L2/L3 VLAN question - admin delete

RumorConsumer
Head in the Cloud


Hey all

Question for you

Let's say my network has a segment that looks like

MX --> L3 switch --> L2 switch on an access port providing the same VLAN to all its clients

Obviously the L2 switch can't do its own VLAN routing but I had never before thought about the implications of that. I had heard that the packets have to go all the way back to the router. Is that true? Can the L3 switch do it in this configuration? What are the laws of gravity here? Thanks y'all.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
29 Replies
PhilipDAth
Kind of a big deal

>I had heard that the packets have to go all the way back to the router.

If packets need to be routed between VLANs on the same L3 switch, then they need to go back to the default gateway of the VLANs concerned.

RumorConsumer
Head in the Cloud

@PhilipDAth @Inderdeep Thanks for the replies.

So am I to understand that if all clients are only members of a single VLAN and communicating to the internet and members of their own VLAN (FaceTime calls with each other), that an L3 switch and an L2 switch are going to be functionally equivalent here? There's no benefit to me to using an L3 switch in this scenario? Or am I reading that incorrectly?

PhilipDAth
Kind of a big deal

Correct.

Inderdeep
Kind of a big deal

You are right !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
RumorConsumer
Head in the Cloud

OK @Inderdeep @PhilipDAth that was round 1. Here is round 2.

Let's say that instead of the port connecting the L3 to the L2 switch being an access port, it's a trunk port with VLAN 1 as the default VLAN and VLAN 4 as a tagged VLAN. One port on the L2 switch is the uplink to the L3, but the other 7/8 ports on the L2 switch are MR52 access points that exist on VLAN 1 (default) but serve an SSID that corresponds to VLAN 4, and all client traffic both to and from the WAN as well as inter-client connection downstream of the L2 switch occurs on VLAN 4. Same thing?

PhilipDAth
Kind of a big deal

You are correct.

Inderdeep
Kind of a big deal

Right … any round 3 😊?

RumorConsumer
Head in the Cloud

@PhilipDAth @Inderdeep

"Right … any round 3 😀?"

Ok why not!

So then the only case where it makes sense to bring in an L3 switch instead of the L2 in this situation is where I would be introducing another VLAN into the mix, say on another SSID or tagged wired on an access port or something, and traffic would be communicating back and forth between VLANs. That's what I'm getting from this. As long as the VLAN traffic is going between like-like VLAN clients and to and from WAN, this is fine. But once there begins to be inter-VLAN communication, that's where it needs to return to the gateway, which makes sense on L2. But with an L3 switch, traffic doesn't need to return to the gateway. It can be switched at L3 however many levels below the gateway it is located. I have all that right?

PhilipDAth
Kind of a big deal

If the traffic volume is low, you would just stick with letting the MX do all the routing.

If the traffic volume was high, such as a 10GbE connected backup server, then you would want to use a layer 3 switch, because it can do routing at wire speed, considerably faster than an MX.

I only use L3 switches when the traffic volume is too great for an MX to handle.
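The round-3 exchange above (same-VLAN traffic is bridged locally, inter-VLAN traffic has to reach whichever device holds the VLAN gateways, and an L3 switch can be that device instead of the MX) can be traced with a small model. This is an added example written for this thread, not Meraki code or anything from the posters; the device names `L2A`, `L2B`, `L3SW`, `MX`, the VLAN numbers and the subnets are constructed for illustration. The `bypasses_mx_firewall` check captures the security caveat PhilipDAth raises later in the thread: once the L3 switch routes between VLANs, that traffic never passes the MX, so any access control for it has to live on the switch.

```python
"""Toy model of where inter-VLAN traffic is routed in the topology
MX -> L3 switch -> L2 switch(es) -> clients.
Constructed example, not Meraki code. Device names, VLAN numbers and
subnets are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    vlan: int
    attached_to: str  # name of the switch the host is plugged into


# Constructed tree topology: each device knows its upstream neighbour.
UPSTREAM = {"L2A": "L3SW", "L2B": "L3SW", "L3SW": "MX", "MX": None}

# Constructed VLAN -> subnet mapping. The default gateway of each VLAN
# lives on whichever device holds the SVI (the MX unless moved to L3SW).
SUBNETS = {1: ip_network("10.0.1.0/24"), 4: ip_network("10.0.4.0/24")}


def same_subnet(a: Host, b: Host) -> bool:
    """Hosts talk directly (no gateway) only when they share VLAN and subnet."""
    return a.vlan == b.vlan and ip_address(b.ip) in SUBNETS[a.vlan]


def _chain(device: str) -> List[str]:
    """Devices from `device` up to the root of the tree (the MX)."""
    chain = []
    while device is not None:
        chain.append(device)
        device = UPSTREAM[device]
    return chain


def path(src: Host, dst: Optional[Host], gateway_at: str) -> List[str]:
    """Ordered list of devices a packet from src traverses.

    dst=None means an Internet destination (always via the MX).
    gateway_at is the device routing between VLANs: "MX" when the MX is
    the default gateway for every VLAN, "L3SW" when the L3 switch holds
    the SVIs and routes the VLANs itself. It is assumed to be an ancestor
    of both hosts in this tree.
    """
    up = _chain(src.attached_to)
    if dst is None:
        return up + ["Internet"]
    down = _chain(dst.attached_to)
    if same_subnet(src, dst):
        # Bridged at L2: turn around at the lowest common switch.
        turn = next(d for d in up if d in down)
    else:
        # Routed: the frame is addressed to the gateway MAC, so it must
        # climb to the device that owns the gateway before coming back.
        turn = gateway_at
    return up[: up.index(turn) + 1] + list(reversed(down[: down.index(turn)]))


def bypasses_mx_firewall(src: Host, dst: Host, gateway_at: str) -> bool:
    """True when inter-VLAN traffic never touches the MX, so MX layer 3
    firewall rules cannot see it; ACLs then have to be on the switch."""
    return (not same_subnet(src, dst)) and "MX" not in path(src, dst, gateway_at)


if __name__ == "__main__":
    a = Host("laptop-a", "10.0.4.10", 4, "L2A")
    p = Host("printer", "10.0.1.20", 1, "L2A")
    for gw in ("MX", "L3SW"):
        print(gw, "->", " > ".join(path(a, p, gw)),
              "| MX firewall bypassed:", bypasses_mx_firewall(a, p, gw))
```

Run it as-is to see the two inter-VLAN paths side by side: with the gateways on the MX the printer traffic goes `L2A > L3SW > MX > L3SW > L2A`, with them on the L3 switch it goes `L2A > L3SW > L2A` and the MX never sees it.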

RumorConsumer
Head in the Cloud

@PhilipDAth oh wow. So you just let all the traffic zoom around undifferentiated in the switch? You're the pro here but doesn't that have some security concerns or no?

Ok so one more twist here is that the L2 switch is on the other side of a Ubiquiti wireless link (if Meraki made one that was as good I'd use it but the damn Ubiquiti point-to-point links are incredibly good) so there is a little extra latency involved if the packets have to do an extra trip. The traffic is not super low here. I have around 30 clients doing all manner of Zoom calls, downloads, all kinds of stuff all day. There is a segment of the network that is 10GbE and uses L3 10GbE switches for just that reason - lots of 10GbE large transfers happening regularly there. I have around 70 Mbit going up and down at any given moment on my network consisting of various backups and things, on a total 250/250 fiber line which we rarely but sometimes peg. The communications are the most important thing. I have QoS enabled and all that but my main concern is if I have to spend a little more to make it just that much more idiot proof if somebody initiates a large file copy across the regular network, I want my boss's Zoom or FaceTime or whatever to not miss a single beat.

PhilipDAth
Kind of a big deal

>So you just let all the traffic zoom around undifferentiated in the switch? You're the pro here but doesn't that have some security concerns or no?

No. You still use separate VLANs. You just decide where to do the inter-VLAN routing. An L3 switch is faster but costs more. An MX is cheaper and has more configurable security controls.

Both are valid options with different strengths and weaknesses.

Inderdeep
Kind of a big deal

@RumorConsumer To your round 3: design should always take future needs into consideration. If the MX can handle it, that is good of course, but if not, a layer 3 switch would be required.

RumorConsumer
Head in the Cloud

@PhilipDAth @Inderdeep man you guys are good. Thanks.

You learn something new every day.

Inderdeep
Kind of a big deal

Good luck @RumorConsumer 

RumorConsumer
Head in the Cloud

@PhilipDAth the other scenario where you couldn't get away with an L2 switch with multiple VLANs is if you wanted to create an access port for a wired client that couldn't do its own 802.1Q VLAN selection, correct? If you're just throwing MRs up there, no problem, as they handle the VLAN tagging to clients. But wired clients which can't do a virtual interface would necessitate the L3, or they'd be subject to obtaining an IP on the default VLAN, whatever it is on the nearest upstream port capable of setting a default VLAN. Yeah?

RumorConsumer
Head in the Cloud

@PhilipDAth Re

>@PhilipDAth the other scenario where you couldn't get away with an L2 switch with multiple VLANs is if you wanted to create an access port for a wired client that couldn't do its own 802.1Q VLAN selection, correct? If you're just throwing MRs up there, no problem, as they handle the VLAN tagging to clients. But wired clients which can't do a virtual interface would necessitate the L3, or they'd be subject to obtaining an IP on the default VLAN, whatever it is on the nearest upstream port capable of setting a default VLAN. Yeah?

---

Wondering how you handle this with L2 switches. Like my guess is you're doing mostly wireless deployments. I have a mixed network and I want my default VLAN separate from the client VLAN, so by necessity I'd need to be able to set the default VLAN on a smattering of ports to my client VLAN along the way, while some of them remain the standard default so that the MRs connected to them live on that VLAN. And then without 802.1Q, wired devices will default to the wrong VLAN. I'm saying all this so that you can confirm I am not a total moron and am not missing some massive piece of information that would change how I understand VLANs.

Bruce
Kind of a big deal

@RumorConsumer Layer 2 switches still support VLAN tagging on trunk ports, but if you use an access port to connect a PC you don't need it. An access port doesn't require tagging; you configure the VLAN it belongs to, and if traffic from this port then gets forwarded over a trunk the switch will add the VLAN (802.1Q) tag to the frame to indicate its VLAN.

So for PCs, etc. that only need one VLAN you use an access port and specify the VLAN, and the host doesn't need to know anything about VLAN tags (the VLAN is defined by the port setting). Where you need multiple VLANs, like to an access point or another switch, you use a trunk and the device needs to be able to tag traffic correctly - like an access point does.

RumorConsumer
Head in the Cloud

@Bruce this:

>So for PCs, etc. that only need one VLAN you use an access port and specify the VLAN, and the host doesn't need to know anything about VLAN tags (the VLAN is defined by the port setting).

This requires an L3 switch if I want to single out a port on a switch for use on my client VLAN (4) while my default is, say, 1. On an L2 switch all ports come out as whatever the default VLAN is on the last upstream port capable of setting a default VLAN.

>Where you need multiple VLANs, like to an access point or another switch, you use a trunk and the device needs to be able to tag traffic correctly - like an access point does.

Yeah - which is great if I'm just doing a bunch of MRs. But my situation is somewhat fluid in the sense that at any given moment I may need to change a room from just having an MR in it to being a lab with 5 wired clients plus that MR. So the MR's port would be trunk and SSID routed to VLAN 4, and the ports for all the wired machines would need to be flipped to access ports where VLAN 4 is the default so that all the clients join 4 without needing a virtual interface set up in their network config. All that make sense?

Bruce
Kind of a big deal

>This requires an L3 switch if I want to single out a port on a switch for use on my client VLAN (4) while my default is, say, 1. On an L2 switch all ports come out as whatever the default VLAN is on the last upstream port capable of setting a default VLAN.

I'm not sure what brand of switches you are using, but this is certainly not the case on Meraki Layer 2 switches. You can configure an access port to be any VLAN you want, and the switch tags it appropriately as it puts it onto the uplink, which is usually a trunk (so long as that VLAN is allowed on the trunk).

RumorConsumer
Head in the Cloud

@Bruce Yeah I think it would be good to clarify what we mean here. I'm referring to your standard Netgear managed switch versus a standard Netgear unmanaged switch. Managed versus unmanaged is what I'm calling level three versus level two. Level two being synonymous with having zero granular control over what each port does by virtue of there being no interface through which to modify them. An L2 Meraki switch is maybe L2+, which is probably what Netgear calls "managed", like this for example:

https://www.amazon.com/dp/B07L644PRY/ref=cm_sw_r_cp_api_glt_fabc_DQZH0E0H2C1FZ08Q2EK4?_encoding=UTF8...

Sure enough…

[attached screenshot]

Bruce
Kind of a big deal

If you're talking about unmanaged Layer 2 switches then your best bet is not to configure any connected devices with trunks, and to avoid using the 802.1Q tags altogether as you can't be sure how the switch will handle them. See this post, https://community.netgear.com/t5/Unmanaged-Switches-Forum/ingress-tagged-traffic-on-unmanaged-switch.... An unmanaged switch may drop the frame, may maintain the tag (potentially forwarding it out all ports in the event of a flood or broadcast), or it may forward it completely untagged - all of which are undesirable and may well result in bridging VLANs.

All the Meraki MS switches are managed switches which support VLANs, and so all can be configured with different VLANs on different access ports and with trunks containing multiple VLANs without issue.
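Bruce's two points (a managed L2 switch classifies untagged frames on an access port into the port's VLAN and tags them on the trunk uplink; an unmanaged switch is VLAN-unaware and may flood a tagged frame out every port, bridging VLANs) can be shown with a small frame-forwarding model. This is an added example written for this thread, not Meraki or Netgear code; the port names, VLAN numbers, MAC addresses and the choice that an access port drops tagged frames are assumptions made for the illustration, not a statement of any vendor's behaviour.

```python
"""Toy model of 802.1Q handling on a managed, VLAN-aware L2 switch versus
an unmanaged, VLAN-unaware one. Constructed example; port names, VLANs
and MACs are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    tag: Optional[int]  # 802.1Q VLAN id, None when the frame is untagged


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                           # "access" or "trunk"
    vlan: int = 1                       # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()    # VLANs carried tagged on a trunk


class ManagedSwitch:
    """VLAN-aware bridge: classifies on ingress, tags or strips on egress,
    and never forwards a frame out of a port that does not carry its VLAN."""

    def __init__(self, ports: Iterable[Port]):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}  # (vlan, mac) -> port name

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to on ingress, or None to drop it."""
        if port.mode == "access":
            # Assumption: a tagged frame arriving on an access port is dropped.
            return port.vlan if frame.tag is None else None
        if frame.tag is None:
            return port.vlan  # untagged on a trunk lands in the native VLAN
        return frame.tag if frame.tag in port.allowed else None

    def egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves `port`, or None if the port does not carry `vlan`."""
        if port.mode == "access":
            if vlan != port.vlan:
                return None
            return Frame(frame.src_mac, frame.dst_mac, None)
        if vlan == port.vlan:
            return Frame(frame.src_mac, frame.dst_mac, None)  # native: untagged
        if vlan in port.allowed:
            return Frame(frame.src_mac, frame.dst_mac, vlan)  # tagged
        return None

    def forward(self, ingress: str, frame: Frame) -> Dict[str, Frame]:
        """Return {egress port: frame as sent}. Unknown destinations are
        flooded, but only to ports that carry the frame's VLAN."""
        port = self.ports[ingress]
        vlan = self.classify(port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src_mac)] = ingress
        known = self.mac_table.get((vlan, frame.dst_mac))
        targets: List[str] = [known] if known else [n for n in self.ports if n != ingress]
        out = {}
        for name in targets:
            sent = self.egress(self.ports[name], vlan, frame)
            if sent is not None:
                out[name] = sent
        return out


class UnmanagedSwitch:
    """VLAN-unaware: no classification, the tag is left untouched, and an
    unknown destination is flooded out of every other port regardless of
    VLAN. This is the 'bridging VLANs' hazard in the post above."""

    def __init__(self, port_names: Iterable[str]):
        self.ports = list(port_names)

    def forward(self, ingress: str, frame: Frame) -> Dict[str, Frame]:
        return {n: frame for n in self.ports if n != ingress}


if __name__ == "__main__":
    sw = ManagedSwitch([
        Port("uplink", "trunk", vlan=1, allowed=frozenset({4})),
        Port("pc-lab", "access", vlan=4),
        Port("ap", "trunk", vlan=1, allowed=frozenset({4})),
        Port("printer", "access", vlan=1),
    ])
    print("lab PC broadcast:", sw.forward("pc-lab", Frame("aa:aa", "ff:ff", None)))
    um = UnmanagedSwitch(["p1", "p2", "p3"])
    print("unmanaged, tagged frame:", um.forward("p1", Frame("aa:aa", "ff:ff", 4)))
```

In the managed case the lab PC's untagged broadcast leaves the uplink and the AP trunk tagged with VLAN 4 and never reaches the VLAN 1 printer port; in the unmanaged case the same tagged frame is handed to every port, tag and all, which is why the advice above is to keep tagged traffic off unmanaged switches entirely.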

RumorConsumer
Head in the Cloud

@Bruce understood.

@PhilipDAth this might clear up a little misunderstanding. When you said L2, did you mean unmanaged or managed L2 (L2+ or whatever)?

PhilipDAth
Kind of a big deal

Managed.

RumorConsumer
Head in the Cloud

@PhilipDAth sorry for screwing up the nomenclature. I appreciate your time always. And @Inderdeep and @Bruce

So then we are agreed: managed switches whenever possible as opposed to unmanaged.

Imagine, if you would, my same question, but instead of L3 and L2, I meant an "L2+" managed vs standard unmanaged gigabit switch.

PhilipDAth
Kind of a big deal

>I have around 30 clients doing all manner of Zoom calls, downloads, all kinds of stuff all day

None of those things is likely to result in a client directly talking to another client; they all go via the Internet. The special exception is that you can create a more complex Zoom configuration to allow peer to peer communication. But if you are just using the standard software client and haven't done any special configuration, this won't be the case. If person 'A' calls person 'B' sitting next to them it will go to the Internet and back again.

Inderdeep
Kind of a big deal

@RumorConsumer: Lastly, I would say it doesn't matter how much traffic you are pushing from L2 to the MX; if it is capable then you are always good, but think of what your future needs are and how much more traffic you think will come and whether the MX will handle it.

RumorConsumer
Head in the Cloud

@Inderdeep to this:

>Lastly, I would say it doesn't matter how much traffic you are pushing from L2 to the MX; if it is capable then you are always good, but think of what your future needs are and how much more traffic you think will come and whether the MX will handle it.

you mean specifically inter-VLAN traffic, correct?

Inderdeep
Kind of a big deal

@RumorConsumer : yes 

Inderdeep
Kind of a big deal

When you say inter-VLAN routing, it requires the gateway to exit from one VLAN. We can do that on a layer 3 switch. Check the link below on layer 2 vs layer 3 switching and the routing between the VLANs:

https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_vs_Layer_2_Switching
