Velocity Reviews - Computer Hardware Reviews

VLAN across a routed connection?

 
 
Martin Pugh
Guest
Posts: n/a
 
      09-15-2007
Hi all,

I have 2 LANs on separate IP subnets connected by a layer 3 routed link
between 2 stacks of Catalyst 3750G-SMI switches, and I need to create an
IP subnet common to both networks (but different from their main subnets)
to implement a failover configuration for our internet access. I'm
guessing a VLAN would be the way to go, but is it possible to pass VLAN
traffic over a layer 3 link, or is there a better way to connect these 2
subnets that would allow me to implement this setup?

Thanks,

Martin
 
 
 
 
 
thefunnel@aol.com
Guest
Posts: n/a
 
      09-15-2007
Hi Martin,

Sounds like you need to create a trunk to carry the common VLAN across
the routed link. You can then use SVIs (Switched Virtual Interfaces)
to carry the layer three traffic alongside.

Something like:

vlan 5
name "Layer 2 VLAN for common subnet"

vlan 10
name "Transit VLAN for the routed SVI"

interface vlan 10
description "Layer 3 SVI for routed traffic"
ip address 192.168.1.1 255.255.255.252

interface FastEthernet0/1
description "Trunk port to carry both layer 2 and layer 3 VLANs"
switchport trunk encapsulation dot1q
switchport mode trunk

Hope this helps,

Paul

 
 
 
 
 
Martin Pugh
Guest
Posts: n/a
 
      09-15-2007
Hi Paul,

Thanks for the quick reply. My current configuration looks like this :-

interface Port-channel1
description Point-to-point link
no switchport
ip address 172.24.1.1 255.255.255.252
!

interface GigabitEthernet1/0/28
description SW001G1/0/28
no switchport
no ip address
channel-group 1 mode active
!

ip route 10.3.0.0 255.255.0.0 172.24.1.2

I went with the port channel as I intend to add additional SFPs in the
near future to increase the available bandwidth. The drawback is that
you set the port as "no switchport", so you can't assign it as a trunk.
I'm sure there's a better way to do this; I just can't get my head around it.

Martin


 
 
Merv
Guest
Posts: n/a
 
      09-15-2007
Alternatives:

1. If the Internet router only has one port facing the existing switch
infrastructure then you would need to insert a hub or a small switch
between the Internet router and the two existing switches. The ports
on the existing switches facing the Internet router would be
configured as routed ports and could run HSRP.

2. If the Internet router has two ports available facing the existing
switch infrastructure, then connect one router port to each of the
existing switches, with each of the switch ports being configured as a
routed interface. Run a common routing protocol amongst the switches
and the internet router in order for dynamic routing to take care of
switch failures. The Internet router should advertise a default route to the
switches.



 
 
thefunnel@aol.com
Guest
Posts: n/a
 
      09-15-2007
No problem Martin.

Port-channels can be layer 2 or 3 - just like physical ports.

I suggest you change your Port-channel to layer 2 so it can be
configured as a trunk port. The trunk can then carry two VLANs - The
"common VLAN" and the SVI VLAN for routed traffic:

interface Port-channel1
description "Layer 2 Port-channel"
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
! if Port-channel1 already exists as a routed port ("no switchport"), remove it
! first (no interface Port-channel1) so that it is recreated as Layer 2

Then configure the VLANS / SVIs:

vlan 5
name "Common VLAN"
!
vlan 10
name "Transit VLAN for the routed SVI"
!
interface vlan 10
description "SVI for routed traffic"
ip address 172.24.1.1 255.255.255.252

Then turn on the Port-channel for the physical port:

interface GigabitEthernet1/0/28
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
! the member port's trunk settings must match Port-channel1 before it can bundle

Let me know how you get on,

Paul

 
 
stephen
Guest
Posts: n/a
 
      09-15-2007

1 other thing to worry about is what happens when it breaks?

this type of design is common with server replication schemes that work at
layer 2, and the assumption is that when you lose a site, the other copy
carries on and the remaining network survives.

however - WAN faults are as common as major server or site failures.

if you have a L2 subnet across 2 sites like this, then any routers sending
traffic into it from elsewhere treat it as a single logical connected lump
of IP addresses - because that is what a subnet really is.
the hidden design assumption is that things only work if that subnet is
internally connected.

So - it breaks in 2 pieces. At that point you find out that most traffic
patterns on the 2 sections where the traffic comes into the subnet from
outside stop working.

if you have a local router interface, then outgoing works fine if you still
have a default gateway.

but the return traffic just gets delivered to either section depending on
router best path - and that may be the wrong half......

--
Regards

- replace xyz with ntl


 
 
Martin Pugh
Guest
Posts: n/a
 
      09-17-2007
Hi Stephen,

Thanks for the heads up, but in our setup it's not a problem. The 2
offices are literally 350 metres apart using our own on-site fibres, so a
break in the link is probably less likely than losing a WAN link.

Each office has its own dedicated subnet and the additional subnet will
only be used locally in the 2 offices so we have no traffic being routed
into it from the rest of the WAN.

Martin


 
 
Martin Pugh
Guest
Posts: n/a
 
      09-17-2007
Hi Paul,

That sounds like a plan to me and I think it's starting to sink in.
I'll get some time organised to put it in place out of hours.

One last question though: I have all the other switch ports on both ends
of the link in the default VLAN1. If the switches are connected at
layer 2, wouldn't that mean the single VLAN1 would span both sites and
give me no end of IP and VLAN overlaps?

Thanks,

Martin
 
 
thefunnel@aol.com
Guest
Posts: n/a
 
      09-18-2007
Hi Martin,

Yes that is something to watch out for. Enabling trunking between the
two switches will trunk all VLANs by default. So yes - your two VLAN1s
will get bridged, as will any other VLANs with the same ID.

You can restrict which VLANS are allowed across the trunk with:

switchport trunk allowed vlan 5,10

Best practice would be to avoid using VLAN1 for users. I suggest you
also read about the native VLAN option before you get too involved
with setting up DOT1Q trunks.

Good luck!

Paul

 
 
stephen
Guest
Posts: n/a
 
      09-19-2007
<> wrote in message
news: ups.com...
> Hi Martin,
>
> Yes that is something to watch out for. Enabling trunking between the
> two switches will trunk all VLANs by default. So yes - your two VLAN1s
> will get bridged, as will any other VLANs with the same ID.


also vlan 1 is "special" on Cisco - things like CDP live there, so even if
you turn it off there will be some traffic.

best practice for a big network is not to use vlan1 for anything (maybe just
management).

a few bits of good design practice (for lots of Cisco stuff, not just
campus):
www.cisco.com/go/srnd

worth looking at even if you ignore most of it as not applicable.

that way when someone throws in a new switch without config, it doesn't work
(or doesn't connect to the rest of the network), so cannot break the design
without some effort and the installer has to do something to get
connectivity.....
>
> You can restrict which VLANS are allowed across the trunk with:
>
> switchport trunk allowed vlan 5,10
>
> Best practice would be to avoid using VLAN1 for users. I suggest you
> also read about the native VLAN option before you get too involved
> with setting up DOT1Q trunks.


and please don't use VTP - network wide VLANs is not a good idea.


>
> Good luck!
>
> Paul
>

--
Regards

- replace xyz with ntl
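
Added example, not from the thread: a small Python audit that parses an IOS running-config and flags the points Paul and Stephen raise above (a trunk with no pruned allowed-VLAN list, VLAN 1 crossing the trunk, native VLAN left at 1, VTP not transparent). The config text, the Port-channel1 stanza and the native VLAN 999 are constructed for the example.

```python
"""Added example (not from the thread): audit an IOS running-config for the trunk
hygiene points above: pruned allowed-VLAN list, VLAN 1 kept off the trunk,
native VLAN moved off 1, VTP transparent. SAMPLE_CONFIG is constructed."""
import re
SAMPLE_CONFIG = """\
vtp mode server
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""
# Same config with the thread's advice applied (999 is a constructed native VLAN).
FIXED_CONFIG = SAMPLE_CONFIG.replace("vtp mode server", "vtp mode transparent").replace(
    " switchport mode trunk", " switchport trunk native vlan 999\n"
    " switchport trunk allowed vlan 5,10\n switchport mode trunk")

def parse_interfaces(config):
    """Map each 'interface X' stanza to its config lines (IOS separates stanzas with '!')."""
    interfaces = {}
    for stanza in config.split("\n!\n"):
        lines = stanza.strip().splitlines()
        if lines and lines[0].startswith("interface "):
            interfaces[lines[0].split(None, 1)[1]] = [l.strip() for l in lines[1:]]
    return interfaces

def allowed_vlans(lines):
    """'5,10,20-22' -> set of ints; None = command absent (IOS default: all VLANs)."""
    spec = [l.split()[-1] for l in lines if re.fullmatch(r"switchport trunk allowed vlan [\d,-]+", l)]
    if not spec:
        return None
    ranges = [p.partition("-") for p in spec[0].split(",")]
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return 'scope: problem' strings; an empty list means the config follows the advice."""
    findings = []
    if not re.search(r"^vtp mode (transparent|off)$", config, re.M):
        findings.append("global: VTP is not transparent/off")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access or routed ('no switchport') port: out of scope
        allowed = allowed_vlans(lines)
        native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
        if allowed is None or 1 in allowed:
            findings.append(f"{name}: VLAN 1 crosses the trunk (no or unpruned allowed-vlan list)")
        if not native or native[0] == "1":
            findings.append(f"{name}: native VLAN is still 1")
    return findings
```

Running audit(SAMPLE_CONFIG) reports three findings against the posted trunk, while audit(FIXED_CONFIG) returns an empty list.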


 