Question about redundant NW design

spivy6666
Level 1

Guys,


I have nine L2 2960X FlexStack switches and one L3 3560. I'm curious how I would design this network with as much redundancy as I can.


Let's say I have 8 VLANs. I figure on setting up a 2/3-port EtherChannel/VLAN trunk from the L3 switch to the first L2 switch in the stack. Then, for redundancy, God forbid any one of my switches went bad, or even a FlexStack cable, set up another EtherChannel for each switch back to the L3 switch, or just connect a cable without EtherChannel and let STP do its job? It should be in blocking mode until the other link dies.


My real serious question is that I only have one L3 switch, so if that goes I'm screwed. If I bought another L3 switch, how would I make it redundant for the other access switches to the net? Do I need HSRP/VRRP? Because I only have IP Base (SMI), not EMI, so that would not work, plus the ISP router only has one connection. Any help would be great, thanks guys.


So here's the setup I'm looking to design:


NET <---- ISP router ----> L3 inter-VLAN ------> 9 L2 FlexStack switches

CCNA
10 Replies

shillings
Level 4

If your 2960-S stacks contain the full 4 stack members and you plan to present a pair of 3560 EtherChannel uplinks to each stack, then Cisco recommends you terminate your two EtherChannel links on stack members 2 and 4. There is some logic to this, but see the following for details (figure 9):

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

If you stick to a single core/distribution layer switch and use EtherChannel, then you won't need Spanning Tree to actively block any uplinks between the core and access layer stacks. Instead, EtherChannel can load balance across all uplinks.

Yes, you are 'screwed' if the 3560 or ISP router fails. Shame you haven't got a 3750 instead of the 3560, because you could then buy another 3750 and stack them. There are pros and cons to stacking a pair of 3750s versus a pair of 3560s though.

If you buy another core/distribution layer 3560, then you would need to rely on Spanning Tree to actively block the redundant uplink to each 2960-S access switch stack. This is because you cannot run EtherChannel load balancing between both 3560s and each stack. EtherChannel will only work between each individual 3560 and each stack (a pair of 3750s would get around this limitation though).

Regarding connectivity between a pair of core 3560s and your ISP router, HSRP would be nice and simple, but if not available, then you could implement layer-3 routed links. Either way, the ISP router would need two LAN interfaces, one connected to each 3560. You'll also need a direct link between the two 3560s.

If using routed links, then you'll need to establish routing between all three devices. This can be done with an IGP, such as OSPF, or static routing.

Any plans to add a second ISP link for redundancy? What's the primary circuit link type?

Where's your firewall?

Hope that helps. Let me know if anything is unclear.
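The single-core design described above (one LACP bundle per stack terminated on stack members 2 and 4, load balanced rather than blocked by STP), written out as an added configuration example. This is not configuration from the thread, the poster, or shillings; all names are assumptions: the 3560's uplinks are Gi0/1 and Gi0/2, the stack's uplink ports on members 2 and 4 are Gi2/0/49 and Gi4/0/49, the eight VLANs are 10 through 80, VLAN 99 is an unused native VLAN, and the bundle is Port-channel 1. The trunk hardening (DTP disabled, explicit allowed-VLAN list, non-default native VLAN, root guard on the core-side downlink) is an editor's addition beyond what the thread asks for.

```text
! ---- 3560 (single core/distribution switch); port names are assumed ----
spanning-tree mode rapid-pvst
! Make the core the STP root for every VLAN so an access switch (or a
! rogue device) with the default priority of 32768 cannot take the root role.
spanning-tree vlan 1-4094 priority 4096
port-channel load-balance src-dst-ip
!
interface range GigabitEthernet0/1 - 2
 description Uplink to 2960-X stack A, members 2 and 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 description LACP bundle to stack A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80
 switchport mode trunk
 switchport nonegotiate
 ! Downlink toward the access layer: drop into root-inconsistent state
 ! if a superior BPDU ever arrives from the stack.
 spanning-tree guard root
!
! ---- 2960-X stack A, members 2 and 4; port names are assumed ----
! The 2960 has no "switchport trunk encapsulation" command; it is 802.1Q only.
spanning-tree mode rapid-pvst
!
interface GigabitEthernet2/0/49
 description Uplink to 3560 Gi0/1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface GigabitEthernet4/0/49
 description Uplink to 3560 Gi0/2
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 description LACP bundle to 3560
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80
 switchport mode trunk
 switchport nonegotiate
!
! ---- Checks, run on either side ----
! Po1 should show flags SU and both members flag P (bundled, in use).
show etherchannel 1 summary
! Po1 should be the single forwarding (FWD) uplink; nothing in BLK.
show spanning-tree vlan 10
```

Two points a practitioner would check before relying on this: the bundle must be identical on both ends (same mode, native VLAN and allowed list, or LACP will leave a member unbundled), and pulling one member or one stack cable should leave Po1 up with one member and no STP topology change, which is the whole point of terminating on two different stack members. If VTP is going to be used across these trunks, set a VTP password, since any switch that joins the domain with a higher revision number can overwrite the VLAN database.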

Thanks for your reply, I have a few questions...

I think I understand what you're saying, and excuse my ignorance if I'm repeating what you're saying, but if I only have one distro L3 switch, and even though the L2 switches are stacked 4 each, doesn't it make sense to create one channel on each stack and have one network cable on each switch going to the L3 switch for redundancy?

I understand no spanning tree is needed for the stack switches, but the L2-to-L3 connection is what I'm asking about.

I don't think HSRP is going to happen because I will have IP Base, not EMI, and I believe HSRP is not available with IP Base; I would need to upgrade.

No plans on getting a second WAN link. I have a 100 Mbps fiber pipe and the ISP gave me a Cisco 1841 with a /27 block. So, the way I set up the network is that the trusted interface on the 1841 is in my current L2 switch in a separate VLAN which includes my firewall, web server and the rest of the /27 block. So yes, I would need another module card (1841) from the ISP for redundancy for net activity.

But the real question is, since I plan on doing VTP, can I use an L2 switch in case my L3 switch dies, for net redundancy? Meaning if I got another module card in the 1841, one connecting to the L3 switch and one connecting to the L2 switch. Or would that not work with HSRP?

I forgot to tell you that I have my firewall set up in an HA pair, but as you know both external interfaces are in the same current L2 switch in that public VLAN.

I know this sounds confusing, and I thank you for all your input.

CCNA
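The routed-link alternative to HSRP that shillings raised earlier in the thread (ISP router with two LAN interfaces, one to each 3560, a direct link between the 3560s, and static routing rather than an IGP so it does not depend on the feature set), as an added configuration example. This is not configuration from the thread or from either poster; every address and port name is assumed: three /30 point-to-point links out of 10.0.0.0/24, the inside VLANs summarised as 10.10.0.0/16, the 1841's second LAN interface as Fa0/1, and only one of the eight VLAN SVIs shown. It deliberately covers only the routed links between the three boxes; the firewall HA pair and the public /27 from the OP's later post are left out.

```text
! ---- 1841 (ISP router); second LAN interface is assumed to exist ----
interface FastEthernet0/0
 description Routed link to 3560-A
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet0/1
 description Routed link to 3560-B
 ip address 10.0.0.5 255.255.255.252
!
! Primary path to the inside VLANs via A; the floating static (AD 10)
! via B is only installed when the Fa0/0 link goes down.
ip route 10.10.0.0 255.255.0.0 10.0.0.2
ip route 10.10.0.0 255.255.0.0 10.0.0.6 10
!
! ---- 3560-A (holds the VLAN SVIs) ----
ip routing
interface GigabitEthernet0/1
 description Routed link to 1841 Fa0/0
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Routed link to 3560-B
 no switchport
 ip address 10.0.0.9 255.255.255.252
!
! One of the eight user VLANs; its gateway exists on A only.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.10 10
!
! ---- 3560-B ----
ip routing
interface GigabitEthernet0/1
 description Routed link to 1841 Fa0/1
 no switchport
 ip address 10.0.0.6 255.255.255.252
!
interface GigabitEthernet0/2
 description Routed link to 3560-A
 no switchport
 ip address 10.0.0.10 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.0.5
ip route 0.0.0.0 0.0.0.0 10.0.0.9 10
! B must be able to reach the VLANs that live on A.
ip route 10.10.0.0 255.255.0.0 10.0.0.9
!
! ---- Checks ----
! Pull the A-to-1841 cable: the 1841 should swap to the 10.0.0.6 route and
! A to the 10.0.0.10 default; traffic then flows 1841 -> B -> A -> VLAN.
show ip route static
show ip interface brief
```

Two caveats worth stating plainly. A floating static only takes over when the primary link is physically down; if the 1841 hangs with the link still up, nothing fails over. And because the VLAN SVIs sit on 3560-A alone, this arrangement protects against the loss of a link to the ISP router, not the loss of 3560-A itself; that is the gap HSRP/VRRP on the SVIs would close, and a second 3560 without it remains a router-link spare rather than a gateway spare. Keep the /30 links as dedicated routed ports, not as a VLAN that user ports can reach.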

If you are using the full 100 Mb from your ISP on the fibre, then you will want to look again at the throughput of the 1841, as its pps rate is going to limit full bandwidth use.

Sent from Cisco Technical Support iPad App

Donlindsay70,

Actually it's using 80 Mb; 20 is for phones. You still think I should ask my ISP for another router? One thing I forgot to add: I only have about 350 nodes. So I don't think I'm using more than 30 Mb at one time. What's the max packets per second for this router?

CCNA

The rated throughput for an 1841 using small 64-byte packet sizes and no features enabled is 38.4 Mbps.

See link below

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

I would query your ISP based on your ordered bandwidth.

Sent from Cisco Technical Support iPad App

OK great, so I should be looking more at a 2811 or a 2821 from my ISP. Thanks Don.

CCNA

Guys,

One more question about design, if you don't mind...

Is it better practice to have all my servers plugged into an access switch and then have that access switch plugged into the distro/core switch, or, if I have the port room on the distro/core switches, to plug my servers into them? Let's forget about redundancy for a sec.

I just need to understand: are distro/core L3 switches only supposed to be used for VLANs/ACLs and EtherChannel to other access switches, or can you plug in servers?

CCNA

Sorry I couldn't reply sooner - been quite busy all of a sudden.

As networks get larger, you want to reserve the core layer for routing only and not directly terminate servers. You really don't want the core devices performing QoS on some directly connected devices. However, in a network of this size, it is quite common to see servers directly connected. Personally, I would avoid it for the sake of a couple of server switches.

Also, I would aim for a situation where you can perform emergency in-service changes to the core, such as a core switch reload or IOS update. Obviously, you'd avoid this at all costs and try to postpone until the end of that day's business, but Cisco does have a feature called ISSU (In-Service Software Upgrade). However, if you have a bunch of single-homed servers directly connected into the core, and they provide essential services, then you can't do this without creating much wider disruption.

Therefore, I would always aim to terminate redundant core connections to all your access/distribution layer switches, firewalls, WAN routers, server switches etc. And, if you do decide to directly terminate servers into the core, then those too.

Shillings,

Thanks for the detailed reply. I figured you were going to say that. I just want to make sure I'm using good practice as my network gets larger. Thanks again! I feel a lot more confident.

CCNA

You're welcome.

Just looking back at your previous posts, shame you can't get sign-off for a redundant Internet link as you already have an HA pair of firewalls. You could ask your current provider if they offer any forms of redundancy, instead of using an entirely different provider and doubling your costs. If your existing provider can police your traffic across both links to just 100 Mbps, then you wouldn't be charged for another 100 Mbps that you don't need.

I guarantee you that if your business ever suffers a substantial ISP outage, then the next day you'll be asked for costs for a redundant circuit! Unfortunately, it's the way many businesses operate.