Solved

Cisco 3560 L3 routing

Posted on 2011-03-15
Last Modified: 2012-05-11
Hi,

We are installing a Cisco 3560 to provide broadband to a multi-office building. All users will be in the same VLAN, as our switch will be across the street with fibre running over to the new office. We plan to use 'switchport protection' to stop users from seeing each other and to block broadcast traffic. However, the issue is that one of the offices uses the web site of one of the other offices, which is hosted on site. So can we expect the Cisco to route at L3 even though we have port protection enabled?

All offices will be provided with public IP via Cisco DHCP with a mask of 255.255.252.0. The VLAN IP will be the Default Gateway.

Thanks,

Ripwinder.
0
Comment
Question by:Ripwinder
24 Comments
 
LVL 13

Accepted Solution

by:
kdearing earned 250 total points
ID: 35144591
If you are assigning public IP addresses, why not let them see each other?
- Each business will have their own router/firewall
- Broadcasts are not an issue because they are not sent across subnets
0
 

Author Comment

by:Ripwinder
ID: 35144628
Some users are connecting directly to the switch and are then issued an IP via the DHCP server on the 3560 so are all sharing a gateway and are in the same VLAN and subnet, not all are using a firewall/router. If we remove port protection then we are unsure if L3 will route through as the VLAN on the 3560 is in effect a L3 device.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35144737
Hi,

Why are you configuring 2 VLANs?
0
 

Author Comment

by:Ripwinder
ID: 35144766
I didn't mention 2 VLANs. All users are in one VLAN which is routed to the primary VLAN on our core switch. We have a few sites connecting in to our switch, but this has no impact on this site or this question. I just need to know how to route users' traffic via the L3 device on the actual switch when we are using port protection.

Thanks,

RW
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35145197
By using port protection, you are defeating the purpose of giving them public IP addresses.
Removing port protection should have nothing to do with the routing capability of your switch.
0
 

Author Comment

by:Ripwinder
ID: 35145894
I wouldn't say that. All users would be accessible from any other external source address in the world so how am I defeating the purpose?

I did not say removing protected port would have an impact on routing. When using protected port, the only way for two users to talk to each other is to go via layer 3. This is a fact that is learnt on basic CCNA. What I am asking is: can a 3560 route this request somehow?

When user A sends out a request to go to user B's website, the switch will not allow this request, as it will look to route straight to user B rather than via the gateway because they are in the same subnet. So how to force traffic via the gateway?
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35146076
You could use PBR or even a static route to force that behavior.
0
 

Author Comment

by:Ripwinder
ID: 35146696
What would the static route look like? We already have a route created for the specific IP range and subnet routing to VLAN 1, and an ip route 0.0.0.0 0.0.0.0 (upstream gateway).

Thanks,

RW
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
ID: 35146720
So can we expect the Cisco to route at L3 even though we have port protection enabled?

Yes

Unless the routing is being performed by an external router that is connected to your switch on a port that is also protected.
0
 

Author Comment

by:Ripwinder
ID: 35146741
Hi Don,

Thanks for your input. Would our mask 255.255.252.0 cause us problems? I'm thinking that it will cause the clients on the network to act like a large LAN rather than sending requests to the gateway IP.

Cheers,

RW
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35146799
A thousand hosts on a single broadcast domain is a bit on the larger side. But problems? Hard to say without a performance baseline.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35146819
The static route would be along the lines of: ip route 10.10.10.10 255.255.255.255 10.10.10.1

where 10.10.10.10 is the ip address of the web server and 10.10.10.1 is the default gateway or next hop.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35146864
A thousand hosts on a single broadcast domain? Am I missing something, or was that a posting mistake? I just looked through the previous posts and did not see anything regarding that.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35146903
Original post:

>All offices will be provided with public IP via Cisco DHCP with a mask of 255.255.252.0.

Subsequent post:

>Would our mask 255.255.252.0 cause us problems.

A mask of 255.255.252.0 would allow for 1022 hosts on the network.
0
 

Author Comment

by:Ripwinder
ID: 35146919
When I asked about problems I didn't mean too many hosts. I meant the actual subnet being a /22 and not a /32. With a /32 all traffic would/should route via the gateway by default, but a /22 address I would imagine would look to route locally?

RW
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35146959
>I meant the actual subnet being a /22 and not a /32.

I'm not following you. Are you referring to the mask used by a host? A route? Something else?
0
 

Author Comment

by:Ripwinder
ID: 35146979
The end user would be assigned a /22 via DHCP on the Cisco switch. So I'm thinking this might cause an issue.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35147006
You mean an IP address with a /22 mask?

If it's not too many hosts, what kind of issue are you asking about?
0
 

Author Comment

by:Ripwinder
ID: 35147026
The issue I'm talking about is basically a device issued with a /22 mask may not try and route via the gateway as it perceives its place as being on an internal LAN infrastructure.

RW
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35147058
Well, that's a basic IP addressing design issue.

Unless you have created a discontiguous network, this won't be a problem.
0
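The two questions running through this thread, whether the 3560 will route between two protected ports and whether a /22 mask makes clients deliver locally instead of via the gateway, can be checked with a small model of the host's on-link decision and the switch's protected-port rule. This is an added example, not anything posted in the thread; the addresses are constructed from RFC 5737 TEST-NET space, and it assumes the gateway is the VLAN SVI on the switch unless told otherwise.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample addressing (RFC 5737 TEST-NET-3); the thread names no addresses.
GATEWAY = IPv4Address("203.0.112.1")      # VLAN SVI address, the clients' default gateway


def next_hop(src: str, dst: str) -> IPv4Address:
    """Host-side forwarding decision for a client configured as src ("addr/prefix"):
    a destination inside its own subnet is treated as on-link and ARPed for
    directly; anything else is handed to the default gateway."""
    host = IPv4Interface(src)
    target = IPv4Address(dst)
    return target if target in host.network else GATEWAY


def deliver(src: str, dst: str, protected: bool = True,
            gateway_port_protected: bool = False) -> str:
    """Model the 3560's handling of a frame from client src to dst.

    protected: both client ports are switchport protected, so frames between
               them are dropped at layer 2.
    gateway_port_protected: the gateway is an external router on a port that is
               itself protected (the caveat raised in the thread); the SVI on the
               switch itself is never subject to the protected-port restriction.
    Returns "direct", "blocked" or "routed".
    """
    hop = next_hop(src, dst)
    if hop == GATEWAY:
        if protected and gateway_port_protected:
            return "blocked"          # client and external router are both protected ports
        return "routed"               # L3 hop: routed traffic may egress to a protected port
    return "blocked" if protected else "direct"


def usable_hosts(src: str) -> int:
    """Host addresses available in src's subnet, network and broadcast excluded."""
    return IPv4Interface(src).network.num_addresses - 2


if __name__ == "__main__":
    client, server = "203.0.113.10/22", "203.0.114.20"   # two offices, same /22
    print("/22, protected ports:", deliver(client, server))
    print("/22, external router on a protected port:",
          deliver(client, server, gateway_port_protected=True))
    print("/32 addressing, same server:", deliver("203.0.113.10/32", server))
    print("usable hosts in the /22:", usable_hosts(client))
```

With the /22 the client sees the server as on-link and sends directly, which the protected port drops; only a destination the client considers off-net is sent to the gateway MAC and routed by the SVI.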
 
LVL 13

Expert Comment

by:kdearing
ID: 35147819
The point I was trying to make is that a public IP address should be accessible from any other public IP address.
Using that logic, I see no reason to implement port protection.

You say you are concerned that they are on the same public subnet.
I don't see why that matters.

ISPs do it all the time.
For instance, if you order a DSL circuit from Verizon, your public IP will have a /24 subnet.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35503418
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0