Design question

Unanswered Question
Dec 14th, 2009

Please give me some advice on designing the corporate LAN.
(The main goal of the setup is high availability.)
(Look at the attachment.)


Let's start from the bottom. We have four 2950 switches at the access layer,
and two 3560 switches at the distribution layer.
There is one more 3560 switch (and we are planning to buy two 3750 switches).

I've got the following ideas:

Access layer switches will be connected to the distribution layer via 2 links. Default gateways will be made redundant via HSRP on the distribution 3560 switches.
(Perhaps I will divide the gateways for different VLANs between the 3560s to utilize the links effectively.)
There will be L3 links between the two 3560s, and between the 3750 stack and each 3560.
I thought about running OSPF between these switches, but I have doubts about the IOS feature set on the 3750. Maybe there are other optimal design setups if it is not possible to run dynamic routing between these switches?
Servers will be connected to the 3750 stack via EtherChannels.
There will also be an HSRP link between the WAN routers and the 3750 stack.


Please share your opinion about my setup.
Maybe there are some best practices?

Attachment: 
Overall Rating: 5 (5 ratings)
saurabh_knl Mon, 12/14/2009 - 04:16

Hi,


Here are some suggestions:


1. Rename your distribution switches as core switches. A 2-tier architecture looks good for your setup.

2. Servers should ideally be connected via a firewall on the DMZ interface. The setup becomes more essential if your servers will be accessed across the WAN.

3. If there is no firewall (or no external usage requirement), use the CAT3750 stack switches connected to your core switches. The server farm should never be exposed to the WAN routers.

4. Run the routing protocol between your core switches and WAN routers. This way, you can eliminate the need for HSRP on the WAN routers.

5. Create only management SVIs on your respective access switches.

6. Have all your access-ports configured as auto/auto.

7. Use portfast and BPDU guard on access ports.

8. Have all your ports hard-coded when connecting between switches, switch-router, switch-server, switch-firewall, etc.

9. As per design conventions, do not draw your WAN routers with a "V" symbol on them. That normally denotes voice devices.

10. Have EtherChannels for connectivity between access/core, core/stack, and stack/servers.



HTH


cheers,

Saurabh
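The port and link hardening in items 5, 7, 8 and 10 above can be checked mechanically against a switch's running configuration. The following is an added example, not code from anyone in this thread: a small Python audit over a constructed IOS-style configuration (the hostname, interface names, addresses and descriptions are all invented) that flags access ports missing portfast or BPDU guard, trunks left on autonegotiation or outside an EtherChannel, and an access switch carrying more than its management SVI.

```python
"""Audit an IOS-style switch config against the access-layer hardening
points made in the thread: portfast + BPDU guard on access ports (7),
hard-coded speed/duplex on inter-switch links (8), EtherChannel on uplinks
(10), and only a management SVI on an access switch (5).

The configuration below is constructed for this example; every name and
address in it is invented."""
from __future__ import annotations

SAMPLE_CONFIG = """\
hostname ACCESS-SW1
!
interface Vlan99
 description Management
 ip address 10.99.0.11 255.255.255.0
!
interface Vlan10
 description Users - should not be an SVI on an access switch
 ip address 10.10.0.2 255.255.255.0
!
interface FastEthernet0/1
 description User port, hardened
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description User port, BPDU guard forgotten
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description Uplink to DIST-A
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 description Uplink to DIST-B, left on autonegotiation
 switchport mode trunk
!
end
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to its indented sub-commands (stripped)."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command closes the stanza
    return interfaces


def _has_prefix(lines: list[str], prefix: str) -> bool:
    return any(line.startswith(prefix) for line in lines)


def audit(config: str) -> list[str]:
    """Return one finding per deviation from the thread's recommendations."""
    findings: list[str] = []
    interfaces = parse_interfaces(config)

    svis = [name for name in interfaces if name.lower().startswith("vlan")]
    if len(svis) > 1:
        findings.append(
            f"{len(svis)} SVIs ({', '.join(svis)}): an access switch should "
            "carry only its management SVI"
        )

    for name, lines in interfaces.items():
        if "switchport mode access" in lines:
            # Item 7: edge ports go forwarding immediately but must err-disable
            # on any received BPDU (a rogue switch or a looped cable).
            if not _has_prefix(lines, "spanning-tree portfast"):
                findings.append(f"{name}: access port without portfast")
            if "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: access port without BPDU guard")
        elif "switchport mode trunk" in lines:
            # Item 8: no autonegotiation on switch-to-switch links.
            if not (_has_prefix(lines, "speed ") and _has_prefix(lines, "duplex ")):
                findings.append(f"{name}: trunk not hard-coded for speed/duplex")
            # Item 10: uplinks bundled into an EtherChannel.
            if not _has_prefix(lines, "channel-group "):
                findings.append(f"{name}: trunk not a member of an EtherChannel")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: the extra Vlan10 SVI, FastEthernet0/2 without BPDU guard, and GigabitEthernet0/2 both on autonegotiation and outside an EtherChannel; the hardened FastEthernet0/1 and the bundled GigabitEthernet0/1 pass. Feeding it a real `show running-config` output works the same way, since it only relies on the `interface` stanza indentation.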

Rick Morris Tue, 12/15/2009 - 14:01
User Badges:
  • Silver, 250 points or more

"2. Servers should ideally be connected via a firewall on the DMZ interface. The setup becomes more essential if your servers will be accessed across the WAN."


True only if they are external facing.  If they are for internal resources then it does not matter.  If you want to restrict access, build ACLs on the switch.

sachinraja Mon, 12/14/2009 - 10:57
User Badges:
  • Red, 2250 points or more

Hi Dimae


In addition to Saurabh's comments, you need to consider the following:


1) The 3750 with the base image will only support static routing & RIP (officially)... you need the IP Services image for dynamic protocols like OSPF, EIGRP and BGP to work.


2) Also, when designing, you can consider VRRP instead of HSRP... VRRP is an open standard protocol (HSRP is Cisco proprietary) and has faster timers compared to HSRP. In any case, if the network is small and has only Cisco components, HSRP would be more than enough. You can also think of GLBP if you want to load-share traffic between the routers.


3) If possible, have the server NICs in active/passive mode when connecting to two different switches. There can be issues if you have active/active NICs, with the spanning tree instance flapping between the two switches; it can send unnecessary TCNs onto your LAN...


4) If you haven't bought the 3750s yet, look at the 3750-Es. These are newer switches which have many advantages over the 3750s, considering that they run on a 128 Gbps backplane over StackWise technology and support 10Gig uplinks...


Hope this helps.. All the best..


Raj

Rick Morris Tue, 12/15/2009 - 14:09
User Badges:
  • Silver, 250 points or more

The design is good and simple.  Simple is good.  People try to over complicate things and it does not need to be that way for most cases.

With the 3750 and the routers, it might be good to run iBGP and send default routes, or, what I just did, run GLBP, which will allow use of both routers and provide load sharing.  Even if you run iBGP and send default routes to the switch, it will still prefer one router over the other even though both are equal cost.


Also, there have been some who say keep servers behind firewalls.  This is true if the server is for external use.  If a server is being used internally then there is no need, unless you need to restrict access internally too.  If that is the case then you can restrict via ACLs.  However, you can get the same function with the firewall feature set on the routers for static NAT to the public (web, mail) servers.  Also, with 2 routers, have you figured out how your routing will work on the WAN?  You will need to run iBGP between them so you can route between them.  It would be a good idea to get your own IP address space and AS number.  This way you can control your route announcements upstream.

OOO Complex Tel... Tue, 12/22/2009 - 02:49

Thank you for your replies


I have one more question. I need to span several VLANs across all access switches, so I suppose I will have a looped L2 environment here (loops in the form of an "8"). Is this topology still optimal for such a situation?


Maybe it's better to set up a trunk between the two 3560s (and to create one VLAN to form the OSPF adjacency between them; the other VLANs will be passive) so that these loops are smaller. Not sure how to deal with HSRP here though.


And one more: what about CPU utilisation? Will the 3560s handle OSPF + HSRP + user traffic?

Jon Marshall Tue, 12/22/2009 - 05:22
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

dimae-cts wrote:


Thank you for your replies


I have one more question. I need to span several VLANs across all access switches, so I suppose I will have a looped L2 environment here (loops in the form of an "8"). Is this topology still optimal for such a situation?


Maybe it's better to set up a trunk between the two 3560s (and to create one VLAN to form the OSPF adjacency between them; the other VLANs will be passive) so that these loops are smaller. Not sure how to deal with HSRP here though.


And one more: what about CPU utilisation? Will the 3560s handle OSPF + HSRP + user traffic?

I agree with a lot of what has been said. Personally, if you have the right image on your 3750s, I would run a routing protocol (EIGRP/OSPF) between the 3750 stack and the WAN routers. That way both uplinks will be used. With HSRP you only use one link.


If you need to have the same VLAN across multiple access-layer switches then you could face traffic problems if you leave the interconnect between the 3560s as L3. It all depends on which switch is HSRP active for which VLANs. I like your current design and so would recommend you try to remove the need for the same VLAN across multiple switches if at all possible.


If not, then yes, make the link a trunk and just have 2 VLAN interfaces peering with each other and make the rest passive. Without knowing the number of VLANs etc. it's difficult to say, but from the looks of your network diagram the 3560s should be able to cope.


Jon

sachinraja Tue, 12/22/2009 - 11:10
User Badges:
  • Red, 2250 points or more

Agree with Jon...


The recent trend is to have layer 3 at the access, restricting the VLANs to the edge, which gives a much more stable and resilient network architecture. Spanning tree, if not configured properly, can be a devil on layer 2 networks. If you keep extending your layer 2 across many switches, you can end up sourcing lots of unnecessary broadcasts on your network; try to restrict this as much as possible. If spanning VLANs is a necessity, then configure trunks, as Jon mentioned. Have VTP pruning enabled on switches to manually allow only the VLANs which are required on edge switches. If your user count is nominal, I don't think HSRP and OSPF will increase your CPU, but it really depends on your scenario.


Hope this helps.. all the best


Raj
