Solved

VLAN multiple sites

Posted on 2014-10-28
Last Modified: 2015-07-13
I have two buildings (A&B), each with three WAN connections:
microwave bridge between only Bldgs A & B
DIA circuit at Bldgs A & B
WAN (switched ethernet) between Bldgs A, B, C, D, E,...

I want to attack connectivity with the radio bridge, but need to look forward so I won't have to reconfigure when the other WAN links are lit up.

Current:
Radio A (10.3.4.10) in a VLAN 4 of Bldg A
VLAN 4 has virtual IP of 10.3.4.1 on Cores in Bldg A
Radio B (10.3.4.11) direct connected to X1 (WAN) port of B-Sonicwall in Bldg B
Bldg B is a flat network 10.5.5.0/24
B-Sonicwall X0 (LAN) is 10.5.5.254
B-Sonicwall X1 (WAN) is 10.3.4.14
Bldg B has default route to 10.5.5.254 (B-Sonicwall X0)
B-Sonicwall has default route to 10.3.4.1 (virt.IP in Bldg A VLAN 4)

Everything is working...basically all traffic that is not in the broadcast domain for 10.5.5.0/24 is routed to the B-Sonicwall.  Hops from Radio B to Radio A, then lands in VLAN 4 as traffic from 10.3.4.14 (B-Sonicwall X1 WAN interface).

All traffic comes from Bldg B to Bldg A as routed traffic over the single IP 10.3.4.14 (B-Sonicwall X1 WAN).

[attached image: bridge-01]
I want to convert this radio bridge into a trunk so that:
traffic will have the true source IP, not routed through a single IP
voice will stay in a specific VLAN back to Bldg A PBX system

Future considerations:
fiber WAN to multi-site will be the primary path between all remote sites
user internet traffic always flow through Bldg A for content filtering

Trunk radios on A-3750x & B-3750g (bypassing the B-Sonicwall).
Copy Bldg A VLANs onto the switches in Bldg B.
Create a new VLAN 5 for Bldg B's devices on _both_ Bldg A & B switches.
Assign VLANs to the ports in Bldg B
Remove IP from B-Sonicwall X1 WAN port (prep for new DIA).
Default route for VLAN 5 is 10.3.4.1 (virt.IP on A-cores)

[attached image: bridge-02]
Question by:aleghart
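The six-step plan in the question, written out as an added IOS-style configuration example (not configuration from the original post or from any of the commenters). Interface numbers, VLAN names, the voice VLAN ID 100 and the unused native VLAN 999 are assumptions; the .1/.2/.3 HSRP addressing follows the pattern aleghart describes for the existing A-core VLANs, and the VLAN 5 gateway is an HSRP address inside 10.5.5.0/24 on the A-cores (10.3.4.1 belongs to VLAN 4's subnet and cannot be VLAN 5's gateway, the point pergr makes below).

```cisco
! Added example, not from the thread: trunk the radio bridge, extend the Bldg A
! VLANs to Bldg B over it, and add VLAN 5 for Bldg B devices on both sides.
! Assumed: Gi1/0/24 faces the radio on both switches, voice VLAN 100,
! unused native VLAN 999, Gi1/0/1-20 are user ports in Bldg B.

!==== A-core1 (A-core2 identical except 10.5.5.3 and a lower HSRP priority) ====
vlan 5
 name BLDG-B-DATA
!
interface Vlan5
 ip address 10.5.5.2 255.255.255.0
 standby 5 ip 10.5.5.1
 standby 5 priority 110
 standby 5 preempt
!
! VLAN 4 (radio management) already exists with 10.3.4.1 as its HSRP address.

!==== A-3750x: port facing Radio A ====
interface GigabitEthernet1/0/24
 description Radio A -> Bldg B
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 4,5,100
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root

!==== B-3750g ====
vlan 4
 name RADIO-MGMT
vlan 5
 name BLDG-B-DATA
vlan 100
 name VOICE
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/24
 description Radio B -> Bldg A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 4,5,100
 switchport mode trunk
 switchport nonegotiate
!
! User ports: data untagged on VLAN 5, phones tagged on VLAN 100
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 5
 switchport voice vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management address of the B switch itself, in the Bldg B subnet;
! the switch stays Layer 2 and the A-cores do the routing.
interface Vlan5
 ip address 10.5.5.253 255.255.255.0
ip default-gateway 10.5.5.1
```

Two checks before cut-over: prune the trunk's allowed list to exactly the VLANs Bldg B needs (once trunked, the radio is a path into every VLAN it carries), and move the Bldg B hosts' default gateway from the SonicWall's 10.5.5.254 to the new HSRP address (DHCP scope or static settings), which is part of the work behind question 4. If the radios can only be managed untagged, set the native VLAN to 4 instead of 999, as pergr suggests, and keep the allowed list pruned just the same.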
 
Expert Comment
by:Akinsd
ID: 40410049
I think your model is pretty much set and solid.
I couldn't figure out the question
Author Comment
by:aleghart
ID: 40410062
Sorry, Akinsd, I edited the original Q a couple of times and messed up the actual Question at the end:

My Questions:

1.

Will these steps get me connected at Layer 2 so my content filter in Bldg A can see all of the proper source IP addresses?

2.

How do I take care of inter-VLAN routing...or do I need to?

3.

What am I missing (now or for future)?

4.

Am I right to expect a couple of hours downtime at Bldg B?

Trunk radios on A-3750x & B-3750g (bypassing the B-Sonicwall).
Copy Bldg A VLANs onto the switches in Bldg B.
Create a new VLAN 5 for Bldg B's devices on _both_ Bldg A & B switches.
Assign VLANs to the ports in Bldg B
Remove IP from B-Sonicwall X1 WAN port (prep for new DIA).
Default route for VLAN 5 is 10.3.4.1 (virt.IP on A-cores)
Assisted Solution
by:pergr
pergr earned 500 total points
ID: 40410124
I believe that VLAN 5 is for 10.5.5.0/24, which would mean that the default route in VLAN5 is 10.5.5.x.

The management of the radio links will stay in VLAN 4. Possibly that is something you will need to configure on the radio units. Alternatively, perhaps you can keep VLAN 4 as "untagged" for the radio links, so that remote management of the units comes untagged. That would possibly mean that on the 3750 units, the native vlan for these ports is vlan 4.

Default route in VLAN 4 is 10.3.4.1.

The core switches will automatically route between the vlans.

It is not clear how the two core switches are set up now to handle redundancy, loop avoidance, etc., but whatever works for the existing VLANs will work also for the additional vlans.
Author Comment
by:aleghart
ID: 40410137
The A-cores have been running for a couple of years as-is, with HSRP and virtual IP addresses for each VLAN:  .1 virtual IP for VLAN,   .2 for core1,   .3 for core2

For VLAN 5 (and 6, 7, 8...) which will reside primarily at Bldg B, do I need to worry about assigning an IP address for the VLANs on A-core1 and A-core2?
Accepted Solution
by:pergr
ID: 40410141
Yes, your core switches are where you route between vlans - so if you want to route between vlans you should configure the VLANs there, including giving them IP addresses. Essentially, without an IP address on the VLAN there is no intervlan routing.

In theory, you can also route between the vlans of building B on the 3750 you have in building B. That would mean putting the IP address that is the default gateway in each vlan on that 3750. Then it will route between those vlans. However, in order to make those networks reachable from the core switches, you would then have to configure static routes on the core switches - with the next-hop being an IP address on the building-B 3750, in a vlan that is available on the core switches.
Author Comment
by:aleghart
ID: 40410674
I think i'll put VLAN 5 on the B-3750g in Bldg B.
Will that allow me to create 2 routes on A-cores?  One via the radio bridge, and one in the future via the new fiber WAN?
Assisted Solution
by:pergr
ID: 40410699
Once you have redundant links, you need to decide what protocol you use for loop avoidance.
If you want a VLAN trunking to have redundancy, then you will want to run some sort of spanning-tree, or redundant-uplink feature.

Now your 3750 has two uplinks - one to each core switch - which means you use either spanning-tree or redundant-uplink feature already. (If I remember correctly Cisco calls it flex-link, or something like that.)

If you have some sort of trunking redundancy (L2 redundancy) then a single route would be enough also when you get the fiber link. You would set your spanning tree to prefer the fiber link.

Now, if you want to keep all VLAN local in building B, then you could create a new VLAN (or use VLAN 4) only for "transit" to building B. Then you could add another VLAN (say 44) via the fiber link. These two VLAN would use different subnets, and so different IP on the building B 3750. In that case, you could have two static routes to those two IP - with a preference for the fiber link.

(Remember that the building B 3750 also needs a default route back to the core switches - but you may already have that for remote management.)
Author Comment
by:aleghart
ID: 40410764
OK.  Uplinks to the A-cores from A-3750x are port channel.   I can't do that with the radio bridge and the new fiber WAN.  The WAN is switched Ethernet from a carrier that will be giving a Layer 2 link between multiple sites, not just Bldgs A & B.

STP with preference to the fiber WAN should work, right?  Actually, we can do some tests later...I might have more bandwidth on this radio bridge (750Mbps) than the fiber WAN, which will be carrying traffic from a half dozen other sites at the same time.

For STP to work, however, I'll have to let the radios drop their Gig ports if the signal gets too weak.  Otherwise, the switch thinks the bridge is still working because the NIC is up/up.  We just had that at another site...NIC is working, but radio link was weak/broken.  Traffic wouldn't move to the other path until we shutdown the ports manually.

If I tell the radios to shutdown their data NIC upon loss of signal, I still have a management port that I can connect to.  On the switch side, do I treat this management port as a normal access port on VLAN 4?  That way, data doesn't come pouring through the port, thinking it's a trunk for all the VLANs to use.

If I lose the radio link, the management IP for Radio B is in VLAN 4's subnet.  But on Bldg B, I no longer have a path to A-cores to handle the inter-VLAN routing.

Can I still reach the Radio B management interface from Bldg B?  Or will I have to plug something into a same VLAN port over there?
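The routed alternative pergr sketches above (Bldg B VLANs stay local on the B-3750g, one transit VLAN per path, two static routes with the fiber preferred), combined with a fix for the problem raised in the comment just above: a radio whose Ethernet port stays up/up after the RF link dies. This is an added example, not configuration from the thread. Assumptions: the B-3750g runs an image with ip routing and IP SLA (12.2(33)SE-style command names), 10.3.4.15 and 10.3.44.15 are free addresses for the B-3750g in the existing radio transit VLAN 4 and a new fiber transit VLAN 44 (10.3.44.0/24), 10.3.44.1 is an HSRP address on the A-cores for VLAN 44, and Bldg B hosts use 10.5.5.1 on the B-3750g as their gateway.

```cisco
! Added example, not from the thread: Bldg B routed locally on the B-3750g,
! radio and fiber as separate transit VLANs, and a tracked floating static
! route so the radio path is withdrawn when the probe fails even though the
! switch still sees the radio port as up/up.
! Assumed: VLAN 44 / 10.3.44.0/24 for the fiber path, 10.3.4.15 and 10.3.44.15
! on the B-3750g, 10.3.44.1 on the A-cores, Gi1/0/24 faces Radio B.

!==== B-3750g ====
ip routing
!
vlan 4
 name TRANSIT-RADIO
vlan 5
 name BLDG-B-DATA
vlan 44
 name TRANSIT-FIBER
!
interface Vlan5
 description Bldg B users (hosts use 10.5.5.1 as gateway)
 ip address 10.5.5.1 255.255.255.0
!
interface Vlan4
 description transit via radio bridge
 ip address 10.3.4.15 255.255.255.0
!
interface Vlan44
 description transit via fiber WAN
 ip address 10.3.44.15 255.255.255.0
!
interface GigabitEthernet1/0/24
 description Radio B -> Bldg A (only the transit VLAN crosses the radio)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4
 switchport mode trunk
 switchport nonegotiate
! (fiber-facing port, carrying VLAN 44 only, not shown)
!
! Probe the A side across the radio every 5 s; track 1 goes down when it fails.
ip sla 1
 icmp-echo 10.3.4.1 source-ip 10.3.4.15
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Prefer fiber (default AD 1); radio is the backup (AD 10) and only while the
! probe succeeds.
ip route 0.0.0.0 0.0.0.0 10.3.44.1
ip route 0.0.0.0 0.0.0.0 10.3.4.1 10 track 1

!==== A-core1 (mirror on A-core2 with its own VLAN 4 address) ====
ip sla 1
 icmp-echo 10.3.4.15 source-ip 10.3.4.2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip route 10.5.5.0 255.255.255.0 10.3.44.15
ip route 10.5.5.0 255.255.255.0 10.3.4.15 10 track 1
```

Because the backup route is tied to the probe rather than to interface state, the radio path is withdrawn within a few probe intervals regardless of what the NIC reports; swap the administrative distances if tests show the radio has more headroom than the shared fiber. It also bears on the management question above: with VLAN 4 routed on the B-3750g, a Bldg B host reaches Radio B at 10.3.4.11 through the B-3750g without crossing the link, provided Radio B's own default gateway is set to 10.3.4.15 rather than 10.3.4.1 so its replies do not try to go over the dead link.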
Expert Comment
by:pergr
ID: 40410805
You need to figure out what the "layer 2 link between multiple sites" is. It could be either VPLS or several point to point pseudowires.

If it is VPLS, the service provider's network learns MAC addresses, and effectively works as a switch. If it is pseudowires, the service provider's network does not learn MACs, and is effectively a number of cables. It makes a difference when implementing redundancy with the radio link.

Personally I would prefer using a routing protocol for redundancy (like OSPF or BGP), assuming all your switches can run that. It does mean you do not get VLAN across sites, but it is typically not necessary. Also, with OSPF, if you add a new VLAN+subnet in one site, then automatically the core site (and all other sites) learn that route via OSPF. Very useful...

What are the core switches?
If you do LAG on the 3750, there is some sort of multi-chassis LAG on the core switches..., or VSS, etc.
Author Comment
by:aleghart
ID: 40410839
Layer 2 between sites will be switched Ethernet.  Each site claims one IP in a /24 subnet, then publishes routes via EIGRP.  The other sites pick up these routes to that single IP.  A few (that don't need to be published to all) are added manually as-needed.

Most of the inter-site routes are learned, not entered statically.

The cores at Bldg A and B will be a pair of 3850X on one side.  The other will be a pair of Nexus 5K.
Expert Comment
by:pergr
ID: 40410867
So if you route on the layer-2 service, you will not use STP.

I do advise you to go for OSPF instead of EIGRP though.
With EIGRP you are locked to using Cisco devices only - and there is better stuff around...
Author Comment
by:aleghart
ID: 40410946
With hundreds of Cisco devices, several dozen in-production routes, and 24/7 operations at all sites, we're not going to sneak in one piece of non-Cisco gear without a lot of meetings, emails...

There are some powerful solutions out there.  I had a Vyatta switch for $2.5K that would let me handle BGP for a full /24 on two ISPs...much cheaper than Cisco.

Too bad Brocade is trying to kill it off.
Author Closing Comment
by:aleghart
ID: 40880221
Thanks for all the help.