Can I get an opinion on a network topology config?

mike0000111111
Level 1

Hey Guys:

I'm attempting to reduce the amount of complexity in my network while still maintaining a fairly redundant set of services. 

 

My question is simple: does it make more sense to trunk VLANS up to my ISR G2 Routers from my switches or does it make more sense to do a link to link via assigned IP's on Gigabit interfaces on subnet (.252 [or] .254) between switches and routers? I'm using L3 switches with routing enabled.

 

The ISR G2 routers have no directly attached devices that are associated to my VLANs, and only Vlan 8 and 40 leave the premises onto the internet.  I've included a copy of the topology below.  Thank you for your helpful suggestions!

 

FYI: Of course, I'm not limiting my request for suggestions to trunks or Link to Link options only.  Also, I know everything "depends" on what I want to do, but I'm just looking for some kind of best practice or principle by which to decide.

 

[Attachment: See my topology in the attached image.  Thanks!]

 

Thanks!

-Mike

12 Replies

luis_cordova
VIP Alumni

Hi @mike0000111111 ,

 

I recommend using trunk links, as this allows you to have fewer hops between devices, less routing processing and the use of HSRP as a protocol for backup.
HSRP needs the two routers (active and standby) to be part of the same network.

 

Regards

Hi @luis_cordova 

 

Are there any downsides to putting the vlans on the routers?  Will sending broadcast traffic up to the routers across the gigabit trunks on our small business network (<50 devices) create an unnecessary encumbrance for the routers?  Any important security concerns?

 

Thanks,

Mike

Hola @mike0000111111 ,

 

In the scenario that you showed, you can route the vlan on the L3 switches, using vlan interfaces.

Then, you could create a communication vlan, which would connect the routers with the vlans.

In this way, you could filter the communication between vlan, if necessary, using ACL on switches L3.

 

Regards

@luis_cordova 

 

I think I understand the options, but can you confirm?

 

1) Forward all VLans via trunk to the routers, realizing that unnecessary broadcast traffic will be sent to the routers.  This removes one "hop" from the topology when passing traffic onto the internet.

 

or

 

2) Create a new 'Comms Vlan' on the routers, and then trunk Routers to L3 Switches.  Unnecessary broadcast traffic will be pruned and not sent to routers, while routing happens at the software layer of the L3 Switch and then forwarded via the trunk to 'Comms Vlan' on the router and then onto internet.  This eliminates unnecessary broadcast traffic going to routers, but there is no hop eliminated when passing traffic onto the internet.  However, L3 Switch routing is fast - so this probably doesn't matter.

 

Did I get the right read on this?

 

Thanks!

 

-Mike

Hi @mike0000111111 ,

 

1) Forward all VLans via trunk to the routers, realizing that unnecessary broadcast traffic will be sent to the routers.  This removes one "hop" from the topology when passing traffic onto the internet.

 

A: Yes, but with this option all the routing process is executed by the routers, both the internal routing and the one that goes to the internet.

 

2) Create a new 'Comms Vlan' on the routers, and then trunk Routers to L3 Switches.  Unnecessary broadcast traffic will be pruned and not sent to routers, while routing happens at the software layer of the L3 Switch and then forwarded via the trunk to 'Comms Vlan' on the router and then onto internet.  This eliminates unnecessary broadcast traffic going to routers, but there is no hop eliminated when passing traffic onto the internet.

 

A: With this option, the internal routing process can be executed by the L3 switch and the routers only execute the routing to the internet.

In addition, internal security processes can be applied to the L3 switches.


For this, I recommend you choose option 2.

 

Regards

@luis_cordova 

 

Thank you for your input; I've learned a lot.  I think option 2 will add flexibility and performance to my existing setup, so I'm definitely going with option 2.  However, I'd like to ask for clarification on a comment you made. 

You stated: 

 

A: Yes, but with this option [option 1] all the routing process is executed by the routers, both the internal routing and the one that goes to the internet.

 

It seems to me that by implementing option 1 my L3 switches would still do internal routing, since I'm using HSRP and the L3 Switches are prioritized for internal routing according to the HSRP schema I setup.  I assume if I added the routers to the HSRP schema, I could still complete internal routing using the precedence (L3 Switches) in the HSRP schema.  Does this seem correct?

 

Thanks,

Mike

Hi @mike0000111111 ,

 

Your option 1 said:

 

1) Forward all VLans via trunk to the routers, realizing that unnecessary broadcast traffic will be sent to the routers.  This removes one "hop" from the topology when passing traffic onto the internet.

 

I understood by what you indicated that you would leave the L3 switches working as L2 and create subinterfaces in the routers(router-on-a-stick).

Doing that, effectively, removes a hop to the traffic, but, the routers execute the whole routing process.

 

If I understood correctly, the L3 switches could not execute the HSRP protocol, because they would not have routing processes in them.

 

Now, if you choose option 2, you can have the L3 switches execute HSRP per vlan and the routers execute HSRP for the total traffic or, not execute HSRP on the L3 switches and let the routers execute HSRP for the total traffic.

This is because both the L3 switches and the routers perform routing processes.

 

Regards

 

I now understand the confusion.  My use of the phrase 'forward' vlan traffic to the routers does seem to imply router on a stick. (By the way, I had forgotten about sub-interfaces until you mentioned them in your post.)  I have one outstanding question, if you have the patience: If we were to assume option 1 with switches operating on L3 and trunked routers having routable interfaces on all the same vlans as the switches, then....

 

Do the L3 switches continue to perform A.) internal routing between vlans and B.) routing between the vlans and the route of last resort?  Or would the L3 switch, knowing that there was 1) a routable interface on the nearby trunked router that 2) sat on the same vlan as the outgoing traffic, and 3) had a direct connection to the route-of-last-resort, then pass traffic up to the ISR G2 Router to be routed onto the route-of-last-resort?  My gut feeling is the answer would be no, but I'm not sure.  

 

I'm just very curious.  Thank you for your time!

 

-Mike

Hi @mike0000111111 ,

 

To clarify:

If we were to assume option 1 with switches operating on L3 and trunked routers having routable interfaces on all the same vlans as the switches

 

In this scenario you would have vlan interfaces for each configured vlan

S(config)#ip routing
S(config)#vlan 10
S(config-vlan)#exit
S(config)#interface vlan 10
S(config-if)#ip address <gateway vlan10> <mask>

 

and the ports that connect to the routers as routed ports

S(config)#interface f0/1
S(config-if)#no switchport
S(config-if)#ip address <ip> <mask>

 

Then

 

Do the L3 switches continue to perform A.) internal routing between vlans

A: Yes

and B.) routing between the vlans and the route of last resort?

A: Yes and No

Yes, if you configure static routes to achieve communication with the routers or you use a routing protocol eg you include the networks of the vlan and the network configured in the routed port.

No, because when you configure a switch port as a routed port, you disable the layer 2 functions, so the vlan tag would only reach the vlan interfaces, leaving the packets, from the switch, without the vlan tag.

 

Or would the L3 switch, knowing that there was 1) a routable interface on the nearby trunked router that 2) sat on the same vlan as the outgoing traffic, and 3) had a direct connection to the route-of-last-resort, then pass traffic up to the ISR G2 Router to be routed onto the route-of-last-resort?  My gut feeling is the answer would be no, but I'm not sure. 

A: Your feeling is correct, for the reasons explained above.

 

Just keep in mind that in option 1 the HSRP could be used only in the L3 switches, since you would create different networks between the switches and the routers.

 

Regards

 

Remember to mark the correct answers as solved, because that helps other users with similar doubts

 

@luis_cordova 

Thank you again for this great info.  In my previous scenario, I wasn't planning on turning the ports into routable interfaces.  I was going to try and keep them trunked.  I would only create virtual interfaces on the routers with assigned IP addresses in each Vlan.  Maybe that wouldn't work?

 

My final diagram is included in this for viewing.  If you see something weird, please let me know.  Otherwise, thank you and enjoy your weekend!

 

-Mike

 

p.s.  I'll be sure to mark the correct answer.  

Hi @mike0000111111 

 

I see you used the vlan 56 as a communication vlan .

Remember to create subinterface on the routers

R(config)#interface fa0/X
R(config-if)#no shutdown
R(config-if)#interface fa0/X.56
R(config-subif)#encapsulation dot1q 56
R(config-subif)#ip address <ip> <mask>

 

and create vlan 56 on the L3 switches.

 

Your diagram looks very good.

 

If you have other questions, just post them in the community.

 

Regards

 

Good weekend to you too
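The option-2 design discussed above (inter-VLAN routing and ACLs on the L3 switches, a single communication VLAN 56 trunked to the routers, HSRP on both tiers) as a worked IOS configuration. This is an added example, not configuration posted in the thread. Everything specific in it is an assumption: the subnets 10.0.8.0/24, 10.0.40.0/24 and 10.0.56.0/24, the interface names, the HSRP group numbers and virtual IPs (switches own 10.0.56.1, routers own 10.0.56.254), the ISP next hop 203.0.113.1 and the contents of the VLAN8-IN access list. SW2 and R2 get the mirror-image config with the other address and a lower HSRP priority.

```ios
! ===== SW1 (L3 switch) =====
! Option 2: routing between the user/server VLANs stays on the switch,
! only the comms VLAN 56 is carried on the trunk toward the router.
ip routing
!
vlan 8
 name users
vlan 40
 name servers
vlan 56
 name comms-to-routers
!
! Gateway SVIs. HSRP group number = VLAN id; SW2 uses .3 and priority 100.
interface Vlan8
 ip address 10.0.8.2 255.255.255.0
 ip access-group VLAN8-IN in
 standby 8 ip 10.0.8.1
 standby 8 priority 110
 standby 8 preempt
!
interface Vlan40
 ip address 10.0.40.2 255.255.255.0
 standby 40 ip 10.0.40.1
 standby 40 priority 110
 standby 40 preempt
!
! The switches' shared address in VLAN 56 is the next hop the routers use
! to reach the internal VLANs.
interface Vlan56
 ip address 10.0.56.2 255.255.255.0
 standby 56 ip 10.0.56.1
 standby 56 priority 110
 standby 56 preempt
!
! Uplink to R1: a trunk that carries only VLAN 56. Pruning the rest keeps
! VLAN 8/40 broadcasts off the routers; an unused native VLAN keeps untagged
! frames from landing in a data VLAN. Drop the encapsulation line on
! platforms that only support dot1q.
interface GigabitEthernet1/0/1
 description Trunk to R1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 56
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Route of last resort toward the routers' HSRP virtual IP.
ip route 0.0.0.0 0.0.0.0 10.0.56.254
!
! Inter-VLAN filtering is enforced here, on the switch, before traffic is
! routed: VLAN 8 may use the internet but may not reach the server VLAN,
! except DNS to one assumed server.
ip access-list extended VLAN8-IN
 permit udp 10.0.8.0 0.0.0.255 host 10.0.40.10 eq 53
 deny   ip  10.0.8.0 0.0.0.255 10.0.40.0 0.0.0.255
 permit ip  10.0.8.0 0.0.0.255 any

! ===== R1 (ISR G2) =====
! Subinterface in the comms VLAN; R2 uses 10.0.56.252 and priority 100.
interface GigabitEthernet0/1
 description Trunk to SW1
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.56
 encapsulation dot1Q 56
 ip address 10.0.56.253 255.255.255.0
 standby 57 ip 10.0.56.254
 standby 57 priority 110
 standby 57 preempt
!
! Internal VLANs are reached via the switches' virtual IP; the routers never
! hold an interface in VLAN 8 or 40.
ip route 10.0.8.0 255.255.255.0 10.0.56.1
ip route 10.0.40.0 255.255.255.0 10.0.56.1
! Internet-facing default (ISP next hop assumed).
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1
```

Two checks worth doing after applying something like this: `show standby brief` on each router must show the peer in VLAN 56, which only works if VLAN 56 is also allowed on the trunk between SW1 and SW2 (each router is trunked to a different switch, so the routers' HSRP hellos cross that link); and `show interfaces trunk` on the switch uplinks should list only VLAN 56 as allowed and active, confirming the pruning the thread relies on.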

Hey Luis:

 

I'm following up to share that the topology looked good for my R1 (ISR G2 Router), since it has a 4ESG EHWIC that can be trunked using a single VLAN SVI with IP address.  But my R2 doesn't have that EHWIC card, so when trying to put two routed physical ports on the same subnet, I was, of course, told that the IP addresses were overlapping.

 

In an attempt to get two physical ports on the router to connect to the same subnet (Vlan 56), I discovered I could bridge the interfaces.  I plan on doing that and reporting my results here.  Refer to my diagram if you're wondering why I'm trying to put two routed interfaces onto the Vlan 56.

 

Thanks,

Mike
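The bridging approach Mike describes for R2 (two physical ports that must share one address in VLAN 56), written out as an added IOS example using integrated routing and bridging; it is not configuration from the thread. Assumed: the two router ports are GigabitEthernet0/1 and 0/2, the switch ports facing them are access ports in VLAN 56 (untagged, so no subinterfaces are needed), the BVI address is 10.0.56.252 with the same HSRP group and next hop as the R1 example above, and the bridge-group number 56 is reused as the BVI number, which IOS requires.

```ios
! ===== R2 (ISR G2 without a switch-module EHWIC) =====
! Both LAN ports are bridged into one BVI, so the router has a single
! routed address in VLAN 56 instead of two overlapping routed ports.
bridge irb
! "protocol ieee" enables STP on the bridge-group. That matters here:
! both ports land in the same VLAN on two interconnected switches, so
! without STP this would be a layer-2 loop.
bridge 56 protocol ieee
bridge 56 route ip
!
interface GigabitEthernet0/1
 description Link to SW1 (access port, VLAN 56)
 no ip address
 bridge-group 56
 no shutdown
!
interface GigabitEthernet0/2
 description Link to SW2 (access port, VLAN 56)
 no ip address
 bridge-group 56
 no shutdown
!
! The BVI is the routed interface for the bridge-group; HSRP runs on it
! exactly as it would on a dot1q subinterface.
interface BVI56
 ip address 10.0.56.252 255.255.255.0
 standby 57 ip 10.0.56.254
 standby 57 priority 100
 standby 57 preempt
!
ip route 10.0.8.0 255.255.255.0 10.0.56.1
ip route 10.0.40.0 255.255.255.0 10.0.56.1
```

`show spanning-tree` on the router (and on the switches) should show one of the two bridged ports blocking; if both forward, the loop is real and the STP setting has not taken effect.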
