Need help with network design.

Jun 15th, 2012

Hello cisco community,


I have been recently asked to design a network. What I have for equipment is four 2960G's and one 1941 router.

One switch is a root switch and the other three will have end devices on them.


I have decided on three VLANs: VLAN20 Data, VLAN30 iSCSI, and VLAN99 Management, each with separate trunk links and redundancy (see picture below).

I have separate trunks for each VLAN using switchport trunk allowed, with the exception of the Data VLAN.

My design has the Data VLAN as the native because it is going to be receiving untagged traffic from the external network.

I have set up intervlan routing on the 1941 via sub-interfaces to allow them to talk to each other (or because of allowed they cannot?)

I have one port coming from my router to my switch via Ethernet cable which is my bridge out.

I have my external port doing a NAT translation for my inside addresses and a Default route set up ip route 0.0.0.0 0.0.0.0 gig0/0

I am using rapid-PVST to prevent loops and provide my zero downtime convergence when a link goes down.

As it stands right now I cannot talk out of my network or inside of my network.



[image: untitled.jpg]

You can see it is highly redundant and I do not want to change it. This network is going to be deployed but there will never be anybody physically there to manage it which is why I made it as redundant as humanly possible.


I am looking for suggestions to help a first time designer make this complexity a little more simple.

Leo Laohoo Fri, 06/15/2012 - 22:59

Your design is an STP nightmare in the making.


Are the 2960G in the same cabinet? 

Hitesh Vinzoda Sat, 06/16/2012 - 04:23

Hi,


Redundancy is fine, but most of the uplinks will be in blocked state due to STP, and that is good. Ensure that your centre switch is always elected as root using the spanning tree priority command, and enable the BPDU guard feature along with port recovery using the errdisable recovery command, so that no one can plug switches into this network without your knowledge and introduce a potential loop.


HTH


Hitesh Vinzoda

Pls rate useful posts.

soroushm Sat, 06/16/2012 - 06:13

hi,


Look, no matter how complicated u make this layer 2 network, aka the STP nightmare, at last u want inter-vlan routing and there is a big single point of failure (1941 connection), have that in mind.


Regards,


Soroush.

JohnTylerPearce Sat, 06/16/2012 - 06:28

I agree with Leo, redundancy is a good thing, but too much redundancy can lead to nightmare scenarios. I agree with using RPVST+ on the switched network. Why not have the router go to a core switch, and then have each access switch connecting to the core switch via a 2-link L2 EtherChannel bundle, and/or just implement L3 links and have the VLANs terminated at the access layer. Remember, keep it simple, stupid. That's the best advice that you can give yourself for almost anything.

Peter Paluch Sat, 06/16/2012 - 06:46

Dear friends,


I do not think that at this point the network is overly redundant or "nightmarish". What I see is simply four switches connected in a full mesh with three links each. Almost identical to CCNP:SWITCH labs, by the way.


My suggestions:


  1. Do not use switchport trunk allowed vlan. That essentially removes the redundancy from your network for each particular VLAN - if a trunk with a particular allowed VLAN breaks, the only backup path is probably around the entire topology, and then again only through the trunks where the particular VLAN is allowed. With a little planning, you can always assign such STP port priorities that if one of the parallel trunks fails, the other will take on both VLANs without changing the entire "route" of the frame. This can get tedious, however, so see Suggestion 2.
  2. Even better, I suggest using EtherChannels all the time, again without using switchport trunk allowed vlan. This will both allow you to better use the available bandwidth in your network, and at the same time, simplify the operation of STP in cases of link failures. Unless the entire port bundle fails, the STP does not really care and does not need to reconverge.
  3. At all costs, avoid using the native VLAN for any purpose! Having devices in the native VLAN means allowing your network to be susceptible to VLAN hopping attacks by double tagging. Configure your trunks with a separate native VLAN that is never used as an access VLAN. In other words, avoid using the native VLAN for anything else. Also avoid using VLAN 1. Do not be concerned with the data VLAN receiving untagged data from external networks: simply allocate an access port in the data VLAN for the external network. An access port does not need tags anyway, and will properly assign the traffic into the data VLAN.


Best regards,

Peter
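A root-switch configuration that puts Hitesh's advice (forced root, BPDU guard, errdisable recovery) and Peter's suggestions 2 and 3 together, added here as an example rather than anything posted in the thread: port numbers, the unused native VLAN 999 and the 10.0.99.0/24 management subnet are assumptions; the VLAN IDs and rapid-PVST are Eddie's choices.

```cisco
! Added example for the root 2960G, not a config from the thread. Port
! numbers, native VLAN 999 and the 10.0.99.0/24 management subnet are
! assumptions; VLAN 20/30/99 and rapid-PVST are Eddie's choices.
vlan 20
 name DATA
vlan 30
 name ISCSI
vlan 99
 name MGMT
vlan 999
 name UNUSED_NATIVE
spanning-tree mode rapid-pvst
! Hitesh: this switch must always win the root election ...
spanning-tree vlan 20,30,99 root primary
! ... edge ports shut down on any received BPDU, and err-disabled ports
! recover by themselves since nobody will be on site to clear them.
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
! Peter's suggestion 2: bundle the parallel links to each neighbour, so
! STP sees one logical link and a single member failure needs no reconvergence.
! Repeat with channel-group 2 and 3 for the other two access switches.
interface range GigabitEthernet0/21 - 22
 description Bundle to access switch 1
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30,99
! Trunk to the 1941: same native VLAN, which is never used as an access VLAN
! (suggestion 3) and is not even allowed on the trunk, so untagged frames die here.
interface GigabitEthernet0/1
 description From 1941 Gi0/1 (router-on-a-stick)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30,99
! Untagged feed from the external network lands on an access port in VLAN 20,
! so the data VLAN no longer has to be the native VLAN.
interface GigabitEthernet0/2
 description Untagged feed from the external network
 switchport mode access
 switchport access vlan 20
! The switch's own management address lives in VLAN 99 only.
interface Vlan99
 ip address 10.0.99.11 255.255.255.0
ip default-gateway 10.0.99.1
```

The allowed list is the same on every trunk, which is what keeps the redundancy Peter's suggestion 1 warns about losing; it is the per-trunk, single-VLAN lists that break the backup paths.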

Leo Laohoo Sat, 06/16/2012 - 17:55

G'evening Peter (when do you ever sleep!).


If I ever come across a layer 2 link with multiple uplinks going to a single or mesh, it brings back moments when we had issues with early generation of switches (2900/3500XL) and STP. (I still get occasional twitches when I see designs like the one above.)


In the end, we went with Layer2 or Layer3 etherchannels.

Eddie.brown1986 Mon, 06/18/2012 - 20:37

Thanks everyone for the replies. Now by splitting the trunks into a separate VLAN-only configuration I am trying to separate the traffic from seeing each other on the trunks. On the other hand I am using intervlan routing (router on a stick configuration) to make my VLANs talk to each other, which is essential only on the interior.


I do not want VLAN99 or VLAN30 to ever see the outside. However I do need VLAN 30 to talk to 20 and vice versa. VLAN 99 is strictly for the management ports of my devices and does not need to see VLAN 20 unless to traverse the network for telnet etc., and that is where I am having the most difficulty. I am wondering if by using intervlan routing it goes to the router port with the sub ints. The router then decides where it needs to go and sends it out on the native VLAN, and the native VLAN will deliver it to the VLAN it needs to end up in. That is where I get confused: how it travels from the router back to the switches.


What other command is there other than the trunk allowed, native and pruning?



Hitesh:

I was thinking of using Mac blocking instead of BPDU guard.


Peter:


1. I do want to keep the traffic separate from one another. Another question I have is that I have the ability to add three more links from the router to the switches, but I am not sure if STP works on a router in the same sense as a switch.


2. If I use a native VLAN and I only use it on the trunk from the router to the root switch with zero access ports attached to it, will it deliver the traffic destined to VLAN20 on the VLAN 20 trunk? Or will it no longer know what to do with it because all of the other trunks are segmented to their particular VLAN?


3. I was thinking of using EtherChannel; the only problem is I am running low on ports as it is. I have a lot of end devices eating up 75% of my ports already.

Peter Paluch Tue, 06/19/2012 - 01:23

Hello Eddie,


"Now by splitting the trunks into a separate VLAN-only configuration I am trying to separate the traffic from seeing each other on the trunks."


I am sure you know that even though trunks carry the traffic of many VLANs, these VLANs never mix together, thanks to tagging the traffic with the appropriate VLAN tag. It does not matter that two or more VLANs are carried through a single physical trunk - they won't leak into each other. If you are planning to configure each trunk for a single allowed VLAN only then you don't need trunks at all. You could achieve the same by configuring each link as an access link within a particular access VLAN. But I do not recommend using this kind of setup.


"I am wondering if by using intervlan routing it goes to the router port with the sub ints. The router then decides where it needs to go and sends it out on the native VLAN, and the native VLAN will deliver it to the VLAN it needs to end up in. That is where I get confused: how it travels from the router back to the switches."


In the easiest approach, the router will have subinterfaces configured for each VLAN. Each of these interfaces will be configured with the VLAN number of its respective VLAN and its own IP address in non-overlapping networks. In the routing table, each of these networks will appear as directly connected to the particular subinterface. When a router needs to send a packet to the particular VLAN, it will see that it is connected to the particular subinterface, and will tag the packet using the preconfigured VLAN number of that subinterface.


So when a packet arrives from VLAN 20 and is addressed to an IP station in VLAN 30, the router will receive the packet through the subinterface in VLAN 20, extract the destination IP address, perform a routing table lookup and it will see that the destination is in the network that is directly connected to the subinterface for VLAN 30. So the router will send the packet out the same physical interface but will add the VLAN tag of 30 (the former VLAN 20 tag is removed before). Essentially, with inter-VLAN routing using an external router, the packets arrive at the router with one VLAN tag and are sent back through the same link with a different VLAN tag. It's as easy as that.


Please note that I am not mentioning the native VLAN here at all. I suggest you don't try to wrap your head around the native VLAN at this point. For what you need to configure, the native VLAN is an irrelevant topic. It proves to be one of the most confusing and useless aspects of the 802.1Q tagging standard.


"1. I do want to keep the traffic separate from one another. Another question I have is that I have the ability to add three more links from the router to the switches, but I am not sure if STP works on a router in the same sense as a switch."


Keeping the traffic on separate trunks does no harm, but at the same time, it may complicate things without having any significant advantage. Why do you want to do that?


Regarding the external router and three more links - routers do not commonly speak STP on their routed ports and do not need it, because they do not perform bridging/switching functions on them.


"2. If I use a native VLAN and I only use it on the trunk from the router to the root switch with zero access ports attached to it, will it deliver the traffic destined to VLAN20 on the VLAN 20 trunk? Or will it no longer know what to do with it because all of the other trunks are segmented to their particular VLAN?"


Each trunk has a native VLAN, Eddie. There is no such thing as "using the native VLAN only on the trunk from the router to the root switch". At this point, I believe, you need to first get a good grasp of VLANs, trunks and inter-VLAN routing. The native VLAN is a niche concept that you don't need to worry about right now. Simply - do not configure the native VLAN, do not use it, do not think of it. Leave it alone - it is currently VLAN 1, so avoid using VLAN 1 for whatever purposes. At this point, it's one problem less to think about, rather than trying to think in a big picture and get lost because of these quirks.


"3. I was thinking of using EtherChannel; the only problem is I am running low on ports as it is. I have a lot of end devices eating up 75% of my ports already."


I was thinking about using EtherChannels between your switches. You already have multiple parallel links running between your switches, and I suggest bundling them into EtherChannel groups. No additional physical ports should be used for that.


Best regards,

Peter
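Peter's packet walk (in tagged 20, out the same link tagged 30) written out as a 1941 configuration, added here as an example and not Eddie's or Peter's config; it also enforces Eddie's earlier requirement that VLAN 30 and 99 never see the outside and that only VLAN 20 opens management sessions into VLAN 99. Addresses, interface numbers and the subnet per VLAN are assumptions; the VLAN IDs, NAT and the default route come from the thread.

```cisco
! Added example, not Eddie's running config. Addresses, interface numbers
! and the subnet per VLAN are assumptions; the VLAN IDs, the 1941, NAT
! and the default route come from the thread.
interface GigabitEthernet0/0
 description Uplink to the external network
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 no shutdown
! Router-on-a-stick: one physical trunk, one dot1Q subinterface per VLAN.
! A frame tagged 20 enters via .20 and leaves the same link tagged 30.
interface GigabitEthernet0/1
 description Trunk to the root 2960G (native VLAN 999, unused)
 no ip address
 no shutdown
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group FROM_VLAN20 in
 ip nat inside
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
 ip access-group FROM_VLAN30 in
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 10.0.99.1 255.255.255.0
 ip access-group FROM_VLAN99 in
! Only VLAN 20 is translated, so VLAN 30 and 99 can never reach outside.
ip access-list standard NAT_INSIDE
 permit 10.0.20.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload
! A default route to an Ethernet interface (as in the thread) only works
! through upstream proxy ARP; a next-hop address is the safer form.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! VLAN 20 may manage VLAN 99 (telnet as in the thread; SSH preferred),
! talk to VLAN 30 and go outside; nothing else may enter VLAN 99.
ip access-list extended FROM_VLAN20
 permit tcp 10.0.20.0 0.0.0.255 10.0.99.0 0.0.0.255 eq 22
 permit tcp 10.0.20.0 0.0.0.255 10.0.99.0 0.0.0.255 eq telnet
 deny   ip any 10.0.99.0 0.0.0.255
 permit ip any any
! VLAN 30 (iSCSI) talks to VLAN 20 and nothing else.
ip access-list extended FROM_VLAN30
 permit ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny   ip any any log
! VLAN 99 may only answer sessions opened from VLAN 20.
ip access-list extended FROM_VLAN99
 permit tcp 10.0.99.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 deny   ip any any log
```

Every VLAN 20 to VLAN 30 packet, iSCSI included, crosses the single router link twice (in tagged 20, back out tagged 30), so that one link is both the throughput ceiling and the single point of failure soroushm pointed out.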

Eddie.brown1986 Tue, 06/19/2012 - 07:00

Thanks Peter,

I have been taking a methodical approach for this design and doing some learning at the same time. I will forget about the native vlan for my design until I fully understand what it is doing.


You said that each trunk has a native VLAN and by default VLAN 1 is the native. But when I issue the switchport trunk native vlan x command I am then switching the native VLAN on that particular trunk to something other than 1. Or does VLAN 1 still exist on that trunk?


I am going to combine these trunks using EtherChannel and allow all my VLANs to traverse them. So I would use the "allowed 20,30,99" command for that.

The only reason I wanted them to be on different trunks completely is to save on bandwidth. The 30 is going to be using about the same amount of bandwidth as the 20, so I figured if I dedicated them a trunk each I would have no problems with the flow of traffic. Yes, a little more complexity, but a lot less headaches when it starts to bottleneck.


I am going to remove the trunk native vlan 20 command from my interfaces and switch it to the allowed 20,30,99 instead, to see how it all works without a native being defined on that trunk.


Thanks again,

Eddie

vijay.swaminathan Tue, 06/19/2012 - 07:21

Hi Eddie,


Just wanted to comment on the section highlighted below.


"You said that each trunk has a native VLAN and by default VLAN 1 is the native. But when I issue the switchport trunk native vlan x command I am then switching the native VLAN on that particular trunk to something other than 1. Or does VLAN 1 still exist on that trunk?"


When you say switchport trunk native vlan x, the native VLAN is set to 'x' on that trunk link and all untagged traffic belongs to VLAN 'x',


whereas when you don't specify the native VLAN, the native VLAN would be the default VLAN (VLAN 1) and all untagged traffic belongs to VLAN 1.


HTH

-Vijay
