What Device/System to use as a “router on a stick”

routingvlan

I need to create several distinct VLANs, and provide a way for traffic to move between them. A "router on a stick" approach seems ideal:


                                Internet
                                   |
                      Router with Trunking Capability ("router on a stick")
                                   *
                                   *  Trunk between router and switch
                                   *
                      Switch with Trunking Capability
                       |      |       |      |      |
                       |      |       |      |      |
                       |    LAN 2     |    LAN 4    |
                       | 10.0.2.0/24  | 10.0.4.0/24 |
                       |              |             |
                     LAN 1          LAN 3         LAN 5
                  10.0.1.0/24    10.0.3.0/24   10.0.5.0/24

We have trunk-capable Layer-2 switches. The question is what to use as the router on a stick. My choices seem to be:

Use an existing Cisco 5505 ASA firewall. It appears the ASA can do the routing, but it's a 100Mbps device, and so seems sub-optimal at best
Buy a router. This seems overkill.
Buy a Layer-3 switch. Also seems overkill.
Use an existing, shared Linux Box as a router (e.g. the NIS server)
Use a dedicated Linux box as a router
Something I'm not thinking of

I think either (4) or (5) is my best option, but I'm not sure how to choose between them. I expect the amount of traffic that has to cross the VLANs to be somewhat small, but bursty. How much load does routing add to a CentOS machine?

Best Answer

Option 1 is good as:

ASA hardware is very reliable and if you have add-on module like CSC then you get anti-virus protection between LANs (For HTTP/FTP/SMTP/POP3 Only).
If you are using ASA you reduce points of failure and you would already be familiar with ASA firewall syntax.

Option 2 and 3 are not desirable due to cost over head.

Option 4 and 5 both are ok. If your NIS server remains up most of the time and does not require tinkering. If you use NIS server for interVLAN routing then whenever you reboot server for maintenance, network will stop working. If NIS server is not reliable or requires frequent reboots then dedicated server is better. Again depends on how much cost of one additional server matters.

Option 4 and 5 will allow you to put basic firewall rules in iptables if you want to allow only certain type of interVLAN traffic. You can also capture packets using tcpdump/wireshark and analyze in case of problems. Having a Linux machine as main router would be heaven for people who want to learn network diagnostics by capturing and analysing packets. You can also run DHCP server on this machine, since you do not have Layer 3 switch you cannot specify 'ip helper-address', so this is the only way to have centralized DHCP server without having a L3 switch.

Related Solutions

VLAN over WAN

Firstoff, the Cisco 2821 is just a router. I don't know where you've gotten this "layer 2 router" business from (the statement is an oxymoron in itself), but a 2821 is a perfectly capable IP router.

You don't want to extend a layer 2 broadcast domain across a VPN. You won't like how it performs.

Let's call your existing location "site A" and the new location "site B". Let's call the networks:

Site A Data subnet - VLAN id 1 - 192.168.0.0/24
Site A Voice subnet - VLAN id 2 - 192.168.1.0/24
Site B Data subnet - VLAN id 1 - 192.168.2.0/24
Site B Voice subnet - VLAN id 2 - 192.168.3.0/24

In your 2821's, you'd setup an IPSEC tunnel between the sites. Here's a decent example using a static key: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Once you've got that, you'll create VLAN interfaces on the routers on each end, assigning the routers IP addresses in each VLAN:

Router in Site A:

interface FastEthernet0/0
no ip address
no shutdown
interface FastEthernet0/0.1
encapsulation dot1q 1 native
ip address 192.168.0.1 255.255.255.0 
interface FastEthernet0/0.2
encapsulation dot1q 2
ip address 192.168.1.1 255.255.255.0

Router in Site B:

interface FastEthernet0/0
no ip address
no shutdown
interface FastEthernet0/0.1
encapsulation dot1q 1 native
ip address 192.168.2.1 255.255.255.0 
interface FastEthernet0/0.2
encapsulation dot1q 2
ip address 192.168.3.1 255.255.255.0

Assuming you've set the IPSEC tunnel up properly w/ the proper addresses being excluded from NAT, traffic between the various subnets in the sites will be transparently encrypted and sent to the other end. The routers at each end will, because of their VLAN interfaces and static routing table entries, automatically tag traffic with the appropriate VLAN tags and drop them onto the Ethernet.

You'll need to configure the switches at both ends with trunk ports to connect the routers to, and you'll have to figure out how to integrate the Site A router into your existing routing topology re: the existing ASA-5505, but this should give you enough to go on to get started.

Firewall – VLAN ACLs and when to go Layer 3

Keep in mind that, fundamentally, if two hosts are configured with IP addresses in different subnets those hosts will need to communicate through one or more routers with interfaces in their respective subnets in order to communicate. A "layer 3 switch" isn't anything more than a router with the ability to create virtual interfaces that are exposed to the broadcast medium of a VLAN.

re: #1 - To conceptualize VLANs, just imagine that the ports in each VLAN are a physically disperate switch. In a flaw-free VLAN implementation (where traffic can't "leak" between VLANs) that's the effective behavior-- each VLAN acts as a separate switch. ACLs applied at layer 2 will name only MACs (and, if the switch supports quasi-layer 1 ACLs, ports). Any ACLs naming IP addresses, TCP ports, etc, aren't layer 2 ACLs. (There may be switches that have "layer 2.5" functionality whereby they examine the payloads of IP packets without actually being able to route packets, but I'd be wary of such things.)

re: #2 - VLAN tags allow the traffic of multiple VLANs to be carried on a single port, typically called a "trunk". You can conceptualize them as virtually subdividing a connection between two devices into smaller "ports" that each carry the traffic for a single VLAN. There's nothing you can do with "trunking" that you couldn't do by using multiple non-trunked ports, but using trunk ports and tagging packets allows you to carry the traffic of multiple VLANs between physically disperate switches w/o using a large number of physical ports for inter-switch links.

re: #3 - Routing IP between different subnets (irrespective of VLANs-- it's typically convenient to have a 1:1 relationship between VLANs and subnets, but it's not required) requires a routing capability. If you need to route IP between different subnets then you need a router. It could be an embedded layer 3 entity in a switch, or it could be a "router on a stick". Anything that can route IP between different subnets is a router. re: ACLs - Like I said in #1-- I'd be wary of a device that did "quasi layer 3" functions. Either it's a router or it isn't.

A couple decent background questions:

Best Answer

Related Solutions

VLAN over WAN

Firewall – VLAN ACLs and when to go Layer 3

Related Topic