Trunking/routing vlans from core switch puzzle

Answered Question
Apr 19th, 2008

We have two 6509 switches as our core network.


These two switches are an HSRP pair, one upstairs, one downstairs.


VTP configured as well, Upstairs switch is the server, downstairs switch is client.


The upstairs switch has a trunk configured to the downstairs 6509.

And a trunk configured to a 7206 router that connects our branches and DR site to the core switches.


OSPF is on the core switches and router.


We recently lost the upstairs 6509 switch.


In order to have the upstairs workstation/server links work while we were trying to get the switch replaced, we had to trunk two 3500 series switches to the downstairs 6509 and router in place of the upstairs 6509.


So, we ended up with:


One 3500 switch ended up as the other core switch, with a trunk to downstairs and a trunk to the router, with an additional trunk to another 3500 for additional ports.


There was no routing protocol on the 3500 series switches and we lost the VTP server.


The Downstairs 6509 was configured with all of the vlans and SVIs with inter vlan routing going on.


With no routing protocol on the 3500 switches (out of the box), what would have been the proper way to configure the 3500s to ensure that all vlans could communicate with the downstairs switch and branches?


The 3500s have servers and workstations. The workstations had to have DHCP addresses from the servers also.


workstations on vlan 10

servers on vlan 20

printers on vlan 30

routers on vlan 40

switch management on vlan 50



Istvan_Rabai Sat, 04/19/2008 - 23:48

Hi Richard,


The solution may be to configure a dot1q trunk between the 3500 switch and the 7206 router.


Then configure the router port in a router-on-a-stick config to route between the vlans and the branches, similarly to this:


interface fa0/1
 no ip address
!
interface fa0/1.10
 ! the encapsulation must be set before IOS accepts an ip address on a subinterface
 encapsulation dot1q 10
 ip address x.x.x.x x.x.x.x
!
interface fa0/1.20
 encapsulation dot1q 20
 ip address y.y.y.y y.y.y.y
!
.. etc for each vlan


Cheers:

Istvan


wilson_1234_2 Sun, 04/20/2008 - 07:16

Thanks for the reply,


I was thinking more along the lines of how to configure the VLANs and routing on the 3500s (no routing protocol).


For example, do both 3500s need a vlan interface in each of the vlans that will be communicating or no?


I was able to get this partially working.


The trunk from the downstairs 6509 to the 3500s carried all vlans, but I did not create vlan interfaces in all of the vlans needing connection.


For example, one switch was all workstations. I did not create a vlan interface in the workstation vlan on that switch, but made all of the ports members of the workstation vlan, and I could communicate with everything as long as the workstation (on the upstairs 3500 port) was pointing to the downstairs 6509 SVI as its default gateway.


The downstairs 6509 was capable of routing across all vlans configured.

Istvan_Rabai Sun, 04/20/2008 - 07:56

Hi Richard,


In this case it is enough for one 3500, the one that is connected to the 7206, to have vlan interfaces.

You should just make sure each vlan you have reaches into your 3500 on layer2 trunks.


For a router or a layer3 switch it is not necessary to have a routing protocol to route packets. If the 'ip routing' command is enabled, then it will route packets between its OWN (Connected) vlans right out of the box.


A routing protocol is necessary to learn about subnets located on OTHER routers or layer3 switches.


I think your question is not about the routing between the vlans, rather between the vlans and the branches.


For this, you either need a routing protocol to advertise your subnets or you may configure static routes on the 3500 to point to the 7206.


Without a routing protocol you will also need to configure static routes on the other side (at the branches) to the subnets contained within your vlans here at this side.


I hope this helps you.


Cheers:

Istvan

wilson_1234_2 Sun, 04/20/2008 - 08:32

Thanks for the reply,


In the original scenario:

I have a 3500 trunked to a 6509 carrying all vlans.


VTP is configured and the 3500 is acting as a client.


I have no vlan interface configured on the 3500 for the workstations, but I put all ports in the workstation vlan.


I am assuming that since VTP is configured and the 3500 now knows about all vlans, I do not need an interface in the workstation vlan on the 3500 in order for the workstations to ping the workstation SVI on the downstairs 6509.


Correct? Because this is what was happening.



But the workstations on the 3500, which did not have a workstation vlan interface on it, had to have one created and IP Helper configured on the interface before the workstation would get an IP address from the DHCP server in the server vlan, even though the 6509 had IP helper configured.



Istvan_Rabai Sun, 04/20/2008 - 09:19

Hi Richard,


Yes that's correct.


But it is very interesting why a workstation vlan SVI needed to be created on the 3500 for the workstations to be able to get the IP address through the DHCP offer.


If the workstations can reach the 6509 on a layer2 trunk then they should get the DHCP offer without the SVI interface on the 3500 as well.


Strange behavior. I have no idea why it is occurring that way.


Thanks for the information and the ratings.


Istvan


wilson_1234_2 Sun, 04/20/2008 - 10:47

You are welcome,


This is what was needed on the 3500:


interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 ip helper-address 10.1.10.2




lamav Sun, 04/20/2008 - 11:03

Wilson:


I don't know if you are happy with the way things are now, but it seems to me that you had to do something pretty weird on the 3500 switch to get the workstations on vlan 10 to obtain an ip address.


If your 3500 switch has vlan 10 configured (Layer 2, not an SVI), and the workstations that use DHCP are connected to switch ports on the 3500 that have been placed in that vlan, and that vlan is being allowed on the trunk ports on both ends (3500 and 6509), and the vlan's SVI is configured on the 6509 -- with a helper address, then there is no reason why you should have to create another SVI for the same vlan on the 3500 to get DHCP to work for those workstations. If you did, something's not right.


Perhaps it would be easier to help you if you attached all the configs for each device in question.


HTH


Victor





wilson_1234_2 Sun, 04/20/2008 - 11:37

That is what I was thinking.


When you say Layer 2, you are talking about only configuring the switchports as members of vlan 10, correct?


That is what I originally had on the 3500:


Trunk to 6509 passing all vlans

Management Vlan SVI only

All ports member of workstation vlan


I could connect to everything with the above config, and ping servers, as long as I manually configured IP Address on workstation using the 6509 SVI as default gateway.


But I could not get a DHCP address from server unless the SVI in workstation subnet was created on the 3500 with IP Helper address of DHCP server.


I will try to get configs tomorrow.


Also, what are your thoughts about "ip routing" being configured on the 3500?


Was it needed?



Jon Marshall Sun, 04/20/2008 - 11:47

Richard


If you want the 3550s to act as purely L2 switches then you do not want to enable IP routing on them.


To answer your other question. The 3550 switches should be connected to each other via trunks and there should be a trunk between the 3550 and the 6500.


Vlan 10 needs to exist on all 3 switches and be allowed across the trunk links.


Jon

wilson_1234_2 Sun, 04/20/2008 - 13:45

Thanks jon,


That is the thing, I am not sure if I need layer 3 or just layer 2.


If all ports on one 3550 are workstations and I need to have the workstations get a DHCP address from another vlan, can the 3550 be a layer 2 or does it need to be layer 3?


The other 3550 trunked to the core replacement 3550 will have several vlans all accessing each other.


This is where I am getting stuck, If I create an SVI on the 3550s, then I make the Default gateway of each device in its respective vlan the SVI on the 3550 correct?


If that is the case, why did not having the SVI on the 3550 allow me to access everything that the 6509 sees but not get a DHCP address?


In that case the 3550 (what I had) was a layer 2, but I could get to everything but get a DHCP address.


"Vlan 10 needs to exist on all 3 switches"


Means SVI with an IP address in vlan 10?




lamav Sun, 04/20/2008 - 13:46

Wilson:


Here is a sample of the configs that you might want to have.



3500 switch


[This will be a Layer 2 switch that does NOT do any inter-vlan routing.
IP routing will NOT be enabled.
The only Layer 3 interface that should be configured is the management interface to support remote access.
The management interface can be placed in the same vlan as the user vlan, although, oftentimes, administrators create separate management vlans.
Since no IP routing will be enabled on the Layer 2 device, you will need to configure the default gateway for this switch so it will know how to return IP traffic being sent to it from the network manager's telnet session.
I will not show it now for simplicity's sake, but since it will be part of a switched access layer design, you should configure RPVST+, with ancillary features, like UDLD aggressive, bpduguard, port fast, etc.]


[configure the vlan in Layer 2]

vlan 10
 name user-vlan


[configure typical end-user interface that user PCs will plug into]

interface xxxx
 switchport
 switchport mode access
 switchport access vlan 10
 speed auto
 duplex auto
 no shutdown


[configure dot1q trunk between the 3500 and the 6509. All vlans will be allowed by default]

interface yyyyy
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed auto
 duplex auto
 no shutdown

interface vlan 10
 description MANAGEMENT INTERFACE FOR THIS SWITCH
 ip address 10.10.20.5 255.255.255.0
 no shut

ip default-gateway 10.10.20.2 [SVI INTERFACE ON 6509]



6509 Switch


[IP routing will be configured on the 6509 switch to support inter-vlan routing and enterprise-wide communication]

ip routing

vlan 10
 name user_vlan

interface yyyyy
 description dot1q trunk between 3500 and 6509
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed auto
 duplex auto
 no shutdown

interface vlan 10
 description Layer 3 SVI for vlan 10
 ip address 10.10.20.2 255.255.255.0
 ip helper-address x.x.x.x
 no shut



Remember, this is just a general approach, but I have addressed the major points that you need to think of. I did not address the routing protocol config, but I am sure the 6509 is already configured for that.


HTH


Victor
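The checklist in Victor's sample configs (no `ip routing` and an `ip default-gateway` on the Layer 2 3500, access ports in a vlan that exists at Layer 2, dot1q trunks, and on the 6509 an SVI per user vlan with an `ip helper-address`) can be checked mechanically. The following is an added example written for this thread, not code from any poster or from Cisco: a small lint over IOS-style config text. The sample configs are constructed; interface names are placeholders and the helper address reuses the 10.1.10.2 value from Wilson's post. The `NO_HELPER_6509` sample reproduces the fault Wilson eventually found, an SVI without the right helper address.

```python
"""Lint a few IOS-style config fragments against the thread's Layer 2 / Layer 3 checklist."""
import re

# Commands that end an 'interface' stanza and live at global config level.
GLOBAL_PREFIXES = ("vlan ", "ip routing", "ip default-gateway", "router ", "hostname ")


def parse_ios(text):
    """Return (global commands, {normalised interface name: [commands]}).

    Bracketed notes such as '[SVI INTERFACE ON 6509]' are stripped, since the
    posted sample used them as comments. 'interface Vlan10' and
    'interface vlan 10' both normalise to 'vlan10'."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = re.sub(r"\[.*?\]", "", raw).strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].lower().replace(" ", "")
            interfaces.setdefault(current, [])
        elif line.startswith(GLOBAL_PREFIXES):
            current = None
            globals_.append(line)
        elif current is not None:
            interfaces[current].append(line)
        # anything else (e.g. 'name user-vlan' under 'vlan 10') is not needed here
    return globals_, interfaces


def defined_vlans(globals_):
    """VLAN ids created at Layer 2 with a 'vlan N' command."""
    vlans = set()
    for cmd in globals_:
        m = re.fullmatch(r"vlan (\d+)", cmd)
        if m:
            vlans.add(int(m.group(1)))
    return vlans


def lint_l2_switch(text):
    """Findings for a switch that is meant to be Layer 2 only (the 3500 here)."""
    findings = []
    globals_, interfaces = parse_ios(text)
    if "ip routing" in globals_:
        findings.append("'ip routing' is enabled on a switch meant to be Layer 2 only")
    if not any(g.startswith("ip default-gateway") for g in globals_):
        findings.append("no 'ip default-gateway': management replies cannot leave the vlan")
    vlans = defined_vlans(globals_)
    for name, cmds in interfaces.items():
        if name.startswith("vlan"):
            continue  # the management SVI is the one Layer 3 interface allowed
        for cmd in cmds:
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if m and int(m.group(1)) not in vlans:
                findings.append(f"{name}: access vlan {m.group(1)} does not exist at Layer 2")
        if "switchport mode trunk" in cmds and "switchport trunk encapsulation dot1q" not in cmds:
            findings.append(f"{name}: trunk has no explicit dot1q encapsulation")
    return findings


def lint_l3_switch(text, dhcp_client_vlans):
    """Findings for the switch that routes between vlans and relays DHCP (the 6509)."""
    findings = []
    globals_, interfaces = parse_ios(text)
    if "ip routing" not in globals_:
        findings.append("'ip routing' missing: no inter-vlan routing")
    for vlan in dhcp_client_vlans:
        cmds = interfaces.get(f"vlan{vlan}")
        if cmds is None:
            findings.append(f"no SVI for vlan {vlan}: nothing can relay its DHCP broadcasts")
            continue
        if not any(c.startswith("ip address ") for c in cmds):
            findings.append(f"vlan{vlan}: SVI has no ip address")
        if not any(c.startswith("ip helper-address ") for c in cmds):
            findings.append(f"vlan{vlan}: no ip helper-address, DHCP clients in vlan {vlan} get no lease")
    return findings


# Constructed samples modelled on the thread; interface names are placeholders.
GOOD_3500 = """\
vlan 10
 name user-vlan
interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface vlan 10
 ip address 10.10.20.5 255.255.255.0
ip default-gateway 10.10.20.2 [SVI INTERFACE ON 6509]
"""

NO_HELPER_6509 = """\
ip routing
vlan 10
 name user_vlan
interface GigabitEthernet1/1
 description dot1q trunk between 3500 and 6509
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface Vlan10
 description Layer 3 SVI for vlan 10
 ip address 10.10.20.2 255.255.255.0
"""

# Same SVI with the helper address from Wilson's post added (still inside the Vlan10 stanza).
FIXED_6509 = NO_HELPER_6509 + " ip helper-address 10.1.10.2\n"

if __name__ == "__main__":
    print("3500:", lint_l2_switch(GOOD_3500) or "clean")
    print("6509 without helper:", lint_l3_switch(NO_HELPER_6509, [10]))
    print("6509 with helper:", lint_l3_switch(FIXED_6509, [10]) or "clean")
```

Run it as-is and the only finding is the missing helper address on the 6509's vlan 10 SVI, which matches the cause Wilson reports later in the thread; a lint like this cannot tell whether the server behind the helper address is actually up.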




lamav Sun, 04/20/2008 - 13:55

Wilson:


I edited my post above a bit after you rated it (I'm assuming it was you), so I'm letting you know so you can read it again and make sure you got it all.


Thanks


Victor

wilson_1234_2 Sun, 04/20/2008 - 14:20

Thanks, I had this for Jon, but not sure if he will see it:


That is the thing, I am not sure if I need layer 3 or just layer 2.


If all ports on one 3550 are workstations and I need to have the workstations get a DHCP address from another vlan, can the 3550 be a layer 2 or does it need to be layer 3?


The other 3550 trunked to the core replacement 3550 will have several vlans all accessing each other.


This is where I am getting stuck, If I create an SVI on the 3550s, then I make the Default gateway of each device in its respective vlan the SVI on the 3550 correct?


If that is the case, why did not having the SVI on the 3550 allow me to access everything that the 6509 sees but not get a DHCP address?


In that case the 3550 (what I had) was a layer 2, but I could get to everything but get a DHCP address.


"Vlan 10 needs to exist on all 3 switches"


Means SVI with an IP address in vlan 10?

lamav Sun, 04/20/2008 - 15:17

Wilson:


"That is the thing, I am not sure if I need layer 3 or just layer 2.


If all ports on one 3550 are workstations and I need to have the workstations get a DHCP address from another vlan, can the 3550 be a layer 2 or does it need to be layer 3?"


Wilson, I think the problem is that you don't understand how DHCP works and what a vlan is.


A vlan is a Layer 2 broadcast domain. That means all devices that are part of the same vlan will receive the layer 2 broadcast traffic from any sender on that vlan.


When a DHCP-configured client (be it a computer or any other network aware device) connects to a network, the DHCP client sends a layer 2 broadcast query requesting necessary information from a DHCP server. That's how it announces its presence on the network.


If the DHCP server is sitting on that vlan, just like every other host on the vlan, it will receive the DHCP request packet and respond. BUT, if it is not located on the same vlan, you will need to configure the helper address on the SVI interface for that vlan. The SVI interface will receive the DHCP broadcast (remember, it IS a host on the vlan) and forward it to the helper address. It will act as a proxy between the DHCP client and the DHCP server, which sits on ANOTHER vlan.


So, go back to your initial questions...


Do you need to configure an L3 SVI on the 3500? No, not at all. The client's DHCP request will be broadcast throughout the vlan to the SVI interface on the 6509, which will forward the DHCP traffic to the DHCP server (the helper address).


All the L2 broadcast traffic will travel up the trunk and into the 6509's vlan domain.


As far as your other 3500, it's the same thing. Leave it an L2 switch, configure all the vlans you want, and trunk them all to the 6509. That's it.


I hope you don't think of this as a schizophrenic dissociation, but just try to think of the vlan members in an L2 switch as prisoners sitting in locked cell blocks in a jail. Can they communicate with each other? No. They are isolated.


BUT, when they all travel on the chow line (a trunk) to the chow hall (the 6509 switch), THEN they can talk to each other. So, all the prisoners in cell block A (vlan 10) and all the prisoners in cell block B (vlan 20) and all the prisoners in cell block C (vlan 30), have to get out of their cells in their layer 2 cell blocks, travel up the chow line to the chow hall (6509), and THEN they can talk to each other and plan a riot.


Get it?


The 6509 will do all the intervlan routing for all the vlans configured on the 3500 switches.


Lastly, a vlan must be configured/activated on ALL switches that are meant to carry its traffic. Either the config is a L2 config or L3 SVI config. I have displayed how to do both.


HTH


Victor



wilson_1234_2 Sun, 04/20/2008 - 16:12

Victor,


Thanks for your input.


I am trying to grasp the concept and I have an annoying characteristic of my learning that I keep asking questions until I understand it.


So let me run down this again (your explanations are excellent by the way).


In my scenario in the 3550 switch that was trunked to the 6509, we are saying I only need layer 2 vlans and that if all ports are configured for workstations, that all workstations will "see" the SVI on the 6509 as their default gateway.


The same with the other switch that had servers connected, which had a trunk from it to the first 3550 (trunked to the 6509), so it had to go through trunk #1 from itself to the 3550 (trunked to the 6509) then through the second trunk, to the 6509, and it still would "see" the SVI of the server?


Is that correct? If so, I think I am getting it.


I could have put as many trunks in series as I wanted, and as long as all vlans were trunked, I would get to the SVI on the 6509 from that respective vlan as long as the port was a member?


Correct and those are layer 2 vlans?


Please confirm the above.


If all of the above is correct, then I had a problem because I could not get an address from the server, even though ip helper was configured on the 6509 workstation vlan.


Also, I have an additional component to the scenario if you are up for it:


OSPF from the 6509.





lamav Sun, 04/20/2008 - 19:07

Wilson:


"I am trying to grasp the concept and I have an annoying characteristic of my learning that I keep asking questions until I understand it."


That's OK. That's what you're supposed to do.



"In my scenario in the 3550 switch that was trunked to the 6509, we are saying I only need layer 2 vlans and that if all ports are configured for workstations, that all workstations will "see" the SVI on the 6509 as their default gateway."


Yes, that's pretty much it.


You should understand that there isn't really a layer 2 vlan, per se, or a layer 3 vlan. A vlan is a vlan. It is a virtual LAN. There are different existential components of it, though. There is the layer 2/switched/ethernet component of it, and then there is the layer 3/routed/IP component.


So, depending on a switch's capabilities, you can, if you wanted to, configure the switch to perform both layer 2 and layer 3 functions of the vlan.


In your scenario, you have a 3550 and it has been decided by you that it will perform the layer 2 functions of the vlan. OK, no big deal. You create the vlan in layer 2, name it, and then place different access ports in that vlan. So, any workstation/server/IP host in general that is plugged into that switch port will be placed in the vlan for that port.


Now, since the switch is only performing the layer 2 component, the vlan's ethernet traffic will have to be sent "up" to the next layer switch to be routed so that users on that vlan can communicate with users on other vlans. On the switch performing the layer 3 functions of the vlan is where you will configure the layer 3 interface for that vlan.


The layer 2 interfaces were all the end user interfaces that devices were plugged into, as well as the trunk ports on the layer 2 switch.


The layer 3 interface on the switch that will perform the layer 3 functions of the vlan is called the SVI -- switched virtual interface. It is a layer 3/routed/IP interface with an IP address assigned to it. That interface will have a routing protocol running on it if you want to advertise reachability information for the network (vlan) it belongs to. I think that may be what you wanted to discuss regarding OSPF.


Think of the SVI as the gateway to the rest of the vlans. If traffic wants to leave or enter the vlan, it will pass through the SVI.


And you are correct again, the hosts on the vlan will "see" the SVI, meaning the SVI will be reachable through layer 2 because it's just another host on the vlan. An ethernet broadcast from one host will be "seen" by every other host on that vlan because a vlan is one broadcast domain. It's this ability to communicate over layer 2 with the SVI that allows it to obtain an IP address so that it can start communicating over layer 3.


"I could have put as many trunks in series as I wanted, and as long as all vlans were trunked, I would get to the SVI on the 6509 from that respective vlan as long as the port was a member?"


Correct. You can extend the layer 2 domain with trunks over 3, 4, 5, 6 hops and more. So, a user on vlan 10 in switch 1 can communicate over layer 2 with a host in vlan 10 on switch 6.


"If all of the above is correct, then I had a problem because I could not get an address from the server, even though ip helper was configured on the 6509 workstation vlan."


I do agree that you have a problem with users in a vlan being able to obtain an IP address, even though you do have the ip helper address configured. That is exactly why I joined in on this thread in the first place and why I asked you to post the configs of the 3500 switches, as well as the 6509.


HTH


Victor




wilson_1234_2 Mon, 04/21/2008 - 03:25

Thank you for the outstanding explanations,


I found out why the DHCP did not work:


The DHCP server was not configured on the downstairs SVI interface as ip-helper.


The only server that was configured, was not up when we were trying to get communication up with the 3550s.


I have a scenario concerning OSPF, if you are up for it, that happened that same night.

Correct Answer
lamav Mon, 04/21/2008 - 09:07

Wilson:


I'm really glad you figured out the DHCP mystery! :-)


This was a really good VLAN thread. A lot of basic operational concepts were discussed, so I think you should mark the particular post that actually solved your problem, and Cisco will archive it.


That said, it may be a better idea to start a new thread for the OSPF scenario you want to present to everyone for analysis. This way the thread remains easy to follow along one specific track. Yes?


By the way, thank you kindly for your generous ratings.


Victor

Jon Marshall Sun, 04/20/2008 - 19:09

Richard


Nothing wrong with asking questions :-)


Victor has given a very good explanation of how L2 vlans and L3 vlan interfaces work.


You are right in what you say, if you had 3 or 4 3550 switches all interconnected with trunks then assuming


1) the vlans exist at layer 2 on each switch, i.e. "sh vlan" shows the vlan existing

2) the vlans are allowed on all the trunks


then yes they would all be able to use the SVI on the 6500 as their default-gateway.


Vlans are layer 2 by definition. So just to clarify


"sh vlan" will show you the L2 vlans on a switch.


"sh ip int brief" would show you the L3 interface(s) on a switch.


As for OSPF, bear in mind that it will only run on the 6500 and the WAN router, as all your 3550 switches will not be routing. So OSPF packets will simply use the 3550 switches to pass packets between the 6500 and the WAN router.


Jon

wilson_1234_2 Mon, 04/21/2008 - 03:21

Thanks jon,


Concerning OSPF, would the router and 6509 become OSPF neighbors and exchange LSAs with each other if they were several trunk links apart?

Correct Answer
Jon Marshall Mon, 04/21/2008 - 03:28

As long as the vlan that the router and the 6500 have in common is allowed on all the trunk links then yes, they will exchange LSAs.


Jon
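Two answers in this thread rest on the same Layer 2 rule: Victor's point that a workstation's DHCP broadcast floods up the trunks to the 6509's SVI (so the 3500 needs no SVI of its own), and Jon's point that the 6500 and the 7206 will form an OSPF adjacency across several trunks as long as their common vlan exists on every switch and is allowed on every trunk. The following is an added example written for this thread, not code from any poster or from Cisco: a small model of that rule. The topology, addresses, device names, and the choice of vlan 40 (the "routers" vlan from the first post) as the 6509/7206 peering vlan are constructed assumptions that mirror the thread rather than anyone's actual config.

```python
"""Model Layer 2 reachability across trunks and answer the DHCP and OSPF questions from the thread."""
from collections import deque

ALL_VLANS = {10, 20, 30, 40, 50}   # workstations, servers, printers, routers, management


class Device:
    def __init__(self, name, vlans, svis=None):
        self.name = name
        self.vlans = set(vlans)         # vlans that exist at Layer 2 (what 'show vlan' lists)
        self.svis = dict(svis or {})    # vlan -> helper address, or None for an SVI with no helper


class Topology:
    def __init__(self):
        self.devices = {}
        self.trunks = []                # (end_a, end_b, allowed vlans)

    def add(self, device):
        self.devices[device.name] = device
        return device

    def trunk(self, a, b, allowed):
        self.trunks.append((a, b, set(allowed)))

    def broadcast_domain(self, start, vlan):
        """Devices reached by a frame flooded in `vlan` from `start`.

        A trunk forwards the frame only if the vlan is allowed on it, and the
        far side only takes part if the vlan exists there at Layer 2."""
        if vlan not in self.devices[start].vlans:
            return set()
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for a, b, allowed in self.trunks:
                if cur not in (a, b) or vlan not in allowed:
                    continue            # trunk does not carry this vlan
                nxt = b if cur == a else a
                if nxt in seen or vlan not in self.devices[nxt].vlans:
                    continue            # already visited, or vlan not defined on the far side
                seen.add(nxt)
                queue.append(nxt)
        return seen

    def dhcp_relay_available(self, access_device, vlan):
        """(device, helper) whose SVI relays the client's DISCOVER, or None if no SVI with a helper hears it."""
        for name in sorted(self.broadcast_domain(access_device, vlan)):
            helper = self.devices[name].svis.get(vlan)
            if helper:
                return name, helper
        return None

    def share_vlan_end_to_end(self, dev_a, dev_b, vlan):
        """OSPF precondition from Jon's answer: both ends have a Layer 3 interface
        in `vlan` and the vlan is carried on every trunk between them."""
        both_l3 = vlan in self.devices[dev_a].svis and vlan in self.devices[dev_b].svis
        return both_l3 and dev_b in self.broadcast_domain(dev_a, vlan)


def build_topology(core_helper="10.1.10.2", edge_to_second=ALL_VLANS, edge_to_router=(40,)):
    """Wilson's replacement layout (constructed): the surviving 6509, a 3550 standing in
    for the lost core switch, a second 3550 for extra ports, and the 7206 WAN router."""
    t = Topology()
    t.add(Device("core6509", ALL_VLANS, {10: core_helper, 20: None, 30: None, 40: None, 50: None}))
    t.add(Device("edge3550", ALL_VLANS, {50: None}))       # management SVI only, no ip routing
    t.add(Device("second3550", ALL_VLANS, {50: None}))
    t.add(Device("rtr7206", {40}, {40: None}))              # dot1q subinterface in the router vlan
    t.trunk("core6509", "edge3550", ALL_VLANS)
    t.trunk("edge3550", "second3550", edge_to_second)
    t.trunk("edge3550", "rtr7206", edge_to_router)
    return t


if __name__ == "__main__":
    # Workstation on the second 3550, vlan 10: its DISCOVER floods two trunks up to the 6509's SVI.
    print("relay:", build_topology().dhcp_relay_available("second3550", 10))
    # The fault Wilson found: the 6509 SVI had no working helper address.
    print("no helper:", build_topology(core_helper=None).dhcp_relay_available("second3550", 10))
    # A trunk that prunes vlan 10 breaks the same flood.
    print("vlan pruned:", build_topology(edge_to_second={20, 30, 40, 50}).dhcp_relay_available("second3550", 10))
    # OSPF: 7206 and 6509 share vlan 40 across two trunks, unless a trunk drops it.
    print("ospf ok:", build_topology().share_vlan_end_to_end("rtr7206", "core6509", 40))
    print("ospf broken:", build_topology(edge_to_router={10}).share_vlan_end_to_end("rtr7206", "core6509", 40))
```

The model deliberately has no notion of an SVI on the access switch: an SVI with a helper on the 3500 would make DHCP work, as Wilson saw, but only by masking the missing helper on the 6509, and it would also put a second default gateway candidate in the vlan.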

Istvan_Rabai Sun, 04/20/2008 - 15:18

Hi Richard,


Victor is telling you the right things.


Based on your previous post I assumed you already had the 3550 in layer2 mode, this is why I was confused about the behavior of your config.


You wrote the following:


"In the original scenario:

I have a 3500 trunked to a 6509 carrying all vlans.


VTP is configured and the 3500 is acting as a client."


Sorry for the inconvenience, and please do what Victor suggested you to do.


Thanks:

Istvan
