Moving from L2 to L3 with a Cisco core

VeeDubbs (joined Dec 9, 2005)
All -

Our network used to be flat Layer 2 to all buildings. We are now working on doing L3 to all buildings.

Problem: With L2 across the entire campus, I could have a building on VLAN 40 (10.3.x.x subnet), and also have a server directly connected to the core on VLAN 40 as well. Now with L3 in place (and static routes in place, i.e., ip route 10.3.0.0 255.255.0.0 10.255.40.2), getting to that server directly connected to the core no longer works because traffic wants to head towards 10.255.40.2 first.

Any ideas? This is kind of beyond anything I've done before.

Hopefully I've explained it well enough!

Thanks!
 
Devices must be on the same subnet to communicate. A router (aka l3 switch in your specific case) will effectively be a translator for devices on different subnets to be able to talk to one another.

What you are wanting to do is use L3 to bridge the space between different subnets, i.e. VLANs.

In order for this to work you will need a Layer 3 router whether in the form of a true router or a switch at each location. You will then need to create whatever number of VLANs you want between each location and then use a routing protocol to allow the different subnets to communicate across. That or ....

Trunk all your layer 3 devices together and pass the vlans as required between switches. (Easiest method)

What kind of L3 hardware are you planning to use, how many VLANs, and how many sites? We can assist you with basic type configuration to get your gears turning and mind focused on a direction to go.
 
First off, tangoseal, you hurt my head. "Devices must be on the same subnet to communicate"? Huh?

Problem: With L2 across the entire campus, I could have a building on VLAN 40 (10.3.x.x subnet), and also have a server directly connected to the core on VLAN 40 as well. Now with L3 in place (and static routes in place, i.e., ip route 10.3.0.0 255.255.0.0 10.255.40.2), getting to that server directly connected to the core no longer works because traffic wants to head towards 10.255.40.2 first.

With a layer 3 switched network as you described, you effectively have a core switch at each building. All of your VLANs will be terminated at the layer 3 switch for that building. Services provided by servers will have their traffic routed at that point, unless you place a server in each building.

For example, at my last job we divided the base into 7 zones. Each zone had an ADN that contained a 6709 Cisco switch. All of the zones were linked with redundant routes to each other via OSPF.

Our Windows domain servers were all located at the main building. Each of the seven core switches' Data VLANs used helper addresses to forward broadcasts to the DHCP servers at the main building. The DHCP responses contained the IP addresses of the domain controllers, as well as that system's IP, mask, gateway, etc.

Without knowing what services your server provided on VLAN 40, we can't help much more. I hope my description gives you a basic idea of the design. It sounds like you are in over your head.

Also, when we migrated our base from tactical layer 2 to strategic layer 3, we built the new network parallel to the old and moved buildings over one at a time. But then, we had over 250 buildings to migrate.
 
Given that you said you're using Cisco, I pulled up some documents describing what I believe you're trying to do.

The thing with this stuff is that it's really kind of imperative that you actually understand what is happening and how, versus just finding some snippets to re-configure and keep trying until it seems to work. (Not that I'm trying to imply you're trying to skip/do shoddy work, just trying to illustrate that it's pretty important to really understand the mechanics.)

As all the above folks said, there's a few ways to tackle what you're doing, but I think for 'transparency' regarding the previous setup you can make it appear the same, given you understand how the VLANs are set up and configured in a routed network vs. a switched network.

This document discusses VLAN setup using IRB (not sure what you're currently using for hardware, but it's good to look at for principles and to get a feel of what the infrastructure would look like):

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml

If IRB is not possible, this document explains how you would alternately configure VLAN bridging/spanning. It's a bit lengthy but again, knowledge is power:

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dtbridge.html

And just for some other knowledge about potential issues:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800a7af6.shtml

VLANs are a bit tough at first when dealing with real L3 routing, but once you understand the principles and the tools it's not so bad. You just need to plan accordingly, and as above it is VERY VERY helpful to create a test/lab environment, throw in 2 or 3 of your 'routers' and set up a contained VLAN structure.

Get it to work in the lab, understand the quirks and programming, and then go live. It will be so much easier, and if issues crop up, you're not scrambling to fix the issue, having a building/portion of campus down, and/or reverting the entire network.

Hope the above helps some anyway and good luck!
 
Really depends on what the server is doing to offer the best solution. However, if it is just DHCP, then that is easily solved with the helper address command. Otherwise it may be easiest to just change the IP address of the server and update DNS; if it is local to the layer 2 LAN it is most likely just accessed by name anyway.

Otherwise, Google L2TPv3 and see if your hardware supports it. That is a technique to bridge L2 networks over L3 networks.
 
Now with L3 in place (and static routes in place, i.e., ip route 10.3.0.0 255.255.0.0 10.255.40.2), getting to that server directly connected to the core no longer works because traffic wants to head towards 10.255.40.2 first.
Since you are using static routes, there should be no problem with giving the server a new IP address and creating a static NAT entry on the router for building VLAN40. This will give you time to fix anything that uses the old, overlapping IP address.
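To make the problem in the original post and the renumber-plus-helper-address fix from the later replies concrete, here is an added Cisco IOS configuration sketch. It is not taken from any poster in this thread. The only values from the thread are VLAN 40, the 10.3.0.0/16 building subnet and the 10.255.40.2 next hop; the core side of the transit link (10.255.40.1/30), VLAN 41, the 10.4.41.0/24 server subnet, the server address 10.4.41.50 and the interface names are constructed for the example.

```cisco
! ===== Core switch: the state the original post describes (reconstructed) =====
! Transit link toward the building 40 L3 switch. The core-side address is
! constructed; the thread only gives the building side, 10.255.40.2.
interface GigabitEthernet1/0/48
 description Transit to building 40 L3 switch
 no switchport
 ip address 10.255.40.1 255.255.255.252
!
! The static route from the original post. Once the core no longer carries an
! SVI inside 10.3.0.0/16, this is its only path for 10.3.x.x, so packets for a
! server that kept its old 10.3.x.x address on a core access port in VLAN 40
! are forwarded toward 10.255.40.2 instead of out that port.
! (If the core still had a connected SVI in 10.3.0.0/16, the connected route,
! administrative distance 0, would beat this static route, AD 1, and the
! building hosts would be the unreachable ones instead.)
ip route 10.3.0.0 255.255.0.0 10.255.40.2
!
! ===== Core switch: fix by giving the core-attached server its own subnet =====
! The server is renumbered into a subnet that exists only at the core and its
! DNS record is updated, as the reply above suggests. Values are constructed.
vlan 41
 name Core-Servers
!
interface Vlan41
 description Gateway for servers attached directly to the core
 ip address 10.4.41.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Server, renumbered from 10.3.x.x to 10.4.41.50
 switchport mode access
 switchport access vlan 41
!
! The building route stays exactly as in the original post; it no longer
! overlaps anything the core hosts itself.
ip route 10.3.0.0 255.255.0.0 10.255.40.2
!
! ===== Building 40 L3 switch (constructed) =====
! VLAN 40 is now terminated here, so this SVI is the gateway for 10.3.0.0/16.
! If the renumbered server is the DHCP server, ip helper-address relays the
! clients' DHCP broadcasts to it as unicast across the routed link.
interface Vlan40
 description Building 40 user VLAN
 ip address 10.3.0.1 255.255.0.0
 ip helper-address 10.4.41.50
!
interface GigabitEthernet1/0/48
 description Transit to core
 no switchport
 ip address 10.255.40.2 255.255.255.252
!
! Everything not local to the building goes to the core.
ip route 0.0.0.0 0.0.0.0 10.255.40.1
```

The first block is the overlap itself: one prefix, 10.3.0.0/16, claimed both by a static route toward the building and by a host left on the core. The fix does not touch the route; it removes the overlap by moving the core-attached server into a subnet the core owns, and uses the relay so DHCP clients in the building still reach it. Before applying anything like this, confirm with `show ip route 10.3.0.0` on the core which route is actually installed for the prefix, since the symptom differs depending on whether a connected SVI in that range still exists.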
 