
How a router on a stick routes between vlans

A host belonging to a VLAN attached to a specific physical port, for example, VLAN 10 in port FastEthernet0/10, is usually not able to communicate to a host attached to another VLAN, for example, VLAN 11 attached to port FastEthernet0/11. They belong to different networks, different broadcast domains, and switches do not know how to forward packets from one network to another. The process of forwarding packets from a network to another is called routing and you must use a router to accomplish this.

I think you are generally on the right track - but you need to ask yourself a question: why does "routing between VLANs" become such an interesting question? Getting to the heart of that question will help you self-critique your network design. And since you appear to be doing this for the learning, the self-critique will be more valuable than just specifically commenting on details.

I believe that in most cases there needs to be a good reason behind each VLAN, a reason that it exists. In well thought out networks there are a few good reasons to use VLAN:

- To segregate traffic into security zones (i.e., DMZ vs internal or RED zone/Black zone designs).
- To simulate multiple physical switches when resources don't allow physical separation (i.e., separating your "storage" network from your "workstation" network or your "VM Migration" network).
- To separate the network into functional zones (the "front side" web access vs "back side" database access, or to separate "bearer path" from "control plane" from "administrative access").
- To separate different "tenants" from seeing each other's traffic (i.e., tenant networking in an openstack cluster).

When constructed for these reasons it quickly becomes obvious that (1) there is limited traffic that should ever be crossing between VLANs and (2) the traffic that does cross really needs filter, firewall, IDS and perhaps logging.

Again - be self-critical of your approach. Ask yourself why this is even an interesting question (e.g., instead of asking yourself "what's the best way to do inter-VLAN routing?" perhaps you should be asking yourself "why do I need so much inter-VLAN routing... is this even a good use of VLAN?"). Because if the reason is simply that "I have a lot of traffic between these two VLANs" you really ought to rethink why they are segregated into VLANs in the first place. Perhaps there are good reasons for doing so much inter-VLAN traffic - but you should really understand those reasons and be able to defend them (at least to yourself) before you get too gung-ho on how to implement it.

And if you get these reasons "right" there will actually be limited traffic flowing between VLANs at all - and the traffic that does cross will almost always be subject to filtering/firewall/IDS needs. So, at the end of the day, if you find enough traffic flowing between VLANs that switch-level performance is even interesting to consider, then you might need to re-consider the design itself. While there are exceptions to everything, in most cases you probably want to do the inter-VLAN routing in your router/firewall rather than using a lot of layer-3 functions in the switches themselves.

Again - every rule has its exceptions and there are good reasons you might want to do some layer-3 work in your switch. But IMNSHO, if you find yourself doing this you should know and really understand the reason for it.

I would concur with the sentiment of let the switches do L3 between VLANs as long as it is just routing and you are not trying to do packet filtering, firewall or NAT. You can let the VLANs provide the separation of networks and not dedicate physical hardware to each purpose. Unless your ex3300's are in different locations or you need a lot of 1G ports, you could also cut down to just one or 2 there.

The stacking on ex3300's is ok if you need it for something specific, but there is no great speed advantage as the ports are still 10G (they can't go up to 25G or anything since they are older Broadcom silicon). The stacking would be helpful if you were going to spread your LAGs across multiple physical switches to keep the links alive if you lose a switch, but that is overkill unless you just want to do it for experience with Junos. If you want higher throughput, make your Quanta the core switch and then connect the ex3300's to that acting as edge switches breaking out your 10G to 1G. If you only have 2 boxes with > 1G ports, then all of this is overkill until you add more. If you want to save power, just get a pair of 40G NICs and connect the VM and SAN servers directly, omit the Quanta, and only have enough ex3300's to meet your 1G port needs.
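As an added example (not taken from any of the posts above), this is a minimal router-on-a-stick configuration in Cisco IOS syntax for the two VLANs the first explanation uses: access ports for VLAN 10 and VLAN 11, one 802.1Q trunk to the router, one subinterface per VLAN on the router that does the actual routing, and an extended ACL that permits only the inter-VLAN flows that are needed and logs everything else, which is the "filter, firewall and logging" point the design advice makes. The trunk port FastEthernet0/24, the router interface FastEthernet0/0, the 192.168.10.0/24 and 192.168.11.0/24 addressing, the server addresses and the ACL name are assumptions for the example.

```cisco
! --- Switch (Catalyst IOS): one access port per VLAN, one 802.1Q trunk to the router
vlan 10
 name WORKSTATIONS
vlan 11
 name SERVERS
!
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 11
!
interface FastEthernet0/24
 description Trunk to router (router on a stick) - assumed port
 ! older Catalyst platforms also need: switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11
 switchport nonegotiate
!
! --- Router (IOS): one physical link, one dot1Q subinterface per VLAN
! Hosts in VLAN 10 use 192.168.10.1 and hosts in VLAN 11 use 192.168.11.1 as default gateway
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-TO-VLAN11 in
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.11.1 255.255.255.0
!
! Filter what VLAN 10 may send into VLAN 11 and log every other attempt (assumed server addresses)
ip access-list extended VLAN10-TO-VLAN11
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.11.20 eq 443
 permit udp 192.168.10.0 0.0.0.255 host 192.168.11.10 eq 53
 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 log
 permit ip 192.168.10.0 0.0.0.255 any
```

The ACL is stateless and only filters what VLAN 10 initiates towards VLAN 11, so stateful inspection (for example an IOS zone-based firewall, or a dedicated firewall as the advice above suggests) is the next step once more than a couple of flows need to cross.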
