Cisco Support Community
Community Member

Deploying vlan and limiting traffic from not reaching network core

Folks:
I am reading the CCNP Switch 642-813 Official Certification Guide (ISBN 978-1-58720-243-8) and I'm a little confused by the following on page 71:

“You should not allow VLANs to extend beyond the Layer 2 domain of the distribution switch. In other words, the VLAN should not reach across the network’s core and into another switch block. The idea again is to keep broadcasts and unnecessary traffic movement out of the core block”.

Can anyone offer a different way of stating this or offer a picture or a diagram? I am having a hard time visualizing what this is trying to say. Is this referring to two different switch blocks/stacks on either side of a switch core if I were to draw the topology flat?

Thanks
JJ

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Deploying vlan and limiting traffic from not reaching network core

JJ

This is referring to the 3 tier design where you have a separate access layer/distribution layer and core layer.

So imagine a campus where you have multiple buildings and a main site. All the other buildings connect to the main site and to get from one building to another they go via the main site.

The main site would have a pair of core switches and a pair of distribution switches + access layer switches. The other buildings would have a distribution pair of switches and access layer switches. Each building's distribution switches would connect back to the core switches, usually with L3 links. In the past you used L2 links, but with L3 switching you now generally route, or more precisely, L3 switch through the core.

What that extract from your book is saying is that each building has its own vlans and they are routed on the distribution switches in each building. Only traffic destined for a vlan, or more specifically a subnet, that is not within the building should be sent to the core switches, which then route it to the correct place.

What you shouldn't do is have a vlan in a building that also extends to the core and possibly to other buildings. This is because a vlan is a broadcast domain so a broadcast in a vlan would be sent to all hosts in that vlan. So if you allow a vlan to extend through the core you are allowing broadcasts from one building to go through the core to other buildings.

The core switches should be left to L3 switch traffic between buildings and pretty much nothing else.

There is usually no need to extend vlans to or across the core, i.e. each set of vlans is terminated on the distribution switches so broadcasts are contained within each building, or again more specifically within each vlan within the building.

One other thing to note is that if you have a single building with maybe just a WAN connection, the 3 tier design is not necessarily the best way to go and a common solution is a collapsed core, where the core and distribution switches are the same physical switches. It saves on cost, and within a single building there is often very little need for a high speed core.

I have used the terms route and L3 switch interchangeably here, but technically all L3 capable switches route in hardware, so to be precise it is L3 switching.

Finally, the above about a single building setup does not refer to a DC, where the rules are somewhat different.

Hope that helps and I haven't confused you more.

Feel free to ask further if needed.

Jon
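To make the design Jon describes concrete, here is an added Cisco IOS configuration sketch for one building's distribution switch (example written for this thread, not taken from the book, from Cisco documentation, or from any poster). Hostnames, VLAN numbers, subnets, interface names and the OSPF areas are all constructed assumptions; the platform-specific `switchport trunk encapsulation dot1q` line is needed on some Catalyst models and rejected on others. The point it shows is where the VLAN stops: the building's VLANs ride an 802.1Q trunk down to the access switch and terminate on SVIs at distribution, while the uplink to the core is a routed port with no VLAN on it at all, so a broadcast in VLAN 20 can never reach the core. It also answers JJ's accounting question: each building gets its own accounting VLAN and subnet, and the two talk to each other via routing.

```cisco
! Building A distribution switch (constructed example; names and addressing are hypothetical)
hostname BLDG-A-DIST1
!
! Enable L3 switching on the distribution switch
ip routing
!
! Layer 2 VLANs exist only inside this building and terminate here
vlan 10
 name BLDG-A-USERS
vlan 20
 name BLDG-A-ACCOUNTING
!
! SVIs: this switch is the default gateway for the building's hosts, not the core
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
! Downlink to an access switch: 802.1Q trunk, pruned to this building's VLANs only
interface GigabitEthernet1/0/1
 description To BLDG-A-ACCESS1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Uplink to the core: routed (L3) port. No VLAN, no trunk, so no broadcast domain crosses it
interface TenGigabitEthernet1/1/1
 description To CORE1 (routed link)
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Advertise the building's subnets to the core. Only traffic for another
! building's subnet (e.g. Building B accounting, 10.2.20.0/24) is routed up this link
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 1
!
! Anti-pattern the book warns against (shown commented out, do not configure):
! trunking VLAN 20 across the core uplink would extend the broadcast domain
! through the core and into other buildings.
!interface TenGigabitEthernet1/1/1
! switchport mode trunk
! switchport trunk allowed vlan 20
```

A quick check that the design is actually in place: on a core switch, `show vlan brief` should list no user VLANs and `show interfaces trunk` should show no trunks on the links towards the distribution pairs; on the distribution switch, `show ip route` should show the remote buildings' subnets learned via the routed uplink rather than any VLAN interface. If a user VLAN ever appears on the core, something has been trunked up that should have stopped at distribution.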

4 REPLIES
VIP Super Bronze

Deploying vlan and limiting traffic from not reaching network core

JJ,

I don't have the book in front of me, but if I were to guess, the book is talking about access, distro, core design. So, what the book is trying to say is that if you have access, distro, core switches, you don't want to extend your vlans beyond your distro switches. In other words, you create the layer-2 vlans on the access switches and trunk them to the distro switches, and that is where you terminate the vlans. Then from the distro to core you use routed layer-3 links. In this case the default gateway for your users is the distro switch and not the core.

HTH

Community Member

Deploying vlan and limiting traffic from not reaching network core

Thank you for the detailed post. In addition, I looked through my CCDA book, and believe I now understand in greater detail what you were trying to describe.

However, let me see if I have this correct: if I have two remote offices, which have their own accounting departments, I should create a vlan at each site for each accounting team, not one large accounting team vlan, since the core (HQ) would be between the two sites. And if the two teams need to communicate or share data, then perform routing with a route outside the vlan?

Hall of Fame Super Blue

Re: Deploying vlan and limiting traffic from not reaching network core

JJ

> However, let me see if I have this correct: if I have two remote offices, which have their own accounting departments, I should create a vlan at each site for each accounting team, not one large accounting team vlan, since the core (HQ) would be between the two sites. And if the two teams need to communicate or share data, then perform routing with a route outside the vlan?

Exactly. There is usually no need to extend the vlan just because they are in the same dept. but different buildings. You would route between those vlans via the high speed core.

There are some scenarios where extending vlans is very useful but you mainly find these in DC setups. Some servers need L2 adjacency for replication etc. so you cannot route between them as it would break that replication. So you may come across DC designs where two DCs have been interconnected and some vlans are extended across the interconnect.

But for standard campus site designs, a L3 core where each building's vlans are routed on the local distribution switch and only traffic to remote vlans (IP subnets) is sent across the core is the far more common approach.

Jon
