Re: probably an easy routing question, so please help
- From: "pk" <philip.kluss@xxxxxxxxx>
- Date: Thu, 24 May 2007 17:26:57 -0500
Hmm, it took no less than a week for me to come to this conclusion, but I'm
glad I figured it out now rather than later.
If you remember, I'd decided that I was going to combine my 4 distinct,
non-contiguous subnets into one VLAN and avoid having to run out to the
router for intra-VLAN traffic, thus maintaining my gigabit connections. As
far as I can tell (and I've spent hours trying to verify this with actual
documentation, so PLEASE help me out if you know of some), VLANs only handle
broadcast traffic and the unicast traffic (read: stuff I really care about)
would still be banished to the router only to return at a much slower rate
than if the switch had handled it to begin with. Is that all true?
Here are things that I think are facts, please correct me now if I'm wrong.
Fact 1: VLAN capable Layer 2 switches ignore VLAN tags on unicast traffic.
Fact 2: A Layer 3 switch can route intra-VLAN/inter-VLAN unicast traffic AS
WELL AS non-VLANed disjoint subnetted traffic, avoiding the slow uplink to
the router.
Fact 3: If I had a well stocked computer lab, I could answer these
questions on my own and learn a great deal in the process. (This I KNOW is
true.)
I appreciate the feedback from all of you.
pk
"Aaron Leonard" <Aaron@xxxxxxxxx> wrote in message
news:q56s43tikg0ctlb8oi6et662dcpk2fop6j@xxxxxxxxxx
You can run 4 disjoint subnets on the same broadcast domain (in the same
VLAN). I used to set this up ages ago (back in the ancient days, before
L3 switches), by using multiple secondary addresses on the router
interface on this broadcast domain. I.e. something like this:
interface ethernet1
 ! primary address: the first subnet on this broadcast domain
 ip address 1.1.1.1 255.255.255.0
 ! the remaining subnets as secondary addresses on the same interface
 ip address 2.1.1.1 255.255.0.0 secondary
 ip address 3.1.1.1 255.255.255.192 secondary
 ! fast-switch packets that leave by the interface they arrived on
 ip route-cache same-interface
Not ideal from the standpoint of traffic management, but it'll get the
job done till you decide to budget for some new hardware.
Aaron
---
~ I've just realized that VLANs don't just divide subnets, they also COMBINE
~ subnets. I don't actually want my 4 IP blocks separate for any reason, so
~ there's no reason I can't just combine them into a singular VLAN with my
~ existing switches, right? As far as I can tell (until I decide that I want
~ more than one VLAN to communicate with each other without contacting the
~ router) I won't need to use a Layer 3 switch at all. Is that correct? If
~ that's the case, my life got a whole lot easier, even though it would be fun
~ to play around with a Layer 3 switch!
~
~ pk
~
~ "stephen" <stephen_hope@xxxxxxxxxxxx> wrote in message
~ news:HW23i.33$qQ1.10@xxxxxxxxxxxxxxxxxxxxxxx
~ > "pk" <philip.kluss@xxxxxxxxx> wrote in message
~ > news:f2i9ls$ljh$1@xxxxxxxxxxx
~ >> I was all ready to purchase a Layer 3 switch and start testing this setup
~ >> when I came across some Cisco documentation and discovered this little gem
~ >> from the "Routers and Layer 3 Switching" section of the document.
~ >> http://www.cisco.com/warp/public/473/lan-switch-cisco.shtml#prereq
~ >>
~ >> It states, in no uncertain terms, "Note: Routers are necessary for
~ >> communication between two VLANs."
~ >
~ > more accurately - routing is needed. A layer 3 switch is really a hardware
~ > based router - so you are covered.
~ >>
~ >> Is that true? This throws a serious kink in my plans. I need to use VLANs
~ >> in order to be able to simulate transparent mode with multiple subnets with
~ >> my Sonicwall 3060.
~ >
~ > VLANs might complicate what you end up doing - it sounds like the default
~ > gateway on each device needs to "point" to the firewall for the outside
~ > world, but local comms goes via the L3 switch.
~ >
~ > However - it tends to be easier in a routed network to offload route
~ > management and path selection to a routing device, and let that sort out
~ > what goes where.
~ >
~ > then you only need to configure the L3 switch to alter the routing if you
~ > change things, not every device.
~ >
~ > but it sounds like your firewall might not like that arrangement, so I
~ > suggest you sort how the firewall and a "router" need to interact before
~ > finalising the design.
~ >
~ >> For the record, I have 4 IP blocks (three /28s and one /27). I do not
~ >> want to deal with NATing this many addresses. Is a Layer 3 switch STILL
~ >> going to pass my VLAN traffic up to the router?
~ >
~ > No - or not if you design it properly.
~ >
~ >> This is killing me.
~ >>
~ >> Thanks for all the help so far.
~ >>
~ >> pk
~ >>
~ >> "stephen" <stephen_hope@xxxxxxxxxxxx> wrote in message
~ >> news:RpX2i.58$oX4.52@xxxxxxxxxxxxxxxxxxxxxxx
~ >> > "Trendkill" <jpmason@xxxxxxxxx> wrote in message
~ >> > news:1179328714.470756.105670@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~ >> >> On May 16, 9:57 am, pk <philip.kl...@xxxxxxxxx> wrote:
~ >> >> > On May 15, 2:55 pm, Trendkill <jpma...@xxxxxxxxx> wrote:
~ >> >> >
~ >> >> >
~ >> >> >
~ >> >> > > On May 15, 3:33 pm, pk <philip.kl...@xxxxxxxxx> wrote:
~ >> >> >
~ >> >> > > > I'm no routing master, so this might be obvious, but I've been
~ >> >> > > > curious about the answer to this question. Say an individual was
~ >> >> > > > issued two IP blocks from their ISP.
~ >> >> >
~ >> >> > > > IP Block 1 : 123.123.123.0 /28
~ >> >> > > > IP Block 2 : 123.123.123.128 /28
~ >> >> >
~ >> >> > > > If the individual doesn't really care to separate the two networks
~ >> >> > > > for any reason and was just unfortunately issued two /28 blocks
~ >> >> > > > instead of one /27 block, isn't the link between the two networks
~ >> >> > > > going to suffer unnecessarily? For instance, if Server A located in
~ >> >> > > > Block 1 is plugged into the same gigabit switch as Server B in
~ >> >> > > > Block 2 and they want to initiate a file transfer, they are
~ >> >> > > > required to run out to the default gateway (ISP's router) through
~ >> >> > > > a T1 (perhaps) connection and back in when it would have been much
~ >> >> > > > faster for them to go directly to the other's gigabit Ethernet
~ >> >> > > > port on the switch? If this is the case, would this be remedied,
~ >> >> > > > albeit poorly, by just subnetting both of these ranges together
~ >> >> > > > into one giant class C address range? (I understand fully that
~ >> >> > > > they wouldn't be able to access the rightful owners of the rest of
~ >> >> > > > the IP addresses in that range as they would search on their local
~ >> >> > > > LAN for them and time out, but this is a hypothetical situation
~ >> >> > > > and only serves to educate myself on the concept.) That said, how
~ >> >> > > > SHOULD this be handled in order to keep the connection between the
~ >> >> > > > subnets optimal?
~ >> >> >
~ >> >> > > > I'm quite sure that I'm missing some key concepts here, so please
~ >> >> > > > be kind and explain them to me.
~ >> >> >
~ >> >> > > > Thanks.
~ >> >> >
~ >> >> > > > pk
~ >> >> >
~ >> >> > > Provided both of those networks are off the same edge router, and
~ >> >> > > routing is enabled, the traffic will not have to go across the WAN/
~ >> >> > > Internet link, and will instead route to the directly connected
~ >> >> > > network. This should work without issue.
~ >> >> >
~ >> >> > OK, that makes sense, but if the uplink is coming out of the switch
~ >> >> > from a 10Mb link to the router and the computers are both hooked into
~ >> >> > gigabit ports then it is a big difference right? There's no way for
~ >> >> > that switch to be a bit smarter (without turning into a router) and
~ >> >> > not run out the 10Mb port to the router with all of its traffic,
~ >> >> > correct? Whereas before they would have transferred at gigabit rate,
~ >> >> > they now will be 100 times slower?
~ >> >>
~ >> >> Technically yes you are correct. Unless you have a L3 switch or a
~ >> >> router with gig ports, you will potentially have limits for any
~ >> >> bandwidth going inter VLAN. I've been trying to think through your
~ >> >> option of running a /24 behind the scenes and simply not addressing
~ >> >> nodes in the two networks you don't own.
~ >> >
~ >> > you can use proxy ARP to do this. I learnt this trick on Bay / Nortel
~ >> > kit which was really good at it, but it works on Cisco as well.
~ >> >
~ >> > both /28s are configured on the same Enet port, with proxy ARP enabled.
~ >> >
~ >> > end stations are set up to use the overall /24.
~ >> >
~ >> > The router then lets local ARP take care of traffic between the 2 /28s,
~ >> > but will respond to ARP reqs for addresses on other parts of the /24.
~ >> >
~ >> > Once the ARP table is pointing at the correct device, then IP packets get
~ >> > sent to the right place - result is the router has a few more broadcasts
~ >> > to handle, but the local traffic doesn't need to "touch" the router.
~ >> >
~ >> >> I'm not really sure if this would work or not, as your router
~ >> >> technically would have to advertise the /24, unless of course you could
~ >> >> use distribution lists or something to split it up as necessary. I think
~ >> >> your best bet is to sit down and really analyze your servers/nodes and
~ >> >> come up with a design that keeps your high traffic boxes on one
~ >> >> switch/subnet or the other. I doubt you have 126 boxes that are the
~ >> >> same application, etc, and probably could be split into some kind of
~ >> >> logical groups by high traffic. Thus ensuring that intra VLAN traffic
~ >> >> is maximized, and inter-vlan traffic is minimized. If you do have a
~ >> >> server (database or such) that is central to both networks, perhaps
~ >> >> it's better to just dual home it to each network. All depends on your
~ >> >> requirements......
~ >> >
~ >> > Personally I prefer a L3 switch - a single Catalyst 3560 or 3750 will
~ >> > give you enough ports for both /28s.
~ >> >
~ >> > if you have enough servers to need 2 x /28, then paying for the switch is
~ >> > going to be trivial. And if you don't need lots of servers, then redo the
~ >> > design to use NAT and reduce the number of needed addresses.
~ >> >
~ >> > clever system designs can be great, but follow on work often hits side
~ >> > effects, or the next engineer to do changes doesn't understand and breaks
~ >> > the design....
~ >> >>
~ >> > --
~ >> > Regards
~ >> >
~ >> > stephen_hope@xxxxxxxxxxxx - replace xyz with ntl
~ >> >
~ > stephen_hope@xxxxxxxxxxxx - replace xyz with ntl
~ >
~ >
~
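As an added illustration (not from any of the posts above), the following Python models the two decisions the whole thread turns on: the host-side "on-link or via the gateway" choice that makes two /28s on one gigabit switch hairpin through the router (Trendkill's 10Mb uplink point and pk's Fact 2), and stephen's proxy-ARP trick of giving the stations the whole /24 while the router holds both /28s on a single port, including pk's caveat that an address in that /24 which belongs to somebody else is just ARPed for on the LAN and times out. The Host and Router classes, the path() helper and the one-port router model are simplifying assumptions of this example rather than any vendor's implementation; the addresses are pk's own 123.123.123.0/28 and 123.123.123.128/28.

```python
"""Where does a frame go: stays on the switch, or hairpins through the router?

Added example, not code from the thread. Assumptions of the model:
  * a host has one interface and a default gateway, and does longest-prefix
    match over just {connected prefix, default route};
  * a router has several IP subnets on ONE Ethernet port (the 'secondary
    address' / 'both /28s on the same port' setups discussed above), answers
    ARP for its own addresses and, with proxy ARP on, for any target that is
    not on-link here (i.e. one it would reach through another interface).
"""
import ipaddress


class Host:
    def __init__(self, ip, prefixlen, gateway):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        self.gateway = ipaddress.ip_address(gateway)

    def next_hop(self, dst):
        """Return the address the host ARPs for in order to reach dst.

        On-link destination -> ARP for dst itself; the frame stays on the
        switch at wire speed. Anything else -> ARP for the gateway, so the
        frame goes up the uplink and comes back down (the 10Mb hairpin)."""
        dst = ipaddress.ip_address(str(dst))
        return dst if dst in self.iface.network else self.gateway


class Router:
    def __init__(self, connected, proxy_arp=False):
        # connected: interface addresses configured on the single LAN port,
        # e.g. ["123.123.123.1/28", "123.123.123.129/28"]
        self.ifaces = [ipaddress.ip_interface(c) for c in connected]
        self.proxy_arp = proxy_arp

    def owns_on_link(self, target):
        """True if target falls in a subnet configured on this port."""
        target = ipaddress.ip_address(str(target))
        return any(target in i.network for i in self.ifaces)

    def answers_arp_for(self, target):
        """Would the router reply to 'who-has target' heard on this port?

        Own addresses: always. Proxy ARP: only for targets that are NOT
        on-link here. Answering for on-link hosts would pull the local
        traffic through the router, which is exactly what the trick avoids."""
        target = ipaddress.ip_address(str(target))
        if any(target == i.ip for i in self.ifaces):
            return True
        return self.proxy_arp and not self.owns_on_link(target)


def path(host, dst, router):
    """Classify host's traffic to dst:
      'switch'  - host ARPs for dst, a local machine answers, router untouched
      'router'  - frame is handed to the router (default gateway or proxy ARP)
      'timeout' - host ARPs on the LAN and nobody answers (pk's caveat: an
                  address in the oversized /24 that belongs to someone else)"""
    dst_addr = ipaddress.ip_address(dst)
    if host.next_hop(dst_addr) != dst_addr:
        return "router"          # off-link for the host: goes to the gateway
    if router.answers_arp_for(dst_addr):
        return "router"          # proxy ARP reply (or dst is the router itself)
    if router.owns_on_link(dst_addr):
        return "switch"          # assume a real host holds the on-link address
    return "timeout"


if __name__ == "__main__":
    r_plain = Router(["123.123.123.1/28", "123.123.123.129/28"])
    r_proxy = Router(["123.123.123.1/28", "123.123.123.129/28"], proxy_arp=True)
    a_28 = Host("123.123.123.5", 28, "123.123.123.1")  # stations keep their /28
    a_24 = Host("123.123.123.5", 24, "123.123.123.1")  # stations told the whole /24
    for label, h, r in [("/28 hosts, no proxy ARP", a_28, r_plain),
                        ("/24 hosts, proxy ARP on", a_24, r_proxy),
                        ("/24 hosts, proxy ARP off", a_24, r_plain)]:
        print(label, "->", {d: path(h, d, r)
                            for d in ("123.123.123.130", "123.123.123.50")})
```

Run it and the three rows show the thread's three situations side by side: with the /28 masks, Server A reaching .130 in the other block goes "router" (the hairpin); with the /24 mask and proxy ARP on, .130 goes "switch" while an address nobody local owns (.50) is proxied by the router; with the /24 mask and proxy ARP off, that same .50 is a "timeout", which is the failure mode pk described.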