Advice on method to implement a requirement

AlexFer
Level 1

Hi experts,

I have a requirement that needs implementing - I'm hoping to get advice on methodology.

 

Current network topology:

(a) a distribution-layer L3 switch is connected to multiple (>2) access-layer L3 switches using routed-mode interfaces.

(b) traffic between L3 switches is routed (not switched). Access-layer switches are EIGRP stubs.

(c) End-user host can roam between any one port of an access-layer L3 switch.

 

Requirements:

1. End-user host must always be on same subnet/vlan (regardless of the access switch)

2. End-user host's default gateway must always be same (regardless of the access switch)

3. End-user can send and receive traffic beyond the distribution layer-switch.

 

Clues/advice on method much appreciated.

7 Replies

Giuseppe Larosa
Hall of Fame

Hello Alex,

Your requirements are not compatible at all with your network setup.

 

Requirements:

1. End-user host must always be on same subnet/vlan (regardless of the access switch)

2. End-user host's default gateway must always be same (regardless of the access switch)

3. End-user can send and receive traffic beyond the distribution layer-switch.

 

To be honest from a networking point of view your current setup using routed Access is the best one in terms of stability and reduced broadcast domain and STP scope.

 

To satisfy the requirements reported above you should go back to a solution with L2 only access switches with L2 trunks to distribution switches and all inter-vlan routing performed at distribution layer only.

STP would become again important and redundant links will be blocked.

 

In addition to this, in order to keep the same Vlan for the user/end user device you should deploy 802.1X and maybe NAC (Network Access Control) so that the Vlan is assigned to the port after successful authentication.

And you would need an ISE server or other Radius server and installation/enabling of an 802.1X client on all end user devices.

 

From a networking point of view your current setup is better as explained above.

 

The new requirements are likely asked for security as it would allow easier tracking of user activity by IP address.

Edit: I see the end user is only required to stay on the same Vlan/IP subnet, not to keep always the same IP address. If address reservations are not configured based on MAC address on the DHCP servers, the IP address can change over time.

 

I would report all these concerns to your manager, as this would be two steps back at the networking level, especially for stability and performance (now you can use ECMP; with STP one uplink would be blocked unless playing with STP root bridge election in different Vlans if using Rapid PVST).

Without using reservations in DHCP the new requirements do not provide so great an advantage for security and user activity logging.

 

Hope to help

Giuseppe

 

 

Hi Giuseppe,

> To satisfy the requirements reported above you should go back to a solution with L2 only access switches with L2 trunks to distribution switches and all inter-vlan routing performed at distribution layer only.

Yes, (but I think you mean "go forward" not "go back"). Migration from current all-routed network to routed+switched is what I'm trying to avoid by seeking (creative) options to keep (current) all-routed.

(I see requirement to L2 trunk multiple distribution switches as unpalatable change.)

Very much appreciate all input.

R's, Alex

PS. You've correctly concluded, the change driver is 802.1x integration.

Hello Alex,

>> Yes, this is (already) a known option, but would require migration from current all-routed network to routed+switched. I'm seeking (creative) options to keep all-routed.

I don't see any other option available as I would not expect your access layer switches to support MPLS and VPLS. :)

 

>> PS. You've correctly concluded, the change driver is 802.1x integration.

I guessed this.

 

Hope to help

Giuseppe

 

 

I do not think this to be a desirable design, but ... you can run tunnels from all clients to a central subnet?

In this tunnel the client always has the same subnet, gateway, and other connectivity.

Compare this to WLC with central switching for wireless clients.

The challenge is to automate tunnel setup at the client.

Hi Alex,

 

Do you have applications that require VLANs stretched across switch closets? If not, then I don't see how having a routed access prevents you from implementing 802.1X, as you can certainly reuse VLANs in a routed access. The difference is that each switch closet has a different subnet for the same VLAN.

 

What NAC product do you have or plan to buy? Is it Cisco ISE? If you're planning to do Change of Authorization for VLAN assignment, you can do Named VLANs, so that the VLAN ID becomes irrelevant to the NAC Server.

 

You may also wish to look at Cisco's solution for VLAN extension in a routed access VLAN, which requires adding a Fabric layer. Link is below.

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Sol1dot2-2018DEC.pdf

 

 

Hi grabonlee,

Thanks for the Fabric layer reference. I'll keep it in my pocket in case I need to drop names.

 

> The difference is that each switch closet has different subnet for same VLAN.

This is the rub. If we use (static) VLAN ACLs (where the VLAN is specified by ISE post 802.1x authentication) per supplicant's category/role, then we'd need that number of subnets on every access switch (because any user is allowed to roam anywhere in access layer).

So, 5 categories/roles and 500 access switches - that's 2500 (/26) subnets. OK, that's doable if done once, but the fickle nature of categories/roles means that they'll inevitably increase and change. Cisco Prime can push out provisioning updates, but it is unappealing for subnets and ACLs.

 

For robustness and scalability, user-dACLs or TrustSec make more sense (because VLAN and subnet become irrelevant). But this is even more unappealing to administer.

R's, Alex
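An added example (not from the thread) that does the subnet arithmetic Alex describes in code: with one subnet per role on every access switch, it sizes the per-switch block and the overall supernet, then generates the full plan. The role names and the 10.0.0.0/14 supernet are constructed assumptions; 5 roles, 500 switches and /26 subnets are the figures from the post.

```python
import ipaddress
from itertools import islice

# Constructed inputs: role names are made up; 5 roles, 500 switches and /26
# host subnets are the figures quoted in the thread.
ROLES = ["staff", "contractor", "guest", "printer", "building-iot"]
NUM_SWITCHES = 500
HOST_PREFIX = 26

def prefix_holding(addresses):
    """Shortest IPv4 prefix length whose block holds at least `addresses` addresses."""
    bits = 0
    while 2 ** bits < addresses:
        bits += 1
    return 32 - bits

def per_switch_prefix(num_roles, host_prefix=HOST_PREFIX):
    """Prefix of the contiguous block each access switch needs for one subnet per role.
    Keeping a switch's subnets contiguous lets it advertise a single summary upstream."""
    return prefix_holding(num_roles * 2 ** (32 - host_prefix))

def required_supernet_prefix(num_roles, num_switches, host_prefix=HOST_PREFIX):
    """Prefix of the supernet that holds one per-switch block for every access switch."""
    block = per_switch_prefix(num_roles, host_prefix)
    return prefix_holding(num_switches * 2 ** (32 - block))

def plan_subnets(supernet, roles, num_switches, host_prefix=HOST_PREFIX):
    """Carve `supernet` into per-switch blocks and one subnet per role inside each block.
    Raises ValueError when the supernet is too small for the plan."""
    net = ipaddress.ip_network(supernet)
    block_prefix = per_switch_prefix(len(roles), host_prefix)
    if block_prefix < net.prefixlen or 2 ** (block_prefix - net.prefixlen) < num_switches:
        raise ValueError(f"{net} cannot hold {num_switches} blocks of /{block_prefix}")
    plan = {}
    blocks = islice(net.subnets(new_prefix=block_prefix), num_switches)
    for idx, block in enumerate(blocks, start=1):
        role_subnets = islice(block.subnets(new_prefix=host_prefix), len(roles))
        plan[f"access-{idx:03d}"] = {"summary": block, "subnets": dict(zip(roles, role_subnets))}
    return plan

if __name__ == "__main__":
    print(f"per-switch block: /{per_switch_prefix(len(ROLES))}")
    print(f"supernet needed : /{required_supernet_prefix(len(ROLES), NUM_SWITCHES)}")
    p = plan_subnets("10.0.0.0/14", ROLES, NUM_SWITCHES)  # supernet is an assumption
    print(sum(len(e["subnets"]) for e in p.values()), "subnets;", p["access-001"])
```

Every added role multiplies the subnet count by the number of switches, which is the growth problem the post points at; per-switch contiguous blocks at least keep the routing advertisements from the stubs to one summary each.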

Hi Alex,

 

I'm not sure why you would need static VLAN ACLs. Even in a Multilayer access design, which is prevalent in many networks, you see different VLAN IP subnets per floor with no spanning, and 802.1X in such an environment is the same as in Routed access. You would see NAC deployments use downloadable ACLs, user VLAN assignment, user-dACLs.

 

For me 802.1X wouldn't be a concern, as that's end-user/devices. My concern would be if I need to do RSPAN or extend VLANs for any other purpose. For RSPAN, ERSPAN can solve that. Just work out different what-if scenarios or have a discussion with your Cisco partner since you're considering changing your network architecture.
