VLAN multiple sites

I have two buildings (A&B), each with three WAN connections:
microwave bridge between only Bldgs A & B
DIA circuit at Bldgs A & B
WAN (switched ethernet) between Bldgs A, B, C, D, E,...

I want to attack connectivity with the radio bridge, but need to look forward so I won't have to reconfigure when the other WAN links are lit up.

Radio A ( in a VLAN 4 of Bldg A
VLAN 4 has virtual IP of on Cores in Bldg A
Radio B ( direct connected to X1 (WAN) port of B-Sonicwall in Bldg B
Bldg B is a flat network
B-Sonicwall X0 (LAN) is
B-Sonicwall X1 (WAN) is
Bldg B has default route to (B-Sonicwall X0)
B-Sonicwall has default route to (virt.IP in Bldg A VLAN 4)

Everything is working...basically all traffic that is not in the broadcast domain for is routed to the B-Sonicwall.  Hops from Radio B to Radio A, then lands in VLAN 4 as traffic from (B-Sonicwall X1 WAN interface).

All traffic comes from Bldg B to Bldg A as routed traffic over the single IP (B-Sonicwall X1 WAN).

I want to convert this radio bridge into a trunk so that:
traffic will have the true source IP, not routed through a single IP
voice will stay in a specific VLAN back to Bldg A PBX system

Future considerations:
fiber WAN to multi-site will be the primary path between all remote sites
user internet traffic always flow through Bldg A for content filtering

Trunk radios on A-3750x & B-3750g (bypassing the B-Sonicwall).
Copy Bldg A VLANs onto the switches in Bldg B.
Create a new VLAN 5 for Bldg B's devices on _both_ Bldg A & B switches.
Assign VLANs to the ports in Bldg B
Remove IP from B-Sonicwall X1 WAN port (prep for new DIA).
Default route for VLAN 5 is (virt.IP on A-cores)

AkinsdNetwork AdministratorCommented:
I think your model is pretty much set and solid.
I couldn't figure out the question
aleghartAuthor Commented:
Sorry, Akinsd, I edited the original Q a couple of times and messed up the actual Question at the end:

My Questions:
Will these steps get me connected at Layer 2 so my content filter in Bldg A can see all of the proper source IP addresses?
How do I take care of inter-VLAN routing...or do I need to?
What am I missing (now or for future)?
Am I right to expect a couple of hours downtime at Bldg B?

Trunk radios on A-3750x & B-3750g (bypassing the B-Sonicwall).
Copy Bldg A VLANs onto the switches in Bldg B.
Create a new VLAN 5 for Bldg B's devices on _both_ Bldg A & B switches.
Assign VLANs to the ports in Bldg B
Remove IP from B-Sonicwall X1 WAN port (prep for new DIA).
Default route for VLAN 5 is (virt.IP on A-cores)
I believe that VLAN 5 is for, which would mean that the default route in VLAN5 is 10.5.5.x.

The management of the radio links will stay in VLAN 4. Possibly that is something you will need to configure on the radio units. Alternatively, perhaps you can keep VLAN 4 as "untagged" for the radio links, so that remote management of the units comes untagged. That would possibly mean that on the 3750 units, the native vlan for these ports is vlan 4.

Default route in VLAN 4 is

The core switches will automatically route between the vlans.

It is not clear how the two core switches are set up now to handle redundancy, loop avoidance, etc., but whatever works for the existing VLANs will work also for the additional vlans.
aleghartAuthor Commented:
The A-cores have been running for a couple of years as-is, with HSRP and virtual IP addresses for each VLAN:  .1 virtual IP for VLAN,   .2 for core1,   .3 for core2

For VLAN 5 (and 6, 7, 8...) which will reside primarily at Bldg B, do I need to worry about assigning an IP address for the VLANs on A-core1 and A-core2?
Yes, your core switches are where you route between vlans - so if you want to route between vlans you should configure the VLANs there, including giving them IP addresses. Essentially, without an IP address on the VLAN there is no intervlan routing.

In theory, you can also route between the vlans of building B on the 3750 you have in building B. That would mean putting the IP address that is the default gateway in each vlan on that 3750. Then it will route between those vlans. However, in order to make those networks reachable from the core switches, you would then have to configure static routes on the core switches - with next-hop being an IP address on the building-b-3750, in a vlan that is available on the core switches.
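An added Cisco IOS sketch of the steps from the question (trunk the radios, copy the VLANs, create VLAN 5, assign ports, gateway at the A-cores); this is not configuration from the thread. It assumes the VLAN 5 subnet is 10.5.5.0/24 as the earlier reply implies, that VLAN 4 is 10.4.4.0/24 (the thread does not give it), that Gi1/0/24 faces the radio on each 3750, and the HSRP .1/.2/.3 pattern the author describes.

```cisco
! A-core1 (A-core2 is the same with 10.5.5.3 and a lower HSRP priority)
! Subnets and port numbers are assumed, not taken from the thread.
vlan 4
 name RadioMgmt
vlan 5
 name BldgB-Users
!
interface Vlan5
 ip address 10.5.5.2 255.255.255.0
 standby 5 ip 10.5.5.1
 standby 5 priority 110
 standby 5 preempt
!
! A-3750x: the port facing Radio A becomes an 802.1Q trunk. VLAN 4 is
! the native (untagged) VLAN so the radios' own untagged management
! frames land in VLAN 4; only the VLANs Bldg B needs are allowed.
interface GigabitEthernet1/0/24
 description Radio-A-bridge
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,5
 switchport mode trunk
!
! B-3750g: matching trunk toward Radio B, Bldg B devices as access
! ports in VLAN 5, and a VLAN 4 management address whose gateway is
! the VLAN 4 virtual IP on the A-cores (no routing on this switch).
vlan 4-5
!
interface GigabitEthernet1/0/24
 description Radio-B-bridge
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,5
 switchport mode trunk
!
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 5
!
interface Vlan4
 ip address 10.4.4.10 255.255.255.0
!
ip default-gateway 10.4.4.1
```

Bldg B hosts then use 10.5.5.1 (the HSRP virtual IP on the A-cores) as their gateway, so the content filter in Bldg A sees each host's own address rather than the Sonicwall's X1 IP.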

aleghartAuthor Commented:
I think i'll put VLAN 5 on the B-3750g in Bldg B.
Will that allow me to create 2 routes on A-cores?  One via the radio bridge, and one in the future via the new fiber WAN?
Once you have redundant links, you need to decide what protocol you use for loop avoidance.
If you want a VLAN trunking to have redundancy, then you will want to run some sort of spanning-tree, or redundant-uplink feature.

Now your 3750 has two uplinks - one to each core switch - which means you use either spanning-tree or redundant-uplink feature already. (If I remember correctly Cisco calls it flex-link, or something like that.)

If you have some sort of trunking redundancy (L2 redundancy) then a single route would be enough also when you get the fiber link. You would set your spanning tree to prefer the fiber link.

Now, if you want to keep all VLANs local in building B, then you could create a new VLAN (or use VLAN 4) only for "transit" to building B. Then you could add another VLAN (say 44) via the fiber link. These two VLANs would use different subnets, and so different IPs on the building B 3750. In that case, you could have two static routes to those two IPs - with a preference for the fiber link.

(Remember that the building B 3750 also needs a default route back to the core switches - but you may already have that for remote management.)
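The transit-VLAN design above, and the static routes on the cores mentioned in the earlier reply, as an added IOS sketch that is not from the thread. It assumes the VLAN 5 subnet is 10.5.5.0/24, invents the transit subnets 10.4.4.0/24 (radio, VLAN 4) and 10.44.44.0/24 (fiber, VLAN 44) with the HSRP .1 address on the A-cores and .10 on the B-3750g, and ties each core route to an IP SLA probe rather than to interface state.

```cisco
! B-3750g becomes the router for Bldg B's VLANs: it owns the VLAN 5
! gateway and has one transit VLAN per uplink (4 = radio, 44 = fiber).
! All addresses and VLAN 44 itself are assumed, not from the thread.
ip routing
vlan 4,5,44
interface Vlan5
 ip address 10.5.5.1 255.255.255.0
interface Vlan4
 ip address 10.4.4.10 255.255.255.0
interface Vlan44
 ip address 10.44.44.10 255.255.255.0
!
! Default route back to the cores: fiber first (AD 1), radio as a
! floating backup (AD 10). Apply the same SLA tracking shown below for
! the cores here too, since a carrier-side failure leaves the port up.
ip route 0.0.0.0 0.0.0.0 10.44.44.1
ip route 0.0.0.0 0.0.0.0 10.4.4.1 10
!
! A-cores: reach 10.5.5.0/24 via either transit VLAN. A plain static
! route stays installed while its next-hop interface is up, and the
! radios' Ethernet ports stay up/up with a dead RF link, so each route
! is withdrawn when a probe of the far-end transit address fails.
ip sla 1
 icmp-echo 10.44.44.10 source-interface Vlan44
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.4.4.10 source-interface Vlan4
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
ip route 10.5.5.0 255.255.255.0 10.44.44.10 track 1
ip route 10.5.5.0 255.255.255.0 10.4.4.10 10 track 2
```

Check the result with show ip route 10.5.5.0 and show track on a core: with both probes passing only the fiber next hop is installed, and the radio route appears only after track 1 goes down.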
aleghartAuthor Commented:
OK.  Uplinks to the A-cores from A-3750x are port channel.   I can't do that with the radio bridge and the new fiber WAN.  The WAN is switched Ethernet from a carrier that will be giving a Layer 2 link between multiple sites, not just Bldgs A & B.

STP with preference to the fiber WAN should work, right?  Actually, we can do some tests later...I might have more bandwidth on this radio bridge (750Mbps) than the fiber WAN, which will be carrying traffic from a half dozen other sites at the same time.

For STP to work, however, I'll have to let the radios drop their Gig ports if the signal gets too weak.  Otherwise, the switch thinks the bridge is still working because the NIC is up/up.  We just had that at another site...NIC is working, but radio link was weak/broken.  Traffic wouldn't move to the other path until we shutdown the ports manually.

If I tell the radios to shutdown their data NIC upon loss of signal, I still have a management port that I can connect to.  On the switch side, do I treat this management port as a normal access port on VLAN 4?  That way, data doesn't come pouring through the port, thinking it's a trunk for all the VLANs to use.

If I lose the radio link, the management IP for Radio B is in VLAN 4's subnet.  But on Bldg B, I no longer have a path to A-cores to handle the inter-VLAN routing.

Can I still reach the Radio B management interface from Bldg B?  Or will I have to plug something into a same VLAN port over there?
You need to figure out what the "layer 2 link between multiple sites" is. It could be either VPLS or several point to point pseudowires.

If it is VPLS, the service provider's network learns MAC addresses, and effectively works as a switch. If it is pseudowires, the service provider's network does not learn MACs, and is effectively a number of cables. It makes a difference when implementing redundancy with the radio link.

Personally I would prefer using a routing protocol for redundancy (like OSPF or BGP), assuming all your switches can run that. It does mean you do not get VLAN across sites, but it is typically not necessary. Also, with OSPF, if you add a new VLAN+subnet in one site, then automatically the core site (and all other sites) learn that route via OSPF. Very useful...

What are the core switches?
If you do LAG on the 3750, there is some sort of multi-chassis LAG on the core switches..., or VSS, etc.
aleghartAuthor Commented:
Layer 2 between sites will be switched Ethernet.  Each site claims one IP in a /24 subnet, then publishes routes via EIGRP.  The other sites pick up these routes to that single IP.  A few (that don't need to be published to all) are added manually as-needed.

Most of the inter-site routes are learned, not entered statically.

The cores at Bldg A and B will be a pair of 3850X on one side.  The other will be a pair of Nexus 5K.
So if you route on the layer-2 service, you will not use STP.

I do advise you to go for OSPF instead of EIGRP though.
With EIGRP you are locked to using Cisco devices only - and there is better stuff around...
aleghartAuthor Commented:
With hundreds of Cisco devices, several dozen in-production routes, and 24/7 operations at all sites, we're not going to sneak in one piece of non-Cisco gear without a lot of meetings, emails...

There are some powerful solutions out there.  I had a Vyatta switch for $2.5K that would let me handle BGP for a full /24 on two ISPs...much cheaper than Cisco.

Too bad Brocade is trying to kill it off.
aleghartAuthor Commented:
Thanks for all the help.