Help figure out this L3 switch config?

--chris-- · December 2014

I have a setup with three buildings. Building 1 has a L3 Dell 5448 PoE switch. Building 2 has a Cisco 3560. Building 3 has a Dell 5448 PoE L3 switch, a 2960, firewall and ISP router. Building 3 is where the ISP demark is.

The part I am confused about is that the L3's in building 1 and 3 have a default gateway that points to the Cisco L3 in Building 2. If the 3560 in building two is the default gateway, how does anything get out to the internet? Shouldn't the default gateway be the Dell L3 in building 3?

The Cisco L3 has a static route which points to the firewall. The firewall is in Building 3. The wonderful drawing below shows the physical connections between buildings (red lines).

emerald_octane · December 2014

One guess is that there is connectivity to building 2 via layer 2 trunk across each switch from the demarc, just an extra vlan on each switch. I could see this being the case if the Cisco has advanced/unique functionality that needs to be addressed, however such a configuration would cause several single points of failure because you move away from the hub&spoke topology to a weird bus type topology.

--chris-- · December 2014

emerald_octane wrote: »

One guess is that there is connectivity to building 2 via layer 2 trunk across each switch from the demarc, just an extra vlan on each switch. I could see this being the case if the Cisco has advanced/unique functionality that needs to be addressed, however such a configuration would cause several single points of failure because you move away from the hub&spoke topology to a weird bus type topology.

That is something I thought of, but how....I was not certain that could actually work.

The L3 Cisco is the only PoE / VoIP switch in use, would that qualify as unique? This is a weird setup if that is the case...I feel confident about my network knowledge until I start working on this network, that would explain a lot of the un-easy feeling I have when I need to troubleshoot it.

fredrikjj · December 2014

I have no idea what's going on here. What are the IP addresses written in each box? You should probably do a proper network diagram. One logical layer 3 diagram and one that shows the physical connections.

You can use this app: www.draw.io and import the cisco icons for different types of devices.

VAHokie56 · December 2014

to me it seems all the switches have just local routing tables and no dynamic IGP running ...so they all have a def route pointing to the 3560 in building 2. Perhaps who ever stood it up thought to make the 3650 more like an aggregation point and of course the 3560 has a def route to the fw which is how you most likely access the interwebz...its kind of fug-ugly and maybe I am wrong. Build it in Packet tracer and post it ...it seems terribly simple, cant be that hard to port it to a PT file

--chris-- · December 2014

VAHokie56 wrote: »

to me it seems all the switches have just local routing tables and no dynamic IGP running ...so they all have a def route pointing to the 3560 in building 2. Perhaps who ever stood it up thought to make the 3650 more like an aggregation point and of course the 3560 has a def route to the fw which is how you most likely access the interwebz...its kind of fug-ugly and maybe I am wrong. Build it in Packet tracer and post it ...it seems terribly simple, cant be that hard to port it to a PT file

I wish I felt that way about this! I think this clients network is a mess, but what do I know...i have been in IT about a year and only recently started seeing Cisco gear in the wild.

Your description is spot on. No routing protocols, just static and connected routes. The 3560 aggregates for the other two L3s. The 3560 then has a default route that points to the FW.

I had just never seen or heard of a setup like this. I mean, in all the Cisco "guides" on setting up things like this it shows the FW and the "aggregation" device (in my case the 3560) physically stacked on top of each other...not in different buildings. I assumed (I know, I know...) that you should put the GW and the FW physically near each other...but that is not the case huh?

Why wouldn't the person who stood this up just use the Dell L3 that sits below the FW as the "aggregator"? What reasons would you skip that and go to what I have here?

VAHokie56 · December 2014

Ya hard to say...if it was me I would of made the 3560 the sole L3 device and trunk what I need to the other two switches making them strictly L2 aside from a mang IP, and then keep that def route of the 3560 to the FW of course. Be nice to toss another 3560 in for redundancy and hsrp. Best bet when you run across something like this is just map out the madness so you know how exactly its ghetto rigged and don't spend to much time wondering why someone made the mess!

--chris-- · December 2014

VAHokie56 wrote: »

Ya hard to say...if it was me I would of made the 3560 the sole L3 device and trunk what I need to the other two switches making them strictly L2 aside from a mang IP, and then keep that def route of the 3560 to the FW of course. Be nice to toss another 3560 in for redundancy and hsrp. Best bet when you run across something like this is just map out the madness so you know how exactly its ghetto rigged and don't spend to much time wondering why someone made the mess!

I will be mapping this out much better now that I see what is going on.

The issue I was having is that I was disregarding L2 & L3 and blurring them together. No wonder I would start to figure it out then run into a (logical) brick wall. Keeping them separate makes this much easier to see.

chrisone · December 2014

You can absolutely have this design. Its not standard and not efficient at all, however it is possible. You have to separate your logical and physical way of thinking. Logical you can have any one of these buildings be the primary edge router then as you mentioned the default route sends it to building 3 with the firewall. As long as the VLAN of the demarc is extended to all buildings its possible to have any of those 3 buildings communicate to the demarc. Ideally you want all your edge devices near the demarc, but for some strange reason the default logical way for all buildings is to push the traffic to building 2 which then has a default route to the firewall in building three.

So for whatever reason my guess is that business needs had something to do with this strange setup.

pevangel · December 2014

Dell 5448 are not L3 switches.

If this is a client's network, then you should try to understand how the business functions. Most of their resources could be at building 2 so it makes sense to have the L3 switch there. It would be ideal to move the demarc to building 2 but it's probably cost prohibitive.

Help figure out this L3 switch config?

Comments