I'm in the process of testing a new network environment that uses L3 routed connections instead of L2 trunks. I plan to use L3 routed links all the way to the access layer.
My existing environment consists of a variety of Cisco switches; all connected with L2 trunks. L2 trunks are used between the core and distribution, distribution and the access layer and between access switches as well.
My new environment will use 3550-12Gs at the distribution layer, connected to the core with L3 routed links. 3550s and 3560s will be used at the access layer, connected to distribution with L3 routed links. Each wiring closet will have 3 dedicated VLANs which are only available in that wiring closet.
I have this new topology set up in a test environment (diagram attached) and it works great. Client workstations are able to get IP addresses via DHCP, access to my production network is working and routing works fine.
My problem began to surface when I began to test my wireless APs. My wireless test client associates to the AP just fine, but DHCP does not work. My ip helper-addresses are set up correctly (I believe!). On the AP's con0, I am able to ping my DHCP server (and elsewhere on my production network), but client connectivity does not work.
My wireless network uses autonomous APs - I do not yet have LWAPP, WCS, etc. On all my APs (a mixture of 1231Gs and 1242Gs - 61 of them in total), I use the same wireless VLANs (140-145) to service my entire campus. This, of course, allows client workstation mobility. From the reading I've done here, it seems that the problem is the fact that my VLANs on the AP need to span across multiple wiring closets. Creating six wireless VLANs for each wiring closet is a non-starter. In addition to the wireless VLANs, I have a 'guest' VLAN (for wired 'guest' workstations), a 'pseudo-server' VLAN and a 'test' VLAN that span all switches on my network.
So... am I stuck? Can I move to L3 routed links throughout my campus network *and* keep my wireless, test and guest VLANs? If I *really* have to, I can kill off the guest, pseudo-server and test VLANs, but there's no way I can get rid of the wireless VLANs.
I'm almost sick to my stomach thinking of all the work I've already done and the possibility of not being able to move forward with L3 routed links...
Please help! :)
If you want to keep the wireless VLANs consistent (which makes sense for mobility purposes), you won't be able to fully accomplish what you want to do.
You really need LWAPPs to fully accomplish the move to L3 links while keeping wireless mobility fully operational. Since the LWAPPs tunnel back to the controller, the controller takes care of the mobility, and the VLAN that the access point is on becomes irrelevant.
The only options I see short of LWAPPs would be to either have a separate L2 infrastructure just for the WLAN (separate backbone trunks that just spans the wireless network), or a hybrid between L2 and L3 infrastructure. The access layer switches would still be the gateway for wired clients, but instead of passing the traffic through a routed port, the traffic would carry only the VLANs you need to span (ie wireless) plus one dedicated for the wired traffic (ie a VLAN configured like the routed link, with membership on only the one trunk).
I hope that made sense, and helps.
If LWAPP is the answer, it looks like I'll be moving that direction sooner rather than later.
Am I correct in saying that with a fully routed infrastructure, I am *not* able to use any VLANs that span multiple wiring closets? (ie: my 'guest', test and 'pseudo-server' VLANs will have to go away)
Having said that, if I move L3 routed links to distribution, but keep L2 trunks between distribution and the access layer, does this help me in any way? Perhaps I'll only route to distribution... but from what I visualize, this won't change anything - I still will need unique VLANs/subnets for each distribution switch, correct?
Am I correct in saying that with a fully routed infrastructure, I am *not* able to use any VLANs that span multiple wiring closets?
Yes, in a fully routed infrastructure, VLANs cannot span multiple closets.
You could potentially run a separate guest and pseudo-server VLAN in each closet, but it would be a different subnet for each.
Layer 3 at the distribution but not access layer would allow you to span VLANs across access switches connected to a pair of redundant distribution layer switches (in your diagram you could span VLANs across all of the access layer switches, but if you had another set of distribution layer switches that services other parts of the network, the VLANs could not span to those switches).
So yes, you would still need unique VLANs/subnets for each distribution switch (as opposed to for each access layer switch which you would need for a fully routed network).
If you put aside the Wireless for the minute as LWAPP looks like the answer for this. With regards to the wired stuff unless you have any specific Layer-2 requirements then go with Layer-3. By specific requirements I really mean clustering or VMWare type stuff that means you have devices that MUST be on the same Layer-2 network. Normally this is just a data centre or server farm requirement.
You can still have Guest and Server VLAN's in each wiring closet, it's just these will be on separate IP networks between wiring closets. You can apply the same security ACLs etc as you would before, just terminate the Layer-3 SVI in the wiring closets for each of the local VLANs.
Hey Andy, yes, that's correct. The wireless is the only 'real' issue re: spanned networks. My other spanned networks can 'go away' or I can create one per closet.
I do have VMware in the data center - but I'm not aware of specific requirements that you're describing... ignorance is bliss, perhaps?? :) Can you elaborate?
With regards to specific Layer-2 requirements this is something you would have to look into yourself as I have no background information about your LAN requirements. As you have said VMWare with distributed servers really needs Layer-2 connectivity between all potential host servers (it's not essential but makes Server peoples jobs easier). MS Clustering also requires Layer-2 connectivity between the two (or more) physical servers.
Other things I can think of are any non-IP requirements, not sure what but there may be?
If all you have in the (user) access layer are PC's and printers then a routed access layer will probably work well. We did this for a customer last year using 3560 & 3750 access layer switches running IP Base code and EIGRP Stub (and PIM stub) and it works really well.
It is sometimes difficult to convince people of the benefits, however when we did failover testing and explained the minimised failure footprints it was fairly obvious..
After thinking about this for a few days, it seems that I will still have to have a 'guest' VLAN, a 'test' VLAN and my wireless VLANs in each building.
I've provisioned 8 sequential class B networks (10.x.0.0) for each building. I'll have to subnet these class B's and create multiple guest VLANs, test VLANs, wireless VLANs, etc. for each building.
The wireless situation is a bit more work, obviously. I'll have to implement LWAPP (and all it's associated bits). That's gonna take some time.
I think I'm going to replace my old distribution switches (3508Gs) with 3550-12Gs and keep L2 trunks until I'm ready to migrate to L3.
Am I missing anything?
Thanks for all the help, gents.
Hello everyone. I'm still working on the planning for my migration from L2 to L3.
I've provisioned VLANs for the test, guest and laptop VLANs - one for each wiring closet ... which adds up real quick!
Wireless is still a bugaboo -- I'm now seriously considering a parallel network only for wireless -- I discounted this idea right away earlier on, but it's the front-runner right now. Uglyness!
I would provision another six VLANs per wiring closet (I have six wireless networks -- WEP, WPA, WPA2 Student, WPA2 Staff, EAP-FAST Student, EAP-FAST Staff -- that would each have to have a VLAN) -- but it's a PITA re: DHCP and IP subnets and I'm having a problem re: spanning-tree extend system-id (I've posted another Conversation about that).
So... I'm now leaning towards a parallel network. Any further thoughts before I go to the dark side? :)
To be honest the best solution for the wireless is always a separate infrastructure. LWAPP goes some way to address the various issues with overlaying the Wireless network onto the existing Wired network, but a totally separate network (properly firewalled off) is better (IMO).
If you have the ability (and money) to have parallel networks then go for it, you will need to connect the two networks via a new Firewall(s) or bring the new Wireless in via a DMZ or multiple DMZ's.
Thanks Andy, your thoughts give me some confidence re: the decision, but it seems like SUCH A KLUDGE! I think this would be the biggest kludge fix that I've ever done. But, perhaps I'm just naive about it, but it seems like there should be a 'better' way.
I can definitely firewall it off and protect the rest of the network just fine. I can pick up some old 2912 or 3512 switches somewhere (I think I have a stockpile in a storage room actually). This will burn up a lot of fiber cabling... other than that, it's just the kludge-factor that has me stalling.
Should I get over it? ;)
I thought I'd post an update re: my progress. I've created a working test environment for L3 to the edge, but I still haven't settled on a solution to wireless on campus.
To recap, I was considering...
1. A parallel network, trunked back to my server farm.
2. Converting my wireless over to LWAPP APs, installing and configuring the WCS, etc.
After thinking and researching for a few weeks, I've added the following possible options...
3. Creating the six the wireless VLANs on each and every floor of every building (~25 floors in total = 150 VLANs) and not worrying about the roaming issues re: IP#s changing on the client.
4. Same as #3, but implementing Mobile-IP to solve the changing IP# issue.
As before, I welcome your comments and help! I'm no longer leaning in any particular direction -- all I know is that I'd like to move ahead with the overall distributed L3 routing project, but wireless support is holding me up!