
First off, I'm a vlan-virgin.

We have two offices (OfficeA & OfficeB) and we have two core switches (Cisco 45XXs) in each office (OfficeA-CSW & OfficeB-CSW). In OfficeB we also have a Cisco 35XX switch.

Our provider has provided us with an MPLS link to connect both offices and informed us that the VPN assigned to it is 777.

In OfficeA, it's connected directly to a port on the OfficeA-CSW, while in OfficeB it's connected to the 35XX switch (it has to pass through this switch).

What I want to achieve is to connect the link in OfficeB to OfficeB-CSW by running a cable from a port on the 35XX switch to a port on the OfficeB-CSW. Normally this should just work, but given the VLAN setting provided by the provider, how should I set up the ports in both offices (VLAN-wise)? Which one should I designate as a trunk so the link works and traffic flows on both sides of the link? Do I need to set a separate IP block for the link?

Thanks in advance! -georgette

  • You're probably in over your head. I'd be asking your MPLS provider if they have a networking specialist that you can hire for a day to get this working for you. – Mark Henderson Apr 16 '15 at 06:29

1 Answer


This is just one way to do this: you'll need to use the L3 capabilities of those switches to route between the sites.

  1. Move the MPLS onto the 4500-series switches. The 3500 is a L2 only switch and can't route.

  2. Assign IP addresses in a /31 to each switch on VLAN777 at both ends (e.g. 10.55.7.0/31 and 10.55.7.1/31)

    a. You'll do this by creating a new 802.1Q VLAN with ID 777 and assigning it as a trunk to the port that the MPLS comes in on (on both switches)

    b. Assign the IP addresses to the switch's interface on those 802.1Q VLANs (on both switches)

  3. I'm guessing you are not using a dynamic routing protocol, so on the devices on either end of the MPLS VPN you will need to add a static route to tell the switches (which are actually acting as routers in this scenario) to route traffic for each of the destination networks to the IP address on the far side of the link, e.g. 10.1.0.0/24 -> 10.55.7.1 and, on the other side, 10.2.0.0/24 -> 10.55.7.0.

  4. On your default gateway on each side of the network, if this is not already your switches, then you will need to add a static route to point the traffic for the other network to the switch's IP address.
  5. If you have firewalls inside the network, then your configuration is going to differ, because when your default gateway and your VPN gateway are on the same subnet as your end user, you're going to end up with asymmetrical routing.

E.g., the traffic might flow from 10.1.0.75 to 10.2.0.66 as

10.1.0.75 -> 10.1.0.1 -> 10.1.0.2 -> 10.55.7.1 -> 10.2.0.66

Which is Client -> Default Gateway -> MPLS Gateway -> Other end of MPLS link -> remote site

But the packets back will go:

10.2.0.66 -> 10.2.0.1 -> 10.2.0.2 -> 10.55.7.0 -> 10.1.0.75

Which bypasses 10.1.0.1 on the way back. So if there's a firewall in there, it probably won't recognise that stream and will drop the connection.

But if you are using the Catalysts as your default gateways for your local network, then your setup will be a bit simpler.

Mark Henderson
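As an added illustration (not from the answer above or from Cisco's documentation), this is the IOS configuration that steps 1 to 3 describe, for both Catalyst 4500s and the Layer 2 35XX that the OfficeB hand-off passes through. Interface names, the VLAN name and the LAN subnets 10.1.0.0/24 and 10.2.0.0/24 are assumptions taken from the answer's example; it also assumes the IOS release accepts a 31-bit mask on an SVI (otherwise use a /30) and a platform that still accepts `switchport trunk encapsulation dot1q` (drop that line where only 802.1Q is supported).

```cisco
! --- OfficeA-CSW (Catalyst 4500): terminates the MPLS VLAN and routes for its site ---
ip routing
vlan 777
 name MPLS-OfficeA-OfficeB
! Provider hand-off port: 802.1Q trunk carrying only VLAN 777, DTP disabled toward the carrier
interface GigabitEthernet1/1
 description MPLS hand-off from provider (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 777
 switchport nonegotiate
! Layer-3 interface on VLAN 777: OfficeA end of the /31 point-to-point link
interface Vlan777
 description P2P to OfficeB-CSW over MPLS
 ip address 10.55.7.0 255.255.255.254
 no shutdown
! Static route: OfficeB's LAN (assumed 10.2.0.0/24) is reached via the far end of the link
ip route 10.2.0.0 255.255.255.0 10.55.7.1
!
! --- OfficeB 35XX (Layer 2 only): just carries VLAN 777 from the provider port to the core ---
vlan 777
interface FastEthernet0/1
 description MPLS hand-off from provider (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 777
 switchport nonegotiate
interface FastEthernet0/24
 description Uplink to OfficeB-CSW (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 777
!
! --- OfficeB-CSW (Catalyst 4500): mirror of OfficeA with the other /31 address ---
ip routing
vlan 777
 name MPLS-OfficeA-OfficeB
interface GigabitEthernet1/1
 description Trunk from 35XX carrying MPLS VLAN 777 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 777
interface Vlan777
 description P2P to OfficeA-CSW over MPLS
 ip address 10.55.7.1 255.255.255.254
 no shutdown
! Static route: OfficeA's LAN (assumed 10.1.0.0/24) is reached via the far end of the link
ip route 10.1.0.0 255.255.255.0 10.55.7.0
```

Restricting each trunk to VLAN 777 and disabling DTP keeps the carrier-facing ports from ever carrying the office VLANs; `show interfaces trunk` and `show ip route` on each 4500 confirm the trunk is up with only 777 allowed and that the static route points at the far /31 address.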