VLAN design

Sep 4th, 2009

Hi,


There are two L3 switches (Catalyst 4503) to be deployed as core switches and five access switches (Catalyst 2960) for connecting to desktop PCs. The vendor proposes two designs. We would like to seek your expertise on which one is the best, or whether another design would be a better approach. Thanks


rdgs



Design A: VLAN

! Router 4503
interface fa0/2
 switchport mode access
 switchport access vlan 2
!
interface fa0/3
 switchport mode access
 switchport access vlan 3
!
interface fa0/4
 switchport mode access
 switchport access vlan 4
!
interface fa0/5
 switchport mode access
 switchport access vlan 5
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 description default VLAN
!
interface vlan 2
 ip address 192.168.2.1 255.255.255.0
 description VLAN 2
!
interface vlan 3
 ip address 192.168.3.1 255.255.255.0
 description VLAN 3
!
interface vlan 4
 ip address 192.168.4.1 255.255.255.0
 description VLAN 4
!
interface vlan 5
 ip address 192.168.5.1 255.255.255.0
 description VLAN 5

! 2960
interface fa0/1
 switchport mode access
 switchport access vlan 2
 description VLAN 2
:
:
interface fa0/8
 switchport mode access
 switchport access vlan 2
 description VLAN 2
!
interface fa0/9
 switchport mode access
 switchport access vlan 3
 description VLAN 3
:
:
interface fa0/16
 switchport mode access
 switchport access vlan 3
 description VLAN 3

Design B: VLAN + 802.1Q

! Router 4503
interface fa0/24
 switchport mode trunk
 switchport trunk encapsulation dot1q
 description first trunk
!
interface fa0/23
 switchport mode trunk
 switchport trunk encapsulation dot1q
 description first trunk

! 2960
interface fa0/2
 switchport mode access
 switchport access vlan 2
!
interface fa0/3
 switchport mode access
 switchport access vlan 3
!
interface fa0/4
 switchport mode access
 switchport access vlan 4
!
interface fa0/5
 switchport mode access
 switchport access vlan 5
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 description default VLAN
!
interface vlan 2
 ip address 192.168.2.1 255.255.255.0
 description VLAN 2
!
interface vlan 3
 ip address 192.168.3.1 255.255.255.0
 description VLAN 3
!
interface vlan 4
 ip address 192.168.4.1 255.255.255.0
 description VLAN 4
!
interface vlan 5
 ip address 192.168.5.1 255.255.255.0
 description VLAN 5
!
interface fa0/23
 switchport mode trunk
 switchport trunk encapsulation dot1q
 description first trunk
!
interface fa0/23
 switchport mode trunk
 switchport trunk encapsulation dot1q
 description first trunk

jproos Fri, 09/04/2009 - 02:20

I would definitely go for the second design. This is much more scalable (what if you add another VLAN? You would have to add a new cable to each access switch!). This really is what trunks were invented for.


Some other thoughts:

- Try to avoid the use of VLAN1, this could be a security issue, google for "VLAN1 security" for more info.

- Just adding two trunks between your switches will not be sufficient. Spanning Tree will shut down one of them, so you'll end up with a single 100 Mbit link to handle your traffic. You should combine the two ports into a "port-channel" by using the command channel-group.

- You will probably want to uplink each access switch to both core switches. (Another reason to use trunks: it would cost you 10 interfaces on each access switch to uplink 5 VLANs to two core switches, which is not scalable.)

- You should consider using gigabit uplinks between access and core; the price difference is quite minimal, and 100 Mbit or 200 Mbit shared between 20 PCs could become a bottleneck.

Joseph W. Doherty Fri, 09/04/2009 - 03:49

BTW, if your network is small enough (e.g. only five 2960s) that a pair of 4503s is suitable, you might want to consider a much less expensive L3 switch. A stack of 3750s might work just as well for you. Or if you prefer not to stack, a pair of 3560s.

b.julin Fri, 09/04/2009 - 12:10

Neither design is good. The second one is trying to use an L2 2960 as an L3 switch.


First, you should uplink each access switch via the 2 built-in Gi ports gi0/1 to the core, even if the core is 100Mbps, since it allows you to drop in a gig core later. If it's over copper, this is a no-brainer. If over fiber, you'll have to assess the cost of throwing away some 100FX SFPs to get SX SFPs for the upgrade versus getting a gig blade for the 4503. If you are intent on doing 100FX I sure hope your fiber plant is multimode :-)


Whether you should go one to each core switch, or etherchannel two to a single core switch depends on your physical situation, but in either case, the uplinks should be trunks, not access links, and the L3 vlan interfaces should be on the core switches.



Mohamed Sobair Fri, 09/04/2009 - 12:45

Hi,


I would go with design A.


Cisco recommends moving the layer-3 routed design to the access layer.


There are many advantages of using layer-3 access design:


1- Improved convergence.

2- Traffic load balancing.

3- Single set of troubleshooting.

4- Simplified multicast config and single control plane.


Having said that, it's recommended to use EIGRP or OSPF between the access and the distribution, in your case the core.


I would also remove VLAN 1 for security reasons and assign the management to another VLAN.


HTH

Mohamed

anitachoi3 Sun, 09/06/2009 - 07:38

Hi experts,


Thank you for your idea and suggestion.


For the design A, some enhancements would be deployed to improve the design as below:


- Avoid using VLAN 1 to be the user or server VLAN

- Uplink port would be Giga ethernet

- The uplink cable is fiber; MMF interfaces would be considered for the order

- OSPF would be configured for internal routing protocol.



The advantage of design A should have:

- Improved convergence.

- Traffic load balancing.

- Single set of troubleshooting.

- Simplified multicast config and single control plane


For the design B, some enhancements would be deployed to improve the design as below:


The advantage of design B should have:


- Avoid using VLAN 1 to be the user or server VLAN

- Uplink port would be Giga ethernet

- The uplink cable is fiber; MMF interfaces would be considered for purchase

- "Channel-group" would be considered to increase the bandwidth of the uplink trunks

- EtherChannel would be considered for availability

- OSPF would be configured as the internal routing protocol.





Besides, there are some issues I would like to clarify with the experts. I would be grateful for any idea or suggestion.


Design A

1. Should the VTP be enabled to sync the VLAN DataBase between two core switches?


2. If all VLAN would be configured on all access switch 2960, there are many uplinks to core switch for same VLAN communication. How to address this issue to combine the uplinks to two or three ports only?


3. What is the disadvantage of design A?


Design B

4. For the design B, could VLAN 3 be configured on different two or three access switches (e.g. c2960-01, c2960-02, c2960-03)? If so, how does the c2960-01 know that some hosts within VLAN 3 to be in c2960-02? From my understanding, the traffic, which goes to trunk port, should be the inter-vlan traffic outside VLAN3.


e.g. C2960-01 VLAN2 and VLAN3

C2960-02 VLAN3 and VLAN4

C2960-03 VLAN5 and VLAN3


5. What is the advantage of design B?


6. What is the disadvantage of design B?


7. For network security, the active VLANs would be specified. If a new VLAN is added to the network, would the configuration of all 2960 and 4503 switches have to be modified, otherwise the existing VLANs could not communicate with the hosts sitting on the new VLAN? Any idea how to tackle this issue, to achieve the minimum administration work and adequate network security, so that unauthorized network equipment cannot be connected to the network easily?



Design A and Design B

8. Would Flex Link be deployed in design A or B? If so, the spanning tree L2 protocol should be disabled. Any advantage of Flex Link?


9. If load sharing (or balancing) is one of the requirements, what protocol should be implemented? Which design component would be added? Related configuration or a URL is much welcome

Your help is much appreciated


rdgs


Jon Marshall Sun, 09/06/2009 - 11:50

Anita


It's quite difficult to say what the best design is because you haven't given any requirements but from the devices you are using some things can be said.


Firstly you cannot use L3 from the access-layer as Mohammed suggested simply because the 2960 is not a L3 switch so you will have to run L2 uplinks from the access-layer.


Also as Brian pointed out the second design simply isn't possible because a 2960 switch cannot support multiple L3 vlan interfaces and route between them.


Since you have 2960 in the access-layer you will not be running a routing protocol from the access-layer. So when you write -


"The advantage of design A should have:

- Improved convergence.

- Traffic load balancing .

- single set of troublshooting.

- simplified multicast config and single control plane"


i'm not sure entirely what you mean. OSPF will only be running between the 2 4500 distribution switches and will not extend to the access-layer.


You should definitely run trunks from the 2960 switches to the distribution switches. The reason being that you will need at least 2 vlans per 2960 switch. I say at least because again we don't have any requirements but at a minimum


1) One vlan for clients - data

2) One vlan for managing the 2960 switch


optionally you may need a further vlan for voice if you are going to be running VOIP to clients.


VTP - you have 2 options -


1) the 4500 switches are both VTP servers and the 2960 switches are VTP clients. Advantage is you only need to update one of the 4500 switches and the changes will be propagated to all other switches. Disadvantage is you can accidentally overwrite the vlan database of all switches when you introduce a new switch.


2) You can make all the switches VTP transparent. Advantage and disadvantage the opposite of 1).


It's not going to make a huge difference which one you use.


As for uplinks. You should look to uplink each 2960 switch to both 4500 switches. Each uplink would be a L2 trunk. Because of STP one of the uplinks will block per vlan. Let's assume you have 1 data vlan and a management vlan per 2960. If you want to utilise both links for the data vlan then you can


1) etherchannel but then you have to send both links to the same 4500 and if that 4500 goes down you have lost connectivity.


2) You could use a L3 link between the 4500 switches. Then both uplinks can be used. This is a perfectly valid design choice and maximises the bandwidth from the 2960 switches.


3) Joseph makes a very valid point however about 3750 switches in a stack instead of the 4500s. If you use a 3750 stack you can then create an etherchannel from the 2960 switches and use cross-stack etherchannel on the 3750 switches which means you have an etherchannel going to both 3750 switches.


If you decide to have multiple data vlans per 2960 you can actually use one of the links for one vlan and the other link for the other vlan etc. This is done by setting the STP root on the relevant 4500 and matching it to the HSRP active gateway.


Design B just won't work as previously said.


As for standard procedures -


1) Do not use vlan 1 for anything

2) On the L2 trunks set a specific vlan to the native vlan. This vlan should not be used for any end devices and it does not need a L3 SVI because the native vlan never needs routing

3) Allocate another vlan which does not have a L3 SVI and assign any unused ports into this vlan and shut down those ports.

4) The management vlan for the switches should be a dedicated vlan that is only used for managing the switches.


To further secure your switches use this white paper as a starter -


http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns17/networking_solutions_whitepaper0900aecd80459628.html


Having said all that, the above is really very generic information. As i initially said without knowing what your requirements are that's all it can be.


Jon
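One way to write design B with the standard procedures above applied (no VLAN 1, a dedicated untagged native VLAN with no SVI, unused ports parked and shut, a management-only VLAN, routing only on the 4503, and the two uplinks bundled as jproos suggested). This is an added example, not the vendor's or Jon's configuration; the port numbers, VLANs 100/998/999 and the 192.168.100.0/24 management addresses are assumptions.

```cisco
! ===== 4503 (core, L3) ===== added example with assumed port/VLAN numbers
vlan 2-5
vlan 100
 name MGMT
vlan 998
 name UNUSED-PORTS
vlan 999
 name NATIVE
!
! SVIs only for VLANs that must be routed (2-5 and 100). There is deliberately
! no "interface vlan 1" and no SVI for 998 or 999, so frames in those VLANs
! can never be routed anywhere.
interface Vlan2
 description user VLAN 2
 ip address 192.168.2.1 255.255.255.0
interface Vlan100
 description switch management only, no end devices
 ip address 192.168.100.1 255.255.255.0
!
! Two uplink ports to c2960-01 bundled with LACP into one port-channel, so
! STP sees a single link instead of blocking one of the pair. The trunk pins
! the native VLAN, limits the allowed list, and disables DTP negotiation.
! On the 4500 the encapsulation is set before "switchport mode trunk".
interface range GigabitEthernet2/1 - 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-5,100
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-5,100
 switchport mode trunk
!
! ===== 2960 (access, L2 only) =====
vlan 2-5,100,998,999
!
! The one and only SVI is the management address; user VLANs get no IP here.
interface Vlan100
 ip address 192.168.100.11 255.255.255.0
ip default-gateway 192.168.100.1
!
interface range FastEthernet0/1 - 8
 description user ports in VLAN 2
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! Unused ports: parked in a VLAN that has no SVI, and shut down.
interface range FastEthernet0/17 - 22
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Uplink pair mirrored on the access side (2960 trunks are dot1q only, so
! there is no encapsulation command to give).
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-5,100
 switchport nonegotiate
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-5,100
```

After applying it, "show interfaces trunk" on either side should list native VLAN 999 and allowed VLANs 2-5,100 on Po1 only, and "show etherchannel summary" should show both members in one bundle.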

Correct Answer
Mohamed Sobair Sun, 09/06/2009 - 16:48

Hi Jon,


Good catch. I actually missed the point that the 2960 doesn't support L3 SVI functionality.


My suggestion was purely based on the design recommendation and I didn't look at the switch series. However, you mentioned that OSPF should be running between the distribution 4503 switches, but the design (Routed Access design) illustrates the opposite, as it clearly points out that routing, including OSPF or EIGRP, should be running between the access layer and the distribution layer as well.


Pls refer to the attached document,


HTH

Mohamed



Jon Marshall Mon, 09/07/2009 - 02:22

Mohamed


"However, you mentioned the OSPF should be running between the distribution 4503 series, but the design (Routed Access design) illustrates the opposite as they clearly pointed out the routing including OSPF or Eigrp to be running between the access layer to the distribution layer as well."


Agreed. My comment about OSPF/EIGRP only running between the 4500 switches was referring to Anita's setup and not a generic L3 routed access-layer.


You are quite right that in a routed access-layer OSPF/EIGRP is used not only in the distribution layer but also extends to the access-layer.


Jon

anitachoi3 Mon, 09/07/2009 - 08:47

Hi,


Thank you for your valuable idea and suggestion.


However, I would like to clarify some points and what they really mean:



---- Jon ----

2) On the L2 trunks set a specific vlan to the native vlan. This vlan should not be used for any end devices and it does not need a L3 SVI because the native vlan never needs routing

3) Allocate another vlan which does not have a L3 SVI and assign any unused ports into this vlan and shut down those ports.

4) The management vlan for the switches should be a dedicated vlan that is only used for managing the switches.

----- end of message -----


Does the above message respond to the following question?


------ Anita's question -----

Design B

4. For the design B, could VLAN 3 be configured on different two or three access switches (e.g. c2960-01, c2960-02, c2960-03)? If so, how does the c2960-01 know that some hosts within VLAN 3 to be in c2960-02? From my understanding, the traffic, which goes to trunk port, should be the inter-vlan traffic outside VLAN3.


e.g. C2960-01 VLAN2 and VLAN3

C2960-02 VLAN3 and VLAN4

C2960-03 VLAN5 and VLAN3

-------- end of question -----



If yes,

Item 2, grateful if you could elaborate it, example is much appreciated

Item 3, grateful if you could elaborate the first part, I understand the unused ports to be shutdown.

Item 4, the management VLAN is the native VLAN, isn't it? If not, I would be grateful if you could elaborate.


Besides, could the 2960 switch (c2960-01) pass local VLAN traffic (e.g. VLAN 3) to another 2960 switch (c2960-02) on which the same VLAN (VLAN 3) is configured, via the trunk ports in between the L3 switch (core switch)?


Grateful if you could advise on following:


8. Would Flex Link be deployed in design A or B? If so, the spanning tree L2 protocol should be disabled. Any advantage of Flex Link?


9. If load sharing (or balancing) is one of the requirements, what protocol should be implemented? Which design component would be added? Related configuration or a URL is much welcome


Thank you very much


rdgs



Correct Answer
Jon Marshall Mon, 09/07/2009 - 09:20

Anita


"Does the above message respond to the following question?"


No, these were just general best practices.


In answer to your design B question it all depends on whether you need multiple vlans on each 2960 or not. All inter-vlan routing is done on the 4500 switches.


Because you are using L2 trunks to the 2960 switches then yes you could have vlan 3 for example on all the 2960 switches and they would all be able to communicate. If this was a routed access-layer then that would not work but as we have already discussed, you can't have a routed access-layer with 2960 switches.


So when you say


"If so, how does the c2960-01 know that some hosts within VLAN 3 to be in c2960-02? From my understanding, the traffic, which goes to trunk port, should be the inter-vlan traffic outside VLAN3."


that's not correct with a L2 access-layer. The traffic that goes to the trunk port can either be traffic


1) destined for another vlan

2) destined for the same vlan on another switch


As for the best practices -


2) the native vlan is simply the vlan on a trunk link for which packets are not tagged. Just simply pick an unused vlan, and by unused I mean no ports allocated to this vlan.


3) To route between vlans on a L3 switch you create a L3 SVI (switched virtual interface) ie.


int vlan 3
 ip address 192.168.5.1 255.255.255.0


if the vlan doesn't have a L3 interface then any device connected into that vlan cannot talk to any other device on another vlan. This is exactly what you want for unused ports.


4) The management vlan by default is vlan 1. By default the native vlan is vlan 1. But those are only the defaults. You should change them. So as discussed choose an unused vlan for the native vlan and do not create a L3 SVI for this vlan.

As for the management vlan, again this should be changed from vlan 1. Choose a new vlan and only use this for managing the switches ie. no end devices should be allocated into this vlan.


8) Never used flexlink so can't really comment.


9) You need to read what I have written in the previous post. You cannot run L3 from the access-layer so you cannot use a routing protocol such as OSPF/EIGRP to use equal cost paths from the access-layer.


You can do a rudimentary form of load-sharing at L2 but it depends on how many vlans you have per 2960. If for example you only have 1 data vlan and 1 management vlan per 2960 there is no point in trying to load-share because the management traffic is minimal and the vast bulk of traffic is from the data vlan. As I say, with L3 you could load-share the one vlan and that is one of the benefits of using L3.


However if you had 2 data vlans on the 2960 switch then you could load-share ie.


the 2960 is connected via a L2 trunk to each 4500 switch. The 2 vlans are vlan 10 & vlan 11.


On 4500_1


set spanning-tree root for vlan 10

set HSRP active for vlan 10


on 4500_2


set spanning-tree root for vlan 11

set HSRP active for vlan 11


then traffic for vlan 10 will go to 4500_1 and traffic for vlan 11 will go to 4500_2. Note that this assumes you have a L2 trunk between switches.


There is so much more that could be written about the design setup but it really does depend on what your requirements are. The 2 very basic designs outlined in your original post are only a starting point and there is a lot more you need to flesh out before implementing it.


Jon
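The per-VLAN load-sharing Jon sketches above, written out as an added example (not Jon's configuration): 4500_1 is STP root and HSRP active for vlan 10, 4500_2 for vlan 11, and the two are joined by the L2 trunk Jon says is required. Addresses, port numbers and native VLAN 999 are assumptions; hosts in each VLAN use the HSRP virtual address (.1) as their gateway.

```cisco
! ===== 4500_1: STP root and HSRP active for vlan 10, standby for vlan 11 =====
! Added example with assumed addresses and ports.
spanning-tree mode rapid-pvst
spanning-tree vlan 10 priority 4096
spanning-tree vlan 11 priority 8192
!
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 standby 11 ip 192.168.11.1
 standby 11 priority 90
 standby 11 preempt
!
! ===== 4500_2: the mirror image, root and active gateway for vlan 11 =====
spanning-tree mode rapid-pvst
spanning-tree vlan 10 priority 8192
spanning-tree vlan 11 priority 4096
!
interface Vlan10
 ip address 192.168.10.3 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 90
 standby 10 preempt
interface Vlan11
 ip address 192.168.11.3 255.255.255.0
 standby 11 ip 192.168.11.1
 standby 11 priority 110
 standby 11 preempt
!
! ===== L2 trunk between the two 4500s (same config on both ends) =====
! Without it, vlan 11 frames that arrive at 4500_1 have no L2 path to the
! vlan 11 root and active gateway on 4500_2.
interface GigabitEthernet2/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,100
 switchport mode trunk
!
! ===== 2960: one trunk to each 4500, both carrying vlans 10 and 11 =====
! With these priorities, per-VLAN STP blocks Gi0/2 for vlan 10 and Gi0/1 for
! vlan 11, so each VLAN forwards on the uplink towards its own root, which is
! also that VLAN's HSRP active gateway.
interface GigabitEthernet0/1
 description to 4500_1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,100
interface GigabitEthernet0/2
 description to 4500_2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,100
```

Check the result with "show spanning-tree vlan 10" and "show spanning-tree vlan 11" on the 2960 (one uplink should be Altn/BLK per VLAN) and "show standby brief" on each 4500 (Active for one VLAN, Standby for the other).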
