Network for 600 users

Answered Question
Sep 17th, 2009

I am currently managing a network for 600 users. I am using a 3750G-12S-E as the WAN switch/router. I have 13 x 2960 connected to the main switch in a ring topology using fibre cable. I have a total of 10 meg of internet bandwidth. There are business and home users. One business user wants a dedicated 2 meg of bandwidth for 48 users. Another business user wants 5 meg dedicated for their users. At night they want all the bandwidth to be aggregated and shared by home users.


Any idea how I can do that?


Much appreciated

OJ

srue Thu, 09/17/2009 - 11:08

how are these businesses logically and physically separated?

bansal.ojasvi Thu, 09/17/2009 - 11:12

Logically they are on a different vlan on the main switch. Physically they have a separate port.

Joseph W. Doherty Thu, 09/17/2009 - 19:16

The 2 and 5 meg you want to control is in reference to the 10 meg Internet bandwidth? If so, what about the other 3 meg?


You can, I believe, likely police rates to/from the internet. However, the 3750 series isn't the best platform for complex traffic management, and I don't recall whether it could integrate such control with time-based ACLs. You may want to consider adding a small router between the 3750G and the Internet.


However, even with a router, although you can easily control the amount of Internet bandwidth made available to different LAN hosts, there are Internet ingress issues unless you can manage the other side of the Internet's link to you.

bansal.ojasvi Fri, 09/18/2009 - 06:34

Yes, 2 and 5 meg is part of 10 meg bandwidth. The other 3 meg will be used by home users during day time.


What kind of router do you suggest? We use fiber cables.


I don't have any control on the ingress queue. However, I can ask my ISP if they could do anything.


Appreciate your response.

OJ

Joseph W. Doherty Fri, 09/18/2009 - 15:58

This is gig fiber? If so, any ISR that can use a HWIC-1GE-SFP and provide 10 Mbps forwarding. Any in table 3 in http://cisco.com/en/US/prod/collateral/routers/ps5854/product_data_sheet0900aecd8016be8d.html should do, including the 1841. (NB: Not 100% positive about IOS features on the 1841/1861, but believe they should be like the 2800/3800.)


However, looking a bit more over the 3560 (3750) IOS configuration guide, Time-Based ACLs are supported. This, with various class-map policing, might also satisfy your requirement, although I'm not real keen on using rate limiters, and again, you might not obtain exactly the benefit hoped for, for inbound Internet traffic.

bansal.ojasvi Sun, 09/20/2009 - 09:04

Yes this is a gig fiber. I have a spare Cisco 2811 (does it have resources to support 600 users?). What you are saying is, use a HWIC-1GE-SFP on the router and use it in front of the 3750 Switch.


I have 13 VLANs configured on the 3750 and it acts as a DHCP server as well. Should I configure VLANs on the 2811 and use it as DHCP? My understanding is that I keep the network wide open until the data reaches the 2811 and then police/shape it there based on VLAN/IP addresses. Is that right?


Also, the 3750 I have now doesn't support the service-policy output command. So the only option for me is to use rate limiters. You are absolutely right that rate limiters are not a very good option.


I am attaching a diagram with rate-limit config. Please take a look and let me know if I am going the right path.



Joseph W. Doherty Sun, 09/20/2009 - 15:21

"I have a spare Cisco 2811 (does it have resources to support 600 users?)."


It's not so much a question of users but of supported bandwidth. If your Internet connection is 10 Mbps, the 2811 should be able to support that amount of bandwidth.


"What you are saying is, use a HWIC-1GE-SFP on the router and use it in front of the 3750 Switch. "


Correct.


"Should I configure VLANs on 2811 and use it as DHCP."


No good reason comes to my mind.


"My understanding is that keep the network wide open until it data reaches 2811 and then police/shape it there based on VLAN/IP addresses. Is that right? "


Yes, since you only need to control Internet bandwidth utilization. As for carrying VLANs to the 2811, you could, but I would just pass the data to/from the 3750 across a single transit subnet link. You can match traffic per subnet (I assume the VLANs have different subnets).


PS:

BTW, because of your LAN topology, you might also want to consider using QoS on the cross switch links.

bansal.ojasvi Sun, 09/20/2009 - 16:18

Thanks for your response.


Do you have an example of a similar config that would go on to 2811?


I am not sure, if I understood "BTW, because .......switch links". Could you please explain a bit.


Much appreciated

OJ

Joseph W. Doherty Sun, 09/20/2009 - 18:25

"Do you have an example of a similar config that would go on to 2811? "


To do exactly what? (I.e. ingress or egress, shape or police, time based or not, etc.) With what IOS?


"I am not sure, if I understood "BTW, because .......switch links". Could you please explain a bit. "


The disadvantage of your ring topology is that hosts that need to communicate with other hosts on different switches need to share the connecting switch link bandwidth. If each VLAN's traffic stays per switch, then this shouldn't be much of an issue.

bansal.ojasvi Sun, 09/20/2009 - 18:44

Ingress, egress and time-based. c2800nm-advipservicesk9-mz.124-15.T1.bin


No hosts talk to other hosts in different vlan. The only traffic that goes out or comes in is the internet.


Thanks

OJ

Correct Answer
Joseph W. Doherty Mon, 09/21/2009 - 15:21

(NB: syntax might be incorrect)

Example for egress (on WAN facing interface)

    time-range busHours
     periodic weekdays 8:00 to 18:00
    !
    ip access-list extended busHoursNow
     permit ip any any time-range busHours
    !
    ip access-list extended cusA
     permit ip x.x.x.x y.y.y.y any
    !
    ip access-list extended cusB
     permit ip x.x.x.x y.y.y.y any
    !
    class-map match-all cusA_busHours
     match access-group name busHoursNow
     match access-group name cusA
    !
    class-map match-all cusB_busHours
     match access-group name busHoursNow
     match access-group name cusB
    !
    ! child policy: per-customer guarantees, defined before the parent references it
    policy-map allocateBandwidths
     class cusA_busHours
      bandwidth 2000
      ! optional: shape average 2000000
     class cusB_busHours
      bandwidth 7000
      ! optional: shape average 7000000
    !
    ! parent policy: shape to the purchased rate, then hand off to the child
    policy-map WAN_shaper
     class class-default
      ! if physical interface allows more than purchased bandwidth
      shape average 10000000
      service-policy allocateBandwidths
    !
    interface <WAN-facing Gigabit or FastEthernet interface>
     service-policy output WAN_shaper
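As an added illustration (not part of the thread or any Cisco code), the model below reproduces how the answer's match-all class-maps select traffic: a packet lands in a customer class only when the time-range is active AND its source is in that customer's subnet; at night or on weekends everything falls through to class-default and shares the whole shaped rate. The subnets and the business-hours boundary handling are assumptions, and the plan check only verifies that the guarantees fit under the parent shaper.

```python
# Added example, not from the thread: models the time-based classification in
# the HQoS config above and sanity-checks the bandwidth plan.
from datetime import datetime
import ipaddress

WAN_SHAPE_KBPS = 10_000  # "shape average 10000000" (bps) on the parent class-default

# Constructed placeholders for the "permit ip x.x.x.x y.y.y.y any" entries;
# bandwidth_kbps mirrors "bandwidth 2000" / "bandwidth 7000" in the child policy.
CUSTOMERS = {
    "cusA": {"subnet": ipaddress.ip_network("10.1.0.0/24"), "bandwidth_kbps": 2000},
    "cusB": {"subnet": ipaddress.ip_network("10.2.0.0/24"), "bandwidth_kbps": 7000},
}


def in_business_hours(ts: datetime) -> bool:
    """time-range busHours: 'periodic weekdays 8:00 to 18:00'.
    Assumption: the range is active from 08:00 up to (not including) 18:00."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def classify(src_ip: str, ts: datetime) -> str:
    """Return the class-map a packet matches, or 'class-default'.

    Both class-maps are match-all, so the busHoursNow ACL (which only permits
    while the time-range is active) must match as well as the customer ACL.
    """
    if not in_business_hours(ts):
        return "class-default"  # busHoursNow permits nothing -> match-all fails
    addr = ipaddress.ip_address(src_ip)
    for name, cust in CUSTOMERS.items():
        if addr in cust["subnet"]:
            return f"{name}_busHours"
    return "class-default"  # home users and anything else


def check_plan() -> dict:
    """Guarantees in the child policy must fit under the parent shaper; what is
    left over is the only bandwidth class-default is guaranteed during the day."""
    reserved = sum(c["bandwidth_kbps"] for c in CUSTOMERS.values())
    return {
        "reserved_kbps": reserved,
        "remaining_kbps": WAN_SHAPE_KBPS - reserved,
        "fits": reserved <= WAN_SHAPE_KBPS,
    }
```

With the 2000 + 7000 kbps guarantees from the answer, `check_plan()` shows only 1000 kbps left for class-default during business hours, which is worth comparing against the 3 meg the home users were meant to get by day.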

bansal.ojasvi Mon, 09/21/2009 - 19:33

Wow...I can't thank you enough but THANK YOU. You are awesome.


One more question. While I have been sleeping on this issue, another idea came to my mind. Since my access switches are on different ports on the main 3750, why don't I run routing between all the switches and use rate limiters? Having said that, I tried doing that but my WS-C2960-48TC-L with c2960-lanbase-mz.122-25.SEE2.bin doesn't allow me to put an interface in routed mode.


    Switch1(config)#int fa 0/1
    Switch1(config-if)#no sw
    Switch1(config-if)#no switchport ?
      access         Set access mode characteristics of the interface
      backup         Set backup for the interface
      block          Disable forwarding of unknown uni/multi cast addresses
      host           Set port host
      mode           Set trunking mode of the interface
      nonegotiate    Device will not engage in negotiation protocol on this interface
      port-security  Security related command
      priority       Set appliance 802.1p priority
      protected      Configure an interface to be a protected port
      trunk          Set trunking characteristics of the interface
      voice          Voice appliance attributes


Not just the interface; the switch also doesn't allow me to configure IP routing on it.


    Switch1(config)#ip rou?
    % Unrecognized command


Do you think that upgrading the IOS would resolve this issue?


Once again, I really appreciate your efforts in helping me.


Thanks

OJ

Joseph W. Doherty Tue, 09/22/2009 - 03:06

re: routing on 2960


"Do you think that upgrading the IOS would resolve this issue? "


No, because routing is not supported on the 2960 series (as it is on your 3750).


PS:

BTW, forgot to mention, on your 2811, if you have maintenance, you might want to upgrade the IOS from c2800nm-advipservicesk9-mz.124-15.T1.bin (an ED version) to an MD version (T8, T9 or T10).
