03-14-2023 09:03 AM
Hello.
RE: basic vlan architecture design & routing...
My intent is to isolate a specific-task primary server in one branch, and a secondary server in another branch.
My understanding is that the best design is to maintain these devices inside their own same vlan and subnet. 1. Is this correct?
If so, that would mean I would need to implement /32 routes within the same subnet to different branch locations.
2. Is this recommended architecture?
3. If not, what is the recommended architecture?
Thank you.
03-14-2023 02:36 PM
"So same vlan at both branches?"
If by "same" you mean the same VLAN ID number, probably. If you mean the same L2 broadcast domain, that's not what I had in mind, but it can be possible too (the latter, though, is still somewhat unusual to do across an L3 infrastructure, assuming that's the case).
"What about the subnet-- same subnet?"
What I had in mind, again, no. Again, if you're really extending the SAME L2 domain, yes it can be. Again, doing so can make for some interesting performance issues.
I'm wondering, if you're after a L2/L3 active/standby architecture, geographically separated for redundancy, often that can be done, but they do come with their own "challenges".
03-14-2023 10:32 AM
You would need to further define "isolate".
By "same vlan and subnet", do you mean the same L2 broadcast domain and its corresponding IP network, across an L3 infrastructure?
Can you provide references, if any, to what you've possibly have been reading on this subject?
03-14-2023 10:51 AM
My intent is to install the same branch topology on 2 branches. I intend to connect a secure device to a layer 3 switch that connects to a router. I prefer to implement routing at the router.
My idea was to create a layer 2 and 3 separation for these 2 specific devices located in different branches.
What is the recommended architecture?
Thank you.
03-14-2023 12:07 PM
Is your L3 switch routing?
If so, I would suggest separate VLAN and a /30 network. Gateway a SVI.
This would allow ACL control in/out SVI and/or using VRF(-lite).
03-14-2023 01:47 PM
So same vlan at both branches?
What about the subnet-- same subnet?
03-14-2023 01:55 PM - edited 03-14-2023 01:55 PM
Each VLAN should totally have a separate subnet. For this implementation a /30 would be fine if you totally aren't planning for expansion. This will allow for 2 usable addresses: the first address would be for the server itself and the second would be placed on the interface/sub-interface of the router that you are configuring. This would be a great practice to implement VLSM (variable length subnet masking). A layer 3 switch will be capable of routing in between VLANs and for security purposes it would be best to keep servers separate totally.
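The two answers above (a dedicated VLAN per server, a /30 subnet, the SVI as gateway, and ACLs in/out on the SVI) translate into a fairly small IOS configuration. The following is an added example written for this thread, not a configuration posted by any participant. Everything in it is assumed: branch A uses VLAN 110 and 10.10.110.0/30 with the server on .1 and the SVI on .2 (the split described in the previous post), branch B is assumed to use VLAN 120 and 10.20.120.0/30 with the same layout, 10.0.100.0/24 is a hypothetical management network, and TCP 5432 stands in for whatever port the primary/secondary replication really uses.

```ios
! Branch A L3 switch (IOS). Added example with assumed names/addresses.
! Branch B mirrors this with VLAN 120 and 10.20.120.0/30.
!
vlan 110
 name SERVER-A
!
! Access port for the server: one VLAN, no trunking, no DTP negotiation.
interface GigabitEthernet1/0/10
 description PRIMARY-SERVER
 switchport mode access
 switchport access vlan 110
 switchport nonegotiate
 spanning-tree portfast
!
! Traffic the server sends toward the rest of the network (enters the SVI).
ip access-list extended SERVER-A-IN
 remark replication to the secondary server at branch B (assumed port 5432)
 permit tcp host 10.10.110.1 host 10.20.120.1 eq 5432
 remark replies to management sessions opened from the admin network
 permit tcp host 10.10.110.1 10.0.100.0 0.0.0.255 established
 remark DNS and NTP to assumed internal servers
 permit udp host 10.10.110.1 host 10.0.100.53 eq 53
 permit udp host 10.10.110.1 host 10.0.100.123 eq 123
 deny ip any any log
!
! Traffic heading into the server VLAN (leaves the SVI toward the server).
ip access-list extended SERVER-A-OUT
 remark SSH management only from the admin network
 permit tcp 10.0.100.0 0.0.0.255 host 10.10.110.1 eq 22
 remark replication sessions initiated by the secondary
 permit tcp host 10.20.120.1 host 10.10.110.1 eq 5432
 remark return traffic for sessions the server itself opened
 permit tcp any host 10.10.110.1 established
 permit udp host 10.0.100.53 eq 53 host 10.10.110.1
 permit udp host 10.0.100.123 eq 123 host 10.10.110.1
 deny ip any any log
!
! The /30 SVI is the server's default gateway; the ACLs enforce in/out here.
interface Vlan110
 description SERVER-A gateway
 ip address 10.10.110.2 255.255.255.252
 ip access-group SERVER-A-IN in
 ip access-group SERVER-A-OUT out
 no ip redirects
 no ip proxy-arp
!
! Routed uplink to the branch router; inter-branch routing stays on the router.
interface GigabitEthernet1/0/24
 description UPLINK-TO-BRANCH-ROUTER
 no switchport
 ip address 10.10.0.2 255.255.255.252
!
ip routing
ip route 0.0.0.0 0.0.0.0 10.10.0.1
```

Because each branch's server sits in its own /30, the branch routers simply advertise (or are statically given) 10.10.110.0/30 and 10.20.120.0/30; no /32 host routes and no stretched VLAN are needed, which is the point the replies above make. The `deny ip any any log` entries are what you watch for in syslog: a hit on SERVER-A-IN means the server tried to reach something outside its allowed set, and a hit on SERVER-A-OUT means something tried to reach the server from an unexpected source. If you later want the two server VLANs fully walled off from the branch user networks, the same SVIs can be placed in a VRF (VRF-lite) as the earlier reply suggests; the ACLs then remain the per-host control inside that VRF.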
03-15-2023 05:38 AM
When data is hopping from router to router, if any of those connections are not configured as 802.1Q (or ISL), the VLAN info gets dropped, correct?
03-15-2023 06:25 AM
Normally, yes. There are ways to pass L2 across L3, but I don't know if any support passing multiple VLANs. I would think the latter might be possible.
Is doing this a requirement?