Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Campus Network Design with Cisco expert Chetan Sharan. Chetan is a Technical Marketing Engineer with Enterprise Solutions Engineering. Feel free to post any questions relating to Campus Network Design.
Chetan may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 15. Visit this forum often to view responses to your questions and the questions of other community members.
VLAN design: I have a Cat5500 with integrated RSM that is performing inter-VLAN routing for about 35 VLANs. We have an ATM card (LS-1015) in the 5500 that switches to 4 other offices, and each VC has a clockwise and anti-clockwise VLAN configured. On VLAN 80 and 88 we have about 1,000 devices on each, plus VLAN 500 is our Internet connection (a FE connection to an ISP). We have three big access-lists on the RSM also. We run IP and IPX on nearly all VLANs.
Every now and then we experience the CPU bursting to 100% when it is normally at 15%. Does our network design cause this, do you think?
The LS1010 blade inside the 5500 does not pass the traffic through the backplane. You still need either a LANE blade or an RSM/VIP with an ATM port adaptor connected to the PAM port. If you define PVCs on the LANE blades, it can only be bound to "ONE" VLAN. If it is running LANE, then each LANE client gets 5 mandatory VCs. If the same is done on the PAs, you simply define the PVC (you don't have the binding option) OR run LANE the same way as what is done on LANE blades. Apart from this, PAs can also run SVCs. Again, there is no way you can associate one VC with two VLANs.
What do you mean by clockwise and anti-clockwise VLANs? This might be a term used by some other networking vendor.
I think you have too many devices on a VLAN and might be seeing high CPU utilization due to some of the reasons mentioned at http://www.cisco.com/warp/customer/63/highcpu.html
I have 2 Catalyst 6509's that are connected to each other using 2x 1Gbit SX fiber GBICs. The fiber links are running EtherChannel so as to form a 2 Gbit link. Is there any way to find out how much of this link is being used at a given time?
I want to know if I need to put in another fiber link between the 2 cores that I will run as the primary link for another VLAN (by setting the spanning tree cost of the 2 Gig link to a high number). If the trunk is not excessively used, then I can still route the new VLAN over the EtherChannel link.
Thanks for the help,
I need to implement Frame-Relay Broadcast-Queue in a network I currently manage, however I can't find any detailed information on its usage and how to calculate the correct parameters. It's a very large network currently suffering from lots of dropped EIGRP broadcasts, causing both EIGRP neighbor changes and SIA issues. I've read all the Cisco documentation on their website, but no luck. For instance:
Do you apply the Frame-Relay Broadcast-Queue to the parent or sub-interface?
Are the calculations based upon all DLCIs on the router, or just the parent and related sub-interfaces?
Is there a formula I could use to figure out what numbers to use for the Frame-Relay Broadcast-Queue command?
for help with Stuck in Active messages.
Frame-Relay Broadcast-Queue is a main interface command. The link below has some more useful information.
Since I am not familiar with your network, I can't assist you with the specific timers needed to tune EIGRP or Frame Relay parameters in this forum. You can contact your Cisco Account team or a Cisco Partner to make best practice recommendations and the tuning needed for your environment.
VLAN scalability question. We have a 6509 Catalyst switch in which we've installed a 16-port 1000BaseSX Ethernet module. We are connecting each port via fiber to 3548's. Each 3548 may or may not be stacked with additional 3548's. No VLANs have been created other than the default VLAN 1. At what point do we consider segmenting the traffic for VLAN 1? That is, can we continue in this manner until all 16 ports are full? Could we add another 16-port module to this 6509 and continue? What indicators would help us determine that another VLAN would be needed to keep broadcast traffic down? Sorry for the newbie question.
If you segregate traffic into VLANs on the 6509, which is a good idea to keep broadcasts down and confine the layer 2 domain, you will need a router to route between the VLANs. This can either be accomplished through the MSFC on the 6500 Supervisor Module or an external router. The MSFC will enable you to do Layer 3 switching in hardware in the 6500.
Regarding what's the threshold to start segregating ports into VLAN, it depends on your network and the type of traffic. Protocols like IPX are more chatty than IP for example. It also depends on user traffic, and applications using broadcast and multicast on the network. Typically a VLAN also maps into a Layer 3 subnet. So you want to keep that in mind too to see how many hosts you can fit with what mask on the layer 3 subnet.
I would recommend not having more than 250 stations on a VLAN. Maybe a little less if there is a good amount of broadcast on the network. This also makes the network easy to manage.
Now I have seven locations within the campus, and each location's clients are connected to a switch (Cisco 1924). Now we are moving to layer 3 switching and we tried to do so. The L3 switch is a Cisco 2948G-L3.
All the clients log in to a NetWare environment and a NetWare server serves them. Also, the Internet connection to the campus is from a Linux proxy acting as a firewall. The campus has its DNS on a Linux server and a web server. Actually we planned to connect all the 1924 uplinks to separate ports, each port carrying a different subnet address. We also planned to connect all servers to different ports and the firewall connection for Internet browsing on another port. Now what happens is that we are not able to connect the NetWare server to the L3 switch. So to save the scene we have connected the NetWare server to one of the layer 2 switches and it is working fine. I am puzzled and not able to find a reasonable reason for this. The layer 3 switch is running the 12 IOS, not the advanced pack for running IP and IPX on the same platform.
And also we are not able to use the original IP on Linux. The setup now is accepting the alias IP of the LAN interface in the Linux server.
These are my issues, and now the solutions I want:
I want to improve the speed in the network. I have tried running WINS but without a good result.
I have not tried VLANs because I don't have any enterprise version of IOS running in the 1924 switch.
What I have done to get here is that I have created a bridge group and I have mapped all the ports participating in the communication into the same group.
Now I want to clarify: is it possible to create two bridge groups, one for the client ports and the other for the server group, and is it possible to make routes for these groups to communicate with each other over some access policies?
Please get me on email@example.com
Or if it is possible, please get me online on firstname.lastname@example.org for some minutes; that would be great.
Expecting the response.
You can put your servers and clients in different bridge groups. Then they can be mapped to separate BVIs in different subnets for clients and servers.
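As an added example that is not from the thread, the following configuration sketches the two-bridge-group layout the expert describes on a 2948G-L3: each group gets its own BVI and subnet, and an access list on the client BVI restricts what clients may reach on the server side. Port numbers, the 172.16.x.x subnets, the server addresses and the proxy port (3128) are assumed.

```cisco
! Added example (not from the thread): two bridge groups on a 2948G-L3,
! each routed through its own BVI, with an ACL between client and server groups.
! Interface names, addresses and the 172.16.x.x subnets are assumed.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
! Bridge group 1: uplinks from the 1924 client switches (two shown)
interface FastEthernet1
 no ip address
 bridge-group 1
interface FastEthernet2
 no ip address
 bridge-group 1
!
! Bridge group 2: server ports (DNS, web, Linux proxy/firewall)
interface FastEthernet10
 no ip address
 bridge-group 2
interface FastEthernet11
 no ip address
 bridge-group 2
!
! One BVI per bridge group; the BVI address is that group's default gateway
interface BVI1
 ip address 172.16.1.1 255.255.255.0
 ip access-group CLIENTS-IN in
interface BVI2
 ip address 172.16.2.1 255.255.255.0
!
! Policy between the groups: clients reach the server subnet only for DNS,
! HTTP and the proxy port; anything else toward the servers is dropped and
! logged, while traffic to other destinations is routed normally.
ip access-list extended CLIENTS-IN
 permit udp 172.16.1.0 0.0.0.255 host 172.16.2.10 eq domain
 permit tcp 172.16.1.0 0.0.0.255 host 172.16.2.20 eq www
 permit tcp 172.16.1.0 0.0.0.255 host 172.16.2.30 eq 3128
 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 log
 permit ip 172.16.1.0 0.0.0.255 any
!
! Note: only IP is routed between the groups ("bridge N route ip"). IPX is
! bridged within a group but not across groups on this image, so NetWare
! clients and their server must share a bridge group.
```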
Is there any way to find out how much a particular port is utilized in a 6509 switch (I am in hybrid mode) in CatOS mode?
Is there any way to find out a figure, say xx/255 or so, like the way a router displays the link utilization?
You can try the "show top" command in Hybrid.
Can our new Cisco gear isolate certain switch ports (into a VLAN??) at both ends of a T1, while still sharing the T1 with other traffic?
Sites A,B,C are linked by T1s into a triangle. All have 3640s and 6509s with 3548s in IDFs. Several ports at site A and several ports at B should connect to each other, but with their traffic inaccessible to anyone else, and without hogging the T1s.
Doable? Recommended? It would replace an existing VPN.
Thank you! (oops! T1 is not campus. can you help anyway?)
NJ Dept of Health
You can definitely segregate switch ports into VLANs on the same switch, which is a good way to isolate the ports. The router with the T1 interface can route between the VLANs or enforce policies (access lists) for what traffic you want to pass where.
Since I am not familiar with your topology, I might not be understanding your question correctly. You might want to work with the Cisco Account Team or a Partner on implementation of the topology and network design.
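The approach in this answer, as an added example that is not from the thread: the isolated ports at site A go into their own VLAN on the 6509, the 3640 routes that VLAN on a dot1Q subinterface, and an access list on that subinterface lets it exchange traffic only with the matching isolated subnet at site B. Site B mirrors it with the subnets swapped. VLAN numbers, ports, addresses and interface names are assumed.

```cisco
! Added example (not from the thread), site A side. VLAN numbers, ports,
! addresses and interface names are assumed; site B is the mirror image.
!
! --- Catalyst 6509 (CatOS) at site A: isolated ports in VLAN 50,
! --- general users in VLAN 10, dot1Q trunk on 2/1 up to the 3640
set vlan 10 name users
set vlan 10 3/5-24
set vlan 50 name isolated-AB
set vlan 50 3/1-4
set trunk 2/1 on dot1q
!
! --- 3640 at site A: one subinterface per VLAN on the trunk port
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 10.1.50.1 255.255.255.0
 ip access-group ISOLATED-IN in
 ip access-group ISOLATED-OUT out
!
! The T1 is shared: both VLANs are routed across it as separate subnets
interface Serial0/0
 ip address 10.255.0.1 255.255.255.252
ip route 10.2.0.0 255.255.0.0 10.255.0.2
!
! The isolated VLAN may talk only to the isolated subnet at site B;
! everything else in either direction is dropped and logged
ip access-list extended ISOLATED-IN
 permit ip 10.1.50.0 0.0.0.255 10.2.50.0 0.0.0.255
 deny   ip any any log
ip access-list extended ISOLATED-OUT
 permit ip 10.2.50.0 0.0.0.255 10.1.50.0 0.0.0.255
 deny   ip any any log
```

The access lists isolate the traffic but do not limit its bandwidth; keeping the isolated VLAN from hogging the T1 is a separate queuing or rate-limiting decision.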
a) STP question:
Our campus network is required to be 99.999% available, so I'd like to decrease the STP convergence time, e.g. in the case of adding a new trunk.
Do you think that the latest CatOS 7.1.2 is stable enough to configure Multiple Spanning Tree (MST) in our distribution layer? The distribution layer is Cat4000 based, with one Cat6006 connecting our server farm. What I'm afraid of are the Cat3500, 2900 and 2950 switches in the access layer, which don't support MST. So there would be a big number of PVST+ switches connected to the MST region, and I'm afraid of possible interaction problems.
b) Hitless upgrade question:
I expected that CatOS 7.1.1 would be upgradable to 7.1.2 with the "hitless upgrade" feature on Cat6000. But when I tried to use "high availability versioning", the result of the "show system highavailability" command was OFF!! I know it works from CatOS 6.1 to 6.2 but not from 6.2 to 6.3. There was a notice in the release notes about some basic change in 6.3 which caused the incompatibility. But there was nothing about 7.1.2!!
Is there any rule for CatOS version compatibility or is the "hitless upgrade" only a market trick?
CatOS currently supports 802.1s and 802.1w for the Catalyst 4000 and 6000 series. CatOS is stable for the support. The standard itself is a fairly new standard ratified by IEEE in comparison to 802.1d. You need interoperability between MST and PVST+ because of the reason you pointed out. Please look at the following URL for understanding the protocol and an interoperability example
In order for HA to work the images have to be compatible. Images are not compatible when there has been some significant change in code, for example firmware changes. Because of this there is no guarantee that from one release to another in the same train, HA compatibility would always be there. You can use HA for hitless software upgrade and it does work, but you need to consult the release notes for version compatibility.
If you are having problems with HA versioning on a compatible version, or you believe the Release Notes are not correct, please contact Cisco TAC at http://www.cisco.com/tac for troubleshooting the problem.
My question is related with the wireless network IEEE 802.11b especially its physical layer.
Is there software (or an additional PC Card) to use with the PCMCIA IEEE 802.11b card in a laptop in order to extract some measurements concerning the physical layer, such as the channel impulse response (frequency response or time response)?
This sounds more like an RF compliance measurement or an RF analyzer. I don't believe there is anything of this sort available via a PCMCIA NIC. You might want to try posting your question on Wireless forums at:
I have a 2611 router with a serial interface and an Ethernet interface. I want all traffic destined for networks out of the serial interface to use the interface address of Eth0/0. Can this be done?
I am using static routes, no routing protocols are enabled...
... I don't think this can be done, however I just need verification.
Thanks in advance,
Yes, this can be done through Network Address Translation. Please look through the NAT documents on www.cisco.com/tac
I have a Cat5505 and a 3620 with 2 FE. And I've read this bookmark
I want to configure MLS with an external router. But in practice my first configuration attempt did not give a positive result.
By default the sc0 interface is in VLAN 1. It has IP address 172.16.27.103 255.255.0.0. I added two VLANs: 2 & 6, and set groups of ports to these VLANs.
On the router I have configured 3 sub-interfaces, one for each VLAN: fa0/0.1 VLAN 1, fa0/0.2 VLAN 2, fa0/0.6 VLAN 6. And I made all steps on the router and switch according to the document highlighted above.
The primary router interface doesn't have an IP. And the switch cannot see the router.
What should I do and where are my mistakes?
Can you post any working config for the switch and router?
I have a setup where a 6509 is configured as the core switch, 4908G as distribution switch and 3548 as access switch. There are 7 blocks and 28 VLANs in total. But some of the VLANs (8 of them) are distributed all over the campus. Others are particular to a block. I am doing inter-VLAN routing for the VLANs belonging to a block in the distribution layer itself.
But my concern is:
1. I will have to do inter-VLAN routing for the other VLANs spread all over the campus in the 6509. If I do it in the core switch, then if the link between distribution and core fails he will not be able to reach the default gateway configured in the 6509. And hence he may not be able to communicate with other VLANs that are configured in his own block.
3. If I configure BVI interfaces in the distribution switch and pass VLAN info to the 6509, what about the other blocks?
The IP address of the default gateway will be the address of the BVI interface configured in the 4908G of that particular block. This will lead to configuring different default gateways belonging to the same network in each block.
How will I go about it?
Can a port belong to two VLANs? Can you explain the concept of multi-VLAN?
Thanks and regards
I assume for the first question you meant that the default gateway for clients on the 3548 is configured on the core 6500. If you dual-attach your 4908 to 2 cores then you won't have this problem. Having a redundant core buys you availability for the situation you described.
You should have each block on its own subnet. And the distribution layer switch of that block becomes the default gateway for the clients in that block. Redundant distribution layer switches can offer first hop redundancy (default gateway redundancy) through HSRP.
On the 6500 series, ports can't belong to 2 VLANs (multi-VLAN). A multi-VLAN port is basically a port which is part of 2 VLANs at the same time. In short it merges 2 layer 2 domains together. We offer this feature in some of our switches like the XL series. Higher-end switching platforms like the Catalyst 6500 and 4000 never supported this feature. Also, future software releases might not support this feature.
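The first-hop redundancy the expert recommends, as an added example that is not from the thread: two 4908G-L3 distribution switches for one block share a single HSRP gateway address for that block's subnet, each with its own uplink to a core 6509, and interface tracking hands the active role over when a switch loses its core uplink. Interface names, bridge-group and HSRP group numbers, and the 10.7.x.x addresses are assumed.

```cisco
! Added example (not from the thread): HSRP default gateway for one block on
! two 4908G-L3 distribution switches. Interface names, group numbers and the
! 10.7.x.x addresses are assumed. The block's clients use 10.7.10.1 as gateway.
!
! --- Distribution switch 1 (preferred active)
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
interface GigabitEthernet1
 description uplink to core 6509 (first core)
 ip address 10.7.255.1 255.255.255.252
interface GigabitEthernet2
 description down to the block's 3548 access switches
 no ip address
 bridge-group 10
interface BVI10
 ip address 10.7.10.2 255.255.255.0
 standby 10 ip 10.7.10.1
 standby 10 priority 110
 standby 10 preempt
 ! drop below the peer's priority if the core uplink goes down
 standby 10 track GigabitEthernet1 20
!
! --- Distribution switch 2 (standby, takes over on failure)
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
interface GigabitEthernet1
 description uplink to core 6509 (second core)
 ip address 10.7.255.5 255.255.255.252
interface GigabitEthernet2
 description down to the block's 3548 access switches
 no ip address
 bridge-group 10
interface BVI10
 ip address 10.7.10.3 255.255.255.0
 standby 10 ip 10.7.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 track GigabitEthernet1 20
!
! Both switches still need routes toward the other blocks' subnets via
! their core uplinks; with a single default gateway address per block there
! is no longer a different gateway for the same network in each block.
```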
If I understand correctly, you are trying to do external MLS on a Catalyst 5505 with an external 3620 router. Look for Multilayer Switching in the following URL. It should provide you with good information and examples of configs to get started.
Thanks. I find this link very helpful.
And I have tuned up MLS IP&IPX on test router and
But today I have another problem: how can I make the whole MLS-Windows-network visible from one segment? I mean making all Windows groups visible in Network Neighborhood on a PC in each network segment. On all PCs we have NetBIOS over TCP running.
Some segments have a Primary Domain Controller, some of them not, just a simple Windows workgroup of PCs with W98/NTWS/2000.
How can I tune the router to make it possible?
One more thanks.
The following links should help you with the answers: