Routed Access Layer,

Unanswered Question
Apr 8th, 2009
User Badges:

Hi,



I think I have the answer to this one but just need clarification if somebody wouldn't mind.


I'm in the process of redesigning our campus network which currently employs campus wide vlans. (10 in total)


I'm looking at the routed access layer design however we have one application which requires one of the existing VLANS to remain as a campus wide VLAN due to the application requiring MAC address information.


I take it there is no way I can keep this single campus wide vlan but still employ the routed access layer design in the rest of the campus?


I'm thinking that the routed uplinks will not be able to carry the single vlan to all switches on campus.


Hope it makes sense.


Thanks

Collin Clark Wed, 04/08/2009 - 08:11
User Badges:
  • Purple, 4500 points or more

You are correct, but there is a way. What we do is have a second connection between our buildings that only carries that VLAN (layer 2). So that VLAN is spanned across the campus and normal user VLANs are routed. Does my explanation make sense?

Jon Marshall Wed, 04/08/2009 - 08:12
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Paul


You are correct. A routed access-layer reduces the flexibility in terms of vlan deployment although there are significant advantages as well.


What you could do, if you have a spare fibre from each switch is to use a single access vlan on that link and route the rest of the vlans although this is a bit of a kludge. The vlan you need across all switches would be routed on the distribution switches.


Alternatively you could look into L2TPv3 which allows you to extend a L2 vlan across a L3 routed network.


Depends how much effort you need to put in weighed against the advantages you are gaining from L3.


Jon

pmcallion Wed, 04/08/2009 - 08:18
User Badges:

5 for both of you.



Simple but effective, never thought of having another link between switches!


:-)

cowetacoit Wed, 04/08/2009 - 09:14
User Badges:

Interesting. We are also migrating to a L3 access layer and will eventually run into a problem where we need to span a layer 2 vlan. Do you know if the 4506 sup 5 and 6 support this feature? From what I've read it's just L2TP.

Jon Marshall Wed, 04/08/2009 - 10:42
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

What Collin and myself were referring to is not a feature as such so it's not a question of whether the 4506 would support it or not.


Basically from each access-layer switch you have both routed AND L2 uplinks to the distribution switches. All the vlans that are routed in the access-layer go across the L3 uplink. But you can't do this with the vlan that needs to be present on multiple access-layer switches. So you have a separate physical connection that is a L2 link for that specific vlan only.


Does this make sense ?


Jon

Joseph W. Doherty Wed, 04/08/2009 - 09:46
User Badges:
  • Super Bronze, 10000 points or more

Unsure whether this is what Jon is describing, but you should be able to run two VLANs across the physical links between L3 switches. The one VLAN could be your global VLAN, the second one unique to, and between, the pair of L3 devices, and is used for routed traffic. I.e. a "spare" or second physical connection shouldn't be necessary.

Jon Marshall Wed, 04/08/2009 - 10:38
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Joseph


No, this wasn't what I was describing. I was talking about the main uplink being a routed L3 link and all the vlans on the access-layer switches had their L3 interface on the access-layer switches.


However for the vlan that needs to be present on all access-layer switches then you would need a second physical link for that vlan between all access-layer switches and the distribution switches. The L3 interface for that vlan would be on the distribution switch.


If the uplink is a L3 routed link you can't then use this same link to carry a L2 vlan.


Perhaps I am misunderstanding?


Jon

lamav Wed, 04/08/2009 - 10:52
User Badges:
  • Blue, 1500 points or more

Jon, I am reading this thread and I think you and Collin are understanding the requirements of the OP.


It's nice to be able to run a routed access layer, but if it requires a "kludge" of a set up (ehem, gotta look that one up!), or some inconsistent implementation, I would just go with the switched access layer and be done with it.


I'm not 100% sure, but I think that a routed access layer may also present more challenges with regard to a WLAN deployment and roaming.


I would say just deploy spanning tree in an aggressive manner, follow Cisco best practices, and make sure that forwarding, failover, traffic patterns, and root bridge elections are deterministic.


I think he'll be OK.


Just my 2 cents...


Victor



Jon Marshall Wed, 04/08/2009 - 11:06
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Victor


I kind of agree with you to an extent. If you find you are having to add separate links because of the need to have vlans on multiple access-layer switches then I would be inclined to go with a L2 access-layer. It should also be ringing alarm bells as to whether the design is fit for purpose.


Wireless can be an issue depending on how you set it up but in addition there is the problem of using IDS within a L3 routed access-layer.


Even Cisco's design docs state that the L2 access-layer is still by far the most common and that although L3 does have its advantages, and we both know what these are :-), it is still not as flexible as L2.


STP isn't all that bad :-)


Jon

Joseph W. Doherty Wed, 04/08/2009 - 11:25
User Badges:
  • Super Bronze, 10000 points or more

Jon, then I do have something different in mind.


You peer the routers on a VLAN trunk port, not a routed port. Since it's a VLAN trunk, you can have one VLAN dedicated for the transit router-to-router traffic, and the second as the global VLAN.

Jon Marshall Wed, 04/08/2009 - 11:39
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Joseph


Yes that would be another approach but the key thing is that it is no longer a true routed access-layer design because you have extended L2, and consequently STP, to the access-layer.


I guess it's L2 and a half :-)


Jon

cowetacoit Wed, 04/08/2009 - 12:06
User Badges:

I was under the impression, Jon, that you meant that L2TPv3 could be run across the L3 link and encapsulate a layer 2 vlan. In terms of the "Layer 2.5", we have that implemented on our Metro ISP connection for a few of our sites where we don't have dark fiber. We use a vlan to transport EIGRP information about the routed access layer switches; works great for that kind of connection. What I mentioned earlier is that we are currently migrating to a true routed access layer and have a computer that needs to be on a layer 2 vlan which will eventually be divided by the routed link. It's more of a convenience for the person using it. So not my problem when I change it to a layer 3 link, but I hoped there would be another way to extend the layer 2 vlan without a second uplink.

lamav Wed, 04/08/2009 - 12:28
User Badges:
  • Blue, 1500 points or more

Michael


I was at a client site that used that set up.


They had a DR site and another branch office connected to their main site by using a multipoint Metro-E connection, TLS. They needed both a routed link to pass eigrp updates back and forth and they also needed to span their server farm vlan because they did data dumps, replication to their DR site every night.


So, what I did was something like this:


=======
DR SITE
=======

vlan 2,21

interface range FastEthernet0/1 - 24
 description 10 / 100 Port
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 load-interval 60
 mls qos trust cos
 speed auto
 duplex auto
 spanning-tree portfast
 spanning-tree guard root
 no shutdown

interface GigabitEthernet0/1
 description Connection to TLS
 switchport access vlan 21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 21
 switchport mode trunk
 load-interval 60
 no shutdown
!
interface Vlan2
 description Connection to Servers
 ip address 172.16.0.250 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan21
 description Connection to TLS
 ip address 172.16.200.5 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
router eigrp 200
 network 172.16.200.0 0.0.0.255
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.200.1

=============
BRANCH OFFICE
=============

interface GigabitEthernet0/0
 description Connection to TLS circuit
 ip address 172.16.200.4 255.255.255.248
 ip summary-address eigrp 200 172.20.0.0 255.255.240.0 5
 load-interval 60
 duplex full
 speed 100
 media-type rj45
 no keepalive
!
router eigrp 200
 network 172.16.200.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.200.1

===========
MAIN OFFICE
===========

interface Vlan2
 description SERVER 2 VLAN
 ip address 172.16.2.1 255.255.255.0 secondary
 ip address 172.16.16.1 255.255.255.0 secondary
 ip address 172.16.1.1 255.255.254.0
 no ip redirects
!
interface Vlan21
 description TLS WAN vlan
 ip address 172.16.200.1 255.255.255.248
!
router eigrp 200
 network 172.16.0.0 0.0.1.255
 network 172.16.200.0 0.0.0.255
 no auto-summary
!

So, interface vlan 21 at all sites has eigrp running on it and establishing neighborships and passing routes back and forth, while server vlan 2 at the DR site was spanned to the main office for data replication purposes.


I thought it was weird when I did it -- and I still do. lol


So, what you have is sort of a hybrid (layer 2.5) set up. It's a trunk that carries routing updates between eigrp peers as well as L2 traffic.


Any thoughts on this?


Joseph, is something like this what you were thinking of before?


Victor

cowetacoit Wed, 04/08/2009 - 12:41
User Badges:

Vic, that makes sense. I was actually referring to two separate configurations though. One configuration was similar to what you posted, having a layer 2 vlan transport EIGRP routing information, on our Metro E connection, about our routed access layer switches. The other configuration I was talking about was us moving to a routed access layer on our dark fiber LAN. The problem and question I had was if there was a way to encapsulate a layer 2 vlan over a P2P Layer 3 link. What sparked my interest was the term Jon used, L2TPv3.

I like your configuration, that's clever. Sorry if I got you guys side tracked, especially you Joseph. I thought this was an interesting post.

Jon Marshall Wed, 04/08/2009 - 13:08
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Michael


Apologies for the confusion. L2TPv3 is indeed used to extend L2 vlans across a L3 routed network but as far as I know it is only supported on routers and not L3 switches.


So you're right in that your 4500 switches wouldn't support it.


Jon
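As an added illustration of what Jon refers to (this is not configuration posted by anyone in the thread), here is the shape of an L2TPv3 pseudowire between two routers that carries one VLAN across a routed core. The router names (R-SITE-A, R-SITE-B), loopback addresses, interface names, VLAN 100 and VC id 100 are all assumptions; the two loopbacks must be reachable through the routed network for the pseudowire to come up.

```cisco
! Added example, not from the thread. Hypothetical names and addresses.
! VLAN 100 on Gi0/1 of each router is the VLAN being spanned; the
! pseudowire rides over whatever routed path connects the two loopbacks.
! Per Jon's remark this is a router feature, so an L3 access switch such
! as the 4500 discussed above would not be where it is configured.
!
! ---- R-SITE-A ----
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
pseudowire-class L2VPN-GLOBAL
 encapsulation l2tpv3
 ip local interface Loopback0
!
! LAN-facing subinterface for the spanned VLAN; xconnect binds it to the
! pseudowire towards R-SITE-B (peer loopback, VC id 100)
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 xconnect 10.255.255.2 100 encapsulation l2tpv3 pw-class L2VPN-GLOBAL
!
! ---- R-SITE-B (mirror image, pointing back at R-SITE-A) ----
interface Loopback0
 ip address 10.255.255.2 255.255.255.255
!
pseudowire-class L2VPN-GLOBAL
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 xconnect 10.255.255.1 100 encapsulation l2tpv3 pw-class L2VPN-GLOBAL
```

Everything received on the VLAN 100 subinterface, broadcasts and BPDUs included, is tunnelled to the other end, so the spanned VLAN remains one fault domain across both sites; the loop concern Jon raises for the shared-link approach applies at the ends of the pseudowire just as it would to a physical L2 link.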

Joseph W. Doherty Wed, 04/08/2009 - 12:34
User Badges:
  • Super Bronze, 10000 points or more

STP might be an issue for the "global" VLAN; the "routed" VLANs, as I described them, should be configured to be unique between L3 switches. I.e. they can't loop.


We're not doing L2 and a half (although I like the term), but just using the same connection for multiple purposes. I.e. we have both a non-routed access layer and a routed access layer. Depends on what VLAN the host is connected to.


[edit]

PS:

If the idea of using non-routed ports for L3 connections seems odd, they might be required for VRF-Lite, which I believe can use VLANs between routers.

Jon Marshall Wed, 04/08/2009 - 13:02
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

"We're not doing L2 and a half (although I like the term), but just using the same connection for multiple purposes."


I know, I was just being facetious :-)


Personally I agree with Victor on this. If you design a L3 routed access-layer and have L3 routed uplinks, i.e. not L2 vlans where the only 2 members of that vlan are L3 peers, but true routed links with no STP, and then realise you need to span a vlan across switches, you should probably be looking at a different design.


Problem with using the same link for multiple purposes is if there is a loop in the global vlan then the loop will affect the entire link. And that for me is one of the major reasons for using a L3 routed access design ie. eliminate STP.


Jon

lamav Wed, 04/08/2009 - 13:10
User Badges:
  • Blue, 1500 points or more

"If you design a L3 routed access-layer and have L3 routed uplinks ie. not L2 vlans where the only 2 members of that vlan are L3 peers, but true routed links with no STP, and then realise you need to span a vlan across switches you should probably be looking at a different design."


Jon, I'll tell you what I would do, though.


If I had to span a vlan across two access switches for, let's say, a floor of users at an office, I would do that. I would run the routed access layer and still span the vlan across those two switches only with an L2 trunk.


If, on the other hand, I had to span a vlan across the entire campus distribution block, that I would not do a routed access layer, but stay switched.


I agree with you that an L2 trunk between routed access switches is not an orthodox access layer, but then again, I have always been an apostate. :-)


Victor

Joseph W. Doherty Wed, 04/08/2009 - 13:33
User Badges:
  • Super Bronze, 10000 points or more

(I knew you were being facetious; and still like 2 and a half.)


As to mixing L2 and L3, OP makes that a requirement. Otherwise, there would be no need for the one global L2 VLAN (and something we try to avoid with L3.)


The real question is whether to use two links or one. Either can work. Personally, I would rather use a 2nd link for additional bandwidth and redundancy in an Etherchannel configuration. Assuming the 2nd link is even currently available. (If STP is involved with dual parents, you would need either 2 uplinks, my method, or 4 uplinks, dedicated method.)


However, for those who find it easier to understand and maintain dedicated links, that's certainly a valid consideration.


(For example I worked on one project where we needed to span OSPF areas between a pair of 7500s. I configured multiple subinterfaces on a FastEthernet port. Another engineer found that complex, so he found some multi-port Ethernet cards, and dedicated one port to each OSPF area. The 7500 had spare card slots and user traffic didn't normally transit the links, so although I was happy with the subinterfaces, not a problem to do it his way either.)


As to the impact of loop issues, if you configured it wrong in either case, you'll likely know it when it happens. Often a loop is more of a problem than just link saturation, and that might be addressed by port QoS. Personally, I would worry more about something like STP configured correctly to break a loop rather than whether a dedicated link can handle the looped traffic. Again, though, if those maintaining the network want to trade off a link for, what they consider, less complexity, and they have considered other tradeoffs, feel free to do so. There's often many ways to deliver the same results.
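To make the two-links-or-one choice debated above concrete, here is an added example (not configuration posted by anyone in the thread) of both approaches on a hypothetical L3 access switch ACCESS-1 uplinked to a distribution switch DIST-1: Joseph's single trunk carrying a per-link transit VLAN plus the global VLAN, and Jon's routed uplink with a dedicated second physical link for the global VLAN. Interface names, VLAN numbers, addresses and the EIGRP AS are assumptions; the storm-control line is an added mitigation for the link-saturation concern Joseph mentions, not something the thread prescribes.

```cisco
! Added example, not from the thread. Hypothetical names and addresses:
!   VLAN 100 = the campus-wide "global" VLAN the application needs
!   VLAN 901 = transit VLAN that exists on this one uplink only
!   User VLAN 10 is routed locally on ACCESS-1 in both variants.
!
! ================= Variant A: one trunk (Joseph) =================
! ACCESS-1
vlan 100
 name GLOBAL-L2
vlan 901
 name TRANSIT-TO-DIST1
!
interface GigabitEthernet1/0/49
 description Uplink to DIST-1: transit + global VLAN only
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,901
 switchport mode trunk
 switchport nonegotiate
 ! assumed mitigation: cap broadcast so a VLAN 100 loop cannot starve
 ! the transit VLAN sharing this link
 storm-control broadcast level 1.00
!
! L3 peering with DIST-1 lives on the transit VLAN; only two members,
! so it cannot form a loop
interface Vlan901
 description Routed transit to DIST-1
 ip address 10.255.1.2 255.255.255.252
!
! No "interface Vlan100" here: VLAN 100 is L2-only on the access switch
interface Vlan10
 description Local user VLAN, routed on ACCESS-1
 ip address 10.10.10.1 255.255.255.0
!
router eigrp 10
 network 10.255.1.0 0.0.0.3
 network 10.10.10.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan901
!
! DIST-1 holds the gateway for the global VLAN
interface Vlan100
 description Global VLAN gateway (distribution layer)
 ip address 10.100.0.1 255.255.255.0
!
! ================= Variant B: two links (Jon) =================
! ACCESS-1
interface GigabitEthernet1/0/49
 description Routed uplink to DIST-1 (no STP on this link)
 no switchport
 ip address 10.255.1.2 255.255.255.252
!
interface GigabitEthernet1/0/50
 description L2-only link to DIST-1 carrying the global VLAN
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 storm-control broadcast level 1.00
!
interface Vlan10
 description Local user VLAN, routed on ACCESS-1
 ip address 10.10.10.1 255.255.255.0
!
router eigrp 10
 network 10.255.1.0 0.0.0.3
 network 10.10.10.0 0.0.0.255
 passive-interface default
 no passive-interface GigabitEthernet1/0/49
```

In both variants the global VLAN's spanning tree reaches the access switch, which is Jon's "L2 and a half" point. The difference is the blast radius: in Variant A a loop or broadcast storm in VLAN 100 saturates the same physical link the EIGRP adjacency depends on, whereas in Variant B the routed uplink carries no STP at all and a storm is confined to the dedicated L2 link. The `storm-control` line is one way to bound that impact; it does not remove the loop, so STP (and root/loop guard on the L2 ports) still has to be configured deterministically as Victor suggests.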

nidesai Tue, 04/28/2009 - 05:21
User Badges:

Hi,


you can use routed access with VSS, which will allow you to use routed subnets and yet allow a few vlans to span. Use a hybrid topology where one can define a VLAN at the distribution layer for spanning. The key thing is to use VSS because it eliminates loops and thus the main risk associated with spanning a VLAN, and also removes the inflexibility of Routed Access in not being able to span a vlan.


HTH

Nimish
