henry_o

asked on

Basic Layer 3 Switching

Hi everyone,

We are currently redesigning our network to incorporate layer 3 switching, as normal layer 2 switching has caused a few issues for us.

Basically, we have 2 clusters of servers, each with a separate level 2 managed switch. Currently, these 2 switches then connect to a third level 2 switch, which in turn connects to a firewall, and then the router managed by our ISP.

Within these clusters, there are various subnets (each cluster contains several IPs from different subnets for reasons I won't go into, and it is not possible for us to assign a single subnet to a single cluster, for example), and when 2 servers within a single cluster but in 2 different subnets wish to talk to each other, they have to go via the ISP router. This is not a good solution, as we obviously have to pay for traffic that goes to that router from our network. The other issue with this is that our stateful inspection firewall does not like packets going out of it and then back in, for reasons that are beyond the scope of this question.

My question is: if I change the third switch (the one that connects the other 2 switches together) to a level 3 switch, will the traffic then be routed there and then back into the network, rather than having to go through our firewall and the ISP router?

Also, can a level 3 switch only route between 2 VLANs, or can it 'learn' where IPs are in the network, and route traffic to the correct port accordingly, when traffic needs to go between 2 subnets in the same VLAN?

Finally: would the default gateway for all servers (assuming a level 3 switch is in place) need to be the IP address of the switch, or would it remain as the ISP router?

It should be noted that the firewall I mentioned is in 'bridge' mode, and cannot perform routing.

Thanks for any advice!
Don Johnston

The best way to think about it is that a layer 3 switch IS a router. Anything a router can do, a layer 3 switch can do (for the most part).

So the answers to your questions are:

"... if I change the third switch to a level 3 switch, will the traffic then be routed there and then back into the network"
Basically, yes

" can a level 3 switch only route between 2 vLANs"
Yes

" or can it 'learn' where IPs are in the network"
Yes. Using routing protocols just like a router.

"Would the default gateway for all servers (assuming a Level 3 switch is in place) need to be the IP address of the switch, or would it remain as the ISP router?"
Yes. Or rather it would be the IP address assigned to the VLAN interface or the physical port for that VLAN.

-Don
henry_o (asker)

Hi,

Thanks for the response! Just a couple of questions to clarify:

> " can a level 3 switch only route between 2 vLANs"
> Yes

Does this mean that I would have to put every server that I want to be able to communicate with another server without leaving the network on its own VLAN? For example, if I have a server with IP 200.10.11.5 and another server with IP 200.10.15.7, these would _not_ be able to communicate with each other if they were on the same VLAN, but could communicate with each other if they were on separate VLANs?

Thanks again!

- Henry
You should think of VLANs as subnets as well. So 200.10.11.5 and 200.10.15.7 could not be in the same VLAN.
Well, they could, depending on the length of the mask...

For instance, 200.8.0.0/13 would be the smallest net/mask that would encompass both addresses.

So, if they are indeed on different VLANs, they would need the layer 3 component to route between those two hosts.
>Well, they could, depending on the length of the mask...
Indeed. Just assumed that we are talking about smaller nets here :)

henry_o:
What type of layer 2 switches do you have in place at the moment?

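The mask question in the exchange above, carried through in code. This is an added example, not code posted by any participant in the thread: `enclosing_prefix` and `same_subnet` are hypothetical helper names. The first returns the smallest IPv4 prefix containing every address in a list, by finding the longest run of leading bits the addresses have in common; the second checks whether two addresses fall inside one network of a given prefix length. For the two addresses discussed, 200.10.11.5 and 200.10.15.7, the enclosing prefix comes out as 200.10.8.0/21, and with the /24 masks the asker actually uses the two hosts sit in different subnets, so a layer 3 hop is needed between them.

```python
import ipaddress


def enclosing_prefix(addresses):
    """Smallest IPv4 network that contains every address given.

    Every bit position in which any two addresses differ must lie below the
    prefix boundary, so OR together the XORs against the first address and
    take the length of the common leading run.
    """
    ips = [int(ipaddress.IPv4Address(a)) for a in addresses]
    if not ips:
        raise ValueError("need at least one address")
    differing = 0
    for ip in ips[1:]:
        differing |= ips[0] ^ ip
    prefixlen = 32 - differing.bit_length()
    return ipaddress.ip_network(
        f"{ipaddress.IPv4Address(ips[0])}/{prefixlen}", strict=False
    )


def same_subnet(addr_a, addr_b, prefixlen):
    """True if both addresses are in the same /prefixlen network, i.e. the
    sender would ARP for the destination directly instead of using a router."""
    net = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    return ipaddress.IPv4Address(addr_b) in net


if __name__ == "__main__":
    # Addresses from the thread, plus a constructed third one for the general case.
    pair = ["200.10.11.5", "200.10.15.7"]
    print("enclosing prefix for the pair:", enclosing_prefix(pair))
    print("with three addresses:", enclosing_prefix(pair + ["200.10.20.3"]))
    for length in (24, 22, 21):
        print(f"/{length}: same subnet? {same_subnet(*pair, length)}")
```

The loop at the bottom shows the boundary directly: the pair shares a subnet at /21 but not at /22 or /24, which is why, with /24 networks, the two servers need the switch (or the ISP router) to forward between them regardless of which VLAN they are in.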
henry_o (asker)

Hey guys,

thanks for the responses.

They are smaller subnets we are talking about here - the largest is a /24 (we currently have three, but they are non-consecutive).

The layer 2 switches are an HP ProCurve and a Dell PowerConnect; they are both 24-port managed switches, but have no layer 3 functionality.

It is my intention to use the layer 3 switch to connect those two switches together, then connect the external network (i.e. the firewall) to the level 3 switch. That way, I should be able to have traffic between the two clusters routed by the layer 3 switch, or if two servers are within the same cluster but in different subnets, they will take the route (for example) "server > Dell layer 2 switch > layer 3 switch > Dell layer 2 switch > other server", correct?

This should illustrate why I didn't want to isolate actual ports into VLANs; I'm hoping that even if all ports on the layer 3 switch are assigned to the same VLAN, it will still be able to route the traffic within the network, either between servers on a single layer 2 switch, or between the 2 switches.

Thanks for all your help guys, it's much appreciated!!

- Henry.
You need to assign ports into VLANs and configure the uplinks between the switches as 802.1Q trunk links. If you do not assign a port to a VLAN, it's by default part of VLAN 1 (the management VLAN).
Suggest you read through this article
http://computer.howstuffworks.com/lan-switch.htm

A layer 3 switch will work for you, but you need to understand the concept of VLANs/trunking.
Again, VLANs should be thought of as subnets, so if you have 3 /24 networks, you should have 3 VLANs for the internal networks and a default gateway on the layer 3 device pointing to the ISP router.

ASKER CERTIFIED SOLUTION
PennGwyn
henry_o (asker)

Hi,

Thanks PennGwyn. Just a couple of points:

> Multiple subnets on the same VLAN is a bad idea, if you can avoid it.

Unfortunately it is unavoidable. The servers run Virtuozzo, which 'juggles' virtual 'partitions' between physical servers in real time for load balancing. Some partitions will have an IP in one subnet and others an IP in another subnet, but these may co-exist on one machine (obviously, if these partitions are contacting each other while existing on the same machine, the traffic will never leave the machine, but my point is that there could be several IPs in different subnets in the same VLAN). I am curious though as to why it is a bad idea?

> it should be configured not to issue redirects

Apologies if this is a silly question, but what would be the implications of issuing redirects?

I have increased the points, as this has been quite long. Thanks again!
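To make the "VLAN = subnet", VLAN-interface and default-gateway points from the trunking answer above concrete, and to show the situation behind the redirect question in the last post, here is an added example that is not code from the thread, from Experts Exchange, or from any switch vendor. It is a small Python model of the forwarding decisions involved, with hypothetical names (`L3Switch`, `Network`, `Host`, `deliver`) and a constructed topology: one routed VLAN interface (SVI) per VLAN for three /24s, one VLAN that carries two subnets through a second address on its SVI (the Virtuozzo case), an outside VLAN toward the bridged firewall and ISP router, and the ISP router as the default route. `deliver` classifies a packet from a server as switched at layer 2, routed between VLANs on the switch, routed back out the VLAN it arrived on, sent via the default route, or undeliverable because the server's gateway is not on its own subnet. The addresses and VLAN numbers are invented for the example; the thread does not give the real ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """A server as its administrator configured it: VLAN membership, address/mask, gateway."""
    name: str
    vlan: int
    iface: ipaddress.IPv4Interface
    gateway: ipaddress.IPv4Address


class L3Switch:
    """Routed VLAN interfaces (one or more addresses per VLAN) plus a default route."""

    def __init__(self, interfaces, default_next_hop):
        self.interfaces = {vlan: [ipaddress.IPv4Interface(a) for a in addrs]
                           for vlan, addrs in interfaces.items()}
        self.default_next_hop = ipaddress.IPv4Address(default_next_hop)

    def owns(self, vlan, ip):
        """True if `ip` is one of the switch's own addresses in `vlan` (so it answers ARP there)."""
        return any(i.ip == ip for i in self.interfaces.get(vlan, ()))

    def route(self, dst):
        """Longest-prefix match over the connected routes; None means use the default route."""
        best = None
        for vlan, ifaces in self.interfaces.items():
            for i in ifaces:
                if dst in i.network and (best is None or i.network.prefixlen > best[1]):
                    best = (vlan, i.network.prefixlen)
        return None if best is None else best[0]


class Network:
    def __init__(self, switch, hosts):
        self.switch = switch
        self.hosts = {h.name: h for h in hosts}

    def _host_at(self, ip):
        return next((h for h in self.hosts.values() if h.iface.ip == ip), None)

    def deliver(self, src_name, dst_ip):
        """Classify how a packet from `src_name` to `dst_ip` travels. Returns (outcome, path)."""
        src = self.hosts[src_name]
        dst_ip = ipaddress.IPv4Address(dst_ip)
        dst = self._host_at(dst_ip)
        if dst_ip in src.iface.network:
            # On-link by the sender's own mask: it ARPs for dst directly; no router is involved.
            if dst is not None and dst.vlan == src.vlan:
                return "L2", [src.name, dst.name]
            return "UNREACHABLE", [src.name, f"ARP for {dst_ip} gets no answer in VLAN {src.vlan}"]
        # Off-link: the sender hands the packet to its default gateway, which must itself be on-link.
        if src.gateway not in src.iface.network:
            return "UNREACHABLE", [src.name, f"gateway {src.gateway} is not in {src.iface.network}"]
        if not self.switch.owns(src.vlan, src.gateway):
            return "UNREACHABLE", [src.name, f"nothing answers ARP for gateway {src.gateway} in VLAN {src.vlan}"]
        path = [src.name, f"SVI {src.gateway} (VLAN {src.vlan})"]
        out_vlan = self.switch.route(dst_ip)
        if out_vlan is None:
            path.append(f"default route -> {self.switch.default_next_hop} (ISP router)")
            return "DEFAULT", path
        if dst is None or dst.vlan != out_vlan:
            return "UNREACHABLE", path + [f"VLAN {out_vlan}", f"ARP for {dst_ip} gets no answer"]
        if out_vlan == src.vlan:
            # In and out on the same VLAN interface: two subnets share one VLAN. Whether the
            # switch also sends the sender an ICMP redirect depends on its redirect rules;
            # the thread's advice is to turn redirects off.
            return "SAME_VLAN_ROUTED", path + [f"back out VLAN {out_vlan}", dst.name]
        return "ROUTED", path + [f"VLAN {out_vlan}", dst.name]


# Constructed topology for the example (not the thread's real addresses or VLAN numbers).
SWITCH = L3Switch(
    interfaces={
        10: ["200.10.11.1/24"],                    # one subnet per VLAN, the recommended layout
        20: ["200.10.15.1/24"],
        30: ["200.10.20.1/24", "200.10.30.1/24"],  # two subnets on one VLAN via a second SVI address
        99: ["192.0.2.2/29"],                      # outside VLAN toward the bridged firewall / ISP router
    },
    default_next_hop="192.0.2.1",                  # the ISP router
)
HOSTS = [
    Host("a1", 10, ipaddress.IPv4Interface("200.10.11.5/24"), ipaddress.IPv4Address("200.10.11.1")),
    Host("a2", 10, ipaddress.IPv4Interface("200.10.11.6/24"), ipaddress.IPv4Address("200.10.11.1")),
    Host("b1", 20, ipaddress.IPv4Interface("200.10.15.7/24"), ipaddress.IPv4Address("200.10.15.1")),
    Host("c1", 30, ipaddress.IPv4Interface("200.10.20.5/24"), ipaddress.IPv4Address("200.10.20.1")),
    Host("c2", 30, ipaddress.IPv4Interface("200.10.30.5/24"), ipaddress.IPv4Address("200.10.30.1")),
    # gateway left pointing at the ISP router after the redesign
    Host("stale", 10, ipaddress.IPv4Interface("200.10.11.9/24"), ipaddress.IPv4Address("192.0.2.1")),
]
NET = Network(SWITCH, HOSTS)

if __name__ == "__main__":
    for src, dst in [("a1", "200.10.11.6"), ("a1", "200.10.15.7"), ("c1", "200.10.30.5"),
                     ("a1", "203.0.113.10"), ("stale", "200.10.15.7")]:
        outcome, path = NET.deliver(src, dst)
        print(f"{src} -> {dst}: {outcome}: " + " -> ".join(path))
```

Running the block prints one path per case. `a1` to `b1` is the traffic the asker wants to keep off the ISP link: it enters the switch on the VLAN 10 SVI and leaves on VLAN 20 without touching the firewall. The `stale` host keeps the ISP router as its gateway after the redesign; because that address is no longer on the host's own subnet, its off-subnet traffic goes nowhere, which is the concrete reason the servers' default gateway has to move to the switch's VLAN interface address. `c1` to `c2` is the two-subnets-on-one-VLAN case seen from the switch: it forwards the packet, but the inbound and outbound interface are the same, which is the situation the advice above about not issuing redirects is concerned with.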