Solved

layer 3 on access 3750

Posted on 2014-02-06
8
203 Views
Last Modified: 2014-04-10
I'd like to get your feedback on the attached network. Basically, I have layer 3 on sw2 and sw1 with the trunk in between. I am not sure if this is a desirable setup or not. Please provide your thoughts. Thanks
Capture.JPG
Question by:leblanc
8 Comments
 
LVL 9

Accepted Solution

by:
ffleisma earned 300 total points
ID: 39841246
The trunk part is fine, but I noticed you are keeping the default gateway at the firewall.

Usually a better design practice is to have the default gateway for all (data/voice) VLANs at the core; in your case that would be switch1 (which is a 3750), which is an L3 switch and can handle SVI interfaces.
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 300 total points
ID: 39841264
Now consider this simple design.

Simple LAN
The link between the FW and the core is on a separate VLAN.
This keeps things simple: the external route goes to the FW, and the internal routes (10, 172.16, 192.168) go to the core.

Also, this keeps the gateways at the core switch. The benefit of this is that you don't have to create sub-interfaces or firewall rules every time you are terminating a VLAN on the firewall.

Gateways are at the core switch
The gateways are at the core switch, which is done by SVI (interface VLAN). Let the core switch do the routing; even though firewalls can do routing, it's best to limit their services to firewall stuff (ACL/NAT).

Device management IP/VLAN
Try to keep device management IPs on a separate VLAN. One benefit: network devices won't take up IP addresses within your host VLAN.

This type of design is much more scalable.
1. You don't have to touch the firewall every time a new VLAN is created (except, of course, if you'll need to allow traffic out from the new VLAN and need to apply new ACL/NAT on the FW).
2. The static route from the FW is 10.0.0.0/16; every time you create a 10.x.x.x VLAN on the core, you won't have to add a static route. This keeps things simple.
3. Notice that the core switchport connecting to the FW is in access mode? Later on this can be in trunk mode if you like, in case you are creating sub-interfaces on the firewall inside interface and would like to use the same physical interface.
4. The core does all internal routing. If, for example, the data VLAN terminates at the FW, and the DHCP server is on a server VLAN, DHCP traffic will have to go through the FW from host to server (not very efficient). Now consider if the server VLAN and host VLAN are both terminated at core SVIs: host-to-server communication will not need to go to the FW, as the core will handle the routing.

Now I know I've covered a lot; let me know if you have any further questions, glad to help out!
0
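The design above, written out as an added Cisco IOS example for the 3750 core (this is not configuration from the original post; the VLAN numbers, 10.0.x.0/24 addressing, the 10.0.100.0/30 firewall transit subnet, the DHCP server address and the interface names are all assumed). It shows the SVI gateways on the core, the firewall link on its own VLAN with an access port, the single default route toward the firewall, DHCP relay so host-to-server traffic never touches the firewall, and the one summary route the firewall needs back to the core.

```cisco
! SW1 - 3750 core. Added example, assumed addressing throughout.
! VLAN 10 data, 20 voice, 30 servers, 99 management, 100 firewall transit.
ip routing
!
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name SERVERS
vlan 99
 name MGMT
vlan 100
 name FW-TRANSIT
!
interface Vlan10
 description Data gateway (hosts point here, not at the firewall)
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.30.10
!
interface Vlan20
 description Voice gateway
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.30.10
!
interface Vlan30
 description Server gateway (assumed DHCP/FTP server 10.0.30.10 lives here)
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan99
 description Management only - no end hosts on this VLAN
 ip address 10.0.99.1 255.255.255.0
!
interface Vlan100
 description Point-to-point transit to firewall inside interface
 ip address 10.0.100.1 255.255.255.252
!
interface GigabitEthernet1/0/1
 description Firewall inside - access port on the transit VLAN
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description Trunk to SW2 - only carry the VLANs SW2 actually needs
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Only non-local traffic leaves via the firewall; every 10.x SVI is
! a connected route on the core, so adding VLANs never touches this.
ip route 0.0.0.0 0.0.0.0 10.0.100.2
!
! Firewall side (syntax varies by vendor; shown for a Cisco ASA):
! one summary route back to the core covers all present and future 10.x VLANs.
!   route inside 10.0.0.0 255.255.0.0 10.0.100.1
```

Two checks worth doing once this is in place: confirm `show ip route` on the core shows the 10.0.x.0/24 networks as connected and only 0.0.0.0/0 pointing at the firewall, and confirm the trunk allowed list is pruned, since any VLAN left on the trunk by default is reachable from SW2's access ports.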
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 200 total points
ID: 39842031
ffleisma's answer is correct and very thorough. Great addition to the EE family. The only thing I could add, if not already covered:

1. If not doing Layer 3 to the access layer (switch 2 and 3), they don't need ip routing. Switch 1 is doing all routing for them.

2. If you do want to keep ip routing, you'd be better off creating /30 networks between switch 1 and (switch 2 and 3) and running a routing protocol like EIGRP. This will give you quicker convergence than relying on STP. You will create routed ports on all 3 switches connecting to each other and assign an IP address from the /30 subnets. You would then enable EIGRP on all three switches, and make switch 2 and 3 EIGRP stubs so they are not transit.
0
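Both options from the comment above, as an added Cisco IOS example (not configuration from the original post; VLAN numbers, the 10.0.255.0/30 and 10.0.255.4/30 link subnets, EIGRP AS 100 and the interface names are assumed). Option 1 is the access switch as pure Layer 2 with a management SVI and a default gateway at the core; option 2 is routed /30 links from the core to each access switch with EIGRP, where the access switches are stubs so they never become a transit path.

```cisco
! ===== Option 1: SW2 is Layer 2 only; SW1 routes for it =====
! SW2 (3750 used as an access switch) - added example, assumed addressing.
no ip routing
ip default-gateway 10.0.99.1
!
interface Vlan99
 description Management SVI on the MGMT VLAN (assumed VLAN 99)
 ip address 10.0.99.2 255.255.255.0
!
interface GigabitEthernet1/0/24
 description Trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! ===== Option 2: Layer 3 to the access layer, /30 links and EIGRP =====
! SW1 (core)
ip routing
!
interface GigabitEthernet1/0/23
 description Routed link to SW2 (10.0.255.0/30)
 no switchport
 ip address 10.0.255.1 255.255.255.252
!
interface GigabitEthernet1/0/24
 description Routed link to SW3 (10.0.255.4/30)
 no switchport
 ip address 10.0.255.5 255.255.255.252
!
router eigrp 100
 network 10.0.0.0 0.0.255.255
 ! Only form adjacencies on the two routed uplinks, never on user SVIs.
 passive-interface default
 no passive-interface GigabitEthernet1/0/23
 no passive-interface GigabitEthernet1/0/24
!
! SW2 (access) - in this model SW2 owns its own user subnets; a VLAN
! no longer spans SW1 and SW2, so STP plays no part in convergence.
ip routing
!
interface Vlan10
 description Data gateway for hosts on SW2 (assumed 10.0.10.0/24)
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.30.10
!
interface GigabitEthernet1/0/24
 description Routed link to SW1
 no switchport
 ip address 10.0.255.2 255.255.255.252
!
router eigrp 100
 network 10.0.0.0 0.0.255.255
 passive-interface default
 no passive-interface GigabitEthernet1/0/24
 ! Stub: advertise connected/summary routes only, never relay routes
 ! learned from SW1, so SW2 cannot be used as a transit path.
 eigrp stub connected summary
!
! SW3 mirrors SW2 with 10.0.255.6/30 on its uplink and its own user subnets.
```

After bringing this up, `show ip eigrp neighbors` on SW1 should list exactly SW2 and SW3, and `show ip eigrp neighbors detail` on SW1 should flag each as a stub; if a user SVI shows up as an adjacency, the passive-interface default line was missed.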
 
LVL 1

Author Comment

by:leblanc
ID: 39842298
Good explanation... One question, though... Why can't I have a trunk between sw1 and sw2 (with ip routing enabled)? Thx
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 300 total points
ID: 39842360
Why can't I have a trunk between sw1 and sw2 (with ip routing enabled)? Thx

Actually you can, if it is a requirement. It would look something like this:

Routing across trunk
As you can see, the routing protocol will run across the trunk. This can also work even if you put the ports connecting SW1 and SW2 as access ports.

So technically, that will work.

But may I ask why you need routing enabled between SW1 and SW2? Our initial assumption is that all traffic routing is done by SW1, hence no need to create an L3 connection between SW1 and SW2. One reason I can think of is that SW2 is receiving routes from someone else, hence you want to propagate them to SW1. Is this the case?
0
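The "routing across trunk" variant described above, as an added Cisco IOS example (not configuration from the original post; the transit VLAN 200 with 10.0.200.0/30, EIGRP AS 100 and the interface names are assumed). The trunk stays a Layer 2 trunk; the routing adjacency runs between SVIs on a dedicated transit VLAN that is carried on that trunk, and it is the only VLAN on which EIGRP is allowed to peer.

```cisco
! SW1 (core) - added example, assumed addressing.
ip routing
!
vlan 200
 name L3-TRANSIT-SW1-SW2
!
interface Vlan200
 description Routing adjacency to SW2 over the trunk
 ip address 10.0.200.1 255.255.255.252
!
interface GigabitEthernet1/0/24
 description Trunk to SW2 - user VLANs plus the transit VLAN
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99,200
!
router eigrp 100
 network 10.0.200.0 0.0.0.3
 network 10.0.0.0 0.0.255.255
 passive-interface default
 no passive-interface Vlan200
!
! SW2 - peers with SW1 only on Vlan200; its own subnets come in via network.
ip routing
!
vlan 200
 name L3-TRANSIT-SW1-SW2
!
interface Vlan200
 description Routing adjacency to SW1 over the trunk
 ip address 10.0.200.2 255.255.255.252
!
interface GigabitEthernet1/0/24
 description Trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99,200
!
router eigrp 100
 network 10.0.200.0 0.0.0.3
 network 10.0.0.0 0.0.255.255
 passive-interface default
 no passive-interface Vlan200
 eigrp stub connected summary
```

The practical difference from routed ports is that VLAN 200 is still subject to spanning tree on the trunk, so a topology change on the trunk delays the adjacency as well; that is the convergence cost the later comment about routed ports refers to.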
 
LVL 1

Author Comment

by:leblanc
ID: 39843122
I got involved in this project and somebody else configured those switches before. The person left the firm. Anyway, from my understanding, they turned on routing on sw2 because of the VoIP phone boot-up process. The phone has to go to vlan10 to get the config from the FTP server, then talk to the PBX on vlan20. But like you said, sw2 should be layer 2, and if it needs routing, it can go to sw1 as its DG.
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 200 total points
ID: 39843249
Yes, you can have trunks and use the VLAN interfaces in the routing protocol, but routed ports alleviate dealing with spanning tree and 802.1q on those links.

Also, based on your statement above, you don't need routing on those switches. I'd rather you use two of the switches in an HSRP pair.
0
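The HSRP pair suggested above, as an added Cisco IOS example (not configuration from the original post; VLAN 10, the 10.0.10.0/24 addressing, the virtual gateway 10.0.10.1, the HSRP group number, the key string and the tracked uplink interface are assumed). Both switches run ip routing and carry VLAN 10 on the trunk between them; hosts keep using 10.0.10.1 as their gateway while the active router moves between SW1 and SW2.

```cisco
! SW1 - intended active gateway for VLAN 10. Added example, assumed addressing.
ip routing
!
! Keep the STP root where the HSRP active router is, so traffic does not
! hairpin across the trunk to reach the gateway.
spanning-tree vlan 10 root primary
!
interface Vlan10
 description Data gateway (virtual IP 10.0.10.1 shared with SW2)
 ip address 10.0.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
 ! Authenticate hellos so a host on VLAN 10 cannot inject a higher-priority
 ! HSRP speaker and take over the gateway address.
 standby 10 authentication md5 key-string Hsrp-Example-K3y
 ! Fail over if the uplink to the firewall (assumed Gi1/0/1) goes down,
 ! dropping below SW2's priority of 100.
 standby 10 track GigabitEthernet1/0/1 20
!
! SW2 - standby gateway for VLAN 10.
ip routing
!
spanning-tree vlan 10 root secondary
!
interface Vlan10
 description Data gateway (standby for 10.0.10.1)
 ip address 10.0.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string Hsrp-Example-K3y
```

`show standby brief` on each switch should report one side Active and the other Standby for group 10; if both show Active, the trunk between them is not carrying VLAN 10 or the key strings do not match.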
 
LVL 1

Author Comment

by:leblanc
ID: 39879844
Thanks. I will take a closer look at this.
0
