Complex L3 and L2 switch design

Answered Question
Oct 18th, 2007

Hi all, need some advice on a setup I'm proposing. Basically, I want to deliver internet to different customers via a shared firewall as a gateway, using layer 3 and layer 2 switches.


Basically, I can make this work with a L3 3560 and a firewall into a port and give each customer a port and L3 VLAN, a few ACLs, and it works great. What I want to do is distribute this throughout the building using multiple L2 switches. What I don't understand is whether the L3 will still work, as I intend to use only a single trunk link between the switches. I noticed that unless there is something in the port on the L3, routing doesn't work. I've attached a JPG diagram to help.


An alternative is that I just patch each customer into the VLAN port on the L3 using a dumb switch, but this uses far more L3 switch ports and I would like an all Cisco solution with a central VLAN database. I have toyed with the idea of doing this via L2 only, but most midrange firewalls only support 25 VLANs which is potentially too few.



Kevin Dorrell Thu, 10/18/2007 - 02:34

That should not be any problem at all.


Your observation that if all the ports in a VLAN are down on the 3560, then the L3 is down, is correct. But if you have trunks leading from the 3560 that are carrying the VLAN, then effectively the trunk port is up for that VLAN.


So, run trunks between the central 3560 and the layer-2 switches, each trunk carrying whatever VLANs are needed in the L2 switch. Each trunk can carry as many VLANs as are needed.


Tie all the switches together with VTP, putting the VTP server on the 3560 and VTP clients on the L2 switches. If you want to add a second 3560 at the center for redundancy, that would be great, 'cos it could provide router redundancy (through HSRP or similar) as well as VTP server redundancy.


A single VLAN could carry your traffic between your 3560(s) and your firewall(s), but with strictly no presence on the access switches.


Kevin Dorrell

Luxembourg
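
To make the two replies above concrete, here is the 3560 side of the design as an added example (it is not configuration from the thread or from either poster). Hostnames, VLAN numbers, addresses, port numbers and the VTP password are all assumed. It shows the three points Kevin makes: the routed SVIs come up with nothing but trunks on the 3560, the 3560 is the VTP server for the building, and the firewall VLAN exists only on the 3560's firewall port and is kept off the trunks to the access switches.

```cisco
! Added example, not from the thread. Everything named here is assumed.
hostname 3560-CORE
!
! VTP: the 3560 owns the VLAN database, the 2960s will be clients.
! The password (assumed) stops an arbitrary switch in the same domain name
! from joining and pushing its own VLAN database.
vtp domain BUILDING
vtp mode server
vtp password Example-VTP-Key
!
! VLANs must exist in the database before their SVIs can come up
vlan 10
 name CUSTOMER-A
vlan 11
 name CUSTOMER-B
vlan 100
 name FIREWALL-TRANSIT
!
ip routing
!
! Management SVI on VLAN 1 (the 2960s point their default gateway here)
interface Vlan1
 ip address 10.99.0.1 255.255.255.0
 no shutdown
!
! Routed interface per customer VLAN: goes up/up as soon as one trunk
! carrying the VLAN is up; no access port on the 3560 is needed.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan11
 ip address 10.10.11.1 255.255.255.0
!
! Transit VLAN to the firewall and the default route through it
interface Vlan100
 ip address 10.0.100.2 255.255.255.248
ip route 0.0.0.0 0.0.0.0 10.0.100.1
!
! Uplinks to the 2960s: layer-2 trunks only. The 3560 needs the
! encapsulation set explicitly; VLAN 100 is deliberately not allowed.
interface range FastEthernet0/1 - 4
 description Trunk to floor 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11
 switchport nonegotiate
!
! Firewall inside interface: the only port in VLAN 100
interface FastEthernet0/24
 description Firewall inside
 switchport mode access
 switchport access vlan 100
!
! Checks:
!  show ip interface brief | include Vlan  -> Vlan10/Vlan11 "up up" once a trunk carrying them is up,
!                                             "down down" while no trunk or port carries the VLAN
!  show interfaces trunk                   -> allowed and forwarding VLANs per trunk (100 absent)
!  show vtp status                         -> VTP Operating Mode: Server, domain BUILDING
```

Set the VTP password before the first client is connected: in a password-less domain any switch with the same domain name and a higher configuration revision overwrites the server's VLAN database, and the SVIs for the VLANs it removes go down with it.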


rasoftware Thu, 10/18/2007 - 03:03

Hi thanks for the quick response.


Would I still need to assign the VLAN to a physical port on the 3560 for the L3 to work? I ask because, let's say I have four L2 switches (that's 4 ports on the L3, plus one for the router). That allows me to create 19 L3 VLANs on the 3560 and assign them to a physical port (using the trunk to make them appear up). Or can I simply create many, many VLANs with L3 addresses?

Correct Answer
Phillip Hichens Thu, 10/18/2007 - 02:51

Hi


Yes it will still work.


Use the following command in global config mode:


3560(config)#interface vlan 2

3560(config-if)#ip address x.x.x.x y.y.y.y


This will create a logical L3 interface for the vlan, always being up and connected.


Trunk to your 2960s on ports 1,2,3 etc of your 3560. These trunk ports will be L2 only.


Regards

Phillip

rasoftware Thu, 10/18/2007 - 05:41

Hi, thanks for the response. Can I confirm it is possible to create the VLAN as you say and not have to assign it to a physical port, just include it in the VLAN trunk for routing to work?


I assume then from the VLAN on the L2 switch I could ping the VLAN IP via the trunk and access the internet?

Correct Answer
Kevin Dorrell Thu, 10/18/2007 - 05:58

For the first question, yes.


For the second question there is a condition. The layer 2 switch must have a management interface in the VLAN it is pinging, or it must have a default gateway configured (pointing to the 3560) in its management VLAN.


As part of your architecture you should set aside one VLAN for management and make sure it arrives at all the switches. The management VLAN should not have any production traffic on it. Most NetAdmins use VLAN 1 for that, and they also make sure that VLAN 1 is the native VLAN of each of the trunks. BUT no production traffic on it, and no access ports except perhaps for a Network Management Station.


Kevin Dorrell

Luxembourg
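
The layer-2 side of Kevin's answer, as an added example (not configuration from the thread): a 2960 whose only layer-3 presence is a management address in VLAN 1, with a default gateway pointing at the 3560, a trunk whose native VLAN is the management VLAN, and customer VLANs only on access ports. Hostname, VLAN numbers, addresses, port numbers and the VTP password are assumed; the 3560 is assumed to have 10.99.0.1 on its own VLAN 1 SVI.

```cisco
! Added example, not from the thread. Everything named here is assumed.
hostname 2960-FLOOR2
!
! VTP client: VLANs arrive from the 3560, nothing is created locally
vtp domain BUILDING
vtp mode client
vtp password Example-VTP-Key
!
! Management SVI. This is Kevin's condition for pinging the 3560's VLAN
! addresses: a layer-2 switch has no routing table, so anything outside
! its management subnet goes to ip default-gateway.
interface Vlan1
 ip address 10.99.0.12 255.255.255.0
 no shutdown
ip default-gateway 10.99.0.1
!
! Uplink to the 3560: native VLAN 1 carries management untagged,
! and only the VLANs this floor needs are allowed (2960 is dot1q-only,
! so no encapsulation command exists here)
interface GigabitEthernet0/1
 description Uplink to 3560-CORE
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,11
 switchport nonegotiate
!
! Customer access ports: never in VLAN 1
interface range FastEthernet0/1 - 3
 description Customer A
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Every port defaults to VLAN 1, so "no access ports on the management VLAN"
! means the unused ports are shut until a customer is assigned
interface range FastEthernet0/4 - 24
 shutdown
!
! Checks:
!  show vtp status   -> Operating Mode: Client, same domain and Configuration Revision as the 3560
!  show vlan brief   -> VLANs 10 and 11 present, learned from the server
!  ping 10.10.10.1   -> answered by the 3560's VLAN 10 SVI, reached via the default gateway
```

The ping only proves that the 3560 routes between VLAN 1 and VLAN 10; a host on a customer port tests the real path, because it sits in the customer VLAN and uses the customer SVI as its gateway.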


rasoftware Thu, 10/18/2007 - 06:12

That's great news on the VLAN database on the L3 - which means I can have 1005 VLANs, which is more than enough.


Just to clarify on the second point -


1) Create VLANs on the L3, give each an IP - use VTP to the client (L2) switches - don't assign to physical ports.

2) Add the VLAN to the trunk between L3-L2 (this activates the routing).

3) Physically assign the VLAN on the L2 - say, 3 ports for the customer in VLAN 10.

4) They will pick up DHCP (which I set on the L3) via their VLAN, which gives them a gateway - which will be the L3 VLAN address.

5) Their traffic goes via the L2, up the trunk - gets routed to the internet if required via our firewall, which sits on another VLAN.

6) I stop client-client inter VLAN routing via ACLs.
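
The six steps above, carried through on the central 3560 as one added example (not the thread's own configuration). Hostnames, VLAN numbers, addresses and the resolver address are assumed. The part worth studying is step 6: an inbound ACL on each customer SVI. Traffic inside a customer's own VLAN is switched at layer 2 and never touches the ACL; everything a customer sends to another subnet does, so the list permits DHCP and the customer's own gateway, denies the whole customer range, the management VLAN and the firewall transit VLAN, and lets everything else go to the firewall.

```cisco
! Added example, not from the thread. Everything named here is assumed.
ip routing
!
! Step 1: VLANs with routed SVIs, no access ports on the 3560
vlan 10
 name CUSTOMER-A
vlan 11
 name CUSTOMER-B
vlan 100
 name FIREWALL-TRANSIT
!
! Step 4: DHCP served by the 3560; the default-router is the customer's SVI
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.11.1 10.10.11.9
ip dhcp pool CUSTOMER-A
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 192.0.2.53
ip dhcp pool CUSTOMER-B
 network 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
 dns-server 192.0.2.53
!
! Step 6: one ACL per customer, applied inbound on that customer's SVI
ip access-list extended CUSTOMER-A-IN
 remark DHCP to the 3560, and the customer's own gateway address
 permit udp any eq bootpc any eq bootps
 permit ip any host 10.10.10.1
 remark no other customer VLAN, no management VLAN, no firewall transit VLAN
 deny   ip any 10.10.0.0 0.0.255.255
 deny   ip any 10.99.0.0 0.0.0.255
 deny   ip any 10.0.100.0 0.0.0.7
 remark everything else is routed towards the firewall
 permit ip any any
!
ip access-list extended CUSTOMER-B-IN
 permit udp any eq bootpc any eq bootps
 permit ip any host 10.10.11.1
 deny   ip any 10.10.0.0 0.0.255.255
 deny   ip any 10.99.0.0 0.0.0.255
 deny   ip any 10.0.100.0 0.0.0.7
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group CUSTOMER-A-IN in
interface Vlan11
 ip address 10.10.11.1 255.255.255.0
 ip access-group CUSTOMER-B-IN in
!
! Step 5: the firewall sits on VLAN 100, reachable only from the 3560
interface Vlan100
 ip address 10.0.100.2 255.255.255.248
ip route 0.0.0.0 0.0.0.0 10.0.100.1
!
! Step 2: customer VLANs (never VLAN 100) allowed on the trunk to each 2960
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11
!
! Step 3 is on the 2960:  interface range FastEthernet0/1 - 3
!                           switchport mode access
!                           switchport access vlan 10
!
! Checks:
!  show ip dhcp binding                 -> leases handed out from each pool
!  show ip access-lists CUSTOMER-A-IN   -> matches on the deny lines while customer A probes customer B
!  from a customer A host: ping 10.10.11.1 fails, ping 10.10.10.1 and an internet address succeed
```

Returning traffic enters the 3560 on VLAN 100 and is not filtered, which is fine because the ACLs police what customers originate. Two customers who share one VLAN are not separated by any of this; each customer needs its own VLAN for the isolation to hold.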



Kevin Dorrell Thu, 10/18/2007 - 06:18

That's more or less it.


Don't allow more than 64 VLANs on each trunk, because your layer-2 switches will not handle that many Spanning Trees.


Make sure the VTP client-server mechanism is working before you start. For it to work, the uplink must already be a trunk. To test it, do show vtp status on the 3560 and on a layer-2 switch and make sure the configuration revisions are synchronised. Then you can start adding VLANs and see them automagically turn up in the layer-2 switch's show vlan list.


Seriously consider a second 3560, tie them together with a trunk, and have two uplinks from each L2 switch.


Good luck.


Kevin Dorrell

Luxembourg


rasoftware Thu, 10/18/2007 - 06:22

I was thinking of just having the L2 switches connected by a single cable to the 3560 in a star configuration - due to them being on different floors of the building and in different cabinets - would that still create a spanning tree problem, as there would be no redundant links?



Like the idea of two L3s for redundancy. Also - as I'm only using 10/100 - can you aggregate (can't remember the Cisco term) a trunk link's bandwidth?


Kevin Dorrell Thu, 10/18/2007 - 06:37

In a simple hub-and-spoke, there is no redundancy.


Spanning Tree is fine with that, and it's fine with redundancy too. Spanning Tree often gets unjustly blamed for loops. Spanning Tree does not cause loops - it prevents them. In fact loops usually only occur when people try to bypass Spanning Tree in some way.


If you have redundant links to different distribution switches you cannot aggregate them as such, but you can distribute the VLANs evenly between them.


If you have parallel redundant links to one single distribution switch, then you can aggregate them using the technique "ether-channel".


Kevin Dorrell

Luxembourg
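
Kevin's redundant design, as an added example that is not configuration from the thread: two 3560s sharing one gateway address per customer VLAN with HSRP, VLANs split between the two by making each 3560 the Spanning Tree root for half of them, a 2960 with one uplink to each 3560 (nothing to bundle there, STP blocks one uplink per VLAN), and a second 2960 whose two parallel 10/100 links to a single 3560 are bundled into an EtherChannel. Hostnames, priorities, VLAN numbers, addresses, the HSRP key and port numbers are assumed; the HSRP virtual address is the same 10.10.10.1 that DHCP hands out as the gateway.

```cisco
! Added example, not from the thread. Everything named here is assumed.
!
! ===== 3560-A: root bridge and HSRP active for VLAN 10, standby for VLAN 11 =====
spanning-tree mode rapid-pvst
spanning-tree vlan 10 priority 4096
spanning-tree vlan 11 priority 8192
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string Example-HSRP-Key
interface Vlan11
 ip address 10.10.11.2 255.255.255.0
 standby 11 ip 10.10.11.1
 standby 11 priority 90
 standby 11 preempt
 standby 11 authentication md5 key-string Example-HSRP-Key
!
! Trunk between the two 3560s carries every VLAN, so HSRP hellos and STP see one topology
interface GigabitEthernet0/1
 description Trunk to 3560-B
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Two parallel links to 2960-FLOOR3 bundled with LACP
interface range FastEthernet0/5 - 6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
interface Port-channel1
 description Bundle to 2960-FLOOR3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11
!
! ===== 3560-B: the mirror image, root and active for VLAN 11 =====
spanning-tree mode rapid-pvst
spanning-tree vlan 11 priority 4096
spanning-tree vlan 10 priority 8192
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 90
 standby 10 preempt
 standby 10 authentication md5 key-string Example-HSRP-Key
interface Vlan11
 ip address 10.10.11.3 255.255.255.0
 standby 11 ip 10.10.11.1
 standby 11 priority 110
 standby 11 preempt
 standby 11 authentication md5 key-string Example-HSRP-Key
!
! ===== 2960-FLOOR2: one uplink to each 3560. The root priorities above decide
! which uplink forwards: VLAN 10 towards 3560-A, VLAN 11 towards 3560-B =====
spanning-tree mode rapid-pvst
interface GigabitEthernet0/1
 description Uplink to 3560-A
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11
interface GigabitEthernet0/2
 description Uplink to 3560-B
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11
!
! ===== 2960-FLOOR3: two parallel 10/100 links to 3560-A only, bundled =====
spanning-tree mode rapid-pvst
interface range FastEthernet0/23 - 24
 switchport mode trunk
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11
!
! Checks:
!  show standby brief          -> 3560-A: group 10 Active, group 11 Standby; reversed on 3560-B
!  show spanning-tree vlan 10  -> on 2960-FLOOR2 Gi0/1 FWD and Gi0/2 BLK; VLAN 11 the other way round
!  show etherchannel summary   -> on 2960-FLOOR3 Po1 flagged (SU) with Fa0/23 and Fa0/24 (P)
```

Keep the STP root and the HSRP active router on the same 3560 for each VLAN, as above; otherwise traffic for that VLAN crosses the inter-3560 trunk on every packet. The HSRP key matters in a multi-tenant building: without authentication any host in a customer VLAN can send hellos with a higher priority and become the gateway for that VLAN.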

rasoftware Thu, 10/18/2007 - 06:43

Thanks Kevin,


You cleared up all my queries about this as I didn't have any spare kit to check.


Thanks for all your help - i'll let you know how it goes!
