HPE Community
Switches, Hubs, and Modems
1752276 Members
5244 Online
108786 Solutions
New Discussion юеВ

Re: Procurve 7102DL VLAN

 
William E Howard
Regular Advisor

тАО03-13-2009 01:44 PM

тАО03-13-2009 01:44 PM

Procurve 7102DL VLAN

My company has a new internet T1 provider that has a technology they call Integrated LAN. Basically, any packet destined for the internet is supposed to be VLAN tagged with that specific VLAN tag. Anything that does not have that VLAN tag gets routed thru their backbone to our sister location, also using the same process.

We are using the 7102DL WAN routers, but the issue I'm running into is the selective VLAN tagging. I can create Virtual Interfaces, one with and one without a VLAN tag, but I havn't figured out how to:

a) Have 2 interfaces on the same subnet. With 2 virtual interfaces, should be 2 external IP's, but it blocks me from adding the second one, saying they are on the same subnet.

b) How to tell it to use which ethernet port. For the Integrated LAN, it shouldn't be hard, simply an IP route, but it won't let me select the interface to use. Since I am using Ethernet, instead of a T1 card, I can't use a PPP interface (or can I?). Once I get that selected, I have no found a route entry for 'everything that is not route a' to force it onto the VLAN tagged interface.

I'm beginning to suspect I'm going about this the wrong way, and should only have one interface, but I havn't found any rules about 'if not bound for this subnet, force all packets tagged' or anything even close to this kind of rule creation possibility. Since it is based on destination as to whether it gets VLAN tagged instead of source, its hard to deal with.
0 Kudos
10 REPLIES 10
William E Howard
Regular Advisor

тАО03-13-2009 02:13 PM

тАО03-13-2009 02:13 PM

Re: Procurve 7102DL VLAN

Ok, it looks like I can use a PPP Interface, at least that is how it look in the Basic Management config, and it presents Eth as an option, but whenever I do:
bind 1 eth 0/1.1 ppp 1 it comes back with a ^ under 0/1.1 saying Invalid Input.

If I /can/ get this working, should I simply then have to use Policy based routing to make it choose which PPP I want based on the source and destination? Simply make sure traffic to my second site is the first policy checked, then all other traffic goes to the other policy (which routes to the internet)?

I am still unable to figure out, though, how to have 2 virtual interfaces on the same subnet, unless I shouldn't be putting an IP on the 2nd virtual interface, if that is possible.
0 Kudos
Olaf Borowski
Respected Contributor

тАО03-18-2009 03:38 PM

тАО03-18-2009 03:38 PM

Re: Procurve 7102DL VLAN

William,

When you enable subinterfaces on the router, all interfaces will be tagged. You cannot select one being tagged and the other one untagged.

Example:

interface eth 0/1
encapsulation 802.1q
interface eth 0/1.1
ip address 1.1.1.1 /24
vlan-id 1
interface eth 0/1.2
ip address 2.1.1.1 /24
vlan-id 2


With this, you would have VLAN 1 and 2 tagged on ethernet 0/1. If you don't specify a "vlan-id", it is 0 but still tagged.

One way of solving this is adding another switch which supports having tagged and untagged VLANs on the same physical port. Most of the ProCurve managed switches can do this.
You would now tagged VLAN 1 and VLAN 2 on the ethernet 0/1 interface and connect this to a switch. The switch has VLAN 1 and 2 configured on port 1 for example (tagged). You would then take another port on the switch and connect it to your service provider and configure this port to be tagged on VLAN 2 and untagged VLAN 1. The switch allows you to have one untagged VLAN and multiple tagged VLANs on a port.

Hope this helps,

Olaf
0 Kudos
William E Howard
Regular Advisor

тАО03-19-2009 11:15 AM

тАО03-19-2009 11:15 AM

Re: Procurve 7102DL VLAN

Olaf,

Thanks for the information. I still can't figure out how to have two ports on the same subnet though. I need two external ports, but it refuses to let me add the second IP if they're on the same subnet.
0 Kudos
Olaf Borowski
Respected Contributor

тАО03-19-2009 04:30 PM

тАО03-19-2009 04:30 PM

Re: Procurve 7102DL VLAN

William,

That is against all rules. On a router, you cannot have two interfaces with IP addresses on the same subnet. I don't think anyone can do this (and if they do, they violate RFCs). I wouldn't mind a drawing of what you are trying to accomplish.

Olaf

0 Kudos
William E Howard
Regular Advisor

тАО03-20-2009 08:29 AM

тАО03-20-2009 08:29 AM

Re: Procurve 7102DL VLAN

Olaf,

What I am trying to do is setup multiple VLANs on the external interface. Traffic that is internet destined is tagged with a specific VLAN. Traffic that is going on the VPN to our second location is NOT Vlan tagged, and because it is not vlan tagged never leaves their backbone and is routed directly to my second location.

I couldn't find a way to tell it 'tag if destined for x.x.x.x subnet' therefor the only other way to handle it would be multiple PPP interfaces.
0 Kudos
Olaf Borowski
Respected Contributor

тАО03-21-2009 02:19 PM

тАО03-21-2009 02:19 PM

Re: Procurve 7102DL VLAN

William,
Again, you cannot have tagged and untagged ports on the router (same interface). I assume you use the router for its firewall/NATing feature, otherwise just use a switch.
What is your IP addressing sceme? Is the traffic going from your site to the remote site private addressing? Does this traffic need to be routed or switched?
You can tell the router via a "route" statement which interface to go out on (sub-interface one of two) but you still have the issue of both being tagged. You would need to connect this one physical port with 2 tagged VLANs from the router to a switch and "untagg" it there. You will also still have the problem of trying to configure the same IP subnet on the 2 interfaces, which is impossible. Send a drawing with IP addressing please.
0 Kudos
William E Howard
Regular Advisor

тАО03-24-2009 01:31 PM

тАО03-24-2009 01:31 PM

Re: Procurve 7102DL VLAN

Olaf,

Internal network Main: 192.168.97.0
Internal network Remote: 192.168.77.0

to go from 97.0 to google, it would go thru my router, get vlan tagged with a specific VLAN tag (1080). ALL internet traffic on my Time Warner T1 MUST have this VLAN tag, else it will never hit the internet.

to go from 97.0 to 77.0, I go thru a VPN tunnel on the router. The VPN tunnel, if I can make it NOT use the VLAN tag, will never leave Time Warner's backbone. I may be able to get by with using a DIFFERENT VLAN tag, but it CANNOT have 1080, else it can go out into the internet, then back into Time Warner at my Remote Site, and I increase latency.

I do not need 2 interfaces on the public side. That was just the first thing that came to mind to make it have VLAN tagging on some packets, and none on others.
0 Kudos
Olaf Borowski
Respected Contributor

тАО03-25-2009 04:04 PM

тАО03-25-2009 04:04 PM

Re: Procurve 7102DL VLAN

Howard,

in your setup, who does the NATing? Router (7000dl) or Service Provider? I assume 7000dl.
Did you only get one IP address from the Service provider? You might have to request 2 addresses on different subnets to make this work. The router cannot "selectively" tag packets but it can send out packets on different interfaces based on regular routing or policy-based routing. But, that would require 2 different interfaces = 2 different networks = 2 different IP addresses.
Also, did I understand you right: Is the connection between the 2 sites an IPSec VPN tunnel?

Olaf
0 Kudos
William E Howard
Regular Advisor

тАО03-30-2009 06:00 AM

тАО03-30-2009 06:00 AM

Re: Procurve 7102DL VLAN

We are NATing on both sides. I have 5 IP's from my provider, but they are contiguous. Changing one of them to a diff subnet may be difficult, but I can check. That is a good idea, and would probably solve all my problems, wouldn't it?.

We are going to be using an IPSec VPN tunnel between the two sites, correct.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.