I have 2 LAN's on seperate IP subnets connected by a layer 3 routed link between 2 stacks of Catalyst 3750G-SMI switches and I need to create an IP subnet common to both networks (but different to their main subnets) to implement a failover configuration for our internet access. I'm guessing a VLAN would be the way to go but is it possible to pass VLAN traffic over a layer 3 link or is there a better way to connect these 2 subnets that would all me to implement this setup?
Sounds like you need to create a trunk to carry the common VLAN across the routed link. You can then use SVIs (Switched Virtual Interfaces) to carry the layer three traffic alongside.
Something like:
vlan 5 Name "Layer 2 VLAN for common subnet"
interface vlan 10 description "Layer 3 SVI for routed traffic" ip address 192.168.1.1 255.255.255.252
interface FastEthernet0/1 description "Trunk port to carry both layer 2 and layer 3 VLANs" switchport trunk encapsulation dot1q switchport mode trunk
Thanks for the quick reply. My current configuration looks like this :-
interface Port-channel1 description Point-to-point link no switchport ip address 172.24.1.1 255.255.255.252 !
interface GigabitEthernet1/0/28 description SW001G1/0/28 no switchport no ip address channel-group 1 mode active !
ip route 10.3.0.0 255.255.0.0 172.24.1.2
I went with the port channel as I intend to add additional SFP's in the near future to increase the available bandwidth. The drawback is that you set the port as "no switchport" so you can't assign it as a trunk. I'm sure there's a better way to do this I just can't get my head around it.
If the Internet router only has one port facing the existing switch infrastructure then you would need to insert a hub or a small switch between the Internet router and the two existing switches. The ports on the existing switches facing the Internet router would be configured as routed ports and could run HSRP.
If the Internet router has two ports available facing the existing switch infrastructure, then connect one router port to each of the existing switch with each of the switch ports being configured as a routed interface. Run a common routing protocol amongst the switches and the internet router in order for dynamic routing to take care of switch failures. Internet router should advertise default to the switches.
Port-channels can be layer 2 or 3 - just like physical ports.
I suggest you change your Port-channel to layer 2 so it can be configured as a trunk port. The trunk can then carry two VLANs - The "common VLAN" and the SVI VLAN for routed traffic:
1 other thing to worry about is what happens when it breaks?
this type of design is common with server replication schemes that work at layer 2, and the assumption is that when you lose a site, the other copy carries on and the remaining network survives.
however - WAN faults are as common as major server or site failures.
if you have a L2 subnet across 2 sites like this, then any routers sending traffic into it from elsewhere treat it as a single logical connected lump of IP addresses - because that is what a subnet really is. the hidden design assumption is that things only work if that subnet is internally connected.
So - it breaks in 2 pieces. At that point you find out that most traffic patterns on the 2 sections where the traffic comes into the subnet from outside stop working.
if you have a local router interface, then outgoing works fine if you still have a default gateway.
but the return traffic just gets delivered to either section depending on router best path - and that may be the wrong half......
Thanks for the heads up but in our setup it's not a problem. The 2 offices are literally 350 Metres apart using our on on-site fibres so a break in the link is probably less likely than loosing a WAN link.
Each office has its own dedicated subnet and the additional subnet will only be used locally in the 2 offices so we have no traffic being routed into it from the rest of the WAN.
Than sounds like a plan to me and I think it's starting to sink in.. I'll get some time organised to put it in place out off hours
One last question though, I have all the other switch ports on both ends of the link in the default VALN1.. If the switches are connected at layer 2 wouldn't that mean the single VLAN1 would span both sites and give me no end of IP and VLAN overlaps?
Yes that is something to watch out for. Enabling trunking between the two switches will trunk all VLANs by default. So yes - your two VLAN1s will get bridged, as will any other VLANs with the same ID.
You can restrict which VLANS are allowed across the trunk with:
switchport trunk allowed vlan 5, 10
Best practice would be to avoid using VLAN1 for users. I suggest you also read about the native VLAN option before you get too involved with setting up DOT1Q trunks.
also vlan 1 is "special" on cisco - things like CDP live there, so even if you turn it off there will be some traffic.
best practice for a big network is not to use vlan1 for anything (maybe just management).
a few bits of good design practice (for lots of cisco stuff, not just campus):
formatting link
worth looking at even if you ignore most of it as not applicable.
that way when someone throws in a new switch without config, it doesnt work (or doesnt connect to the rest of the network), so cannot break the design without some effort and the installer has to do something to get connectivity.....
and please dont use VTP - network wide VLANs is not a good idea.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.