Just a simple article about something I recently did in my home network. I wanted to prepare the network for a Squid proxy, and design it in such a way that the client devices did not require proxy settings. Having trouble placing it inline, I decided I could use WCCP (Web Cache Communication Protocol) instead. However, that requires separate VLANs.
This did pose a problem: my home router did not support any kind of routing and multiple networks beyond a simple hide NAT (PAT) behind the public IP address. Even static routes weren’t possible.
And again my fanless 3560-8PC helped me out. The 3560 can do layer 3, so you can configure it with the proper VLANs and use it as the default gateway on all of them. Then you add another VLAN towards the router and point a default route at that router.
That solves half of the problem: packets get to the router and out to the internet. However, the router does not have a return route for the VLANs. But it does not need one: you can use proxy ARP. Since the router's LAN side uses a /24, you subnet all VLANs inside that /24, e.g. a few /26s for the client VLANs and a /30 for the VLAN towards the router, as my home network will not grow beyond a dozen devices in total. Because the router believes every inside address is directly connected, it sends an ARP request for each one; the layer 3 switch, which has routes to those subnets on its other VLAN interfaces, answers with its own MAC address on behalf of the client device. The router therefore forwards all traffic to the layer 3 switch, which knows every device in its connected subnets.
And problem solved. From the point of view of the router, there is one device (one MAC address, the layer 3 switch) in the entire subnet that happens to use a bunch of IP addresses.
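What that looks like on the 3560, as an added example rather than the configuration from the article: the 192.168.1.0/24 addressing, the VLAN numbers and the port names are assumptions, and only the router-facing SVI is left answering ARP on behalf of other hosts.

```cisco
! Added example, not the article's own configuration. Assumed addressing:
!   home router LAN side   192.168.1.1/24   (the router keeps its /24 mask, so it ARPs for every inside IP)
!   Vlan99 router link     192.168.1.0/30   switch = .2, router = .1
!   Vlan10 clients         192.168.1.64/26  gateway .65
!   Vlan20 proxy/servers   192.168.1.128/26 gateway .129
! Hosts on Vlan10/Vlan20 use the /26 mask and their SVI address as default gateway.
ip routing
!
vlan 10
 name clients
vlan 20
 name proxy
vlan 99
 name router-link
!
interface Vlan99
 description towards home router
 ip address 192.168.1.2 255.255.255.252
 ! Proxy ARP is on by default on IOS; it is stated explicitly because this SVI must
 ! answer the router's ARP requests for 192.168.1.64/26 and 192.168.1.128/26 with its own MAC
 ip proxy-arp
!
interface Vlan10
 description client VLAN
 ip address 192.168.1.65 255.255.255.192
 ! Hosts here carry a correct /26 mask, so nothing needs answering on their behalf
 no ip proxy-arp
!
interface Vlan20
 description proxy / server VLAN
 ip address 192.168.1.129 255.255.255.192
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description uplink to home router (assumed port)
 switchport mode access
 switchport access vlan 99
!
interface FastEthernet0/1
 description example client port (assumed port)
 switchport mode access
 switchport access vlan 10
!
! Everything not in a connected subnet goes to the home router
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Hosts on the client VLANs must be addressed with the /26 mask and the switch SVI as gateway (so any DHCP has to hand out those values rather than the router's /24 and its own address), while the router's own mask stays /24 so it keeps ARPing for every inside address.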
Running WCCP in your home; I swear, you're just too damn cool for words!
Hi,
I have the following setup which is not working as expected:
PC A with 2 NICs on 2 distinct networks, plugged into access ports (1 & 7) of a 3560-8PCS
- NIC 1 = 192.168.70.99 /24, GW = 192.168.70.101
- NIC 2 = 192.168.5.2 /24, GW = 192.168.5.1
PC B with NIC 1 = 192.168.10.2, GW = 192.168.10.1, plugged into access port (2) of a 3560-8PCS
Linksys WRT54G plugged into access port (8) of a 3560-8PCS
3560-8PCS (IP Base image | v15.x) configured with 3 VLAN interfaces & 3 VLANs
Port 1 access VLAN 5, Port 2 access VLAN 10, Ports 7 & 8 access VLAN 70
Int Vlan 5 = 192.168.5.1
Int Vlan 10 = 192.168.10.1
Int Vlan 70 = 192.168.70.101
Routing enabled
Issue: From Host A, I can't ping Host B unless I disable NIC 1. When I do a tracert from Host A with all the interfaces on, it shows that the packets are sent to the GW of NIC 1, which is the Linksys router.
The metrics on Host A are set to this order of precedence: NIC 2, then NIC 1.
My goal is to get local traffic flowing between Host A & Host B through the switch while still being able to access the internet from Host A.
Thank you in advance for your input.
Best Regards,
Ps: an image of the topology (http://hpics.li/e1e5ce0)
Rectification:
Actually, the GW of NIC 1 is 192.168.70.1 instead of the 192.168.70.101 stated.
Thanks.
Hi Gston,
I'm not going to solve this one for you in the current layout because I have generally bad experiences with end devices with NICs in two different subnets. It's unpredictable out of which NIC they will send packets, especially if you leave proxy ARP enabled on the Cisco switch. And I've had cases where, despite a proper definition of the interface metric, it seemed as if Windows would sometimes not follow that either.
General recommendation: use a single NIC, or put both in the same subnet and make a port-channel out of them (Linux can do this, Windows with the proper third-party tools for the NIC drivers as well). Then design it in such a way that it meets the requirements: A & B in the same subnet (VLAN), with one default gateway towards the internet.
Best regards,
Reggle
Hi,
Thanks a lot for the explanation.
It's indeed a wild goose chase type of situation when trying to identify out of which NIC Windows sends the packets.
I stubbornly tried to isolate the traffic of each NIC within the switch by applying ACLs, VACLs... to no avail, as the root of the issue seems to reside upstream, in Windows itself.
The ACLs do work though: if I ping a VLAN interface with a source address of another VLAN interface, I get the desired result.
Back in Windows (Host A), any attempt to browse the internet will fail when I have a simultaneous RDP session to Host B.
So no "multi-tasking" for me for now.
If I do as per your recommendation and put both NICs on the same subnet (VLAN), my lab setup will not work. I need to have 3 subnets: 1 from main Host A for daily internet; 1 from main Host A with VMs on a local subnet; and 1 from Host B with VMs on a local subnet.
But I'm pondering how sysadmins and/or network admins successfully segregate traffic within/between servers with multiple NICs.
I highly appreciate your input and thank you for your time and efforts.
Best regards,