13 Replies Latest reply on Jul 2, 2013 8:31 AM by haakebecks

    Comcast EPL 2 Sites - 801.Q for Beginners

    haakebecks New Member

      So this is where things are at. We had a Comcast EPL set up at two locations. This is a Comcast Layer 2 product that utilizes 802.1Q. We have two 3305 routers in place and our mindset was that Eth 0/1 was the WAN port and Eth 0/2 was the LAN port.

       

      We configured the Eth 0/2 LAN Ports as follows:

       

      Site 1: 192.168.2.1 / 255.255.255.0

      Site 2: 192.168.3.1 / 255.255.255.0

       

      We configured the Eth 0/1 WAN Ports as follows:

       

      Site 1: 802.1Q with a VLAN Tag of 1 and Native Set

      Site 2: 802.1Q with a VLAN Tag of 1 and Native Set

       

      We then added a sub policy with an IP Address for each.

       

      Site 1: 192.168.4.1 / 255.255.255.0   

      Site 2: 192.165.4.2 / 255.255.255.0

       

      I can take a laptop and configure it to use 192.168.2.4 at Site 1 and am able to ping across the LAN interface and get a response from 192.168.4.1 which is the WAN interface. I can also do the same thing at Site 2 utilizing the appropriate IPs. However, I cannot ping across the EPL so no traffic is being routed across the EPL from what I can tell.

       

      We are VERY, VERY new to this and trying to figure it all out as we go. I'm sure we are missing a bunch of things. Any help anybody can provide would be greatly appreciated. Are we making this too complex? Should the routers have LAN IP addresses in the same range? Do we even need the sub policy or is the 802.1Q and VLAN tagging enough? Do we need to do anything with the built-in firewall on the 3305 to allow this traffic? If so, can we simply disable the firewall to test?

       

      A step by step would be wonderful!

        • Re: Comcast EPL 2 Sites - 801.Q for Beginners
          jayh Hall_of_Fame

          Setting the VLAN to 1 native is essentially the same as having no VLAN at all.  You'll likely find that if you had just plugged in the devices without configuring VLANs it would work the same way.

           

          802.1q VLANs are a means to isolate logical Ethernet networks over a single physical wire by adding a "tag" value to the frame entering the 802.1q domain and removing the tag leaving it. 

           

          A trunk port is a switch port that has multiple VLANs passing through it, each with a unique tag from 1 to 4096.  The native VLAN on a trunk is that VLAN that has no tag.  Only one VLAN can be native on a trunk.  By default traffic is in VLAN 1 and it is native.

           

          An access port is a member of a single VLAN.

           

          Say that you have several separate IP networks, they can have overlapping IP addresses or different, and you have a single wire or fiber between two (or more) sites.  You want to be able to share this single link among the several networks, but isolate their traffic from each other. 

           

          At each site you would put a switch and on the first ports do something like:

           

          int sw 0/1
            switchport access vlan 10
          int sw 0/2
            switchport access vlan 20
          int sw 0/3
            switchport access vlan 30

          int sw 0/24
            switchport mode trunk

           

          Now connect switchport 24 from each switch to the shared medium.

           

          Any traffic you send to port 1 on one end will come out port 1 on the other and not be seen by any other port.  Ditto port 2 to port 2, and port 3 to port 3.  What happens "in the middle" is that anything entering port 1 on one side gets a "tag" saying "This frame belongs to VLAN 10" applied before it leaves the switch on the trunk.  When it arrives on the receiving side, the tag is examined, the traffic is switched to all ports that are assigned to VLAN 10, and the tag is removed before it exits the access port.  "Native" is one (and only one) VLAN that doesn't get a tag on the trunk side.  On the other side, any traffic appearing on a trunk with no tag will be switched to the native VLAN for the trunk.

           

          The VLANs can represent separate customers, voice vs. data traffic, or anything where you want separation between the traffic.

           

          There are tweaks to prioritize one type of traffic over another, route between VLANs on a single trunk (router-on-a-stick), etc. but that's the basic idea.

           

          However, VLAN 1 native as the only VLAN on a trunk is pretty much the same thing as a plain old port with no 802.1q at all. There are some subtle differences in the ethernet frame flagging it as trunk-capable.

          1 of 1 people found this helpful
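The tagging behaviour described in the reply above, as an added example that is not part of the original thread. The function names, MAC addresses and payload are constructed for illustration; the port-to-VLAN mapping is the one from the posted switch configuration.

```python
import struct

TPID = 0x8100  # EtherType value that marks an 802.1Q tag

# Access-port assignments from the post: ports 1-3 in VLANs 10/20/30.
ACCESS_VLAN = {1: 10, 2: 20, 3: 30}

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800, payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"


def trunk_egress(frame: bytes, vlan: int, native: int = 1) -> bytes:
    """Frame leaving on the trunk: insert a tag unless the VLAN is native."""
    if vlan == native:
        return frame  # native VLAN travels untagged
    tci = vlan & 0x0FFF  # priority and DEI bits left at zero
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def trunk_ingress(frame: bytes, native: int = 1):
    """Frame arriving on the trunk: return (vlan, frame with tag removed)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return native, frame  # no tag: belongs to the native VLAN
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def carry(frame: bytes, in_port: int, native: int = 1):
    """Send a frame into an access port at one site.

    Returns (bytes seen on the trunk, access ports it exits at the far site).
    """
    on_wire = trunk_egress(frame, ACCESS_VLAN[in_port], native)
    rx_vlan, _untagged = trunk_ingress(on_wire, native)
    out_ports = [p for p, v in ACCESS_VLAN.items() if v == rx_vlan]
    return on_wire, out_ports


if __name__ == "__main__":
    wire, ports = carry(SAMPLE, 1)
    print(wire[12:16].hex(), ports)
    # A trunk whose only VLAN is native VLAN 1 puts the frame on the wire unchanged.
    print(trunk_egress(SAMPLE, vlan=1) == SAMPLE)
```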
            • Re: Comcast EPL 2 Sites - 801.Q for Beginners
              haakebecks New Member

              So in this instance I don't want to use Native. Correct?

               

              Also, just so we are clear... before I dig into things further, I am just trying to establish connectivity between the two routers at this point and Comcast says I have to use 802.1Q.

               

              In a perfect world, my assumption was that I could just plug in a laptop in Eth 0/2 at both locations and Eth 0/1 at both locations is configured for 802.1q and plugged into Comcast's Layer 2 Ciena box and connectivity would be established. However, that is clearly not the case.

               

              So in the scenario I am painting above, how do I need to configure the router to establish that connectivity?

            • Re: Comcast EPL 2 Sites - 801.Q for Beginners
              jayh Hall_of_Fame

              Your problem pinging across may be simply that you need a static route to the LAN subnet at the other side, not related to 802.1q at all.

               

              At site 1 add the following:

               

              ip route 192.168.3.0 255.255.255.0 192.168.4.2

               

              And at site 2, add:

               

              ip route 192.168.2.0 255.255.255.0 192.168.4.1


               

                • Re: Comcast EPL 2 Sites - 801.Q for Beginners
                  haakebecks New Member

                  We'll give this a try Monday. Closing up shop now. I REALLY appreciate your help Jay and we'll post back on Monday letting you know what our results were. Thanks again and have a great weekend!

                    • Re: Comcast EPL 2 Sites - 801.Q for Beginners
                      haakebecks New Member

                      Alright, we set up those static routes on each side and still no joy. Please see attached screen shots. Perhaps I am missing something and doing it in the wrong location? Still cannot ping through to the other side. My thought when looking at the routes is that it should be routing any traffic with any subnet mask to the 192.168.4.x address.

                       

                      Attachments: IMG_1288.JPG, IMG_1289.JPG, IMG_1290.JPG, IMG_1291.JPG, IMG_1292.JPG, IMG_1293.JPG

                        • Re: Comcast EPL 2 Sites - 801.Q for Beginners
                          jayh Hall_of_Fame

                          You may need to talk to Comcast to determine if they want you to use a specific VLAN ID.  You may be making this more complicated than it needs to be. I would first try it without any 802.1q at all.  Just configure 192.168.4.1 and 192.168.4.2 on the eth 0/1 interfaces directly. 

                           

                          Also, you have a default route 0.0.0.0/0 on each side pointing to the other.  While this may be OK for a lab test setup, it will cause problems in the real world.  Any traffic not destined for the subnets at each side will loop between the routers and go nowhere.  Is this network connected to the Internet anywhere?  If so, that's where the default belongs.  I would just route the specific subnets at each end to the other. 

                          1 of 1 people found this helpful
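The routing behaviour discussed in the reply above, as an added example that is not part of the original thread. It models the two routers with the LAN subnets and the 192.168.4.1 / 192.168.4.2 WAN addresses used in the static routes earlier in the thread; the function names and the outside destination 203.0.113.9 are constructed, and "delivered" only means the packet reached a router with the destination subnet directly attached.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s)


# Connected routes per router (next hop None = directly attached).
CONNECTED = {
    "site1": [(net("192.168.2.0/24"), None), (net("192.168.4.0/24"), None)],
    "site2": [(net("192.168.3.0/24"), None), (net("192.168.4.0/24"), None)],
}
# Which router owns each WAN address on the shared 192.168.4.0/24 link.
OWNER = {"192.168.4.1": "site1", "192.168.4.2": "site2"}

DEFAULTS = {  # the looping setup: each default route points at the other router
    "site1": [(net("0.0.0.0/0"), "192.168.4.2")],
    "site2": [(net("0.0.0.0/0"), "192.168.4.1")],
}
SPECIFIC = {  # the static routes given earlier in the thread
    "site1": [(net("192.168.3.0/24"), "192.168.4.2")],
    "site2": [(net("192.168.2.0/24"), "192.168.4.1")],
}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forward(static, start, dst, ttl=64):
    """Walk a packet hop by hop; return (outcome, routers visited)."""
    dst = ipaddress.ip_address(dst)
    router, hops = start, 0
    while ttl > 0:
        hops += 1
        route = lookup(CONNECTED[router] + static.get(router, []), dst)
        if route is None:
            return "no route", hops       # dropped at once
        if route[1] is None:
            return "delivered", hops      # destination subnet is attached here
        router, ttl = OWNER[route[1]], ttl - 1
    return "ttl expired", hops            # bounced between routers until TTL ran out


if __name__ == "__main__":
    for name, static in (("none", {}), ("defaults", DEFAULTS), ("specific", SPECIFIC)):
        print(name, forward(static, "site1", "192.168.3.10"),
              forward(static, "site1", "203.0.113.9"))
```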
                            • Re: Comcast EPL 2 Sites - 801.Q for Beginners
                              haakebecks New Member

                              So, ideally it would look like so to avoid any issues or are you telling me to remove 192.168.3.0 and 192.168.4.0 from the Route Table? I didn't build those routes, the router put them in there automatically.

                               

                              IMG_1294.JPG

                               

                              We will also test without 802.1q, although we were told we must use it.

                                • Re: Comcast EPL 2 Sites - 801.Q for Beginners
                                  jayh Hall_of_Fame

                                  I was more concerned with the 0.0.0.0 routes shown in your previous screen shots.  The specific static routes to the other side's LAN are correct and necessary.

                                   

                                  When they told you to use 802.1q did they also assign a specific VLAN? 

                                   

                                  Try it without 802.1q first, just put the 192.168.4.x IPs on the eth 0/1 interfaces.

                                   

                                  If this doesn't work, then complete the 802.1q configuration.  If they specified a VLAN, use it.  If not then try any VLAN other than VLAN 1, and don't make it native.

                                  1 of 1 people found this helpful
                                    • Re: Comcast EPL 2 Sites - 801.Q for Beginners
                                      haakebecks New Member

                                      Well, to start peeling back the layers, I turned off 802.1q on both routers, assigned them the same 192.168.4.1 and 192.168.4.2 IP addresses on Eth 0/1 and plugged them into a local switch. I pulled all routing out except as shown in the last screenshot. I can ping from end to end so at least I know the routing is set up correctly. I'll give that a shot and go from there.