Effects of OSPF and trunk?

CourtneyKPrin

Two distribution switches connected to each other with bundled trunk ports using src-dst-ip load-balance and have an OSPF adjacency. They have SVIs in the same subnets as each other to segment different traffic (voice, servers, wireless, etc). Some hosts are configured with a gateway that resides on the closest distribution switch and allows limited routing if the physical links between the distribution switches were severed. The IP route table shows more than one route between the switches and uses VLANs as the interfaces.

 

I have been directed to configure 'passive-interface default' and make the exception to one VLAN with 'no passive-interface vlan 3' until there's a migration plan to create new subnets and use just OSPF between the distribution switches.

 

Will the routed OSPF traffic be tagged with VLAN ID 3? If yes, will there be a security risk to servers on VLAN 3?

Will the routed OSPF traffic be load balanced on the ether-channel?

 

 

 


Hello


@CourtneyKPrin wrote:

Some hosts are configured with a gateway that resides on the closest distribution switch and allows limited routing if the physical links between the distribution switches were severed.


Is this a collapsed core/distribution extended VLAN design? The reason I am asking is you mention tagged traffic, L2 trunks and having the same L3 SVIs on each switch.
Are you employing any first hop routing protocol for the VLAN clients (HSRP/VRRP/GLBP)?
Also, those switches won't be using OSPF for inter-VLAN routing at this time. The routing protocol sounds like it's being used for route advertisement upstream, maybe to a WAN router, and, as you state, for a future routed access layer LAN design implementation.

 


@CourtneyKPrin wrote:

Will the routed OSPF traffic be tagged with VLAN ID 3? If yes, will there be a security risk to servers on VLAN 3?

Will the routed OSPF traffic be load balanced on the ether-channel?


 

Lastly, no routed OSPF traffic will be tagged; only L2 VLAN traffic traversing those trunks will be.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, it is a collapsed core/distribution.

No FHRP being used.

Are you sure OSPF would not be used for inter-vlan routing? Below is a snippet of ip route from one distribution switch when two VLANs were forming the adjacency. If a host on the 10.1.8.0 subnet uses the 10.1.8.2 as the gateway and wanted to send traffic to 10.0.20.10, wouldn't it use OSPF?

O*E1  0.0.0.0/0 [110/3] via 10.1.8.3, 00:06:17, Vlan1
                [110/3] via 10.1.3.3, 00:56:50, Vlan3
      10.0.0.0/8 is variably subnetted, 219 subnets, 8 masks
O        10.0.20.0/24 [110/2] via 10.1.8.3, 00:06:17, Vlan1
                      [110/2] via 10.1.3.3, 00:56:50, Vlan3
O        10.1.1.0/24 [110/2] via 10.1.8.3, 00:06:17, Vlan1
                     [110/2] via 10.1.3.3, 00:56:50, Vlan3
C        10.1.3.0/24 is directly connected, Vlan3
L        10.1.3.2/32 is directly connected, Vlan3

C        10.1.8.0/23 is directly connected, Vlan1
L        10.1.8.2/32 is directly connected, Vlan1
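As an added illustration (not part of the original post or any Cisco tool), the following Python script parses the show ip route excerpt above and answers the question posed with it: a longest-prefix lookup for 10.0.20.10 lands on the OSPF-learned 10.0.20.0/24 entry, which has two next hops, one via Vlan1 and one via Vlan3. The drop_nexthops_on() function is an assumption-based model of what happens once passive-interface default silences hellos on an SVI: the neighbour reached through that SVI is lost, so OSPF next hops via it disappear while connected routes stay.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the show ip route excerpt quoted in the post above.
SHOW_IP_ROUTE = """\
O*E1  0.0.0.0/0 [110/3] via 10.1.8.3, 00:06:17, Vlan1
                [110/3] via 10.1.3.3, 00:56:50, Vlan3
      10.0.0.0/8 is variably subnetted, 219 subnets, 8 masks
O        10.0.20.0/24 [110/2] via 10.1.8.3, 00:06:17, Vlan1
                      [110/2] via 10.1.3.3, 00:56:50, Vlan3
O        10.1.1.0/24 [110/2] via 10.1.8.3, 00:06:17, Vlan1
                     [110/2] via 10.1.3.3, 00:56:50, Vlan3
C        10.1.3.0/24 is directly connected, Vlan3
L        10.1.3.2/32 is directly connected, Vlan3
C        10.1.8.0/23 is directly connected, Vlan1
L        10.1.8.2/32 is directly connected, Vlan1
"""

# A route line starts with the source code (O, O*E1, C, L ...) then the prefix.
ROUTE_RE = re.compile(r"^([A-Z][A-Z0-9*]*)\s+(\d+(?:\.\d+){3}/\d+)\s+(.*)$")
# A next-hop entry: [AD/metric] via <ip>, <age>, <interface>; ECMP entries
# continue on indented lines that carry no code or prefix.
NEXTHOP_RE = re.compile(r"^\s*\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+\S+,\s+(\S+)$")
CONNECTED_RE = re.compile(r"^is directly connected,\s+(\S+)$")


@dataclass
class Route:
    code: str
    prefix: ipaddress.IPv4Network
    # (next-hop IP or None for connected routes, egress interface)
    nexthops: list = field(default_factory=list)

    @property
    def dynamic(self):
        """True for routes learned from a routing protocol rather than C/L."""
        return self.code[0] not in ("C", "L")


def parse_show_ip_route(text):
    routes = []
    current = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            code, prefix, rest = m.groups()
            current = Route(code, ipaddress.ip_network(prefix))
            routes.append(current)
            c = CONNECTED_RE.match(rest)
            n = NEXTHOP_RE.match(rest)
            if c:
                current.nexthops.append((None, c.group(1)))
            elif n:
                current.nexthops.append((n.group(3), n.group(4)))
            continue
        n = NEXTHOP_RE.match(line)
        if n and current is not None:  # additional ECMP next hop
            current.nexthops.append((n.group(3), n.group(4)))
        # "is variably subnetted" summary lines and blanks are ignored
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the forwarding plane would do it."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def drop_nexthops_on(routes, passive_ifaces):
    """Model (assumption): an SVI made passive loses its OSPF neighbour, so
    dynamic next hops via that SVI vanish; connected/local routes remain."""
    pruned = []
    for r in routes:
        if not r.dynamic:
            pruned.append(r)
            continue
        kept = [h for h in r.nexthops if h[1] not in passive_ifaces]
        if kept:
            pruned.append(Route(r.code, r.prefix, kept))
    return pruned


if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    r = lookup(table, "10.0.20.10")
    print(r.code, r.prefix, r.nexthops)
    after = drop_nexthops_on(table, {"Vlan1"})
    print(lookup(after, "10.0.20.10").nexthops)
```

Running it shows that a host using 10.1.8.2 as its gateway does reach 10.0.20.10 through an OSPF route (both Vlan1 and Vlan3 next hops), and that in the modelled passive-interface scenario only the Vlan3 path survives.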

 

 

Hello

For an extended L2 LAN inter-VLAN routing, those L3 core switches don't require a dynamic routing protocol. However, you are not running any FHRP for an active gateway, and reading your post again it seems VLAN clients are provided a default gateway based on the physical SVI!

So it does seem OSPF is being used, which unless you are running a routed access layer isn't really applicable. Using an FHRP would be better and much more resilient. You are also receiving type 5 LSA default routes to these cores!

How do clients receive IP allocation if clients on the same VLAN share differing default gateways, or do they?

To be honest, this design at present isn't clear to me.

Would you be able to post a topology diagram?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Most of the clients are getting IP via DHCP, which does allow for configuring multiple gateways. I'm not sure how well that works though. We also have servers with static IPs and the gateway is manually configured to use the closest SVI. I'm not condoning this design and I'm trying to convince my co-workers we should change it to be more efficient. But, like I said in the first post, I have been directed to use the 'passive-interface default' workaround.

 

Are you sticking to that the routed traffic is not being tagged?

 

SiteA
serverA
192.168.3.10 /24
192.168.3.3 gw

DSW1
VLAN1 192.168.8.3 /24
VLAN3 192.168.3.3 /24
int gi0/0
 description to DSW2
 switchport mode trunk
router ospf 1
 network 0.0.0.0 0.0.0.0 area 0

SiteB
DSW2
VLAN1 192.168.8.2 /24
VLAN3 192.168.3.2 /24
int gi0/0
 description to DSW1
 switchport mode trunk
router ospf 1
 network 0.0.0.0 0.0.0.0 area 0

serverB
192.168.3.20 /24
192.168.3.2 gw


 

If the traffic has to be routed between the switches then yes it will be tagged unless of course vlan 3 is the native vlan on the trunk. 

 

Not sure why you think it may be a security risk, but if you are not comfortable with using a VLAN with devices in it then why not just use a totally new VLAN purely for OSPF?

 

Yes traffic should be load balanced as long as the source and destination IPs vary. 

 

Jon
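The three points in the reply above (hellos only leave the SVIs that passive-interface leaves active, frames on a trunk carry a tag unless they are in the native VLAN, and a src-dst-ip Port-channel only spreads flows whose address pair varies) can be put together in a small Python model. This is an added example, not code from the thread or from Cisco. Assumptions: the SVI and server addresses come from the topology posted above, except 192.168.3.21 which is a hypothetical second host; VLAN 1 is taken as the native VLAN; the hash is a simplified XOR of the two addresses modulo the member count, not the exact polynomial of any platform.

```python
import ipaddress
from dataclasses import dataclass

OSPF_ALL_ROUTERS = "224.0.0.5"  # AllSPFRouters group that OSPF hellos are sent to


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    vlan: int   # VLAN the frame belongs to when it enters the trunk
    label: str


def ospf_hello_interfaces(svis, passive_default, exceptions):
    """SVIs that still send hellos under IOS-style passive-interface semantics:
    'passive-interface default' silences every interface, and each
    'no passive-interface VlanN' re-enables exactly that one."""
    active = []
    for vlan in sorted(svis):
        name = f"Vlan{vlan}"
        if not (passive_default and name not in exceptions):
            active.append(name)
    return active


def frame_tag(vlan, native_vlan):
    """802.1Q tag on the trunk; frames in the native VLAN leave untagged."""
    return None if vlan == native_vlan else vlan


def member_link(src, dst, n_links):
    """Simplified src-dst-ip hash (assumption): XOR of both addresses modulo the
    number of Port-channel members. A fixed address pair always lands on the
    same member, which is why hellos never spread across the bundle."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    return (s ^ d) % n_links


def hello_flows(svis, passive_default, exceptions):
    """One hello flow per SVI that passive-interface leaves active."""
    active = ospf_hello_interfaces(svis, passive_default, exceptions)
    return [
        Flow(ip, OSPF_ALL_ROUTERS, vlan, f"ospf-hello Vlan{vlan}")
        for vlan, ip in sorted(svis.items())
        if f"Vlan{vlan}" in active
    ]


def trunk_egress(flows, native_vlan, n_links):
    """For each flow: the tag it carries on the trunk and the member link."""
    return [
        {
            "label": f.label,
            "vlan": f.vlan,
            "tag": frame_tag(f.vlan, native_vlan),
            "link": member_link(f.src, f.dst, n_links),
        }
        for f in flows
    ]


# Constructed data from the posted topology (DSW1 side).
DSW1_SVIS = {1: "192.168.8.3", 3: "192.168.3.3"}
SERVER_FLOWS = [
    Flow("192.168.3.10", "192.168.3.20", 3, "serverA->serverB"),
    Flow("192.168.3.10", "192.168.3.21", 3, "serverA->host21"),  # .21 is hypothetical
    Flow("192.168.8.50", "192.168.8.60", 1, "vlan1 host->host"),  # constructed pair
]


def report(passive_default, exceptions, native_vlan=1, n_links=2):
    """What leaves DSW1's trunk towards DSW2 for hellos plus the sample flows."""
    flows = hello_flows(DSW1_SVIS, passive_default, exceptions) + SERVER_FLOWS
    return trunk_egress(flows, native_vlan, n_links)


if __name__ == "__main__":
    for row in report(passive_default=True, exceptions={"Vlan3"}):
        print(row)
```

With passive-interface default and only Vlan3 excepted, the report contains a single hello flow, tagged with VLAN 3 and pinned to one member link; the server-to-server flows fall on different members only because their address pairs differ. Without passive-interface, a second hello appears on Vlan1 and, being in the assumed native VLAN, leaves untagged.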

Hello


@CourtneyKPrin wrote:

Are you sticking to that the routed traffic is not being tagged?


Hello
Thank you for the update
No. Communication between users in vlan 3 isn't routed; they are switched over the trunk between site A/B and are tagged (unless otherwise stated). Users in vlan 3 only need to be routed via their D/G if they need to communicate outside their own vlan, but OSPF isn't required for this to happen unless it's to a network that site A/B don't share.

 

You could even test this by taking the D/G off a host in vlan 3 and they will still be able to reach another host in either site within its own vlan

 

EDITED -


@CourtneyKPrin wrote:

I have been directed to use the 'passive-interface default' workaround.


So based on what you have shared:
If you append the above, the OSPF adjacencies between sites will drop, and in this instance it will not affect your site/site connectivity.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

 

Paul 

 

If the traffic is routed and the only vlan between the switches is vlan 3 and it is trunk then the traffic traversing the trunk link has to be tagged. 

 

How could it not be, it is on a trunk. 

 

Jon

Hello Jon

Well they've got to be, mate, otherwise how can each site have the same L3 subnet being advertised to each other!


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Looks like they are:

SiteA
DSW1
 description to DSW2
 switchport mode trunk

SiteB
DSW2
 description to DSW1
 switchport mode trunk

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul 

 

I think we are answering different questions. 

 

You are talking about traffic within the same vlan whereas the question asked is about traffic between vlans. 

 

Either way the traffic is tagged, it has to be across a trunk. 

 

Jon

 

Paul

 

I am confused now  

 

The configuration posted shows the same subnets on either side so now I follow your answer. 

 

But I was going off the routing table posted and assumed there were some subnets that only existed on one of the switches ie. they were not common to both. 

 

Jon

 

Paul 

 

Just to clarify, he is not asking about traffic within the same vlan he is asking about traffic between vlans across the trunk link unless I am misunderstanding what is being asked. 

 

Jon

Hello Jon

OSPF or any other IGP isn't required here, surely; the inter-VLAN routing will be done by the SVIs on either L3 switch via the trunk, whether a host in vlan 1 needs to speak to a host in vlan 3 or the other way around.

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

 

Hi Paul

 

I think the issue is that there are some vlans/IP subnets that are not on both switches so you do need an IGP between the switches to route between those vlans. 

 

If you look at the routing table and the question around it you can see that there are some subnets that are OSPF routes ie. there is no directly connected interface on the switch. 

 

I think the question is about those subnets. 

 

Jon
