Re: VLANs communication - Layer 3 switch

Playmobit · ‎06-27-2018

I am going to dive into networking and after reading many guides and watching many videos

I have some questions and I would like you to help me.

Let's say that we have Layer 3 switches and we decided that we will divide the network in 5 different vlans.

IT: vlan2 - 10.10.2.0/22

Workstations: vlan10 - 10.10.10.0/22

Machines: vlan20 - 10.10.20.0/22

WiFi: vlan30 - 10.10.30.0/22

Voice: vlan40 - 10.10.40.0/22

1. Will there be communication between vlans or it will be blocked because of the separation and I have to configure intervlan routing?

The reason that I need communication is because many users from vlan10 have to connect to

server on vlan2 via RDP (Remote Desktop Connection).

2. In case I won't have communication do I have to set the ports as trunk and allow the vlans

that each port (connected) end device has to have connection with?

3. On the trunk port which will be for the communication between the switches do I have to set

a vlan as untagged or should I leave them all tagged?

Thank you!

rais · ‎06-27-2018

For VLANs to communicate you would need SVI/logical interfaces with IP address on them. For communication between VLAN 10 and 2 you would need an SVI for both VLANs.

Packets within the switch/fabric are identified to belong to a certain VLAN because of the tag on them. No tag means no VLAN.

Switch ports connecting to end devices are usually placed in access mode...meaning an untagged frame will enter switch port and will be tagged with the vlan you specify alongwith access mode configuration.

HTH.

Diana Karolina Rojas · ‎06-27-2018

Hello,

By default in a L3 switch if you have "ip routing" enabled in the device all the vlans will have communication between them, if you want to add security you have to create ACLs in the interfaces vlan. How many switches do you have and where you will configure the gateways of the vlans?

On the other hand you have to leave the vlans tagged, you can define the vlans you want to permit in the trunk interface by configuring "switchport trunk allowed vlan {list of vlans separated by comma}

Please do not forget to rate useful post.

Best Regards,

Joseph W. Doherty · ‎06-27-2018

#1 Depends on switch configurations. Each VLAN/network will need a L3 address (usually configured using a SVI, but L3 switches often support "routed" ports) and IP routing will need to be enabled. Also, networks will need to reachable to/from each other (e.g. if same device, not in different VRFs not leaked to each other) and/or not in different virtual routers (if supported on your L3 device). You would also need to insure something like ACLs don't block traffic.

Different ways to do this across multiple L3 switches, as such are also L2 switches.

Across multiple L3 switches, you'll probably need to "inform" your L3 switches about the L3 topology. Again, multiple ways to do that.

#2 Cisco trunk ports are used to maintain/allow L2 VLANs between different L2 devices. Often done between different L2 switches, can be done between a switch and some hosts (e.g. some servers).

With multiple L3 switches, you might only have "routed ports" between them. (Again, there are multiple ways to support VLAN/networks with multiple L3 switches.)

#3 Normally, on Cisco trunks all VLANs, except VLAN1, by default, are tagged. You need tags so one L2 device can identify different VLANs with other. On Cisco devices you can only have one VLAN untagged. Each device should be configured to "know" which (normally the same) VLAN is using untagged frames.

BTW: on L3 switches, it's generally a good practice not to pass VLANs between devices, rather you route networks between them. I.e. you might want to have many more VLANs/networks.

e.g.

switch 1:

IT: vlan102 - 10.10.2.0/24
Workstations: vlan110 - 10.10.10.0/24
Machines: vlan120 - 10.10.20.0/24
WiFi: vlan130 - 10.10.30.0/24
Voice: vlan140 - 10.10.40.0/24

switch 2:

IT: vlan202 - 10.10.3.0/24
Workstations: vlan210 - 10.10.11.0/24
Machines: vlan220 - 10.10.21.0/24
WiFi: vlan230 - 10.10.31.0/24
Voice: vlan240 - 10.10.41.0/24

etc.

Richard Burts · ‎06-27-2018

The original post asks 3 questions, of which the first is the most important. Here are my responses to the 3 questions.

1) will there be communication between the vlans? On a layer 3 switch the default is that ip routing is not enabled. In this case there will not be any communication between the vlans. If you want communication between the vlans you either need to enable ip routing on the switch, or you need to connect the switch to a router using a trunk port where the router has sub interfaces configured matching each of the vlans.

2) is a somewhat confused question but seems to be asking if configuring trunk ports would enable the vlans to communicate. The answer is that no, enabling trunk ports will not facilitate communication between the vlans.

3) asks about trunk ports and tagged vs untagged vlans. The answer here is that one vlan on the trunk port (identified as the native vlan) will be untagged and that all other vlans will be tagged. A common practice is to maintain the default native vlan being vlan 1, but not to assign ports to vlan 1, to assign ports to the other vlans, each of which would be tagged on the trunk port. Note that having a trunk does not facilitate communication betweens vlans and it does not matter whether the vlans are tagged or untagged.

HTH

Rick

HTH

Rick

Joseph W. Doherty · ‎06-27-2018

To expand some on some of Rick's info . . .

#1

"On a layer 3 switch the default is that ip routing is not enabled. "

BTW, I believe that varies between L3 platforms. I recall (?) for the "small" L3 switches, like 3Ks, the default is IP routing is disabled, but I also recall (?) for "large" L3 chassis switches, like the 4500 or 6500/6800, the default is IP routing is enabled. (I further recall [?] for a 4500 chassis you can disable IP routing, but also recall [?] you're unable to disable IP routing on a 6500/6800. [L3 chassis IP routing default might also vary per IOS and/or installed sup.])

". . . or you need to connect the switch to a router using a trunk port where the router has sub interfaces configured matching each of the vlans."

Indeed, as Rick also describes, using a switch trunk port and router port using subinterfaces would be a common way to route between multiple VLANs, but you could also attach switch access ports to different router ports. Again, the latter would be unusual but might be done for various reasons.

#2 As Rick notes, this question is a bit confusing. As Rick also correctly notes, a trunk port (NB: alone) does not allow routing. However, OP did mention L3 switches (i.e. plural) and in this question, also mentioned connecting a trunk to an "end device".

Hopefully not to further confuse, but some end devices, such as servers, might be configured to also route and even user hosts might be multi-homed or be configured to route. So, a trunk can be used to bring VLANs to/from some other device that allows routing between those VLANs.

As I mentioned in my prior posting, there are various ways to route using L3 switches.

If some point is still unclear, please post a follow-up question. And/or, if you provide more information about what you have on-hand, and what you want to accomplish, various posters can be more specific in their answers.

Richard Burts · ‎06-28-2018

I generalized when I made my statement that by default ip routing is not enabled on layer 3 switches. Joseph correctly points out that what I should have said is that for most layer 3 switches ip routing is not enabled by default. Perhaps the original poster can clarify which model of layer 3 switch is used and then we will know if it is like the 6500 where ip routing is enabled by default or some other layer 3 switch.

The main point remains that if ip routing is enabled then there can be communication between the vlans and if ip routing is not enabled then the vlans will not communicate.

HTH

Rick

HTH

Rick

Joseph W. Doherty · ‎06-28-2018

As Rick notes, he is generalizing, but that also includes his recent statement "The main point remains that if ip routing is enabled then there can be communication between the vlans and if ip routing is not enabled then the vlans will not communicate."

Even when IP routing is enabled, on switches that support VRF and/or virtual routing, multiple VLANs might not route between themselves (because they aren't in the same routing topology). Such a configuration would be on the advanced/complex side, but one should be aware what Rick is describing might have exceptions.

Conversely, even when an individual L3 switch has IP routing disabled (effectively making it a L2 switch), another L3 device might route between the VLANs it hosts. I.e. to clarify what Rick is describing, he means that with IP routing disabled, that switch (effectively operating as a L2 switch) won't route between its VLANs, but again, the VLANs might be able to intercommunicate (route) due to other reasons.

As before, I really don't want to confuse, but also understand if you're have multiple L3 switches, there might be a bit more you need to "get right" to route between your VLANs. For instance, with an L3 switch, if you had 10 VLANs, but only had SVIs for 5 VLANs, you might route (on that switch) between those 5 VLANs, but not route (on that switch) between those VLANs without SVIs.

To IP route to/from networks, the L3 switch, besides needing IP routing enabled, will also need an interface with an IP on those networks.

Playmobit · ‎07-02-2018

Thank you all for the replies!

I will activate IP routing and will not configure ACL from the beginning as users in the network

needs to access sql/database servers.

How many switches do you have

7x48port Access switches + 1x 24port for 5 buildings, 4 in the main building and one on every other building, all the switches will be L3 except from 2 switches that will be L2.

You need tags so one L2 device can identify different VLANs with other. On Cisco devices you can only have one VLAN untagged. Each device should be configured to "know" which (normally the same) VLAN is using untagged frames.

Is there any reason to have IT Management VLAN untagged on the trunk ports between switches or I should have every vlan tagged?

The answer here is that one vlan on the trunk port (identified as the native vlan) will be untagged and that all other vlans will be tagged. A common practice is to maintain the default native vlan being vlan 1, but not to assign ports to vlan 1, to assign ports to the other vlans, each of which would be tagged on the trunk port.

So on a trunk port that I need to pass Data and Voice I configure data vlan as native to pass the traffic as untagged and Voice as tagged?

BTW: on L3 switches, it's generally a good practice not to pass VLANs between devices, rather you route networks between them. I.e. you might want to have many more VLANs/networks.

It is a good practice indeed but I will pass the vlans between the switches.

In case of using some L2 switches, the vlans will be able to pass but not communicate each other

because of the lack of routing capabilities of the device right? So each port can be assigned only on one vlan?

Joseph W. Doherty · ‎07-02-2018

"Is there any reason to have IT Management VLAN untagged on the trunk ports between switches or I should have every vlan tagged?"

Cisco switch trunks have one untagged VLAN which by default is VLAN 1. Some "low level" stuff is sent out untagged on trunk ports, which you cannot normally block. However, everything else that you can control should avoid using VLAN 1 and/or untagged frames on trunks. (The latter to improve security.)

"So on a trunk port that I need to pass Data and Voice I configure data vlan as native to pass the traffic as untagged and Voice as tagged?"

On a true trunk port, data and voice VLANs are generally both tagged. On access ports, which have a data and voice, often they use tagged frames for VoIP traffic and untagged frames for all other traffic.

"In case of using some L2 switches, the vlans will be able to pass but not communicate each other

because of the lack of routing capabilities of the device right? So each port can be assigned only on one vlan?"

Again, this is for the routine case, but there can be non-routine cases. L2 only switches don't route. (Some "L2" support some very basic routing. Many "smart" L2 switches support L3 features like L3 ACLs.) Switch ports can be assigned multiple VLANs, either as trunk port or access ports that support a 2nd tagged VLAN. The latter is often used for data/voice access ports.

Playmobit · ‎07-04-2018

The switches are some HPE 1950 and 3810.

On the uplink trunk port between switches which vlan would you suggest to leave untagged?

In case of connecting on a port a switch which is unaware of vlans like "LinkSys LGS108P" will it connect to the assigned vlan of the port and lease an IP from the according range or it will connect to the untagged vlan?

Joseph W. Doherty · ‎07-05-2018

Traditionally VLAN 1 is left untagged.

If you have a switch that is unaware of VLANs, attach it to a port set to access for the VLAN you want that switch's ports to be on.

Richard Burts · ‎07-08-2018

I agree with Joseph that if you connect the switch which is not aware of vlans to an access port of the switch that is aware of vlans, then the switch which is not aware of vlans will participate in the assigned vlan and will lease addresses from the assigned range. It will not connect to the untagged vlan (unless the vlan of the port of the other switch happens to be the native vlan of that switch).

HTH

Rick

HTH

Rick