InterVLAN Routing on Layer 3 Switch

cmputrnrd4lif

I need to start VLANing out an office network and have some questions regarding interVLAN routing.

The network consists of a L2/L3 Cisco 3560 as the core switch and about 15 Catalyst 2960's and 2950's plugged into it for access level switching. The network has 2 subnets that are not separated from each other by VLANs or router interfaces, which has created a single (large) broadcast domain. Plugged into the core switch is a linux box that provides our routing. It has a single interface with 2 IP's bound to it; each IP is the default gateway of one of the two subnets. Using this setup, I need to figure out how to implement VLANing and move the routing to the 3560.

Cisco has a good document explaining interVLAN routing for the 3560: http://www.ciscosystems.net.ph/en/U...s_configuration_example09186a008019e74e.shtml

I want to use the 3560 as the router now and phase out the linux box, but do so one subnet at a time instead of all at once. If I setup a 3rd subnet, a VLAN, and a VLAN interface for it on the 3560, can the linux box be the default route as suggested in the document? If so, it doesn't need to be a trunk port does it? That's only the case if the linux box does the interVLAN switching right?
 
What's at the edge doing routing? The 3560s won't NAT, so you need something that will.

Use a 3560 as your core, break the two subnets up into two (or more) VLANs and have all your hosts point to it for their defaults. Then point the 3560 to your edge router or the linux box as its default to the internets (no trunk port, either a routed port or a switch port in the outside VLAN). Use ACLs or a firewall on the edge device.
 
I want to use the 3560 as the router now and phase out the linux box, but do so one subnet at a time instead of all at once. If I setup a 3rd subnet, a VLAN, and a VLAN interface for it on the 3560, can the linux box be the default route as suggested in the document? If so, it doesn't need to be a trunk port does it? That's only the case if the linux box does the interVLAN switching right?
Ugh, you don't want to do something like this piecemeal, it will just make something simple terribly complicated instead. Some other things to consider are:

1. How your client computers obtain IP addresses, are they static or DHCP? What is the DHCP server?

2. Do you have hosts on both subnets dispersed throughout the access layer? If so you'll need trunks with both vlans to each switch and either implement VTP or be prepared to create a lot of vlans by hand.

3. As stated, if you are NAT'ing internal hosts to the internet you'll need to keep the Linux box around. Set up a point-to-point /30 network between the Linux machine and a L3 interface on the 3560. You'll need a summarized route to the internal networks via the 3560 L3 interface on the Linux box if you do this, either that or use RIP (bleh). Better option would be to get rid of the Linux box and replace it with a real network device. You'll also need a default route on the 3560 to the Linux router.

4. There's no reason to trunk to the Linux box unless both vlans are going to be routed by it instead of the 3560.
 
What's at the edge doing routing? The 3560s won't NAT, so you need something that will.

We have an older model Cisco router that does NAT.

Use a 3560 as your core, break the two subnets up into two (or more) VLANs and have all your hosts point to it for their defaults. Then point the 3560 to your edge router or the linux box as its default to the internets (no trunk port, either a routed port or a switch port in the outside VLAN). Use ACLs or a firewall on the edge device.

That makes sense, but I'm somewhat lost where you say "no trunk port, either a routed port or a switch port in the outside VLAN". Are you suggesting that the connection between the 3560 and the edge router should be in its own VLAN?


Ugh, you don't want to do something like this piecemeal, it will just make something simple terribly complicated instead. Some other things to consider are:

I know, I hate to do it this way, but I'm trying to solve one problem immediately by VLANing out a group of devices. Also, 95% of the LAN devices are static IP's, which is about 300 devices. I'd have to find every device, make note of the subnet it's in, the port that it's on, and assign it to the correct VLAN. That would take quite a bit of time.


1. How your client computers obtain IP addresses, are they static or DHCP? What is the DHCP server?

Clients are almost completely static. The few machines that are DHCP have their IPs assigned via MAC reservation. I've been thinking that moving all of the machines to this method, DHCP MAC reservations, may make transitions like this a lot easier.


2. Do you have hosts on both subnets dispersed throughout the access layer? If so you'll need trunks with both vlans to each switch and either implement VTP or be prepared to create a lot of vlans by hand.

Yes, both subnets are dispersed through the access layer and the plan is to implement VTP.


3. As stated if you are NAT'ing internal hosts to the internet you'll need to keep the Linux box around. Set up a point to point /30 network between the Linux machine and a L3 interface on the 3560. You'll need a summarized route to the internal networks via the 3560 L3 interface on the Linux box if you do this, either that or use RIP (bleh). Better option would be to get rid of the Linux box and replace it with a real network device. You'll also need a default route on the 3560 to the Linux router.

I'm sure the linux box will stay around for the time being.

I'm a new CCNA student, so by summarizing do you mean:

10.0.100.0/24 and 10.0.110.0/24 = 10.0.96.0/20

I'm pushing for a router, but the Linux box has held up well across the years and at its current price (free), it's hard to convince people to move to an expensive Cisco router.


4. There's no reason to trunk to the Linux box unless both vlans are going to be routed by it instead of the 3560.

That's what I had thought. Good to know for sure, now.


Thanks for the clarification, everyone. This has helped tremendously.
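The addressing side of the plan discussed above (the /30 link to the Linux box, the summary route back to the 3560, and the OP's 10.0.100.0/24 + 10.0.110.0/24 = 10.0.96.0/20 question), worked through as an added example that is not part of the thread. The two VLAN subnets are the OP's; the VLAN numbers 100 and 110, the link 10.0.255.0/30, the uplink port name and the assumption that each subnet's gateway is the .1 address are all hypothetical. The summarisation routine is the general algorithm of which the OP's /20 is one instance, and the hole check shows a caveat a practitioner would want: a summary covers addresses no VLAN owns, and with a default route on the 3560 pointing back at the Linux box those packets loop between the two until their TTL expires unless the 3560 carries a discard route for the summary.

```python
"""Addressing checks for moving inter-VLAN routing onto the 3560.

Added example, not from the thread. VLAN subnets are the OP's; everything
else (VLAN IDs, the /30 link, port name, .1 gateways) is an assumption.
"""
from ipaddress import IPv4Network

# Constructed from the thread: the two existing subnets become two VLANs.
VLAN_SUBNETS = {
    100: IPv4Network("10.0.100.0/24"),
    110: IPv4Network("10.0.110.0/24"),
}
# Assumed /30 between the 3560 (first host) and the Linux box (second host).
P2P_LINK = IPv4Network("10.0.255.0/30")


def tightest_summary(nets):
    """Smallest single prefix containing every network in nets.

    Widen the first prefix one bit at a time until it covers the rest; this
    is the usual summarisation step, giving 10.0.96.0/20 for the OP's pair.
    """
    nets = list(nets)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_holes(summary, owned):
    """Prefixes inside summary that no VLAN or link owns.

    Traffic to these follows the summary to the 3560, then its default route
    back to the Linux box, and so on: a loop unless the 3560 discards it.
    """
    holes = [summary]
    for net in owned:
        remaining = []
        for hole in holes:
            if net.subnet_of(hole):
                remaining.extend(hole.address_exclude(net))  # carve net out
            elif hole.subnet_of(net):
                continue  # hole is entirely owned, drop it
            else:
                remaining.append(hole)
        holes = remaining
    return sorted(holes)


def overlapping(vlan_subnets, p2p):
    """VLAN IDs whose subnet collides with the point-to-point link."""
    return [vid for vid, net in vlan_subnets.items() if net.overlaps(p2p)]


def ios_config(vlan_subnets, p2p, uplink="GigabitEthernet0/1"):
    """3560 side: SVIs, a routed port (not a trunk) to the Linux box, a
    default route to it, and a Null0 discard route covering the summary.
    Connected /24s are more specific than the /20, so VLAN traffic is
    unaffected by the discard route."""
    sw_ip, linux_ip = list(p2p.hosts())[:2]
    summary = tightest_summary(vlan_subnets.values())
    lines = ["ip routing"]
    for vid, net in sorted(vlan_subnets.items()):
        gateway = net.network_address + 1  # assumption: hosts use .1
        lines += [f"interface Vlan{vid}",
                  f" ip address {gateway} {net.netmask}"]
    lines += [f"interface {uplink}",
              " no switchport",
              f" ip address {sw_ip} {p2p.netmask}",
              f"ip route 0.0.0.0 0.0.0.0 {linux_ip}",
              f"ip route {summary.network_address} {summary.netmask} Null0"]
    return lines


def linux_commands(vlan_subnets, p2p, dev="eth0"):
    """Linux side: its end of the link and the summary route via the 3560."""
    sw_ip, linux_ip = list(p2p.hosts())[:2]
    summary = tightest_summary(vlan_subnets.values())
    return [f"ip addr add {linux_ip}/{p2p.prefixlen} dev {dev}",
            f"ip route add {summary} via {sw_ip}"]


if __name__ == "__main__":
    summary = tightest_summary(VLAN_SUBNETS.values())
    print("summary:", summary)
    print("unowned inside summary:", summary_holes(summary, VLAN_SUBNETS.values()))
    print("link overlaps VLANs:", overlapping(VLAN_SUBNETS, P2P_LINK))
    print("\n".join(ios_config(VLAN_SUBNETS, P2P_LINK)))
    print("\n".join(linux_commands(VLAN_SUBNETS, P2P_LINK)))
```

Running it confirms the OP's arithmetic (the tightest cover really is 10.0.96.0/20) and lists the fourteen /24s worth of space inside that /20 that nothing owns, which is why the generated 3560 config includes the Null0 route alongside the default route.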
 
Okay, before I ask anything else, what exactly does this Linux box do (other than route between 2 subnets that are in the same broadcast domain)?

You have an "older model Cisco router" that is NAT'ing, which I'm assuming means that it is your WAN edge device and has a public IP. You have a 3560 multilayer switch that is capable of routing all your internal vlans. Based on this information the Linux box is completely superfluous unless it is providing some unknown function not listed above.

Where is your DHCP server, i.e. what machine is it?
 
We have an older model Cisco router that does NAT.

That makes sense, but I'm somewhat lost where you say "no trunk port, either a routed port or a switch port in the outside VLAN". Are you suggesting that the connection between the 3560 and the edge router should be in its own VLAN?

My suggestion was that you create a routed port OR a VLAN containing that router. Ideally you would use a /31 on a routed port between the 3560 and the router. That's how I'd probably do it.

Your network seems to be designed terribly. You should consider bringing in a consultant to redo it from the ground up. No offense, but this seems to be a bit over your head. If you bring someone else in you can shadow him and probably learn a lot.
 
In 16 years of IT I have never seen anyone use a /31, ever. It is especially pointless on a private network where address conservation is not necessary. Every point to point leased line I have ever setup has a /30 mask (lots). Cisco's own curriculum indicates you should use a /30. So what you should've said was:

Ideally you would use a /30 on a routed port because it is common practice, but you can use /31 if you want to confuse people needlessly
 
People use /31s all the time. From your posts, there seems to be a lot you haven't seen in your 16 years of IT. Here's something you should remember, just because you haven't seen something and don't know anything about it doesn't mean that it shouldn't be used. It just means YOU lack knowledge.

The people confused by a /31 probably shouldn't be in the field of networking. It's actually the simplest subnet out there, two addresses. Why use a /30 when a /31 does it better?

Anyway, what you should have said (or done, really) instead of your condescending little wink, is use Google and verify that you know what you're talking about before correcting someone, especially if there's a good chance the person knows more than you.

Realistically, we shouldn't have gone into all of this. You should have been a normal person and said something like "oops, lol. learn something new everyday" instead of trying to cover up your lack of knowledge with bs.
 
I can link a copy of the RFC for FDDI too, doesn't mean anyone uses it...

Why use a /30 when a /31 does it better?

KISS - Keep it simple stupid. Using a /31 breaks from the convention of the first address in the range identifying the network and the last acting as the broadcast address. The OP is going to have a tough time passing the subnetting questions on the CCNA, which he said he was working on, if he doesn't keep that little bit of minutia in mind. In fact it is a critical concept for the exam.

You should have been a normal person
normal people are sheep
 
Wow, you just can't stop, eh?

I've worked for an ISP, we use /31s quite a bit. We also use them at my current company. Again, simply because YOU haven't seen something does not mean it isn't used. It's pretty sad that you won't admit that and actually learn something here.

Not using something because it is new or breaks current convention is silly. Think of where we would be in technology if everyone thought the way you're pretending to. We'd still be using classful addressing and horrible design practices, among other things.

Normal people are sheep, eh? You sound like the sheep here, unable to embrace something new and more efficient. You have no interest in saving 50% of IP addresses because you've never seen it done before? Come on man.

And, you're essentially insulting the OP by saying he won't be able to understand something as ridiculously simple as a /31 subnet. You're grasping at straws here.
 
I've worked for an ISP, we use /31s quite a bit.
We are talking about an internal LAN in this thread that is privately addressed, not some mom and pop ISP that is address starved. Your "creative solution" to a problem they don't have interjects needless configuration complexity.

And, you're essentially insulting the OP by saying he won't be able to understand something as ridiculously simple as a /31 subnet. You're grasping at straws here.
Actually I was more concerned about providing information that is useful to someone interested in becoming a CCNA. Your information is not. That's not how it's taught and that's not how it's tested.
 
I enjoy the fact that more than 50% of the posts so far are what subnet to use for a link between the 3560 and the router. :rolleyes:

Maybe to get back to the question at hand, OP, it sounds like your network has a couple of issues that could be addressed.

  • DHCP - I realize that it may have started small and grown but once you get past about 10 devices, DHCP is the direction to go, I would start to seriously look at incorporating this into your network
  • The *nix Box - as someone already said, you need to understand exactly what that box is doing, as well as any other devices like that on your network- are you using Active Directory?
  • VLANS - which is what you're currently looking at, you said you needed to separate some devices- what devices? Phones or something else. This may play into the design.
  • Architecture - if you don't have one already, you need a detailed document (Visio) which outlines exactly the physical and logical layout of your network. Making changes without knowing this is a big no-no

While it's easy to say (and I agree) that a consultant is your best bet for this, I can understand the reality being that there's no money for that. A word of caution- be careful! Document everything you do, the changes you make, etc. That can be invaluable when it comes time to diagnose or roll back any changes you've made.
 
We are talking about an internal LAN in this thread that is privately addressed, not some mom and pop ISP that is address starved. Your "creative solution" to a problem they don't have interjects needless configuration complexity.

Actually I was more concerned about providing information that is useful to someone interested in becoming a CCNA. Your information is not. That's not how it's taught and that's not how it's tested.

You're hopeless. My "creative solution" is an RFC standard. Also, to clarify, the ISP I worked for was very large and everyone is "address starved" right now, I figured you'd already know that.

/31s aren't useful? Your posts get more and more laughable every time. Real engineers get a kick out of people like you.
 
My "creative solution" is an RFC standard.
Meaningless. Companies like Microsoft create RFCs for one-off solutions all the time and call them "standards". Just because there is an RFC for it doesn't mean it is widely adopted or even a good idea. It just means someone took the time to document it. Same goes for all those ISO-9xxx standards. Even if the process is garbage, as long as you documented it, you get a gold star.

The only thing that is silly in this thread is that you are proposing address conservation in a PRIVATE network.

Anyway, I'm going to spend the rest of the afternoon re-IPing all my point-to-point links now. I wouldn't want to run out of RFC1918 addresses... I mean there are only 17,891,328 available for use on my internal LAN.
 
Hahaha. This is such a joke. So, the standard is BS and no one uses them, and they're stupid, right? You can't be serious. I'll be sure to inform all the real engineers I work with that we can't use /31s anymore because mattjw doesn't approve. All this because you didn't know about something and you don't want to look stupid (though you're looking pretty stupid anyway)?

So you use /30s with 1918 addresses? Well that's just silly according to you. You should be using /24s or 16s since you have 17,891,328, right? Flawless logic, sir. It just gets better and better.

I'm dying to see what you have to say next.
 
I'm sure someone who thought they were a "real engineer" came up with the disaster listed above too, whatever that is.

Actually I have /30s because the internal address block was already allocated for a specific purpose and I didn't want to go through the trouble of requesting documentation changes, which is a huge deal on enterprise networks. Of course, that must not make me a "real engineer" because I like to have the documentation match the network...

I'll be sure to inform all the real engineers I work with that we can't use /31s anymore because mattjw doesn't approve.
Straw man much?
 
Straw man? Seriously? Pot, kettle?

This whole thing has been about you being wrong but trying to throw all sorts of BS to avoid it. You have side stepped every point I've made.

And, I knew it would get better. You're so committed to this that you're now saying that you wouldn't be using /30s if they weren't already allocated. Yet you recommended /30s in one of your first posts. Hilarious. So first /30s are good, but /31s aren't (after you actually learned what they are), but now you're only using /30s because they were already allocated, implying that you wouldn't use them if they weren't. You should really stop, really.

Oh, and I don't think you're a real engineer because you're obviously not able to learn anything or admit you're wrong. Those are detrimental traits for engineers to possess. You also can't seem to stop arguing about something you're clearly wrong about, as well as contradicting yourself repeatedly.
 
I don't think you know what straw man means or you wouldn't keep misrepresenting my position and attacking it. While you are practicing "engineering via googling" why don't you look up what it means.
 
Hahaha, "engineering via googling"? Nice. I'd take that to "engineering while being a close-minded imbecile who can't learn new things or admit he's wrong". Not the same ring, but appropriate.
 
Can't we just agree that both of you are right and get along?

Both ways will work.
 
Yes, it's possible to use /31's. BUT the OP isn't a guy running an enterprise class fully public ip network. The OP isn't a guy that knows very much about subnetting. The OP needs to learn the Cisco way of doing things before he can safely stray off into pro territory.

Matt/Vito- You're both right and you're both wrong, in your own ways, in the valid arguments you both created. Now shake hands and move on to the next flame.

[joke]
As for me, I use /16 on my private p2p links because I can. :-P
[/joke]
 
Wow, when I first read Vito_Corleone's post stating /31 I was like, uhh, you messed up there buddy. But I read those links, and I never knew you could use a /31 mask. Learned something new today, but as I'm still going for a CCNA I guess I learn lots of new things, LOL.
 
Yes, it's possible to use /31's. BUT the OP isn't a guy running an enterprise class fully public ip network. The OP isn't a guy that knows very much about subnetting. The OP needs to learn the Cisco way of doing things before he can safely stray off into pro territory.

Well, I wouldn't say I know very little. I have to use VLSM in most of my labs so I've got it down pretty good. I may not be a Jedi like you all, but I'll get there. :D

I will say that yes, I was confused by the /31 suggestion. In all of my lessons, /30 has always been suggested for point-to-point connections. Also, seeing as how you would use the network and broadcast IP's as host addresses, I didn't think it would work. Not taking sides, just saying what I've learned so far.


I take no offense to anyone who has suggested bringing in a consultant. I know I don't know everything, after all that's why I'm here. However, I feel pretty confident after getting some good suggestions. I may need to take some more time to do some network discovery here, but I'll get it.
 
I will say that yes, I was confused by the /31 suggestion. In all of my lessons, /30 has always been suggested for point-to-point connections. Also, seeing as how you would use the network and broadcast IP's as host addresses, I didn't think it would work. Not taking sides, just saying what I've learned so far.

It would work, you don't have to use those addresses as broadcast and host, it's just a standard. As long as the device you are using it on can understand the use of /31 masks, you'll be okay :)
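The /30 versus /31 disagreement running through this thread, and the caveat in the post just above that both ends must understand a /31 (RFC 3021), put into a small added example that is not part of the thread. The link pool 10.0.255.0/24 is an assumption. Python's ipaddress module applies the RFC 3021 rule itself, so the counts below are what a conforming device would see: a /30 gives two usable ends with a network and broadcast address around them, a /31 gives two usable ends and nothing else, and the same pool carves into twice as many /31 links as /30 links.

```python
"""Point-to-point link addressing: /30 versus /31 (RFC 3021).

Added example, not from the thread. The pool below is an assumption.
"""
from ipaddress import IPv4Address, IPv4Network

POOL = IPv4Network("10.0.255.0/24")  # assumed block reserved for links


def link_ends(link):
    """The two addresses configurable on the ends of a point-to-point link.

    /30: second and third address (network and broadcast are excluded).
    /31: both addresses, per RFC 3021; there is no broadcast address, so
    both ends must implement the RFC or the link will not come up cleanly.
    """
    ends = list(link.hosts())
    if len(ends) != 2:
        raise ValueError(f"{link} is not a two-address point-to-point prefix")
    return ends


def peer_of(addr, link):
    """Given one end of a link, the only address the far end can have."""
    addr = IPv4Address(addr)
    a, b = link_ends(link)
    if addr == a:
        return b
    if addr == b:
        return a
    raise ValueError(f"{addr} is not an end of {link}")


def carve_links(pool, prefixlen):
    """Consecutive point-to-point links carved from a pool."""
    if prefixlen not in (30, 31):
        raise ValueError("point-to-point links are /30 or /31")
    return list(pool.subnets(new_prefix=prefixlen))


def unusable_addresses(link):
    """Addresses in the link that cannot be assigned to either end
    (two for a /30, none for a /31)."""
    ends = set(link_ends(link))
    return [a for a in link if a not in ends]


def compare(pool):
    """Link count each scheme yields from the same pool."""
    return {p: len(carve_links(pool, p)) for p in (30, 31)}


if __name__ == "__main__":
    for prefixlen in (30, 31):
        first = carve_links(POOL, prefixlen)[0]
        print(first, "ends:", link_ends(first),
              "unusable:", unusable_addresses(first))
    print("links per /24:", compare(POOL))
```

Either scheme routes the same traffic; the difference is only the two addresses per link a /30 cannot hand to anyone, and whether every device on the link honours RFC 3021.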
 
Don't worry, you'll come to realize that in networking, and IT in general, people often choose unnecessarily obtuse solutions to simple problems. In fact, I've made a very good living cleaning up the disastrously implemented networks of others.

When you run your own ISP, then you can worry about conserving address space and using /31 networks for your p2p WAN links. Until then, stick with what is relevant to your goal and what is on the tests. While getting creative might work, I prefer to go with what will work.
 
It definitely will work. As others have said in here, they're using them. But, of course, you stick to your guns.
 
It definitely will work. As others have said in here, they're using them. But, of course, you stick to your guns.
I see nothing compelling here that warrants changing my opinion:

1. The OP is not concerned with running out of addresses.
2. This is not a publicly addressed WAN, it's a privately addressed LAN.
3. /30 is unarguably a more common approach.
4. /30 is the "right" answer for the CCNA.

Feel free to tell the rest of the viewers which one of the above is incorrect. Since you can't, I'm sure you'll draw some absurd conclusion that's completely incorrect from some random other post of mine and attack it.
 
Flame suit on.

While getting creative might work, I prefer to go with what will work.

It's not creative, it's called efficient.

It's not a case of "might work," it's a case of "does work."

I don't see what's so difficult about this :rolleyes:
 
I see nothing compelling here that warrants changing my opinion:

1. The OP is not concerned with running out of addresses.
2. This is not a publicly addressed WAN, it's a privately addressed LAN.
3. /30 is unarguably a more common approach.
4. /30 is the "right" answer for the CCNA.

Feel free to tell the rest of the viewers which one of the above is incorrect. Since you can't, I'm sure you'll draw some absurd conclusion that's completely incorrect from some random other post of mine and attack it.

He's not concerned with running out of addresses, so what? You could still be more efficient, or get in the habit of being efficient. If he's going to use /30s, why not use /31s? That's my question, which you haven't been able to answer, other than saying you've never seen them used so that means no one ever uses them and no one should.

More common != better. Things are more common until something better comes around and makes them legacy.

Why are we talking about the CCNA? I don't recall the thread being about subnetting practice on the CCNA. I thought we were talking about the real world.

And, what absurd conclusions have I drawn? If anything, I think you're the one being absurd. You won't even acknowledge the usefulness/benefits of /31s simply because you don't want to admit that you were wrong two pages ago, despite people other than me saying that this is common. You are apparently set in your ways and cannot open your eyes to new things. With that type of attitude I don't see how you could last in this field or be a "good engineer". I feel like we're going in circles here. Honestly, I don't see the point. Obviously you're going to continue saying you're right and I'm going to continue pointing out how wrong you are.
 
You won't even acknowledge the usefulness/benefits of /31s
Because there is no benefit to it on a private LAN with over 17 million available addresses, which is what this whole thread is about. The OP could use a /9 and it wouldn't make a lick of difference in reality. This is irrefutable.

More common != better.
Using common and accepted practices keeps my phone from ringing on nights and weekends.
 
Vito says that it's more efficient to use a /31 mask; I'll agree, less address usage. With that said, does it matter that he's on a private LAN? I think I would rather just use a /31 mask now even though it's a private network and forget about it. I mean, what if the company does manage to grow to huge proportions and down the road they decide it should have been done that way (hypothetical, I know). I don't even hold a CCNA and I know I would rather use the more efficient use of addressing even if only on a private LAN.
 
Save us the dribble matt. You're acting like we're running some blackbox O(n!) routing protocol on our backbones. /31 makes complete logical sense -- what's going to be on the other side if it's up? The only other possible address.

Can you use a /30? Absolutely -- and it will work great. But based on the way you quoted Vito, you didn't know that a /31 was valid -- just accept it already. The only call you'll be getting on the weekend about a /31 is from someone else at your place who doesn't know what it is. I learn new shit everyday from senior engineers and I don't whine about it; I embrace it.

And for the record, I've already exhausted all RFC1918 space long ago.

/deadthread.. NCAA championship is back on.
 
Matt, stop digging the hole deeper.
You didn't know what a /31 was and now you're trying to backpedal on it.

Just accept it.

If you're complaining about having virtually unlimited space, why are you suggesting a /30?
If you're suggesting a /30, you might as well suggest a /31.

Get over it - you're wrong.
 
1. The OP is not concerned with running out of addresses.
2. This is not a publicly addressed WAN, it's a privately addressed LAN.
3. /30 is unarguably a more common approach.
4. /30 is the "right" answer for the CCNA.
 
What is right for an exam is not always right for the real world.

You're making the argument that he doesn't NEED to be efficient because it's a small network--that's total horseshit and you ought to be ashamed of yourself.
 