Still struggling to set up this EVPL. Can someone help?

Using EPL's is real simple for the most part...let me see your configs , you can private message me if you don't wanna post them here...if you do post them here X out your public address's thought

VAHokie56 wrote: »

Using EPL's is real simple for the most part...let me see your configs , you can private message me if you don't wanna post them here...if you do post them here X out your public address's thought

i will post them here in case someone else can learn from this. Here is one side.

ADTRAN, Inc. OS version 18.01.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1129AM816
!
!
hostname "Falmouth"
enable password XXXX001
!
clock timezone -1-Cape-Verde
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
no ethernet cfm
!
interface eth 0/1
encapsulation 802.1q
no shutdown
!
interface eth 0/1.3711
vlan-id 3711
ip address X.X.X.2 255.255.255.0
no shutdown
!
interface eth 0/2
ip address 172.22.2.253 255.255.255.0
no shutdown
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip route 0.0.0.0 0.0.0.0 172.22.2.1
ip route 172.22.1.0 255.255.255.0 X.X.X.1
!
no tftp server
no tftp server overwrite
no ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
no login
!
line telnet 0 4
login
password XXXX001
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
end

heres the differences from the other side i believe.

no ethernet cfm
!
interface eth 0/1
encapsulation 802.1q
no shutdown
!
interface eth 0/1.3711
vlan-id 3711
ip address x.x.x.1 255.255.255.0
no shutdown
!
interface eth 0/2
ip address 172.22.1.253 255.255.255.0
no shutdown
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip route 0.0.0.0 0.0.0.0 172.22.1.240
ip route 172.22.2.0 255.255.255.0 x.x.x.2

now, the problem is how do i set this up so 1.0 and 2.0 can "talk". the gateways are ASA's 1.240 and 2.1

the current e-lan is running through the ASA's with ip's 10.xx.xx.1 and 2.

your FW's currently plug into your interface eth 0/1 interfaces I assume? if this is the case and you now have an EPL between your two sites you should just be able to created a /30 between them and lose the FW's. since you are not running a routing protocol you will have to change your static routes up to accommodate your new network connecting the sites

does your topology look something like ...

SiteA Lan----Router

new epl

Router----SiteB lan ?

VAHokie56 wrote: »

your FW's currently plug into your interface eth 0/1 interfaces I assume? if this is the case and you now have an EPL between your two sites you should just be able to created a /30 between them and lose the FW's. since you are not running a routing protocol you will have to change your static routes up to accommodate your new network connecting the sites

does your topology look something like ...

SiteA Lan----Router
new epl
Router----SiteB lan ?

Yes!! this is what i want it to look like!

currently with the e-lan its LanA ---ASA----elan---ASA---LanB

Sooooo, what i was trying to avoid is LanA---ASA---router---EVPL---Router---ASA---LanB

But if thats the only way to do it b/c we have different subnets, then thats the way it has to be.

Am i making sense?

well without knowing what else your ASA's are doing its tough for me to tell you to lose them...but you could just make your EPL a routed link...

Like just use a a network between then

routerA
int e0/0
ip add 172.21.1.1 255.255.255.252
no sh

RouterB
int e0/0
ip add 172.21.1.2 255.255.255.252
no sh

then change your default routes...

routerA
0.0.0.0 0.0.0.0 172.21.1.2

routerB
0.0.0.0 0.0.0.0 172.21.1.1

or you could just run a routing protocol....I would find out what all those ASA's do first before I axed them however

VAHokie56 wrote: »

well without knowing what else your ASA's are doing its tough for me to tell you to lose them...but you could just make your EPL a routed link...

Like just use a a network between then

routerA
int e0/0
ip add 172.21.1.1 255.255.255.252
no sh

RouterB
int e0/0
ip add 172.21.1.2 255.255.255.252
no sh

then change your default routes...

routerA
0.0.0.0 0.0.0.0 172.21.1.2

routerB
0.0.0.0 0.0.0.0 172.21.1.1

or you could just run a routing protocol....I would find out what all those ASA's do first before I axed them however

Yeah, i cant get rid of the ASA's. I was just wondering if there was a way to get the EVPL going without going through them.

Would i be able to plug the EVPL in as currently configured and work on it without causing issues on the lans?

does your current WAN connection plug into your asa's or the routers ?

EVPL is usually a layer 2 point to point connection. It doesnt make sense to have the data go through the ad tran and the firewall, you will get a double NAT. I am going to reach and assume the ad tran is for PRIs. Actually it looks like a SIP trunk or something. It should look like this:

CPE - dirty switch - port one into ad tran, port two into ASA
ADTRAN into phone switch.

mirror on your other site

simple route between the two ASAs.

VAHokie56 wrote: »

does your current WAN connection plug into your asa's or the routers ?

ASA's. Each site has its own internet connection into the respective ASA's.

the routers were supposed to be specifically for the EVPL so we didnt have to go through the ASA's but i am having doubts about all that now.

it_consultant wrote: »

EVPL is usually a layer 2 point to point connection. It doesnt make sense to have the data go through the ad tran and the firewall, you will get a double NAT. I am going to reach and assume the ad tran is for PRIs. It should look like this:

CPE - dirty switch - port one into ad tran, port two into ASA
ADTRAN into phone switch.

mirror on your other site

simple route between the two ASAs.

I think they were used for the phones before, but not since i've been here. it goes Verizon NID --> port 0/1 AdTran on both sides. i just dont know where to plug 0/2!!

I mean I am reaching because I don't know what you really got going on...but you most likely had the ASA's because you had VPN tunnel for site to site connection via internet but if you have an epl now I don't see why you would need the ASA's as you don't need the tunnel anymore. Does that sound right to your situation? And you should not need the adtran anymore because VZ should have delivered new equipment for the EPL and left an extension for you to plug into your CE I assume?

So you have a cheap internet connection plus an EVPL for your two sites to talk to each other. Forget about the adtrans, they add confusion to this mess. Believe it or not you can plug the EVPL into your switch stack, grab an IP from your other site and ping away. You need ONE router (remember a firewall is a router) which will be your ASA. Put your cheap internet into the ASA and your EVPL into the ASA. Give the EVPL interface an IP and route out to the other network. Mirror this config on the other side. When your clients request a connection to the other side of the EVPL, the computer will throw the packets to the default gateway(the ASA) which will examine its routing table and toss the packets across the EVPL to the interface of the other ASA. Virtually, EVPL is exactly like running a cable between the two sites. The two ASAs need to be configured as if they are plugged directly into each other. If the PCs ask for google they will be sent out the cheap internet.

If cheap internet goes down, change the default route to go over the EVPL - you get a little resilience this way.

VAHokie56 wrote: »

I mean I am reaching because I don't know what you really got going on...but you most likely had the ASA's because you had VPN tunnel for site to site connection via internet but if you have an epl now I don't see why you would need the ASA's as you don't need the tunnel anymore. Does that sound right to your situation? And you should not need the adtran anymore because VZ should have delivered new equipment for the EPL and left an extension for you to plug into your CE I assume?

He still needs the ASA's because he has another WAN connection in the office. The EVPL appears as a point to point layer 2 connection. I think what is confusing is the ad trans, which need to go away, they are not doing anything of use. The ASA should be able to handle the EVPL plus the other WAN connection - parsing traffic bound for the internet over the WAN connection and traffic bound for the other end of the EVPL over the verizon connection.

This is a very similar set up to many of my offices which use various types of layer 2 internet connections. From verizon's standpoint you don't actually need a router because it is a layer 2 connection. From his perpective he needs to route it OR have all the switch broadcasts going over the pipe - which can be fine if there are only a few computers on each end of the connection. Otherwise you need to plug EVPL into a router...the ASA.

it_consultant wrote: »

So you have a cheap internet connection plus an EVPL for your two sites to talk to each other. Forget about the adtrans, they add confusion to this mess. Believe it or not you can plug the EVPL into your switch stack, grab an IP from your other site and ping away. You need ONE router (remember a firewall is a router) which will be your ASA. Put your cheap internet into the ASA and your EVPL into the ASA. Give the EVPL interface an IP and route out to the other network. Mirror this config on the other side. When your clients request a connection to the other side of the EVPL, the computer will throw the packets to the default gateway(the ASA) which will examine its routing table and toss the packets across the EVPL to the interface of the other ASA. Virtually, EVPL is exactly like running a cable between the two sites. The two ASAs need to be configured as if they are plugged directly into each other. If the PCs ask for google they will be sent out the cheap internet.

If cheap internet goes down, change the default route to go over the EVPL - you get a little resilience this way.

Yeah rekon this would work as long as your ASA's have 3 interfaces to play with. Also need to change the static routes you put in for your LAN at each site to use the EPL's network

@ IT
ya I dont know what I just assumed he would not need a connection back out to internet lol, so yes we still need the asa's

The trick is to think of it like it is logically to the network. Take two ASAs (or switches), connect them together with an ethernet(or crossover to be old school) cable. That is how the EVPL looks to a router or switch. It has no idea it is traversing what is probably a MPLS network. That is the beauty of it really, the configs for the client are so simple. Simple route and a default route. The ad trans should only be used if they are delivering a PRI over the EVPL which need to be split off to go into a phone switch.

OK boys, on my way in now. This looks promising. i will be able to check out the ASA when i get there.

it_consultant wrote: »

So you have a cheap internet connection plus an EVPL for your two sites to talk to each other. Forget about the adtrans, they add confusion to this mess. Believe it or not you can plug the EVPL into your switch stack, grab an IP from your other site and ping away. You need ONE router (remember a firewall is a router) which will be your ASA. Put your cheap internet into the ASA and your EVPL into the ASA. Give the EVPL interface an IP and route out to the other network. Mirror this config on the other side. When your clients request a connection to the other side of the EVPL, the computer will throw the packets to the default gateway(the ASA) which will examine its routing table and toss the packets across the EVPL to the interface of the other ASA. Virtually, EVPL is exactly like running a cable between the two sites. The two ASAs need to be configured as if they are plugged directly into each other. If the PCs ask for google they will be sent out the cheap internet.

If cheap internet goes down, change the default route to go over the EVPL - you get a little resilience this way.

heres where you confuse me. lets say i am going to config the one on our 2.1 network. i can give the port something like 2.253 and add a route to the 1.0. but when you say "mirror this" do you mean on another ASA at the other site?

Also, they said it has to run in VLAN 3811.... how is that done? Also on the ASA?

tdean wrote: »

heres where you confuse me. lets say i am going to config the one on our 2.1 network. i can give the port something like 2.253 and add a route to the 1.0. but when you say "mirror this" do you mean on another ASA at the other site?

Also, they said it has to run in VLAN 3811.... how is that done? Also on the ASA?

So you have your two offices connected by EVPL which is a layer 2 connection.

Lets say (this is a real example) your one office is 192.168.1.xxx (office a) and your other office is 192.168.2.xxx (office b) /24, then the interfaces on the ASA plugged into verizon's network are on their own broadcast domain with each other. Set something simple like 192.168.3.xxx /24 for your two ASA interfaces. Lets say office A asa has port 2 plugged into EVPL - assign it 192.168.3.2. Office B asa also uses port 2 plugged into EVPL - assign it 192.168.3.3. From the CLI of the respective ASA's you should now be able to ping the two interfaces you just set up.

Now you want your clients to be able to talk across the link. In the asa in site A add network route - 192.168.2.0 255.255.255.0 192.168.3.3.
In the asa in site B you add network route - 192.168.1.0 255.255.255.0 192.168.3.2

Think of the route like this "destination network by way of interface whatever".

Strictly speaking, you may not need to tag VLAN 3811 since it makes no difference to the router. They tell you this in case your switches are VLAN'd already.

OK, i follow all that, but if its a layer 2 circuit, dont we need to add the vlan in there somewhere?

this is driving me crazy.

tdean wrote: »

OK, i follow all that, but if its a layer 2 circuit, dont we need to add the vlan in there somewhere?

this is driving me crazy.

No, only if you need to pass the VLAN information to the switches, which you are not doing. The presence of a firewall or router between the verizon link and your switch stack makes VLAN tagging unnecessary.

it_consultant wrote: »

No, only if you need to pass the VLAN information to the switches, which you are not doing. The presence of a firewall or router between the verizon link and your switch stack makes VLAN tagging unnecessary.

Oh, and we dont need to do that b/c we dont have any other vlans defined?

VLAN tags don't pass a router traditionally. That is why when you have your "router on a stick" you configure the interface with sub-interfaces as opposed to VLANs.

UPDATE:
Hi guys... well, i decided to keep the AdTrans in the picture. Part of the problem was that we were havign trouble passing traffic across the e-lan when moving to the ASA. this way i plug the router to the switches and on the workstations at the remote site, i am changing the gateway to the AdTran (tested and working) and at the main site, thats a little tricky. i dont want to have to change the default gateway on our entire virtual network and all workstations with static ip's soooooo, im going to change the IP of the AdTran default gateway to the IP of current firewall (default gateway), and tomorrow night when we put in the new firewall, just use a new IP for that and route internet traffic out the ASA.

Thanks for all your help guys.

I hope that works. The ASA's can be tricky to set up in non-standard configurations. I have similar setups to yours but I use different networking hardware that is, in my opinion, easier to use. Remember, you can set up more than one default gateway for your PCs with DHCP. The network I am on right now makes use of two default gateways.

it_consultant wrote: »

I hope that works. The ASA's can be tricky to set up in non-standard configurations. I have similar setups to yours but I use different networking hardware that is, in my opinion, easier to use. Remember, you can set up more than one default gateway for your PCs with DHCP. The network I am on right now makes use of two default gateways.

Ooooohhh, yeah.... hmmm. Thats just by adding the new ip to scope options/003 router, isnt it?

Bl8ckr0uter

it_consultant wrote: »

I hope that works. The ASA's can be tricky to set up in non-standard configurations. I have similar setups to yours but I use different networking hardware that is, in my opinion, easier to use. Remember, you can set up more than one default gateway for your PCs with DHCP. The network I am on right now makes use of two default gateways.

Why would you set up more than 1 DG vs using something like GLBP or HSRP on the routers/gateways? Windows won't load balance off of the default gateways will it?

No, it won't load balance. It will provide a slight measure of high availability and, for tdean's purposes, do what he wants it to do. In my case the seconday GW is across a couple of MPLS links (I have a backdoor internet connection into the datacenter) and I don't control the router. In case the main internet and firewall gets funky the traffic can go across the backdoor and have some measure of business continuance. My main GW for the servers at the datacenter is that router - in case I need to download huge files I don't impact the performance of the rest of the metro lan network.