pzozulka asked:

Configuring L3 switch

We have an existing Cisco SG300-28 switch in L3 mode. Because we needed more ports, we are buying another switch -- same exact model.

I will be trunking them together, and allowing some of our ESXi server to do NIC Teaming across both switches.

Question:
How do I configure the VLAN IPs on the 2nd switch?

For example, below is the list of IPs and associated VLANs on switch 1:
VLAN 1000 - 10.10.0.1 (255.255.255.0)
VLAN 1020 - 10.20.0.1 (255.255.255.0)
VLAN 1030 - 10.30.0.1 (255.255.255.0)
VLAN 2       - 10.0.15.249 (255.255.255.248) -- connects to main firewall/router LAN port.
 

On switch 2, what IP/subnet mask should I assign to the above mentioned VLANs.

**NOTE: Only Switch 1 connects to the firewall. This means that any traffic on switch 2 that is headed outside our network (internet), needs to go through Switch 1 in order to hit the firewall.
SOLUTION by Don Johnston
This solution is only available to members.
Miftaul H

You don't need to assign IP addresses to the VLANs on the second switch. You can assign another free IP to the management VLAN only, for remote management purposes.

But if you want to assign IPs for one reason or another:

VLAN 1000 - 10.10.0.2 (255.255.255.0) or any other unused IP
VLAN 1020 - 10.20.0.2 (255.255.255.0) or any other unused IP
VLAN 1030 - 10.30.0.2 (255.255.255.0) or any other unused IP

Create a trunk between the two switches, with EtherChannel bundling if you want.

It will work fine.
pzozulka (ASKER)

donjohnston: I don't believe this is true, because we are already doing the NIC Team (Route based on the originating virtual port ID) to two separate switches (same models) in one of our other offices. Not to be confused with LACP -- just static trunking on ProCurve switches. If this were true, and you could only team NICs to a single switch, then if that switch were to die there would be no redundancy.

Here are example configs from the two ProCurve switches in our other office (5304xl):

Switch 1:
interface A14 
   name "MDF-C02-A14" 
   flow-control 
   unknown-vlans Disable 
   no lacp
exit
interface B14 
   flow-control 
   unknown-vlans Disable 
   no lacp
exit
interface C14 
   name "MDF-C02-C14" 
   flow-control 
   unknown-vlans Disable 
   no lacp
exit
interface C16 
   name "MDF-C02-C16" 
   flow-control 
   no lacp
exit
trunk A14,B14,C14,C16 Trk1 Trunk 
vlan 1001 
   name "ESX VMotion" 
   ip address 10.0.128.21 255.255.255.248 
   tagged A10,B1,C10-C11 
   exit 
vlan 1002 
   name "IP Storage" 
   untagged A7,B12,B15,Trk5-Trk6 
   ip address 10.0.128.61 255.255.255.224 
   tagged A1-A2,A8,B13,C8 
   exit 
ip route 0.0.0.0 0.0.0.0 10.0.15.254

Switch 2:
interface A14 
   flow-control 
   unknown-vlans Disable 
   no lacp
exit
interface B4 
   unknown-vlans Disable 
exit
interface B14 
   flow-control 
   unknown-vlans Disable 
   no lacp
exit
interface C14 
   flow-control 
   unknown-vlans Disable 
   no lacp
exit
interface C16 
   flow-control 
   no lacp
exit
trunk A14,B14,C14,C16 Trk1 Trunk
ip default-gateway 10.0.156.253
vlan 1001 
   name "ESX VMotion" 
   ip address 10.0.128.22 255.255.255.248 
   tagged A1,A4-A5,B1 
   exit 
vlan 1002 
   name "IP Storage" 
   untagged Trk6-Trk7 
   ip address 10.0.128.62 255.255.255.224 
   tagged C8,C10-C13 
   exit 
ip route 0.0.0.0 0.0.0.0 10.0.15.254 

I want to create pretty much the same setup with the Cisco switches, but I'm not that familiar with Cisco. As you can see, Switch 2 is the one that's connected to the main firewall (10.0.15.254) on port B4, and on each switch all VLANs have IP assignments.

Lastly, the two switches are trunked together on ports A14, B14, C14 and C16. It looks like a static trunk (not LACP -- which I believe is EtherChannel in Cisco terms).

I trust these configs because they work well and were created by our senior network engineers. So I'm a bit confused why both of you said I don't need to assign IPs to the VLANs on the second switch.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks, that's what I thought as well, because in my experience, only when you add an IP address to a VLAN does it become reachable from other VLANs, which pretty much confirms what you just said.

I think it can be a benefit to be able to ping the storage VLAN devices from our management network for diagnostic purposes, but I see what you're saying in terms of functionality that L3 is not needed in our case.

Which brings me to my last question in the original post in regard to VLAN 2. This is the VLAN that contains the port on Switch 1 that connects to the firewall -- and in turn, to the outside world.

What config do I need to make on Switch 2 for all network traffic on Switch 2 headed to the outside world to know that, to get to the outside world (firewall), the traffic needs to go through Switch 1 first?
SOLUTION
This solution is only available to members.
"for all network traffic on Switch 2 headed to the outside world to know that, to get to the outside world (firewall), the traffic needs to go through Switch 1 first."

No matter how many switches in a stack a VLAN traverses, its basic principle is that it extends the broadcast domain across the switching fabric. Your traffic to the external network will be broadcast within the VLAN throughout both switches, and due to proxy ARP the default gateway will respond with its MAC address for traffic destined to an unknown network. The devices will then build the frame for the traffic to the outside world using the MAC address of the default gateway. Once the gateway receives the frame, it will do its job of forwarding it.
I just read your last comment. Does that mean the default gateway on Switch 1 has to be 10.0.15.254 (router's IP), and same on Switch 2?

My other option is: since Switch 1 is the one that connects directly to the router, have its default gateway be 10.0.15.254, and have Switch 2's default gateway point to Switch 1.
Back to basics: why exactly do we need a default gateway in a switch? A switch, being a Layer 2 device, doesn't have any Layer 3 intelligence. When we give an IP to any switch SVI interface and want to manage the switch remotely, the IP traffic will reach the switch, but the return traffic will not come back because the switch doesn't know where to forward it. That's where the default gateway comes into play: if the switch doesn't know where to forward traffic, it forwards it to the default gateway.

Query - I just read your last comment. Does that mean the default gateway on Switch 1 has to be 10.0.15.254 (router's IP), and same on Switch 2?

To answer your question, yes, the default gateway on both the switches should be the Router IP 10.0.15.254

Query - My other option is: since Switch 1 is the one that connects directly to the router, have its default gateway be 10.0.15.254, and have Switch 2's default gateway point to Switch 1.

Don't do this. Even if you do, as I said, switches don't have Layer 3 intelligence, so Switch 2 will forward the return management traffic to Switch 1 and Switch 1 will again forward it to the router. This doesn't make any sense, does it?
Both switches are set to L3 mode. Does that change any of what you said in this case?
No, it's the same.

Set the default gateway on both switches to the router IP.
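The two recurring points in this thread are (a) that any SVI addresses you do give the second switch must sit in the same subnet as the first switch's, on an unused host address, and (b) that a default gateway only works if it lies inside one of the switch's own connected subnets. The following script is an added example, not code from the thread or from Cisco: it audits a pair of SVI tables for exactly those conditions. Switch 1's addresses are the ones listed in the question; switch 2's ".2" addresses are the ones proposed in Miftaul H's answer, and the VLAN 2 address 10.0.15.250/29 for switch 2 is an assumption made up for this example.

```python
"""Audit SVI addressing for two switches that share the same VLANs.

Added example for this thread; not code from the thread or from Cisco.
Switch 1 addresses come from the question.  Switch 2 addresses are the
".2" proposals from the answer plus an assumed VLAN 2 address.
"""
from ipaddress import ip_address, ip_interface

# Switch 1 SVIs as posted in the question.
SWITCH1 = {
    1000: "10.10.0.1/24",
    1020: "10.20.0.1/24",
    1030: "10.30.0.1/24",
    2: "10.0.15.249/29",  # subnet shared with the firewall's LAN port
}

# Switch 2 SVIs: the ".2" addresses from the answer, plus a constructed
# VLAN 2 address (assumption) so switch 2 has a foothold in the firewall subnet.
SWITCH2 = {
    1000: "10.10.0.2/24",
    1020: "10.20.0.2/24",
    1030: "10.30.0.2/24",
    2: "10.0.15.250/29",  # assumption: an unused host in 10.0.15.248/29
}

ROUTER = "10.0.15.254"  # firewall/router LAN address from the question


def check_svi_pair(vlan, a, b):
    """Return problems with two SVIs that are meant to share one VLAN."""
    ia, ib = ip_interface(a), ip_interface(b)
    problems = []
    if ia.network != ib.network:
        problems.append(f"VLAN {vlan}: {a} and {b} are in different subnets")
    if ia.ip == ib.ip:
        problems.append(f"VLAN {vlan}: duplicate address {ia.ip}")
    for iface in (ia, ib):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vlan}: {iface} is the network or broadcast address")
    return problems


def check_gateway(svis, gateway):
    """Return the VLAN whose SVI subnet contains the gateway, or None."""
    gw = ip_address(gateway)
    for vlan, cidr in svis.items():
        iface = ip_interface(cidr)
        if gw in iface.network and gw != iface.ip:
            return vlan
    return None


def audit(switch1, switch2, gateway):
    """Collect every addressing problem across both switches."""
    problems = []
    for vlan in sorted(set(switch1) | set(switch2)):
        if vlan in switch1 and vlan in switch2:
            problems.extend(check_svi_pair(vlan, switch1[vlan], switch2[vlan]))
    for name, svis in (("switch1", switch1), ("switch2", switch2)):
        if check_gateway(svis, gateway) is None:
            problems.append(f"{name}: default gateway {gateway} is not in any SVI subnet")
    return problems


if __name__ == "__main__":
    for line in audit(SWITCH1, SWITCH2, ROUTER) or ["no problems found"]:
        print(line)
    # Failure mode: drop switch 2's VLAN 2 SVI and the router becomes unreachable
    # as a next hop, even though the gateway setting itself is unchanged.
    without_vlan2 = {v: c for v, c in SWITCH2.items() if v != 2}
    for line in audit(SWITCH1, without_vlan2, ROUTER):
        print(line)
```

The script only checks addressing; for switch 2 to actually reach 10.0.15.254 it also needs VLAN 2 carried on the inter-switch trunk, which a table of SVIs cannot verify. Removing the VLAN 2 entry from SWITCH2 in the `__main__` block reproduces the case where the gateway is configured but unreachable.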
Thanks much.