Layer 3 switch (catalyst5000?) as core/dist layer?

j-sicard
Level 1

Hi,

(First of all, this is my first big network job, so please bear with me :)

I'm reorganising the network for an organisation (about 100 PCs) and I'm considering using a pair of cat5000 as distribution and core layer. The layout of the network consists of PCs linked with Dlink3624 switches at access layer (3 sets of access switches right now but might expand to 5) for the 2 departments (each department has its own Windows server) and other enterprise servers (www, mail, etc). All the servers are in the same room.

What I want to do is have the 2 cat5000 in the server room, with the servers and the access switches connected to the Cat5000s. I have 2 alternatives though:

1- Each department (split on the access switches) would be on its own vlan and subnet. Departmental servers would be connected to their respective vlan through either multiple NICs or one NIC with vlan trunk* and be on the same subnet as the vlan. The enterprise servers are on another separate subnet that is routed through the Cat5000s. (What kind of failover capability between the 2 cats would be available/required here? HSRP and STP?)

2- Option 2 is to put the department servers on their own subnet and have all traffic routed.*

Only HSRP required for failover here?

So the question is, which option would you recommend (or other suggestion) and is there anything wrong with connecting the servers as well as access switches directly to the Dist/Core switches (Cat5000s)? Any other obvious flaws in the designs?

*One consideration is the location of the DHCP servers. Right now both departmental servers are DHCP servers for their part of the LAN. Is it possible for a single DHCP server to discriminate from which LAN segment on the other side of the router the request was relayed so it can assign the right IP range?

Thanx a lot!

JC

7 Replies 7

smorrison
Level 1

JC,

First of all, the layout I would propose would be the two cat5K switches in the server room trunked together to provide layer 2 (VLAN) redundancy. The servers should be connected to an access switch, if possible, so the access switches can be connected to each of the C5K switches. This provides the easiest redundancy (layer 2) but still has a single point of failure (1 access switch), which is usually a manageable risk. The issue of having a server with a NIC capable of trunking still leaves you with the problem of connecting to one C5K switch. This is only used for multiple VLANs (subnets) connecting to the same host.

STP is used for Layer 2 redundancy, i.e. another path for the layer 2 (VLAN) to take, whereas the HSRP protocol is used to provide hosts (PCs and servers) that can only have one default gateway configured with multiple routed interfaces to use in the event of the primary one failing.

It can be a good idea to put the servers on their own subnet to prevent unnecessary traffic from interfering with them. Yes, you can have one DHCP server providing multiple scopes. On the router's interfaces facing the PCs' subnet issue the command:

    INTERFACE
     IP ADDRESS xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
     IP HELPER-ADDRESS

This will forward the DHCP requests from the LAN to the DHCP server, and in the packet the router will insert the router's address as the gateway address so the DHCP server knows what scope to choose the address from.

You didn't mention whether or not you had multiple routers; you require at least 2 routers to use HSRP. If you do, then connect one to each of the C5Ks and create an interface for each VLAN you require on each of the routers. For example:

Router 1

    interface vlan 1
     ip address 10.1.1.1 255.255.255.0
     ip helper-address 10.1.3.254
     standby 1 preempt
     standby 1 ip 10.1.1.3
     standby 1 priority 110

Router 2

    interface vlan 1
     ip address 10.1.1.2 255.255.255.0
     ip helper-address 10.1.3.254
     standby 1 preempt
     standby 1 ip 10.1.1.3
     standby 1 priority 100

This will make router 1 the active default gateway using 10.1.1.3 as the ip address. The priority 100 on router 2 will not show up in the config as it is the default (the higher priority will be the active router).

Hope this helps

snm
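The relay behaviour described in the reply above (the router writes its own interface address into the gateway field, `giaddr`, and the DHCP server picks the scope from it) can be sketched as follows. This is an added example, not code from the thread or from any DHCP server; the scope names, the 10.1.2.0/24 subnet and the sample packets are constructed, while 10.1.1.1 and 10.1.3.254 are taken from the posted config.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 951/2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file -> 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the header

# Constructed scopes: one per VLAN subnet, plus the server's own subnet.
SCOPES = {
    "vlan1-dept-a": ipaddress.ip_network("10.1.1.0/24"),
    "vlan2-dept-b": ipaddress.ip_network("10.1.2.0/24"),
    "server-lan": ipaddress.ip_network("10.1.3.0/24"),
}
SERVER_IP = ipaddress.ip_address("10.1.3.254")  # helper-address target in the post


def build_discover(giaddr="0.0.0.0", hops=0, mac=bytes.fromhex("020000000001")):
    """Build a constructed DHCPDISCOVER as the server would receive it."""
    zero = bytes(4)
    header = BOOTP.pack(1, 1, 6, hops, 0x1234ABCD, 0, 0x8000, zero, zero, zero,
                        ipaddress.ip_address(giaddr).packed, mac, b"", b"")
    return header + MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, end


def select_scope(packet):
    """Return the name of the scope the server would allocate from, or None."""
    if len(packet) < BOOTP.size + len(MAGIC):
        raise ValueError("truncated BOOTP/DHCP packet")
    fields = BOOTP.unpack_from(packet)
    if fields[0] != 1 or packet[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP client request")
    giaddr = ipaddress.ip_address(fields[10])
    # giaddr 0.0.0.0 means no relay touched it: the client is on the server's LAN.
    origin = SERVER_IP if giaddr.is_unspecified else giaddr
    for name, net in SCOPES.items():
        if origin in net:
            return name
    return None  # relayed from a subnet with no scope: no lease is offered


if __name__ == "__main__":
    for gi in ("10.1.1.1", "10.1.2.1", "0.0.0.0", "192.168.9.1"):
        print(gi, "->", select_scope(build_discover(giaddr=gi, hops=1)))
```

The server selects the pool from `giaddr` alone, so a relayed request whose `giaddr` falls outside every configured scope gets no offer.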

Hi! First thanx for the info it was quite helpful! (Especially the DHCP thing.. that was getting in my way quite a bit.. Wasn't sure you could do such :)

Let me just go over my design as I see it now:

Since I can correctly DHCP through the routers (cat5k) I'll put every group in their own subnet but still use vlans for ease of physically moving computers without changing logical architecture. So I will, like you suggested, trunk the 2 cat5ks together (do I need STP with that?).

It's my understanding that with layer3 switches you don't have to obey the 80/20 rule since it's routed at switching speed, right?

Since I'd rely only on routing for alternate paths I don't need STP (unless I need it cuz of the trunk).

All my hosts support multiple gateways (all windows boxes do I believe and pretty much all other OS (except small stacks like in network printers??)) so I guess I don't even need HSRP, just put the 2 gateways in host configurations, even splitting the load by inversing the gateway orders on half the hosts.

Now the reason I wanted to connect my servers directly to the cat5ks was (like you said) to avoid single points of failure on that end: I planned on having pairs of NICs on each server, one connected to each Cat5k (i.e. multihoming the servers, else I'd have to use STP I guess, right?). Would this be wrong?

Other than the 2 cat5Ks I don't (won't, actually. Not bought yet) have other routers except for the openbsd firewall which I'll probably double also (depends on how the Internet connection comes in... (we'll be getting 10mbps shared ethernet Internet connection, do they (ISPs) usually put a router at the end of that?))

Don't know if that sounds better? At least it's much clearer to me!

Thanx again!

JC

I've been checking the product range and it seems that a cat3550 series (12-t) is more appropriate in my case...

JC

mberrocal
Level 1

If you don't have the cat5000, then don't buy those (they are too old to me).

Ok, if you go for the 3550-12T with EMI, then you can do inter-vlan routing with them and have HSRP configured (this is the way to go).

Don't worry so much about STP, it's always on, and no harm done. Yet you can turn it off in ports connected to servers, and PCs.

For your servers, I think there are some NICs which support backup, so one is in standby, and if one fails the other one comes up with the same IP and MAC address (no different VLANs nor trunking required).

How about the 3550-24pt with EMI? I don't need the giga bandwidth (this network isn't expected to have more than 200 PCs ever (about 100 right now))... Anything different between these two besides the 12 gigabit vs 24 100mbps ports? I'd prefer to use fastEtherchanneling for a little added bandwidth and redundancy. Also the Intel pro/100 S adapters support fast etherchannel and 802.3ad...

On another point, anyone know if Cisco has discounts for academic institutions in Canada? Haven't found any info on that on the web...

Thanx

JC

Hi Manuel

Do the 3550s do layer 3 switching as the 5500s do the RSM built in? Also do you know how they compare in terms of performance to the 5500s?

Thanks in advance

srittenberg
Level 1

This is what I would do based on my experience. One, I would not do trunking with the two VLANs, you don't need to. Two, you can't have one DHCP scope to serve two VLANs, but you could use one DHCP server to serve two VLANs, you just need to create another DHCP scope (server) in one server. I set up three DHCP servers for the company that serve 14 DHCP scopes for 14 VLANs. It's very easy to set up if you are using the Microsoft DHCP server. Three, you could use HSRP on layer 3, that's what I did with our two cat6509 and two cat6009 switches. You will route the VLANs in layer 3. I see no problems adding servers to the cat5000. If you are not familiar with setting up HSRP, I could give you the commands. HSRP auto failover based on the preempt delay you specify in the config. Normally, 10 to 15 seconds.

Hope this helps