10-25-2010 10:26 AM - edited 03-06-2019 01:43 PM
My boss is pushing me to make the switch configurations for our access switches as simple as possible. Basically there would be an access switch connected directly to my core switch, a Catalyst 4507. I'm not real crazy about the idea of using the uplink as an access port and leaving the VLAN assignments off of the access switch ports, so basically everything would look like it's in VLAN 1 until it hits the core and gets tagged on the egress port on the core. I'm not even convinced it will work like that; it's something he's heard from other sites doing it, only after asking around, I haven't seen where anybody has actually done it. He's not a tech guy at all, doesn't care about security, and doesn't care about any sort of good design practices. The access switches contain isolated VLANs, so the idea is okay, I'm just concerned. I don't think it's a good idea to set it up like this. Can anyone point out any real advantages or disadvantages to this? I just want to make sure I'm not being a paranoid engineer. Any help or ideas are greatly appreciated. Thanks.
10-25-2010 10:41 AM
jbraswell wrote:
My boss is pushing me to make the switch configurations for our access switches as simple as possible. Basically there would be an access switch connected directly to my core switch, a Catalyst 4507. I'm not real crazy about the idea of using the uplink as an access port and leaving the VLAN assignments off of the access switch ports, so basically everything would look like it's in VLAN 1 until it hits the core and gets tagged on the egress port on the core. I'm not even convinced it will work like that; it's something he's heard from other sites doing it, only after asking around, I haven't seen where anybody has actually done it. He's not a tech guy at all, doesn't care about security, and doesn't care about any sort of good design practices. The access switches contain isolated VLANs, so the idea is okay, I'm just concerned. I don't think it's a good idea to set it up like this. Can anyone point out any real advantages or disadvantages to this? I just want to make sure I'm not being a paranoid engineer. Any help or ideas are greatly appreciated. Thanks.
Not sure how he will tag it on the core exactly?
It's not a good idea for a number of reasons.
1) If you only have 1 vlan per switch, how will you manage the switch? Having the management IP in the same vlan as the user vlan is not a good idea from a security perspective. So at the very least you need 2 vlans per switch.
2) It sounds like everything would be in vlan 1 on the access-layer switches, so you have one big flat broadcast domain. A device on one access-layer switch that broadcasts would have that packet sent to every other device on every other access-layer switch via the 4507. This is inefficient, wastes bandwidth and wastes CPU/memory on the client devices.
3) You don't say whether you are running voice, but if you are you need a separate vlan per switch for those as well.
4) Vlan 1 shouldn't be used anyway for any traffic: not switch management traffic, and here I mean telnet/ssh, and certainly not user traffic.
What I can't understand is that if he is not a technical person, and doesn't care about security or good design, then what exactly is his input into this? And he may not care about security/good design at the moment, but if the network stops working he may well.
Personally I would use a trunk link and have at least one user vlan and one management vlan on each access-layer switch. The management vlan can be the same for all access-layer switches. Configure the trunk links to only allow those vlans relevant to each switch, which cuts down on STP instances and broadcast traffic.
Jon
10-26-2010 06:36 AM
Jon,
Thanks for the reply. I probably need to clarify a little to make things more understandable, so here goes:
We have about fifteen VLANs with 1 subnet per VLAN. Each building in the manufacturing plant will be assigned a VLAN, which will have various access switches throughout the plant, one per production line. There won't be a need for QoS or anything really special at all; it's all going to be layer 2 traffic up until the core, where it might need to be routed to another VLAN, or out to the internet, a server farm, whatever. So, the idea that is being pushed is that all the access switches would be just factory switches installed, nothing except an IP and hostname assigned to them. From there, they will directly connect to the 4507 core switch, and this is the part that I don't quite understand myself: the switchport the access switch is connected to will be assigned as an access port in that VLAN. If I understand the 802.1Q tagging correctly, the access port won't add a tag to the frame, it will only pass the frame, unchanged, out the port, so everything will still be essentially VLAN 1. Am I correct on this? I thought the port had to be a trunk in order for the frame to receive a VLAN tag. Could the native VLAN be changed to make this work? I know it would throw up a lot of native VLAN mismatch errors, but I suppose that could work.
I do have my own VLAN for management, so that is a plus, I suppose. I just don't see how this would be a good design; I'm like you, I see it as being inefficient and defeating the purpose of having VLANs.
BTW, the boss is an electrical engineer that got this dumped on him, he doesn't understand networking, doesn't care to, and makes my life a living hell telling me how to build a network...
Thanks for the reply, please let me know what you think, I'd really like to have some more knowledgable input on this.
Thanks,
John
10-27-2010 08:27 AM
So, the idea that is being pushed is that all the access switches would be just factory switches installed, nothing except an IP and hostname assigned to them. From there, they will directly connect to the 4507 core switch, and this is the part that I don't quite understand myself, the switchport the access switch is connected to will be assigned as an access port in that VLAN.
If you just assign them an IP and hostname then all ports will be in vlan 1. There will be no tag. You can then assign the port the switch connects to on the 4507 as either:
1) a trunk port, in which case if you wanted to assign the access-layer switch into a particular vlan you would need to make the native vlan of the trunk that vlan,
or
2) an access port in the vlan you want the access-layer switch to be in, which sounds like what is being proposed.
So let's say you assign the 4507 port that connects to access-layer switch 1 (sw1) into vlan 5. All packets arriving from sw1 will be placed into vlan 5 on the 4507 switch. Note with this setup you cannot run a dedicated management vlan for your switches, because you would need at least 2 vlans per link, i.e. you would need a trunk link. So that's how it would work. You're not actually tagging the packets on the 4507 because you are not using a trunk link. But in essence it would work.
Having said all that, it is not a very clever thing to do, and please feel free to quote me to your boss. If he doesn't understand networking at even the most basic level then it might be better if he left it to you to set it up correctly. Again, please feel free to quote me.
What you are doing is basically bridging 2 vlans together per access-layer switch, i.e. vlan 1 off each switch and whichever vlan you choose for each port on the 4507 switch. Each switch would run STP for vlan 1, and this STP would then extend to whatever vlan you have allocated to that switch connection on the 4500. It makes troubleshooting particularly difficult, i.e. you have an STP loop in vlan 1 on an access-layer switch but it affects vlan 5 on the 4500. L2 is confusing enough without adding this complexity. Imagine using "sh spanning-tree vlan x" from each end of the link?
A further confusion would come with the IP assignment. You have to allocate an IP for sw1 from vlan 5. But then you log onto the access-layer switch and the only L3 interface is vlan 1. Again, very confusing.
And if any new network guy comes along i can almost guarantee they will be scratching their heads. I would be. When you are in the middle of troubleshooting because the network is down the last thing you want is added complexity.
Worse still, there is no flexibility. What if you need to allow another vlan to one of the access-layer switches (this happens all the time)? You can't without a fair bit of work, i.e.
1) not only do you need to set up a trunk link but
2) you need to work out which vlan the port on the 4500 connecting to the access-layer switch is in, and then log on to the access switch and change all the ports into that vlan so when you add the new vlan you can discriminate between the 2.
I'm sure if I thought about it a while other things would occur. What I can't understand is why anyone would want to do this. At first it may seem like an easy approach, i.e. just assign an IP and hostname and it's plug and play. But with just a bit more thought it is easy to see how this could create confusion, and what makes it even more confusing for me is that the only extra work is adding a vlan and configuring the link as a trunk link. It's hardly time consuming, and with that bit of extra work you have a more flexible, easier to understand network.
Jon
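The two designs Jon walks through above, the proposed factory-default access switch behind an access port on the 4507, and his trunk with one user vlan plus one management vlan per access switch, written out as IOS configuration. This is an added example, not configuration posted in the thread. The interface numbers, the hostname sw1, vlan 99 as the management vlan, vlan 999 as an unused native vlan, and the addresses are all assumptions; only vlan 1 and vlan 5 come from the discussion. The "show" commands at the end are the checks Jon refers to for seeing which vlan a port's STP instance and traffic actually end up in.

```cisco
! ===== Proposed: access switch left at factory default =====
! sw1 has every port in vlan 1 and only a hostname and an IP on Vlan1.
! Its management address has to come from the vlan 5 subnet, because on
! the 4507 side the uplink is an access port in vlan 5: untagged vlan 1
! frames from sw1 are simply placed into vlan 5. (All values assumed.)
hostname sw1
interface Vlan1
 ip address 10.5.0.11 255.255.255.0
ip default-gateway 10.5.0.1
!
! 4507, uplink to sw1: no tag is ever added, vlan 1 on sw1 is bridged to vlan 5
interface GigabitEthernet2/1
 description uplink to sw1 (building A) - PROPOSED, access port
 switchport mode access
 switchport access vlan 5
!
! Result: "show spanning-tree vlan 1" on sw1 and "show spanning-tree vlan 5"
! on the 4507 describe the same STP topology under two different vlan numbers,
! and there is no way to carry a second (management) vlan over this link.

! ===== Recommended: 802.1Q trunk, user vlan + management vlan, vlan 1 unused =====
! 4507
vlan 5
 name bldgA-users
vlan 99
 name switch-mgmt
vlan 999
 name unused-native
interface GigabitEthernet2/1
 description uplink to sw1 (building A) - trunk
 switchport trunk encapsulation dot1q     ! only on platforms that also offer ISL
 switchport mode trunk
 switchport nonegotiate                   ! no DTP; the port is a trunk by configuration
 switchport trunk native vlan 999         ! untagged frames land in a vlan nothing uses
 switchport trunk allowed vlan 5,99       ! Jon's point: prune to what this switch needs
!
! sw1
hostname sw1
vlan 5
 name bldgA-users
vlan 99
 name switch-mgmt
vlan 999
 name unused-native
interface Vlan1
 shutdown                                 ! vlan 1 carries no management traffic
interface Vlan99
 ip address 10.99.0.11 255.255.255.0
ip default-gateway 10.99.0.1
!
interface GigabitEthernet0/1
 description uplink to 4507 - trunk (must match the core side)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 5,99
!
interface range FastEthernet0/1 - 24
 description production line ports
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable           ! an unexpected switch on a line port gets err-disabled
!
! Checks, run on both ends of the link:
!   show interfaces trunk          -> mode, native vlan and allowed vlans must agree
!   show spanning-tree vlan 5      -> same instance and vlan number on sw1 and the 4507
!   show spanning-tree vlan 99     -> management vlan is carried, vlan 1 is not
```

Adding a further vlan to sw1 later is then two lines per end (`vlan N` and an updated `switchport trunk allowed vlan` list) rather than the re-addressing and port-by-port reassignment Jon describes for the access-port design. The native vlan is set the same on both ends to avoid the mismatch errors John mentions; using an unused vlan for it keeps any untagged frame on the trunk out of both the user and the management vlan.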