  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 582

Cisco 3560 L3 routing

Hi,

We are installing a Cisco 3560 to provide broadband to a multi-office building. All users will be in the same VLAN, as our switch will be across the street with fibre running over to the new office. We plan to use 'switchport protection' to stop users from seeing each other and to block broadcast traffic. However, the issue is that one of the offices uses the web site of one of the other offices, which is hosted on site. So can we expect the Cisco to route at L3 even though we have port protection enabled?

All offices will be provided with a public IP via Cisco DHCP with a mask of 255.255.252.0. The VLAN IP will be the default gateway.

Thanks,

Ripwinder.
2 Solutions
 
kdearing Commented:
If you are assigning public IP addresses, why not let them see each other?
- Each business will have their own router/firewall
- Broadcasts are not an issue because they are not sent across subnets
 
Ripwinder (Author) Commented:
Some users are connecting directly to the switch and are then issued an IP via the DHCP server on the 3560, so they are all sharing a gateway and are in the same VLAN and subnet; not all are using a firewall/router. If we remove port protection then we are unsure if L3 will route through, as the VLAN on the 3560 is in effect an L3 device.
 
Istvan Kalmar Commented:
Hi,

Why are you configuring 2 VLANs?

 
Ripwinder (Author) Commented:
I didn't mention 2 VLANs. All users are in one VLAN which is routed to the primary VLAN on our core switch. We have a few sites connecting in to our switch, but this has no impact on this site or this question. I just need to know how to route users' traffic via the L3 device on the actual switch when we are using port protection.

Thanks,

RW
 
kdearing Commented:
By using port protection, you are defeating the purpose of giving them public IP addresses.
Removing port protection should have nothing to do with the routing capability of your switch.
 
Ripwinder (Author) Commented:
I wouldn't say that. All users would be accessible from any other external source address in the world, so how am I defeating the purpose?

I did not say removing protected port would have an impact on routing. When using protected port, the only way for two users to talk to each other is to go via layer 3. This is a fact that is learnt on basic CCNA. What I am asking is: can a 3560 route this request somehow?

When user A sends out a request to go to user B's website, the switch will not allow this request, as it will look to route straight to user B rather than via the gateway, as they are in the same subnet. So how to force traffic via the gateway?
 
Marius Gunnerud (Senior Systems Engineer) Commented:
You could use PBR or even a static route to force that behavior.
 
Ripwinder (Author) Commented:
What would the static route look like? We already have a route created for the specific IP range and subnet routing to VLAN 1, and an ip route 0.0.0.0 0.0.0.0 (upstream gateway).

Thanks,

RW
 
Don Johnston Commented:
>So can we expect the Cisco to route at L3 even though we have port protection enabled?

Yes

Unless the routing is being performed by an external router that is connected to your switch on a port that is also protected.
 
Ripwinder (Author) Commented:
Hi Don,

Thanks for your input. Would our mask 255.255.252.0 cause us problems? I'm thinking that it will cause the clients on the network to act like a large LAN rather than sending requests to the gateway IP.

Cheers,

RW
 
Don Johnston Commented:
A thousand hosts on a single broadcast domain is a bit on the larger side. But problems? Hard to say without a performance baseline.
 
Marius Gunnerud (Senior Systems Engineer) Commented:
The static route would be along the lines of: ip route 10.10.10.10 255.255.255.255 10.10.10.1

where 10.10.10.10 is the ip address of the web server and 10.10.10.1 is the default gateway or next hop.
 
Marius Gunnerud (Senior Systems Engineer) Commented:
A thousand hosts on a single broadcast domain? Am I missing something, or was that a posting mistake? I just looked through the previous posts and did not see anything regarding that.
 
Don Johnston Commented:
Original post:

>All offices will be provided with public IP via Cisco DHCP with a mask of 255.255.252.0.

Subsequent post:

>Would our mask 255.255.252.0 cause us problems.

A mask of 255.255.252.0 would allow for 1022 hosts on the network.
 
Ripwinder (Author) Commented:
When I asked about problems I didn't mean too many hosts. I meant the actual subnet being a /22 and not a /32. With a /32 all traffic would/should route via the gateway by default, but a /22 address I would imagine would look to route locally?

RW
 
Don Johnston Commented:
>I meant the actual subnet being a /22 and not a /32.

I'm not following you. Are you referring to the mask used by a host? A route? Something else?
 
Ripwinder (Author) Commented:
The end user would be assigned a /22 via DHCP on the Cisco switch. So I'm thinking this might cause an issue.
 
Don Johnston Commented:
You mean an IP address with a /22 mask?

If it's not too many hosts, what kind of issue are you asking about?
 
Ripwinder (Author) Commented:
The issue I'm talking about is basically a device issued with a /22 mask may not try and route via the gateway as it perceives its place as being on an internal LAN infrastructure.

RW
 
Don Johnston Commented:
Well, that's a basic IP addressing design issue.

Unless you have created a discontiguous network, this won't be a problem.
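As an added illustration (not code from any poster in this thread), here is a small Python model of the three decisions argued over above: the host's on-link test behind Ripwinder's /22-versus-/32 point, the switch's protected-port delivery rule behind Don's "yes, unless the router is on a protected port", and the longest-prefix lookup that lets Marius's /32 host route win over the connected /22 once a packet actually reaches the SVI. The addresses reuse Marius's 10.10.10.10 (web server) and 10.10.10.1 (gateway); the 10.10.8.0/22 VLAN, the user address 10.10.9.50, the port names and the MAC labels are constructed for the demo and are not the asker's real public range.

```python
"""Model of the forwarding decisions discussed in the thread (Python 3.8+,
standard library only). The addressing reuses Marius Gunnerud's example
(web server 10.10.10.10, gateway 10.10.10.1) placed in a constructed
10.10.8.0/22 VLAN; user address 10.10.9.50, port names and MAC labels
are invented for the demo."""
from ipaddress import IPv4Address, ip_interface, ip_network

SVI_MAC = "svi"          # the 3560's own VLAN interface (not a physical port)
BROADCAST = "broadcast"  # ARP requests are broadcast frames


def host_next_hop(host_ip: str, prefix_len: int, gateway: str, dst: str) -> str:
    """The host's own decision: ARP for dst directly when dst lies inside the
    host's subnet, otherwise hand the packet to the default gateway."""
    iface = ip_interface(f"{host_ip}/{prefix_len}")
    return dst if IPv4Address(dst) in iface.network else gateway


def lookup(routes, dst: str):
    """Longest-prefix match, the way the switch picks a route for a packet
    that has actually arrived at its SVI. routes: [(prefix, next_hop)]."""
    addr, best = IPv4Address(dst), None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


class ProtectedPortSwitch:
    """L2 delivery with 'switchport protected': a frame entering on a
    protected port is never delivered to another protected port, but it
    still reaches unprotected ports and the switch's own SVI."""

    def __init__(self):
        self.ports = {}  # port name -> (mac, protected)

    def add_port(self, name: str, mac: str, protected: bool) -> None:
        self.ports[name] = (mac, protected)

    def port_of(self, mac: str) -> str:
        if mac == SVI_MAC:
            return SVI_MAC
        return next(name for name, (m, _) in self.ports.items() if m == mac)

    def deliver(self, in_port: str, dst_mac: str) -> list:
        """Ports (and/or the SVI) that receive a frame entering on in_port."""
        src_protected = in_port != SVI_MAC and self.ports[in_port][1]
        out = []
        for name, (mac, protected) in self.ports.items():
            if name == in_port or dst_mac not in (mac, BROADCAST):
                continue
            if src_protected and protected:
                continue  # dropped: protected port -> protected port
            out.append(name)
        if dst_mac in (SVI_MAC, BROADCAST) and in_port != SVI_MAC:
            out.append(SVI_MAC)  # the SVI is reachable from any port
        return out


def reachability(sw, src_port, src_ip, prefix_len, gw_ip, gw_mac, dst_ip, dst_port):
    """'direct'  : host ARPs for dst itself and the L2 path is open
       'routed'  : host sends to the gateway, which forwards on to dst
       'blocked' : protected ports stop the first hop."""
    if host_next_hop(src_ip, prefix_len, gw_ip, dst_ip) == dst_ip:
        # on-link from the host's view: its ARP broadcast must reach dst's port
        return "direct" if dst_port in sw.deliver(src_port, BROADCAST) else "blocked"
    gw_port = sw.port_of(gw_mac)
    if gw_port not in sw.deliver(src_port, gw_mac):
        return "blocked"  # gateway sits behind a protected port (Don's caveat)
    return "routed" if dst_port in sw.deliver(gw_port, BROADCAST) else "blocked"


def build_scenario() -> ProtectedPortSwitch:
    """The building from the question: users and the web server on protected
    ports in one VLAN; the 3560's SVI (10.10.10.1) is the gateway."""
    sw = ProtectedPortSwitch()
    sw.add_port("Gi0/1", "aa:user-a", protected=True)    # office A user
    sw.add_port("Gi0/2", "bb:web-b", protected=True)     # office B web server
    sw.add_port("Gi0/24", "cc:ext-rtr", protected=True)  # an external router, also protected
    return sw


ROUTES = [
    ("0.0.0.0/0", "upstream"),           # ip route 0.0.0.0 0.0.0.0 <upstream gateway>
    ("10.10.8.0/22", "connected Vlan1"), # the SVI's own (constructed) subnet
    ("10.10.10.10/32", "10.10.10.1"),    # Marius's host route for the web server
]

if __name__ == "__main__":
    sw = build_scenario()
    for mask in (22, 32):
        r = reachability(sw, "Gi0/1", "10.10.9.50", mask, "10.10.10.1", SVI_MAC, "10.10.10.10", "Gi0/2")
        print(f"user /{mask} -> web server via SVI gateway: {r}")
    print("external router on protected port:",
          reachability(sw, "Gi0/1", "10.10.9.50", 32, "10.10.10.1", "cc:ext-rtr", "10.10.10.10", "Gi0/2"))
    print("switch route for 10.10.10.10:", lookup(ROUTES, "10.10.10.10"))
```

What the model makes visible: with a /22 mask the user host treats the web server as on-link and broadcasts an ARP request for it, and that broadcast is exactly what the protected ports drop, so no entry in the switch's routing table is ever consulted for that flow. The /32 host route does win the lookup, but only for packets the host has already addressed to the SVI, which is why the "routed" outcome appears only when the host's first hop is the gateway and the gateway is not itself behind a protected port.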
 
kdearing Commented:
The point I was trying to make is that a public IP address should be accessible from any other public IP address.
Using that logic, I see no reason to implement port protection.

You say you are concerned that they are on the same public subnet.
I don't see why that matters.

ISPs do it all the time.
For instance, if you order a DSL circuit from Verizon, your public IP will have a /24 subnet.
 
Qlemo (C++ Developer) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
