complex VLAN Routing in an SFE2000 Switch

Unanswered Question
May 7th, 2009
User Badges:

VLAN



G'day All,


We have a central site, with 6 regional sites.

Each regional site is connected to the same ISP, and the traffic is divided by them using a distinct VLAN for each site and at each regional site is a simple router that handles DHCP etc.

Normal routing works fine, if we just use a single VLAN, the routing works, but it is the multiple VLANs where we have issues.


In the central site we have a simple router that has all of the regional LAN/Routes configured and its WAN port is connected to a SFE2000P switch on port E9.

Port E9 is an Untagged member of VLAN’s 1006-1009.

Port E11 of the switch is Trunked and is connected to the ISP’s Cisco router(Port F0/0).

Port E11 is a Tagged member of VLAN’s 1006 thru to 10011.

We are attempting to route to the various regional sites and this fails, UNLESS the corresponding port has a PVID for that regional VLAN :

For example:

Regional1 has a VLAN of 1006 and an IP of 10.10.10.70

Regional2 has a VLAN of 1007 and an IP of 10.10.10.60

Port E9 is set to PVID 1006

If we ping from the local router to 10.10.10.70 it works perfectly.

If we ping from the local router to 10.10.10.60 it fails, and the ARP table of the local router does not show an entry of the Regional2 router MAC address.


If we set Port E9 to PVID 1006

Then if we ping from the local router to 10.10.10.70 it FAILS.

If we ping from the local router to 10.10.10.60 it  works perfectly, and the ARP table of the local router shows an entry of both the Regional1 and 2 router MAC addresses.




For Internet access:

Port E12 is also Trunked to the same Cisco Router (port F0/1) and is a member of VLAN 1012

Ports E19-E24 are in Access Mode and members of VLAN1012.

The internet works perfectly, and is not an issue.


So it would seem that the Trunking is working, but the VLAN routing is not.

I understand that traffic is not broadcast between VLAN's but, as this is a "Layer3" switch why does it not learn the IP/VLAN if it knows the MAC/VLAN?


Any suggestions?


Rgds Ben

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
allyu Tue, 05/12/2009 - 17:39
User Badges:

If the "simple router" is a VLAN aware router, then traffic for VLAN 1006-1011 on the link between the SFE2000 (port E9) and the "simple router" at the central site will have to be VLAN tagged,  the ports on both side of the link will have to be configured as tag member of VLAN 1006-1011, and each VLAN on the "simple router" will have to be configured with the IP subnet corresponding to the VLAN.


If the "simple router" is a traditional router, not a VLAN aware router, then you will have to connect the router with the SFE2000 using 6 Ethernet links.   Each port on the SFE2000 that connects to the router carries traffic of a VLAN untagged.   Each port on the simple router will have be configured with an IP subnet that corresponds to the VLAN on the corresponding SFE2000 port on the other side.


"We are attempting to route to the various regional sites and this fails, UNLESS the corresponding port has a PVID for the regional VLAN".  It fails because your simple router sends only untagged packets either because it is not a VLAN aware router, or is misconfigured if it is VLAN aware router.  Either cases, the SFE2000 will only forward untagged packets include broadcast ARP requests to the VLAN corresponding to the PVID you configure for port E9 on the SFE2000.


This is not a SFE2000 unique issue or solution.  This is the only proper way that you can configure L3 (in this case IP) routing between VLANs.

zentechconsultants Tue, 05/12/2009 - 18:05
User Badges:

G'day Allyu,

Thanks for your response.

The "Simple" routers are not VLAN aware, otherwise we would not have needed the SFE2000 in the central location.


I have managed to get this working by a lot of trial and error and finally configured an IP adress for each of the VLANs directly on the SFE2000.

ie for VLAN1 I configured an IP address in the SFE2000 and a corresponding /30 Subnet so effectively there was only 2 hosts (the regional Router and the SFE2000 VLAN IP). I repeated this for each VLAN, and then configured a Route for each regional VLAN as well.

Once this was done, it all worked as I expected.


But this still seems to be an overly complex configuration.

If I was using physical switches instead of VLAN's, and I connected a physical cable from each Regional switch into the Central switch, ARP would work simply, and learn that the IP/MAC for Regional1 was via Portx. So it surprises me that a similar "Virtual" configuration can not be configured in the Switch.

I had (mistakenly) assumed that placing ports in the same VLAN, also bridged those VLAN's using IGMP snooping.


Rgds Ben

allyu Tue, 05/12/2009 - 18:24
User Badges:

If I understand you correctly you basically configure the SFE2000 to function as a switch and as a VLAN aware router with static routes to each regional subnet,  absorbing the routing function of your "simple router".   This is possible for SFE2000 supports IP routing with static routes.  Theoretically, this is the equivalence of VLAN aware router case in my earlier response.   If it works for you without the need of the "simple router".  That is great

zentechconsultants Mon, 05/18/2009 - 14:05
User Badges:

Actually, it's not, becuase while the "Simple" routers we have are pretty basic, they are much better than the SFE2000, in that they provide more information, Wireless, DHCP, DNS etc. In addition, for monitoring, we now have two completely diffrent device types to monitor, instead of one, so have had to duplicate all of the vairous laerts etc. The outcome to this is that it has cost us (not the client) many hours of work, for no gain in functionality/useability.

If we had known prior to this, exactly what capability the SFE2000 had, and how it worked, we may have designed the WAN differently, but now we are stuck with a very complicated solution for a very simple problem.

The Local Router, now forwards to the Switch, which then forwards to the Regional routers. All of which need their own settings, and routes etc.

After calling the Linksys support 3 times(2hrs, 15 mins, 5 mins) and being told they would "discuss" it with colleagues, and call me back (which never happened), it is clear that this was not as simple a task as I would have imagined. The reason for a helpdesk is to get help. All I needed was. "Sorry, you can't bridge VLANS on this device, you will need to configure the Layer 3 Routing within the device".


So while I will close this request, I'm still not happy with the outcome.

Address resolution and broadcasting should be easy on a Layer3 device so I don't understand why IRB is not a feature of this switch.


Rgds Ben.

Ivor Diedricks Mon, 05/18/2009 - 15:21
User Badges:
  • Cisco Employee,



SFE2000 is a static L3 device and is advertised as such. This means it does not support Dynamic Routing protocols like RIP or OSPF. It can perform inter-VLAN routing at wirespeed but the routes need to be manually configured. Static L3 switches on the market performs the same way. This is not a switch “problem” but really is the nature of how static L3 devices work. This is why you needed to configure the routes manually.


In reference to your comment Sorry, you can't bridge VLANS on this device, you will need to configure the Layer 3 Routing within the device"

<> A switch by its nature forwards L2 traffic within a VLAN transparently and isolates traffic between VLANs. Layer 3 devices (router or L3 switch) perform routing between the VLANs. There are two kinds of L3 devices – static and dynamic. Dynamic routing devices learn about the routes in the network through a routing protocol like RIP or OSPF. With static routing devices, these routes need to be manually configured. BTW, this is true for products from other vendors on the market as well. SFE2000 can perform inter-VLAN routing but the routes need to be manually configured.

zentechconsultants Mon, 05/18/2009 - 18:38
User Badges:

G'day,

All good points, that the Helpdesk should have told me within 15 minutes of my call.

I'm not a Certified Network Engineer, and nor should I be expected to be one when purchasing SME devices.

Isn't that what a Helpdesk is for?


Re documentation, yes I see that now that the "Layer 3" entry does specifically mention Static, and doesn't mention OSPF/RIP.

The reason I thought this would work was because of GARP and GVRP, I had assumed that these would combine to provide the equivalent of ARP. A fact I asked about on the helpdesk as well, but they didn't know.

Even the QA docs on the subject are misleading in my opinion as they say:

VLANs function at Layer 2. Since VLANs isolate traffic within the VLAN, a Layer 3 router working at a protocol level is required to allow traffic flow between VLANs. Layer 3 routers identify segments and coordinate with VLANs. VLANs are Broadcast and Multicast domains. Broadcast and Multicast traffic is transmitted only in the VLAN in which the traffic is generated.

and then:

Combining VLANs and GARP (Generic Attribute Registration Protocol) allows network managers to define network nodes into Broadcast domains.

So thats where I got the idea that GARP/GVRP would do the trick, will obviously in the future look for OSPF and RIP instead.


None of the VLAN Q&A's specifically mention routing between VLAN's and the specific Routing Q&A does not really mention mention VLANs either.

So was there documentation I missed?


My main gripe was that even after I contacted your Helpdesk, I was no better off after 2hrs on the ph and 4 days waiting.

I get it that VLANS are complex, but I expect Vendor support to be a little more responsive. Even Allyu's response, while great, was 5 days after my original post, which was 2 days after my first call to the Helpdesk and 5 days after we had replaced the original SFE1000P with the SFE2000, the former being the ONLY SxExxx switch that does not do "Static" Layer3.....great marketing!

If you are going to produce switches with complex features, such as VLANS, at relatively low price points, than you have to match the customer expectations.

Otherwise, IMHO drop the SxE range, and stick to IOS.


Rgds Ben

Ivor Diedricks Tue, 05/19/2009 - 10:50
User Badges:
  • Cisco Employee,



Ben,


Firstly, SFE1000P is marketed strictly as a L2 switch so no ambiguity around that at all. We market the SxE2xxx family as the static Layer 3 products - if you look at the website and datasheets, you will find this to be true.


Secondly, VLANs and GVRP/GARP operate at L2 in the OSI model. VLANs create isolated workgroups at the layer 2 level and GVRP/GARP provides a way for switches to learn about VLANs configured on another switch dynamically. The statement in the article you attached is accurate - this combination of VLANs and GARP does organize network nodes into broadcast domains. Layer 3 protocols like IP, operate above this layer and it does not mix. IP together with RIP/OSPF does a similar thing at L3 as VLANs with GVRP/GARP accomplish at L2.


Not sure if you have seen the Switch Reference Guide on cisco.com which describes the Static Routing screens for SxE2000 amongst others:

http://www.cisco.com/en/US/docs/switches/lan/csbms/sfe2000/reference/guide/sfe_refguide.pdf


As a company, we have products that deliver dynamic L3 functionality - this is the Catalyst line of switches. The SxE2xxx products address the static L3 part of the market and below. It addresses a specific need and is not intended to solve all problems. It does exactly what it is marketed to do and customers who buy it for that purpose are happy with it.


Ben – if you are willing to post your case number, we can have someone in the Support organization give you a call so that we can engage on this topic directly.


Thanks,

Ivor

zentechconsultants Wed, 05/20/2009 - 15:02
User Badges:

G'day Ivor,


Firstly, I'd like to assure anyone reading this, not to be put off by the Linksys SxE switches, they really are pretty good.


Secondly, Ivor I think we'd better agree to disagree on this, as we are coming from two very different directions.

You are clearly very knowledgeable about both networking and the Linksys/Cisco products and have had a lot of time to absorb the various differences.

I, on the other hand, work in the SME space. This space is dominated by price and variety, I don't think I would have one client that uses all of a single type/vendors products.


Argh!!!!! I just spent approx 2hrs researching my reply, only to get an error, when I submitted, and then the above text was all that was retained. Will know better, next time to write my response in Notepad first.

Anyway, I don't have any more time to spend on this, so forgive my brevity, the previous response was much nicer..


Yes you are right, had I more time I would clearly have made a different choice RE SFE1000P/SFE2000, but the brief descriptions on the model page is misleading. There are a lot of differences between the SxE1 and SxE2 ranges, for example non stacking, Fanless and PoE. So I would have thought highlighting the differences would be more helpful. You have to remember that when we call suppliers they don't necessarily have everything in stock, so our choice (while on the phone) was... SFE1000P or SGE2000...

In fact the most helpful would be a feature Matrix.

I retract my crack about the IOS, it was not called for, the SxE are really good value for money.


RE Case# sorry I had that on a postit, which I think has since gone into the bin. when I didn't think I needed it.

I do think your Helpdesk needs more organisational training though. There is no reason I can think of why (if the answer was so obvious....) that after 3 calls and being told of a "Team Meeting" to discuss the issue, it wasn't resolved. (Note the 2nd call was 2hrs+ and they had full remote control of the PC).


Thanks for the Ref guide, yes I had read this and the statement "Combining VLANs and GARP (Generic Attribute Registration Protocol) allows network managers to define network nodes into Broadcast domains." was what got me on the wrong track RE: GARP/GVRP. As you say, they do a similar thing at Layer2. So for a Network Engineer it may be obvious, but for the rest of us that don't live and breathe the OSI Model, the difference is pretty subtle.


Anyway, bottom line for me is:

I will continue to buy Linksys switches from Cisco, and would recommend them to anyone. But will obviously take more care in the future RE Specs, and hopefully not get the same experience when I call the Helpdesk next time, and will remember to post to this forum!


Rgds Ben.

Actions

This Discussion