kracksmith
join:2004-07-14
Fullerton, CA

kracksmith

Member

[Config] 4500 inter-vlan routing

I know this switch does L3 routing, but can somebody explain how it technically works?
So if VLAN1 has subnet 172.16.1.0 and VLAN2 has subnet 172.16.2.0, for them to communicate internally on this L3 switch, how does inter-VLAN routing work? Also, I don't believe I need to configure anything special, as it should work automatically?

What if I don't want a specific VLAN to talk to another VLAN? Then use an access list and put a policy in place?
Bink
Villains... knock off all that evil
join:2006-05-14
Colorado

Bink

Member

said by kracksmith:

So if VLAN1 has subnet 172.16.1.0 and VLAN2 has subnet 172.16.2.0, for them to communicate internally on this L3 switch, how does inter-VLAN routing work?

It functions like a simple router—and will pass traffic between the VLANs. For example, if one host has an IP of 172.16.1.1/24 and a default gateway of 172.16.1.254, which is the IP of interface vlan1 of this L3 switch—and another host has an IP of 172.16.2.1/24 and a default gateway of 172.16.2.254, which is the IP of interface vlan2 of this L3 switch, the L3 switch will route traffic between the two hosts.
said by kracksmith:

Also, I don't believe I need to configure anything special, as it should work automatically?

You might just need to add “ip routing” to the configuration.
said by kracksmith:

What if I don't want a specific VLAN to talk to another VLAN? Then use an access list and put a policy in place?

Correct.
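A worked configuration for the setup Bink describes, as an added example that is not part of the original thread or any poster's config. The addresses follow Bink's post; the ACL names VLAN2-IN and VLAN1-IN, and the policy of keeping VLAN 2 away from VLAN 1, are assumptions made for illustration.

```cisco
! Added example, not from the thread. Assumed: VLAN 1 = 172.16.1.0/24 (gateway .254),
! VLAN 2 = 172.16.2.0/24 (gateway .254), as in Bink's post.
ip routing
!
interface Vlan1
 ip address 172.16.1.254 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.254 255.255.255.0
!
! Policy: VLAN 2 may not reach VLAN 1; everything else VLAN 2 sends is routed.
! Applied inbound on the SVI of the VLAN the traffic originates from, so the
! decision is made before the packet is routed anywhere.
ip access-list extended VLAN2-IN
 remark block VLAN2 -> VLAN1, permit the rest
 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip any any
!
interface Vlan2
 ip access-group VLAN2-IN in
!
! This alone is one-directional. Packets from VLAN 1 to VLAN 2 are still routed;
! only the replies (VLAN 2 -> VLAN 1) are dropped, so a TCP session from VLAN 1
! never completes, but one-way UDP from VLAN 1 is delivered. If no packet may
! cross in either direction, mirror the deny on the VLAN 1 SVI:
ip access-list extended VLAN1-IN
 remark block VLAN1 -> VLAN2, permit the rest
 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip any any
!
interface Vlan1
 ip access-group VLAN1-IN in
!
! Verify: the deny line's match counter increments when a VLAN 2 host pings VLAN 1
! show ip access-lists VLAN2-IN
! show ip interface Vlan2 | include access list
```

The ACL is stateless: it matches on addresses only, so it does not track sessions the way a firewall does. That is why the second ACL is needed when the intent is "no traffic at all between the two", and why a later post's point about ACLs not separating the routing table still stands: both VLANs remain in one routing table, and the only thing keeping them apart is the ACL being present and correct on every SVI.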

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo to kracksmith

Premium Member

said by kracksmith:

What if I don't want a specific VLAN to talk to another VLAN? Then use an access list and put a policy in place?

Switch SVIs work a little differently than hardware routed interfaces. The best bet would be to put each SVI in a separate VRF if you don't want them talking.

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid to kracksmith

Member

VRF???? You've gotta be kidding me????

Private VLAN is the answer...
kracksmith
join:2004-07-14
Fullerton, CA

kracksmith to Bink

Member

OK, got it. Then how does DHCP work if all departments have their own subnet? Manually static everybody?
elnino
join:2006-08-27
Akron, OH

elnino

Member

said by kracksmith:

OK, got it. Then how does DHCP work if all departments have their own subnet? Manually static everybody?

You would use the "ip helper-address" command to forward DHCP requests, e.g. ip helper-address 172.16.1.20
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to kracksmith

MVM

In practice you should also make sure you have the right hardware and code package loaded for L2/3/4 routing. For the 65xx chassis, it's usually making sure you have an MSFC daughtercard installed and an IOS package that supports multilayer switching.

Read the specs sheet and browse Feature Navigator to be sure.

Regards
kracksmith
join:2004-07-14
Fullerton, CA

kracksmith to elnino

Member

So if I have multiple subnets and I use ip helper-address, how would a single DHCP server know what subnet to apply to each VLAN?

ua_hockey
join:2003-08-07
Columbus, OH

ua_hockey

Member

said by kracksmith:

So if I have multiple subnets and I use ip helper-address, how would a single DHCP server know what subnet to apply to each VLAN?

Because the DHCP request will be sourced from the L3 interface on the switch. It will know where to send the DHCPOFFER based on which interface sent the request. For example, if you have an interface 192.168.1.1/24, it will send a request to the DHCP server for the 192.168.1.0/24 network. If you have a scope defined for that network, it will return an offer with a valid address on that network.
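The relay setup elnino and ua_hockey describe, written out as an added example (not from the thread or any poster's config). It assumes the DHCP server is 172.16.1.20 in VLAN 1, as in elnino's post, and that VLAN 2 and VLAN 3 (172.16.3.0/24 is an assumed third subnet) have no server of their own.

```cisco
! Added example, not from the thread. Assumed: DHCP server 172.16.1.20 in VLAN 1;
! VLAN 2 = 172.16.2.0/24 and VLAN 3 = 172.16.3.0/24 relay to it.
interface Vlan2
 ip address 172.16.2.254 255.255.255.0
 ip helper-address 172.16.1.20
!
interface Vlan3
 ip address 172.16.3.254 255.255.255.0
 ip helper-address 172.16.1.20
!
! What happens on the wire (ua_hockey's point): a client's DHCPDISCOVER arrives on
! Vlan2 as a broadcast (0.0.0.0 -> 255.255.255.255). The switch rewrites it into a
! unicast to 172.16.1.20 sourced from 172.16.2.254 and fills the giaddr field with
! 172.16.2.254. The server chooses the scope that contains giaddr (172.16.2.0/24)
! and sends the DHCPOFFER back to 172.16.2.254, which forwards it to the client on
! Vlan2. So the server needs one scope per relayed subnet, keyed by the SVI address.
!
! Caveat: ip helper-address relays the whole default UDP broadcast set, not only
! DHCP: TFTP 69, DNS 53, time 37, IEN-116 name 42, NetBIOS 137/138, BOOTP 67/68
! and TACACS 49. If the server should see nothing but DHCP, turn the rest off
! (global commands):
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 42
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 49
!
! Verify the helper is active on the SVI and watch the relay set giaddr:
! show ip interface Vlan2 | include Helper
! debug ip dhcp server packet
```

Because the OFFER is unicast back to the SVI address in giaddr, the SVI must have a route-reachable address from the server's point of view; if the server's own gateway cannot reach 172.16.2.254, clients on VLAN 2 will send DISCOVERs forever and never see an OFFER, even though the helper address is configured correctly.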
ua_hockey

ua_hockey to Da Geek Kid

Member

said by Da Geek Kid:

VRF???? You've gotta be kidding me????

Private VLAN is the answer...

A private VLAN would only isolate the VLAN at Layer 2 (2 hosts in the same VLAN can't talk to each other, but can talk to the gateway). If you want to isolate at Layer 3 (hosts in VLAN 1 can't talk to hosts in VLAN 2), then your only choices are some type of firewall / ACL, or VRF.

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

Private VLANs and MAC ACLs eliminate any L3 from occurring...

yaplej
Premium Member
join:2001-02-10
White City, OR

1 recommendation

yaplej

Premium Member

Well, if you don't want traffic to route from one network to another, typically the correct way is to use an ACL. You might be able to prevent routing between two networks using VRF, but it's more of a provider thing, to allow routing of networks for customers that have overlapping networks advertised, such as private network address space.

I am sure there are very creative ways of using VRF to do all sorts of neat routing tricks, but for just blocking network A from reaching network B, ACLs are likely the answer. Remember to KISS.
kracksmith
join:2004-07-14
Fullerton, CA

kracksmith

Member

If I want to utilize the switch's inter-VLAN routing (L3), then is it a must to configure an IP address on each VLAN interface?

If I don't configure the VLAN interface IP, then is my only option to use a router?
vipergg
join:2010-03-14

vipergg

Member

Yes, that is correct. For each Layer 2 VLAN that is created, if you want to route that VLAN you must create a Layer 3 SVI to route it, or you must use an external Layer 3 device to route it. You are better off using routing on the switch than a router-on-a-stick setup, because the router will always be considerably slower at routing packets than an L3 switch like a 4500.

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo to Da Geek Kid

Premium Member

said by Da Geek Kid:

VRF???? You've gotta be kidding me????

Private VLAN is the answer...

It's obvious you have no clue how VRFs work.

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

lolrof....

Ok Oracle,

Sorry, we are unworthy.
And to be clear. You have no idea what I know.

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo

Premium Member

said by Da Geek Kid:

lolrof....

Ok Oracle,

Sorry, we are unworthy.
And to be clear. You have no idea what I know.

I know exactly how much you know. Your answer to my VRF solution explains it all.

Your answer is ugly to configure, unscalable and a security threat.

Your CCNA answer of using MAC ACLs is pathetic, to say the least. What happens when a new host is provisioned? Are you going to keep updating the ACL every time a new host is added? Again, unscalable.

VRFs are the ONLY way to truly separate L3 routing domains without using a Nexus series switch.

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid to kracksmith

Member

Hmm. Last I checked, a VLAN is a Layer 2 broadcast domain. The question was how to segregate two VLANs on a switch, not two organizations transiting through the Internet. VRF is not secure either, as all its traffic is available for anyone who has access to that switch to see. VRF does not encrypt the traffic; it just isolates at Layer 3 as VLANs do at Layer 2.

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo

Premium Member

said by Da Geek Kid:

Hmm. Last I checked, a VLAN is a Layer 2 broadcast domain. The question was how to segregate two VLANs on a switch, not two organizations transiting through the Internet. VRF is not secure either, as all its traffic is available for anyone who has access to that switch to see. VRF does not encrypt the traffic; it just isolates at Layer 3 as VLANs do at Layer 2.

No, the OP wanted to separate two VLANs from talking over Layer 3 VLAN interfaces.

Again, it's apparent you have no idea how VRFs, inter-VLAN switching and basic IP networking systems work.

TestKing isn't always the answer when you want to pass a Cisco exam...

Chewbakka
join:2004-12-19

Chewbakka

Member

mm, catfight

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo

Premium Member

said by Chewbakka:

mm, catfight

He knows I'm right, hence why he hasn't replied.

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

there are 10 ways to skin a cat...

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo

Premium Member

You crack me up. Your solution doesn't work period.
aryoba
MVM
join:2002-08-22

aryoba to kracksmith

MVM

said by kracksmith:

What if I don't want a specific VLAN to talk to another VLAN? Then use an access list and put a policy in place?

You need to be specific about what you mean by not talking between VLANs. Here are some examples:

1. If the Layer 3 switch does not need to run routing at all, then simply use the switch as a strict Layer 2 switch only.

2. When you need the Layer 3 switch to participate in routing of certain VLANs, then have SVI Layer 3 interfaces only on those participating VLANs while keeping the rest as Layer 2 VLANs.

3. When you need the Layer 3 switch to participate in routing of certain VLANs while separating the routing table between networks, then you may need to implement VRF. If you simply implement an ACL without separating the routing table between networks, then it is not a total separation, which may be an insecure solution.
kracksmith
join:2004-07-14
Fullerton, CA

kracksmith

Member

OK, what about using PVLAN, which we implemented instead of ACL or VRF?
With PVLAN we have a community VLAN within the PVLAN, or have multiple VLANs within the PVLAN that don't talk together. Since we only have one VLAN within the PVLAN, we didn't need to worry about choosing either a community VLAN or an isolated VLAN within the PVLAN.

This one particular VLAN we wanted to isolate is our backend iSCSI, which is connected directly to the SAN, and we don't want other VLANs broadcasting into it. So we just decided on a PVLAN, whether it's the best solution or not.

aryoba
MVM
join:2002-08-22

aryoba

MVM

Private VLAN is basically separating broadcast domains within a VLAN. Where I've seen Private VLAN practical or sensible is either when you have a "too large" subnet which you can share among different networks, or when you have multiple WWN (World Wide Network) in a Fibre Channel SAN.

Should you have such a Fibre Channel SAN, then you may need to use a Nexus switch, which is capable of handling both Ethernet and WWN Fibre Channel SAN on the same platform.

ua_hockey
join:2003-08-07
Columbus, OH

ua_hockey

Member

At the risk of being drawn into the festivities, let me give an example of where I have used each of these technologies. I am not saying, I am right, but it has worked for me.

PVLANs: A network of 3rd-party connections (think business partners). Each business partner brings a router onto your prem. You have a lot of them, and you need to filter them going to/from your network. Now, you could set up a separate VLAN and Layer 3 topology for each of them. This is hard to scale, because each time you add a new business partner you have to make changes to your firewall. I use PVLANs to provide one Layer 2 network that doesn't allow any business partner to see another business partner. Then you can filter them from your internal network with your firewall. Each PVLAN port can only talk to your firewall or filtering device, not to other devices in the broadcast domain. This ensures that business partner "A" cannot talk to business partner "B", while permitting you to use one DMZ for both.

VRF: A scenario where you have multiple Layer 3 networks that you do not want to route between. For example, say you need to route "external" traffic and "internal" traffic, like your internal network and a business partner network. You don't need a lot of port density, and the 6500 that you have lying around will do the job nicely. The problem is that you want to have the internal networks and external networks pass through a security device before they talk to each other (FWSM, ASA, Check Point, etc.). You will also be doing Layer 3 on both networks (maybe BGP with the business partners and OSPF internally). Without VRF, it would be possible for the external traffic to route to the inside without passing through the security device. You set up VRF to isolate the routing tables from each other. VRF 1 has no idea how to get to the networks on VRF 2, even though they are on the same switch. You can have your security device participate in routing so that your inside networks only know how to get to your outside networks through the security device (and vice versa).

Hope that helps (putting on flame resistant suit now).
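Both of ua_hockey's scenarios on one switch, as an added example that is not from the thread or any poster's config. It also illustrates ua_hockey's earlier point that a private VLAN isolates only at Layer 2: the isolated ports still reach the promiscuous port, so whatever sits there (here, the firewall) is the only thing deciding what routes. VLAN numbers, VRF names INSIDE/OUTSIDE, the route distinguishers, the firewall addresses 10.20.0.1 and 192.0.2.1, and the use of static default routes instead of the BGP/OSPF ua_hockey mentions are all assumptions for illustration. VRF-lite support and the classic "ip vrf" syntax depend on supervisor and software; check Feature Navigator as HELLFIRE suggested.

```cisco
! Added example, not from the thread. Assumed: VLAN 100 = partner DMZ (private VLAN),
! VLAN 200 = inside (10.20.0.0/24), VLAN 300 = outside (192.0.2.0/24).
! Firewall legs: Gi1/9 in the DMZ, 10.20.0.1 inside, 192.0.2.1 outside.
!
! ---- Scenario 1: partner DMZ as a private VLAN (Layer 2 isolation only) ----
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Partner routers land on isolated ports: they can reach promiscuous ports only,
! never each other, even though they share one subnet and one broadcast domain.
interface range GigabitEthernet1/1 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Firewall DMZ leg on the promiscuous port: it sees every partner.
interface GigabitEthernet1/9
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Deliberately NO "interface Vlan100" on the switch. The partners' default gateway
! is the firewall's DMZ address. If an SVI existed here, every isolated port could
! still reach it, and the switch would route for them around the firewall.
!
! ---- Scenario 2: inside and outside in separate routing tables (VRF-lite) ----
ip routing
!
ip vrf INSIDE
 rd 65000:1
ip vrf OUTSIDE
 rd 65000:2
!
! "ip vrf forwarding" clears any address already on the SVI, so set it first.
interface Vlan200
 description inside users and firewall inside leg
 ip vrf forwarding INSIDE
 ip address 10.20.0.254 255.255.255.0
!
interface Vlan300
 description outside / partner side and firewall outside leg
 ip vrf forwarding OUTSIDE
 ip address 192.0.2.254 255.255.255.0
!
! Each table knows only its own connected subnet plus a default toward the
! firewall leg in that VRF. Neither table contains the other's subnet at all.
ip route vrf INSIDE  0.0.0.0 0.0.0.0 10.20.0.1
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 192.0.2.1
!
! Verify: no 192.0.2.0/24 in INSIDE, no 10.20.0.0/24 in OUTSIDE, and a ping from
! one VRF to the other's SVI goes to the default (the firewall), not across the box.
! show ip route vrf INSIDE
! show ip route vrf OUTSIDE
! ping vrf INSIDE 192.0.2.254
```

The difference between this and an ACL approach is where the separation lives: with VRFs the switch has no route between the two sides, so there is no line that can be mis-ordered or removed to re-open the path, and any inter-VRF traffic has to leave via the firewall. It does not, as Da Geek Kid notes, protect against someone with access to the switch itself; it is a routing-table boundary, not encryption.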

mikeeo
Premium Member
join:2000-03-12
Newark, DE

mikeeo

Premium Member

I don't think Da Geek Kid understands what you just said so I doubt we will ever get a reply from him.