09-02-2010 02:10 PM - edited 03-06-2019 12:48 PM
Hi,
We're looking to migrate our flat network to a VLAN-based network. Currently we have 220 Data nodes (default VLAN 1, 192.168.1.x/24) and 200 VoIP nodes (192.168.2.x/24).
The VoIP phones all get DHCP from a firewall and the Data VLAN PCs (data) have static IP addresses configured (it's L2, meaning they don't even have a default gateway configured).
Now, we're thinking about using a separate VLAN for VoIP and Data for each floor (closet) as below:
Data center PC 10.128.1.0/24 VLAN 11
Data Center Voip 10.128.2.0/24 VLAN 12
Ground Floor PC 10.128.3.0/24 VLAN 13
Ground Floor Voip 10.128.4.0/24 VLAN 14
Admin Floor PC 10.128.5.0/24 VLAN 15
Admin Floor Voip 10.128.6.0/24 VLAN 16
...
Currently we don't have any L3 switch in our setup and we will be adding an L3 switch at each closet as well as a couple of L3 stack switches at the Data Centre.
We have downtime constraints so we would like to do it phase-wise. Like move all users in Ground floor first, then Admin and so on. We want to move the PC static addresses to DHCP as well.
Attached are the current and proposed setup. I'd like to hear some suggestions as to how to migrate it phase-wise. Also design considerations like where to make the L2-L3 boundary, spanning or not spanning VLANs across access switches etc.
09-02-2010 03:45 PM
With Layer 3 on each floor, you can re-use the VLAN numbers and make VLAN identification a lot easier. That said, you only have 3 floors so it's really not a big ask to remember different VLANs.
09-04-2010 11:36 AM
hmmm....I've attached a diagram of the topology....Now, if I don't want STP anywhere that would mean that the link between the two dist switches will be an L3 p2p link, right? Which means unique VLANs for each access switch? But we also have users connected on the dist switches so HSRP needs to be active for those users on that switch? If anyone could help with a config template?
Also, links between dist and core are L3 so do I have to put all of them in the same subnet or each link in a /30 subnet? Is it better to run ospf/eigrp or static routes on those links?
09-05-2010 01:33 AM
syedraheel wrote:
hmmm....I've attached a diagram of the topology....Now, if I don't want STP anywhere that would mean that the link between the two dist switches will be an L3 p2p link, right? Which means unique VLANs for each access switch? But we also have users connected on the dist switches so HSRP needs to be active for those users on that switch? If anyone could help with a config template?
Also, links between dist and core are L3 so do I have to put all of them in the same subnet or each link in a /30 subnet? Is it better to run ospf/eigrp or static routes on those links?
Syed
Ideally you don't want any users connected to your distribution switches or any servers for that matter. If you could move them off then by all means go with L3 between the distribution switches and then have both L2 uplinks from the access-layer switches forwarding at the same time.
If your switches are L3 in the access-layer then you could go for a fully routed design, i.e. no L2 trunks from the access-layer, instead you use L3 uplinks. With that design STP is not an issue. However the big limitation with a fully routed access-layer is that you will not be able to have the same VLAN on multiple switches, i.e. each switch has to have its own VLAN.
So if you stick with L2 at the access-layer then you could still have a routed link between the distribution switches and run HSRP for all VLANs including the users connected to the distribution switches. The HSRP messages for all VLANs would go via the access-layer switches. However I would personally have a separate L2 link between the distribution switches for the VLAN(s) that the users who are directly connected to the switch are in. If there were multiple VLAN(s) like this the connection would need to be a trunk but the key thing would be to make sure only the VLANs for users directly connected are allowed on this trunk. The VLANs on the access-layer switches should not be allowed on the trunk. That way you can still use both uplinks from each access-layer switch to forward traffic.
Or you could simply interconnect your distribution switches with an L2 trunk for all VLANs and let STP (preferably RSTP) block one of the access-layer uplinks.
As for links between distribution and core, if they are L3 routed links, i.e. you configure the IP address on the actual physical interface, then you have no choice but to use separate /30 subnets for each link.
Jon
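An added configuration sketch of the layout described in the answer above (not part of the original thread and not Jon's own config): a pruned L2 trunk between the distribution switches, per-closet allow-lists on the access uplinks, HSRP on the SVIs, and a /30 on each routed link. The hostname, interface names, VLAN 20, the HSRP addresses and the 10.128.20.0/24 and 10.128.255.x ranges are assumptions; VLANs 13/14 and their subnets come from the first post.

```cisco
! DIST-1 (hypothetical hostname). Constructed example: interface names,
! VLAN 20 and every address outside 10.128.3.0/24 are assumptions.
! "switchport trunk encapsulation dot1q" is only needed on platforms
! that also support ISL.
!
! L2 link to DIST-2 carrying ONLY the VLAN of users plugged directly into
! the distribution switches. Access-layer VLANs 13/14 are not allowed here,
! so no L2 loop forms and both access uplinks keep forwarding.
interface GigabitEthernet1/0/24
 description L2 trunk to DIST-2 (dist-local VLANs only)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
!
! Uplink from one access switch: only that closet's VLANs are allowed.
interface GigabitEthernet1/0/1
 description Uplink from Ground Floor access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 13,14
!
! HSRP gateway for an access-layer VLAN (hellos cross the access switch).
interface Vlan13
 description Ground Floor PC
 ip address 10.128.3.2 255.255.255.0
 standby 13 ip 10.128.3.1
 standby 13 priority 110
 standby 13 preempt
!
! HSRP gateway for the dist-local VLAN (hellos cross Gi1/0/24).
interface Vlan20
 description Users attached to distribution switches
 ip address 10.128.20.2 255.255.255.0
 standby 20 ip 10.128.20.1
 standby 20 priority 110
 standby 20 preempt
!
! Routed links: the address sits on the physical port, one /30 per link.
interface GigabitEthernet1/0/23
 description L3 p2p to DIST-2
 no switchport
 ip address 10.128.255.1 255.255.255.252
!
interface GigabitEthernet1/0/25
 description L3 p2p to CORE
 no switchport
 ip address 10.128.255.5 255.255.255.252
```

DIST-2 would mirror this with the other host address in each subnet and a lower HSRP priority; `show interfaces trunk` confirms which VLANs are actually allowed and forwarding on each trunk.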
09-05-2010 04:58 AM
Hi,
Why do you want to use L3 in the Distribution layer? I would suggest an infrastructure with a Core, maybe two Catalyst 6509s or, as a cheaper way, four stacked 3750s. I'm not a designer, so it depends on your budget.
And in the access layer you can use L2 switches, like the 2960 and so on...
I don't know your building and departments but the requirements for about 500 client systems are fulfilled.
Regards Martin
09-05-2010 10:02 PM
Thanks Jon and Martin...
@ Martin ...we can't afford 6500s here and we have a limited budget. We have 2 stacked switches for the core.....I attached the proposed design earlier in my posts.