Migrate from Router on a stick configuration to Inter-vlan routing using L3 switches.

IS34lyf
Level 1

I am planning on migrating my campus network design from a traditional router on a stick configuration into Inter-vlan routing using L3 switches.

What are the things I have to look out for? Pitfalls? Is there a real advantage of switching over?

1 Accepted Solution

Accepted Solutions

Hello
The obvious would be Network Address Translation; only high-end switches support it, so you need to accommodate this in your migration.
Attached is a basic staged approach to migrate from a ROS device onto an L3 switch VSS/VPC/stack core, based on the assumption that the ROS device is running dynamic routing and this is enabled for its WAN-facing interconnection between itself and the ISP/WAN device, and also for the LAN interface (sub-interfaces/VLANs), which is interconnected to a LAN handoff switch/stack for the inter-VLAN routing.
The ISP/WAN device is advertising a default route into the ROS device.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Martin L
VIP

I think we will need more info, like the size of the organization, the amount and type of traffic, the topology, and the types and models of router and switch you picked for SVI L3 routing: what amount of traffic or load your router currently has, as well as the existing L3 switch or the future role of the L3 switch (besides routing). What is the current router doing (protocols, features, roles)?

I would say my major concern is whether the L3 switch will be able to handle routing in addition to its current role. Note that you can add more RAM into a router, but I don't think you can do the same for switches (at least not for c2900s-3850s). So, once you have picked the L3 switch, you will have to make sure it can handle the load.

Regards, ML
**Please Rate All Helpful Responses**

Thank you, Martin. Sorry, I should have included them in the first post.
Here are the specs:

1x - ISR4331 
2x - Cisco 3850 currently stacked (Should I break the stack?)
2x - Nexus 3K for Datacenter
12x - Cisco 2960x Access Switch
About 300 Users and 100+ VMs

Thank you!

Hello @IS34lyf ,

Generally speaking, the big advantage of moving to L3 switch inter-VLAN routing is performance.

A software-based router like your ISR4331 has a forwarding capability of less than 1 Gbps in aggregate.

Your C3850 stack, which you don't need to split, is able to perform tens of Gbps of inter-VLAN routing with L3 routing.

There are functions that can be performed only by the ISR 4331, specifically NAT for internet access.

For the migration, the best choice is to create a new VLAN to be used as a logical link between the C3850 stack and the ISR 4331, and to have this new VLAN permitted on the trunk link between the router and the C3850.

Then you need to create an SVI interface for each VLAN, and you should shut down the corresponding sub-interface on the router.

Warning: if not using HSRP or other protocols, the MAC address of the SVI will be different from that of the router sub-interface. This is actually the greatest impact on the network: all hosts in the VLAN need to learn the new MAC address using the ARP protocol.

A possible trick is to configure under the SVI the same MAC as the router sub-interface to avoid this:

interface Vlan X
 mac-address xxyy.llmm.zzkk
(X is the VLAN number and xxyy.llmm.zzkk is the MAC of the router sub-interface; the full IOS interface command is "mac-address".)

Hope to help

Giuseppe


I am curious about your statement here:

" For the migration the best choice is to create a new Vlan to be used as logical link between the C3850 stack and the ISR 4331 and to have this new Vlan permitted on the trunk link between the router and the C3850 "

I would like to know the advantage/disadvantage of setting up a VLAN between the 4431 and C3850 instead of an L3 point-to-point link.

Deepak Kumar
VIP Alumni

Hi,

I hope you selected the right hardware and software version for your network. The most important things you will require are after-office-hours work and network downtime. I hope it is a new switch that is not yet connected to the network, and you must perform prototype tests/installation.

1. Upgrade the switch to the right version. If required, activate the license.

2. Create the Layer 2 VLANs and Layer 3 SVIs on the switch as they were configured on the router (a copy of the sub-interfaces).

3. Assign the VLANs to the correct ports and uplink ports.

4. Verify that IP routing is enabled on the switch ("ip routing").

5. Are you using FHRP protocols such as HSRP/VRRP? If so, plan to migrate them if required. Better to add switches in stacks if possible.

6. Are you using any security protocols or ACLs for inter-VLAN routing? If yes, then migrate them to the switch.

7. Add a default route toward the router or NATing device, and also configure the VLAN, SVI, and port for your NATing device.

8. Take a confirmed downtime and replace the router.

If you still have any questions then share your router configuration.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
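As an added illustration of steps 2 to 4 above and of the SVI MAC trick from the earlier reply (my own script, not code from the thread or from Cisco): it parses the router's dot1Q sub-interfaces, pre-builds matching VLANs and SVIs on the L3 switch, and emits a per-VLAN cut-over order that shuts the router sub-interface before enabling the SVI with the borrowed MAC, so the same MAC is never live on both devices. Interface names, addresses and the MAC are constructed, and the parent MAC is assumed to have been read from the router's `show interfaces` output.

```python
import re

# Constructed sample router-on-a-stick config (hypothetical names/addresses, not from the thread).
ROUTER_CONFIG = """\
interface GigabitEthernet0/0/1.10
 description Data
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0/1.20
 description Voice
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
"""
# Parent-interface MAC as read from 'show interfaces' (sub-interfaces share it). Constructed value.
PARENT_MACS = {"GigabitEthernet0/0/1": "0011.2233.4455"}

def parse_subinterfaces(config):
    """Return [{name, vlan, ip, mask, description}] for every dot1Q sub-interface."""
    subifs, cur = [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+\.\d+)$", line):
            cur = {"name": m.group(1), "description": ""}
            subifs.append(cur)
        elif line.startswith("!") or cur is None:
            cur = None  # end of the interface block
        elif m := re.match(r"\s*encapsulation dot1[Qq] (\d+)", line):
            cur["vlan"] = int(m.group(1))
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            cur["ip"], cur["mask"] = m.group(1), m.group(2)
        elif m := re.match(r"\s*description (.+)", line):
            cur["description"] = m.group(1)
    return [s for s in subifs if "vlan" in s and "ip" in s]

def staged_plan(subifs, parent_macs):
    """Stage 1: pre-build VLANs/SVIs (shut) on the L3 switch. Stage 2: per VLAN, shut
    the router sub-interface, then bring the SVI up with the same IP and MAC."""
    stage, cutover = ["ip routing"], []
    for s in subifs:
        mac = parent_macs.get(s["name"].split(".")[0])  # None if the MAC is unknown
        stage += [f"vlan {s['vlan']}", f"interface Vlan{s['vlan']}",
                  f" description {s['description']}",
                  f" ip address {s['ip']} {s['mask']}"]
        stage += [f" mac-address {mac}"] if mac else []  # keep hosts' cached gateway MAC valid
        stage.append(" shutdown")  # SVI stays down until this VLAN's cut-over window
        cutover += [f"router: interface {s['name']}", "router:  shutdown",
                    f"switch: interface Vlan{s['vlan']}", "switch:  no shutdown"]
    return stage, cutover
```

Without a known parent MAC the SVI is still generated, but hosts will then have to re-learn the gateway MAC via ARP, as described above.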

Thank you for all the helpful insights. Definitely adding all these to my plan. 

Can this migration be done in phases? 

Hi,

What do you mean by phases? Are you thinking of migrating the first 2 VLANs and later on the rest of the VLANs? If yes, then it is possible, and there will be a requirement of adding some static and default routing on the router (existing) and the new switches. That is complicated and not advisable.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello


@Deepak Kumar wrote:

Hi,

What do you mean by phases? Are you thinking of migrating the first 2 VLANs and later on the rest of the VLANs? If yes, then it is possible, and there will be a requirement of adding some static and default routing on the router (existing) and the new switches. That is complicated and not advisable.


Not sure I understand your question. Are you saying a staged-approach migration on a LAN core isn't advisable? Can you elaborate on this?
Basically you have two options when it comes to this type of migration:
1) An all-in-one change, which would incur a long outage to the client, and if for some reason something doesn't work you may have to back out the whole change, causing even more downtime

or

2) A staged migration, which I have explained; this provides the added benefit of minimal outage to the client and is more deterministic.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for everyone's responses; I will take everything into consideration. I would most likely take the slower approach, since this is a bigger project than I thought it would be.

Hello Paul,

Now that I understand a bit more about our network, I would like to add some more information, and maybe you can shower me with more insights.

The ISR4431 has an interface connected to an MPLS router to reach remote branches, and another interface connected to the C3850 using sub-interfaces. We don't use NAT on the router, since we have a firewall as our exit route to the internet.

This is an example of a network design I thought might work. I would really appreciate any corrections/suggestions.

- C3850 (stacked) will act as the main router.

- Configure a point-to-point L3 connection to the 4431, Firewall, and DataCenter switches. (This is my first choice; however, someone commented above that I can create a VLAN instead? Any advice on doing so?)

- Configure OSPF to learn routes from the 4431, DataCenter Switches and Firewall.

- Connect to Access Switches using LACP.

On another note, would you create VLANs by department or by purpose? For example: Data, Voice, Wireless, etc., or Accounting, IT, Executives, etc.? Or a hybrid?

Thank you for your time!

Hello,

Your design sounds good. Just a few things:

--> - Configure a point-to-point L3 connection to the 4431, Firewall, and DataCenter switches. (This is my first choice; however, someone commented above that I can create a VLAN instead? Any advice on doing so?)

If these are all L3 connections, I would use dedicated L3 interfaces rather than VLANs. If you use VLANs, the firewall needs to 'understand' VLANs, which adds unnecessary complexity. Just use dedicated interfaces on the 3850, as in this example:

interface GigabitEthernet1/0/1
 description Uplink to 4431
 no switchport
 ip address 192.168.1.1 255.255.255.0

--> On another note, would you create VLANs by department or by purpose? For example: Data, Voice, Wireless, etc., or Accounting, IT, Executives, etc.? Or a hybrid?

It is probably a question of taste, but I would name the VLANs by functionality/purpose (VoIP/Server/Data/Wireless) rather than by department. That way you know exactly what the VLANs are used for.

Hello Georg,

Sounds good. So essentially, my connections to the 4431, Datacenter and Firewall would be dedicated L3 interfaces. Let's say I decide to configure HA with a second 4431; will I do the same thing, where I have 2 dedicated L3 interfaces? Or is this an opportunity to create an FHRP solution? Will it be the same for the Datacenter switch in HA? Can I still do EtherChannel on L3 links? Also, would OSPF be good in this design, or should I just do EIGRP, since we use Cisco equipment except for the firewall (Fortinet)?

As for VLANs, I sort of copied the idea of how Organizational Units are created in AD, where it's by department, but now that I think about it, it makes sense to make it by function/purpose.
