3430
All:
I have a customer who is changing internet services from a private MPLS network through their provider to a Metro Ethernet connection. The issue I am having is configuring the 3430 1st GEN SW 17.08.02.00 (will upgrade soon) to allow subnet traffic. The customer currently has 5 locations.
Main: 192.168.0.xxx
Remote 1: 192.169.2.xxx
and so on.
I have the 3430 configured eth 0/1 on the local subnet 192.168.2.10 with DHCP (this is working). I have the Metro-E link assigned to eth 0/2 on 192.168.0.100 (this will direct connect to the main location). While I can ping across and talk from the .2 subnet to the main .0 network, I cannot send traffic the other way, .0 to .2. I have tried assigning static routes, as well as the firewall ACL suggestion in the discussion on "LAN to LAN routing", to no avail. Any help would be much appreciated.
First issue: Your default route points to the eth 0/2 interface of the router itself. It should point to the IP address of the interface of the main site connected to the metro-e.
Assuming that the main site has 192.168.0.1 connected to its metro-ethernet, then:
no ip route 0.0.0.0 0.0.0.0 192.168.0.100
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Add the command "no ip firewall" to disable the firewall.
On the main site, add a static route to your local LAN along the lines of:
ip route 192.168.2.0 255.255.255.0 192.168.0.100
More scalable and full mesh - add a new subnet solely for the metro ethernet, use statics at each site to all other sites, or better, a dynamic routing protocol such as OSPF.
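The two routing points in the reply above can be checked with a small longest-prefix-match model. This is an added example, not part of the original thread or any AOS tooling: it flags a static route whose next hop is the router's own interface address and shows which next hop the main site picks for the remote LAN before and after the return route is added. The upstream gateway 203.0.113.1, the host 192.168.2.50 and the `connected` marker are constructed for illustration.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def self_pointing_routes(routes, own_addrs):
    """Static routes whose next hop is one of the router's own addresses."""
    return [(p, nh) for p, nh in routes if nh in own_addrs]

CONNECTED = "connected"  # hypothetical marker for directly attached subnets

# Remote 3430: eth 0/1 = 192.168.2.10, eth 0/2 = 192.168.0.100 (from the thread).
REMOTE_ADDRS = {"192.168.2.10", "192.168.0.100"}
REMOTE_BEFORE = [("192.168.2.0/24", CONNECTED),
                 ("192.168.0.0/24", CONNECTED),
                 ("0.0.0.0/0", "192.168.0.100")]   # default route to itself
REMOTE_AFTER = REMOTE_BEFORE[:2] + [("0.0.0.0/0", "192.168.0.1")]

# Main site: 192.168.0.1 is the address assumed in the reply;
# 203.0.113.1 is a constructed upstream (Internet) gateway.
MAIN_BEFORE = [("192.168.0.0/24", CONNECTED),
               ("0.0.0.0/0", "203.0.113.1")]
MAIN_AFTER = MAIN_BEFORE + [("192.168.2.0/24", "192.168.0.100")]

def report(host="192.168.2.50"):  # constructed host on the remote LAN
    return {
        "remote_self_pointing_before":
            self_pointing_routes(REMOTE_BEFORE, REMOTE_ADDRS),
        "remote_self_pointing_after":
            self_pointing_routes(REMOTE_AFTER, REMOTE_ADDRS),
        # Without the static route, the main site sends 192.168.2.x
        # traffic to its default gateway instead of across the Metro-E.
        "main_next_hop_before": lookup(MAIN_BEFORE, host),
        "main_next_hop_after": lookup(MAIN_AFTER, host),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```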
Can you drop your config file (minus sensitive info) into this thread?
Looking at the config file, ETH 0/2 is in the Public policy class. That policy class has nothing in it, and therefore will implicitly deny all traffic accessing the router on ETH 0/2.
If there are devices on the other end of the metroE (a branch office, etc.), then you would need to allow the remote network to access the addresses on the 192.168.2.x network in the Private policy.
One step closer to a solution. I added the any to any rule to the Public COS and I can now receive ping responses from the eth 0/1 interface, but not beyond. The AOS documentation stated that the firewall rules were not needed in a LAN to LAN configuration, but this is still not working. I am sure that I am missing something very simple, but cannot seem to figure it out.
jayh,
Thank you for the response. As soon as I cleared the firewall, traffic passed like a charm.