routing at the distribution\Core switch

Cisco Shark
Level 1

Hi All

I have the following situation where I don't really know which solution to pick, and would really appreciate some help:

The network diagram is attached (core switches are 4506s):

My question is: what is the best solution for users connected through the Core2 switch to reach site 1 and site 2?

For Core1 it won't be a problem; using static routes would solve the issue. For Core 2, a couple of things I thought of:

1- Convert the routed ports to SVI ports and propagate them across to the second switch as additional VLANs.

2- Add an L3 link between the two cores and either use static routes or run a routing protocol for only these subnets... I wouldn't think this has any impact on HSRP?

Thanks for your help in advance

Ciscoer


Jon Marshall
Hall of Fame

Simplest solution is to connect the ISP router to both 4500s which would also increase your redundancy.

You don't need a common vlan and SVIs for this, you can use routed ports from each 4500.

It's also not clear why your access switches are being shown only connected to one 4500 instead of dual connected.

Depending on where your HSRP active gateways are, that could lead to a lot of extra traffic on the interconnect between your 4500s.

Are the above due to limitations in your cabling ?

Jon

Hi John

Thanks for the reply....

1- Sorry, I haven't listed all the connections there.. 90% of access switches have redundancy to both cores...

2- Due to cabling limits I cannot have two cables going to both cores... the two cables from the NTU represent two sites..

3- Core 2 is the active HSRP.

Thank you..

So both connections from the ISP router need to be on the same 4500 ?

With the SVI solution are you just talking about two vlans for the ISP connections and on both switches you create SVIs for these vlans and then add routes to both switches for the remote sites ?

As opposed to just using a L3 link between your core switches and adding routes for the remote sites.

Either way both connections still terminate on the same switch and all traffic goes via that switch to get to the ISP router ?

Just want to make sure I understand what you are asking.

Jon

You are correct. Both connections need to go to the same 4500 (Core 1), which is the closest to the ISP router.

Yes, I am thinking one VLAN per site with an SVI interface and static routes on both switches, but I am not sure how good this would be.

The connections still terminate on the same switch and traffic goes through one switch to get to the ISP router... I think I have to deal with the situation in case that switch goes down for some reason.

Thank you

I think that's the point I am not understanding.

Your ISP router connects to two sites.

But the LAN interfaces of the ISP router are surely just normal connections ie. aren't the NTEs on the WAN side of that router ?

Sorry to keep going on about this and it may be my misunderstanding of the physical connectivity but as you point out if the switch with both connections fails (or you need to upgrade for example) then you lose all remote site connectivity.

You don't need two cables to each core switch you only need one per switch as the same router handles both remote sites.

Is this still not possible ?

Jon

Sorry about the confusion John...

The WAN VPN connectivity from the ISP is as follows:

The NTU is a 3750 switch; the ISP provides one port (cable) per site from that switch.

The ISP router (L3 switch) is not doing any routing at all... Please see attached image.

Thanks

So the 3750 is just a L2 switch and the /30 subnets extend from your 4500 to the remote site end, is that correct ?

Jon

Yes that's correct.

Right, sorry it took so long for me to understand the setup.

Well the first thing I would say is if the ISP could route on the 3750 then you could connect back to both core switches and have redundancy because the 3750 would then be able to route to both sites.

But assuming you can't do that, the main issue with using the SVI/vlan approach as you have outlined is that by doing this you have extended L2 to the 3750 and actually to the remote sites as well. And because the ISP device is a switch, STP comes into it as well, although as it is one vlan per site there is no loop.

So I would leave your ports to the 3750 as routed ports.

Then you can either -

1) create a new vlan on the trunk and have an SVI on core 1 and core 2 and use that as a transit vlan to get to the remote sites. No end devices need to be in this vlan.

or

2) add another link, L3 as you say, and use that

Either will work fine in your setup and it really depends on whether you want to use your existing port channel and add another vlan or add another link.

You can use statics or a dynamic routing protocol. If you did use a dynamic routing protocol then only allow it on the transit vlan if that is the way you go.

It may make more sense to use the port channel as you have redundancy because of the multiple links unless of course you made the L3 connection an etherchannel.

I really would talk to the ISP though as the 3750 is a L3 switch and if they could route for the remote sites on that switch you could have a better solution.

What do you think ?

Jon

Thank you for your reply and time John. ...

I agree extending VLANs to the NTU is not a good idea; that's why I am trying to find a way with an L3 solution.

So, with the first solution:

1- With the new vlan, you mean I should create the SVI on Core 1 (correction: I should just add it as an HSRP group), and create static routes on Core2 pointing to that SVI for both of the remote sites' subnets, am I correct? And obviously have static routes on Core1 for both subnets pointing to the remote routers' IPs....

I think this would be a better solution as it leaves both switches with the L2 port channel rather than adding an additional L3 link in between.

I am not sure if the ISP would agree to do that... or even be willing to consider it.

Thank you.

Accepted Solution

With the new vlan you need to create the vlan in the vlan database on each switch and then each switch needs an SVI for that vlan.

You don't need to run HSRP for this vlan.

If you just created it on core 1 your static routes on core 2 would not have a valid next hop because core 2 needs an interface in the same subnet.

So it is a new vlan with no end devices in it at all, ie. it is just allowed on the interconnect between your switches.

It is purely used as a transit vlan between the core switches.

Think of it as a point to point link only using SVIs not L3 routed ports.

Your static routes on core 2 would point to the new vlan SVI IP address on core 1.

No need for any routes pointing back to core 2 because the source IPs will always be client vlans and both core switches know about these subnets.

I agree using the existing port channel is probably the better solution as you already have that in place. If you are specifically allowing which vlans are allowed on the trunk then make sure you allow the new vlan as well.

I take your point about the ISP although it should be very easy for them to make the change but I understand totally what you are saying and maybe the setup is more complicated than I think.

It's late here so I'm logging off but hopefully the above should be enough to get you started.

I'll check in with this thread tomorrow so if you have any more queries or there is something I haven't explained very well please feel free to post back.

Jon
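As an added illustration of the transit-VLAN option Jon describes (option 1 in his earlier reply and the clarification above), here is an example Cisco IOS configuration for both 4506s. It is not from the original thread or from Cisco; the VLAN number, interface names, the transit subnet, the remote-site prefixes and the /30 addressing toward the ISP 3750 are all constructed placeholders.

```cisco
! Added example configuration (not from the original thread). VLAN number,
! interface names and every IP address below are constructed placeholders.
!
! ===== Core 1 (4506) =====
! Ports facing the ISP 3750 stay as routed ports (one /30 per remote site),
! so no L2 domain is extended to the ISP switch or the remote sites.
interface GigabitEthernet1/1
 description To ISP 3750 - Site 1 /30
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/2
 description To ISP 3750 - Site 2 /30
 no switchport
 ip address 192.0.2.5 255.255.255.252
!
! Transit VLAN: defined in the VLAN database, no access ports ever placed in it.
vlan 900
 name CORE-TRANSIT
!
interface Vlan900
 description Transit to Core 2 (no HSRP, no end devices)
 ip address 10.255.255.1 255.255.255.252
!
! Existing L2 port channel between the cores: add VLAN 900 to the allowed list
! (only needed if the trunk already restricts which VLANs it carries).
interface Port-channel1
 switchport trunk allowed vlan add 900
!
! Static routes to the remote sites via the far-end /30 addresses.
ip route 10.1.0.0 255.255.0.0 192.0.2.2
ip route 10.2.0.0 255.255.0.0 192.0.2.6
!
! ===== Core 2 (4506) =====
vlan 900
 name CORE-TRANSIT
!
! Core 2 must have its own SVI in the transit subnet; otherwise the statics
! below have no directly connected next hop and are not installed.
interface Vlan900
 description Transit to Core 1 (no HSRP, no end devices)
 ip address 10.255.255.2 255.255.255.252
!
interface Port-channel1
 switchport trunk allowed vlan add 900
!
! Remote-site statics point at Core 1's transit SVI address.
ip route 10.1.0.0 255.255.0.0 10.255.255.1
ip route 10.2.0.0 255.255.0.0 10.255.255.1
!
! No return routes from Core 1 toward Core 2 are needed: the client VLANs
! exist on both cores (HSRP), so Core 1 already has them as connected routes.
```

On Core 2, `show ip route` should list the two remote-site statics with Core 1's Vlan900 address as the next hop; if Vlan900 is missing or down on Core 2 the routes will not appear. `show interfaces trunk` on both cores confirms VLAN 900 is in the allowed list on the port channel. Because the transit VLAN carries no end devices, none of the existing client-VLAN HSRP groups need to change.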

Thank you very much John.. I have the complete picture now.. and I will probably do more testing too...
