site vlan connectivity

suthomas1
Level 6

Hi,

What is the best way to configure for the following scenario?

A site that will need 4 VLANs. Site has a router with two interfaces & a 3560 switch.

Should I use the router-on-a-stick method (create a subinterface for each VLAN on the router & let the switch act as pure layer 2, with the default gateway being the management VLAN interface of the router), or is there any better way? Please help, thanks.

8 Replies

Seb Rupik
VIP Alumni

Hi there,

Both topologies are valid, but there are logical and physical limitations.

 

If you opt for the router-on-a-stick model, your inter-VLAN traffic will be constrained by the bandwidth of the link between the router and 3560. Is it a 1Gbps interface? Can you create an EtherChannel?

What about inter-VLAN security? Is inter-VLAN traffic permitted unchecked? If so, you may as well have the user VLAN SVIs on the 3560 and do the routing there.

If you need some ACLs, then it will be easier to implement them on the router, especially if you require a stateful firewall function; this is where IOS Zone Based Firewall will be useful.

 

Cheers,

Seb.

Joseph W. Doherty
Hall of Fame
Depends whether you expect any internal VLAN to VLAN traffic, or all traffic will flow off-site.

Unless you purchase a high end router (e.g. ASR 1K and up), likely your router won't have anything near the routing (PPS and internal bandwidth) performance of your L3 switch, i.e. your 3560. If that's the case, you can do LAN routing using the 3560, and WAN routing with the "router".

All traffic on the 4 VLANs will be going out of the site; no inter-VLAN connectivity is needed.

The 3560 is the only switch on that site providing port connection to hosts. If the suggestion is to create SVIs on the 3560, then what should the config on the router look like?

Or please suggest the best possible option & correct my understanding. Thanks.

 

If there's no local VLAN to VLAN traffic, then what you initially proposed should be fine.

However, if you're still curious, you would configure the 3650 with SVIs, with routing enabled on it, and you could configure how it routes to/from the router several ways. For example, you could configure a P2P link between 3560 and router, and route the default to it and, on the router, route back to the VLAN networks, or you could have the subinterfaces, on the router, as you initially described, but make the SVIs the host gateways and route the default, on the 3560, to any or all the router subinterface IPs. As the router would have a "foot" in the local networks, you wouldn't need to route back to the 3560.

Thanks. Apart from VLAN filtering, what are the pros & cons of either method?

 

- L3's on the router & switch acting as layer 2 

- SVI's on the switch & p2p link connecting switch & router

 

Appreciate inputs. Thanks.

The biggest difference is likely performance (in favor of routing on the L3 switch). (Again, not an issue, if there's no local LAN routing.)

Using the L3 switch as only a L2 switch, would be best for a "simpler" network (less complex config on the switch).

Hm, looks like my reply got deleted.

With router on a stick you can utilize more features of the L3 router, such as NetFlow and traffic shaping/policing. But if there is no need for such features, there is not much difference except performance.

Best regards,
Abzal

Here you can find config example for router on a stick - https://learningnetwork.cisco.com/docs/DOC-23481

Option #2 is much easier config-wise, example - https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/14976-50.html

But in option #2 you would additionally need to set up a p2p link between the router and the 3560 switch if needed.

Best regards,
Abzal
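
An added configuration sketch, not posted by anyone in this thread, of the router-on-a-stick option with the inter-VLAN ACL point raised above: every subinterface drops traffic addressed to another local VLAN and forwards only off-site traffic. The interface names, VLAN IDs 10/20/30/40 (40 used for management), the 10.10.x.0/24 addressing and the ACL name are all assumptions.

```cisco
! --- Router: trunk to the 3560, one subinterface per VLAN (all values assumed) ---
ip access-list extended SITE-NO-INTERVLAN
 remark Block traffic to any local VLAN (including the gateway IPs), allow off-site
 deny   ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/1
 description Trunk to 3560
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group SITE-NO-INTERVLAN in
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group SITE-NO-INTERVLAN in
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
 ip access-group SITE-NO-INTERVLAN in
!
interface GigabitEthernet0/1.40
 description Management VLAN
 encapsulation dot1Q 40
 ip address 10.10.40.1 255.255.255.0
 ip access-group SITE-NO-INTERVLAN in
!
! --- 3560: pure layer 2, managed through VLAN 40 ---
no ip routing
vlan 10,20,30,40
!
interface GigabitEthernet0/1
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
!
interface Vlan40
 ip address 10.10.40.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.10.40.1
```

Because the ACL is applied inbound, it also drops packets that hosts send to the router's own 10.10.x.1 addresses, so pinging the gateway from a host fails by design; add a narrower permit above the deny if that is needed.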