I have a configuration question, so I thought of coming on here and seeing if you guys could help me out.
Currently we have 3 6500's, SW1 and SW2 (6513's) inter-connected via port-channel (vlan
trunk) and SW3 (6509) connected via standard trunk port on a LAN extension over GigE.
Our vlan routing is currently done via a pair of Fortigate firewalls. They have a physical
interface connection for each vlan to SW1 and SW2. These fortigates are setup as the
gateways for each vlan (10.98.x.1).
We have the requirement to move the vlan routing down to the core 6500's on the MSFC.
Each 65xx switch has a vlan interface set up for each vlan (19) as shown below, which span across all 3 switches:
VLAN 100 DMZ 192.168.2.0/21
VLAN 102 PROD 10.98.2.0/23
VLAN 104 CORP 10.98.4.0/23
VLAN 106 QA 10.98.6.0/23
VLAN 108 VOIP 10.98.8.0/23
VLAN 112 FCIP 10.98.12.0/23
VLAN 208 SIPGC
VLAN 210 PROD-SIP 10.98.10.0/23
VLAN 221 GT (No Vlan interface)
VLAN 242 BGP (No Vlan interface)
VLAN 264 SIP-VPBX (No Vlan interface)
VLAN 265 SIP-BW 188.8.131.52/29
VLAN 300 WANCOM1 (No Vlan interface)
VLAN 400 WANCOM2 (No Vlan interface)
Each vlan spans across all 3 switches via the trunk ports since there are devices on
specific vlans that are connected to different 6500's for redundancy.
The Vlans are currently all setup for spanning tree priority:
SW1 spanning-tree priority 0
SW2 spanning-tree priority 4096
SW3 spanning-tree priority 8192
I need to know, if we pull the Fortigate firewall from this setup and start doing the
vlan routing on the MSFC, how does this change the configuration? Please provide some examples.
Since we have 3 core switches, do we need to implement HSRP on the Vlan interfaces? If so,
how would that be configured? Again, configuration examples would be appreciated.
Also, which routing protocol should be implemented in this scenario?
SW1 and SW2 would do all the inter-vlan routing. Let's use vlan 102 as an example.
int vlan 102
 ip address 10.98.2.2 255.255.254.0
 standby 102 ip 10.98.2.1
 standby 102 priority 90
 standby 102 authentication cisco

int vlan 102
 ip address 10.98.2.3 255.255.254.0
 standby 102 ip 10.98.2.1
 standby 102 priority 110
 standby 102 authentication cisco
Do this for each of your vlan interfaces. Note that if you want, you can effectively do a crude sort of load-balancing by having all the even vlans with a priority of 90 on SW1 and 110 on SW1 and all the odd vlans with a priority of 90 on SW1 and 110 on SW2. If you do this, make sure the STP root is set to match, i.e. SW1 STP root for all odd vlans, SW2 STP root for all even vlans.
If SW3 only connects to one of the 2 other switches, it probably isn't worth doing this.
As for routing protocol, you don't really need one unless you have other devices that you need to peer with.
thanks Jon for your quick reply,
So HSRP would be implemented on the VLAN interfaces in this case right?
But what about vlan routing? There are some vlans that should not talk to others; for example, vlan 104 should not talk to 102 except for specific hosts. Vlan 100 should not talk to anything but have access to the internet as it's the DMZ. 210 should talk to 102 etc....
SW3 only has 1 link to SW1 and no links to SW2. SW3 is at the DR site and there are limited systems on SW3, and also a call center on that switch, which is on vlan 108. So in this case, 108 should talk to 104 and vice-versa.
If you want to restrict traffic between vlans then you need to look at access-lists, e.g.
vlan 104 = 192.168.5.0/24
vlan 102 = 192.168.6.0/24
access-list 101 permit ip 192.168.5.0 0.0.0.255 host 192.168.6.10
access-list 101 permit ip 192.168.5.0 0.0.0.255 host 192.168.6.12
access-list 101 deny ip 192.168.5.0 0.0.0.255 any
int vlan 102
 ip access-group 101 out
The above would only allow traffic from the vlan 104 subnet to 2 hosts, .10 & .12, on vlan 102.
With vlan interfaces traffic going out of vlan interface is traffic going TO devices on that vlan. Traffic coming into the vlan interface is traffic FROM devices on that vlan.
One last thing - there is an implicit deny at the end of every access-list, so the above example would block all other traffic to devices on vlan 102, so you need to modify access-lists to fit.
** Edit - it is important to understand that access-lists are in no way stateful and are considerably less secure than dedicated firewalls so you need to take this into account **
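As an added illustration (not part of the thread), the following Python model evaluates an IOS-style extended ACL the way the MSFC would: wildcard masks, first match wins, and the implicit deny at the end. It uses the constructed ACL 101 and subnets from the example above, and simplifies by ignoring protocol and port fields.

```python
import ipaddress

# Constructed ACL, copied from the example above (vlan 104 subnet -> two hosts on vlan 102).
ACL_101 = """
access-list 101 permit ip 192.168.5.0 0.0.0.255 host 192.168.6.10
access-list 101 permit ip 192.168.5.0 0.0.0.255 host 192.168.6.12
access-list 101 deny ip 192.168.5.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Address("0.0.0.0"), 0xFFFFFFFF
    if tok == "host":
        return ipaddress.IPv4Address(tokens.pop(0)), 0
    # IOS wildcard mask: 1 bits are "don't care" (the inverse of a subnet mask).
    return ipaddress.IPv4Address(tok), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        action, rest = tokens[2], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def _matches(spec, addr):
    """Compare only the bits the wildcard does not mark as don't-care."""
    net, wildcard = spec
    care = 0xFFFFFFFF ^ wildcard
    return (int(net) & care) == (int(addr) & care)

def evaluate(acl, src, dst):
    """First matching entry wins; an implicit 'deny ip any any' ends every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_spec, dst_spec in acl:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"  # implicit deny: nothing matched

def vlan102_outbound(src, dst):
    """Packet leaving 'int vlan 102' (i.e. going TO a host on vlan 102), filtered by ACL 101."""
    return evaluate(parse_acl(ACL_101), src, dst)
```

Because the ACL is stateless, applying the same list inbound on vlan 102 would drop the replies from 192.168.6.10 back to vlan 104 (no entry matches a 192.168.6.x source, so the implicit deny fires), which is why the return direction needs its own entries.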
Yes, ok, and I could use an extended access list for a more specific drill-down to the service request.
So again, the access list is to be implemented on the closest side of the requester before the routing occurs, right?
So if I leave SW3 (remote site) as is (trunk port allowing all vlans to traverse to SW1), then I could simply set up HSRP on all the vlan interfaces of SW1 and SW2 as you stated above, correct? Or is there a better way to do this?
It is better to filter traffic as close to the source as possible yes.
It depends on the traffic patterns from SW3. If most of the traffic is contained within the same vlan on SW3 then yes, I would configure as previously suggested, as the only time traffic would need to cross the trunk link to SW1 (other than for inter-vlan routing) is if a device on SW3 in vlan 102, for example, wanted to talk to a device in vlan 102 on SW1 or SW2.
However bear in mind that if you have 2 devices connected to SW3 that are in different vlans and they want to communicate with each other all their traffic will have to go back to SW1 to be inter-vlan routed.
Obviously any traffic from SW3 to any other device on SW1/SW2 whether in the same vlan or a different vlan will have to go across the link anyway so it is really about traffic between devices in different vlans on SW3.
How would I go about setting up SW3 so that if traffic from vlan 102 on SW3 needs to speak to 104, and the 104 destination IS on SW3, the traffic does not go across the trunk to SW1 and back to SW3?
Diagram looks fine. Don't worry too much about traffic having to traverse the SW3 -> SW1 link unless you find that the link is getting overutilised.
Just how far is SW3 from SW1 ?
Ok, I spoke to an Engineer @ Cisco and he told me this setup would not work.
He stated that if I implement HSRP (let's say SW1 has higher priority), SW1 would be active and SW2 would be standby; in this case anything (servers that is) connected to SW2 would not go anywhere... since they're not multihomed on SW1 and SW2?!?
I'm more confused now than I was before.
He also mentioned about vlan routing that I would need to set up sub-interfaces?
Now I'm really confused...
And I think I'm a bit confused, unless I am not understanding your setup.
It doesn't matter if the server is connected only to SW2 and the active gateway is on SW1; that is what the L2 trunk between SW1 & SW2 is for. So the server sends a packet to SW2 and this is sent across the L2 trunk to SW1. If this didn't work that way then our data centre, and I suspect a lot of other people's data centres, wouldn't work either :-)
As for subinterfaces - you don't need these on 6500 switches. Subinterfaces would be used if you were using a router to route between vlans but you aren't.
I'm wondering if the Cisco engineer and myself are talking about 2 totally different things here, because I have found Cisco engineers do know what they are talking about.
Obviously you and I know exactly what we are talking about, with the document I provided, but he does not, even though he does have that document on hand...
Anyway, I set up 2 vlans, 600 and 601, and set up router rip. Since my other vlans are 10.98.x.x, the network in rip, even though I entered "network 10.1.0.0" and "network 10.1.1.0", only shows 10.0.0.0 with a /8.
It shows in ip route the 10.1.0.0 and 10.1.1.0 as connected.
I also set up HSRP on VLAN 600 and am just waiting on PCs to connect, 1 on SW1 and the other on SW2, to simulate HSRP and vlan routing, but I need to think about this so I test my scenario correctly.
Thanks Jon !
Let me know how you get on.
Just one other point. If you are just concerned with routing between the vlans that are on your 6500 switches, and all the L3 vlan interfaces are on the switch, you don't need rip. The "sh ip route" would still show them as connected.
Rip will only show 10.0.0.0/8 as it is a classful protocol, at least version 1 is.
Well that depends on a number of things.
What other devices do you have in your network, and do you need them to peer with your 6500 switches?
A default route on your 6500's pointing to the fortigate firewalls would take care of your internet access although you would need to add routes on the firewalls for the vlans connected on your 6500's for the return traffic.
A dynamic routing protocol is a good thing in a network with a number of devices that need to exchange routes. But if you don't have that many devices static routing will work just fine.
It's really up to you as to what you need. RIPv2 is an improvement on v1 in some respects, but I'm not sure at the moment you need either.