cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1336
Views
12
Helpful
16
Replies

Routed Access Layer

lamav
Level 8
Level 8

How important is it to have a routed connection between 2 switches in a routed server farm access layer?

So, what we have are 2 server farm switches in an HA configuration with L3 uplinks from each to a routed distribution layer, as well as L2 trunks between access switches.

Question:

How important is it to have a routed connection between the 2 routed access layer switches?

My answer is that it is important. The logic is that the 2 switches are in an HA setup, and that makes it all the more imperative that the IP routing and forwarding information in each switch be the same -- identical/synchronized/converged. This will speed up network convergence in the event of a failure of one of the access switches.

There are others who say that for an ACCESS layer, it is not so important because -- and this is where I get fuzzy regarding the stance -- that L2 switching is faster than routing and therefore....I dont know the rest of the argument. maybe you can fill me in. :-)

Thanks

Victor

16 Replies 16

Marwan ALshawi
VIP Alumni
VIP Alumni

lets share the ideas and compair

with routed access layer

u gonna have the SVIs on the access switches and the connection between the access layer and Dist. layer switches will be through layer three connection [routed port]

now no need to any link between the access layer switches the Dist switches need

now if u have a Core layer.. and from Dist layer to core layer ofcourse u have layer three connectivity

and u pass from the Dist layer to the Core layer only summary route..

in this case the core layer will have no knowledge about the connection between the Dist and access layer interfaces and its status because its have only summary route and just when get a packet for that subnet will sent it to the corspoding Dist

so in case of any link down between any Dist and access layer the core will continue send the paccket to the Dist even the connection is down becuase it has only summary no spesific route

so to get around this issue u need a Layer three connection between the Two Dist Switches

two forward the packet to the roght access layer switch in caseof any link down regarding that u have two redundant links with ur Dist switches

hope this helpful

Marwan, I am intimately familiar with everything you have written. I dont think youve answered my question though.

Thanks anyway

Marwan, I am intimately familiar with everything you have written. I dont think youve answered my question though.

Thanks anyway

4rmorris
Level 1
Level 1

There's definitely a place for both models. The big catch with routed access layer is that the subnets are local to the switch. If you have a need to have a subnet span multiple switches, you need a layer 2 connection between them.

This may not be a problem in a branch building. But let's think about a server farm, where all the servers have a port in a VLAN with the backup servers, for faster (non-routed) backup. What if you have 2 server farm switches? You either need multiple backup vlans, or you need to span the backup vlan across the two switches with a layer 2 link.

Also keep in mind that rapid spanning tree can converge in less than 2 seconds.

Be careful not to pigeonhole yourself... think about what you're trying to accomplish, and decide if layer 2 or layer 3 access is right for you. If you assume one is always better, sooner or later you'll run into a case where you can't do something you need to do, and you could have addressed it in the design phase.

Good luck,

Ryan

Thank you, Ryan. I appreciate your time and expertise, however, you, too, have not answered my direct question:

Is there a need for a routed connection between 2 server farm routed access switches? If so, what is its function?

Thats it.

I know about L3 isolation between the distro and core. I know about the limitations of a routed access layer in a server farm. I know a lot about deploying a routed access layer -- seen it in action, too.

What I dont know is whether there must be -- or really should be -- a routed crosslink between the 2 routed access layer switches. And why or why not?

Thank you

Victor

i would say

based on ur question u said

"a routed crosslink between the 2 routed access layer switches"

thats means there is a Dist layer

and u have a routed uplink with that Dist

so one of the Dist roles in this design model is to do rotuing between access layers and u mgiht have filtering there and so on

once u add the routed link between those access layer and u are runing rouing

then this link will effect all the topology design and it might gonna be the default path between the two Access layer switch in the case u gonna bypass the Dist switches

and it is strectly not recomeded from security perspective

lets say u have a 6500 on ur Dist switches and in that 6500 u have FWSM and u want the communication between servers through the FWSM

when u add that link u gonna bypass this security mesurment and the servers can communicate directly through that routed access link

based on those two prespectives it sounds not recomended...

however it is an opetion might need it in a case u might face it in future to bypass somthing and so on..

i hope this time, have answered ur question more preceisly..:)

and good luck

"lets say u have a 6500 on ur Dist switches and in that 6500 u have FWSM and u want the communication between servers through the FWSM when u add that link u gonna bypass this security mesurment and the servers can communicate directly through that routed access link"

Im trying to make sense out of that, but I cant.

Even without a routed link between 2 routed access switches in a server farm, inter-vlan routing will still occur at the access layer. The L3 vlan interfaces will have been configured on the routed access layer and that will facilitate routing (L3 switching) between vlans. You dont need an L3 crosslink for that. The issue with the FW could happen at a routed distro layer with an FWSM, too.

VL

i just mention this as additional example

if u have two ACCESS switches with L3 but they comunicat through a Dist switch u can make the comunication through FWSM

by the way with FWSM u wont creat SVIs for vlans needs to communicate through FWSM

once u created that and those vlans assigned to FWSM the fwsm will be by passed

just u make the default gateway as the FWSM IP inside for example

and the fwsm will route between vlans through the MSFC if u have multiple context or though the FWSM itself only if u have routing between FWSM interfaces only

anyway

hope i was helpful somehow

because my idea is clear

thank u

"by the way with FWSM u wont creat SVIs for vlans needs to communicate through FWSM

once u created that and those vlans assigned to FWSM the fwsm will be by passed"

Marwan, IF YOU DONT CREATE L3 SVIs ON THE ROUTED ACCESS LAYER SWITCHES, THEN IT AINT A ROUTED LAYER ANYMORE, IS IT?

I dont know why you keep adding things to the discussion and creating scenarios that have nothing to do with what Im talking about.

I asked a very straightforward direct question, which I will post again for anyone who wishes to kindly give me some perspective.

In a ROUTED access layer in a server farm, what would be the function of an L3 crosslink between those ROUTED access switches? Is it necessary for resiliency and faster convergence? Why or why not?

Thanks anyway.

ok

i havt but just in respons to the fwsm note u have said

any way

i am happy i had a discussion with u

thank u

Ok, I see what you're saying now. I would say no, you don't need a routed link between the two switches. You probably DO want a layer 2 link between them, so the servers can talk to each other in the same subnet without going up to the core.

I would send all the layer 3 traffic exiting the subnets to the core for routing. Otherwise you're kind of messing with the hierarchical design.

Regards,

Ryan

Edison Ortiz
Hall of Fame
Hall of Fame

Victor,

This is a very strange design proposal at the access-layer. Usually, the design calls for either Layer2 or Layer 3 at the access layer.

Your design is a hybrid design and the importance of having the routed connection isn't something of a main concern but you should be concerned on how the traffic flow would behave in case of different kind of failures.

You have given us the following guidelines:

1) 2 Server Farm switches in HA configuration.

- HA configuration as HSRP, Dual Supervisor or both?

2) Routed links between server farm switches in addition to routed links towards the distribution switches.

- What routing protocol are we using here?

___

Let's pretend you are using HSRP and the server's default gateway points to the HSRP VIP. Access Layer switch A is the active HSRP router. The server is trying to access a device in the internet. The packet leaves the server, it goes to the Switch A, Switch A finds the closest path to the internet. Now, the decision on where to send the packet out will depend on the routing protocol being used between the 3 Layer3 switches. Switch A may use Switch B or the distribution layer switch. How about the return traffic?

In situation like this it's when it comes the importance or lack thereof when setting up routed access layer switches as well as L2 trunks on server farms, we need to understand the whole packet flow rather than just the pure design.

I understand you want to maintain L2 between access for dual home servers, with that in mind, go with access-layer L2 trunks between switch A and B and routed towards the distribution layer.

__

Edison.

Thanks, Edison.

To answer your questions, I am talking about HSRP, single SUP, though.

The routing protocol is eigrp.

Right now it is a routed access layer in a server farm and it has both L3 and L2 crosslinks.

The L2 is for the reason you gave -- L2 adjacency, NIC teaming, etc.

The reason for existence of the L3 is exactly the essence of my question! Perhaps its strange, but it is there in the production network.

So, yesterday, a discussion was had regarding the utility -- in general -- of creating a routed connection between routed access layer switches in a server farm. My interest is in asking WHY one would create the L3 connection insofar as it may effect resiliency, convergence, and some other value-added reason I may be leaving out.

I do understand that providng another routed path may change the routing protocols decision making process for a 'next-hop'....but again, the question is not 'what would happen if' a routed crosslink exists, but 'why would anyone build it in the first place'.

Thanks

Victor

The reason for existence of the L3 is exactly the essence of my question! Perhaps its strange, but it is there in the production network.

In my professional career, I've come across with designs that have no reason. If I were to audit your network, I would've ask the same question you are posing and it would've been directed to whoever came up with that design.

To my knowledge, there is no reason why. Only the person that did it, knows why.

Many assumptions can be made:

- Migration strategy

- Redundancy in case of STP failure (rare)

In short, we can spend our precious day wondering why that person did it and the only answer may be 'because she/he can'.

__

Edison.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco