
VLAN Routing 4


Stevehewitt
Hi Guys,

Bit new to VLANs so please bear with me!
Sure this is a stupid question, but I've always thought of L3 devices as routers, and whilst I get the principle of VLANs, I don't quite get how the devices between VLANs communicate without a router between them when using port based VLANs.


I have a network of 172.16.0.0/16 at the moment, running over L3 ProCurve switches.

If I create a new VLAN with a single node on 192.168.0.0/24, then what would the default gateway be?

E.G. I have Server A on 192.168.0.1 (VLAN 10) and plugged into another port I have Server B on 172.16.0.1 (VLAN 20).

I also have a router off another port on 172.16.0.254 (VLAN 20) - however the router only goes off to the internet. (e.g. LAN is 172.16.0.254 plugged into my L3 switches, and the WAN is plugged into a leased line)

Server B (172.16.0.1 - VLAN 20) has a gateway that points to the router on the same subnet (172.16.0.254) so it can access the internet.

What if Server A (192.168.0.1) wants to access a resource on Server B (172.16.0.1)? Does Server A have a default gateway of the router on 172.16.0.254? But it's on a different subnet...?! Same if Server B wants to access something on Server A - server B will just pump it out to the default gateway being the router - but the router only has a route to the net and to its own 172.16.0.0/16 network...?!

Does this even make sense?! :)

Cheers in advance,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
The gateway should be the SVI IP address in the switch. The access port is tied to a vlan, and the vlan has an IP address configured. That is the IP address you use for the gateway of nodes that are in that vlan. The different subnets, or vlans, can communicate because they are directly connected with each other---they reside in the same switch, which routes them. A layer 3 switch should not be confused with a router, though they basically do the same thing. It's the vlans that make the biggest difference---there are very few routers that have multiple layer 2 switchports on which vlans can be configured and routed.

Burt
 
Cheers Burt - great response.

Can I double check something....

An SVI IP is essentially the IP for the VLAN set on the switch - no problem there I guess.

But what if you have say 3 L3 switches with the VLAN trunked between them. E.G. the VLAN had nodes on multiple L3 switches across the network with trunked/tagged connections between switches.

Would a single VLAN have a single IP, and thus I setup VLAN 10 on Switch 1 as having 192.168.0.1 as the IP, and then do the same on Switch 2? Wouldn't that then create duplicate IPs on the same subnet?

Thanks again for your help.

Cheers,



Steve.
 
In case this helps (anyone that replies or someone who reads this in the future with the same problem as me!) here's a graphical view of what I'm trying to get my head around:

[Network diagram: vlanhd0.jpg]



Two L3 switches, both physical switches running 4 VLANs on them. There is a 10gig CX4 link trunk between the switches.

My query is regarding the default gateway... If I give the LAN VLAN an IP on the first switch of 172.16.0.1, then I assume that the clients on the same VLAN use that as the default gateway?
If that's correct, then what do I do about the same VLAN on the second switch? Does it get a different IP (say 172.16.0.2)? If so, what does that mean for any client machines that are in the LAN VLAN but are physically plugged into the 2nd switch? Do they use 172.16.0.2 as their default gateway?

Hope this makes some sense!!

Cheers,


Steve.
 
"Would a single VLAN have a single IP, and thus I setup VLAN 10 on Switch 1 as having 192.168.0.1 as the IP, and then do the same on Switch 2? Wouldn't that then create duplicate IPs on the same subnet?"

No---I can show you an example in a Cisco L3 switch...or L2 with router-on-a-stick, for that matter. Let's do the L3...

! SVI for vlan 20: this address becomes the default gateway for hosts in vlan 20
interface vlan20
 ip address 10.10.10.1 255.255.255.0
 no shutdown

This is the IP address of the vlan. Then make access ports for the switchports...

! Access port: untagged frames on fa0/2 belong to vlan 20
interface fa0/2
 switchport access vlan 20
 no shutdown

and for all the rest of the switchports. Then the trunk...

! Trunk to the second switch. On switches that also support ISL, set the
! encapsulation first; "switchport mode trunk" is rejected while it is still "auto".
interface fa0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown

Since the info is trunked to a second switch, all that is needed would be to make an access switchport for vlan 20, and the rest of the info is trunked across. I have usually seen DTP and VTP configured, so that there is a VTP domain with a VTP server with all the main VLAN info on it, and it sends the vlan info via a trunk. DTP will dynamically negotiate ports to either be a trunk or not a trunk.

Finally, which some people miss (actually a question on one of the CCNP tests!), enable ip routing

ip routing

only for a L3 switch. This just tells the switch to route its own vlans.

"My query is regarding the default gateway... If I give the LAN vLAN an IP on the first switch of 172.16.0.1, then I assume that the clients on the same VLAN use that as the default gateway?"

Yes.

"If that's correct, then what do I do about the same vLAN on the second switch? Does it get a different IP (say 172.16.0.2)? If so, what does that mean for any client machine that are in the LAN vLAN but are physically plugged into the 2nd switch? Do they use 172.16.0.2 as their default gateway?"

Answered in the first part of this post---the second switch gets info from the trunk.

HTH

Burt
 
Mantra 1) One Subnet equals one VLAN. Never try to use two VLANs per subnet; it is rarely a good plan to have multiple subnets on one VLAN.

All members of a subnet should have the same default gateway, it is the path off that subnet for packets your routing protocol does not recognize. You might as well make that the L3 switch 'closest' to your ISP access.

I tried to remain child-like, all I achieved was childish.
 
Cheers for that again Burt - spot on.

One final quickie if I may..... On the two example switches above, one of the switches will have our actual router in it that routes out to the internet.

Should client nodes on the LAN vLAN have the VLAN IP as the default gateway or should it use the router...? Nothing from the LAN should need to go out onto any other VLAN, and presumably the switch/vlan won't know that the router will send packets out to the internet either...?

Or have I still not quite "got it" yet!?! :)

Thanks again for all of your help - I really appreciate it.

Cheers,



Steve.
 
The clients on the vlans will need to have the default gateway of the particular vlan they are in. Then on the core layer 3 have a static route configured using the ip of the router as the next hop. This will route any traffic not destined for your internal network out to the internet.
 
Cheers MrNick - think I've got it now! :)

Thanks again for your help

Steve.
 
I would put the router in a different subnet than any client machines. This may cause a routing loop otherwise...sort of...I think...

Burt
 
Burtsbees - I totally agree - the link to the router should be on a dedicated subnet. So create a new VLAN for "Internet", etc....

The reason this is important is that the remote router will be framing packets to your L3 switch for all VLANs EXCEPT to these devices on the router interface VLAN, to which the remote router will try to switch frames directly and be sending out ARP requests, etc....

This will bite you in the bum if you have any reason to add static ARP entries on your L3 device, because it won't occur to you that for some devices you would need the same ARP entry on the remote router, which presumably is managed by the WAN provider, making things difficult.
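Pulling the advice in this thread together, here is an added Cisco IOS configuration for the L3 switch that holds the internet router; it is not from any poster above. It shows one SVI per VLAN as the hosts' default gateway, ip routing enabled, a dedicated transit VLAN for the router link so no client sits on the router's subnet, and a static default route to the router. Hostname, interface names and all addresses are constructed for the example.

```cisco
! Hypothetical core L3 switch (constructed addresses, added example)
! One subnet per VLAN; the SVI address is the hosts' default gateway
hostname CORE1
!
ip routing
!
vlan 10
 name LAN
vlan 20
 name SERVERS
vlan 99
 name INTERNET-TRANSIT
!
interface Vlan10
 description LAN clients - default gateway 172.16.0.1
 ip address 172.16.0.1 255.255.0.0
 no shutdown
!
interface Vlan20
 description Servers - default gateway 192.168.0.254
 ip address 192.168.0.254 255.255.255.0
 no shutdown
!
! Dedicated /30 for the link to the internet router: no client hosts here,
! so the router only ever sees the switch as next hop and never ARPs for clients
interface Vlan99
 description Transit to internet router
 ip address 10.255.255.1 255.255.255.252
 no shutdown
!
interface GigabitEthernet1/0/1
 description Internet router LAN interface (10.255.255.2)
 switchport mode access
 switchport access vlan 99
!
interface GigabitEthernet1/0/2
 description Client in VLAN 10
 switchport mode access
 switchport access vlan 10
!
interface TenGigabitEthernet1/0/25
 description CX4 trunk to second L3 switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Anything not in a directly connected VLAN goes to the router
ip route 0.0.0.0 0.0.0.0 10.255.255.2
```

The internet router needs matching return routes (172.16.0.0/16 and 192.168.0.0/24 via 10.255.255.1) or NAT of those ranges, otherwise replies have no path back through the transit VLAN.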
 
I know this thread is old, and the questions have been answered but I'm dealing with a situation similar to this one, and was hoping there is someone who can give me a definitive answer.

The images above depict two switches physically separated, but have similar access ports.

- The default gateway for hosts on vlan LAN resides on the top switch

- The default gateway for hosts on vlan DMZ is on the bottom switch

- There are 2 servers plugged into the bottom switch, one on vlan LAN and one on vlan DMZ.

- In order for the server on vlan DMZ on the bottom switch to communicate with the server plugged into the bottom switch on vlan LAN, packets must go through the default gateway on the top switch - because that is where the SVI for the LAN vlan is configured.

This seems incredibly inefficient to me - Is there any way to allow the bottom switch to route traffic between the two servers without having to contact the top switch?

I'd be so very appreciative of any answers. I'd be happy to provide more info if necessary.
 
Not if it is a layer 2 switch. A layer 2 switch needs a routing device. If the switches in the picture are layer 3 switches, then they could route their own vlans, so the server in LAN could contact the server in DMZ without leaving the switch, if both servers are physically connected to the same switch. This is how most people do it.

If these were layer 2 switches, and both servers resided in different vlans in the same switch, they would have to go all the way to the router to communicate with each other, or a layer 3 device. This is indeed incredibly inefficient, which is a big reason layer 3 switches exist. I have my boss' network configured with router on a stick (Cisco 6505 with CatOS, SUP1s, so L2 only, trunked to a Cisco 2611). They have servers in different vlans that don't really need to talk to each other much---they just want the broadcast domain broken up.

Burt
 
Hello burtsbees - Thank you for responding!

I should have mentioned that the switches in my scenario are both layer 3 - Cisco 6509s running a hybrid OS.

*Quote* If the switches in the picture are layer 3 switches, then they could route their own vlans, so server in LAN could contact server in DMZ without leaving the switch, if both servers are physically connected to the same switch. *Quote*

How would I go about doing this? Can I have two routing interfaces/default gateways for the same vlan on two separate L3 switches? Switch 1: 10.1.1.1, Switch 2: 10.1.1.2, hosts 10.1.1.0/24 ... ?

Would I simply create the LAN vlan on the bottom switch and configure an IP - essentially creating a second default gateway for hosts on the same subnet? I'm having trouble remembering if this will work - wouldn't this have the potential to allow routing loops?

Or

Do I configure ports on the bottom switch to be layer 3 with addresses on the same subnet as the vlans they were using, and plug the servers connected to the LAN vlan into the layer 3 interfaces - then configure the server to use the switch's L3 interface as the default gateway?

Sorry for all the questions, I'm confused as you can see.

(We are using EIGRP to route vlans. SVIs/routing interfaces are configured on the 6509s to be the default gateway for hosts nearest to them currently.)
 