Cisco VLAN Routing Without Trunks
Asked by lunanat
A little background on what I'm trying to do.
I have a remote building connected via radio link; on either side is a Cisco 2960G, each with a radio plugged in.
There are 3 VLANs at the remote site:
296 - 10.2.96.0 / 24 (Management at site, such as switches)
275 - 10.2.75.0 / 24 (Users at site)
295 - 10.2.95.0 / 24 (Servers at site)
At the primary site, I've a number of VLANs... for the sake of brevity, here's one VLAN:
160 - 10.1.16.0 / 24 (IT Staff)
On to the problem.
Packets between the local and remote building are being dropped left right and center, and as a result performance is abysmal at best.
We upgraded the radios to a dedicated frequency, to improve performance. The new radios are the ones which exhibit this behavior.
Having spoken with the vendors, they're able to push roughly 150 Mbps through the radios with zero packet loss (I directly observed their test). They have also indicated that these radios do NOT play nicely with Cisco Trunk ports.
So, I need (would like) to find a way to use multiple VLANs without trunks... whether this would involve additional L3 hardware at the remote (and possibly local site) or otherwise.
I wouldn't start spending money unless the radio link provider can explain exactly what is needed. A layer 3 switch, like the Cisco 3750, could route the traffic, but unless the radio link vendor can confirm what is and isn't supported, there's no telling what would work. Can this vendor produce a documented and supported VLAN over radio link proposal? Perhaps it would be possible, with two layer 3 switches or two routers, to create an encrypted site to site VPN tunnel so the radio links do not see or interact with the trunk data. But again, the radio link vendor must show whether this is supported or not.
ASKER
Your first mention... using a layer 3 switch.
Would it need to be an L3 switch, or would a regular router (with the correct number of interfaces) work for the job?
More specifically, could an access port between two L3 devices contain VLAN Tagged traffic?
The only way to have multiple VLANs between two locations without a trunk is to use multiple links (one for each VLAN).
But something doesn't sound right.
> They have also indicated that these radios do NOT play nicely with Cisco Trunk ports.
Do they mean only Cisco trunks? Or trunks from any vendor? And why do they not work with trunks? Is it the 1522 byte frame? If that's all it is, you could drop the MTU down to 1496 on the hosts.
ASKER
They said cisco trunks, but I certainly didn't get the feeling they were singling out Cisco.
I'll lower the MTU down to 1496 and see what happens.
ASKER
In retrospect, perhaps I should ask a few more questions.
Do you mean just the MTU on the hosts at the remote site, or also the servers at the local site which they access?
Is there any way to force fragmentation at the 2960s?
> Do you mean just the MTU on the hosts at the remote site, or also the servers at the local site which they access?
All end stations (servers, PC's, etc.). The reason is that if the end stations never create a frame larger than 1496, then even after the 802.1q tags are added, the resulting frame will not be larger than 1518.
> Is there any way to force fragmentation at the 2960s?
Since the goal is to trunk across the link, the 2960s are not routing. So fragmentation isn't an option.
ASKER
Ah, right. But if I had routers at both ends, I could set the link MTU. Is that a sane thought?
I'll get in touch with the vendor and see if they have other info on why the trunks don't work... I could definitely get routers for both sides, but not on a whim.
Edit:
I already have a small router at that site already, which I use to force their internet-bound traffic out through an ADSL connection, rather than through the radios to this site's internet connection. I could very easily reposition that router... would I need a router on both sides, or would the router's lower MTU cause the local servers to automatically reduce their MTU when talking to remote site hosts?
> Ah, right. But if I had routers at both ends, I could set the link MTU. Is that a sane thought?
Sure. But then you're not trunking over the link. You're routing over the link.
> I could very easily reposition that router... would I need a router on both sides, or would the router's lower MTU cause the local servers to automatically reduce their MTU when talking to remote site hosts?
You would really need a router at each end.
ASKER
Okay, thanks. I'll see if I can throw pfsense or monowall or something on a PC as a test, and use it as an impromptu router. I know pfsense supports vlans, and I'd be shocked if it didn't support fragmentation (since I know it supports recombining to avoid fragmentation obfuscation).
I'm not sure if this will work or not, but I'm certainly going to try... since it's going to be a bit of time before I can complete what I need to complete, I'm going to mark your next answer as the answer - and then follow up later with a new question if needed.
> Sure. But then you're not trunking over the link. You're routing over the link.
From a logical standpoint, will that have any impact on the general behavior of the VLANs as they are? That is, will traffic from one VLAN/subnet still reach a VLAN/subnet across that link, or will I need to implement some other approach? Guessing the answer is that there won't be any impact, and that it will reach, but I'd best make sure.
> From a logical standpoint, will that have any impact on the general behavior of the VLANs as they are?
Yes. A huge impact. VLANs stop at the router. Which means that one site will become a different IP network than the other site.
ASKER
Sorry, I think I wasn't specific... or I was too specific - one of the two.
I'm looking to make sure that I'll still be able to directly reach a host from one side to the other side (both ways, since remote hosts need to hit local servers, and local hosts need to hit remote hosts for support). Which, as I suspect, would be the case.
If the same VLANs aren't at both sites, then there's no reason to trunk between the sites.
FYI... Cisco's terminology 'trunking' is basically what other vendors call tagging. Typically, the way 802.1Q tagging works is by adding the VLAN ID to the header of each frame as it enters an uplink interface, and it is stripped from the frame header as it is received on the opposite end of an uplink interface. Cisco's ISL doesn't tag the frame header, but actually encapsulates it, which then follows the same process. This is why Cisco's trunking would not be supported. Primarily because the tagged VLAN IDs would basically be stripped off as soon as the frame enters the wireless device's interface, in theory. When the frame is received on the opposite end of the wireless radio it would no longer contain the VLAN information.
Therefore, routing is your best solution.
The 2960 does not support ISL. 802.1q only.
FYI... I was speaking in general terms for Cisco switches not specifically about the 2960.
This post specified the 2960. And Cisco has deprecated ISL. The number of Cisco switches which support ISL is shrinking rapidly.
ASKER
So much information, very happy to see it so freely shared.
As I understand it, I would be implementing the following:
Remote Site | 2960 L2 | "R" L3  | Radio | Air | Radio | "L" L3  | 2960 L2 | Local Site
            | Gi0/47  | Fa0 Fa1 | <int> |     | <int> | Fa1 Fa0 | Gi0/47  |
And that the result of this will be subnets at the remote site which are isolatable from subnets at the local site (via ACLs on the L3 hardware and the inherent non-routing of certain types of traffic).
The router at the remote side would have something like the following:
remote 2960G:
int gi0/47
 <nothing special>
remote L3:
int fa0
 <nothing special, essentially just an L2 port?>
int fa1
 ip address 10.2.96.254 255.255.255.0
int vlan 275
 ip address 10.2.75.254 255.255.255.0
int vlan 295
 ip address 10.2.95.254 255.255.255.0
Local L3:
int fa0
 <nothing special, just an L2 port?>
int fa1
 ip address 10.2.96.253 255.255.255.0
Local 2960G:
int gi0/47
 <nothing special>
And that if a host at my local site, 10.1.16.0 / 24 were to try and reach a host at the remote site in vlan 275, the route would look like this:
10.1.16.1 <---> 10.1.16.254 <---> 10.2.96.253 <---> 10.2.96.254 <---> 10.2.75.254 <---> 10.2.75.1
Am I misunderstanding anything?
I'm not sure that I am interpreting your information correctly.
Will you be doing the inter-VLAN routing (for each site) on the 2960 or the router?
ASKER
The inter-VLAN routing at my local site is done by a pair of Catalyst 3560G layer 3 switches. The remote site only has the 3 VLANs (currently), 275, 295, and 296.
The remote site would be routed by the router at the remote site... which I think may be where I confused myself - I'm guessing that I wouldn't actually use SVIs in a router, for routing... instead using FA ports, each with its own IP address in the correct subnet?
The remote site only has one switch, don't know if that matters.
Or would the remote site look something like this?
Router:
int fa0
 description L3 interface for 275
 ip address 10.2.75.254 255.255.255.0
int fa1
 description L3 interface for 295
 ip address 10.2.95.254 255.255.255.0
int fa2
 description L3 interface for 296
 ip address 10.2.96.254 255.255.255.0
2960:
vlan 275
 name Users
vlan 295
 name Servers
vlan 296
 name Management
int gi0/46
 description plugged into router fa0
 switchport access vlan 275
int gi0/47
 description plugged into router fa1
 switchport access vlan 295
int gi0/48
 description plugged into router fa2
 switchport access vlan 296
int gi0/1
 description example port for PC intended to be in the 10.2.75.0/24 subnet
 switchport access vlan 275
ASKER CERTIFIED SOLUTION
ASKER
I was about to say that the 2960 was an L2 switch and that I can't make more than one SVI, but when I went to test to confirm, it worked.
Which blows my mind... I KNOW I tried it once before, without success. But I must've done something wrong.
You're right, that does dramatically simplify things. I'm just doing some trials, and then I'll post back - very likely with an accepted solution as well.
Yeah... The 2960 is a weird box. All the other 2900's are Layer-2 only. But this one actually can do layer 3. You just can't do routing protocols.
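The routed design the thread converges on, written out as an added example (not the asker's or any answerer's configuration): each 2960 carries its own site's SVIs, the radio port on each side is an untagged access port in a dedicated transit VLAN, static routes carry traffic across the hop, and an ACL at the remote end lets only the IT staff subnet reach switch management. The transit VLAN 299 with 10.2.99.0/30, the `sdm prefer lanbase-routing` step, and router ACL support on the 2960 image are assumptions.

```cisco
! ===== Remote 2960G: hosts the site's SVIs and routes over the radio hop =====
! Assumed: LAN Base image, where static routing needs this SDM template and a reload
sdm prefer lanbase-routing
ip routing
!
! Assumed transit VLAN for the radio hop; it carries only untagged frames (<= 1518 bytes)
vlan 299
 name Radio-Transit
!
interface Vlan275
 ip address 10.2.75.254 255.255.255.0
interface Vlan295
 ip address 10.2.95.254 255.255.255.0
interface Vlan296
 ip address 10.2.96.254 255.255.255.0
interface Vlan299
 ip address 10.2.99.2 255.255.255.252
 ip access-group FROM-MAIN-SITE in
!
interface GigabitEthernet0/47
 description Radio link - plain access port, no trunk
 switchport mode access
 switchport access vlan 299
!
! One static route per main-site subnet; the remote default route stays with the ADSL router
ip route 10.1.16.0 255.255.255.0 10.2.99.1
!
! Router ACL on the SVI (assumed supported on this image): only IT staff reach management
ip access-list extended FROM-MAIN-SITE
 permit ip 10.1.16.0 0.0.0.255 10.2.96.0 0.0.0.255
 deny ip any 10.2.96.0 0.0.0.255 log
 permit ip any any
!
! ===== Main site: the 2960G stays Layer 2; the 3560G pair already routes =====
! Local 2960G
vlan 299
 name Radio-Transit
interface GigabitEthernet0/47
 description Radio link - plain access port, no trunk
 switchport mode access
 switchport access vlan 299
!
! 3560G, reached over the existing wired trunk where 802.1Q tagging is not an issue
interface Vlan299
 ip address 10.2.99.1 255.255.255.252
ip route 10.2.75.0 255.255.255.0 10.2.99.2
ip route 10.2.95.0 255.255.255.0 10.2.99.2
ip route 10.2.96.0 255.255.255.0 10.2.99.2
```

VLAN 299 also has to be allowed on the wired trunk between the local 2960G and the 3560G pair. Because the radio ports are access ports, frames on the link never carry an 802.1Q tag, so the 1496 host MTU workaround is no longer needed.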
ASKER
Well, you've been a remarkable help, so I'm going to mark this one as answered. If I encounter further problems, I'll be sure to come ask again.
ASKER
Thanks!