We currently have 2 Cisco 3550 EMI versions in our network. Everything is done in Static Mode presently. We have 2 providers to which we advertise our IPs manually. So we simply tell them our routes and they add them in their BGP, and for outgoing routes we only have ONE provider to which it goes, since there is no real routing being done.
In any case, we want to know if we can run a GOOD BGP network using the 3550 EMI, or whether we need to upgrade our infrastructure, and if so what you would recommend.
We will run about 500-1000 servers within 1 year and currently run at about 100 Mbit persistent bandwidth per month. We are looking to expand very fast and we wanted something pretty solid that will let us run a FULL BGP service with immediate provider failover etc...
We were looking at either the new Cisco 4948 or the Cisco 3750, but we wanted expert advice...
Can someone please recommend a solution, or tell us if our existing hardware can do it pretty well...?
You have mentioned you want to run "full" BGP, so I assume you want to take full Internet routes from your providers.
The 3550, whilst it can do BGP, will not handle full Internet routes. You could take just default routes from your providers, but even still I have noticed that the 3550s suffer a big performance hit when pushing large amounts of traffic and running BGP in a production environment.
I would definitely be looking at buying some new routers to serve as the border routers between your providers and your network, and keep the 3550s as a distribution layer (end user/server connections) only.
The 3750 will certainly run BGP, but I am not sure how it will perform taking full routes from multiple providers. If you just want to take directly connected + default routes (depending on the size of your provider) then they should suffice and work fairly well. If you are wanting to take full routes, I would look at the 7200VXR series... very affordable (both new and second-hand from authorised Cisco resellers), and they have enough grunt with the NPE-G1 or G2 processing engine to take full routing tables from multiple providers and give you more room to grow into.
In addition to the above post, you can also look at getting a 6500/7600 with Sup-720. This will work for you and is an easily scalable solution.
Cat3550, 3750, 4948 and Cat4500 will not take the full BGP routing table.
But what is the main advantage in us taking FULL ROUTES or not...? We want to run a good network with multiple providers on BGP. I do not understand what full routes or minimal routes mean... can you please elaborate?
Most providers will send you one of these basic sets of routes, and maybe some others...
Default: You receive only a default route from the provider. You have no visibility past your provider's next-hop router of what routes are where.
Connected + Default: The provider sends you the routes of all its directly connected customers and a default route. You have visibility of the provider's network and customers but nothing further out.
Full Routes: You receive all 200,000+ routes currently on the Internet. You have complete visibility of the Internet and various options for routing to various networks.
The advantage of taking full routes is you can then start setting up traffic engineering to prefer certain providers/paths for certain traffic and a host of other things.
Can you tell me if the Cisco SWITCH (not router but SWITCH) 4500 will do FULL ROUTE BGP? And if yes, what modules do we need to buy? If not, what switch and modules should I buy that will do all this...
Do you know if private VLAN is available on the CAT3550?
Do you know how many VLANs the CAT 3550 can manage?
Do you know how much bandwidth a CAT 3550 can handle (or can uplink to the core CAT6500)?
The way I see things, we would set up a 6500 as the core switch with full BGP to our provider.
We would put the 2 x CAT3550 in HSRP and in BGP with the CAT6500 for the default route and a redundant route in case one of the CAT3550s died.
We are currently using layer 2 switches as end user switches, 1 server per port. The best way would be to create a VLAN per port or per client (in case a client has more than 1 server with us). The problem is the number of VLANs it would take and the loss of 2 IPs per VLAN. Private VLAN would be the solution, but I think each end user switch must support PVLAN, which is not the case currently, and the cost of PVLAN switches is high. The other issue is that if we have 24 end user switches connected to the CAT 3550, the total bandwidth will saturate the CAT 3550.
What can we do to get around these constraints, and what would be the best way of doing things for our needs?
Let us know if you need more detail.
The 4500 does not take the full BGP routing table. You need at least a 6500/7600 switch with Sup720.
No, private VLANs are not available on the 3550.
The 3550 supports up to 1005 VLANs.
The 3550 has 24 Gbps backplane capacity. The maximum uplink bandwidth it can manage is up to 16GB.
Yes, you should use the 6500 peering with your BGP provider.
Why do you need 3550s? My suggestion is to use two 6500s with BGP peering to your ISP and run them in HSRP. Then uplink your access switches directly to the core if you have a two-tier architecture.
I am a little confused after reading your last PVLAN questions. Please explain your requirement.
HTH, please rate if it does.
We have 2 /22 IP ranges to provide to all our dedicated server clients. We are in the business of server rental.
Currently we set up 1 VLAN per switch, but it allows clients to steal IPs from other clients, and it is hard to manage when a client needs a new IP and we do not have any more empty IPs in the range of the VLAN. We usually manually route IPs to the VLAN, but it grows into a big routing table with xxx.xxx.xxx.xxx 255.255.255.255 entries.
What I was thinking of doing was to set up private VLANs for our customers instead of VLANs: 1 private VLAN per server with the range of IPs allocated to this server.
The goal is to avoid clients stealing unused IPs, to get better and easier control over how our IPs are used, and for security (avoiding a client in a VLAN being able to see all traffic in promiscuous mode).
Just to be sure it is clearer:
We have 300 servers on 8 different layer 2 end user switches. Those 8 switches are connected to the 3550 switch, which is the core switch for now, 1 VLAN per switch with a /24 IP range per VLAN. I would like to optimize this architecture and have more control over IPs and the way our clients see the network. Some clients could be abusers (cracking other servers, stealing resources etc.). I want more control over all our clients.
I'm a little confused about the topology you suggest.
You wrote:
Why you need 3550's. My suggestion is to use to 6500's with BGP peering to your ISP and run them in HSRP
I'm a little confused by "and run them in HSRP". *Are you referring to the 3550?*
You wrote:
Then uplink your access switches directly to core if you have a 2 two-tier architecture.
I'm a little confused by "uplink your access switches directly to the core". *Do you mean connecting our layer 2 end user switches directly to the 6500 core switch?*
As for the two-tier architecture, could you elaborate on it? I'm not sure I understand what it means exactly.
There are a few options with the 3550, but I'm not sure how well they'll scale:
* You could configure customers with L3 ports (if they only need one port) or an SVI if they need more than one port; then just use static routes on the 3550s to route 'extra' IPs to customers who need them. Then use an IGP to distribute the routing information between your 3550s and whatever edge routers you have.
* You could go for the "really big" VLAN setup and use 802.1x authentication with port ACLs. You can then define port ACLs to limit what users can see/do. I've only done this on a small scale so I'm not sure how well it'll scale in your hosting provider setup. You can read more about 802.1x authentication (with port ACLs) at:
I really would suggest going down the path of separate L3 (i.e. routed) ports per client and just using static routes on each 3550 to route extra IPs to the clients. I'd do that for new clients that came along and consider port ACLs for existing clients (static port ACLs or 802.1x-fed ACLs).
The 3550s run BGP fine - I'm running a pair as edge routers for a small network here - and they'll happily route a couple of hundred megabits. They and the other workgroup/LAN switches (so 3550, 3560, 3750, 4948, 4000/4500, low-end 6500 supervisors) don't have enough TCAM to install all of the BGP table into the local routing table.
You can use the above as BGP peers and configure for two upstreams relatively simply. You'd just ask your providers to announce a default route to you (or inject it yourself) and announce your networks how you want. They'll provide most of what you need for provider failover - but a full BGP table lets you notice when your provider suddenly can't reach parts of the Internet, allowing you to start routing to those destinations via another provider. As others have said, you won't be able to take a full routing table (or on the 3xxx series stuff, anything close to a full BGP routing table), so you can't do much in the way of traffic engineering with them.
For 100 Mbit+ and full BGP I'd second the suggestion of 7200VXR+NPE-G1 or 730x. You could go down the path of 6500/7600 with whatever the latest supervisor modules are that'll take the 200,000+ routes in the global BGP table, and it'll scale far past 100 megabits of transit, but it'll get reasonably pricey very quickly. The NPE-G1 or NPE-G2 will be significantly cheaper and I think a good investment for the time being.
Take a look at the pricing for the above with your account managers and see what they can do for you.
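The routed-port-per-client design described in the post above, written out as an added example; this is not configuration from the thread or from any of its participants. The hostname, interface numbers, OSPF area and all addresses (taken from the RFC 5737 documentation ranges) are assumptions. Customer A gets a single routed port on a /30 plus an extra /29 reached through a static route; customer B, with two servers, gets a VLAN and an SVI instead. Each customer has an inbound ACL that admits only that customer's own addresses as sources, which is what stops one tenant from using another tenant's unused IPs or spoofing a neighbour. The connected customer subnets and the per-customer statics are redistributed into OSPF toward the edge routers.

```cisco
! Added example: 3550 EMI distribution switch with per-customer routed ports.
! Hostname, interfaces, OSPF area and all addresses (RFC 5737 ranges) are assumed.
hostname dist-3550-a
!
! Uplink toward the edge/border routers (routed port, runs OSPF)
interface GigabitEthernet0/1
 description uplink to edge
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! Customer A: one server, one routed port, /30 point-to-point link
interface FastEthernet0/5
 description customer-A server
 no switchport
 ip address 192.0.2.1 255.255.255.252
 ip access-group CUST-A-IN in
!
! Extra addresses for customer A: a /29 routed to the server's link address.
! The server itself must configure these addresses (loopback or alias).
ip route 192.0.2.8 255.255.255.248 192.0.2.2
!
! Customer B: two servers, so a VLAN plus an SVI instead of a routed port
vlan 110
 name customer-B
!
interface range FastEthernet0/6 - 7
 description customer-B servers
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan110
 ip address 192.0.2.17 255.255.255.240
 ip access-group CUST-B-IN in
!
! Inbound ACLs: only the addresses assigned to that customer may be sources.
! A packet sourced from another customer's IP is dropped at ingress, so a
! tenant cannot "borrow" unused addresses or spoof a neighbour.
! No "log" keyword: logged denies are punted to the 3550's CPU.
ip access-list extended CUST-A-IN
 permit ip host 192.0.2.2 any
 permit ip 192.0.2.8 0.0.0.7 any
 deny   ip any any
!
ip access-list extended CUST-B-IN
 permit ip 192.0.2.16 0.0.0.15 any
 deny   ip any any
!
! Advertise customer subnets and the per-customer statics to the edge routers
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.3 area 0
 redistribute connected subnets
 redistribute static subnets
```

The trade-off is address consumption: each single-server customer burns a /30 on the link, which is the "lost IPs per VLAN" concern raised earlier in the thread, but in exchange the routing table holds one static per extra block instead of one /32 per address, and the ACLs are evaluated in TCAM rather than on the CPU as long as they stay small.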
What module do we need exactly on a Cisco Cat 6500 to do full BGP and provide a network of thousands of servers with a 100 Mbps link to the Internet?
We are considering having more than 2 Internet providers shortly and would like to get a fully redundant solution in case an ISP goes down.
We need to be able to mitigate DDoS attacks against us to protect our clients.
We would like to know which parts (modules) we need and which software we need.
We looked a little at Cisco's site and found some information about the different modules, but it seems quite complex to just choose without deeper knowledge of how the modules interact with each other in production.
You'll want to look into the Sup720-3BXL. The key thing to look at is the number of unicast routes the hardware supports. The Sup720 supports 256,000 routing entries, which doesn't give you much room to move with the current full routing table being at 200,000 routes. The Sup720-3BXL supports 1 million routes.
I'd also suggest you have a chat with your Cisco account manager and find out what their roadmap for the 6500 and 7600 (7600 designed for Internet rather than enterprise) is.
Take a look at the Supervisor 32 and see how many IPv4 unicast routes the platform supports. If it's not more than 250,000 then you should stay away.
What kind of BGP can I run on those two switches:
1) Cisco Catalyst 3550 48 EMI Switch
2) Cisco Catalyst 3750G-48TS-E
1) I want to know what extent of BGP I can run with those two switches WITHOUT affecting performance.
2) I want to have TWO providers in redundancy talking BGP to them; is that possible with those switches?
3) I want to know what my limits will be in terms of performance, bandwidth, packets etc. for both of the switches mentioned above.
4) In terms of BGP, I know for sure I cannot take full Internet routes with those. I just want to know what kind of BGP I can run, of course without affecting performance, and whether that kind of BGP is good enough for seamless network redundancy between providers without human intervention.
Please enumerate the answers so we know which questions you are answering.
I don't think you'll be able to run BGP on either of those without careful tuning and monitoring. You won't be pulling a full BGP table from either peer, so you'll need to supplement your received routing information with a default route. It'll be easiest to do if at least one of your peers can send you a default route via BGP (i.e. 0.0.0.0/0), but it's not impossible to do if they can't.
The main trouble with the 3550/3750 is that their CPU takes care of your LAN stuff too, so if there is high CPU due to LAN issues (e.g. spanning tree goes nuts) then your CPU may not be able to keep up with BGP and your BGP peering sessions may drop. Similarly, CPU usage due to BGP updates might impact other routing and LAN protocols. It's unlikely, but I've seen it happen more than once with 3550/3750 edge devices.
If you can run 3550/3750s as your edge and separate devices as your internal routing/LAN network then you'll be better off.
As for performance, the 3550/3750 will switch and route at their specified limits regardless of what you're doing with BGP. Standard rules for the platform apply (i.e. if you do something to exceed the hardware TCAM limits, such as policy routing or QoS/ACLs, then traffic will be CPU processed).
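The default-only eBGP edge discussed in this post and earlier in the thread (two upstreams, no full table, a 0.0.0.0/0 from each provider, your own prefixes announced), as an added example; it is not configuration posted by anyone in the thread. Our ASN (64500), the provider ASNs (64501 and 64502), the peering addresses and the two announced prefixes are assumptions, with RFC 5737 /24s standing in for the poster's real /22s.

```cisco
! Added example: 3550 EMI / 3750 as a default-only eBGP edge with two upstreams.
! ASNs (64500 us, 64501 provider A, 64502 provider B), peering addresses and
! the announced prefixes are assumptions; RFC 5737 /24s stand in for real /22s.
!
! Peering links (routed ports)
interface GigabitEthernet0/1
 description provider-A
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description provider-B
 no switchport
 ip address 192.0.2.6 255.255.255.252
!
! Pull-up routes: a "network" statement only announces a prefix that exists in
! the RIB, and the aggregate stays up even when individual customer routes flap.
! More-specific customer routes still win by longest match.
ip route 198.51.100.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.0 Null0
!
router bgp 64500
 no synchronization
 no auto-summary
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
 !
 ! Provider A: preferred path for outbound traffic
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description provider-A (preferred)
 neighbor 192.0.2.1 password ChangeMe-A
 neighbor 192.0.2.1 timers 10 30
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-PREFIXES out
 neighbor 192.0.2.1 route-map FROM-A in
 neighbor 192.0.2.1 maximum-prefix 10
 !
 ! Provider B: backup, less preferred both outbound and inbound
 neighbor 192.0.2.5 remote-as 64502
 neighbor 192.0.2.5 description provider-B (backup)
 neighbor 192.0.2.5 password ChangeMe-B
 neighbor 192.0.2.5 timers 10 30
 neighbor 192.0.2.5 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.5 prefix-list OUR-PREFIXES out
 neighbor 192.0.2.5 route-map FROM-B in
 neighbor 192.0.2.5 route-map TO-B out
 neighbor 192.0.2.5 maximum-prefix 10
!
! Accept nothing but 0.0.0.0/0 from either upstream: the point of this design
! is that the full table never reaches the switch's TCAM or CPU.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Announce only our own aggregates, never the default or anything learned from
! the other provider (otherwise we would become transit between them).
ip prefix-list OUR-PREFIXES seq 5 permit 198.51.100.0/24
ip prefix-list OUR-PREFIXES seq 10 permit 203.0.113.0/24
!
! Outbound preference: higher local-preference wins, so traffic leaves via A
! while its session is up and moves to B as soon as A's session drops.
route-map FROM-A permit 10
 set local-preference 200
!
route-map FROM-B permit 10
 set local-preference 100
!
! Inbound preference: prepend our AS on the announcement to B so most of the
! Internet reaches us via A while both paths are up.
route-map TO-B permit 10
 set as-path prepend 64500 64500
```

Failover here is driven entirely by the BGP session: with the 10/30 second timers, a dead link or router at provider A is detected within 30 seconds, the default from B becomes best, and no human intervention is needed. What this design cannot detect is provider A staying up while losing reachability to part of the Internet, which is exactly the case the earlier post says a full table would reveal. The `maximum-prefix 10` lines are a safety net so that a provider that mistakenly starts sending a full table tears the session down instead of overrunning the switch; `show ip bgp summary` and `show ip route 0.0.0.0` are the first things to check after bringing the sessions up.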