Routed links in the core/edge

Unanswered Question
Feb 20th, 2009

Hi guys,

Please help me with this design, I don't know how to move forward with this.

I need to assign IP addresses to the connections between the core devices and the edge devices. I want to have routed point to point links between the devices but I also want to run hsrp so traffic destined for the core devices would point to the hsrp address, likewise traffic heading out towards the edge of the network.

Is this achievable? I don't even know how to properly explain what I need but hopefully you get my drift.

Currently there is a /30 p2p routed link between the single core and edge device that exists. I am adding a further edge switch and core switch (both MLS) and I need to make this as resilient as possible.

Should I have all the interfaces between the core and edge in the same subnet - maybe a /28? How else will the edge see the core if for instance I have the core1 to core 2 connections plus their hsrp in a separate /29 address to the edge devices??

I also would like to implement some policy based routing on the edge switches so that routing to the firewalls and the encryption routers will be resilient.

Please help, any requests for clarification will be promptly responded to.



mfawehin Fri, 02/20/2009 - 14:40

Hi Andrew,

Thanks so much for your response. Your diagram looks great and I appreciate it. Could you please help me by adding IP addresses to the diagram? Are they /30 addresses?

I definitely don't want to overcomplicate things just for the sake of it but I thought going for the routed links would be the best way forward, is this not right?

I really would appreciate you taking the time to explain the design and how I go about configuring it especially from the core upwards.

Many thanks,


Personally I would use 1x /24 address range for all devices in a management vlan.

The connections between the access and distribution would be layer 2 trunks. The access/distribution switches would have an IP address for management.

Connections between distribution to core would be layer 2 trunks - all ip routing would be handled by the core. The 2 core switches have multiple links connected via layer 2 ether-channel trunk.

The core switches will be the VTP servers, the distribution and access will be VTP clients. I would recommend running RSTP over the whole layer 2 connectivity - with the core switches being the primary and secondary root bridges.

The core switches would run HSRP on the SVI interfaces per VLAN instance, providing failover layer 3 IP connectivity.

The PIX/ASA and encryption routers have IP addresses in the same range, with default routes pointing to the next hop devices. The PIX/ASA are a stateful failover pair with primary and standby IP addresses.

What purpose are the encryption routers for?


mfawehin Sat, 02/21/2009 - 23:16

Hi Andrew,

The encryption routers are specifically for sending some encrypted traffic to some 3rd party company across vpn tunnels so the relevant traffic would go from the specific users' desktops to the core switch which forwards the traffic to the edge devices which then send it to the encryption routers which then send it out via vpn tunnels (I think it is the Pix but I can confirm tomorrow).

Thanks for the advice about the core/dist links, that was what I was planning initially but then thought about having P2P routed link with no load sharing and with ospf doing the failover so one link from each DS to the core is not active, good idea or bonkers?? I'm still a bit confused about the core/edge connections also.

Do I just implement P2P routed links? I have put the cabling in place so there is connectivity from CS1 to Edge1 and CS2 to Edge2 and connectivity between both core and edge devices, I have just not assigned any IP addresses because I want to use hsrp but don't know if it's possible.

Also I want to put some PBR or something in place so if either encryption router failed, traffic would still get to the Pix through the other one which would have the same config.

I appreciate your help so far, just still a bit confused.

I was trying to do away with trunks in the core and use routed links as I think that is the way to go but obviously don't think I can. I just want to put in the most efficient, scalable design so all the help I get is most gratefully received.



Giuseppe Larosa Sat, 02/21/2009 - 23:56

Hello Martha,

If you use OSPF you shouldn't need to use HSRP also and this could allow you to use p-t-p links.

If there is a need to be able to support HSRP this implies a common subnet and p-t-p links are not a choice in this case.

I don't think you should need HSRP between your core switches and the device that you call edge switches: if you are going to use OSPF.

These edge switches are actually in the WAN block of your campus to connect to other sites as discussed in the other thread.

Andrew's suggestions are good to implement a common subnet and usage of Rapid STP is mandatory to avoid having OSPF wait for STP.

The whole picture including the encryption devices may require PBR or not.

If both encryption devices are not available what path should be taken by the protected flows?

In other terms:

a common subnet is needed between the two edge switches and the two encryption devices:

in this case you need a horizontal L2 link between the edge switches carrying the vlan.

Between edge and core you can use a common subnet or point-to-point links but if you decide to use point-to-point I would recommend a full mesh between them (4 links).

Hope to help
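
An addressing sketch for the layout discussed in the reply above, added here as an example and not posted by anyone in the thread: it carves one /30 per core-edge pair for the four-link full mesh and one shared subnet for the edge switches and encryption devices, the only place HSRP can run. The 10.0.0.0/24 block, the names ER1/ER2 and the function names are assumptions; CS1/CS2 and ES1/ES2 follow the names used in the thread.

```python
import ipaddress
from itertools import product

def build_plan(block, cores, edges, shared_hosts):
    """Carve one /30 per core-edge pair (full mesh) and one shared HSRP subnet."""
    block = ipaddress.ip_network(block)
    # Shared edge/encryption subnet: one virtual IP plus one address per device.
    need = len(shared_hosts) + 1
    prefix = 32
    while 2 ** (32 - prefix) - 2 < need:   # usable = size - network - broadcast
        prefix -= 1
    shared = next(block.subnets(new_prefix=prefix))
    hosts = iter(shared.hosts())
    plan = {"shared": {"subnet": shared, "hsrp_vip": next(hosts),
                       "members": {name: next(hosts) for name in shared_hosts}},
            "p2p": {}}
    # The rest of the block is cut into /30s, skipping the shared subnet.
    free = (n for n in block.subnets(new_prefix=30) if not n.overlaps(shared))
    for core, edge in product(cores, edges):
        net = next(free)
        a, b = net.hosts()                 # a /30 has exactly two usable addresses
        plan["p2p"][(core, edge)] = {"subnet": net, core: a, edge: b}
    return plan

def can_share_hsrp_group(if_a, if_b):
    """HSRP peers must sit in one subnet so either can own the virtual address."""
    a, b = ipaddress.ip_interface(if_a), ipaddress.ip_interface(if_b)
    return a.network == b.network

# Constructed sample values: the address block and ER1/ER2 are assumptions.
PLAN = build_plan("10.0.0.0/24", ["CS1", "CS2"], ["ES1", "ES2"],
                  ["ES1", "ES2", "ER1", "ER2"])

if __name__ == "__main__":
    s = PLAN["shared"]
    print("shared", s["subnet"], "HSRP VIP", s["hsrp_vip"])
    for name, addr in s["members"].items():
        print("  ", name, addr)
    for pair, link in PLAN["p2p"].items():
        print(pair, link["subnet"], link[pair[0]], link[pair[1]])
```

Two interfaces on different /30 links fail `can_share_hsrp_group`, which is why the routed core-edge links rely on OSPF for failover rather than a virtual gateway address.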


mfawehin Sun, 02/22/2009 - 04:51

Giuseppe, as always thanks for your comprehensive response.

Thanks also to Andrew, both your responses to both threads have helped me get this far so just to be certain we are all on the same page, this is the proposed design as I understand it:

1. Distribution switches would have links to both core switches using p-t-p links with the OSPF cost determining the primary route and the 2nd connection simply as backup. There is no load sharing primarily because I can't implement glbp due to the DS's not being Cisco.

2. Core - both core devices would be connected by p-t-p links and there would also be p-t-p routed links between the core and edge devices so again no hsrp.

I have currently cabled up CS1 to ES1 and CS2 to ES2, both edge switches and core switches are connected to its partner switch but it is not actually fully meshed as such, i.e. CS1 does not have a connection to both edge switches and vice versa yet. I will check that the cabling exists and if it does implement p-t-p links but if not then use hsrp, but I agree with your recommendation not to use HSRP between the core switches and the edge devices and would really rather not.

3. The edge - I will implement a common subnet between the edge devices and the encryption devices and use hsrp here.

I have not considered the scenario where both encryption routers are unavailable, that would be incredibly unlucky and I suppose if that happened they would not be able to send the protected data as it has to be specially encrypted using one of these devices.

I will definitely implement RSTP.

I would like to implement PBR though but don't know where to start, any pointers?

So far do you think I have a decent enough understanding of the advice you and Andrew have been giving me?

Can I possibly trouble either of you to modify Andrew's modified network diagram sent earlier in the thread with sample IP addresses so I know where to use p-t-p links and what masks to use etc.?

I really appreciate your help, especially as it's a Sunday.

Enjoy what's left of the weekend.



Giuseppe Larosa Mon, 02/23/2009 - 02:24

Hello Martha,

a link for PBR on C4500

very important: you need to verify if the hardware supports PBR for example C4500 with new SUP 6E doesn't support it.

I don't know what is the model of the edge switches but it is important to check.

About the double fault of encryption devices I agree the design cannot handle this event but this is reasonable.

Hope to help


mfawehin Mon, 02/23/2009 - 04:59

Thanks for the link Giuseppe.

The edge devices are 3750G-24TS-E with IP Services IOS so they are capable.

But aside from the PBR, did you think my design so far is okay? Routed core/distribution links and hsrp from core towards edge and between edge and encryption router?

Giuseppe Larosa Mon, 02/23/2009 - 05:35

Hello Martha,

the design looks reasonable.

My understanding is that HSRP is needed only on the subnet to the encryption devices.

The encryption devices if they are PIX can act as a failover pair and only one of them is active at a given time.

However, traffic to the active encryption device can be sent via both edge devices with no problem it is coming from the same inside interface.

So OSPF can handle all traffic including edge-core links.

By the way, you probably need on the edge switches to redistribute static in OSPF the prefixes of the traffic that need to be encrypted.

In this way you don't need to use HSRP between edge and core switches.

Hope to help


mfawehin Mon, 02/23/2009 - 07:03

Thanks Giuseppe, I'll start writing up my scripts and see how I get on.

I only have a small downtime window so would like to get it right quickly.

I'll post my configs/diagram when I get to that stage.

