Question on passing MAC addresses over switched metro ethernet

Discussion in 'Cisco' started by pfisterfarm, Dec 14, 2011.

  1. pfisterfarm

    pfisterfarm Guest

    I've got a situation where several remote sites are connected to a
    central location using AT&T's Customized Switched Metro Ethernet
    (CSME). The core switches at each location are Cisco 4500 series
    units.

    The problem is this... each remote site has a server assigned to it,
    which is being implemented as a virtual machine at the central
    location in the vlan belonging to the remote site's core network. The
    AT&T network learns the MAC addresses from each remote site, and the
    switch at the central location learns them from AT&T. This is working
    fine, but AT&T has to learn every MAC address from all the remote
    sites. This means we need to make sure they're allowing sufficient
    addresses to cover all the sites, plus they charge according to how
    many they're allowing through.

    I'm trying to research alternatives. Is there any way to pass the MAC
    addresses from the remote site to the switches connecting the VMware
    servers (6 servers between 2 physical switches) without special setup
    on AT&T's part? If it will require additional hardware, that's fine,
    just need to look at all the options.
     
    pfisterfarm, Dec 14, 2011
    #1

  2. Rob

    Rob Guest

    pfisterfarm <> wrote:
    > I've got a situation where several remote sites are connected to a
    > central location using AT&T's Customized Switched Metro Ethernet
    > (CSME). The core switches at each location are Cisco 4500 series
    > units.
    >
    > The problem is this... each remote site has a server assigned to it,
    > which is being implemented as a virtual machine at the central
    > location in the vlan belonging to the remote site's core network. The
    > AT&T network learns the MAC addresses from each remote site, and the
    > switch at the central location learns them from AT&T. This is working
    > fine, but AT&T has to learn every MAC address from all the remote
    > sites. This means we need to make sure they're allowing sufficient
    > addresses to cover all the sites, plus they charge according to how
    > many they're allowing through.
    >
    > I'm trying to research alternatives. Is there any way to pass the MAC
    > addresses from the remote site to the switches connecting the VMware
    > servers (6 servers between 2 physical switches) without special setup
    > on AT&T's part? If it will require additional hardware, that's fine,
    > just need to look at all the options.


    In a situation like that, we created an extra VLAN just for the links
    and used IP routing to route the traffic over that VLAN to the remote
    sites. Each link sees only the MAC addresses of the switches at each
    end.

    When you don't want IP routing you can of course use MAC-in-MAC tunneling.
     
    Rob, Dec 14, 2011
    #2

  3. pfisterfarm

    pfisterfarm Guest

    > When you don't want IP routing you can of course use MAC-in-MAC tunneling.

    Is this something the service provider needs to make happen, or can I
    do something on my end?
     
    pfisterfarm, Dec 14, 2011
    #3
  4. Rob

    Rob Guest

    pfisterfarm <> wrote:
    >> When you don't want IP routing you can of course use MAC-in-MAC tunneling.
    >
    > Is this something the service provider needs to make happen, or can I
    > do something on my end?


    I don't know. We use the IP routing, and it can be done with any layer 3
    switch. It cleanly solves the problem.

    Just create an extra VLAN, assign it a small subnet, put two different
    addresses on each end of the link and assign an untagged port for your
    link. Put in routes to route your traffic back and forth and go...
     
    Rob, Dec 14, 2011
    #4
  5. pfisterfarm

    pfisterfarm Guest

    On Dec 14, 3:51 pm, Rob <> wrote:
    > Just create an extra VLAN, assign it a small subnet, put two different
    > addresses on each end of the link and assign an untagged port for your
    > link.  Put in routes to route your traffic back and forth and go...


    Actually, that's the way we've got it set up now. Not many remote
    sites have "ip routing" enabled in their config, but those that do
    still have mac addresses showing up at the central site. Is there some
    way to stop that?
     
    pfisterfarm, Dec 14, 2011
    #5
  6. Rob

    Rob Guest

    pfisterfarm <> wrote:
    > On Dec 14, 3:51 pm, Rob <> wrote:
    >> Just create an extra VLAN, assign it a small subnet, put two different
    >> addresses on each end of the link and assign an untagged port for your
    >> link.  Put in routes to route your traffic back and forth and go...

    >
    > Actually, that's the way we've got it set up now. Not many remote
    > sites have "ip routing" enabled in their config, but those that do
    > still have mac addresses showing up at the central site. Is there some
    > way to stop that?


    Make sure the switchport that is connected to your link is only member
    of the link VLAN, not of the default VLAN you use at the remote site.
     
    Rob, Dec 14, 2011
    #6
  7. pfisterfarm

    pfisterfarm Guest

    On Dec 14, 4:45 pm, Rob <> wrote:
    > pfisterfarm <> wrote:
    > > On Dec 14, 3:51 pm, Rob <> wrote:
    > >> Just create an extra VLAN, assign it a small subnet, put two different
    > >> addresses on each end of the link and assign an untagged port for your
    > >> link.  Put in routes to route your traffic back and forth and go...

    >
    > > Actually, that's the way we've got it set up now. Not many remote
    > > sites have "ip routing" enabled in their config, but those that do
    > > still have mac addresses showing up at the central site. Is there some
    > > way to stop that?

    >
    > Make sure the switchport that is connected to your link is only member
    > of the link VLAN, not of the default VLAN you use at the remote site.


    It's set up as a trunk port.
     
    pfisterfarm, Dec 15, 2011
    #7
  8. Rob

    Rob Guest

    pfisterfarm <> wrote:
    > On Dec 14, 4:45 pm, Rob <> wrote:
    >> pfisterfarm <> wrote:
    >> > On Dec 14, 3:51 pm, Rob <> wrote:
    >> >> Just create an extra VLAN, assign it a small subnet, put two different
    >> >> addresses on each end of the link and assign an untagged port for your
    >> >> link. Put in routes to route your traffic back and forth and go...

    >>
    >> > Actually, that's the way we've got it set up now. Not many remote
    >> > sites have "ip routing" enabled in their config, but those that do
    >> > still have mac addresses showing up at the central site. Is there some
    >> > way to stop that?

    >>
    >> Make sure the switchport that is connected to your link is only member
    >> of the link VLAN, not of the default VLAN you use at the remote site.

    >
    > It's set up as a trunk port.


    That is not a good idea... at least not when this trunk port is also a
    member of the default VLAN.

    What we use is a port that is only a (tagged) member of the link VLAN.
    Untagged could be used as well, but in tagged mode there can be priority
    information with each frame.

    As soon as you remove the port from the default VLAN, you should no longer
    see the MAC addresses of the local devices on the link.
     
    Rob, Dec 15, 2011
    #8
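    As an added illustration of Rob's point above (this is example
    configuration, not anything posted in the thread or supplied by AT&T),
    here is what the provider-facing trunk on a Cisco IOS switch such as the
    4500 looks like "as found" and after it is restricted to the link VLAN.
    The interface name, VLAN 10 as the site's user/server VLAN, VLAN 900 as
    the link VLAN and VLAN 999 as an unused native VLAN are all assumed for
    the example; it also assumes the provider accepts tagged frames for the
    link VLAN on that port.

```cisco
! ---- BEFORE (assumed "as found" state) ----
! A trunk with no allowed-VLAN list carries every VLAN, including the
! site's user/server VLAN 10.  Every host MAC in VLAN 10 is therefore
! flooded to, and learned by, the provider and the central site.
interface GigabitEthernet1/1
 description Uplink to AT&T CSME (as found)
 switchport mode trunk
 ! no "switchport trunk allowed vlan" line  => VLANs 1-4094 allowed
 ! no "switchport trunk native vlan" line   => untagged frames ride VLAN 1

! ---- AFTER: same trunk, link VLAN only ----
! VLAN 999 exists only so that the native VLAN is one no port belongs to;
! untagged traffic from the local site then has nowhere to leak.
vlan 900
 name LINK-TO-CENTRAL
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/1
 description Uplink to AT&T CSME (link VLAN 900 only, tagged)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 900
 switchport nonegotiate
```

    `switchport nonegotiate` turns off DTP toward the provider so the port
    cannot be talked into a different trunking state from the far side. To
    confirm the result, `show interfaces GigabitEthernet1/1 trunk` should
    list only VLAN 900 as allowed and active, and
    `show mac address-table interface GigabitEthernet1/1` should show a single
    entry in VLAN 900: the MAC of the switch at the other end. Any local host
    MAC still appearing there means the site VLAN is still reaching the port.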
  9. pfisterfarm

    pfisterfarm Guest

    > As soon as you remove the port from the default VLAN, you should no longer
    > see the MAC addresses of the local devices on the link.


    So, we need to make it an access port? And this will allow the vlan to
    work at both locations?
     
    pfisterfarm, Dec 15, 2011
    #9
  10. Rob

    Rob Guest

    pfisterfarm <> wrote:
    >> As soon as you remove the port from the default VLAN, you should no longer
    >> see the MAC addresses of the local devices on the link.

    >
    > So, we need to make it an access port? And this will allow the vlan to
    > work at both locations?


    That is what you can do. Make it an access port for the vlan you use
    for the link. Then the traffic will be sent untagged across the link.

    It is possible to use a trunk port (tagged traffic) but you need to be
    sure that the vlan you use for the local devices is not configured on
    that port.

    (I use HP Procurve and 3com switches so my terminology may be a bit
    different than what you see on Cisco switches)

    Of course, your IP addressing plan should be such that this configuration
    is possible. I.e. you have some IP subnet at the locations and another
    IP subnet at the central site where the server is located, so that you
    can configure routing between the server and the site. The default gateway
    configured in the server and the clients is the address of the switch at
    each end (for the default VLAN). Then you need a third subnet, a /30
    at minimum, for the VLAN used for the link between the switches.
     
    Rob, Dec 15, 2011
    #10
  11. pfisterfarm

    pfisterfarm Guest

    > It is possible to use a trunk port (tagged traffic) but you need to be
    > sure that the vlan you use for the local devices is not configured on
    > that port.


    I think I may have a problem then. There's a vlan assigned to the
    4500s on the central side and all remote switches. And then each
    remote site has a vlan which is used for servers and workstations, and
    that's the one we're using on the central end for the virtual servers.
    So, it would have to be a trunk port, wouldn't it?
     
    pfisterfarm, Dec 15, 2011
    #11
  12. Rob

    Rob Guest

    pfisterfarm <> wrote:
    >> It is possible to use a trunk port (tagged traffic) but you need to be
    >> sure that the vlan you use for the local devices is not configured on
    >> that port.

    >
    > I think I may have a problem then. There's a vlan assigned to the
    > 4500s on the central side and all remote switches. And then each
    > remote site has a vlan which is used for servers and workstations, and
    > that's the one we're using on the central end for the virtual servers.
    > So, it would have to be a trunk port, wouldn't it?


    You cannot have the same VLAN on your central site and remote site,
    because then you see all the MAC addresses on the link. The way around
    that is to use routing, not a single VLAN. This will mean your central
    servers are reachable for the remote workstations only via routing, but
    that is not an issue other than that it means reconfiguration and some
    handling of special protocols that require broadcasting.

    (e.g. you must define a DHCP helper in the remote switches that forwards
    DHCP requests over the routed link to the central server, assuming it
    is the DHCP server for your remote workstations)
     
    Rob, Dec 15, 2011
    #12
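    The routed design Rob describes in #4, #10 and #12 (three subnets, an
    access port in the link VLAN, routes in both directions, and a DHCP
    helper) is written out below for one remote site and the central 4500.
    This is an added example, not configuration from the thread or from
    AT&T. Every name and number is assumed: VLAN 10 / 10.1.10.0/24 is the
    remote site's user and server VLAN, VLAN 210 / 10.1.210.0/24 is the VLAN
    at the central site that now holds that site's virtual server (and DHCP
    server, 10.1.210.10), and VLAN 900 / 10.255.0.0/30 is the point-to-point
    link VLAN. It also assumes one physical port per remote site at the
    central end; on a single multipoint hand-off the central port would
    instead be a trunk allowed only the per-site link VLANs.

```cisco
! ================= Remote site switch (assumed Site A) =================
ip routing
!
vlan 10
 name SITEA-USERS
vlan 900
 name LINK-TO-CENTRAL
!
! Local VLAN: the SVI is the default gateway for local hosts.  The helper
! turns DHCP broadcasts into unicast toward the server at the central site,
! which is the "special protocol that requires broadcasting" mentioned above.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.210.10
!
! Link VLAN: a /30, so only the two switch SVIs can ever exist in it.
interface Vlan900
 ip address 10.255.0.1 255.255.255.252
!
! Provider-facing port: an access port in the link VLAN only (untagged).
! VLAN 10 is not configured here, so no local host MAC reaches the provider.
interface GigabitEthernet1/1
 description Uplink to AT&T CSME (link VLAN 900, untagged)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
!
! Everything that is not local goes to the central switch.
ip route 0.0.0.0 0.0.0.0 10.255.0.2

! ================= Central site 4500 (assumed) =========================
ip routing
!
vlan 210
 name SITEA-VMS
vlan 900
 name LINK-TO-SITEA
!
! The virtual server for Site A now lives in its own subnet at the central
! site; its default gateway is this SVI.
interface Vlan210
 ip address 10.1.210.1 255.255.255.0
!
interface Vlan900
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet1/1
 description Link to Site A via AT&T CSME (link VLAN 900, untagged)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
!
! Return route for the remote site's subnet.
ip route 10.1.10.0 255.255.255.0 10.255.0.1
```

    With this in place the provider sees exactly two MAC addresses per
    link, one SVI at each end, regardless of how many hosts the site has.
    The DHCP server at 10.1.210.10 needs a scope for 10.1.10.0/24, because
    the relay fills in 10.1.10.1 as the gateway address of the forwarded
    request and the server picks the scope from that. Check with
    `show ip route` on both switches and
    `show mac address-table interface GigabitEthernet1/1`, which should now
    list only the peer switch's MAC in VLAN 900.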
