01-23-2023 05:39 PM - last edited on 01-30-2023 01:39 AM by Translator
Dear Experts,
I am working on a project at the moment and I need advice/validation from you. I have to set up an OSPF (L3) network with a collapsed core and about 12-16 departments (access layer). The OSPF domain runs from the core to the access layer (departments). I am running only one area (area 0) everywhere. At the access layer, L2 (VLANs) will remain unchanged. At the access layer I want to set up sub-interfaces (encapsulation dot1q vlan) with ip helper to hand out IP addresses. All interfaces are set as passive-interface default and activated only where OSPF communication is needed. The OSPF network type between core and access layer is point-to-point.
Example config sub-interface:
 ! 802.1Q tag 10 on this sub-interface (VLAN 10 stays L2 on the access switch)
 encapsulation dot1Q 10
 ! Gateway for one /27 (30 hosts) carved out of 10.10.10.0/24
 ip address 10.10.10.1 255.255.255.224
 ! Relay DHCP broadcasts to the Windows DHCP server
 ip helper-address 10.10.50.10
 ! Interface-mode OSPF: process 1, backbone area
 ip ospf 1 area 0
My three questions are:
1) I have for example VLAN10 at different departments. So I broke down 10.10.10.0/24 in for example three networks of 30 hosts to accommodate the stretch of VLAN 10 to different departments. Is this stretch ok? Is the solution at the access layer with the sub-interfaces the best way to go? Is there a more elegant solution?
I tested this solution in EVE-NG and it works. The DHCP server (Windows 2019) hands out IP addresses and the hosts can ping everywhere and also reach the Internet. The only thing on the firewall I would have to remember is to group all the different VLAN 10 networks so that all VLAN 10 traffic goes to the same destinations.
2) What is the best way to connect the servers to the core? At the moment I'm thinking of connecting the servers as L3 to the collapsed core. The same was my thought for the firewall: I'm thinking of doing an L3 aggregate port for the firewall so I can bundle two or more ports.
3) I want all communication between the servers and the users to go through the firewall. So I want to block direct traffic from users to servers at the core level. I was thinking of doing this with an access-list(?).
If there is anything I missed just let me know. I attached a small topo that I just created in draw.io. Hope it helps.
Please let me know what you think.
Thank you for your assistance.
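A fuller version of the access-layer configuration the post describes (two user VLANs on dot1q sub-interfaces, a point-to-point OSPF uplink, passive-interface default with only the uplink active), as an added example that is not part of the original thread or its attachment. The VLAN 10 sub-interface and the helper address are the poster's values; the interface names, the second VLAN, the /30 uplink addressing, the loopback/router-id and the OSPF key chain are assumptions made for the example.

```cisco
! Access-layer L3 device for one department (hypothetical names/addresses)
interface Loopback0
 description Router-ID (assumed 10.10.254.11)
 ip address 10.10.254.11 255.255.255.255
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the department access switch
 no ip address
!
interface GigabitEthernet0/1.10
 description Dept-A VLAN 10, first /27 carved out of 10.10.10.0/24
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.224
 ip helper-address 10.10.50.10
 ip ospf 1 area 0
!
interface GigabitEthernet0/1.20
 description Dept-A VLAN 20 (hypothetical second user VLAN)
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.224
 ip helper-address 10.10.50.10
 ip ospf 1 area 0
!
! OSPF neighbour authentication so a rogue device on the link cannot inject
! routes. RFC 5709 key chains need IOS-XE 3.12S / 15.4(1)S or newer; on older
! IOS use "ip ospf authentication message-digest" + "ip ospf message-digest-key".
key chain OSPF-KEYS
 key 1
  key-string REPLACE-WITH-A-STRONG-SECRET
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
 description Routed P2P uplink to the collapsed core (assumed 10.10.255.0/30)
 ip address 10.10.255.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-KEYS
 ip ospf 1 area 0
!
router ospf 1
 router-id 10.10.254.11
 ! Every interface is passive (advertised, but no hellos sent/accepted) ...
 passive-interface default
 ! ... except the uplink, the only place an OSPF adjacency is wanted.
 no passive-interface GigabitEthernet0/0
```

With this, the user sub-interfaces are advertised into area 0 but never form adjacencies, so a host in VLAN 10 or 20 cannot become an OSPF neighbour; only the authenticated point-to-point uplink does. Check it with "show ip ospf neighbor" (one neighbour, the core) and "show ip ospf interface brief" (sub-interfaces listed with state P2P/DR-less but no neighbours).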
01-24-2023 02:12 AM
Hello,
here are my thoughts:
--> 1) I have for example VLAN 10 at different departments. So I broke down 10.10.10.0/24 into, for example, three networks of 30 hosts to accommodate the stretch of VLAN 10 to different departments. Is this stretch OK? Is the solution at the access layer with the sub-interfaces the best way to go? Is there a more elegant solution?
If you subnet 10.10.10.0/24 into different subnets, you are effectively creating new VLANs. I would not use the same VLAN name, as you do not know which IP address space belongs to that name (it could be three different subnets). Better to create a separate VLAN for each address space.
--> 2) What is the best way to connect the servers to the core? At the moment I'm thinking of connecting the servers as L3 to the collapsed core. The same was my thought for the firewall: I'm thinking of doing an L3 aggregate port for the firewall so I can bundle two or more ports.
I would put the servers in a separate VLAN. That way, you can control access on the core layer 3 switch.
--> 3) I want all communication between the servers and the users to go through the firewall. So I want to block direct traffic from users to servers at the core level. I was thinking of doing this with an access-list(?).
Ideally, the firewall should not be used to route between internal networks, especially since you already have a core layer 3 switch that does all the routing. As stated in 2), access between the server VLAN and the user VLANs can be controlled at the core layer 3 switch.
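One way to implement what this answer recommends on the collapsed core: servers in their own VLAN behind a core SVI, user-to-server access restricted by an ACL on that SVI, the firewall reached over an L3 port-channel and used only for the default route. This is an added example, not configuration from the thread. 10.10.50.10 is the DHCP server address from the original post; VLAN 50 and 10.10.50.0/24 for the servers, the user /24s in the object group, the core port names, the /30 to the firewall and the key chain are assumptions.

```cisco
! Collapsed-core L3 switch (hypothetical names/addresses)
vlan 50
 name SERVERS
!
! User address space is kept in one object group so every ACE refers to it
! once (needs object-group ACL support, e.g. IOS-XE Catalyst 9000/3650/3850).
object-group network USER-SUBNETS
 10.10.10.0 255.255.255.0
 10.10.20.0 255.255.255.0
 10.10.30.0 255.255.255.0
!
! Stateless router ACL: we only filter traffic *towards* the servers, so
! replies need no "established" handling. DHCP relayed by ip helper-address
! is sourced from the access sub-interface IP (e.g. 10.10.10.1), which is
! inside USER-SUBNETS, so the bootps rule covers relayed requests.
ip access-list extended USERS-TO-SERVERS
 remark DHCP relay and DNS to the domain controller are the only direct flows
 permit udp object-group USER-SUBNETS host 10.10.50.10 eq bootps
 permit udp object-group USER-SUBNETS host 10.10.50.10 eq domain
 permit tcp object-group USER-SUBNETS host 10.10.50.10 eq domain
 remark everything else from users to the server VLAN is dropped
 remark ("log" punts to CPU on most switches - keep it for a few ACEs only)
 deny   ip  object-group USER-SUBNETS 10.10.50.0 0.0.0.255 log
 remark management, firewall and transit traffic are not affected
 permit ip any any
!
interface Vlan50
 description Server VLAN default gateway
 ip address 10.10.50.1 255.255.255.0
 ! "out" = traffic leaving the switch into VLAN 50, i.e. towards the servers
 ip access-group USERS-TO-SERVERS out
 ip ospf 1 area 0
!
! L3 port-channel to the firewall inside interface (two bundled ports)
interface Port-channel1
 description L3 LAG to firewall inside (assumed 10.10.60.0/30)
 no switchport
 ip address 10.10.60.1 255.255.255.252
!
interface range GigabitEthernet1/0/47-48
 no switchport
 no ip address
 channel-group 1 mode active
!
! P2P uplink to one department; same key chain as on the access side
key chain OSPF-KEYS
 key 1
  key-string REPLACE-WITH-A-STRONG-SECRET
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet1/0/1
 description P2P uplink to Dept-A access router
 no switchport
 ip address 10.10.255.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-KEYS
 ip ospf 1 area 0
!
! Internet goes to the firewall; internal east-west stays on the core
ip route 0.0.0.0 0.0.0.0 10.10.60.2
router ospf 1
 router-id 10.10.254.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 default-information originate
```

Two checks worth doing after applying this: "show ip access-lists USERS-TO-SERVERS" should show the deny counter climbing when a user host tries to reach a server on a port other than DHCP/DNS, and "show ip route" on an access device should show the OSPF external default (O*E2) pointing at the core, not at the firewall. The firewall's own policy then only has to cover Internet-bound flows, which is the split the answer describes.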
01-24-2023 12:46 AM - edited 01-24-2023 07:40 AM
Let's check the design point by point.
First, making clients send to the FW and then from there to the DHCP server: why are you looking for that?
You can use L2 security instead and keep the FW for outbound Internet and cloud access.
Best way to connect the DHCP server? You have clients in different networks, so you need to put the DHCP server in a different subnet and use IP helper under the SVI interface.
01-24-2023 07:31 AM
Guys many thanks for your prompt reply and very good advice.
Appreciated.