Routed Access Layer,

pmcallion
Level 1

Hi,

I think I have the answer to this one but just need clarification if somebody wouldn't mind.

I'm in the process of redesigning our campus network which currently employs campus wide vlans. (10 in total)

I'm looking at the routed access layer design however we have one application which requires one of the existing VLANS to remain as a campus wide VLAN due to the application requiring MAC address information.

I take it there is no way I can keep this single campus wide vlan but still employ the routed access layer design in the rest of the campus?

I'm thinking that the routed uplinks will not be able to carry the single vlan to all switches on campus.

Hope it makes sense.

Thanks

20 Replies

Collin Clark
VIP Alumni

You are correct, but there is a way. What we do is have a second connection between our buildings that only carries that VLAN (layer 2). So that VLAN is spanned across the campus and normal user VLANs are routed. Does my explanation make sense?

Jon Marshall
Hall of Fame

Paul

You are correct. A routed access-layer reduces the flexibility in terms of vlan deployment although there are significant advantages as well.

What you could do, if you have a spare fibre from each switch is to use a single access vlan on that link and route the rest of the vlans although this is a bit of a kludge. The vlan you need across all switches would be routed on the distribution switches.

Alternatively you could look into L2TPv3 which allows you to extend a L2 vlan across a L3 routed network.

Depends how much effort you need to put in weighed against the advantages you are gaining from L3.

Jon

5 for both of you.

Simple but effective, never thought of having another link between switches!

:-)

Interesting. We are also migrating to a L3 access layer and will eventually run into a problem where we need to span a layer 2 vlan. Do you know if the 4506 sup 5 and 6 support this feature? From what I've read it's just L2TP.

What Collin and myself were referring to is not a feature as such so it's not a question of whether the 4506 would support it or not.

Basically from each access-layer switch you have both routed AND L2 uplinks to the distribution switches. All the vlans that are routed in the access-layer go across the L3 uplink. But you can't do this with the vlan that needs to be present on multiple access-layer switches. So you have a separate physical connection that is a L2 link for that specific vlan only.

Does this make sense ?

Jon

Unsure whether this is what Jon is describing, but you should be able to run two VLANs across the physical links between L3 switches. The one VLAN could be your global VLAN, the second one unique to, and between, the pair of L3 devices, and is used for routed traffic. I.e. a "spare" or second physical connection shouldn't be necessary.

Joseph

No this wasn't what I was describing. I was talking about the main uplink being a routed L3 link and all the vlans on the access-layer switches had their L3 interface on the access-layer switches.

However for the vlan that needs to be present on all access-layer switches then you would need a second physical link for that vlan between all access-layer switches and the distribution switches. The L3 interface for that vlan would be on the distribution switch.

If the uplink is a L3 routed link you can't then use this same link to carry a L2 vlan.

Perhaps I am misunderstanding?

Jon

Jon, I am reading this thread and I think you and Collin are understanding the requirements of the OP.

It's nice to be able to run a routed access layer, but if it requires a "kludge" of a setup (ahem, gotta look that one up!), or some inconsistent implementation, I would just go with the switched access layer and be done with it.

I'm not 100% sure, but I think that a routed access layer may also present more challenges with regard to a WLAN deployment and roaming.

I would say just deploy spanning tree in an aggressive manner, follow Cisco best practices, and make sure that forwarding, failover, traffic patterns, and root bridge elections are deterministic.

I think he'll be OK.

Just my 2 cents...

Victor

Victor

I kind of agree with you to an extent. If you find you are having to add separate links because of the need to have vlans on multiple access-layer switches then I would be inclined to go with a L2 access-layer. It should also be ringing alarm bells as to whether the design is fit for purpose.

Wireless can be an issue depending on how you set it up but in addition there is the problem of using IDS within a L3 routed access-layer.

Even Cisco's design docs state that the L2 access-layer is still by far the most common and that although L3 does have its advantages and we both know what these are :-), it is still not as flexible as L2.

STP isn't all that bad :-)

Jon

Jon, then I do have something different in mind.

You peer the routers on a VLAN trunk port, not a routed port. Since it's a VLAN trunk, you can have one VLAN dedicated for the transit router-to-router traffic, and the second as the global VLAN.

Joseph

Yes that would be another approach but the key thing is that it is no longer a true routed access-layer design because you have extended L2, and consequently STP, to the access-layer.

I guess it's L2 and a half :-)

Jon

I was under the impression Jon that you meant that L2TPv3 could be run across the L3 link and encapsulate a layer 2 vlan. In terms of the "Layer 2.5" we have that implemented on our Metro ISP connection for a few of our sites where we don't have dark fiber. We use a vlan to transport EIGRP information about the routed access layer switches, works great for that kind of connection. What I mentioned earlier is that we are currently migrating to a true routed access layer and have a computer that needs to be on a layer 2 vlan which will eventually be divided by the routed link. It's more of a convenience for the person using it. So not my problem when I change it to layer 3 link but hoped there would be another way to extend the layer 2 vlan without a second uplink.

Michael

I was at a client site that used that set up.

They had a DR site and another branch office connected to their main site by using a multipoint Metro-E connection, TLS. They needed both a routed link to pass EIGRP updates back and forth and they also needed to span their server farm vlan because they did data dumps, replication to their DR site every night.

So, what I did was something like this:

=======
DR SITE
=======

vlan 2,21

interface range FastEthernet0/1 - 24
 description 10 / 100 Port
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 load-interval 60
 mls qos trust cos
 speed auto
 duplex auto
 spanning-tree portfast
 spanning-tree guard root
 no shutdown

interface GigabitEthernet0/1
 description Connection to TLS
 switchport access vlan 21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 21
 switchport mode trunk
 load-interval 60
 no shutdown
!
interface Vlan2
 description Connection to Servers
 ip address 172.16.0.250 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan21
 description Connection to TLS
 ip address 172.16.200.5 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
router eigrp 200
 network 172.16.200.0 0.0.0.255
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.200.1

=============
BRANCH OFFICE
=============

interface GigabitEthernet0/0
 description Connection to TLS circuit
 ip address 172.16.200.4 255.255.255.248
 ip summary-address eigrp 200 172.20.0.0 255.255.240.0 5
 load-interval 60
 duplex full
 speed 100
 media-type rj45
 no keepalive
!
router eigrp 200
 network 172.16.200.0 0.0.0.255
 no auto-summary
ip route 0.0.0.0 0.0.0.0 172.16.200.1

===========
MAIN OFFICE
===========

interface Vlan2
 description SERVER 2 VLAN
 ip address 172.16.2.1 255.255.255.0 secondary
 ip address 172.16.16.1 255.255.255.0 secondary
 ip address 172.16.1.1 255.255.254.0
 no ip redirects
!
interface Vlan21
 description TLS WAN vlan
 ip address 172.16.200.1 255.255.255.248
!
router eigrp 200
 network 172.16.0.0 0.0.1.255
 network 172.16.200.0 0.0.0.255
 no auto-summary
!

So, interface vlan 21 at all sites has eigrp running on it and establishing neighborships and passing routes back and forth, while server vlan 2 at the DR site was spanned to the main office for data replication purposes.

I thought it was weird when I did it -- and I still do. lol

So, what you have is sort of a hybrid (layer 2.5) setup. It's a trunk that carries routing updates between EIGRP peers as well as L2 traffic.

Any thoughts on this?

Joseph, is something like this what you were thinking of before?

Victor
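The "layer 2.5" trunk above is the kind of thing that is easy to lose track of later: one trunk port carries a routed transit VLAN (untagged, as the native VLAN) and a spanned server VLAN, and nothing in the posted config limits which other VLANs ride the same Metro-E circuit. The following is an added example, not code from this thread or from Cisco; it is a small Python audit that parses IOS-style config text of the sort Victor posted, lists every trunk port, works out which VLANs it would carry, and flags two things a reviewer would want to know: a trunk with no `switchport trunk allowed vlan` statement (IOS then permits every VLAN active on the switch), and a native VLAN that is also a routed SVI. The sample config is a constructed, condensed copy of the DR-site snippet; interface and VLAN numbers are the ones in the post, and the IOS defaults relied on (native VLAN 1, all VLANs allowed on a trunk by default) are general IOS behaviour, not something the thread states.

```python
"""Audit an IOS-style switch config for 'layer 2.5' trunks (added example, not from the thread)."""
import re

# Constructed sample: the DR-site config from the thread, trimmed to the relevant lines.
DR_SITE_CONFIG = """\
vlan 2,21
interface range FastEthernet0/1 - 24
 switchport access vlan 2
 switchport mode access
interface GigabitEthernet0/1
 description Connection to TLS
 switchport access vlan 21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 21
 switchport mode trunk
!
interface Vlan2
 description Connection to Servers
 ip address 172.16.0.250 255.255.254.0
 no ip proxy-arp
!
interface Vlan21
 description Connection to TLS
 ip address 172.16.200.5 255.255.255.248
 no ip proxy-arp
!
router eigrp 200
 network 172.16.200.0 0.0.0.255
"""


def parse_config(text):
    """Split IOS config into {top-level line: [indented sub-lines]}; '!' separators are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '2,21' or '1-5,10' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit(text):
    """Return {trunk interface: {native, carried, findings}} for every trunk port in the config."""
    sections = parse_config(text)

    # VLANs explicitly created with 'vlan N,M'; VLAN 1 always exists on an IOS switch.
    defined = {1}
    for header in sections:
        m = re.match(r"vlan (\S+)$", header)
        if m:
            defined |= parse_vlan_list(m.group(1))

    # VLANs that have a routed SVI ('interface VlanN').
    svi_vlans = {int(h[len("interface Vlan"):]) for h in sections if h.startswith("interface Vlan")}

    report = {}
    for header, lines in sections.items():
        if not header.startswith("interface ") or header.startswith("interface Vlan"):
            continue
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, None  # IOS defaults: native VLAN 1, all VLANs allowed
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (\S+)", line)
            if m:
                allowed = parse_vlan_list(m.group(1))
        carried = sorted(allowed if allowed is not None else defined)
        findings = []
        if allowed is None:
            findings.append("no allowed-vlan list: trunk carries every VLAN active on this switch")
        if native in svi_vlans:
            findings.append(f"native VLAN {native} is also a routed SVI: routing peers over an untagged VLAN")
        report[header] = {"native": native, "carried": carried, "findings": findings}
    return report


if __name__ == "__main__":
    for port, info in audit(DR_SITE_CONFIG).items():
        print(port, "native", info["native"], "carries", info["carried"])
        for f in info["findings"]:
            print("  -", f)
```

Run against the constructed DR-site snippet, the audit reports GigabitEthernet0/1 as a trunk with native VLAN 21 carrying VLANs 1, 2 and 21, and raises both findings. The first is the one that matters operationally for the hybrid design: pruning the trunk to exactly the transit VLAN and the spanned VLAN keeps a future VLAN added on one site from silently appearing on the provider circuit.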

Vic, that makes sense. I was actually referring to two separate configurations though. One configuration was similar to what you posted, having a layer 2 vlan transport EIGRP routing information, on our Metro E connection, about our Routed access layer switches. The other configuration I was talking about was us moving to a routed access layer on our dark fiber LAN. The problem and question I had was if there was a way to encapsulate a layer 2 vlan over a P2P Layer 3 link. What sparked my interest was the term Jon used, L2TPv3.

I like your configuration, that's clever. Sorry if I got you guys side tracked, especially you Joseph. I thought this was an interesting post.
