Can you check this infrastructure configuration will work from Floor to Core?

chris.george
Level 1

I would like to optimise our existing core to floor infrastructure:

We have 4 floors altogether with roughly 4x 48 port switches per floor.

Each floor has its own dedicated fibre link direct to the Core switch in our Data Centre (some 10Gb and some 1Gb uplinks - we are slowly upgrading to 10Gb uplinks throughout).

The DC core switch is configured as a layer 3 switch and has all the VLAN interfaces set with an IP address which is in fact the default gateway address assigned to PCs and Servers. For example - PCs are on VLAN 22, interface VLAN 22 is set as IP address 172.22.1.252/24 which is the PC configured gateway. And the Server VLAN 20 interface on the Core switch has IP address 172.16.1.252/24 representing the default GW of the Servers. In effect the Core switch is the Layer 3 switch Gateway.

The VTP mode on the Core switch is set to SERVER.

Each floor switch is a Layer 2 switch - for those capable of running Layer 3 they have been dumbed down to only be a Layer 2 switch (no IP routing).

The uplink trunks allow VLAN 20 and 22 from Core to Floors.

The floor switches VTP mode is TRANSPARENT.

Is this an optimised configuration for our estate? Are there any glaring mistakes here?

27 Replies

"On each of the fibre uplinks from the Core to the Floor I have 'allowed vlan 20,22'."

Ah! If the non-server access switches are only supporting VLAN 20, either disallow VLAN 20 on the trunk or change the port to an access-port in VLAN 20 (the latter assuming you don't want to use VTP).

Perhaps I'm being stupid here but if I disallow 20 on the fibre uplinks to the floor switches won't I be preventing vlan 22 (which are the access ports on the floor switches) from getting to servers on vlan 20 (again they are configured as access ports) because I've disallowed accessibility to vlan 20?

No, because somewhere you've enabled routing which routes between those two VLANs. That router (your core L3) needs both VLANs. Also, a server edge switch, using only VLAN 22, also doesn't need VLAN 20.

At L2, VLANs never (actually they aren't supposed to) intermix.

Hmmm - when I stop vlan 20 on the trunk, the Servers on vlan 20 cannot connect to users on vlan 22.

This is how routing is configured on the Layer 3 core switch for VLAN 22 - it's seen as automatically 'Connected'. I haven't actually put a L3 route command in there - perhaps I should then!

C        172.22.0.0/16 is directly connected, Vlan22

If you have a L3 switch, with IP routing enabled, it will, by default, route between directly connected networks.

Yes the core switch is Layer 3 and there are Connected routes between vlan 20 and vlan 22 - but when I only allow vlan 22 on the layer 2 edge switch I cannot ping servers on vlan 20 on the core switch - why would that be then?

Insufficient information to say. I would need you to explain your topology and provide configs.

I'm going to rig up a simple test lab just using 2 switches - a L3 switch and L2 switch and see if it works as you describe ...

Ok, if it doesn't, please post configs.

OK I've got it working with this config but this config has its limitations - is this what you were expecting?

Layer 2 switch config

vlan 22
 name WORKSTATIONS
!
vlan 120
 name MANAGEMENT
!
vlan 802
 name NATIVE-VLAN
!
interface GigabitEthernet1/0/1  <-- how all the access ports are configured for the workstations
 switchport access vlan 22
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24 <-- The trunk port to the test L3 Switch
 switchport trunk native vlan 802
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
!
interface Vlan22
 ip address 172.22.23.24 255.255.0.0
!
interface Vlan120
 ip address 10.10.120.120 255.255.255.0

Layer 3 switch config

vlan 20
 name SERVERS
!
vlan 120
 name MANAGEMENT
!
vlan 802
 name NATIVE-VLAN
!
interface FastEthernet0/1   <-- example of SERVER access port
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/48   <-- The trunk port config connecting to the L2 switch in this test
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 802
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
!
interface Vlan20
 ip address 172.16.17.18 255.255.0.0
!
interface Vlan120
 ip address 10.10.120.1 255.255.255.0
!
ip http server
ip http secure-server
!
ip route 172.22.0.0 255.255.0.0 10.10.120.120  <-- the route to 172.22 on the L2 switch
!

"interface Vlan22
ip address 172.22.23.24 255.255.0.0"

Should be on the L3 switch, not the L2 switch.

"interface Vlan120
ip address 10.10.120.120 255.255.255.0"

Should be a /32 on the L2.

OK so other than that are we looking OK? Is there a better way of doing this?

In my scenario there would be the one central L3 core switch into which the 16 layer 2 switches connect, each with a different 10.10.120 management address. Thanks again, soon I will get to the bottom of all this. I'm really just pruning and optimising this 'collapsed backbone' architecture as best I can; for example it's unnecessary to have a floor switch with 'ip routing' enabled when only Layer 2 functionality is required - etc etc.

I'm interested though - why should the below address be /32 - how does this affect things?


"interface Vlan120
ip address 10.10.120.120 255.255.255.0"

Oh and... "interface Vlan22 ip address 172.22.23.24 255.255.0.0" - yes it should perhaps be on the L3 switch but I was simply running a test using this interface as a source IP address rather than hooking up a PC - for example "ping 172.16.17.18 source vlan 22" - if that makes sense.

"I'm interested though - why should the below address be /32 - how does this affect things?"

What you have for that is fine - what I had in mind was a loopback management IP.

"Oh and... interface Vlan22 ip address 172.22.23.24 255.255.0.0" - yes it should perhaps be on the L3 switch but I was simply running a test using this interface as a source IP address rather than hooking up a PC - for example "ping 172.16.17.18 source vlan 22" - if that makes sense."

Generally, a L2 switch should only have one IP assigned to it, for management. For the L3 switch to route, it needs interfaces, with IPs, in all its networks. So, although having another IP on your L2 switch may or may not cause issues, your L3 switch should have both VLAN networks on it. Further, normally those IPs would be gateway IPs for hosts on those networks.
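As an added example, not code from this thread or from either poster: a short Python audit of the pruning rule the replies describe (an edge switch's trunk only needs the VLANs its own access ports or SVIs use, while the routing core needs an SVI in every host VLAN). The two config snippets are constructed to mirror the test lab above, and the function names are my own.

```python
import re
# Constructed sample configs modelled on the thread's test lab (not the poster's real configs).
EDGE_L2 = """
interface GigabitEthernet1/0/1
 switchport access vlan 22
 switchport mode access
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 20,22
 switchport mode trunk
interface Vlan120
 ip address 10.10.120.120 255.255.255.0
"""
CORE_L3 = """
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
interface Vlan20
 ip address 172.16.1.252 255.255.255.0
interface Vlan22
 ip address 172.22.1.252 255.255.255.0
"""

def parse(cfg):
    """Access VLANs, explicitly allowed trunk VLANs and SVI VLANs from an IOS-style
    snippet. A trunk with no 'allowed vlan' line carries all VLANs; not modelled here."""
    access, allowed, svis = set(), set(), set()
    iface = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        s = line.strip()
        if m := re.match(r"switchport access vlan (\d+)$", s):
            access.add(int(m.group(1)))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,]+)$", s):
            allowed.update(int(v) for v in m.group(1).split(","))
        elif s.startswith("ip address ") and iface and iface.startswith("Vlan"):
            svis.add(int(iface[4:]))
    return access, allowed, svis

def audit(edge_cfg, core_cfg):
    """(prune, missing, unrouted): trunked VLANs no edge port or SVI uses, VLANs the edge
    needs but the trunk drops, and edge host VLANs with no gateway SVI on the core."""
    edge_access, edge_allowed, edge_svis = parse(edge_cfg)
    _, _, core_svis = parse(core_cfg)
    needed = edge_access | edge_svis
    return (sorted(edge_allowed - needed),
            sorted(needed - edge_allowed),
            sorted(edge_access - core_svis))
```

With the trunk set to 'allowed vlan 20,22' as in the original question, the audit flags VLAN 20 as prunable from this edge switch and also shows that the management VLAN 120 would never reach the core, while VLAN 22 is routable because the core holds its gateway SVI.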
