Question on passing MAC addresses over switched metro ethernet

Discussion in 'Cisco' started by pfisterfarm, Dec 14, 2011.

  1. pfisterfarm

    pfisterfarm Guest

    I've got a situation where several remote sites are connected to a
    central location using AT&T's Customized Switched Metro Ethernet
    (CSME). The core switches at each location are Cisco 4500 series

    The problem is this... each remote site has a server assigned to it,
    which is being implemented as a virtual machine at the central
    location in the vlan belonging to the remote site's core network. The
    AT&T network learns the MAC addresses from each remote site, and the
    switch at the central location learns them from AT&T. This is working
    fine, but AT&T has to learn every MAC address from all the remote
    sites. This means we need to make sure they're allowing sufficient
    addresses to cover all the sites, plus they charge according to how
    many they're allowing through.

    I'm trying to research alternatives. Is there any way to pass the MAC
    addresses from the remote site to the switches connecting the VMware
    servers (6 servers between 2 physical switches) without special setup
    on AT&T's part? If it will require additional hardware, that's fine,
    just need to look at all the options.
    pfisterfarm, Dec 14, 2011

  2. pfisterfarm

    Rob Guest

    In a situation like that, we created an extra VLAN just for the links
    and used IP routing to route the traffic over that VLAN to the remote
    sites. Each link sees only the MAC addresses of the switches at each

    When you don't want IP routing you can of course use MAC-in-MAC tunneling.
    Rob, Dec 14, 2011

  3. pfisterfarm

    pfisterfarm Guest

    > When you don't want IP routing you can of course use MAC-in-MAC tunneling.

    Is this something the service provider needs to make happen, or can I
    do something on my end?
    pfisterfarm, Dec 14, 2011
  4. pfisterfarm

    Rob Guest

    I don't know. We use the IP routing, and it can be done with any layer 3
    switch. It cleanly solves the problem.

    Just create an extra VLAN, assign it a small subnet, put two different
    addresses on each end of the link and assign an untagged port for your
    link. Put in routes to route your traffic back and forth and go...
    Rob, Dec 14, 2011
  5. pfisterfarm

    pfisterfarm Guest

    Actually, that's the way we've got it set up now. Not many remote
    sites have "ip routing" enabled in their config, but those that do
    still have MAC addresses showing up at the central site. Is there some
    way to stop that?
    pfisterfarm, Dec 14, 2011
  6. pfisterfarm

    Rob Guest

    Make sure the switchport that is connected to your link is only a member
    of the link VLAN, not of the default VLAN you use at the remote site.
    Rob, Dec 14, 2011
  7. pfisterfarm

    pfisterfarm Guest

    It's set up as a trunk port
    pfisterfarm, Dec 15, 2011
  8. pfisterfarm

    Rob Guest

    That is not a good idea... at least not when this trunk port is also a
    member of the default VLAN.

    What we use is a port that is only a (tagged) member of the link VLAN.
    Untagged could be used as well, but in tagged mode there can be priority
    information with each frame.

    As soon as you remove the port from the default VLAN, you should no longer
    see the MAC addresses of the local devices on the link.
    Rob, Dec 15, 2011
  9. pfisterfarm

    pfisterfarm Guest

    > As soon as you remove the port from the default VLAN, you should no longer
    So, we need to make it an access port? And this will allow the vlan to
    work at both locations?
    pfisterfarm, Dec 15, 2011
  10. pfisterfarm

    Rob Guest

    That is what you can do. Make it an access port for the vlan you use
    for the link. Then the traffic will be sent untagged across the link.

    It is possible to use a trunk port (tagged traffic) but you need to be
    sure that the vlan you use for the local devices is not configured on
    that port.

    (I use HP Procurve and 3com switches so my terminology may be a bit
    different than what you see on Cisco switches)

    Of course, your IP addressing plan should be such that this configuration
    is possible. I.e. you have some IP subnet at the locations and another
    IP subnet at the central site where the server is located, so that you
    can configure routing between the server and the site. The default gateway
    configured in the server and the clients is the address of the switch at
    each end (for the default VLAN). Then you need a third subnet, a /30
    at minimum, for the VLAN used for the link between the switches.
    Rob, Dec 15, 2011
  11. pfisterfarm

    pfisterfarm Guest

    > It is possible to use a trunk port (tagged traffic) but you need to be
    I think I may have a problem then. There's a vlan assigned to the
    4500s on the central side and all remote switches. And then each
    remote site has a vlan which is used for servers and workstations, and
    that's the one we're using on the central end for the virtual servers.
    So, it would have to be a trunk port, wouldn't it?
    pfisterfarm, Dec 15, 2011
  12. pfisterfarm

    Rob Guest

    You cannot have the same VLAN on your central site and remote site,
    because then you see all the MAC addresses on the link. The way around
    that is to use routing, not a single VLAN. This will mean your central
    servers are reachable for the remote workstations only via routing, but
    that is not an issue other than that it means reconfiguration and some
    handling of special protocols that require broadcasting.

    (e.g. you must define a DHCP helper in the remote switches that forwards
    DHCP requests over the routed link to the central server, assuming it
    is the DHCP server for your remote workstations)
    Rob, Dec 15, 2011
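
The routed-link design described in the replies above, sketched in Cisco IOS syntax as an added example that is not from any participant in this thread. All VLAN numbers, interface names, and IP addresses are assumptions constructed for illustration (VLAN 20 for the remote site's devices, VLAN 10 for the central servers, VLAN 900 with a /30 for the link).

```cisco
! ===== Remote-site core switch (all values constructed for illustration) =====
ip routing
!
vlan 900
 name WAN-LINK
!
interface Vlan20
 description Default gateway for local servers and workstations
 ip address 10.20.0.1 255.255.255.0
 ! Relay DHCP broadcasts to the central DHCP server over the routed link
 ip helper-address 10.1.0.10
!
interface Vlan900
 description Routed link to central site (/30)
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet1/1
 description Uplink to provider
 switchport mode trunk
 ! Only the link VLAN is carried; the site VLAN (20) never reaches the provider
 switchport trunk allowed vlan 900
!
ip route 10.1.0.0 255.255.255.0 10.255.0.1
!
! ===== Central-site core switch =====
ip routing
!
vlan 900
 name WAN-LINK
!
interface Vlan10
 description Default gateway for the central (virtual) servers
 ip address 10.1.0.1 255.255.255.0
!
interface Vlan900
 description Routed link to remote site (/30)
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet1/1
 description Uplink to provider
 switchport mode trunk
 switchport trunk allowed vlan 900
!
ip route 10.20.0.0 255.255.255.0 10.255.0.2
```

With this in place, `show mac address-table interface GigabitEthernet1/1` on the central switch should list only the remote switch's own MAC address in VLAN 900, rather than the MAC addresses of the remote workstations.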