3639 Views | 0 Helpful | 7 Replies

Migrate Network from layer 2 to layer 3

TheRealBecks (Level 1)

Hello,

I have an existing network topology with the following parts and configurations:

- 2x WS-C6509-E (core) combined with SSO as one device

--> 75 VLANs with interfaces, VTP 3

 

- 8x WS-C4506 ("switch1" to "switch8") with connected clients and servers

--> 75 VLANs activated

--> two Gig interfaces are connected to one WS-C6509-E and two to the second device; all four Gig interfaces are configured together as one port-channel

The number of clients varies a lot and some VLANs have up to 217 clients at the moment, so the broadcast domain could become too "large" in the future. The problem is that clients of one department (=VLAN) are connected to all eight switches and not only to one device. So I'm investigating how I should migrate that network over to layer 3 with OSPF. The main questions are:

- How should clients be configured on the WS-C4506? Should I configure those 75 VLANs? Do I need private VLANs, so that clients on one device can't communicate with others on layer 2?

- When configuring OSPF, how many SVIs do I need on every WS-C4506?

 

The 10.0.0.0/8 network should be used for this task. Please also see the attached picture, which shows the current physical connections.

 

Thanks for replies!

Martin Beckert

1 Accepted Solution


7 Replies

Jon Marshall (Hall of Fame)

Martin

Presumably you have one IP subnet per vlan?

The problem you have is that clients within the same vlan are connected to all the client switches which means you can't make the uplinks to the 6500s L3 routed links. You cannot route between clients in the same vlan/IP subnet.

If you created an L3 SVI for the same vlan on each client switch then each switch would see in its routing table a locally connected interface for that IP subnet, so it is never going to know that some clients within the same IP subnet are on other switches.

The only way you could make this a L3 design is if you could ensure that a vlan/IP subnet is only on one client switch. You can have multiple vlans per client switch but they must only exist on that switch ie. you can't have any vlan existing on multiple client switches.

That said, you say that the etherchannel from each client switch is spread between the 6500 pair, so I assume you are running VSS. If so, what you have at the moment is a standard design. So are you experiencing any issues at the moment with broadcasts etc.?

One thing that may be worth doing is limiting which vlans are allowed on which trunks (assuming you aren't already) unless of course you really do have at least one client in every vlan on every client switch.

Jon

Hello Jon!

Quote: "The problem ... vlan/IP subnet.

If you ... other switches.

The only ... client switches."

Yes, that's exactly what I already know :) So it's no problem for me to configure an L3 network with OSPF when only one or a few VLANs are on one switch and not spread across the whole building/network, so every VLAN would get its own IP subnet.

Quote: "That ... is a standard design."

Yes.

Quote: "So are you experiencing any issues at the moment with broadcasts etc ?"

No, everything is fine at the moment. The only point is that I'm not sure how to implement an L3 network with this physical distribution of clients. So what happens if we get another eight switches and some broadcast domains grow to over 500 clients? This scenario is realistic and I have no idea how to solve this problem.

Quote: "One thing that ... in every vlan on every client switch."

I think there are only a few VLANs here and there that aren't needed on a specific switch, so that's no problem at the moment and there's no need to configure this.

 

So I'm asking my question differently: How would senior admins implement an L3 network with this hardware, bearing in mind that eight more switches (8 x 200 client ports) could come along and that departments are spread all over the building? That's the point :)

Thanks for your reply!

Martin

Martin

So I'm asking my question differently: How would senior admins implement an L3 network with this hardware, bearing in mind that eight more switches (8 x 200 client ports) could come along and that departments are spread all over the building? That's the point :)

Just to clarify. Are you equating departments with vlans, ie. if the departments are spread across the building then so are the vlans?

I'm struggling to work out whether you are asking -

1) each vlan will be spread across all client switches because of the way departments match up with vlans

or

2) I can isolate each vlan to a particular client switch but what happens if I get more clients in a vlan than there are ports on a particular client switch.

or

3) something else entirely:-)

Jon

Just to clarify. Are you equating departments with vlans, ie. if the departments are spread across the building then so are the vlans?

Yes, so here's a hypothetical example: staff from the accounting department are spread all over the building, so these clients are all in VLAN 3 and VLAN 3 is configured on every switch.

So this is a layer 2 topology. But if I get more switches (with 200 ports per switch) and therefore more clients per VLAN, should this topology still be layer 2? Or would it be best practice to migrate that network over to layer 3? And the resulting final question: if it's going to be layer 3, how should that be configured? :)

The point is that I don't know how senior administrators would handle this scenario, so I'm unsure whether it should be changed to layer 3 in the future.

Thanks,

Martin

Martin

If the vlans are spread across all the client switches you can't make this an L3 design. An L3 design would mean the connections from the client switches to the 6500s are L3 and each switch routes the vlans locally instead of on the 6500s.

With your current setup what you would need is an overlay technology such as EoMPLS, or in a virtualised environment something like VXLAN, but these are technologies used in specific environments and they require specific hardware.

So unless you can isolate the vlans to specific client switches I don't think L3 is really practical in your setup. You would need to break the department/vlan model you have. I have done an L3 design based on floors in the building, not on which departments people were in, so we could limit the vlans to specific floors, ie. to specific switches.

All that said I'm not sure you have an issue. There is nothing to stop you creating a new vlan/IP subnet for a department if they exhaust the existing address space of their current vlan so you could contain broadcasts that way.

And VSS does lend itself to the design you currently have, ie. each client switch is forwarding on all uplinks without the need for STP to block any links.

Does that make sense?

Please feel free to ask further if you have more questions.

Jon
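As an added illustration of the "new vlan/IP subnet for the department" option Jon describes above, combined with the trunk pruning he suggested in his first reply: this is example configuration, not anything posted in the thread. It assumes the accounting department is VLAN 3 on 10.0.3.0/24 and has run out of addresses, that the 6500 VSS pair routes all VLANs and is the VTP v3 primary server, that only switch1 (Po1) and switch2 (Po2) will get ports in the new VLAN, and that the DHCP server is 10.0.250.10. Nothing on the 4506s changes except which VLANs their trunks carry.

```ios
! Added example, not configuration from the thread. All VLAN IDs,
! addresses, port-channel numbers and the DHCP helper are assumptions.
!
! --- on the 6500 VSS pair ---
vlan 103
 name Accounting-2
!
interface Vlan103
 description Accounting, second subnet (new accounting ports go here)
 ip address 10.0.103.1 255.255.255.0
 ip helper-address 10.0.250.10
 no ip redirects
 no ip proxy-arp
!
! Carry VLAN 103 only to the 4506s that need it, so its broadcasts
! never reach the uplinks of the other six switches.
interface Port-channel1
 description trunk to switch1
 switchport trunk allowed vlan add 103
!
interface Port-channel2
 description trunk to switch2
 switchport trunk allowed vlan add 103
!
! While at it, drop VLAN 3 from trunks to switches that have no
! accounting desks at all (here switch8 on Po8), for the same reason.
interface Port-channel8
 description trunk to switch8
 switchport trunk allowed vlan remove 3
!
! --- on switch1 and switch2 (the VLAN itself arrives via VTP v3) ---
interface GigabitEthernet2/1
 description accounting desk, new allocation
 switchport mode access
 switchport access vlan 103
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify on the 6500s:
!   show interfaces trunk        (103 allowed on Po1 and Po2 only)
!   show ip route 10.0.103.0     (directly connected, Vlan103)
!   show vtp status              (revision incremented, v3 primary)
```

The allowed-VLAN list is per trunk end, so make the matching `switchport trunk allowed vlan` change on the 4506 side of each port-channel as well; otherwise the pruning only takes effect in one direction. Routing between 10.0.3.0/24 and 10.0.103.0/24 happens on the 6500s exactly as for any other pair of VLANs, which is Jon's point that the switches "don't know and don't care" which department a VLAN belongs to.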

I have done an L3 design based on floors in the building, not on which departments people were in, so we could limit the vlans to specific floors, ie. to specific switches.

Yeah, that's something I wanted to hear! :D Ok, it sounds interesting. My Cisco 4506 models have up to four modules, each with 48 Gig ports, so I could configure a VLAN for each module and link it to an SVI on layer 3. So every 4506 would have four SVIs and I could configure OSPF in my network.

Now the question is: do you use protected VLANs on your access ports? And how do you restrict access to your servers in the network? Do you use ACLs for that and permit single IPs for each server?

Greetings

Martin
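The per-module layout Martin sketches above, as an added example of what one WS-C4506 would look like in that routed-access design (this is illustrative configuration, not anything posted in the thread or taken from a Cisco design guide). It assumes the hostname switch1, line cards in slots 2 to 5, VLAN IDs 11 to 14, subnets 10.1.0.0/24 to 10.1.3.0/24 (together 10.1.0.0/22, so the switch can be summarised as one route), the four former trunk ports Gi1/1-4 as the uplink, a /30 point-to-point to the 6500 VSS pair, OSPF area 1 as a stub area, and a DHCP server at 10.0.250.10. Check that the supervisor's IOS feature set actually licenses OSPF before copying it.

```ios
! Added example, not the thread's configuration. One 4506 in the
! one-VLAN-per-line-card L3 design. Hostname, slots, VLAN IDs, addresses,
! OSPF area and helper address are all assumptions.
hostname switch1
!
ip routing
!
vlan 11
 name switch1-slot2
vlan 12
 name switch1-slot3
vlan 13
 name switch1-slot4
vlan 14
 name switch1-slot5
!
! One subnet per line card; all four sit inside 10.1.0.0/22.
interface Vlan11
 ip address 10.1.0.1 255.255.255.0
 ip helper-address 10.0.250.10
 no ip redirects
 no ip proxy-arp
interface Vlan12
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.0.250.10
 no ip redirects
 no ip proxy-arp
interface Vlan13
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.0.250.10
 no ip redirects
 no ip proxy-arp
interface Vlan14
 ip address 10.1.3.1 255.255.255.0
 ip helper-address 10.0.250.10
 no ip redirects
 no ip proxy-arp
!
! Access ports: the broadcast domain is the line card, so it can never
! exceed 48 hosts however many switches are added later.
interface range GigabitEthernet2/1 - 48
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range GigabitEthernet3/1 - 48
 switchport mode access
 switchport access vlan 12
 spanning-tree portfast
 spanning-tree bpduguard enable
! (slots 4 and 5 likewise, into VLANs 13 and 14)
!
! Uplink: the same four Gig ports that used to be a trunk, now a routed
! EtherChannel with a /30 to the VSS pair. Replace <shared-key>.
interface range GigabitEthernet1/1 - 4
 no switchport
 channel-group 1 mode active
interface Port-channel1
 description routed uplink to 6500 VSS
 no switchport
 ip address 10.255.0.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <shared-key>
!
router ospf 1
 router-id 10.1.0.1
 passive-interface default
 no passive-interface Port-channel1
 network 10.1.0.0 0.0.3.255 area 1
 network 10.255.0.0 0.0.0.3 area 1
 area 1 stub
!
! Verify:  show ip ospf neighbor    (one FULL neighbour on Po1)
!          show ip route ospf       (a default from the 6500s, nothing else)
```

On the 6500 side the matching pieces are the other end of the /30 with the same MD5 key, `area 1 stub no-summary` so the 4506 only receives a default route, and `area 1 range 10.1.0.0 255.255.252.0` so each access switch appears in area 0 as a single /22. `passive-interface default` keeps OSPF hellos off the client VLANs, so no client can inject a route by pretending to be a neighbour. The trade-off Jon raises still applies: anything that needs L2 adjacency with a host on this switch has to be plugged into this switch.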

Martin

We didn't use private vlans but as I have said before in other threads I haven't ever needed or wanted to use them. Others on the forums have different views so I may be a bit biased but the only time I would really use them is to preserve an IP space such as a public IP range but still isolate devices within that range.

Perhaps others could comment on their usefulness here.

On a more general note you need to decide what type of protection the servers need. On an internal LAN (not DC) you may decide you don't need it. We often didn't use anything with servers local to a building but then we had a DC for all our main servers and the critical ones such as database servers etc. were firewalled. You could use acls but it depends on the apps running eg. Microsoft services often require some of the more insecure ports to be allowed through anyway.

It really comes down to what servers you have, how important they are and what internal security policies you have as well, so it's difficult to say. It may be that an acl on the server vlan(s) SVI(s) may be enough.

With regard to moving to L3: when I designed the L3 network I was referring to, one of the key motivations was STP, ie. not just failover but also the ability to use the full throughput of the uplinks. But that was before things like VSS. When VSS came along, or more precisely MEC (Multi-chassis EtherChannel), which is also supported on stacked switches, and vPC on the Nexus switches, the need to work around STP was no longer an issue as such.

Using L3 from the access layer switches means less flexibility, ie. you cannot have a vlan on multiple switches, which is where this discussion started. Keep in mind that some servers might need L2 adjacency, ie. they need to be in the same vlan, so if your servers also connect to the client switches an L3 solution would mean some of the servers might (and it is only a might) need to be on the same switch.

If they connect to the 6500s it is a non issue.

But the most important point is this. When you say that with your current design, if you buy new switches, the broadcast domains could grow too large, you seem to be assuming that buying more switches means more ports per existing vlan, and it would if you simply extended the same vlans to the new switches and kept on allocating ports into those vlans.

But there is no need to do this. You can simply say that all vlans use a class C address space and if the addressing runs out in a vlan you just create a new vlan with a new IP subnet. All the vlans are routed on the 6500s so as long as you create the corresponding SVI on the 6500s it will work fine with no additional performance hit. There is no technical reason why a department cannot have multiple vlans assigned to it ie. the switches don't know and don't care.

So although I am not trying to talk you out of it, I would think long and hard about what possible benefits you would get from moving to an L3 setup, ie. what, if anything, you gain and what difficulties you may face in the future, again if any.

Okay that's probably enough for now. Feel free to come back with more queries, observations etc.

One last point. I haven't read the design docs for a while now so there may be new recommendations I'm not aware of. I have also assumed throughout this thread we have been dealing with a non DC setup so let me know if it is otherwise.

So if anybody else wants to add to this thread they would be more than welcome.

Jon
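As an added example of the "acl on the server vlan(s) SVI(s)" option Jon mentions, including the Microsoft ports he notes usually have to be open anyway: this is illustrative configuration for the 6500 VSS pair, not anything from the thread. It assumes a server VLAN 200 on 10.0.200.0/24, a domain controller at 10.0.200.10, a file server at .20, an intranet web server at .30, an admin subnet 10.0.250.0/24, and clients anywhere in 10.0.0.0/8.

```ios
! Added example, not from the thread. VLAN, addresses, server roles and
! the admin subnet are all assumptions.
!
! Direction matters on an SVI: "in" filters packets arriving FROM hosts
! in the VLAN (servers talking out), "out" filters packets the 6500
! routes INTO the VLAN (clients reaching servers). To restrict who may
! reach the servers, the list goes outbound on Vlan200.
!
ip access-list extended SERVERS-OUT
 remark --- management: SSH/RDP only from the admin subnet ---
 permit tcp 10.0.250.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 22
 permit tcp 10.0.250.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 3389
 remark --- domain controller: DNS, Kerberos, NTP, RPC mapper, LDAP(S),
 remark --- SMB and the RPC dynamic range; NetBIOS 137-139 left out ---
 permit udp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq domain
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq domain
 permit udp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 88
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 88
 permit udp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 123
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 135
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 389
 permit udp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 389
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 445
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq 636
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.10 range 49152 65535
 remark --- replies to the DC's own DNS forwarding (stateless ACL) ---
 permit udp any eq domain host 10.0.200.10
 remark --- file server: SMB only ---
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.20 eq 445
 remark --- intranet web server ---
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.30 eq 443
 remark --- replies to TCP sessions the servers themselves open ---
 permit tcp any 10.0.200.0 0.0.0.255 established
 remark --- ICMP that PMTUD and troubleshooting rely on ---
 permit icmp 10.0.0.0 0.255.255.255 10.0.200.0 0.0.0.255 echo
 permit icmp any 10.0.200.0 0.0.0.255 packet-too-big
 permit icmp any 10.0.200.0 0.0.0.255 unreachable
 deny ip any any log
!
interface Vlan200
 description Servers
 ip address 10.0.200.1 255.255.255.0
 ip access-group SERVERS-OUT out
!
! Verify from a client subnet: SSH to any server should be refused,
! SMB to 10.0.200.20 should work, and the deny should appear in syslog.
```

Two caveats worth knowing before relying on this. First, traffic between two servers in VLAN 200 is switched, never routed, so it never crosses the SVI and this list cannot see it; separating servers from each other needs private VLANs or a firewall, which is the case Jon describes for database servers. Second, the ACL is stateless: `established` covers TCP replies to connections the servers open, but any UDP the servers initiate needs its own permit (hence the DNS-forwarding line). On the 6500 the list is applied in hardware and the `log` keyword punts matching packets to the route processor at a rate limit, so treat the logged denies as a sample, not a count.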

 
