Solved

layer 3 on access 3750

Posted on 2014-02-06
194 Views
Last Modified: 2014-04-10
I'd like to get your feedback on the attached network. Basically, I have layer 3 on sw2 and sw1 with the trunk in between. I am not sure if this is a desirable setup or not. Please provide your thoughts. Thanks
Capture.JPG
Question by:leblanc
8 Comments
 
LVL 9

Accepted Solution

by:
ffleisma earned 300 total points
The trunk part is fine, but I noticed you are keeping the default gateway at the firewall.

Usually a better design practice is to have the default gateway for all (data/voice) VLANs at the core; in your case it would be switch1 (which is a 3750), which is an L3 switch and can handle SVI interfaces.
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 300 total points
Now consider this simple design.

simple LAN
The link between FW and core is on a separate VLAN.
This keeps things simple: the external route goes to the FW, and the internal routes (10, 172.16, 192.168) go to the core.

Also, this keeps the gateways at the core switch. The benefit of this is that you don't have to create sub-interfaces or firewall rules every time you are terminating a VLAN on the firewall.

Gateways are at the core switch
The gateways are at the core switch, which is done by SVI (interface VLAN). Let the core switch do routing; even though firewalls can do routing, it's best to limit their services to firewall stuff (ACL/NAT).

Device Management IP/VLAN
Try to keep device management IPs on a separate VLAN. One benefit: network devices won't take up IP addresses within your host VLAN.

This type of design is much more scalable.
1. You don't have to touch the firewall every time a new VLAN is created (except of course if you'll need to allow traffic out from the new VLAN and need to apply a new ACL/NAT on the FW).
2. The static route from the FW is 10.0.0.0/16; every time you create a 10.x.x.x VLAN on the core, you won't have to add a static route. This keeps things simple.
3. Notice that the core switchport connecting to the FW is in access mode? Later on this can be in trunk mode if you like, in case you are creating sub-interfaces on the firewall inside interface and would like to use the same physical interface.
4. The core does all internal routing. If, for example, the data VLAN terminates at the FW and the DHCP server is on a server VLAN, DHCP traffic will have to go through the FW from host to server (not very efficient). Now consider if the server VLAN and host VLAN are both terminated at core SVIs: host-to-server communication will not need to go to the FW, as the core will handle the routing.

Now I know I've covered a lot; let me know if you have any further questions, glad to help out!
0
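As an added illustration of the design described in the answer above (example configuration written for this page, not configuration posted by the answerer or taken from the thread): a Catalyst 3750 core holding every internal gateway as an SVI, a dedicated transit VLAN toward the firewall, a separate management VLAN, a single default route out, and an access switch that is layer 2 only. Hostnames, VLAN numbers, interface names, the DHCP relay address and all IP addresses are assumptions chosen for the example; the firewall line uses ASA syntax and is likewise an assumption.

```cisco
! ---- SW1: Catalyst 3750 core. All internal gateways live here as SVIs ----
hostname SW1
ip routing
!
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name SERVERS
vlan 99
 name MGMT
vlan 100
 name FW-TRANSIT
!
! Host gateways. ip helper-address relays DHCP to the server VLAN (assumed 10.0.30.10);
! host-to-server traffic is routed on the core and never crosses the firewall.
interface Vlan10
 description Data gateway (SVI)
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.30.10
interface Vlan20
 description Voice gateway (SVI)
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.30.10
interface Vlan30
 description Server gateway (SVI)
 ip address 10.0.30.1 255.255.255.0
! Management addresses stay out of the host VLANs
interface Vlan99
 description Management (network devices only)
 ip address 10.0.99.1 255.255.255.0
! Point-to-point transit to the firewall: nothing else is placed on this VLAN
interface Vlan100
 description Transit to firewall inside
 ip address 10.0.100.2 255.255.255.252
!
! Access port toward the firewall today; convert to a trunk later if
! sub-interfaces on the firewall inside interface are ever needed
interface GigabitEthernet1/0/1
 description To firewall inside
 switchport mode access
 switchport access vlan 100
!
! 802.1Q trunk toward the access switch, pruned to the VLANs it needs
interface GigabitEthernet1/0/2
 description Trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! The only route that leaves the core is the default toward the firewall
ip route 0.0.0.0 0.0.0.0 10.0.100.1
!
! ---- Firewall inside (ASA syntax, assumed): one summary route covers every
! ---- 10.x VLAN created on the core, so no firewall change per new VLAN
! route inside 10.0.0.0 255.255.0.0 10.0.100.2
!
! ---- SW2: access switch, layer 2 only, managed via the core ----
hostname SW2
no ip routing
ip default-gateway 10.0.99.1
!
interface Vlan99
 description Management address only; no user-VLAN SVIs on the access layer
 ip address 10.0.99.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Phone and PC share one port: data VLAN untagged, voice VLAN tagged
interface GigabitEthernet1/0/5
 description Phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
```

With this layout a phone on SW2 that needs a config server on one VLAN and a PBX on another is routed between those VLANs by SW1's SVIs; SW2 itself never needs ip routing for that. Restricting the trunk to the VLANs actually in use (and keeping the management VLAN out of the user ports) also limits what a host on the access layer can reach at layer 2.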
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 200 total points
ffleisma's answer is correct and very thorough. Great addition to the EE family. The only thing I could add if not already covered:

1. If not doing Layer 3 to the Access layer (switch 2 and 3), they don't need ip routing. Switch 1 is doing all routing for them.

2. If you do want to keep ip routing, you'd be better off creating /30 networks between switch 1 and (switch 2 and 3) and running a routing protocol like EIGRP. This will give you quicker convergence than relying on STP. You will create routed ports on all 3 switches connecting to each other and assign an IP address from the /30 subnets. You would then enable EIGRP on all three switches, and make switch 2 and 3 EIGRP stubs so they are not transit.
0
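For the routed-port alternative in point 2 above, here is an added example configuration (written for this page, not posted by the answerer): /30 routed links from the core to an access switch, EIGRP on all links, the access switch declared a stub so it is never used as transit, and all other interfaces left passive. It goes one step beyond the post by adding MD5 neighbor authentication on the routed links, so that only the intended switches can form adjacencies and inject routes. Hostnames, interface names, the AS number, the key-chain name and all addresses are assumptions; the key string is a placeholder.

```cisco
! ---- SW1: core, routed uplinks, full EIGRP speaker ----
hostname SW1
ip routing
!
! Shared authentication key (placeholder value; set a real secret on both ends)
key chain EIGRP-KEYS
 key 1
  key-string CHANGE-ME-PLACEHOLDER
!
! Routed ports: no switchport, so no STP and no 802.1Q on these links
interface GigabitEthernet1/0/2
 description Routed /30 link to SW2
 no switchport
 ip address 10.0.250.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface GigabitEthernet1/0/3
 description Routed /30 link to SW3
 no switchport
 ip address 10.0.250.5 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Only the two routed uplinks speak EIGRP; SVIs and user ports stay passive
router eigrp 100
 network 10.0.0.0 0.0.255.255
 passive-interface default
 no passive-interface GigabitEthernet1/0/2
 no passive-interface GigabitEthernet1/0/3
 no auto-summary
!
! ---- SW2: access switch with a local gateway, EIGRP stub (non-transit) ----
! ---- SW3 is configured the same way with 10.0.250.6/30 and its own VLAN ----
hostname SW2
ip routing
!
key chain EIGRP-KEYS
 key 1
  key-string CHANGE-ME-PLACEHOLDER
!
interface GigabitEthernet1/0/1
 description Routed /30 link to SW1
 no switchport
 ip address 10.0.250.2 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Local data VLAN; advertised upstream as a connected route only
interface Vlan10
 description Local data gateway
 ip address 10.0.11.1 255.255.255.0
!
! "eigrp stub connected summary": SW1 will not query SW2 for lost routes and
! SW2 never advertises routes learned from SW1 back out, so it cannot become transit
router eigrp 100
 network 10.0.0.0 0.0.255.255
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no auto-summary
 eigrp stub connected summary
```

Because the uplinks are routed ports rather than trunks, a failure is detected by EIGRP hellos and holdtime rather than by spanning-tree reconvergence, which is the convergence advantage the answer refers to. The stub flag also bounds query scope, so a link flap on one access switch does not trigger queries across the other.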
 
LVL 1

Author Comment

by:leblanc
Good explanation... One question though... Why can't I have a trunk between sw1 and sw2 (with ip routing enabled)? Thx
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 300 total points
"Why can't I have a trunk between sw1 and sw2 (with ip routing enabled)? Thx"

Actually you can, if it is a requirement. It would look something like this:

routing across trunk
As you can see, the routing protocol will run across the trunk. This can also work even if you put the ports connecting SW1 and SW2 as access ports.

So technically, that will work.

But may I ask why you need routing enabled between SW1 and SW2? Our initial assumption is that all traffic routing is done by SW1; hence, there is no need to create an L3 connection between SW1 and SW2. One reason I can think of is that SW2 is receiving routes from someone else, and hence you want to propagate them to SW1. Is this the case?
0
 
LVL 1

Author Comment

by:leblanc
I got involved in this project and somebody else configured those switches before. The person left the firm. Anyway, from my understanding, they turned on routing on sw2 because of the VoIP phone bootup process. The phone has to go to vlan10 to get the config from the ftp server; then talk to the PBX on vlan20.  But like you said, sw2 should be a layer 2 and if it needs routing, it can go to sw1 as its DG.
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 200 total points
Yes, you can have trunks and use the VLAN interfaces in the routing protocol, but routed ports alleviate dealing with spanning tree and 802.1Q on those links.

Also, based on your statement above, you don't need routing on those switches. I'd rather you use two of the switches in an HSRP pair.
0
 
LVL 1

Author Comment

by:leblanc
Thanks. I will take a closer look at this.
0