09-28-2012 05:00 AM - edited 03-03-2019 06:46 AM
My recommended topology scenario is as follows:
Internet
|
|
Internet Router
|
Fortigate Firewall
|
Access - sw
/ \
Core-sw-1--------- core-sw-2
/ \
Dist-sw-1 ----------- Dist-sw-2
/ \ / \
Access-1 Access-2 Access-1 Access-2
| | | |
VLAN10 VLAN 20 Vlan 30 VLAN 40
I hope the above topology is understandable; here is a short note on the above scenario:
1) In this project we are using one Cisco 1900 series router as the Internet router
2) The Fortigate firewall is an Internet firewall
3) Two core switches of the 4506 series, two 3750-X as distribution and 2960S switches as access
4) There is cross connectivity between distribution-1 to core-sw-2 and distribution-2 to Core-sw-1 (not shown in the above diagram)
There is connectivity between the distribution switches (shown in the diagram)
5) Each access-sw is in its own VLAN and connected to the distribution; end devices are connected to the access switches
Requirements :
1) HSRP configuration including load balancing for each VLAN, meaning for some VLANs
Core-sw-1 is active and core-sw-2 is standby and vice versa
2) If we go for HSRP load balancing, how to configure VTP? Can we configure the two core switches in server mode? Then how does it work if core-switch-1 fails; how is the VLAN database reflected in the other core-switch-2?
3) How to configure STP? Can we configure Core-Sw-1 as root bridge for some VLANs and
Core-Sw-2 as root bridge for the remaining VLANs? How will core-sw-2 become root bridge for the VLANs that are through Core-sw-1 if core-sw-1 goes down?
4) How will the redundancy happen? If core-sw-1 goes down, how will the respective VLANs' traffic turn through Core-sw-2?
5) How will the VTP database be reflected in Core-sw-2 if Core-Sw-1 goes down?
6) We will do inter-VLAN routing in the distribution switches; is it ok? Can we make the distribution and access switches client mode in the VTP configuration? I think it won't give any issues, so that
VLANs configured in the core switches will be reflected in each distribution / access switch
Please provide a solution for the above and suggest your comments
Regards
Ramu
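The VTP and STP questions in the requirements above (2, 3, 5 and 6) fit together in one configuration, so here is an added example for the two core switches and the client switches below them. It is not configuration posted by anyone in this thread; the hostnames follow the diagram, and the VTP domain name, the VLAN names, and the password placeholder are assumptions. VTP propagates the VLAN database by configuration revision number, not by which switch is "server", so the domain is protected with a password and every non-core switch is a client that cannot originate changes. Rapid PVST+ is used so a failure reconverges in seconds rather than the 30-50 s of classic STP, and root placement is split per VLAN to match the intended HSRP active/standby split.

```cisco
! ---- Core-sw-1 (constructed example; domain name, VLAN names and password are assumptions) ----
hostname Core-sw-1
!
! Both cores are VTP servers so VLAN edits remain possible if one core fails.
! The database itself is replicated to every switch in the domain, so a failed
! core does not take the VLAN list with it.
vtp domain CAMPUS-EXAMPLE
vtp version 2
vtp mode server
vtp password <set-a-strong-vtp-password>
vtp pruning
!
vlan 10
 name USERS-10
vlan 20
 name USERS-20
vlan 30
 name USERS-30
vlan 40
 name USERS-40
!
spanning-tree mode rapid-pvst
! Core-sw-1 is root for VLANs 10 and 20 (where it will be HSRP active)
! and backup root for VLANs 30 and 40 (where it will be HSRP standby).
spanning-tree vlan 10,20 root primary
spanning-tree vlan 30,40 root secondary
!
! Inter-core link: one 802.1Q trunk limited to the VLANs that actually need to cross it.
interface Port-channel1
 description L2 trunk to Core-sw-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! ---- Core-sw-2: mirror image of the root placement ----
hostname Core-sw-2
!
vtp domain CAMPUS-EXAMPLE
vtp version 2
vtp mode server
vtp password <set-a-strong-vtp-password>
vtp pruning
!
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root secondary
spanning-tree vlan 30,40 root primary
!
interface Port-channel1
 description L2 trunk to Core-sw-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! ---- Dist-sw-1, Dist-sw-2 and every access switch: VTP clients ----
! A client still takes part in revision-number propagation, so the same domain
! and password are required here; only the ability to edit the VLAN list is removed.
vtp domain CAMPUS-EXAMPLE
vtp version 2
vtp mode client
vtp password <set-a-strong-vtp-password>
spanning-tree mode rapid-pvst
```

Before attaching any new or reused switch to this domain, check `show vtp status` on it: a switch whose configuration revision is higher than the cores' will overwrite the whole domain's VLAN database, even as a client. Set it to transparent mode and back (which resets the revision to 0) before cabling it in. After the change, `show spanning-tree vlan 10 root` on a distribution switch should name Core-sw-1 as root and `show spanning-tree vlan 30 root` should name Core-sw-2; if a core is powered off, the secondary root takes over for its VLANs automatically because it already holds the next-lowest bridge priority.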
09-28-2012 08:29 AM
Ramu
If you're doing inter-vlan routing on the dist switches (which you should) then why does the core need to know about those vlans ?
The core is primarily there to interconnect multiple distribution blocks at high speed. But you only have one distribution block shown. Are there others you are not showing ? Or are you expecting to be adding more distribution switches in the future ?
Perhaps you could clarify ?
*** Edit - i am not saying the design is wrong i am just trying to understand the setup more ie. where are your servers, do you have other connectivity not shown etc.
Jon
09-29-2012 01:40 AM
Hi Jon,
Thanks for the reply..
Core switches should know about VLANs because we are planning to make the HSRP protocol configuration in the two core switches with load balancing,
i.e. for some VLANs core-1 is primary and for the remaining VLANs core-2 is primary.
Requirement is if core-1 fails then the vlans switchover to core-2 automatically, will it happen?
If you observe the proposal design (above diagram) , what about STP root bridge configuration.., can i configure for some
vlans core-1 as a root and remaining vlans core-2 as a root?
Servers are connected at the access switch which is in between the Fortigate firewall and the core switches (see the above diagram)
Please suggest and give inputs as I need to submit the configuration proposal next week
Let me know if you need more details
Regards
ram
09-29-2012 02:12 PM
Ramu
The reason i am asking about the vlans is because it's not clear where you are doing the inter-vlan routing. For example you say you are going to use the 3750s for inter-vlan routing, presumably for vlans 10,20,30,40. If so you would setup STP root/secondary for these vlans on the 3750s and not the core switches because the core switches don't need to know about these vlans. They simply get routes for the vlan subnets from the 3750 switches.
But you also refer to other vlans ie. server vlans and the firewall vlans and these do not seem to connect to distribution switches. So you may need to setup STP root/secondary + inter-vlan route for these on the core switches. But it's not clear. How many servers do you have, are they dual homed, what switches do they connect to. Are these vlans different from vlans 10,20,30,40.
So for some vlans you have a 3 tier model ie. access/distribution/core and for some vlans you have a collapsed core model ie. access/dist+core ie. the distribution switches and core switches are the same physical switches.
So perhaps you could give some more details concerning the setup especially concerning the servers ie. how many, how are they connected, what is the speed of the uplinks from the server switches and do these switches connect straight to the core
4500 switches are not cheap switches and at the moment they only seem to connect the 3750s to the firewall switch. However i emphasize i am not criticizing the design as i suspect there is more to it ie. server connectivity which hasn't really been covered so far.
If you are proposing to route vlans 10,20,30,40 on the core switches then why have the 3750s ?
So i'm just trying to get the full picture because it's not entirely clear where you are proposing to handle all the vlan routing, STP setup.
Jon
09-30-2012 07:46 PM
Hi Jon,
Thanks for the reply..
We have only one server, which is at the firewall access switch with a Gigabit UTP cable
If you see the diagram once again,
can we configure VLANs / inter-VLAN routing, STP root/secondary parameters on the core switch? Can we configure HSRP
on the core switches?
Our main purpose is HSRP with load balancing of the VLANs, just suggest accordingly..
No problem, the distribution has no role, it just connects core and access through fiber links
Only one proxy server; in future also not much
09-30-2012 10:54 PM
Will you provide a sample reference configuration of a three-tier network model configuration?
Regards
Ram
10-02-2012 06:39 AM
<< VLAN Config on Access switch >>
interface GigabitEthernet1/0/44
 description Ports of XXXXX
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
Distribution switch
<< Uplink from Access switch >>
interface GigabitEthernet0/23
 description from Access Switch - port 1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
<< HSRP Config >>
interface GigabitEthernet0/47
 description EtherChannel/HSRP/Trunk to C3560G-USR1-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode passive
!
interface GigabitEthernet0/48
 description EtherChannel/HSRP/Trunk to C3560G-USR1-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode passive
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
<< An SVI for each VLAN needs to be created, and use ip helper for DHCP relay >>
<< According to below, 10.0.7.250 is the Virtual IP for VLAN 7 >>
interface Vlan7
 ip address 10.0.7.254 255.255.255.0
 standby 7 ip 10.0.7.250
!
<< Make any distribution switch the primary switch for specific VLANs with the following command >>
spanning-tree vlan 7 root primary
Firstly, HSRP doesn't do load balancing, ONLY failover. On the distribution switches create SVIs to match the VLAN numbers and add them to the routing process.
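The reply above shows the SVI on one distribution switch only. As an added example (not part of the reply or of the original proposal), here is the matching pair for requirements 1 and 4 of the first post: two distribution switches each active for a different VLAN, with preempt, priority, interface tracking and HSRP authentication so that failover also covers the case where a switch stays up but loses its uplink. VLAN 7 and the 10.0.7.x addresses come from the reply; VLAN 8, the 10.0.8.x addresses, the DHCP server address, the tracked uplink interface, the timers and the key placeholder are assumptions.

```cisco
! ---- Dist-sw-1 (constructed example) ----
ip routing
!
! Object 1 follows the uplink toward the core. When it goes down the HSRP
! priority on the tracked groups drops by 20, below the peer's 90, so the peer
! becomes active even though this switch is still powered and still root-capable.
track 1 interface GigabitEthernet0/1 line-protocol
!
interface Vlan7
 description VLAN 7 gateway - active on this switch
 ip address 10.0.7.254 255.255.255.0
 ip helper-address 10.0.100.10
 standby version 2
 standby 7 ip 10.0.7.250
 standby 7 priority 110
 standby 7 preempt delay minimum 60
 standby 7 timers 1 3
 standby 7 authentication md5 key-string <hsrp-shared-key>
 standby 7 track 1 decrement 20
!
interface Vlan8
 description VLAN 8 gateway - standby on this switch
 ip address 10.0.8.254 255.255.255.0
 ip helper-address 10.0.100.10
 standby version 2
 standby 8 ip 10.0.8.250
 standby 8 priority 90
 standby 8 preempt
 standby 8 timers 1 3
 standby 8 authentication md5 key-string <hsrp-shared-key>
!
! ---- Dist-sw-2: same groups, priorities swapped ----
ip routing
!
track 1 interface GigabitEthernet0/1 line-protocol
!
interface Vlan7
 description VLAN 7 gateway - standby on this switch
 ip address 10.0.7.253 255.255.255.0
 ip helper-address 10.0.100.10
 standby version 2
 standby 7 ip 10.0.7.250
 standby 7 priority 90
 standby 7 preempt
 standby 7 timers 1 3
 standby 7 authentication md5 key-string <hsrp-shared-key>
!
interface Vlan8
 description VLAN 8 gateway - active on this switch
 ip address 10.0.8.253 255.255.255.0
 ip helper-address 10.0.100.10
 standby version 2
 standby 8 ip 10.0.8.250
 standby 8 priority 110
 standby 8 preempt delay minimum 60
 standby 8 timers 1 3
 standby 8 authentication md5 key-string <hsrp-shared-key>
 standby 8 track 1 decrement 20
```

`show standby brief` on each switch should list one group as Active and one as Standby; if both switches show Active for the same group, the trunk between them is not carrying that VLAN (check the allowed-VLAN list) or the authentication keys differ, and hosts will see duplicate gateway MACs. The `preempt delay minimum 60` on the intended-active side gives the switch a minute after reboot to finish loading its routing table before it reclaims the gateway. The MD5 authentication stops an unauthenticated host on the VLAN from advertising priority 255 and drawing the gateway role to itself; pair it with the `spanning-tree guard root` already shown on the access uplink, and place the STP root for each VLAN on the same switch that is HSRP active for it, so that user traffic does not hairpin across the inter-switch link.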