06-19-2023 11:55 AM
My company has three branches, and we want to connect them using fiber cables.
We have two options:
Option 1: connect them using trunk ports. This option will be much easier in configuration. We can later give each branch its own VLANs.
Option 2: connect them using WAN ports, i.e. each site will have its own different IP ranges and we route them using static or dynamic routing. Using this option will be much harder in configuration and management.
The question is: what is the best practice and which is the more secure option?
In option 1 (trunk ports), should I worry about any security issues, for example broadcast attacks? Should I worry about any loops in the network?
Are there any advantages in option 2 (routing), like isolating an issue to a specific site, or will VLANs do this job exactly as if I used routing?
BR,
06-19-2023 12:16 PM
Hi,
Unless you need to share a VLAN or VLANs across both sides, it is easier to go with a routed solution to begin with. So, just give each site its own IPs/VLANs and use a /30 to connect them together. If you only have a few subnets, static routes work fine, but if you have a lot of subnets a dynamic routing protocol, e.g. OSPF, works well. In a routed environment, you never have to worry about one side's broadcast storm bringing the other site down.
HTH
06-19-2023 12:48 PM
Hi
There are advantages and disadvantages to both ways, and the tie-break depends on your needs.
If your HQ has a pair of switches in VSS or StackWise Virtual, trunk mode has some interesting points:
You can bring up two uplinks, and they will both be up at the same time, as no spanning-tree will be in place. Which means, if you have 10G interfaces, your uplink will have 20 Gig capacity.
If you need to share VLANs among sites, or between sites and HQ, it would be possible.
Layer 3 is more complex and also has the benefit of no spanning-tree.
You will be limited if you need to share VLANs.
You can load balance your uplinks.
06-19-2023 04:24 PM
Thanks Miranda
You said "Layer 3 is more complex and also have the benefit of no spanning-tree."
What are the benefits of no spanning-tree? Why should I worry while using spanning tree?
06-19-2023 07:28 PM
Spanning-tree, if you don't have VSS or a stack, will shut down one uplink to avoid a loop, and this prevents you from using both uplinks at the same time.
06-19-2023 01:02 PM
L3, sure. L2 means you have a big L2 domain, and this with STP is a nightmare.
NOTE: the above applies in case each site has its own VLAN (different subnet) and there is no need to bridge traffic.
06-19-2023 04:27 PM
Many thanks for your reply.
But why is using a big L2 domain with STP a nightmare? Isn't STP supposed to prevent loops? Why can this be a nightmare?
06-19-2023 04:46 PM
If one SW (root) in one branch goes down, then all SWs in all branches will start electing a new root SW.
To prevent a loop, one link will be BLK; if this link interconnects two branches, then these branches will forward traffic via the third branch.
Cisco recommends a max of 7 SWs (hops) for STP; if more, then you need to adjust the BPDU timers, which if not correct leads to missing BPDUs in some SWs, which in the end leads to there being more than one root in the domain.
These are some of the points you will face with a big L2 domain.
06-19-2023 09:49 PM
Hello @Vencola,
Using the trunk ports option allows for easier configuration and VLAN management. Each branch can be assigned its own VLANs, enabling traffic separation and control. Trunk ports transmit multiple VLAN traffic across a single link, tagging each frame with a VLAN identifier.
Trunk ports can create loops if not properly configured or if spanning tree protocols are not implemented. Implementing loop prevention mechanisms like STP is essential to avoid network disruptions caused by loops.
Using WAN ports and routing protocols allows each branch to have its own IP range, and traffic between branches is routed using static or dynamic routing protocols. I think that this option provides more flexibility and granularity in network design and management. With IP-based routing, it is crucial to implement proper firewall rules, access controls, and/or encryption mechanisms to secure traffic between branches.
Implementing and managing routing protocols can be more complex compared to configuring trunk ports.
Both options can be secure if implemented following best practices and appropriate security measures.
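To make the two options from this thread concrete, here is an added Cisco IOS configuration sketch (not from any poster in the thread): option 2 as a routed /30 link with a static route or OSPF, as the second reply describes, and option 1 as a trunk with the STP safeguards later posts say are essential. The addressing (10.255.0.0/30 for the link, 10.1.0.0/16 at HQ, 10.2.0.0/16 at Branch A, VLANs 20 and 21 for Branch B) and interface numbers are assumed for illustration.

```cisco
! ---- Option 2: routed fiber link HQ <-> Branch A (assumed addressing) ----
! HQ core switch
interface GigabitEthernet1/0/1
 description Fiber to Branch A
 no switchport
 ip address 10.255.0.1 255.255.255.252
!
! A few subnets: one static route toward Branch A's block is enough
ip route 10.2.0.0 255.255.0.0 10.255.0.2
!
! Many subnets: run OSPF on the /30 instead of static routes
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
!
! Branch A edge switch
interface GigabitEthernet1/0/1
 description Fiber to HQ
 no switchport
 ip address 10.255.0.2 255.255.255.252
!
! Default route toward HQ; a broadcast storm at HQ stops at this L3 boundary
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! ---- Option 1: trunk to Branch B, with STP kept under control ----
! On HQ only: pin the root so a branch switch failure cannot trigger
! a domain-wide root re-election
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
interface GigabitEthernet1/0/2
 description Trunk to Branch B
 switchport mode trunk
 switchport trunk allowed vlan 20,21
 switchport nonegotiate
 spanning-tree guard root
!
! Branch access ports: block stray BPDUs so an unmanaged switch plugged in
! at a branch cannot reshape the shared STP topology
interface range GigabitEthernet1/0/10-48
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Pruning the trunk to the branch's own VLANs limits how far a broadcast storm from that branch can travel, but it does not remove the shared STP domain; only the routed option does that.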
06-20-2023 05:19 AM
Basically, your option 1 is a classical LAN distribution<>access design vs. your option 2, a classical HQ<>branch design.
Can you use either? Sure can.
Is one design, inherently, more secure than the other? I don't believe so.
Is one design "better" than the other? Yes, I believe a L3 design, your option 2, is better, which is why Cisco suggests L3 access, but is the "better" offset by more costly equipment and L3 complexity? Perhaps not within a LAN access edge but for a WAN?
Two attributes of WANs, different from LANs, have been latency and bandwidth. (The latter, bandwidth, might not be as stark a difference as it traditionally was, e.g. your mention of fiber connections.)
A branch router much better manages traffic using the WAN link. For example, you mention VLANs, plural, at the branch. Branch East-West traffic doesn't need to bounce off L3 at HQ.