Migration from Flat L2 to L3 VLANs based network

Answered Question
Sep 2nd, 2010

Hi,

We're looking to migrate our flat network to a VLAN-based network. Currently we have 220 data nodes (default VLAN 1, 192.168.1.x/24) and 200 VoIP nodes (192.168.2.x/24).
The VoIP phones all get DHCP from a firewall and the data VLAN PCs have static IP addresses configured (it's L2, meaning they don't even have a default gateway configured).

Now, we're thinking about using a separate VLAN for VoIP and data on each floor (closet), as below:

Data Center   PC    10.128.1.0/24   VLAN 11
Data Center   VoIP  10.128.2.0/24   VLAN 12

Ground Floor  PC    10.128.3.0/24   VLAN 13
Ground Floor  VoIP  10.128.4.0/24   VLAN 14

Admin Floor   PC    10.128.5.0/24   VLAN 15
Admin Floor   VoIP  10.128.6.0/24   VLAN 16
...

Currently we don't have any L3 switch in our setup, and we will be adding an L3 switch at each closet as well as a couple of L3 stacked switches at the Data Centre.
We have downtime constraints, so we would like to do it phase-wise: move all users on the Ground floor first, then Admin, and so on. We want to move the PC static addresses to DHCP as well.

Attached are the current and proposed setups. I'd like to hear some suggestions as to how to migrate it phase-wise, and also design considerations like where to make the L2/L3 boundary, whether or not to span VLANs across access switches, etc.

Leo Laohoo Thu, 09/02/2010 - 15:45

With Layer 3 on each floor, you can re-use the VLAN numbers and make VLAN identification a lot easier. That said, you only have 3 floors, so it's really not a big ask to remember different VLANs.

syedraheel Sat, 09/04/2010 - 11:36

hmmm....I've attached a diagram of the topology....Now, if I don't want STP anywhere, that would mean that the link between the two dist switches will be an L3 p2p link, right? Which means unique VLANs for each access switch? But we also have users connected on the dist switches, so HSRP needs to be active for those users on that switch? If anyone could help with a config template?

Also, links between dist and core are L3 so do I have to put all of them in same subnet or each link in a /30 subnet? Is it better to run ospf/eigrp or static routes on those links ?

Correct Answer
Jon Marshall Sun, 09/05/2010 - 01:33

syedraheel wrote:

hmmm....I've attached a diagram of the topology....Now, if I don't want STP anywhere, that would mean that the link between the two dist switches will be an L3 p2p link, right? Which means unique VLANs for each access switch? But we also have users connected on the dist switches, so HSRP needs to be active for those users on that switch? If anyone could help with a config template?

Also, links between dist and core are L3 so do I have to put all of them in same subnet or each link in a /30 subnet? Is it better to run ospf/eigrp or static routes on those links ?

Syed

Ideally you don't want any users connected to your distribution switches, or any servers for that matter. If you could move them off, then by all means go with L3 between the distribution switches and then have both L2 uplinks from the access-layer switches forwarding at the same time.

If your switches are L3 in the access-layer then you could go for a fully routed design, i.e. no L2 trunks from the access-layer; instead you use L3 uplinks. With that design STP is not an issue. However, the big limitation with a fully routed access-layer is that you will not be able to have the same vlan on multiple switches, i.e. each switch has to have its own vlan.

So if you stick with L2 at the access-layer then you could still have a routed link between the distribution switches and run HSRP for all vlans, including the users connected to the distribution switches. The HSRP messages for all vlans would go via the access-layer switches. However, I would personally have a separate L2 link between the distribution switches for the vlan(s) that the users who are directly connected to the switch are in. If there were multiple vlan(s) like this the connection would need to be a trunk, but the key thing would be to make sure only the vlans for users directly connected are allowed on this trunk. The vlans on the access-layer switches should not be allowed on the trunk. That way you can still use both uplinks from each access-layer switch to forward traffic.

Or you could simply interconnect your distribution switches with an L2 trunk for all vlans and let STP (preferably RSTP) block one of the access-layer uplinks.

As for links between distribution and core: if they are L3 routed links, i.e. you configure the IP address on the actual physical interface, then you have no choice but to use separate /30 subnets for each link.

Jon
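As an added illustration (not a config from Jon or anyone else in the thread), here is a Cisco IOS template that puts the pieces of the design above together for one floor of the original poster's VLAN plan: an L2 access switch with per-floor data and voice VLANs and pruned uplinks, an L3 distribution switch running HSRP for those VLANs with a DHCP helper, a /30 routed link between the distribution switches and a separate /30 to the core, and a restricted L2 trunk between the distribution switches carrying only the VLAN of users cabled directly to them. Interface numbers, the DHCP server address (10.128.1.50), the routed-link subnets (10.128.255.0/30 and 10.128.255.4/30), the EIGRP AS number, and the choice of VLAN 11 for the directly connected users are all assumptions for the example; the second distribution switch mirrors this with the other half of each /30 and a lower HSRP priority.

```cisco
! ===== Access switch, Ground Floor (L2 only): VLAN 13 data, VLAN 14 voice =====
vlan 13
 name GF-DATA
vlan 14
 name GF-VOICE
!
! Edge ports: data VLAN plus voice VLAN, edge-port STP settings so a
! user-attached switch cannot take over the topology
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 13
 switchport voice vlan 14
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Both uplinks (one to each distribution switch) carry only this floor's VLANs.
! Because the distribution switches have no L2 path between them for 13/14,
! there is no loop and both uplinks forward. Omit the encapsulation line on
! platforms that only support dot1q (e.g. 2960).
interface range GigabitEthernet1/0/25 - 26
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 13,14
!
! ===== Distribution switch 1 (L3) =====
ip routing
!
! SVI per access VLAN: the HSRP virtual address is the clients' default
! gateway; ip helper-address relays DHCP so the PCs can move off static IPs.
! HSRP hellos for these VLANs reach the peer through the access switch.
interface Vlan13
 ip address 10.128.3.2 255.255.255.0
 ip helper-address 10.128.1.50
 standby version 2
 standby 13 ip 10.128.3.1
 standby 13 priority 110
 standby 13 preempt
 standby 13 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
interface Vlan14
 ip address 10.128.4.2 255.255.255.0
 ip helper-address 10.128.1.50
 standby version 2
 standby 14 ip 10.128.4.1
 standby 14 priority 110
 standby 14 preempt
 standby 14 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! Routed point-to-point link to distribution switch 2: its own /30
interface GigabitEthernet1/0/47
 no switchport
 ip address 10.128.255.1 255.255.255.252
!
! Routed link to the core: a separate /30, IP on the physical interface
interface GigabitEthernet1/0/48
 no switchport
 ip address 10.128.255.5 255.255.255.252
!
! Separate L2 trunk to distribution switch 2 for the VLAN of users plugged
! directly into the distribution switches (assumed VLAN 11). The access-layer
! VLANs are deliberately NOT allowed here, so they stay loop-free.
interface GigabitEthernet1/0/46
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 11
!
! Dynamic routing over the /30 links; SVIs stay passive so no routing
! adjacencies are offered on user-facing VLANs
router eigrp 100
 network 10.128.0.0 0.0.255.255
 passive-interface default
 no passive-interface GigabitEthernet1/0/47
 no passive-interface GigabitEthernet1/0/48
```

To verify the intended behaviour after applying this, `show spanning-tree vlan 13` on the access switch should show both uplinks forwarding, `show standby brief` on each distribution switch should show one Active and one Standby per group, and `show interfaces trunk` on the inter-distribution trunk should list only VLAN 11 as allowed.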

martin_knorre Sun, 09/05/2010 - 04:58

Hi,

Why do you want to use L3 in the distribution layer? I would suggest an infrastructure with a core, maybe two Catalyst 6509s or, as a cheaper way, four stacked 3750s; I'm not a designer, so it depends on your budget.

And in the access layer you can use L2 switches, like the 2960 and so on...

I don't know your building and departments, but the requirements for about 500 client systems are fulfilled.

Regards Martin

syedraheel Sun, 09/05/2010 - 22:02

Thanks Jon and Martin...

@ Martin ...we can't afford 6500s here and we have a limited budget. We have 2 stacked switches for the core.....I attached the proposed design earlier in my posts.
