ASK THE EXPERT - HIGH AVAILABILITY IN CAMPUS NETWORKS

Mar 23rd, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Bobby Thekkekandam the concepts and best practices for high availability and redundancy within a campus network, including redundant hardware, processors, and line cards. Bobby joined Cisco Systems, Inc. in the Customer Proof of Concept (CPOC) lab in 1998, and has been an engineer in the Technical Assistance Center (TAC) LAN switching group since 2002. His current responsibilities include escalations and troubleshooting complex issues related to the Cisco Catalyst series switches, as well as providing training.


Remember to use the rating system to let Bobby know if you have received an adequate response.


Bobby might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 6, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

sanjay.sangwan Sun, 03/25/2007 - 05:04

Hi,


I want to know whether 3 different FWSM modules in 3 different Cat 6500 switches can act as redundant to each other. Suppose switch1 is primary, switch2 is the HSRP secondary standby and switch3 is a 3rd standby in the same HSRP group.

The FWSM module in switch1 is active and the one in switch2 is standby; how can I make use of the 3rd FWSM in switch3? Can it also join the FWSM redundancy group?


Sanjay



Bobby Thekkekandam Sun, 03/25/2007 - 07:16

Hi Sanjay,


While it would be a nice feature to have, FWSM failover only has support for an active and standby unit.


HTH,


Bobby

arnaud.gte Mon, 03/26/2007 - 02:53

hi,

I have a question about the release note 12.1(22)EA9 for the Cat2950. I found that this release is listed just below the version 12.1.22-EA8a.


For example:

12.1.22-EA8a (ED)

12.1.22-EA6a (ED)

12.1.22-EA5a (ED)

12.1.22-EA4a (ED)

12.1(22)EA9


Why does the download page recommend that? Does that mean the version 12.1.22-EA8a (ED) is more recent than 12.1(22)EA9, and we should choose 12.1.22-EA8a?


The download web page link:

http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?get_crypto=&data_from=&hardware_name=&software_name=&release_name=&majorRel=12.1&state=&type=



Thank you and best regards

Bobby Thekkekandam Tue, 03/27/2007 - 12:06

Hi,


Thank you for your question, but your question is unrelated to the topic of High Availability or Redundancy in switched networks, so I would suggest posting your question as a new topic in the "LAN Switching and Routing" section.


thanks,


Bobby


n.nojkovska Tue, 03/27/2007 - 02:40

Hello all,

This is the first time I have joined this kind of discussion. I hope that I am doing it the right way.

So now my question:

Could any of you compare for me the Cisco 2811 router and any Layer 3 switch in terms of the throughput supported?

One of my clients is asking me whether it is best for him to buy a router or a Layer 3 switch, and what throughput is supported by each one.

Thanks for your time.


Bobby Thekkekandam Tue, 03/27/2007 - 12:06

Hi Nojkovska,


Thank you for your question, but your question is unrelated to the topic of High Availability or Redundancy in switched networks, so I would suggest posting your question as a new topic in the "LAN Switching and Routing" section.


thanks,


Bobby



kirkster Tue, 03/27/2007 - 04:23

Hi Bobby,

I have four copper gigabit connections between a 6513 and a 2-switch 3750 stack (on the gigabit SFPs). I have placed all of these in an EtherChannel to give me a 4 Gig pipe. However, since I am using cross-stack EtherChannel, I have had to force the channel group to be on; desirable is not an option in this config. This all works fine but I am worried about a loop occurring in case of a fault. I thought there used to be a type of EtherChannel spanning tree tool to guard against this?


What would you recommend? Since the customer does not require anything like 4 gig of bandwidth, I thought of breaking the EtherChannel into two separate 2-gig bundles, one on each 3750 in the stack, so that I can run desirable mode.


What do you think?


Thanks, Steve

Bobby Thekkekandam Tue, 03/27/2007 - 12:12

Hi Steve,


Using mode "on" disables channel negotiation as you know, which can potentially mask underlying problems.


If the channel partner supports it, you can use LACP to negotiate the channel. LACP does support cross-stack channeling. Please refer to the following document for more info:


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sec/3750scg/


HTH,


Bobby


kirkster Wed, 03/28/2007 - 01:26

Thanks Bobby !! That fixes my problem !!

Regards,

steve

Akhilbindal Tue, 03/27/2007 - 04:47

Hi Bobby,


I have a query on the High Availability and Redundancy model in a Campus LAN.


What would be the best practice model for High Availability and Redundancy at both L2 (STP) and L3 (HSRP, GLBP, etc.) to be implemented in a Campus LAN when we have multiple VLANs which are extended VLANs (on different switches across the campus)? Could you please elaborate with an example and a diagram as an example to be followed?


Thanks


Akki



Bobby Thekkekandam Wed, 03/28/2007 - 10:09

Hi Akki,


For STP, Cisco's best practices are the following:


- Do not change timers, as this can adversely affect stability.

- Ideally, keep user traffic off the management VLAN.

- Do not over-design redundancy.

- Keep the total STP diameter under seven hops.

- Influence and know where Root functionality and blocked ports reside, and document them on the topology diagram.

- Prune unnecessary VLANs off trunk ports.


For more detail on these best practices please refer to the following document:

http://www.cisco.com/en/US/customer/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#stp


For HSRP/GLBP, best practices are going to vary by topology, but for a great example, please refer to page 12 of the following PDF:


http://www.cisco.com/warp/public/779/largeent/learn/technologies/campuslan.pdf
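As an added illustration (not from Bobby's answer or any Cisco tool), a small Python audit of a constructed six-switch topology that elects the root bridge, locates the blocked ports and checks the spanning-tree diameter against the seven-hop guideline; bridge priorities, MACs and link costs are made up.

```python
# Added example: audit a constructed topology against two STP guidelines above:
# know where the root and blocked ports sit, keep the diameter at or below seven.
from collections import deque

# Constructed bridges (priority, MAC) and gigabit links (802.1D cost 4); all made up.
BRIDGES = {"core1": (4096, "0000.0000.0001"), "core2": (8192, "0000.0000.0002"),
           "dist1": (32768, "0000.0000.0011"), "dist2": (32768, "0000.0000.0012"),
           "acc1": (32768, "0000.0000.0021"), "acc2": (32768, "0000.0000.0022")}
LINKS = [("core1", "core2", 4), ("core1", "dist1", 4), ("core2", "dist2", 4),
         ("dist1", "dist2", 4), ("dist1", "acc1", 4), ("dist2", "acc1", 4),
         ("dist1", "acc2", 4), ("dist2", "acc2", 4)]

def elect_root():
    """Lowest bridge ID (priority, then MAC) becomes root."""
    return min(BRIDGES, key=BRIDGES.get)

def root_path_costs(root):
    """Dijkstra from the root: bridge -> (root path cost, upstream bridge);
    equal costs go to the lower upstream bridge ID, as 802.1D does."""
    best, frontier = {root: (0, None)}, [root]
    while frontier:
        cur = min(frontier, key=lambda n: best[n][0])
        frontier.remove(cur)
        for a, b, cost in LINKS:
            nbr = b if cur == a else a if cur == b else None
            if nbr is None or nbr == root:
                continue
            cand, have = (best[cur][0] + cost, BRIDGES[cur]), best.get(nbr)
            if have is None or cand < (have[0], BRIDGES[have[1]]):
                best[nbr] = (cand[0], cur)
                if nbr not in frontier:
                    frontier.append(nbr)
    return best

def blocked_ports(best):
    """Off-tree links block at the end with the worse (cost, bridge ID)."""
    blocked = set()
    for a, b, _ in LINKS:
        if best[a][1] != b and best[b][1] != a:  # neither end's root port
            worse, better = sorted((a, b), key=lambda n: (best[n][0], BRIDGES[n]))[::-1]
            blocked.add((worse, better))  # (blocking bridge, neighbour it faces)
    return blocked

def stp_diameter(best):
    """Bridges on the longest tree path; default timers assume at most seven."""
    tree = {n: set() for n in BRIDGES}
    for n, (_, up) in best.items():
        if up:
            tree[n].add(up)
            tree[up].add(n)
    def farthest(start):  # BFS; depth counts bridges, start included
        depth, queue = {start: 1}, deque([start])
        while queue:
            cur = queue.popleft()
            for nbr in tree[cur]:
                if nbr not in depth:
                    depth[nbr] = depth[cur] + 1
                    queue.append(nbr)
        return max(depth, key=depth.get), max(depth.values())
    far, _ = farthest(next(iter(BRIDGES)))  # two-sweep tree diameter
    return farthest(far)[1]
```

On this topology the root is core1, dist2 and both access switches each block one uplink, and the diameter is five bridges, within the guideline.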

b.petronio Tue, 03/27/2007 - 09:17

Hi Bobby,


I'm new on this too, so I hope I follow the rules.


My question resides on the following scenario:


I have a client with 2 WS-C6006, with one WS-X6K-SUP1A-2GE each and HSRP on VLAN 1, connected to each other by one GigabitEthernet trunk.

These are the distribution switches my client has, to connect to the access switches.


Connecting these 2 WS-C6006 they have a WS-C4506, making a "ring", with a Supervisor WS-X4013+ and no redundant one.


I have several servers on this switch, and this switch splits the User Access Area from the connections to the WAN, firewall, DMZs and Internet.


1st. Could I call this switch a core switch? Or should I keep calling it a distribution one?


2nd. Is this kind of topology the best one with the existing equipment?


3rd. If something fails on the WS-C4506, my client will lose most application services, because there is no redundancy there.

Any best practices for this faulty solution?


I attach a brief of the network I'm talking about.


Best Regards,

Petrónio



Bobby Thekkekandam Wed, 03/28/2007 - 10:32

Hi Petronio,


For your questions:


1) The layout doesn't specifically follow the Hierarchical Design model, so the referenced nomenclature doesn't really matter.


2) From a design standpoint, there appear to be multiple single points of failure, and implementing the hierarchical design model may better enable you to design resiliency into the network. For more on this, see:


http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2002.htm


3) Certainly, the 4506 is a single point of failure. Possible solutions here include adding another 4506 switch and dual-homing the firewall to each. The same applies to the WAN router. Alternately, you can migrate the WAN and firewall connections such that each is dual-homed to the 6006 switches, which will give you multiple points of failure to your application services (assuming they are on the other end of the WAN or firewall).


Design is a very subjective thing and there are certainly a plethora of valid designs that will accomplish the same thing. The hierarchical design model is one that is time tested and well documented, and what Cisco generally recommends.


Another great document on Switched Network design using the Hierarchical Model:

http://www.cisco.com/en/US/tech/tk1330/technologies_design_guide_chapter09186a0080666712.html


HTH,


Bobby


response3 Tue, 03/27/2007 - 16:55

I've been doing some research on L2 vs. L3 links between redundant distribution switches, and I have seen articles advocating both solutions.


In a 3-tier model, assuming that VLANs do not span more than one distribution switchport or access switch, what type of link between redundant distribution switches (L2 vs. L3) would be recommended, and why? Thanks.

response3 Mon, 04/02/2007 - 15:22

Hi Bobby, is there any documentation regarding when to use a Layer 2 trunk link versus a L3 routed link between redundant distribution switches? Thank you.

Bobby Thekkekandam Tue, 04/03/2007 - 06:58

Hi,


In general, you'll want L3 between your distribution switches, and in your case as detailed above, since your VLANs are terminated locally from the perspective of the distribution switches, this certainly holds true.


Additionally, you may want to consider a routed access layer, for faster convergence, isolating network disruption, simplified redundancy (no need to deal with the complexities of spanning-tree, root election, loop mitigation, etc.).


Here are a few documents that cover this in greater depth:


http://www.cisco.com/application/pdf/en/us/guest/netsol/ns17/c664/cdccont_0900aecd804598c2.pdf


http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a00805fccbf.pdf


HTH,


Bobby

response3 Tue, 04/03/2007 - 08:49

Thanks for the reply. As far as the routed access layer, I'm reluctant to think that is a viable solution for all but a few organizations. The reason for this is the sheer cost of purchasing L3 access switches, such as the 3560/ 4500/6500's. Once the price comes down on those, or a more affordable model is released, I'd be all over it.

rolandshum Tue, 03/27/2007 - 18:27

I have 2 Windows 2000 servers running RADIUS, both on the same VLAN on the same 6509 running IOS 12.2. Is there a way for me to use the switches to load balance between the two servers without using Microsoft's HA feature in Windows?


If the answer is yes, would this be on a per packet basis or a per connection basis?


Thanks

Bobby Thekkekandam Thu, 03/29/2007 - 08:12

Yes, you can use IOS Server Load Balancing to accomplish this.


You can define a virtual server that represents a group of real servers in a cluster of network servers known as a server farm. In this environment, the clients connect to the IP address of the virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured load-balancing algorithm.


Depending on which algorithm you use, the load balancing will still be on a per-connection basis rather than a per-packet basis, as it wouldn't be feasible for server A to service one packet and server B to service another, since the information to complete the transaction would not be complete.


Please refer to the following document for more info:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a97.html


HTH,


Bobby
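As an added illustration of the per-connection behaviour Bobby describes (not his text and not IOS code), a toy Python model of a virtual server in front of a server farm; addresses, ports and weights are constructed, and weighted round robin is used here only as the example algorithm.

```python
# Added example (not from the thread or IOS): a toy virtual server in front of a
# server farm. The real server is chosen once per connection and reused for every
# later packet of that connection, which is the behaviour described above.
from itertools import cycle

VIP = "10.0.0.10"                          # constructed virtual server address
FARM = {"10.0.0.11": 1, "10.0.0.12": 1}    # constructed RADIUS servers: addr -> weight

class VirtualServer:
    def __init__(self, vip, farm):
        self.vip = vip
        # weighted round robin, used here as the example algorithm: a server with
        # weight w is offered w times per cycle of new connections
        self._rr = cycle([srv for srv, w in farm.items() for _ in range(w)])
        self.connections = {}  # 5-tuple -> real server pinned for that flow

    def forward(self, src, sport, dst, dport, proto="udp"):
        """Real server for this packet, or None if it is not sent to the VIP."""
        if dst != self.vip:
            return None
        key = (src, sport, dst, dport, proto)
        if key not in self.connections:
            self.connections[key] = next(self._rr)  # new connection: pick once
        return self.connections[key]

# Constructed traffic: two RADIUS exchanges from one NAS, each a request plus a
# retransmission from the same source port, and one packet not aimed at the VIP.
PACKETS = [
    ("192.0.2.1", 40001, VIP, 1812), ("192.0.2.1", 40001, VIP, 1812),
    ("192.0.2.1", 40002, VIP, 1812), ("192.0.2.1", 40002, VIP, 1812),
    ("192.0.2.1", 40003, "10.0.0.99", 1812),
]

def per_connection(packets, vip=VIP, farm=FARM):
    """Servers chosen with connection pinning: a retransmission stays put."""
    vs = VirtualServer(vip, farm)
    return [vs.forward(*pkt) for pkt in packets]

def per_packet(packets, vip=VIP, farm=FARM):
    """Contrast case: a fresh choice for every packet. The retransmission of
    exchange one lands on a server that never saw the original request."""
    rr = cycle([srv for srv, w in farm.items() for _ in range(w)])
    return [next(rr) if pkt[2] == vip else None for pkt in packets]
```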


rajeshprane Wed, 03/28/2007 - 00:41

Hi,


Why do we have data and voice VLANs in a Cisco IPCC architecture? I would like to know from a security point of view.


Thanks

Rajesh


pnicolette Wed, 03/28/2007 - 17:23

Hi, Bobby.


While I agree that "design is a very subjective thing," from an engineering standpoint it seems that a wise design for redundancy would be guided by actual field data on the relative (or absolute) reliability of various components. Does Cisco ever make such data available?


Or should I only bother asking if I'm among Cisco's top 20 global customers :-) ?


Thank you.


Paul

Bobby Thekkekandam Thu, 03/29/2007 - 08:21

Paul,


Certainly, there are designs that are time, lab, and field tested to be sound from an engineering and availability standpoint.


Case Studies, Design Guides, and White Papers are often published with such data. For example, you can find such information specifically for the large enterprise here:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/networking_solutions_packages_list.html


HTH,


Bobby


kirkster Thu, 03/29/2007 - 09:54

Hi Bobby,

Could you point me to a document that explains the switching modes on the 6500, please? For example, there are all types of switching modes like truncated etc. If I have a chassis full of 67xx cards and I install a 6148 card, say, does that impact the performance of my 67xx series? If so, why? Each of the 67xx cards has its dedicated CEF 720 traces to the crossbar, so why should a classic card upset the 67xx's?


Am I also correct in thinking that the DFC modules only allow autonomous switching decisions to be made on the line card concerned? The DFC does not allow slot-to-slot communications without going across the supervisor?


Thanks if you can point me to some useful doc on this; the configuration guides don't really explain this in detail.


TIA


Steve



ciscobuddy Sun, 04/01/2007 - 15:42

hi bobby,


I will explain one of my customer's networks (a BPO), a campus network with core switches of 4506 connected back to back, VLANs configured, using 3550 as access switches.


I will explain one of his customer networks:

3550--4506--PIX firewall--WAN Router--CE Router---ISP cloud


Already implemented one MPLS data circuit and planning for one more MPLS circuit. Now he is asking me about high availability.


How will the 2 CE routers connect to his LAN?


Thanks




Bobby Thekkekandam Tue, 04/03/2007 - 11:02

Hi,


This question is out of the scope of this discussion. I suggest posting this question in the LAN Switching, and Routing section.


Thanks,


Bobby


chris.humphries Sun, 04/01/2007 - 17:03

We are installing a new 6500 with dual Sups in our data centre. Is it possible to do a no-impact IOS upgrade if you have dual Sup-720s installed?


When I install the new IOS on the backup sup and reload it, redundancy changes to RPR (from SSO) and the backup sup is seen as cold standby.

When I do a force-reload switchover, it fails over to the backup sup, all line cards reload and I get an outage of up to 5 minutes.


Can this outage be reduced if modular IOS is used?

Is there such a thing as a no-outage IOS upgrade? i.e. true high availability

chris.humphries Mon, 04/02/2007 - 15:15

Basically what I'm asking is when ISSU (In Service Software Updates) will be available on the 6500 platform.

I understand it is already available with modular IOS patching. But not if the base image needs upgrading?


Bobby Thekkekandam Tue, 04/03/2007 - 11:04

Hi Chris,


At this point in time, there is no way to do a hitless upgrade even with modular IOS. However, as modular IOS matures, this will be a feature that will be available, although I'm not currently aware of any specific timeframes for this.


-Bobby

Bobby Thekkekandam Tue, 04/03/2007 - 11:05

Thanks for your post. However that question is out of scope for the topic of this discussion. I trust that someone will be able to answer your question in the original thread.


-Bobby


faisal_shah Tue, 04/03/2007 - 00:17

hi,

I am facing a problem regarding the LAN: a message appears on client computers that "Servar is Overloaded", and then I have to switch off the network to communicate again.

dunc Tue, 04/03/2007 - 01:22

Hi,


My question relates to comparing VRRP to HSRP.


I'm looking at VRRP as an alternative to HSRP particularly for its ability to have the virtual IP address be homed on the master router, which in one case allows me to set the BGP peer address and the default gateway for a customer to the same IP address.


Our standard HSRP configuration includes a 180 second preemption delay which stops a router from becoming the Active router before its routing protocols have converged.


The unfortunate drawback I have found with VRRP in this mode (sharing the virtual IP with an interface IP) is that the preempt delay feature has no effect. That is, if the master router recovers, it takes over as master router immediately.


Does this mean that VRRP in this configuration is "unsafe"? And by that I mean that the master will become the Active router before enough time has passed for its routing protocols to converge?


Is there a way around this?


(By the way, I haven't found this covered in any BCMSN texts or VRRP documents.)

Bobby Thekkekandam Tue, 04/03/2007 - 11:12

In some platforms there is a delay in forwarding of traffic after the interface comes up. This sometimes causes a VRRP router to preempt the current Master even if this is not currently desired. The same problem was solved in HSRP by introducing the "standby delay" command. This allows users to configure a delay value between an interface state changing to UP, and the Master down timer starting.


Right now there is no workaround, but there is an internal feature request to add this feature to VRRP.


HTH,


Bobby


hoogen_82 Tue, 04/03/2007 - 11:22

Hi Bobby,


Could you suggest some design documents for implementing modules like FWSM, IDS and CSS on the 6500, on the basis of redundancy and load balancing?


Also if you could point to any Cisco press publication which deals with the implementation of the modules on the 6500.


-Hoogen

Bobby Thekkekandam Thu, 04/05/2007 - 06:23

Hi Hoogen,


I took a look but couldn't find any such documents or design guides. Let me check with a couple of other resources and I'll report back.


-Bobby


Bobby Thekkekandam Fri, 04/06/2007 - 06:35

Hi Hoogen,


Unfortunately, there doesn't seem to exist any such design guides or best practice documents specifically for redundancy and high availability for the service modules, beyond what you can find in the configuration guides.


-Bobby
