select routes
    on links not intended for that VLAN.

    What I've done so far: I've enabled three EIGRP AS's. One for each of
    the VLAN's and assigned IP address to Fa1/0/2-4 and Fa2/0/2-4. They
    do find the appropriate neighbours, but if I unplug all links for VLAN
    4, I can still connect to VLAN 4 on another location over the WAN.

    I've tried setting ACL's to deny traffic between for instance Fa1/0/2
    and VLAN 3 and 4, but was unsuccessful (sorry, didn't keep the ACL
    test config). All it did was block VLAN routing on the location
    itself.

    I've looked at setting the locations 3-5 as stub routers in EIGRP, but
    I'm not sure whether this should solve my problem.

    Here's my (edited) config for the router in Location 4:

    --------------------------------------------------------------------------------------------------------

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname LOC4RTR
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    no aaa new-model
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    switch 1 provision ws-c3750-24ts
    switch 2 provision ws-c3750-24ts
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !
    mls qos
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    interface FastEthernet1/0/2
     no switchport
     ip address 2.1.2.4 255.255.255.0
     speed 10
     duplex full
     flowcontrol receive desired
    !
    interface FastEthernet1/0/3
     no switchport
     ip address 2.1.3.4 255.255.255.0
     speed 10
     duplex full
     flowcontrol receive desired
    !
    interface FastEthernet1/0/4
     no switchport
     ip address 2.1.4.4 255.255.255.0
     speed 100
     duplex full
     flowcontrol receive desired
    !
    interface FastEthernet2/0/2
     no switchport
     ip address 2.2.2.4 255.255.255.0
     speed 10
     duplex full
     flowcontrol receive desired
    !
    interface FastEthernet2/0/3
     no switchport
     ip address 2.2.3.4 255.255.255.0
     speed 10
     duplex full
     flowcontrol receive desired
    !
    interface FastEthernet2/0/4
     no switchport
     ip address 2.2.4.5 255.255.255.0
     speed 100
     duplex full
     flowcontrol receive desired
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     ip address 1.4.2.1 255.255.255.0
    !
    interface Vlan3
     ip address 1.4.3.1 255.255.255.0
    !
    interface Vlan4
     ip address 1.4.4.1 255.255.255.0
    !
    interface Vlan5
     ip address 1.4.5.1 255.255.255.0
    !
    router eigrp 2
     variance 2
     network 2.1.2.4 0.0.0.255
     network 2.2.2.4 0.0.0.255
     network 1.4.2.1 0.0.0.255
     maximum-paths 2
     no auto-summary
    !
    router eigrp 3
     variance 2
     network 2.1.3.4 0.0.0.255
     network 2.2.3.4 0.0.0.255
     network 1.4.3.1 0.0.0.255
     maximum-paths 2
     no auto-summary
    !
    router eigrp 4
     variance 2
     network 2.1.4.4 0.0.0.255
     network 2.2.4.4 0.0.0.255
     network 1.4.4.1 0.0.0.255
     maximum-paths 2
     no auto-summary
    ip classless
    ip http server
    ip http authentication local
    !
    !
    !
    control-plane
    !
    !
    line con 0
     login
    line vty 0 4
     login
     length 0
    line vty 5 15
     login
    !
    end

    ---------------------------------------------------------------------------------------------------------

    Thanks in advance for any help,

    Marc Rietman
    rsoft, May 1, 2009
    #1

  2. rsoft

    Trendkill Guest

    This just doesn't make much sense to me. What exactly are you trying
    to accomplish? It's definitely not load-balancing, as manually
    establishing hops like this is only going to limit you to one path or
    another, when you have 4 other ones that are perfectly good to use or
    load-balance, but you are effectively creating 3 WANs (1 for each
    vlan). Is this even a WAN, or is it a lab? I assume the latter since
    you mention 'transparent' WANs. Bottom line is that we need more
    information as to what your goals are before we get into how to
    engineer it. Policy-based routing is surely a great option to ensure
    different paths are used, but you seem to not want failover beyond
    what you have configured.....you are manually creating a routing
    protocol, and one that is inferior to the options you have today which
    could give you plenty of resiliency and aggregate bandwidth.
    Trendkill, May 1, 2009
    #2

  3. rsoft

    rsoft Guest

    On 1 mei, 13:32, Trendkill <> wrote:
    > This just doesn't make much sense to me.  What exactly are you trying
    > to accomplish?  It's definitely not load-balancing, as manually
    > establishing hops like this is only going to limit you to one path or
    > another, when you have 4 other ones that are perfectly good to use or
    > load-balance, but you are effectively creating 3 WANs (1 for each
    > vlan).  Is this even a WAN, or is it a lab?  I assume the latter since
    > you mention 'transparent' WANs.  


    I can assure you that this is not a lab situation. The customer has a
    nationwide network with (I believe) Alcatel equipment which is
    essentially configured as a big hub. Essentially, I've been assigned 3
    ports per location per WAN. Everything that I put in on a port is
    replicated out on all other locations on the same port. Why did I call
    it transparent: it doesn't filter out the EIGRP announcements and I
    don't have to abide by any IP schemes already present in the Alcatel
    equipment.

    > Bottom line is that we need more
    > information as to what your goals are before we get into how to
    > engineer it.  Policy-based routing is surely a great option to ensure
    > different paths are used, but you seem to not want failover beyond
    > what you have configured.....you are manually creating a routing
    > protocol, and one that is inferior to the options you have today which
    > could give you plenty of resiliency and aggregate bandwidth.


    Well, essentially we have 3 types of data: Audio, Video and Data (or
    Other). The customer's equipment can't supply more than 100Mbit per
    copper port, even though the total capacity of each WAN is in the
    Gbits. The Video part is now allotted the full 100Mbit, so Audio and
    Data have to go through a different copper port. The Audio part has to
    get priority over Data, but they're not willing to allot another 100Mbit
    and have everything over these 2 ports. They're not (yet) willing to
    implement QOS as they haven't done that already on their Alcatel
    network.

    What I want is to have the 3 VLAN's on the separate copper ports, load-
    balancing over the two different sets of Alcatel equipment. So the
    Audio may not pass over the Video or Data VLAN, even if both Audio
    links have failed.

    I'm not interested in configuring redundancy in the Alcatel equipment
    as this is the customer's equipment. They say they have it configured
    and due to the nature of their business, I accept that as truth.

    I hope I've made it clearer what I hope to achieve.

    Thanks, Marc
    rsoft, May 1, 2009
    #3
  4. rsoft

    Trendkill Guest


    Well, very interesting. So, if you unplug the two vlan 2 WAN
    connections at a site, how are the packets still getting to the other
    side? Do a sh ip route and see what neighbor is providing a path. I
    have architected/engineered very very large networks, but I haven't
    really run multiple instances of protocols in the wild, and don't have
    any service provider engineering experience. So, I would shut down
    the two vlan 2 wans, see where the advertisement is coming from, and
    then perhaps you do route maps to block routes on each interface to
    the other vlans. Meaning you would create 3 route maps, and apply
    each one to each of the pairs of WAN connections that only allow the
    desired subnets and block others. I was just thinking, could it be
    the default gateway that is getting you? If there is a DG associated
    with each of the WAN interface pairs, then even with one down, it
    would just not have a more specific route and the DG would still get
    you there. So you should keep an eye out for that as well.
    Trendkill, May 1, 2009
    #4
  5. rsoft

    Trendkill Guest

    On May 2, 1:41 am, Peter <> wrote:
    > so if I understand this correctly, the problem is that you are getting
    > all of the vlan subnets advertised on all of the EIGRP ASs?
    >
    > I think this is due to your EIGRP configuration.  By default, EIGRP will
    > advertise all the subnets on all interfaces, so each switch will  be
    > advertising across all of your VLANs, you should see that for each EIGRP
    > AS there are three EIGRP neighbors on each other switch, one for each
    > VLAN, causing the multiple routing options.  My suggestion would be to
    > make most interfaces passive and only activate the interfaces needed for
    > a vlan.  So for example you would have
    >
    > router eigrp 2
    >    variance 2
    >    passive-interface default
    >    no passive-interface fa1/0/2
    >    no passive-interface fa2/0/2
    >    network 2.1.2.4 0.0.0.255
    >    network 2.2.2.4 0.0.0.255
    >    network 1.4.2.1 0.0.0.255
    >    maximum-paths 2
    >    no auto-summary
    >
    > Peter


    That's a good call. Passive will stop adjacencies being formed for
    that eigrp process on those other interfaces, which should then stop
    those networks from being advertised. That or the route-maps should
    work. Nice suggestion Peter.
    Trendkill, May 2, 2009
    #5
  6. rsoft

    Stephen Guest

    On Fri, 1 May 2009 00:59:50 -0700 (PDT), rsoft <>
    wrote:

    >Hi,
    >
    >I'm trying to setup a system which uses 2 transparent networks as WAN.
    >All "routers" are Cisco 3750 and each location has 5 VLAN's. VLAN 1 is
    >isolated, VLAN 2, 3, 4 and 5 can route to each other on the local 3750
    >stack. However: VLAN's 2, 3 and 4 should each have their own uplink to
    >the transparent WAN's. So, for instance:
    >
    >VLAN 2 goes out on Fa1/0/2 and Fa2/0/2
    >VLAN 3 goes out on Fa1/0/3 and Fa2/0/3
    >VLAN 4 goes out on Fa1/0/4 and Fa2/0/4
    >
    >VLAN 1 and 5 are not to be routed over the WAN
    >
    >I've made a small sketch of the system which can be seen at
    >http://rsoft.nl/network.jpg to clarify.
    >
    >What I'd like to reach is that VLAN 3 at Location 4 goes out of
    >Fa1/0/3 and Fa2/03 only, Fa1/0/3 goes directly to location 1 (the main
    >location). Fa2/0/3 goes to location 2 (the backup main location) and
    >then up the fiber to location 1. I don't want EIGRP to select routes
    >on links not intended for that VLAN.
    >

    the config looks like you are routing at each switch port such as Fa
    1/0/2, since you have "no switchport". that port connects to the WAN,
    but you talk about connecting VLANs?

    are you trying to get Layer 2 links across the WAN? - if so you
    probably want vlans trunked on each port, multiple spanning tree and
    alter the spanning tree costs to bias different vlans to different
    push.

    If you want multiple IP networks that are isolated, then i suggest you
    run VRF-lite on each switch and then each switch can act as multiple
    separate routers. The flip side here is that you don't then get to have
    1 big IP network.

    Finally if you want 1 routed IP network, then a better way may be to
    load balance across the set of WAN links at each site - EIGRP can do
    that, although i find OSPF much easier to work with.

    If you use session based load balance which is default then as long as
    there are a fair number of devices per site communicating you should
    get reasonable load balancing.

    there is yet another approach based on policy routing. Set up 1 set of
    "normal" traffic paths using the routing protocol.
    Then use ACLs to pick out some traffic at each switch and divert that
    to a different WAN port (IP telephony traffic, or everything marked
    DSCP "EF" would be 1 possibility). You need to be careful to only use
    ACLs that can be handled in hardware or the switch degrades to a 5k
    pps software based router.

    >What I've done so far: I've enabled three EIGRP AS's. One for each of
    >the VLAN's and assigned IP address to Fa1/0/2-4 and Fa2/0/2-4. They
    >do find the appropriate neighbours, but if I unplug all links for VLAN
    >4, I can still connect to VLAN 4 on another location over the WAN.
    >

    Different ASes gives you different routing instances, but doesn't split
    the routing table on a single box on its own - controlling which
    routes go where can be painful.

    --
    Regards

    - replace xyz with ntl
    Stephen, May 2, 2009
    #6
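An audit of the two points raised in the replies above, as an added example that is not code from any poster: which interfaces each EIGRP process is enabled on and can form neighbours on once `passive-interface` is applied, and which connected subnets stay in the switch's single routing table although that process never advertises them. The sample config is a constructed excerpt of the Location 4 config with the suggested passive-interface lines applied to AS 2 only; `canon`, `parse`, `enabled`, `adjacency` and `audit` are hypothetical names.

```python
import ipaddress
import re

# Constructed excerpt of the Location 4 config; AS 2 carries the suggested
# passive-interface lines, AS 3 is left as originally posted.
CONFIG = """\
interface FastEthernet1/0/2
 ip address 2.1.2.4 255.255.255.0
interface FastEthernet1/0/3
 ip address 2.1.3.4 255.255.255.0
interface FastEthernet2/0/2
 ip address 2.2.2.4 255.255.255.0
interface FastEthernet2/0/3
 ip address 2.2.3.4 255.255.255.0
interface Vlan2
 ip address 1.4.2.1 255.255.255.0
interface Vlan3
 ip address 1.4.3.1 255.255.255.0
router eigrp 2
 passive-interface default
 no passive-interface fa1/0/2
 no passive-interface fa2/0/2
 network 2.1.2.4 0.0.0.255
 network 2.2.2.4 0.0.0.255
 network 1.4.2.1 0.0.0.255
router eigrp 3
 network 2.1.3.4 0.0.0.255
 network 2.2.3.4 0.0.0.255
 network 1.4.3.1 0.0.0.255
"""

FULL_NAMES = ("FastEthernet", "GigabitEthernet", "Vlan")


def canon(name):
    """Expand an abbreviated interface name (fa1/0/2 -> FastEthernet1/0/2)."""
    m = re.fullmatch(r"([A-Za-z]+)\s*([\d/]+)", name.strip())
    if not m:
        return name
    for full in FULL_NAMES:
        if full.lower().startswith(m.group(1).lower()):
            return full + m.group(2)
    return name


def parse(config):
    """Return ({interface: IPv4Interface}, {AS number: process settings})."""
    ifaces, procs, ctx = {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface":
            ctx = ("if", canon(words[1]))
        elif words[0] == "router":
            ctx = ("eigrp", int(words[2])) if words[1] == "eigrp" else None
            if ctx:
                procs[ctx[1]] = {"nets": [], "passive_default": False,
                                 "passive": set(), "active": set()}
        elif words[0] == "line":
            ctx = None
        elif ctx and ctx[0] == "if" and words[:2] == ["ip", "address"]:
            ifaces[ctx[1]] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
        elif ctx and ctx[0] == "eigrp":
            proc = procs[ctx[1]]
            if words[0] == "network" and len(words) == 3:
                # Assumes the "network <address> <wildcard>" form used in the thread.
                proc["nets"].append(tuple(int(ipaddress.IPv4Address(w))
                                          for w in words[1:3]))
            elif words == ["passive-interface", "default"]:
                proc["passive_default"] = True
            elif words[0] == "passive-interface":
                proc["passive"].add(canon(words[1]))
            elif words[:2] == ["no", "passive-interface"]:
                proc["active"].add(canon(words[2]))
    return ifaces, procs


def enabled(ifaces, proc):
    """Interfaces whose address matches one of the process's network statements."""
    return {name for name, itf in ifaces.items()
            if any(((int(itf.ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0
                   for addr, wild in proc["nets"])}


def adjacency(ifaces, proc):
    """Enabled interfaces that still send hellos and so can form neighbours."""
    on = enabled(ifaces, proc)
    return on & proc["active"] if proc["passive_default"] else on - proc["passive"]


def audit(config):
    """Per AS: neighbour-capable interfaces, advertised and unadvertised subnets."""
    ifaces, procs = parse(config)
    report = {}
    for asn, proc in procs.items():
        on = enabled(ifaces, proc)
        report[asn] = {
            "neighbours_on": sorted(adjacency(ifaces, proc)),
            # A passive interface sends no hellos, but its subnet is still advertised.
            "advertises": sorted(str(ifaces[n].network) for n in on),
            # Connected elsewhere on the box: absent from this AS, present in the
            # one global routing table, so still forwarded to if a packet arrives.
            "routable_not_advertised": sorted(str(itf.network)
                                              for n, itf in ifaces.items()
                                              if n not in on),
        }
    return report


if __name__ == "__main__":
    for asn, row in audit(CONFIG).items():
        print(asn, row)
```

AS 3 has no passive-interface lines in the sample, so Vlan3 is reported as an interface on which that process would accept a neighbour.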
  7. rsoft

    rsoft Guest

    Hi All,

    Thanks for the tips. I will investigate on Monday when I'm back at the
    customer's site. The passive interfaces for EIGRP look like something
    which might solve my question. I've also read a bit more about setting
    stub routers which (I think) will eliminate routes from location 3
    through 4 to 1.

    About routing instead of VLAN trunking. I'm worried that if I would
    trunk, I would create a large broadcast domain. For now the number of
    locations isn't big, but it might get big in the future and I would
    like to anticipate for that (> 200 locations)

    I will investigate VRF-lite.

    The load-balancing is a "nice-to-have", so if it's not completely
    balanced, then I'm not fussed. It's more important to have the
    redundancy of two WAN's than that we get to use double the bandwidth.
    My guess is that there are enough devices to load-balance, but then
    again, the proof is in the pudding...

    Again thanks for all the tips, I'll post back with the solution (or
    another question).

    Marc Rietman
    rsoft, May 2, 2009
    #7
  8. rsoft

    bpechtim

    Nice topic.
    What about in this case?
    Does passive-interface vlan cmd for router eigrp still advertise traffic if the other link drops?

    Example Below: All three running eigrp. The router sees both switches as equal metric. Switch A is primary Vlan running hsrp with Switch B. I don't want traffic from Switch B to advertise traffic to Router in steady state, only when Switch A is down. Unfortunately, right now, traffic is going to both Switch A and B as they are equal metrics (I have no passive cmds yet). If I place a passive-int vlan cmd on eigrp at Switch B, will the traffic still pass to Switch B if Switch A goes down?

    [Layer3 Switch A] -----link---------\
    hsrp btwn switches...............[Router]----> to WAN
    [Layer3 Switch B] -----link---------/
    (passive int vlan on B)
    bpechtim, Oct 19, 2009
    #8