Comware

 Hello,

We are trying to use VLAN through a VPN IP MPLS.

Not successful.

According to our ISP that manages the MPLS, they don't have to modify anything on their Routers (Edge Router and MPLS Router).

At the Remote office, a PC on VLAN1 (10.3.34.x) can access data on servers (at the Head Office) and can go to internet.

At the Remote office, a PC on VLAN2 (192.168.2.x) cannot go to internet (even if Firewall rules are ok).

At the Remote office, a phone DECT IP on VLAN10 (192.168.10.x) cannot access the PABX on the same VLAN at the Head Office.

Please take a quick look to the Visio jpg as it will be easily understandable thanks to colors.

Do I need to modify the routing on the Edge Switch at the Branch Office?

Here's the configuration for the 3 HP switches that I manage.

On the Edge Switch at the Branch Office (10.3.34.2):

interface GigabitEthernet1/0/23
 description Connect To ISP Edge Router
 port link-type trunk
 port trunk permit vlan 1 to 2 10
 poe enable

#
 ip route-static 0.0.0.0 0.0.0.0 10.3.34.1

no other routes defined.

On the Distribution Switch at the Head Office:

interface GigabitEthernet3/0/32
 port link-mode bridge
 description To ISP MPLS Router
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 7 10
 port trunk pvid vlan 7
 speed 100
 duplex full
 broadcast-suppression pps 3000

#
 ip route-static 0.0.0.0 0.0.0.0 192.168.1.1

On the Core switch at the Head Office:

interface Bridge-Aggregation1
 description Agg to Distribution Switch
 port link-type hybrid
 port hybrid vlan 2 7 10 tagged
 port hybrid vlan 1 untagged
 link-aggregation mode dynamic
#

interface Ten-GigabitEthernet1/0/25
 port link-mode bridge
 description To Distribution Switch (Agg. Member)
 port link-type hybrid
 port hybrid vlan 2 5 710 tagged
 port hybrid vlan 1 untagged
 broadcast-suppression pps 3000
 port link-aggregation group 1
#

interface Ten-GigabitEthernet3/0/25
 port link-mode bridge
 description To Distribution Switch (Agg. Member)
 port link-type hybrid
 port hybrid vlan 2 5 710 tagged
 port hybrid vlan 1 untagged
 broadcast-suppression pps 3000
 port link-aggregation group 1

 #
 ip route-static 0.0.0.0 0.0.0.0 192.168.3.4
 ip route-static 192.168.2.0 255.255.255.0 192.168.3.4
 ip route-static 10.3.34.0 255.255.255.0 10.4.1.10

Thanks a lot for any advice.

Yann

1/ Your VLAN1 hosts are being routed to the rest of the network by the local branch office router.

2/ Based on your picture showing VLAN2, your Branch Office hosts on this subnet should be reaching the firewall on the HQ site by Layer2. If they can't reach the FW, I would suspect an interface VLAN configuration issue somewhere is at fault.

Troubleshoot it:

   (a)   Put 192.168.2.2 on the VLAN2 interface on the 5800. Does your firewall do LLDP? If so, check adjacency. Then use this interface to Ping 192.168.2.1. 

   (b)   Once a. succeeds, remove the IP address from the 5800 VLAN2 interface.
   Create an Access port in VLAN2 on the 5800, patch a host to that switchport and give it 192.168.2.2. From that host, ping 192.168.2.1.

   (c)   Once b. succeeds, repeat the same thing on the 5500. Ensure VLAN2 has been created on the 5500.

   (d)   Once c. succeeds, repeat the same thing on the 5120. 

3/ Repeat the same process with VLAN10. Assuming your WAN provider knows what they are doing, I suspect you will find either you've forgotten the create the VLANs on an intermediate switch, or you've stuffed up one of the trunks.

Thanks for the reply.

Actually the PC Office connected to the 5120

interface GigabitEthernet1/0/11
 poe enable
#

can ping the Firewall (192.168.2.1) = successful

but the PC BYOD connected to the 5120

interface GigabitEthernet1/0/24
 port access vlan 2
#

canNOT ping the same Firewall (192.168.2.1) = unsuccessful

PC Office can also access data on Server (it is the default VLAN 1 in both cases although VLAN 1 is not propagated explicitely through the VPN connection).

2 questions:

- is this possible to have the same address range in use in the Branch Office and in the HQ?

don't I need to have 2 different network subnets to communicate through a VPN?

- it seems possible to have 2 subnets in the same VLAN:

ip-subnet-vlan [ index ] ip ip-address { net-mask | net-mask-length }

anybody uses it? and could it be useful in my case?

Meaning for VLAN 10:

in the HQ: 192.168.10.x/24

in the Branch Office: 192.168.100.x/24

Yes the Branch office PC on VLAN1 has a local default gateway so it connects to the rest of the network via Layer3.

The Head Office VLAN1 is a different VLAN to the Branch Office VLAN1, with a different subnet. Using the same VLAN ID on seperate VLANs in a network is fine so long as they are on different subnets.

You don't need multiple subnets on each VLAN.

The host on VLAN2 needs to reach its default gateway via Layer2 over the WAN. This is why you need to investigate the VLAN trunking of VLAN2.

Good diagram by the way - properly informational.

hi Mairie

I dunno if you pasted the exact configuration, but om your BAGG interfaces you have written

"port hybrid vlan 2 5 710 tagged"

I assume you need a space in there in "710".

That however doesn't explain problems with vlan 2.

Regards

Hi,

Just looking at the original request it looks like you want to extend VLAN10 all the way from the Head Office out to the Branch? Does it really need Layer 2 adjacency, can you not just add a DHCP option in order for the phones to find the controller and auto-magically start working?

If you do need a single logical VOIP network you'll need to apply a "L2-psuedowire" Xconnect configuration to your Cisco Routers (rather than do anything specific with the HPN kit) as you need a way of encapsulating that L2 network tunnelled over the intervening routed network that your VPN runs over. Be warned that the xconnect feature was in a rather expensive upgrade license feature set (Data & Security license?) last time I did this on some 3900 routers to bodge some cross-site L2 for firewall HA. If the Routers are part of your managed service you'll need to have a conversation with your service provider.

Do some googling and look for things like "poor man's VPLS".

You could do something similar on the HPN kit if you had a bigger switch at the branch end. Unfortunately the 5120 doesn't have enough grunt. You might be able to do something interesting with MSR and even VSR routers for less expense that the Cisco license - have a word with your local friendly HP or Partner Presales techie.

Hope that helps

Ian

You can see what they are trying to do: they want VLAN2 segmented from other VLANs all the way back to the Main Site's firewall.
It seems they are trying to do something similar with VLAN10 in relation to the Branch Site only.

I took it from the original request that seeing as there were multiple VLANs trunked to the ISP router, the MPLS provider must be providing VPLS.  As he says he's spoken to his provider about this, you would *hope* they would set him straight if he had misunderstood the service.

---

@Vince-Whirlwind wrote:

You can see what they are trying to do: they want VLAN2 segmented from other VLANs all the way back to the Main Site's firewall.
It seems they are trying to do something similar with VLAN10 in relation to the Branch Site only.

 

I took it from the original request that seeing as there were multiple VLANs trunked to the ISP router, the MPLS provider must be providing VPLS.  As he says he's spoken to his provider about this, you would *hope* they would set him straight if he had misunderstood the service.

---

Actually, I tested on Friday and something's wrong with the VLAN2, my provider has to modify its configuration:

ping is possible from the 5120 at the Branch Office to the Firewall

ping is impossible from a PC on the VLAN2 connected to the 5120 at the Branch Office to the Firewall

I'm waiting for them to recontact me.

If you ping from the 5120 switch itself you are only testing VLAN1, which is the subnet the switch IP is in, and which you already know is working.

Just to be clear - is the ISP router configured to trunk multiple VLANs from you?

---

@Vince-Whirlwind wrote:

If you ping from the 5120 switch itself you are only testing VLAN1, which is the subnet the switch IP is in, and which you already know is working.

 

Just to be clear - is the ISP router configured to trunk multiple VLANs from you?

---

I spoke with a 3rd IT engineer of my ISP; one who actually understood what I was trying to do. Unfortunately, they don't support Layer2, only Layer3. So my VLAN cannot be extended from the HQ to the Branch Office.

I'll have to do routing at the Core with ACLs to prevent the PC BYOD (originally on VLAN2 at the Branch Office) to access services other than web access.

I'd like to thank everybody who contributed to this post and make me ask the good questions.

---

@Ian Vaughan wrote:

Hi,

Just looking at the original request it looks like you want to extend VLAN10 all the way from the Head Office out to the Branch? Does it really need Layer 2 adjacency, can you not just add a DHCP option in order for the phones to find the controller and auto-magically start working?

[...]

Hope that helps

Ian

---

Hello Ian,

This is exactly what I wanted to do. I have hoped it would work easily but this is not the case.

I think I will follow your advice on this DHCP option. I'll test it.

Thanks.

---

@sdide wrote:

hi Mairie

 

I dunno if you pasted the exact configuration, but om your BAGG interfaces you have written

 

"port hybrid vlan 2 5 710 tagged"

 

I assume you need a space in there in "710".

 

That however doesn't explain problems with vlan 2.

 

Regards

---

Hello,

You're right, it was a bad copy and paste as I slightly simplified the architecture.

Thanks