Where to do inter-VLAN routing? (core/distribution/access)

Julian Regel
Level 1

We have a network core comprising two Cisco 3560E-12D-S switches. From these two switches, we have connections to all our top of rack switches and also to our end user access layer switches. The end users are connecting to a stack of 3750X switches.

All end user data traffic is currently on a single VLAN (VLAN20), but we are implementing a project that will require desktop PCs to access a server located in a rack on a different VLAN (VLAN600). So we need to do inter-VLAN routing between two VLANs (VLAN 20 and VLAN 600).

From a best practice perspective, everything I've read suggests that routing should occur in the core switches. I'm fine with this in principle because traffic will traverse the core anyway. However, I don't want to use the core to route between more than these two VLANs. We have other VLANs for separate purposes (e.g., the management VLAN) and I don't want to open this up.

My questions are:

1) Where is the "best" place to perform inter-VLAN routing? Is it at the access layer, or in the core (we don't really have a distribution layer)?

2) If it's in the core, is there a way to limit the VLANs between which routing is allowed? I only want to route between VLAN20 and VLAN600 and definitely not allow routing between VLAN20 and my management VLAN!

Thanks for any advice!

JR

Accepted Solution

John Blakley
VIP Alumni

1) I route in our core.

2) When you enable routing on the core, all VLANs that have an L3 SVI attached to them will be able to route between VLANs. You can resolve this by adding ACLs to the VLANs that you don't want to get to your management VLAN.

For example, if your VLAN 20 was addressed 192.168.20.0/24 and your VLAN 600 was addressed at 192.168.6.0/24, you could do something like the following:

! Extended named ACL: entries are checked top to bottom, first match wins,
! and anything that matches no entry hits the implicit deny at the end.
ip access-list extended Allowed
 deny   ip 192.168.20.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip any any
!
! Apply it inbound on the SVI, i.e. to traffic arriving from VLAN 20 hosts.
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group Allowed in

When you're having to block traffic within the same VLAN, you can use VACLs.

HTH,

John

HTH, John *** Please rate all useful posts ***


4 Replies


Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Answering "best" place for inter-VLAN routing might be a philosophical question. From what you describe, easiest might be just doing routing on your two core devices.

As to limiting routing between just two of your VLANs, to really limit routing between them, you would need to run them in their own VRF. A more common way is not to NOT route between other VLANs but instead to block traffic between those other VLANs using ACLs.
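Added example, not code from the thread or from Cisco: a small Python model of how an IOS extended ACL on an SVI is evaluated (wildcard masks, first match wins, implicit deny), used to check the ACL approach both John and Joseph describe against the original question's goal of permitting VLAN 20 to VLAN 600 while denying VLAN 20 to the management VLAN. VLAN 20 and VLAN 600 use the subnets from John's reply; the management VLAN number (99) and subnet (10.99.0.0/24) are placeholders the thread never gives. The ACL names USERS-IN and SERVER-IN and the helper functions are likewise assumptions for this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example. VLAN 20 (users) and VLAN 600
# (server) use the subnets from John's reply; the management VLAN number
# and subnet are assumed placeholders, not values from the thread.
USERS_VLAN, USERS_NET = 20, "192.168.20.0"
SERVER_VLAN, SERVER_NET = 600, "192.168.6.0"
MGMT_VLAN, MGMT_NET = 99, "10.99.0.0"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination with wildcard masks."""
    action: str        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens: list[str], i: int) -> tuple[str, str, int]:
    """Consume one address spec ('any', 'host X', or 'X WILDCARD') from tokens."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse the body of an IOS extended ACL ('permit|deny ip SRC DST' lines)."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        # Skip the 'ip access-list extended NAME' header and '!' comment lines.
        if not tokens or tokens[0] in ("ip", "!"):
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {raw!r}")
        src, src_wild, i = _take_addr(tokens, 2)
        dst, dst_wild, _ = _take_addr(tokens, i)
        aces.append(Ace(action, src, src_wild, dst, dst_wild))
    return aces


def evaluate(acl: Optional[list[Ace]], src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny.

    A None ACL models an SVI with no 'ip access-group' applied, which passes everything.
    """
    if acl is None:
        return "permit"
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def flow_permitted(vlan_acls: dict, src_vlan: int, src: str, dst_vlan: int, dst: str) -> bool:
    """Check a two-way flow through stateless inbound ACLs on the SVIs.

    The request is filtered by the inbound ACL on the source VLAN's SVI and the
    reply by the inbound ACL on the destination VLAN's SVI, so both must permit.
    """
    request = evaluate(vlan_acls.get(src_vlan), src, dst)
    reply = evaluate(vlan_acls.get(dst_vlan), dst, src)
    return request == "permit" and reply == "permit"


# ACL for the users' SVI: deny the management subnet, permit only the server VLAN.
USERS_IN = f"""
ip access-list extended USERS-IN
 deny   ip {USERS_NET} 0.0.0.255 {MGMT_NET} 0.0.0.255
 permit ip {USERS_NET} 0.0.0.255 {SERVER_NET} 0.0.0.255
"""

# ACL for the server SVI: only traffic back towards the users' VLAN is allowed.
SERVER_IN = f"""
ip access-list extended SERVER-IN
 permit ip {SERVER_NET} 0.0.0.255 {USERS_NET} 0.0.0.255
"""

# The management VLAN carries no ACL here, to show that the users' ACL still
# blocks the reply half of any management -> users flow.
VLAN_ACLS = {USERS_VLAN: parse_acl(USERS_IN), SERVER_VLAN: parse_acl(SERVER_IN)}

if __name__ == "__main__":
    checks = [
        (USERS_VLAN, "192.168.20.10", SERVER_VLAN, "192.168.6.5"),
        (USERS_VLAN, "192.168.20.10", MGMT_VLAN, "10.99.0.1"),
        (MGMT_VLAN, "10.99.0.1", USERS_VLAN, "192.168.20.10"),
        (SERVER_VLAN, "192.168.6.5", MGMT_VLAN, "10.99.0.1"),
    ]
    for sv, s, dv, d in checks:
        state = "permitted" if flow_permitted(VLAN_ACLS, sv, s, dv, d) else "blocked"
        print(f"VLAN{sv} {s} -> VLAN{dv} {d}: {state}")
```

The two-direction check is the point of the model: a plain IOS ACL on an SVI is stateless, so permitting VLAN 20 to VLAN 600 inbound on Vlan20 is only half the job, and whatever is applied inbound on Vlan600 has to let the replies back. Before putting such an ACL on a real core, add the other flows VLAN 20 hosts need (DHCP relay, DNS, the SVI address itself) to the checks list, since the implicit deny catches everything not listed.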

fb_webuser
Level 6

We featured your question on our pages. Check out some of the answers here: http://www.facebook.com/CiscoSupportCommunity/posts/282928808486860

---

Posted by WebUser Cisco NetPro from Cisco Support Community App

Julian Regel
Level 1

Thanks for the comments (and also to everyone on the Facebook group that replied).

Much appreciated.

JR
