Question on passing MAC addresses over switched metro ethernet

I've got a situation where several remote sites are connected to a central location using AT&T's Customized Switched Metro Ethernet (CSME). The core switches at each location are Cisco 4500 series units.

The problem is this... each remote site has a server assigned to it, which is being implemented as a virtual machine at the central location in the vlan belonging to the remote site's core network. The AT&T network learns the MAC addresses from each remote site, and the switch at the central location learns them from AT&T. This is working fine, but AT&T has to learn every MAC address from all the remote sites. This means we need to make sure they're allowing sufficient addresses to cover all the sites, plus they charge according to how many they're allowing through.

I'm trying to research alternatives. Is there any way to pass the MAC addresses from the remote site to the switches connecting the VMware servers (6 servers between 2 physical switches) without special setup on AT&T's part? If it will require additional hardware, that's fine, just need to look at all the options.

Reply to
pfisterfarm

In a situation like that, we created an extra VLAN just for the links and used IP routing to route the traffic over that VLAN to the remote sites. Each link sees only the MAC addresses of the switches at each end.

When you don't want IP routing you can of course use MAC-in-MAC tunneling.

Reply to
Rob

Is this something the service provider needs to make happen, or can I do something on my end?

Reply to
pfisterfarm

I don't know. We use the IP routing, and it can be done with any layer 3 switch. It cleanly solves the problem.

Just create an extra VLAN, assign it a small subnet, put two different addresses on each end of the link and assign an untagged port for your link. Put in routes to route your traffic back and forth and go...

Reply to
Rob

Actually, that's the way we've got it set up now. Not many remote sites have "ip routing" enabled in their config, but those that do still have mac addresses showing up at the central site. Is there some way to stop that?

Reply to
pfisterfarm

Make sure the switchport that is connected to your link is only a member of the link VLAN, not of the default VLAN you use at the remote site.

Reply to
Rob

It's set up as a trunk port.

Reply to
pfisterfarm

That is not a good idea... at least not when this trunk port is also a member of the default VLAN.

What we use is a port that is only a (tagged) member of the link VLAN. Untagged could be used as well, but in tagged mode there can be priority information with each frame.

As soon as you remove the port from the default VLAN, you should no longer see the MAC addresses of the local devices on the link.

Reply to
Rob

So, we need to make it an access port? And this will allow the vlan to work at both locations?

Reply to
pfisterfarm

That is what you can do. Make it an access port for the vlan you use for the link. Then the traffic will be sent untagged across the link.

It is possible to use a trunk port (tagged traffic) but you need to be sure that the vlan you use for the local devices is not configured on that port.

(I use HP Procurve and 3com switches so my terminology may be a bit different than what you see on Cisco switches)

Of course, your IP addressing plan should be such that this configuration is possible. I.e. you have some IP subnet at the locations and another IP subnet at the central site where the server is located, so that you can configure routing between the server and the site. The default gateway configured in the server and the clients is the address of the switch at each end (for the default VLAN). Then you need a third subnet, a /30 at minimum, for the VLAN used for the link between the switches.

Reply to
Rob

I think I may have a problem then. There's a vlan assigned to the 4500s on the central side and all remote switches. And then each remote site has a vlan which is used for servers and workstations, and that's the one we're using on the central end for the virtual servers. So, it would have to be a trunk port, wouldn't it?

Reply to
pfisterfarm

You cannot have the same VLAN on your central site and remote site, because then you see all the MAC addresses on the link. The way around that is to use routing, not a single VLAN. This will mean your central servers are reachable for the remote workstations only via routing, but that is not an issue other than that it means reconfiguration and some handling of special protocols that require broadcasting.

(e.g. you must define a DHCP helper in the remote switches that forwards DHCP requests over the routed link to the central server, assuming it is the DHCP server for your remote workstations)

Reply to
Rob
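The configuration Rob describes across the thread (a dedicated link VLAN with a /30, an access port facing the provider, IP routing between separate site and server subnets, and a DHCP helper at the remote end), written out as an added example. This is not configuration from either poster; it assumes Cisco IOS syntax as found on a Catalyst 4500 at both ends (Rob's own switches are HP ProCurve and 3Com), and all VLAN IDs (900, 20, 120), subnets, interface names and the DHCP server address are hypothetical placeholders.

```cisco
! ===== Central-site Catalyst 4500 (hypothetical config, added example) =====
ip routing
!
vlan 900
 name LINK-SITE-A
vlan 120
 name SITE-A-SERVERS
!
! /30 point-to-point subnet for the link VLAN; this SVI's MAC is the only
! local MAC the AT&T CSME cloud has to learn for this hand-off.
interface Vlan900
 description Routed link to Site A over AT&T CSME
 ip address 10.255.1.1 255.255.255.252
!
! Provider-facing port: access member of the link VLAN only, never a trunk
! carrying the site/server VLANs, so end-host MACs cannot reach the cloud.
interface GigabitEthernet1/1
 description AT&T CSME hand-off to Site A
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
!
! Server VLAN for Site A's VMs lives only at the central site, as its own subnet.
interface Vlan120
 description Site A server VLAN (VMs at central site)
 ip address 10.120.0.1 255.255.255.0
!
! Route the remote workstation subnet via the far end of the /30.
ip route 10.20.0.0 255.255.255.0 10.255.1.2
!
! ===== Remote Site A switch (hypothetical config, added example) =====
ip routing
!
vlan 900
 name LINK-CENTRAL
vlan 20
 name SITE-A-LAN
!
interface Vlan900
 description Routed link to central site over AT&T CSME
 ip address 10.255.1.2 255.255.255.252
!
interface GigabitEthernet1/1
 description AT&T CSME hand-off to central site
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
!
! Workstation VLAN: gateway is the local switch; DHCP broadcasts are relayed
! as unicast to the central DHCP server (address assumed) across the routed link.
interface Vlan20
 description Site A workstations and local servers
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.120.0.10
!
ip route 0.0.0.0 0.0.0.0 10.255.1.1
!
! Verification (either end): only the peer SVI's MAC should appear on the
! provider-facing port once the site VLAN is no longer carried on it.
! show mac address-table interface GigabitEthernet1/1
```

With the link VLAN confined to the hand-off port, the provider sees exactly two MAC addresses per link (one SVI at each end) regardless of how many hosts sit behind them, which is what keeps the AT&T MAC count fixed and billable at a known number. The caveat from the thread still applies: the server VLAN at the central site must be a different subnet from the remote site's VLAN, so VMs are reached through routing, and any broadcast-dependent protocol beyond DHCP needs its own relay or redesign.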

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.