Layer 2 design confirmation

May 24th, 2010

Hi All,

I look after a small network of around 100 workstations, 35 printers, 70 servers.

My design is such. I use Cisco 2960G's and 3560G's at my access layer. To route between the VLANs I use the 3560G's. I then use an alternative provider for my firewall (DMZ, etc).

At the core of my network is a stack of 3750G's (x4) that my servers are plugged into. I also have my access layer switches connected to the core through portchannels.

My VLANS are as such:

VLAN1: native (this needs to be changed and will be in weeks to come), and also houses some servers and workstations

VLAN8: new server VLAN

VLAN20: new workstation VLAN

VLAN21: printer VLAN

VLAN40: UNIX vlan

VLAN70: management VLAN

VLAN100: voice VLAN (no VOIP solution in place).

The core switch (SW001) is configured as the root bridge for all of my VLANs. I want to optimise the forwarding path for all VLANs and ensure that I am not causing any issues at L2 with the configuration I currently have in place. I have nominated a secondary root in the design. The two L3 switches that do the routing use HSRP. I have removed those VLANs not in use from the trunk links.

My question is, would anybody advise me to do things differently with regards to the root bridge for the VLANs? The utilisation of the switches is very low, as is the throughput of the port channels. The network is over spec for what is required, but when it was put in it was designed for future growth.

There are, I know, issues with the design, that we are addressing. At this stage I just want to ensure that the L2 configuration is optimal.



Reza Sharifi Mon, 05/24/2010 - 05:37

Hi Darren,

The location of your root bridge (Core SW001) is good since that is the most centralized switch. The only other change besides VLAN 1 I would do is to dually uplink your access switches to 2 different core 3750s using Etherchannel if you have not done so.



darren-carr Mon, 05/24/2010 - 16:06

Hi Reza,

If you look at the design (and the port mappings at the bottom) you will see that from the access switches (2960/3560) that they have patches to different switches within the core stack (etherchannel).

What intrigues me is that I read somewhere that if for example (using the example of switch SW011 in my network) that the VLAN only exists on this switch (my UNIX environment), that this switch should become the 'root bridge' for this VLAN.

I have consolidated everything into the stack as this is the core of my network, and is where the etherchannels patch into. Just wondering if I should consider moving the root bridge for VLANs 20 (workstations),21 (printers) to SW002/SW003 and no workstations patch into the stack.



Reza Sharifi Mon, 05/24/2010 - 19:41

Hi Darren,

< Just wondering if I should consider moving the root bridge for VLANs 20 (workstations),21 (printers) to SW002/SW003 and no workstations patch into the stack.>

Since the 3750s are stacked, the stack acts as one logical box. The config applies to all switches in the stack. So no need to move any root bridge around. As for patching workstations to the stack, if possible, I would patch them to the access switches (2960/3560), this way your core does not serve as an access switch but if it is not possible, oh, well.



darren-carr Mon, 05/24/2010 - 19:48

Hi Reza,

I think you have misunderstood my question. I appreciate the stack forms a single switch (I've looked after stacks for a considerable amount of time), and all of my workstations as I mentioned are already patched into the access switches.

My question related to the best position of the root-bridge for VLANS 20,21.

Given that there are few access ports defined on my core stack for any of these VLANS, with the majority being defined on SW002/SW003/SW010/SW014, would it be a better L2 design if the root-bridge was defined for these VLANS only, on one of these switches. As I mentioned, I read somewhere that you should define the root-bridge for a VLAN where the most instances (ports assigned to the VLAN) occur?

So, using my example above, is it preferred to have my root-bridge for VLANS 20,21 as the core switch, if there are so few ports defined for these VLANS on the switch (stack).



Reza Sharifi Mon, 05/24/2010 - 19:59

Hi Darren,

Appreciate your explanation. I think your design is fine in regards to the location of the root bridge and don't see the need to move it for VLAN 20 and 21.



