Briefly, Im building a new network for an office of approx. 100 users that will possibly become 200 users in a year or so. I have a new 4510-R, dual SUP-V, dual GB server blades, dual GB core blades & redundant fiber from these cores going to my 3560(PoE) access switches (2 hub rooms, one each floor) and also new 1130AG Aironets for my wireless.
Comments please on best practice & design:
- On all switches kill VLAN1 and create VLAN 999 (or whatever) as my native/management VLAN & then put Loopback0 in there
- HSRP between both cores and have 802.1Q trunks from each core to each access switche
- My 4510 will be the network gateway (no real need for dynamic routing, all static for now)
- Create one VLAN for my corporate network/users (flat topology) which includes corp wireless users and another for my wireless guest LAN (access only to Internet no need for interVLAN routing).
1. Never played with a 4500 before, anything in particular that I need to know before I start?
2. How does your LAN management workstation(s) reach your switches when the management & user VLANs are different?
3. If I were to choose to have several VLANs in my corporate network and route via my core how does one solve the DHCP issue? Does it become a nightmare?
Any/all comments and advice will be much appreciated,
Sounds like your getting off to a good start.
1. 4500 are very straight forward as there configuration goes.
2. You'll use your 4500 to route between the two vlans.
3. Just setup ip helper on each of your routing interfaces to point to your DHCP server.
If you dont see any of your layer 3 vlan interfaces (SVI) show up on routing table, dont panic, because IOS based switches, dont show the SVI's as up and running, unless atleast one PC, phone or server (end-client in general) is connected to the switch on that particular vlan.
Looks pretty good , myself I would add an extra vlan and separate the corp. wireless users to their own subnet.
We are moving into a new building and will have 4506 switches in the closets with dot1Q trunks back to a 6509. We plan on using separate vlans for data, voice, wireless and printing. The vlans will be defined on the 6509 with an ip helper-address pointing to our dhcp server. Also the access switches will be setup for voice and data using the "switchport voice vlan" and "switchport access vlan" on each port since the ip phone and pc will be on the same switch port.
Vtp mode is transparent by default on the 4500, and rapid spanning tree works well. Don't forget to set your spanning tree root on your core switches for each vlan. If you have a syslog server, you can use that to monitor power supply status among other things. I am using 10 VLANs with HSRP between two 4500 (SUP4) switches and it works well. I have a single default route to the WAN router. WAN router has Internet attachments so routing is easy. We just added my 10 subnets (static routes) to the WAN router and redistributed the statics into the WAN (EIGRP). The default route in the WAN router sends traffic to the Internet. Remote SPAN works well between the 4500s, but I have had some issues with 4500-2950 remote SPAN. Link status monitoring is turned off by default, probably so the logs don't get filled up. I have not bothered with loopbacks, I just use a management VLAN for all of my switches and APs. My only failure was a single reboot. There is a prom update that is supposed to have fixed it. That should not be a problem with new units. VLANs and multiple ssids work great on the 1130AP used in conjunction with Cisco switches.
The 4500 is a nice switch. I have 4- 4506 and 6- 4503 switches. I plan to order more.
Thanks all, excellent info.
A few more Qs:
- R Duke: setting STP roots on core switches for each VLAN... why the need? And how?
- What are the commands again for making a VLAN other than VLAN1 to become the management VLAN?
- VLAN1 traffic: they say VLAN1 traffic always passes (untagged?) via 802.1Q trunks... is this so even if VLAN1 has been shutdown and Ive specified another VLAN as native on my trunked interfaces?
- HSRP: I only need it configured (L3 addresses) between SUPs, right? (no need between core blades (L2 only connections) that have redundant fiber runs to access switches in hub rooms).
- Do all devices (blades) connected to the backplane of the 4510 share the one IP configuration (address)? Or do all devices in the chassis require their own IP settings? (sorry, not familiar with a backbone chassis setup)
- I plan on keeping VTP transparent across the network, even at the core (SUPs), thoughts?
- Any (real) benefits to making this network a cluster or a community? (I believe Cisco is moving towards communities, not clusters )
You don't need to set the root for it to work, but it makes sense to define the root because your switches will want to select the best path toward the root bridge. Also, check into the spanning-tree portfast bpduguard command. That command will prevent you from pluging a switch into your ports with "spanning-tree portfast" on them. Plug a switch into one of those ports set for access mode and it will shut down the port - thus preventing loops.
from my main 4500 (set for root at priority 4096, default is over 32000, depends on vlan id, etc)
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1,27-35,37-39,555,667,999 priority 4096
---management port moved to vlan 37 on a 2950 layer 2 switch--
no ip address
no ip route-cache
ip address 172.16.1.1 255.255.255.0
no ip route-cache
regarding VLAN1, assign all of your user and server ports to vlans other than vlan1. It will pass CDP, but no one can access it. I only change the native VLAN when connecting access points with vlans enabled.
I don't have redundant processors but it should be a snap because the startup configs are syncronized automatically.
VTP transparent is safer for many installations; if you do use VTP set a password to help prevent accidents
I don't use CNA so I can't comment on the cluster vs. community use
Not sure what the HSRP question is , but it is pretty easy. On mine, each vlan has .1 on the last octet on the primary switch, and .3 for the backup switch. .2 is the standby address which is applied to both. This is repeated for each VLAN since I have no routing protocols enabled.
Thanks R Duke for the info and your time one this...
- STP root command for all VLANs on the core 4510 switch, any difference between what you did and this one: spanning-tree vlan vlan_id root primary
- OK, so I shutdown VLAN1 and create management VLAN & SVI (999) for all switches in my network, I make VLAN (888) as native on all 802.1Q trunk interfaces, then put all access ports on all switches in appropriate VLANs (other than VLAN1), hence I've eliminated VLAN1 across the network.... what happens if some idiot removes a particular VLAN from a switch (VTP transparent on all, so affects only the local switch) - do the ports that were in that particular VLAN still return to VLAN1 by default?
- 4510/Sup V redundancy: if I understand this correctly, the backplane takes care of redundancy (either RPR or SSO) ... so what are the Giga Uplink ports used for (2 per Sup)??
The "root primary" will just get translated into a number in the config. Enter the command and do a "show run" to see what it translates to. I think it will select 8192, but if there is another switch already set at that level it would have to bump it to number lower. I just picked specific numbers. 4096 on my main switch - the one that is my primary hsrp device, and my backup switch has a priority of 8192. I left all other switches at default, but I could tweak it per vlan if desired to control the path. It does a good job of selecting the best path when there are redundant links. If you were to have a remote switch as the root, you could get a spanning-tree blocked connection between your main switches-not a good thing.
Someone may ding me for this, but I don't see the need for removing vlan1. All you really need to do is move all of your ports in access mode to anything other than vlan 1. As far as I know, the main reason it has gotten a bad rap is that many people leave switches in the default so data ports are on vlan1-considered poor design these days but covenient if you need it to work out of the box. If you put a port in access mode on the same vlan as your native vlan, you would have some of the same security concerns.
Hopefully you won't give passwords to someone who might remove the wrong vlan. VTP transparent would limit the damage to one switch. The ports will go down if you remove the vlan from the switch to which they are assigned. They won't jump back to vlan1. I recently moved to VTP transparent because I had other concerns. Some switches are set to server mode out of the box (2950's), and will learn the domain just by attaching it to the network. Password protecting VTP helps, but was too great of risk for me so I went to transparent.
I used the gig ports on my sups to make a port channel between the two hsrp switches. You can use them for whatever. Sups are linked through the backplane.
1) The configuration for inter-vlan routing on these switches is dead simple. The Supervisor know how to route the networks by the simple "directly attached" knowledge. So all you really need to do is configure each VLAN with an IP address and the routing is taken care of from there. Keep in mind this is Supervisor 2+, I believe that 5's are the same. The redundancy configuration requires a little more, but not much. The R model 4500's are sweet. The fail over is almost 100% transparent. Here is a link I found most useful: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddae.html
2) The LAN management can reach the other switches by trunking the uplinks to them from the core. In the trunk, include the management VLAN. The core will route (or direct) the management traffic based on the information it has stored.
3) You need scopes for all the seperate networks/VLANs on the DHCP server. You will need to add IP Helper(s) for the DHCP server for each VLAN configuration. If you use the switch as the DHCP server, you will require scopes in all the VLAN configurations. It is definitely a little more work than a "flat" network, but it can be a lot better when troubleshooting.
Then again, by now you have probably figured this out. Sorry for the late advise.