Michael McNamara
https://blog.michaelfmcnamara.com

VLANs and IP Routing on a Cisco Switch and Router
https://blog.michaelfmcnamara.com/2016/06/vlans-and-ip-routing-on-an-cisco-switch-and-router/
Thu, 16 Jun 2016 23:15:44 +0000

One of the most popular blog posts I’ve written in the past five years is VLANs and IP Routing on an Ethernet Routing Switch. It continues to be the top post on my blog, so I decided to write a follow-up using Cisco equipment. This has been covered many times on the Internet before, but I’m going to try to add my spin to it here. In this example I’m going to take a Cisco 1921 router and a Cisco 3560-CX switch and show two different examples of how you could design a simple topology.

Example 1 – VLAN Routing on Router (Layer 2 Switching)

In the old days, when we only had Layer 2 switching, we could create an 802.1Q/ISL trunk between the switch and the router and route on the physical router itself. The switch had an IP address only for management and was generally incapable of routing traffic. The router held the IP address for every VLAN, and that address was the default gateway for every device in that specific VLAN. If there is no WAN or Internet link this topology is often referred to as a router on a stick. The topology might look something like this:

[Figure: VLAN-IP-Routing-Cisco-2]

This was, and still is, a widely accepted design, although it has significant limitations since the legacy Cisco router is generally not capable of wire-speed routing. In the case of the Cisco 1921 it can handle anywhere from 68Mbps to 110Mbps depending on packet size and configured features. Lots of people upgrade their Layer 2 switches to Gigabit only to later figure out that they can’t achieve Gigabit speeds between VLANs, because they are routing between VLANs on a legacy software-based router.

Example 2 – VLAN Routing on Switch (Layer 3 Switching)

The newer accepted design is to do Layer 3 switching (routing) right on the switch itself, with no need to include the legacy router. The IP interface for each VLAN is moved to the switch, and traffic between those VLANs doesn’t need to leave the physical switch. That topology might look something like this:

[Figure: VLAN-IP-Routing-Cisco-1]

In this design all the internal routing occurs on the Cisco 3560, which is capable of wire-speed switching and routing thanks to its ASIC hardware. We can now achieve near-Gigabit transfer speeds between the VLANs; the only real variable is the speed of the actual source and destination devices (servers, laptops, desktops, etc.). We isolate the WAN router so it’s only required when we need to communicate with the WAN or Internet. We might only have a 50Mbps Internet connection, so the legacy router is capable of handling that amount of traffic and provides additional features such as NAT for hiding our private network from the public Internet.

So what does the configuration look like? It’s actually pretty straightforward:

Example 1 – Cisco 3560-CX Switch

enable
config t

username mike privilege 15 secret mypassword
enable secret myenable

vlan 100
 name "VLAN_100"
vlan 200
 name "VLAN_200"

inter vlan 1
 ip address 192.168.1.10 255.255.255.0
 no shut

inter range gig0/1-2
 switchport mode access
 switchport access vlan 1
inter range gig0/3-4
 switchport mode access
 switchport access vlan 100
inter range gig0/5-6
 switchport mode access
 switchport access vlan 200
inter gig0/10
 switchport mode trunk

line vty 0 4
 login local 

Example 1 – Cisco 1921 Router

enable
config t

username mike privilege 15 secret mypassword
enable secret myenable

inter gig0/0.1
encapsulation dot1q 1
ip address 192.168.1.1 255.255.255.0
description VLAN_1
exit

inter gig0/0.100
encapsulation dot1q 100
ip address 192.168.100.1 255.255.255.0
description VLAN_100
exit

inter gig0/0.200
encapsulation dot1q 200
ip address 192.168.200.1 255.255.255.0
description VLAN_200
exit

line vty 0 4
 login local

Let’s look at the commands needed for the second example. You’ll notice that I added a few IP routes to the configuration: a default route on the Cisco 3560 forwarding traffic to the Cisco 1921, and IP routes on the Cisco 1921 for the IP subnets we configured on the Cisco 3560. It’s not enough that the network knows where to send traffic to the destination; it also needs to know how to send the replies back to the source devices, so we need routes in both directions.

Example 2 – Cisco 3560-CX Switch

enable
config t

username mike privilege 15 secret mypassword
enable secret myenable

vlan 100
 name "VLAN_100"
vlan 200
 name "VLAN_200"

inter vlan 1
 ip address 192.168.1.1 255.255.255.0
 no shut

inter vlan 100
 ip address 192.168.100.1 255.255.255.0
 no shut

inter vlan 200
 ip address 192.168.200.1 255.255.255.0
 no shut

! Enable IPv4 routing between the VLAN interfaces; the 3560 will not route without it.
ip routing

inter range gig0/1-2
 switchport mode access
 switchport access vlan 1
inter range gig0/3-4
 switchport mode access
 switchport access vlan 100
inter range gig0/5-6
 switchport mode access
 switchport access vlan 200

inter gig0/10
 desc UPLINK_C1921
 no switchport
 ip address 192.168.255.1 255.255.255.252
 no shut

ip route 0.0.0.0 0.0.0.0 192.168.255.2

line vty 0 4
 login local 

Example 2 – Cisco 1921 Router

enable
config t

username mike privilege 15 secret mypassword
enable secret myenable

inter gig0/0
 descr UPLINK_C3560
 ! /30 mask so it matches the switch side of the point-to-point link
 ip address 192.168.255.2 255.255.255.252
 no shut
 exit

ip route 192.168.1.0 255.255.255.0 192.168.255.1 
ip route 192.168.100.0 255.255.255.0 192.168.255.1 
ip route 192.168.200.0 255.255.255.0 192.168.255.1 

line vty 0 4
 login local
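The second example only works when both sides agree: the point-to-point link must use the same mask on the switch and the router, the switch needs its default route towards the router, and the router needs a return route for every VLAN subnet that lives on the switch. Below is an added Python script (not part of the original post, and not Cisco tooling) that reads the two configurations the way `show running-config` expands them (full interface names such as `Vlan100` and `GigabitEthernet0/10`) and reports anything missing. The embedded configurations are constructed copies of the Example 2 configs above, plus a deliberately broken router config with a /24 on the uplink and the VLAN 200 return route left out; the interface names passed to `check_topology` are the uplink ports used in the example.

```python
import ipaddress
import re

# Constructed copies of the post's "Example 2" configurations, reduced to the
# lines this check needs and written the way "show running-config" expands
# them (full interface names). The router's uplink carries the /30 that
# matches the switch side.
SWITCH_CONFIG = """
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
interface GigabitEthernet0/10
 no switchport
 ip address 192.168.255.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.255.2
"""

ROUTER_CONFIG = """
interface GigabitEthernet0/0
 ip address 192.168.255.2 255.255.255.252
ip route 192.168.1.0 255.255.255.0 192.168.255.1
ip route 192.168.100.0 255.255.255.0 192.168.255.1
ip route 192.168.200.0 255.255.255.0 192.168.255.1
"""

# Constructed broken variant: /24 on the uplink (mask mismatch with the
# switch's /30) and no return route for VLAN 200.
ROUTER_CONFIG_BROKEN = """
interface GigabitEthernet0/0
 ip address 192.168.255.2 255.255.255.0
ip route 192.168.1.0 255.255.255.0 192.168.255.1
ip route 192.168.100.0 255.255.255.0 192.168.255.1
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


def parse_ios(config):
    """Return ({interface name: IPv4Interface}, [(IPv4Network, next hop)])."""
    interfaces, routes, current = {}, [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # ipaddress accepts a dotted-decimal netmask after the slash
            interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"),
                           ipaddress.IPv4Address(m.group(3))))
    return interfaces, routes


def check_topology(switch_cfg, router_cfg, switch_uplink, router_uplink):
    """Return a list of problems; an empty list means traffic is routed both ways."""
    sw_ifaces, sw_routes = parse_ios(switch_cfg)
    rt_ifaces, rt_routes = parse_ios(router_cfg)
    sw_link, rt_link = sw_ifaces[switch_uplink], rt_ifaces[router_uplink]
    problems = []

    # 1. Both ends of the point-to-point link must agree on the subnet.
    if sw_link.network != rt_link.network:
        problems.append(f"link mismatch: {sw_link} on switch vs {rt_link} on router")

    # 2. The switch needs a default route whose next hop is the router's link address.
    if not any(net.prefixlen == 0 and nh == rt_link.ip for net, nh in sw_routes):
        problems.append(f"switch has no default route via {rt_link.ip}")

    # 3. Every VLAN subnet on the switch needs a return route on the router
    #    pointing at the switch's link address, or replies never come back.
    for name, iface in sw_ifaces.items():
        if name == switch_uplink:
            continue
        if not any(net == iface.network and nh == sw_link.ip for net, nh in rt_routes):
            problems.append(f"router has no return route for {iface.network} ({name})")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", ROUTER_CONFIG), ("broken", ROUTER_CONFIG_BROKEN)):
        found = check_topology(SWITCH_CONFIG, cfg, "GigabitEthernet0/10", "GigabitEthernet0/0")
        print(label, found or "OK")
```

The checker only understands static routes and the `ip address` form used in these examples; it is meant as a pre-change sanity check on pasted configs, not as a replacement for `show ip route` on the live devices.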

Cheers!

Note: Thanks to Cisco for providing the equipment I’m using today, it’s a small switch and router but it’s really helpful when working through example topologies to work on real equipment.

Layer 3 Access Port Adoption
https://blog.michaelfmcnamara.com/2007/11/layer-3-access-port-adoption/
Fri, 23 Nov 2007 15:00:00 +0000

The release of v3.x software for the Motorola WS5100 and v1.x software for the Motorola RFS7000 finally supports the deployment of Layer 3 Access Ports (APs that can be deployed across a Layer 3 network, as opposed to those that can only be deployed across a Layer 2 network).

The latest release of firmware for the AP300 will first attempt to locate a wireless switch for adoption via a Layer 2 broadcast request. If it’s unable to locate a wireless switch, it will make a DHCP request for an IP address. If the DHCP response does not include option 189 (string), it will make a DNS request to try to locate the wireless switch.

There are two ways the Access Port can locate the Wireless LAN Switch (WS5100/RFS7000) in Layer 3 mode:

  • DHCP Option
  • DNS Query

You can use DHCP and configure option 189 (string) with the IP address of the Motorola Wireless LAN Switch. You should note that you may need to enclose the string in quotation marks depending on your DHCP server software.

You can also create a DNS alias which the AP can use to locate the switch through a DNS query. The default DNS name requested by an AP300 is “Symbol-CAPWAP-Address”.
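The two discovery methods above, written out as server configuration. This is an added example, not from the original post or from Motorola’s documentation; it assumes an ISC DHCP server and a BIND-style zone file, the constructed addresses 192.168.50.0/24 for the AP subnet and 192.168.10.5 for the wireless switch, and that the AP looks the default name up in the domain handed out by DHCP (example.net here). Check your own DHCP server’s syntax for whether the string value needs quoting.

```conf
# --- dhcpd.conf (ISC DHCP) ---
# Declare option 189 as a text (string) option so it can be referenced by name.
option symbol-wlan-switch code 189 = text;

subnet 192.168.50.0 netmask 255.255.255.0 {
  range 192.168.50.100 192.168.50.200;
  option routers 192.168.50.1;
  option domain-name-servers 192.168.50.10;
  option domain-name "example.net";
  # IP address of the WS5100/RFS7000, handed to the AP300 as option 189
  option symbol-wlan-switch "192.168.10.5";
}

# --- example.net zone file (BIND) ---
# Fallback for APs that get no option 189: the default name the AP300 queries.
Symbol-CAPWAP-Address   IN  A   192.168.10.5
```

With both in place an AP that misses the DHCP option still finds the switch through DNS, which is useful while migrating DHCP scopes; keeping the two pointing at the same address avoids APs adopting to different switches depending on which path they took.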

You might also notice that the AP300 supports LLDP (802.1ab) if your Ethernet switch supports it.

Cheers!

Update: August 27, 2008
I should point out that you may need to “prime” the AP300 with the latest firmware by connecting it to a WS5100/RFS7000 over a Layer 2 network. If the AP300 has older firmware, it won’t be able to connect over a Layer 3 network, so you may need to connect it over a Layer 2 network first to allow the AP300 to upgrade, after which you’ll be able to connect it over a Layer 2/3 network. The AP300 will automatically upgrade once it connects to the WS5100/RFS7000; there’s nothing that needs to be done by the user or administrator. The WS5100/RFS7000 will need to be running v3.x or v1.x respectively.

Cheers!
