Loopback on same network unreachable

  • Updated 4 years ago
Hi, I am trying to connect another switch to my network to segregate customer vlans.

I am announcing my networks as /24's and want to create smaller subnets of these on another switch within my network. So for example create a loopback vlan with a /29 for a single client server connection.

I am testing this in my lab where I have a single network of 192.168.1.1/24. I have created a vlan "InputLB" which is set as loopback and has ipforwarding on. This vlan has 1 port which is active and is connected to the main 192.168.1.1/24 network. This InputLB vlan is assigned the IP address 192.168.1.33/29.

When I try to ping 192.168.1.33 from any device on my network, it will not ping. What am I doing wrong? Will this configuration be possible?

Thanks for any help.

Michael Goodliffe
Posted 4 years ago

Ronald Dvorak, Embassador
I'm not sure whether I understand your setup, so...
Your main network is 192.168.1.0/24 and now you've configured 192.168.1.33/29 on the switch.
If that is the case then this is not correct - you can't use different masks for the same range: 192.168.1.33 is included in the 192.168.1.0/24 range.
Might be helpful if you post a network diagram and the configuration.

Daniel Flouret, Employee
Michael,

Your configuration is invalid. You can summarize the advertisement of several subnets with a smaller mask (larger subnet), but the separate subnets must not overlap.

Using a /29 mask you can have 32 non-overlapping subnets:
  • 192.168.1.0/29
  • 192.168.1.8/29
  • 192.168.1.16/29
  • 192.168.1.24/29
  • .......
  • 192.168.1.224/29
  • 192.168.1.232/29
  • 192.168.1.240/29
  • 192.168.1.248/29

In your configuration subnets 192.168.1.0/24 and 192.168.1.32/29 overlap, which makes it impossible to determine if a computer using IP address 192.168.1.35 resides in the 192.168.1.0/24 subnet or in the 192.168.1.32/29 subnet.

What are you trying to accomplish with that?

Daniel

Michael Goodliffe
Thanks, I see what you mean. I have my /24s announced over BGP at the moment. Does this mean that I must have the /24 vlans defined on my switch which correspond to these /24 networks I am announcing?

What I want to do is have one of my /24 networks split into multiple /29, /28 networks for clients, but still be able to announce it as a single /24

Thanks.

Michael Goodliffe
For example I have 4 /24 subnets announced:

x.x.160.0/24
x.x.161.0/24
x.x.162.0/24
x.x.163.0/24

I want to take the 163 subnet and split it into multiple vlans over different ports. For example take port 12 of my newly attached switch, make it a loopback interface and give it the network x.x.163.16/29

Do I need to change my announcements every time I want to create a new subnet? Or instead split them all up now and change the announcements so they match.

I have just tried removing the network of the 163.0/24 network on my router and creating it as 163.8/29 instead, however now the gateway of this new /29 is unreachable (x.x.163.9)

Daniel Flouret, Employee
You should create the individual /28 or /29 vlans (no overlapping, remember) and then advertise them as a single /24 vlan.

If you're using Extreme switches running EXOS there's a feature called L3 VLAN Aggregation (check https://www.dropbox.com/s/jjyypvv524anlg7/EXOS_Concepts_Guide_15_3_2.pdf, page 1247) that can help you accomplish something similar to what you want.

Daniel
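A quick check of the two points made in this thread so far: the overlap that makes 192.168.1.33/29 invalid next to 192.168.1.1/24 (and that a plan of /28s and /29s is only usable when none of them overlap), and what a /24 loses when it is split into 32 classic /29 VLANs instead of being kept as one aggregated VLAN. This is an added Python example by the editor, not part of the thread and not EXOS code; the address accounting it uses (network, broadcast and one gateway per subnet) is this example's own assumption.

```python
"""Subnet-plan checks for carving customer ranges out of an advertised /24.

Added example, not from the thread. The bookkeeping of which addresses a
classic L3 VLAN gives up (network, broadcast, gateway) is an assumption made
here, not something the thread states.
"""
import ipaddress


def _net(addr_or_net):
    # Accept a host address with mask as typed on a VLAN (192.168.1.33/29)
    # or a plain network (192.168.1.32/29); return the network it belongs to.
    return ipaddress.ip_interface(addr_or_net).network


def overlapping(existing, new):
    """Existing VLAN addresses whose network overlaps the one `new` would join.

    A non-empty result is the 'invalid configuration' case from the thread:
    the switch could not decide which VLAN a host in the overlap belongs to.
    """
    new_net = _net(new)
    return [e for e in existing if _net(e).overlaps(new_net)]


def carve(aggregate, prefixlen):
    """All non-overlapping subnets of the given length inside the aggregate."""
    return [str(n) for n in ipaddress.ip_network(aggregate).subnets(new_prefix=prefixlen)]


def plan_problems(aggregate, subnets):
    """Problems with a proposed plan: subnets outside the aggregate, then
    subnets overlapping each other. Empty means the plan can be configured
    and still be advertised as the single aggregate."""
    agg = ipaddress.ip_network(aggregate)
    nets = [_net(s) for s in subnets]
    problems = [f"{n} is not inside {agg}" for n in nets if not n.subnet_of(agg)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def classic_usable(subnets):
    """Customer-assignable addresses when every subnet is its own L3 VLAN:
    each one gives up its network address, broadcast address and a gateway."""
    return sum(_net(s).num_addresses - 3 for s in subnets)


def aggregated_usable(aggregate):
    """Customer-assignable addresses when the aggregate is one L3 VLAN with a
    single gateway and customers are merely restricted to address ranges."""
    return ipaddress.ip_network(aggregate).num_addresses - 3


if __name__ == "__main__":
    print(overlapping(["192.168.1.1/24"], "192.168.1.33/29"))
    nets = carve("192.168.1.0/24", 29)
    print(nets[:4], "...", nets[-1])
    print(plan_problems("192.168.1.0/24", ["192.168.1.0/28", "192.168.1.8/29", "192.168.2.0/29"]))
    print(classic_usable(nets), "usable as 32 x /29 VLANs vs", aggregated_usable("192.168.1.0/24"), "aggregated")
```

Run `plan_problems` over the customer ranges before touching the switch or the BGP announcement: the advertisement can stay a single /24 as long as every customer range is inside it and the ranges do not overlap each other.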

Michael Goodliffe
Thanks, that looks like it will do exactly what I want.

I have one vlan with the /24 defined, then I can assign loopback subvlans with restricted IPs to that. Just tested it and it seems to work. This is a great method of doing it as you don't waste IPs on broadcast and gateway, thanks!

Just one question, will this work with IPv6 too?

Daniel Flouret, Employee
Nope, only for IPv4...

Michael Goodliffe
Another quick question. There will be a vlan defined on my primary router, this will have a single connection to a new switch which has no knowledge of any configuration on the primary router.

The supervlan will be defined on the new switch on the port connecting the 2 switches. Then I will have individual subvlans defined with ports for each customer's server.

Will this work?

primary router:
announces the /24
VLAN defined with a single connection to switch 2

switch 2:
supervlan defined on port linking to primary router, ip address assigned as x.x.163.1/24 gateway
subvlans defined for each client range with restricted IPs in x.x.163.1/24 range

Daniel Flouret, Employee
I'm not sure you can extend the superVLAN outside of a switch...

Take a look at Private VLANs (same doc, page 526). There's an example in page 539 that looks very much like the one you need.

Michael Goodliffe
Thanks again. I'm trying this configuration out and am running into issues with the subscriber vlan ip address.

I have set up the following:
Main loopback VLAN set as private VLAN's network VLAN - tagged 100
second loopback VLAN set as subscriber VLAN of private VLAN - tagged 101

Now the second loopback VLAN would be used as an isolated client vlan with a specific IP range, let's say a /29. However I cannot add an ip address to this vlan:

Error: Subscriber VLAN vl_test_1 cannot be configured with IP address.

This seems to be the perfect solution apart from this issue.

Daniel Flouret, Employee
Michael,

I've never used this feature but the way I see it both the private vlans and the network vlan operate at layer 2.

You don't need to use /29 subnets to isolate different customers. The private vlans will do that for you.

The private vlans don't have an IP address, and the network vlan CAN have one, but does not need to have one configured. All the servers in the different pvlans would share the 192.168.1.0/24 subnet and use the router IP address as their default gateway.

Suppose you have one customer (customer1) with 3 servers, another customer (customer2) with 2 servers, and 10 customers (other), each one with a single server. And you want all the servers to be able to reach the router (their default gateway) while not being able to see the servers of other customers (but still be able to reach other servers from the same customer if they have more than one...).

I'm attaching a quick and dirty sketch of what I'd do.

I'd create one vlan for customer 1 with 3 ports, one vlan for customer2 with 2 ports and a vlan for the other customers with 10 (or more) ports.

I would then add these three vlans to a private vlan, the first two as non-isolated so the servers connected to each one of them can see each other (within the vlan), and the third one as isolated so the servers connected to it can't see each other.

I would then create a network vlan to allow all these customer vlans in the private vlan to reach the router (or any other shared services...)

All of the servers would have addresses in the 192.168.1.0/24 subnet, and all would have ip 192.168.1.1 as their default gateway (assuming that is the ip address of the router...)

The config for each switch would be something like this (just creating it on the fly, may have forgotten something...)

SW1:

#
# always remove ports from vlan default (best practice)
#
configure default delete ports all

#
# create network vlan and assign ports
#
create vlan nv1 tag 100
# port 1 untagged, port 2 tagged ("t"): the tagged port is the link that carries tag 100 to SW2
configure nv1 add ports 1
configure nv1 add ports 2 t

# --------------------------------------------------------------


SW2:

#
# always remove ports from vlan default (best practice)
#
configure default delete ports all

#
# create network vlan and assign ports
#
create vlan nv1 tag 100
configure nv1 add ports 1 t
#
# create customer vlans and assign ports
#
create vlan cust1 tag 201
create vlan cust2 tag 202
create vlan other tag 203
configure cust1 add ports 2-4
configure cust2 add ports 10-11
configure other add ports 15-24

#
# create private vlan and assign network vlan and subscriber vlans
#
create private-vlan pv1
configure private-vlan pv1 add network nv1
configure private-vlan pv1 add subscriber cust1 non-isolated
configure private-vlan pv1 add subscriber cust2 non-isolated
configure private-vlan pv1 add subscriber other

#
# the uplink to SW1 is already in the network vlan; mark it as the private-vlan
# translated port so subscriber traffic leaves towards the router on tag 100
#
configure nv1 add ports 1 private-vlan translated

# --------------------------------------------------------------

As you can see, there's not a single ip address in all the config for either switch. It's all a pure layer 2 thing.

What about provisioning?
  • If you add a customer with a single server, you just add another port to vlan other.
  • If you add another server for a customer that already has a separate vlan, you just add a port to that vlan.
  • If a customer that had a single server wants to add another, create a separate vlan for them, add two ports to connect the servers, and add the vlan as subscriber, non-isolated, to the private vlan.

Will this work? I hope so. I haven't tested it. give it a try and let me know the result.

Daniel

Michael Goodliffe
Thanks for the lengthy explanation, the detail is much appreciated.

This is exactly what I want to do, however the reason that I need to assign an IP address (range) to a loopback vlan port for a client is to restrict their IP addresses so that they do not try and steal IPs. My clients will have full control over their own machines and I want to be sure that the network is secure and no one is going to try and steal each other's IPs.

For example if I am renting a server to a client and the server gets compromised, as they do sometimes, then with this setup the attacker can then take control of all IPs in the range. And then for example start sending spam and get the whole range blacklisted.

A hybrid of both solutions would be ideal. Be able to give them a private vlan and also restrict the IPs they can use like the subvlan method.

Daniel Flouret, Employee
I see...

There's a couple of features that may help you prevent this:
  • Disable ARP learning and statically configure the IP to MAC relation, so the customer can't simply change the IP address and keep on working.
  • Use ARP validation, forcing all servers to use a secure DHCP server to get their addresses and disallow statically configured IP addresses. In the DHCP server you could then fix the IP address you give each server based on their MAC.

You can read about this in the Security chapter of the documentation. (page 851).

Michael Goodliffe
I have checked this config of using both methods and that seems to work ok. I think I need to step back and draw a network diagram. It's all in my head at the moment.

I think if I use my new switch and link it to my router by a tagged vlan, then create a supervlan on it and split it into multiple vlans with restricted IP's, this would be best.

I can then make this switch use the whole /24 range as required.

Thanks so much for all your help.

Michael Goodliffe
Thanks. I'm just looking at the source-ip-lockdown now but can't seem to find the command to assign the locked IP to the port. How is this done?

I have enabled source-ip-lockdown on one port:

enable ip-security source-ip-lockdown ports 3:49

but the show command returns no ip address:

show ip-security source-ip-lockdown
Ports           Locked IP Address
3:49            None

Is this done via DHCP?

Daniel Flouret, Employee
Source IP lockdown is a feature that works in conjunction with trusted DHCP servers and DHCP snooping. It is not a functionality that you configure on its own.

You may want to start by experimenting with disabling ARP learning and manually configuring IP to MAC entries.

Michael Goodliffe
OK, cheers. How do I go about locking MACs to IP addresses?

Would this cause a problem for example if one of my clients has virtual machines on its server? Would the switch see the virtual machines' MAC or the physical MAC of the server?

I may just go with a simple option of using the subvlans and see if I can get this working on one extended switch from my router. I don't want to over complicate the security and make it unmanageable. :)

Thanks a lot for all the help. I've learnt a lot.

Daniel Flouret, Employee
Each VM should have its own MAC...

Security always means more work....
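The two controls Daniel names (ARP learning disabled with static IP-to-MAC entries, or ARP validation with bindings learned from a trusted DHCP server, which is also what source IP lockdown builds on) both come down to one per-port table of (MAC, IP) pairs that a frame has to match. The following is an added Python example by the editor, not switch code and not from the thread, that models that table and runs constructed traffic through it, including a server hosting a VM with its own MAC and a compromised server claiming its neighbour's address. The MAC addresses, ports, bindings and frames are all constructed for the example.

```python
"""Per-port IP/MAC binding enforcement, modelled in software.

Added example, not from the thread and not the switch's implementation.
Bindings, MACs and frames below are constructed. The aim is the one stated
in the thread: a compromised server must not be able to take over a
neighbour's address, nor an unused address in the range.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    port: str   # switch port the customer server is on
    mac: str
    ip: str


@dataclass(frozen=True)
class Frame:
    port: str     # ingress port
    src_mac: str
    src_ip: str   # IP source address, or the ARP sender IP for ARP frames
    kind: str     # "ip" or "arp"


# Constructed bindings. Port 2 hosts a server with one VM; the VM has its own
# MAC and address, so it is simply a second binding on the same port.
BINDINGS = [
    Binding("2", "00:11:22:33:44:02", "192.168.1.10"),
    Binding("2", "52:54:00:12:34:56", "192.168.1.11"),
    Binding("15", "00:11:22:33:44:15", "192.168.1.20"),
    Binding("16", "00:11:22:33:44:16", "192.168.1.21"),
]

# Constructed traffic: legitimate frames plus three attempts to break out.
FRAMES = [
    Frame("2", "00:11:22:33:44:02", "192.168.1.10", "ip"),
    Frame("2", "52:54:00:12:34:56", "192.168.1.11", "ip"),
    Frame("2", "52:54:00:12:34:56", "192.168.1.12", "ip"),    # VM grabs an unassigned address
    Frame("15", "00:11:22:33:44:15", "192.168.1.20", "ip"),
    Frame("15", "00:11:22:33:44:15", "192.168.1.21", "arp"),  # claims port 16's address
    Frame("15", "02:aa:bb:cc:dd:ee", "192.168.1.20", "arp"),  # spoofed MAC on its own address
    Frame("16", "00:11:22:33:44:16", "192.168.1.21", "ip"),
]


def build_table(bindings):
    """Index bindings per port and record which port owns each address."""
    per_port, owner = defaultdict(set), {}
    for b in bindings:
        per_port[b.port].add((b.mac, b.ip))
        owner[b.ip] = b.port
    return per_port, owner


def check_frame(per_port, owner, f):
    """None if (port, mac, ip) is a bound triple, else the reason to drop it."""
    allowed = per_port.get(f.port, set())
    if (f.src_mac, f.src_ip) in allowed:
        return None
    bound_ips = {ip for _, ip in allowed}
    bound_macs = {mac for mac, _ in allowed}
    if f.src_ip not in bound_ips:
        where = f"port {owner[f.src_ip]}" if f.src_ip in owner else "no port"
        return f"{f.kind} on port {f.port}: source {f.src_ip} belongs to {where}"
    if f.src_mac not in bound_macs:
        return f"{f.kind} on port {f.port}: MAC {f.src_mac} is not bound on this port"
    return f"{f.kind} on port {f.port}: {f.src_mac} is not the MAC bound to {f.src_ip}"


def audit(bindings, frames):
    """Frames that would be dropped, with the reason, in arrival order."""
    per_port, owner = build_table(bindings)
    flagged = []
    for f in frames:
        reason = check_frame(per_port, owner, f)
        if reason:
            flagged.append((f, reason))
    return flagged


if __name__ == "__main__":
    for _, reason in audit(BINDINGS, FRAMES):
        print(reason)
```

The price of the static variant is visible in the VM case: every new VM a customer brings up needs its own binding before it can talk, which is the extra work Daniel alludes to. Letting a trusted DHCP server hand out fixed addresses per MAC, as in his second option, moves that bookkeeping to the DHCP reservations while the switch still enforces the same per-port table.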