VLAN across a routed connection?

Discussion in 'Cisco' started by Martin Pugh, Sep 15, 2007.

  1. Martin Pugh

    Martin Pugh Guest

    Hi all,

    I have 2 LANs on separate IP subnets connected by a layer 3 routed link
    between 2 stacks of Catalyst 3750G-SMI switches and I need to create an
    IP subnet common to both networks (but different to their main subnets)
    to implement a failover configuration for our internet access. I'm
    guessing a VLAN would be the way to go, but is it possible to pass VLAN
    traffic over a layer 3 link, or is there a better way to connect these 2
    subnets that would allow me to implement this setup?

    Thanks,

    Martin
     
    Martin Pugh, Sep 15, 2007
    #1

  2. Martin Pugh

    Guest

    Hi Martin,

    Sounds like you need to create a trunk to carry the common VLAN across
    the routed link. You can then use SVIs (Switched Virtual Interfaces)
    to carry the layer three traffic alongside.

    Something like:

    vlan 5
    name "Layer 2 VLAN for common subnet"

    interface vlan 10
    description "Layer 3 SVI for routed traffic"
    ip address 192.168.1.1 255.255.255.252

    interface FastEthernet0/1
    description "Trunk port to carry both layer 2 and layer 3 VLANs"
    switchport trunk encapsulation dot1q
    switchport mode trunk

    Hope this helps,

    Paul
     
    , Sep 15, 2007
    #2

  3. Martin Pugh

    Martin Pugh Guest

    Hi Paul,

    Thanks for the quick reply. My current configuration looks like this :-

    interface Port-channel1
    description Point-to-point link
    no switchport
    ip address 172.24.1.1 255.255.255.252
    !

    interface GigabitEthernet1/0/28
    description SW001G1/0/28
    no switchport
    no ip address
    channel-group 1 mode active
    !

    ip route 10.3.0.0 255.255.0.0 172.24.1.2

    I went with the port channel as I intend to add additional SFPs in the
    near future to increase the available bandwidth. The drawback is that
    you set the port as "no switchport", so you can't assign it as a trunk.
    I'm sure there's a better way to do this; I just can't get my head around it.

    Martin
     
    Martin Pugh, Sep 15, 2007
    #3
  4. Martin Pugh

    Merv Guest

    Alternatives:

    1. If the Internet router only has one port facing the existing switch
    infrastructure then you would need to insert a hub or a small switch
    between the Internet router and the two existing switches. The ports
    on the existing switches facing the Internet router would be
    configured as routed ports and could run HSRP.

    2. If the Internet router has two ports available facing the existing
    switch infrastructure, then connect one router port to each of the
    existing switches, with each of the switch ports being configured as a
    routed interface. Run a common routing protocol amongst the switches
    and the internet router in order for dynamic routing to take care of
    switch failures. The Internet router should advertise a default route to the
    switches.
     
    Merv, Sep 15, 2007
    #4
  5. Martin Pugh

    Guest

    No problem Martin.

    Port-channels can be layer 2 or 3 - just like physical ports.

    I suggest you change your Port-channel to layer 2 so it can be
    configured as a trunk port. The trunk can then carry two VLANs - The
    "common VLAN" and the SVI VLAN for routed traffic:

    interface Port-channel1
    description "Layer 2 Port-channel"
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk

    Then configure the VLANs / SVIs:

    vlan 5
    name "Common VLAN"

    interface vlan 10
    description "SVI for routed traffic"
    ip address 172.24.1.1 255.255.255.252

    Then turn on the Port-channel for the physical port:

    interface GigabitEthernet1/0/28
    switchport
    channel-group 1 mode active

    Let me know how you get on,

    Paul
     
    , Sep 15, 2007
    #5
  6. Martin Pugh

    stephen Guest

    <> wrote in message
    news:...
    > No problem Martin.
    >
    > Port-channels can be layer 2 or 3 - just like physical ports.
    >
    > I suggest you change your Port-channel to layer 2 so it can be
    > configured as a trunk port. The trunk can then carry two VLANs - The
    > "common VLAN" and the SVI VLAN for routed traffic:
    >
    > interface Port-channel1
    > description "Layer 2 Port-channel"
    > switchport
    > switchport trunk encapsulation dot1q
    > switchport mode trunk
    >
    > Then configure the VLANS / SVIs:
    >
    > vlan 5
    > name "Common VLAN"
    >
    > interface vlan 10
    > description "SVI for routed traffic"
    > no switchport
    > ip address 172.24.1.1 255.255.255.252
    >
    > Then turn on the Port-channel for the physical port:
    >
    > interface GigabitEthernet1/0/28
    > switchport
    > channel-group 1 mode active
    >
    > Let me know how you get on,


    1 other thing to worry about is what happens when it breaks?

    this type of design is common with server replication schemes that work at
    layer 2, and the assumption is that when you lose a site, the other copy
    carries on and the remaining network survives.

    however - WAN faults are as common as major server or site failures.

    if you have a L2 subnet across 2 sites like this, then any routers sending
    traffic into it from elsewhere treat it as a single logical connected lump
    of IP addresses - because that is what a subnet really is.
    the hidden design assumption is that things only work if that subnet is
    internally connected.

    So - it breaks in 2 pieces. At that point you find out that most traffic
    patterns on the 2 sections where the traffic comes into the subnet from
    outside stop working.

    if you have a local router interface, then outgoing works fine if you still
    have a default gateway.

    but the return traffic just gets delivered to either section depending on
    router best path - and that may be the wrong half......
    >
    > Paul

    --
    Regards

    - replace xyz with ntl
     
    stephen, Sep 15, 2007
    #6
  7. Martin Pugh

    Martin Pugh Guest

    Hi Stephen,

    Thanks for the heads up, but in our setup it's not a problem. The 2
    offices are literally 350 metres apart using our own on-site fibres, so a
    break in the link is probably less likely than losing a WAN link.

    Each office has its own dedicated subnet and the additional subnet will
    only be used locally in the 2 offices so we have no traffic being routed
    into it from the rest of the WAN.

    Martin

     
    Martin Pugh, Sep 17, 2007
    #7
  8. Martin Pugh

    Martin Pugh Guest

    Hi Paul,

    That sounds like a plan to me and I think it's starting to sink in.
    I'll get some time organised to put it in place out of hours.

    One last question though: I have all the other switch ports on both ends
    of the link in the default VLAN1. If the switches are connected at
    layer 2, wouldn't that mean the single VLAN1 would span both sites and
    give me no end of IP and VLAN overlaps?

    Thanks,

    Martin
     
    Martin Pugh, Sep 17, 2007
    #8
  9. Martin Pugh

    Guest

    Hi Martin,

    Yes that is something to watch out for. Enabling trunking between the
    two switches will trunk all VLANs by default. So yes - your two VLAN1s
    will get bridged, as will any other VLANs with the same ID.

    You can restrict which VLANs are allowed across the trunk with:

    switchport trunk allowed vlan 5, 10

    Best practice would be to avoid using VLAN1 for users. I suggest you
    also read about the native VLAN option before you get too involved
    with setting up DOT1Q trunks.

    Good luck!

    Paul
     
    , Sep 18, 2007
    #9
  10. Martin Pugh

    stephen Guest

    <> wrote in message
    news:...
    > Hi Martin,
    >
    > Yes that is something to watch out for. Enabling trunking between the
    > two switches will trunk all VLANs by default. So yes - your two VLAN1s
    > will get bridged, as will any other VLANs with the same ID.


    also vlan 1 is "special" on cisco - things like CDP live there, so even if
    you turn it off there will be some traffic.

    best practice for a big network is not to use vlan1 for anything (maybe just
    management).

    a few bits of good design practice (for lots of cisco stuff, not just
    campus):
    www.cisco.com/go/srnd

    worth looking at even if you ignore most of it as not applicable.

    that way when someone throws in a new switch without config, it doesn't work
    (or doesn't connect to the rest of the network), so cannot break the design
    without some effort and the installer has to do something to get
    connectivity.....
    >
    > You can restrict which VLANS are allowed across the trunk with:
    >
    > switchport trunk allowed vlan 5, 10
    >
    > Best practice would be to avoid using VLAN1 for users. I suggest you
    > also read about the native VLAN option before you get too involved
    > with setting up DOT1Q trunks.


    and please don't use VTP - network-wide VLANs are not a good idea.


    >
    > Good luck!
    >
    > Paul
    >

    --
    Regards

    - replace xyz with ntl
     
    stephen, Sep 19, 2007
    #10
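    As an added example (not from any poster in this thread), a small Python linter that reads an IOS-style config and reports the trunk risks Paul and stephen raise above: trunks with no `switchport trunk allowed vlan` list (so both sites' VLAN 1 get bridged), trunks left on native VLAN 1, VLAN 1 carrying IP traffic, and VTP in server/client mode. The sample config and interface names are constructed for illustration.

```python
import re

# Constructed sample (hypothetical, not from the thread): Port-channel1 is trunked as first shown, Port-channel2 applies the later allowed-VLAN and native-VLAN advice.
SAMPLE_CONFIG = """\
vtp mode server
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 5,10
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [its indented lines]}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line == "!" or not line:
            current = None  # "!" closes the interface stanza
        elif current is not None:
            ifaces[current].append(line)
    return ifaces

def lint_trunks(config):
    """Return (scope, finding) pairs for the trunk and VLAN risks raised in the thread."""
    findings = []
    if re.search(r"^vtp mode (server|client)\s*$", config, re.M):
        findings.append(("global", "VTP propagates the VLAN database network-wide"))
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1" and any(l.startswith("ip address") for l in lines):
            findings.append((name, "VLAN 1 carries IP traffic; keep users off VLAN 1"))
        if "switchport mode trunk" not in lines:
            continue  # only trunks bridge VLANs between the two sites
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append((name, "trunk carries every VLAN, so both sites' VLAN 1 get bridged"))
        if not any(l.startswith("switchport trunk native vlan") for l in lines):
            findings.append((name, "native VLAN left at the default of 1"))
    return findings
```

Running `lint_trunks(SAMPLE_CONFIG)` reports Port-channel1 twice and Vlan1 once, plus the global VTP finding, and nothing for Port-channel2.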