I have a question regarding our layer 3 ports. If we decide to run layer 3 ports between our access and distro switches, aren’t we kind of getting rid of our trunk interfaces if we decide to make them layer 3 ports? Are trunk interfaces still needed if everything will be using routing protocols?
From a best-standards perspective, if we are using all layer 3 switches on access, distro and core, would the best solution be something where we use layer 2 port channels on our access switches and span them to our distro switches for redundancy, or make the port-channels layer 3 and bundle them with our trunk interfaces and span them to our distro switches?
When you use L3 interfaces then yes, your VLANs/trunks are gone. We only use trunks to span VLANs over multiple switches.
If you create a routed design then between the routers/switches we don’t use VLANs anymore, it’s all routed. Take a look at this lesson, I added some simple examples for L2/L3 designs for the core/distribution/access layer setup:
Technically a design with L3 switches everywhere would be the best. VLANs will be restricted to a single access layer switch to get rid of trunks and spanning-tree. Routing protocols like OSPF or EIGRP have faster convergence and are more reliable than spanning-tree.
It might be a challenge though…all your traffic will be routed, so your applications need to support it. For example, a few years ago I ran into an issue with an Apple TV and iPad. It uses multicast for the Bonjour protocol with a TTL of 1, which means it’s unroutable…if you want to stream anything from the iPad to the Apple TV then it HAS to be in the same subnet.
Example: L3 switch ports 1-10 are configured with the SVI feature to do inter-VLAN routing. For the remaining ports I configure inter-VLAN routing on the router, but the layer 3 switch acts like a layer 2 switch. I do not disable ip routing.
Thanks for the articles. I have one question: when creating an L3 port (no switchport) from an L2 port, what is the internal VLAN that the switch creates automatically? As we know, if we create an L3 port then it will not belong to any VLAN.
Zaman,
By default, a Layer 3 port will automatically be assigned to a reserved range of “internal use” VLANs. Which specific VLANs are used depends on the internal allocation policy setting. There are two options:
#1 vlan internal allocation policy ascending
This setting starts with VLAN 1006 and goes up.
#2 vlan internal allocation policy descending
This setting starts with VLAN 4094 and goes down.
In general, try to avoid using manually defined VLANs close to VLAN 1006 or VLAN 4094 so you won’t have a conflict.
Could you please explain the trunk and access port functionalities in detail?
Will the trunk port allow access frames to pass through, or vice versa? Is it the same functionality with different VLANs and different subnets?
I had a production network where I wanted to implement exactly what you describe. The solution I used was access lists as you mentioned. It is probably the fastest and most immediate solution. However, there are a couple of other solutions that may be more flexible as well. These are described below:
VLAN access list - This is just an access list but it filters based on VLAN rather than IP. It is a layer 2 solution. An example configuration can be seen below:
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description VLan connected to Internet
ip address 10.0.2.1 255.255.255.252
!
interface Vlan10
description User VLAN
ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
description Server VLAN
ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
description Management VLAN
ip address 10.1.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.2
ip access-list standard INTERNET
permit any
ip access-list extended DENY-INTERNAL
permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
-----------------------------------------------------
vlan access-map MY-VLAN-MAP 10
action drop
match ip address DENY-INTERNAL
vlan access-map MY-VLAN-MAP 20
action forward
match ip address INTERNET
vlan filter MY-VLAN-MAP vlan-list 10-30
-------------------------------------------------------
In this example, users on the three VLANs can access ONLY VLAN 2 to connect to the internet; however, any attempt at inter-VLAN connectivity will be dropped. So inter-VLAN routing is essentially blocked for VLANs 10, 20 and 30.
The other option, which is a layer 3 solution, is the use of policy based routing. An example can be seen below:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
route-map vlan500 permit 10
match ip address 100
set ip next-hop 10.170.10.10
route-map vlan600 permit 10
match ip address 110
set ip next-hop 10.170.10.10
interface vlan 500
ip address 192.168.1.1 255.255.255.0
ip policy route-map vlan500
interface vlan 600
ip address 172.16.1.1 255.255.255.0
ip policy route-map vlan600
This is probably the most flexible of the above solutions because you can configure it per range of IP addresses. Your access lists can be more specific to include specific hosts within a subnet/VLAN so that some hosts will have access to specific VLANs and others won’t.
Do two different VLANs always have different subnets? Can’t we create two different VLANs on the same network?
I am referring to your text at the top of the lesson: “SwitchA has two VLANs so we have two different subnets.”
Prem,
In most cases, there is a one-to-one relationship between VLANs and subnets. However, this is not always so. For example, in a shared hosting environment, it is common for multiple customers to be using the same network on the same provider’s equipment. In this case, in order to keep the traffic separated, the provider must use something called Private VLANs. Private VLANs can use the same subnet but spread across different VLANs.
Thank you for the example. I have some questions about it:
1- For the VLAN access-list, DENY-INTERNAL access-list, why do you use 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255? Because it also blocked internet (VLAN 2) traffic. I think it should be 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 to prevent communication between VLANs 10, 20, 30. Could you explain?
2- In the policy based routing example, what is 10.170.10.10, is it the gateway for internet traffic? By this config do you force VLANs 500 and 600 to connect to the internet and block inter-VLAN traffic?
3- Could you give an access-list solution?
Yes, you are correct. The access-list should be 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 in order to cover VLANs 10, 20 and 30. Thank you!
10.170.10.10 is the gateway IP. This config essentially blocks the routing from one VLAN to the other by forcing all traffic to be routed via the 10.170.10.10 router rather than going to the corresponding SVI. So a ping from 192.168.1.5 to 172.16.1.5 would not be routed from one SVI to another, but it would be routed to 10.170.10.10. From there, whatever routing is configured on that device would define what happens to such packets after that…
Let’s say you have two SVIs configured on a layer 3 switch: VLAN 10 and VLAN 20 with IP addresses 10.10.10.1 and 10.10.20.1 respectively. Host A with an IP address of 10.10.10.5 wants to communicate with host B with an IP address of 10.10.20.5. InterVLAN routing will allow this communication.
To block it, you can create the following access list and assign it to one of the SVIs:
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip any any
This blocks all traffic from VLAN 10 to VLAN 20. You can either place it as an outgoing access list on SVI VLAN 10 or as an incoming access list on SVI VLAN 20. Being an extended access list, it should always be placed closer to the source, so the following should be configured:
interface vlan 10
ip access-group 101 in
Any packets originating from VLAN 10 will now be blocked at the default gateway of VLAN 10, which is the corresponding SVI (10.10.10.1). Thus, inter-VLAN routing is not functional.
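The VLAN access-map posted earlier, its corrected DENY-INTERNAL entry, and access list 101 from this answer, evaluated against a few constructed flows. This is an added illustration, not code from the original posts; it assumes the usual Cisco rules that a wildcard bit of 1 means "don't care", that an access-map sequence matches only when its ACL permits the packet (with an implicit drop when no sequence matches), and it widens the standard ACL's `permit any` to a source/destination `any any`.

```python
"""Simulate Cisco wildcard-mask ACL and VLAN access-map evaluation (constructed example)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' expressed as a network/wildcard pair


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """Extended ACL as a list of (action, (src_net, src_wc), (dst_net, dst_wc)).
    First matching entry wins; an implicit deny follows the last entry."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def vacl_action(access_map, src: str, dst: str) -> str:
    """VLAN access-map: sequences are tried in order; a sequence matches only when its
    'match ip address' ACL permits the packet. No matching sequence means an implicit drop."""
    for action, acl in access_map:
        if acl_permits(acl, src, dst):
            return action
    return "drop"


# DENY-INTERNAL as originally posted in the thread, and as corrected in the follow-up answer.
DENY_INTERNAL_ORIGINAL = [("permit", ("10.0.0.0", "0.0.255.255"), ("10.0.0.0", "0.0.255.255"))]
DENY_INTERNAL_FIXED = [("permit", ("10.1.0.0", "0.0.255.255"), ("10.1.0.0", "0.0.255.255"))]
INTERNET = [("permit", ANY, ANY)]  # the standard ACL's 'permit any', widened to src/dst (assumption)


def my_vlan_map(deny_internal):
    """MY-VLAN-MAP: sequence 10 drops whatever DENY-INTERNAL permits, sequence 20 forwards the rest."""
    return [("drop", deny_internal), ("forward", INTERNET)]


# Access list 101 from the SVI answer: deny VLAN 10 -> VLAN 20, permit everything else.
ACL_101 = [
    ("deny", ("10.10.10.0", "0.0.0.255"), ("10.10.20.0", "0.0.0.255")),
    ("permit", ANY, ANY),
]

if __name__ == "__main__":
    fixed = my_vlan_map(DENY_INTERNAL_FIXED)
    print(vacl_action(fixed, "10.1.10.5", "10.1.20.5"))  # drop: user VLAN -> server VLAN
    print(vacl_action(fixed, "10.1.10.5", "10.0.2.2"))   # forward: user VLAN -> internet next hop
    # The original 10.0.0.0 0.0.255.255 pair never matches 10.1.x.x, so sequence 10 never fires:
    print(vacl_action(my_vlan_map(DENY_INTERNAL_ORIGINAL), "10.1.10.5", "10.1.20.5"))  # forward
    print(acl_permits(ACL_101, "10.10.10.5", "10.10.20.5"))    # False
    print(acl_permits(ACL_101, "10.10.10.5", "203.0.113.10"))  # True
```

The third print is the point of the correction in the thread: a wildcard that does not cover the user subnets fails open, so inter-VLAN traffic is forwarded instead of dropped.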
This is of great interest to me, as it’s something that keeps nagging at me that I want to make 100% sense of. I will soon study private VLANs on the issue of sharing subnets on a VLAN.
There is a variation of this question though that I have great interest in. Rene uses an example where he has two switches and each one has an SVI with the same subnet for the same VLAN, but on different switches.
So four switches, all four are in the same subnet, and let’s just say they are in VLAN 10.
I think I have been coming at this all wrong. When I thought of an SVI I thought about the default gateway when we gave it an IP, but that does not seem to be the case???
It now seems that it has nothing to do with the default gateway. In fact the default gateway could be different and would depend on the specific device if done manually, or if done through DHCP, that would delegate the default gateway.
So if I had four different PCs, each one could, if manually configured, have a different default gateway, which makes sense when you think about what a default gateway’s job is in regard to a specific device.
Am I thinking about this correctly? Meaning, an SVI is simply a mechanism to allow inter-VLAN routing on that switch.
So if I have an SVI on a switch with the 192.168.1.0 subnet for VLAN 10, and on that switch I also have VLANs 20, 30, and 40 and they all have an SVI interface, then that switch will allow all the traffic from those VLANs and their different subnets to communicate.
However, an SVI does not mean it’s a default gateway; it only means it could be. Its real purpose is just inter-VLAN routing.
I hope I am understanding this, and I think I am now, just wanted to clarify.
Please allow me to step in and participate, as this is an issue that I had trouble visualising and understanding. I hope I can be of some help. For the most part, you’ve got it; maybe I can make things a little bit clearer for you.
It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the 192.168.1.0/24 subnet. In the same way, you can place multiple routers on the same subnet and have them function as multiple possible default gateways. The concept is the same.
Yes, that is correct.
Keep in mind that:
An SVI can be thought of as a (virtual) layer three interface that resides on a VLAN.
It can be used for several purposes, one of which is to function as a default gateway for inter-VLAN routing, so devices on that specific VLAN will be able to communicate with other subnets, either on or off of the specific layer three switch.
It can also be used as an interface to configure the switch itself, either via telnet/ssh or via http.
Yes, that is absolutely right!
Keep in mind that inter-VLAN routing is still routing, and as such, it still requires a default gateway, so in this sense, an SVI will function as a default gateway.