VLAN to external router.

Discussion in 'Cisco' started by Gary, Feb 24, 2005.

  1. Gary

    Gary Guest

    An external supplier has a VLAN in place to one of our border routers on a
    dedicated link but needs to be able to see an internal router via the border
    router.

    We have this on our border router side.
    interface FastEthernet4/1.503
    desc Handoff to External Supplier
    encapsulation dot1Q 503
    ip address 10.12.16.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no cdp enable

    ip route 212.15.68.2 255.255.255.255 10.12.16.2

    They are 10.12.16.2 and we can see each other fine.

    We have an internal router on 212.15.68.4/24 which they need to be able to
    see.

    Our border router config is below for the inside facing interface
    interface FastEthernet0/0.504
    encapsulation dot1Q 504
    ip address 212.15.68.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no cdp enable

    The internal router has
    interface FastEthernet0/1.504
    encapsulation dot1Q 504
    ip address 212.15.68.4 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no cdp enable
    !
    ip route 212.15.68.2 255.255.255.255 FastEthernet0/1.504

    Now. The external supplier needs to be able to see the internal router at
    212.15.68.4, and if they ping it our internal router sees the pings, but
    nothing arrives back at the supplier.


    What can ping what?
    10.12.16.1 can ping 10.12.16.2 both ways
    212.15.68.4 can ping 212.15.68.1 both ways
    212.15.68.2 can ping 212.15.68.1 both ways

    PROBLEM:
    212.15.68.2 CANNOT ping 212.15.68.4 even though 212.15.68.4 does see the
    pings from 212.15.68.2 but for some reason the pings never get back?

    Gary
     
    Gary, Feb 24, 2005
    #1

  2. Gary

    Kevin Widner Guest

    Unless you are doing some sort of tunneling, this is really a poor
    design. The customer should not use an IP address that is in the same
    subnet as your internal network. This is a much higher level design
    issue than what I will tackle here, but what the problem will boil down
    to for you here is this. The reason it doesn't work is because your
    border router has an interface on the 212.15.68/24 subnet, so a
    "connect" route is populated in its routing table, you are trying to
    put a static route in your border router telling it that one address
    in that subnet should be routed out a different interface. That route
    is being ignored. Why? Because a connected interface has an
    administrative distance of 0 and a static route has an administrative
    distance of 1. The "connect" wins.

     
    Kevin Widner, Feb 24, 2005
    #2

  3. Gary

    Gary Guest

    "Kevin Widner" <> wrote in message
    news:...
    > Unless you are doing some sort of tunneling, this is really a poor
    > design. The customer should not use an IP address that is in the same
    > subnet as your internal network. This is a much higher level design
    > issue than what I will tackle here, but what the problem will boil down
    > to for you here is this. The reason it doesn't work is because your
    > border router has an interface on the 212.15.68/24 subnet, so a
    > "connect" route is populated in its routing table, you are trying to
    > put a static route in your border router telling it that one address
    > in that subnet should be routed out a different interface. That route
    > is being ignored. Why? Because a connected interface has an
    > administrative distance of 0 and a static route has an administrative
    > distance of 1. The "connect" wins.



    Does not sound exactly true.

    Our border router sees.
    show ip route 212.15.68.2
    Routing entry for 212.15.68.2/32
    Known via "static", distance 1, metric 0
    Redistributing via eigrp 1
    Advertised by eigrp 1
    Routing Descriptor Blocks:
    * 10.12.16.2
    Route metric is 0, traffic share count is 1

    The link to the external supplier runs across 10.12.16.0/24
    The link to our internal router runs across 212.15.68.0/24

    The external supplier has 212.15.68.2 and 10.12.16.2 on their side and we
    have 212.15.68.1 and 10.12.16.1 on our border router.

    Does your explanation still apply?

    Gary
     
    Gary, Feb 25, 2005
    #3
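
Added example (not written by any poster in this thread): a simplified model of how a router picks a route for 212.15.68.2, with the longest matching prefix chosen first and administrative distance used only between routes to the same prefix. The two route tables are constructed from the configurations quoted above; `Route`, `lookup` and `resolves_on_link` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str    # destination network
    source: str    # "connected" or "static"
    distance: int  # administrative distance
    via: str       # next-hop IP, or an interface name for on-link routes

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)

# Constructed from the configuration quoted in the thread.
BORDER = [
    Route("10.12.16.0/24", "connected", 0, "FastEthernet4/1.503"),
    Route("212.15.68.0/24", "connected", 0, "FastEthernet0/0.504"),
    Route("212.15.68.2/32", "static", 1, "10.12.16.2"),
]
INTERNAL = [
    Route("212.15.68.0/24", "connected", 0, "FastEthernet0/1.504"),
    Route("212.15.68.2/32", "static", 1, "FastEthernet0/1.504"),
]

def lookup(table, dst):
    """Longest prefix first; distance only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.net]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.net.prefixlen, r.distance))

def resolves_on_link(route):
    """True when the route names an interface, so the router must ARP for
    the destination itself on that segment instead of using a next hop."""
    try:
        ipaddress.ip_address(route.via)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for name, table in (("border", BORDER), ("internal", INTERNAL)):
        r = lookup(table, "212.15.68.2")
        how = "ARP on " + r.via if resolves_on_link(r) else "next hop " + r.via
        print(f"{name}: {r.prefix} [{r.source}/{r.distance}] -> {how}")
```

On the internal router the selected route names only an interface, so an ARP request for 212.15.68.2 on VLAN 504 would have to be answered by the border router, whose subinterface is configured with `no ip proxy-arp`.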
  4. Gary

    Gary Guest

    "Gary" <> wrote in message
    news:n7uTd.23125$%U2.10257@lakeread01...
    >
    >
    > Does not sound exactly true.
    >
    > Our border router sees.
    > show ip route 212.15.68.2
    > Routing entry for 212.15.68.2/32
    > Known via "static", distance 1, metric 0
    > Redistributing via eigrp 1
    > Advertised by eigrp 1
    > Routing Descriptor Blocks:
    > * 10.12.16.2
    > Route metric is 0, traffic share count is 1
    >
    > The link to the external supplier runs across 10.12.16.0/24
    > The link to our internal router runs across 212.15.68.0/24
    >
    > The external supplier has 212.15.68.2 and 10.12.16.2 on their side and we
    > have 212.15.68.1 and 10.12.16.1 on our border router.
    >
    > Does your explanation still apply?
    >
    > Gary
    >
    >
    >


    Are you suggesting we use a tunnel - Is that the *right* solution?
     
    Gary, Feb 25, 2005
    #4
  5. Gary

    Kevin Widner Guest

    Maybe the better solution would be to just use a different IP address
    on the router that is at your external supplier's site. Why do you want
    that router on the same segment as your internal routers? Just setup an
    IP address that isn't in that same subnet and let the router actually
    do "routing". I'm just trying to determine the reason why you chose to
    address an interface on a distant router not directly attached to your
    internal segment with a local subnet address. Not attacking you, just
    trying to understand your goal.


    Are you suggesting we use a tunnel - Is that the *right* solution?
     
    Kevin Widner, Feb 28, 2005
    #5
  6. Gary

    Gary Guest

    "Kevin Widner" <> wrote in message
    news:...
    > Maybe the better solution would be to just use a different IP address
    > on the router that is at your external supplier's site. Why do you want
    > that router on the same segment as your internal routers? Just setup an
    > IP address that isn't in that same subnet and let the router actually
    > do "routing". I'm just trying to determine the reason why you chose to
    > address an interface on a distant router not directly attached to your
    > internal segment with a local subnet address. Not attacking you, just
    > trying to understand your goal.
    >
    >
    > Are you suggesting we use a tunnel - Is that the *right* solution?
    >

    Actually that is where we are now.

    The VLAN to the external supplier is 10.12.16.1 on our border router and
    10.12.16.2 on their router.

    The VLAN from our border router to our internal router is 212.15.68.1 on the
    border router to 212.15.68.4 and 10.12.16.4 on internal router.

    The odd thing now is that our internal router can ping 10.12.16.2 [the
    external supplier] but they cannot ping 10.12.16.4 or 212.15.68.4?

    Everything else pings fine.

    Gary
     
    Gary, Mar 1, 2005
    #6
