Layer 3 switch routing

DevilWAH Member Posts: 2,997
Hi,

OK guys, how would you do this?

In the diagram below I have the core (2 4506s) and the distribution switches.


Because of how things are I need to run end-to-end VLANs across the site, but I also want to run local VLANs with Layer 3 routing to the core.

So as I see it I need to have trunking back to the core.

That's simple enough, but what I want to achieve is for the local VLANs that are routed back to the core to both load-balance to the two core switches, and I don't want their trunks blocked by spanning tree.

What I was thinking was using two VLANs: one core switch is the root for one, and the other core switch is the root for the second.

Then the VLAN interface is configured with an IP on each core and on the distribution switch.

This would allow routing protocols to replicate around and allow load balancing.

But one thing I don't want is two access switches to send data directly to each other, which they would be able to do.

Is there a better way to achieve this? I can think of plenty of ways but I'm not sure which one to go for.

Any thoughts?
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.

Comments

  • ConstantlyLearning Member Posts: 445
    DevilWAH wrote: »

    But one thing I don't want is two access switches to send data directly to each other, which they would be able to do.

    Any thoughts?


    Don't connect the access switches directly?
    "There are 3 types of people in this world, those who can count and those who can't"
  • DevilWAH Member Posts: 2,997
    Don't connect the access switches directly?


    I meant distribution switches,
    sorry.

    As in, if the distribution switches and the core switches have an SVI in the same VLAN then adjacencies will be formed across all of them.

    I only want adjacencies to form between the core switch and distribution switches, not distribution to distribution.
  • notgoing2fail Member Posts: 1,138
    I hope you figure this out, seems like a great project.... I wish I could add my two cents on this one...

  • DevilWAH Member Posts: 2,997
    Cheers :)

    It's one of those ones where I can think of 50 ways to achieve it, but no elegant solutions that cover everything I want out of it.

    The other thing is it needs to be simple enough that other non-network people can support it.

    I just know I will set it up and then a few months down the line I will be kicking myself about how I could have done it so much simpler...

    Oh hold on, I just thought!! If I put an ACL on the SVI at the distribution switch so it can only talk to the core switch SVI IP address, then it can only form routing adjacencies with that IP address... I think... let's go test :)

    The reason I want to do it like this, rather than having lots of point-to-point VLANs, is so I can get all the routing and load balancing to run over 2 extra VLANs...
  • notgoing2fail Member Posts: 1,138
    DevilWAH wrote: »
    Cheers :)

    It's one of those ones where I can think of 50 ways to achieve it, but no elegant solutions that cover everything I want out of it.

    The other thing is it needs to be simple enough that other non-network people can support it.

    I just know I will set it up and then a few months down the line I will be kicking myself about how I could have done it so much simpler...

    Oh hold on, I just thought!! If I put an ACL on the SVI at the distribution switch so it can only talk to the core switch SVI IP address, then it can only form routing adjacencies with that IP address... I think... let's go test :)

    The reason I want to do it like this, rather than having lots of point-to-point VLANs, is so I can get all the routing and load balancing to run over 2 extra VLANs...


    Does it make sense to use passive-interface anywhere so you only listen/learn which networks to be a part of?

  • ConstantlyLearning Member Posts: 445
    Does it make sense to use passive-interface anywhere so you only listen/learn which networks to be a part of?

    Looks like that would work just dandy.

    How Does the Passive Interface Feature Work in EIGRP? [IP Routing] - Cisco Systems
  • networker050184 Mod Posts: 11,962
    If you don't want them to form adjacencies, why not just use separate VLANs for each distribution switch? That would take care of all your issues.

    Also, just curious why you don't want them to communicate directly? Why would you want the traffic to take a less optimal path?
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAH Member Posts: 2,997
    Passive interfaces won't work, as the SVI interface to the core switch is the same as the one to the distribution switches.

    It's no more direct a route. The data has to go through the core switch whatever (look at how the distribution switches are linked back to the core; for one to talk to another the data must pass through the core switch). I just want it to go through at Layer 3 and not at Layer 2. There is no point in distribution switches being able to talk directly, as it offers no redundancy (a core switch is still the single point of failure), and having all distribution switches with adjacencies to each other will increase the size of the routing tables everywhere.

    Yes, the way to do it is multiple VLANs, but then the core switch has to have lots of SVIs. I want to keep the numbers down from a management point of view.

    Ideally I was thinking private VLANs, where the core has an interface in the primary VLAN and distribution is in an isolated VLAN, but I don't think you can assign an isolated VLAN an SVI?
  • networker050184 Mod Posts: 11,962
    DevilWAH wrote: »
    Passive interfaces won't work, as the SVI interface to the core switch is the same as the one to the distribution switches.

    It's no more direct a route. The data has to go through the core switch whatever (look at how the distribution switches are linked back to the core; for one to talk to another the data must pass through the core switch). I just want it to go through at Layer 3 and not at Layer 2. There is no point in distribution switches being able to talk directly, as it offers no redundancy (a core switch is still the single point of failure), and having all distribution switches with adjacencies to each other will increase the size of the routing tables everywhere.

    Yes, the way to do it is multiple VLANs, but then the core switch has to have lots of SVIs. I want to keep the numbers down from a management point of view.

    Ideally I was thinking private VLANs, where the core has an interface in the primary VLAN and distribution is in an isolated VLAN, but I don't think you can assign an isolated VLAN an SVI?

    I don't really agree with you on not having a routed link between distribution switches, but hey, there is more than one way to skin a horse. What's the problem with managing a bunch of SVIs? I think that would be a lot easier to manage than some crazy private VLAN stuff.
  • DevilWAH Member Posts: 2,997
    But if I had a full mesh between all the distribution switches (of which there are far more than 2), I then have issues with security management, and management in general will get more complex.

    In this company security is high, so it is more important for me to be able to lock down how traffic flows and have nice central points of management (i.e. the core switches) than it is to make sure the flow is most efficient.
  • networker050184 Mod Posts: 11,962
    DevilWAH wrote: »
    But if I had a full mesh between all the distribution switches (of which there are far more than 2), I then have issues with security management, and management in general will get more complex.

    In this company security is high, so it is more important for me to be able to lock down how traffic flows and have nice central points of management (i.e. the core switches) than it is to make sure the flow is most efficient.


    What exactly would be the security risk of the distribution switches routing directly between each other? They will still be able to route to each other through the core, it would just be a less efficient route. Maybe there is something I'm missing here. I didn't mean ALL distribution switches should form adjacencies with each other, just the distribution switches within a switch block.

    I still have to disagree that this would add management overhead. IMO it would add far less management overhead than an ACL'd or private VLAN solution that would end up with more configuration and less flexibility of traffic rerouting.
  • DevilWAH Member Posts: 2,997
    What exactly would be the security risk of the distribution switches routing directly between each other? They will still be able to route to each other through the core, it would just be a less efficient route. Maybe there is something I'm missing here. I didn't mean ALL distribution switches should form adjacencies with each other, just the distribution switches within a switch block.

    I still have to disagree that this would add management overhead. IMO it would add far less management overhead than an ACL'd or private VLAN solution that would end up with more configuration and less flexibility of traffic rerouting.


    Oh, switches in the same switch block will form adjacencies, that's cool. What I don't want is all the switch blocks forming adjacencies with each other.

    But I need both Layer 3 routing of local VLANs from the switch blocks to the core and end-to-end VLANs between switch blocks.

    So the "correct" way would be to create a separate VLAN between each switch block and each core switch, run routing over these, and trunk them back to the core.

    I.e. switch block 1 has VLAN 2 linking back to core switch 1 and VLAN 3 linking back to core switch 2; switch block 2 has VLAN 4 back to core 1 and VLAN 5 back to core 2. (VLANs 2 and 3 would only exist on switch block 1 and the core, and on no other switch blocks in the network.)

    On the other hand, if switch block one had VLAN 2 linking back to core switch one and switch block 2 also used VLAN 2 to link back to the core switch, then if I run routing protocols over this VLAN, switch block one would form adjacencies with both the core and the second switch block.

    In the first case the core switch ends up with lots of SVIs to support the routing; in the second case it ends up with one SVI for all the routing.

    So I am just weighing up the many ways to achieve this, with my focus being that I want very centralised management of the traffic; in effect I want to cause a bottleneck through which all traffic travelling between subnets is forced.
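Added example, not code from the thread or from any of the posters: a small Python model that compares the two VLAN plans weighed up in the last post (a separate pair of VLANs per switch block, one towards each core, versus one shared VLAN per core used by every block) by working out which routing adjacencies each plan would form and how many SVIs each core would need. It also illustrates the earlier point about passive-interface: because the shared SVI faces the core and the other switch blocks at once, making it passive drops the core adjacency as well. The switch names (core1, core2, dist1, ...) and the adjacency rule (two switches neighbour when both hold a non-passive SVI in a common VLAN; core-to-core links are left out) are the example's own assumptions; the VLAN numbers 2 to 5 follow the post.

```python
# Added example, not from the thread: model which routing adjacencies form
# between switches that share a VLAN, for the two VLAN plans discussed above.
# Switch names and the adjacency rule are constructed assumptions.
from itertools import combinations


def per_block_plan(n_blocks, first_vlan=2):
    """Plan A: each switch block gets its own pair of VLANs, one per core.

    Block i uses VLAN first_vlan + 2*(i-1) towards core1 and the next VLAN
    towards core2; for two blocks that is VLANs 2/3 and 4/5 as in the post.
    Returns (plan, blocks): plan maps switch -> set of VLANs carrying an SVI,
    blocks maps distribution switch -> switch block number.
    """
    plan = {"core1": set(), "core2": set()}
    blocks = {}
    for i in range(1, n_blocks + 1):
        v_core1 = first_vlan + 2 * (i - 1)
        v_core2 = v_core1 + 1
        dist = f"dist{i}"
        plan[dist] = {v_core1, v_core2}
        plan["core1"].add(v_core1)
        plan["core2"].add(v_core2)
        blocks[dist] = i
    return plan, blocks


def shared_plan(n_blocks, vlan_core1=2, vlan_core2=3):
    """Plan B: every block uses the same two VLANs (one rooted at each core)."""
    plan = {"core1": {vlan_core1}, "core2": {vlan_core2}}
    blocks = {}
    for i in range(1, n_blocks + 1):
        dist = f"dist{i}"
        plan[dist] = {vlan_core1, vlan_core2}
        blocks[dist] = i
    return plan, blocks


def adjacencies(plan, passive=frozenset()):
    """Pairs of switches that would form a routing-protocol adjacency.

    Two switches neighbour when both have an SVI in a common VLAN and neither
    of those SVIs is passive (a passive SVI sends no hellos). passive is a set
    of (switch, vlan) tuples. Cores hold no SVI in each other's VLAN here, so
    core-to-core adjacency is out of scope of the model.
    """
    pairs = set()
    for a, b in combinations(sorted(plan), 2):
        for vlan in plan[a] & plan[b]:
            if (a, vlan) in passive or (b, vlan) in passive:
                continue
            pairs.add(frozenset({a, b}))
            break  # one shared active VLAN is enough to neighbour
    return pairs


def cross_block_adjacencies(pairs, blocks):
    """Adjacencies between distribution switches of *different* blocks,
    i.e. the ones the original poster wants to avoid."""
    return {
        p for p in pairs
        if all(s in blocks for s in p) and len({blocks[s] for s in p}) == 2
    }


def core_svi_count(plan):
    """Number of SVIs each core needs under a plan (the management cost)."""
    return {c: len(plan[c]) for c in ("core1", "core2")}


if __name__ == "__main__":
    for name, (plan, blocks) in {"per-block": per_block_plan(3),
                                 "shared": shared_plan(3)}.items():
        adj = adjacencies(plan)
        print(name, "core SVIs:", core_svi_count(plan),
              "cross-block adjacencies:", cross_block_adjacencies(adj, blocks))
    # Making dist1's shared-VLAN SVIs passive also removes its core neighbours.
    plan, blocks = shared_plan(2)
    print("shared, dist1 passive:",
          adjacencies(plan, {("dist1", 2), ("dist1", 3)}))
```

Running it shows the trade-off from the post in numbers: the per-block plan yields no cross-block adjacencies but needs one SVI per block on each core, while the shared plan needs a single SVI per core and lets every block neighbour every other one; and under the shared plan the only way to silence a block's SVI with passive-interface also silences it towards the core.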