04-08-2009 08:04 AM - edited 03-06-2019 05:04 AM
Hi,
I think I have the answer to this one but just need clarification if somebody wouldn't mind.
I'm in the process of redesigning our campus network which currently employs campus wide vlans. (10 in total)
I'm looking at the routed access layer design however we have one application which requires one of the existing VLANS to remain as a campus wide VLAN due to the application requiring MAC address information.
I take it there is no way I can keep this single campus wide vlan but still employ the routed access layer design in the rest of the campus?
I'm thinking that the routed uplinks will not be able to carry the single vlan to all switches on campus.
Hope it makes sense.
Thanks
04-08-2009 08:11 AM
You are correct, but there is a way. What we do is have a second connection between our buildings that only carries that VLAN (layer 2). So that VLAN is spanned across the campus and normal user VLANs are routed. Does my explanation make sense?
04-08-2009 08:12 AM
Paul
You are correct. A routed access-layer reduces the flexibility in terms of vlan deployment although there are significant advantages as well.
What you could do, if you have a spare fibre from each switch is to use a single access vlan on that link and route the rest of the vlans although this is a bit of a kludge. The vlan you need across all switches would be routed on the distribution switches.
Alternatively you could look into L2TPv3 which allows you to extend a L2 vlan across a L3 routed network.
Depends how much effort you need to put in weighed against the advantages you are gaining from L3.
Jon
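Jon's second option above (L2TPv3 to carry one VLAN over the routed core) looks like this in IOS. This is an added example, not configuration from anyone in the thread; it assumes a router platform that supports L2TPv3 xconnect at each end (the question of whether a Catalyst 4506 does is not answered on this page), hypothetical loopback addresses 10.255.0.1 / 10.255.0.2 reachable over the routed campus, and that VLAN 2 is the campus-wide VLAN the MAC-based application needs.

```cisco
! ---- SITE A router (hypothetical addressing, added example) ----
! Loopback is the pseudowire endpoint; it must be routed across the campus.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Control-channel authentication: stops an unauthenticated peer from
! bringing up a pseudowire into the spanned VLAN. It does NOT encrypt
! the data plane; run this inside IPsec if the path is untrusted.
l2tp-class L2TP-AUTH
 authentication
 password 0 REPLACE-ME-WITH-SHARED-SECRET
 hello 10
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
!
! Physical port faces the access switch on an 802.1Q trunk.
interface GigabitEthernet0/1
 description Trunk from access switch carrying VLAN 2 only
 no ip address
!
! Only the tagged subinterface for VLAN 2 is cross-connected, so only
! that VLAN is tunnelled; everything else stays routed as before.
! xconnect <peer-loopback> <vcid> ... : the VC ID (2) must match on both sides.
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 xconnect 10.255.0.2 2 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! ---- SITE B router: mirror image ----
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
l2tp-class L2TP-AUTH
 authentication
 password 0 REPLACE-ME-WITH-SHARED-SECRET
 hello 10
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
!
interface GigabitEthernet0/1
 description Trunk from access switch carrying VLAN 2 only
 no ip address
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 xconnect 10.255.0.1 2 encapsulation l2tpv3 pw-class PW-L2TPV3
```

Two checks before relying on this: `show xconnect all` should report the VC as UP on both routers, and the routed path between the loopbacks must carry the extra L2TPv3/IP overhead, so either raise the core MTU or expect fragmentation of full-size frames from the spanned VLAN. Note that the tunnelled VLAN is still one broadcast domain across the campus, so a loop or storm inside VLAN 2 at either end is carried over the pseudowire just as it would be over a spanned trunk.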
04-08-2009 08:18 AM
5 for both of you.
Simple but effective, never thought of having another link between switches!
:-)
04-08-2009 09:14 AM
Interesting. We are also migrating to a L3 access layer and will eventually run into a problem where we need to span a layer 2 vlan. Do you know if the 4506 sup 5 and 6 support this feature? From what I've read it's just L2TP.
04-08-2009 10:42 AM
What Collin and I were referring to is not a feature as such so it's not a question of whether the 4506 would support it or not.
Basically from each access-layer switch you run both routed AND L2 uplinks to the distribution switches. All the vlans that are routed in the access-layer go across the L3 uplink. But you can't do this with the vlan that needs to be present on multiple access-layer switches. So you have a separate physical connection that is a L2 link for that specific vlan only.
Does this make sense ?
Jon
04-08-2009 09:46 AM
Unsure whether this is what Jon is describing, but you should be able to run two VLANs across the physical links between L3 switches. The one VLAN could be your global VLAN, the second one unique to, and between, the pair of L3 devices, and is used for routed traffic. I.e. a "spare" or second physical connection shouldn't be necessary.
04-08-2009 10:38 AM
Joseph
No, this wasn't what I was describing. I was talking about the main uplink being a routed L3 link and all the vlans on the access-layer switches had their L3 interface on the access-layer switches.
However for the vlan that needs to be present on all access-layer switches then you would need a second physical link for that vlan between all access-layer switches and the distribution switches. The L3 interface for that vlan would be on the distribution switch.
If the uplink is a L3 routed link you can't then use this same link to carry a L2 vlan.
Perhaps I am misunderstanding?
Jon
04-08-2009 10:52 AM
Jon, I am reading this thread and I think you and Colin are understanding the requirements of the OP.
It's nice to be able to run a routed access layer, but if it requires a "kludge" of a set up (ehem, gotta look that one up!), or some inconsistent implementation, I would just go with the switched access layer and be done with it.
I'm not 100% sure, but I think that a routed access layer may also present more challenges with regard to a WLAN deployment and roaming.
I would say just deploy spanning tree in an aggressive manner, follow Cisco best practices, and make sure that forwarding, failover, traffic patterns, and root bridge elections are deterministic.
I think he'll be OK.
Just my 2 cents...
Victor
04-08-2009 11:06 AM
Victor
I kind of agree with you to an extent. If you find you are having to add separate links because of the need to have vlans on multiple access-layer switches then I would be inclined to go with a L2 access-layer. It should also be ringing alarm bells as to whether the design is fit for purpose.
Wireless can be an issue depending on how you set it up but in addition there is the problem of using IDS within a L3 routed access-layer.
Even Cisco's design docs state that the L2 access-layer is still by far the most common and that although L3 does have its advantages and we both know what these are :-), it is still not as flexible as L2.
STP isn't all that bad :-)
Jon
04-08-2009 11:25 AM
Jon, then I do have something different in mind.
You peer the routers on a VLAN trunk port, not a routed port. Since it's a VLAN trunk, you can have one VLAN dedicated for the transit router-to-router traffic, and the second as the global VLAN.
04-08-2009 11:39 AM
Joseph
Yes that would be another approach but the key thing is that it is no longer a true routed access-layer design because you have extended L2, and consequently STP, to the access-layer.
I guess it's L2 and a half :-)
Jon
04-08-2009 12:06 PM
I was under the impression Jon that you meant that L2TPv3 could be run across the L3 link and encapsulate a layer 2 vlan. In terms of the "Layer 2.5" we have that implemented on our Metro ISP connection for a few of our sites where we don't have dark fiber. We use a vlan to transport EIGRP information about the routed access layer switches, works great for that kind of connection. What I mentioned earlier is that we are currently migrating to a true routed access layer and have a computer that needs to be on a layer 2 vlan which will eventually be divided by the routed link. It's more of a convenience for the person using it. So not my problem when I change it to layer 3 link but hoped there would be another way to extend the layer 2 vlan without a second uplink.
04-08-2009 12:28 PM
Michael
I was at a client site that used that set up.
They had a DR site and another branch office connected to their main site by using a multipoint Metro-E connection, TLS. They needed both a routed link to pass eigrp updates back and forth and they also needed to span their server farm vlan because they did data dumps, replication to their DR site every night.
So, what I did was something like this:
=======
DR SITE
=======
vlan 2,21
interface range FastEthernet0/1 - 24
description 10 / 100 Port
switchport access vlan 2
switchport mode access
switchport nonegotiate
load-interval 60
mls qos trust cos
speed auto
duplex auto
spanning-tree portfast
spanning-tree guard root
no shutdown
interface GigabitEthernet0/1
description Connection to TLS
switchport access vlan 21
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
load-interval 60
no shutdown
!
interface Vlan2
description Connection to Servers
ip address 172.16.0.250 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan21
description Connection to TLS
ip address 172.16.200.5 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
!
router eigrp 200
network 172.16.200.0 0.0.0.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.200.1
=============
BRANCH OFFICE
=============
interface GigabitEthernet0/0
description Connection to TLS circuit
ip address 172.16.200.4 255.255.255.248
ip summary-address eigrp 200 172.20.0.0 255.255.240.0 5
load-interval 60
duplex full
speed 100
media-type rj45
no keepalive
!
!
!
router eigrp 200
network 172.16.200.0 0.0.0.255
no auto-summary
ip route 0.0.0.0 0.0.0.0 172.16.200.1
===========
MAIN OFFICE
===========
interface Vlan2
description SERVER 2 VLAN
ip address 172.16.2.1 255.255.255.0 secondary
ip address 172.16.16.1 255.255.255.0 secondary
ip address 172.16.1.1 255.255.254.0
no ip redirects
!
!
!
interface Vlan21
description TLS WAN vlan
ip address 172.16.200.1 255.255.255.248
!
router eigrp 200
network 172.16.0.0 0.0.1.255
network 172.16.200.0 0.0.0.255
no auto-summary
!
So, interface vlan 21 at all sites has eigrp running on it and establishing neighborships and passing routes back and forth, while server vlan 2 at the DR site was spanned to the main office for data replication purposes.
I thought it was weird when I did it -- and I still do. lol
So, what you have is sort of a hybrid (layer 2.5) set up. It's a trunk that carries routing updates between eigrp peers as well as L2 traffic.
Any thoughts on this?
Joseph, is something like this what you were thinking of before?
Victor
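Joseph's suggestion (peer the switches on a trunk with one transit VLAN for routed traffic and one spanned VLAN) and Victor's TLS configuration above describe the same "layer 2 and a half" uplink. The following is an added example of that design applied to a campus access/distribution pair, not configuration from anyone in the thread. It assumes hypothetical port names and addresses, VLAN 2 as the campus-wide VLAN the MAC-based application needs, VLAN 21 as the per-uplink transit VLAN, Catalyst-style IOS syntax, and EIGRP AS 200 as in Victor's post. It adds the controls a practitioner would want on such a trunk: the allowed-VLAN list is pruned to exactly the two VLANs, the native VLAN is an unused one, DTP is off, the spanned VLAN has no SVI on the access switch, the distribution switch is pinned as STP root for it, and EIGRP is authenticated and passive everywhere except the transit VLAN.

```cisco
! ================= ACCESS SWITCH (routed access layer) =================
! Hypothetical names and addresses; added example, not from the thread.
vlan 2
 name SPANNED-MAC-APP
vlan 21
 name TRANSIT-TO-DIST-A
vlan 999
 name TRUNK-NATIVE-UNUSED
!
! Shared secret for EIGRP neighbour authentication on the transit VLAN.
key chain EIGRP-KC
 key 1
  key-string REPLACE-ME-WITH-SHARED-SECRET
!
! The single uplink is a trunk, but it carries ONLY the transit VLAN and
! the spanned VLAN. Pruning to 2,21 keeps the routed user VLANs off the
! trunk; an unused native VLAN means untagged frames land nowhere useful.
interface GigabitEthernet1/0/25
 description Uplink to DIST-A (transit VLAN 21 + spanned VLAN 2 only)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,21
 switchport mode trunk
 switchport nonegotiate
!
! Transit SVI: the only L3 hop the uplink provides. EIGRP peers here.
interface Vlan21
 description Transit to DIST-A
 ip address 10.255.1.2 255.255.255.252
 ip authentication mode eigrp 200 md5
 ip authentication key-chain eigrp 200 EIGRP-KC
 no ip redirects
 no ip proxy-arp
!
! A normal routed-access user VLAN: its gateway lives on this switch.
interface Vlan10
 description Routed user VLAN, gateway on the access switch
 ip address 10.10.1.1 255.255.255.0
!
! No "interface Vlan2" here on purpose: the spanned VLAN is pure L2 on
! the access switch and its gateway lives on the distribution switch.
interface range GigabitEthernet1/0/1 - 4
 description Hosts of the MAC-bound application (VLAN 2, L2 only)
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
router eigrp 200
 network 10.255.1.0 0.0.0.3
 network 10.10.1.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan21
 no auto-summary
!
! ================= DISTRIBUTION SWITCH DIST-A =================
vlan 2
 name SPANNED-MAC-APP
vlan 21
 name TRANSIT-TO-ACCESS-1
vlan 999
 name TRUNK-NATIVE-UNUSED
!
! STP is back in play for VLAN 2 across every access switch, so fix the
! root here and refuse root claims from downlinks.
spanning-tree vlan 2 root primary
!
key chain EIGRP-KC
 key 1
  key-string REPLACE-ME-WITH-SHARED-SECRET
!
interface GigabitEthernet1/1
 description Downlink to ACCESS-1 (transit VLAN 21 + spanned VLAN 2 only)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,21
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! The one and only gateway for the spanned VLAN on the campus.
interface Vlan2
 description Gateway for spanned VLAN 2
 ip address 10.2.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan21
 description Transit to ACCESS-1
 ip address 10.255.1.1 255.255.255.252
 ip authentication mode eigrp 200 md5
 ip authentication key-chain eigrp 200 EIGRP-KC
 no ip redirects
 no ip proxy-arp
!
router eigrp 200
 network 10.2.0.0 0.0.0.255
 network 10.255.1.0 0.0.0.3
 passive-interface default
 no passive-interface Vlan21
 no auto-summary
```

Give each access switch its own transit VLAN and /30 on the distribution side (22, 23, ... ) so the routed point-to-point links stay point-to-point; only VLAN 2 is shared by all of them. After applying, `show interfaces trunk` on both ends should list exactly VLANs 2 and 21 as allowed and active, `show ip eigrp neighbors` should show the peer on Vlan21 and nothing else, and `show spanning-tree vlan 2` on the access switch should show its uplink as the root port. The caveat Jon raised still stands: for VLAN 2 this is a campus-wide L2 domain with STP, so a loop or broadcast storm in that VLAN reaches every access switch, which is exactly the failure mode the routed access layer was meant to remove.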
04-08-2009 12:41 PM
Vic, that makes sense. I was actually referring to two separate configurations though. One configuration was similar to what you posted, having a layer 2 vlan transport EIGRP routing information, on our Metro E connection, about our Routed access layer switches. The other configuration I was talking about was us moving to a routed access layer on our dark fiber LAN. The problem and question I had was if there was a way to encapsulate a layer 2 vlan over a P2P Layer 3 link. What sparked my interest was the term Jon used, L2TPv3.
I like your configuration, that's clever. Sorry if I got you guys side tracked, especially you Joseph. I thought this was an interesting post.