cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1879
Views
0
Helpful
4
Replies

Resilient Small Business Network Design

I am installing a new network infrastructure and the desire is for it to be as resilient as possible.  Here is the equipment I have available to me.

  • 2xSG300-20
  • 3x2950-24
  • 1xPIX 515e (running 8.3 software)

There are no routing protocols on the SG300's, only the ability to turn on routing to use static routes.It's a small network with a few virtual servers, a few physical servers, and shared storage on iSCSI.  There are about 70 users. There are three VLANS

  • VLAN 10 - 10.1.0.0/16   - Data (servers, Users, Printers)
  • VLAN 30 - 10.10.30.0/24 - iSCSI (NAS Storage)
  • VLAN 99 - 10.10.99.0/24 - Management

I want to use the two SG300-20's as a collapsed Core.  The servers will plug in directly to the SG300's on VLAN 10 ports.  The NAS and iSCSI NICs will plug in directly to the SG300's on VLAN 30 ports.  Several old 2950 switches will be connected to the SG300's on VLAN 10 ports to be used for end user devices and printers, etc. Each server has 4 NICs in them,Two NICs are VLAN 10, one to each of the SG300 switchesTwo NICS are VLAN 30, one to each of the SG300 switches.

Here are my Questions:

  1. Do I turn on routing on one or both of the SG300's?
  2. Should the SG300's have a direct connection to eachother, and if so, is that a Layer 2 or 3 connection?
  3. Should the 2950's have a direction connection to eachother?
  4. Should the NICs on the servers be teamed or stand-alone?
  5. Any advice on Spanning Tree or BPDU guard?

Thanks for your assistance on this.  I understand the non-resilient configuration, but can't figure out how to design the redundancy.  I've spent the last day and a half looking for design/configuration guides for small business resiliancy but haven't found anything.

Chris

4 Replies 4

Tom Watts
VIP Alumni
VIP Alumni

Hi Christina, usually resilient network designs incorporate concepts of a full mesh topology.Basically for redundancy and high availability there should be a redundant link on each device as your diagram mostly depicts.

What I see missing on your Diagram is redundant links between the switches and the bridge ID to dictate your spanning-tree election.

The NAS in the VLAN 30 appears to be okay, going to both switches. The server in the middle seems okay, going to both switches. The first 2950 access switch (closest to the middle) does not have redundancy to the top SX300 switch. The second 2950 access switch (furthest from the middle) does not have redundancy to the bottom SX300 switch. If either SX300 switch goes down, you will lose a port of that access layer. It also may be a good idea to put a redundant link between the 2950's and again specify the bridge ID for spanning tree. The SX300 by default is RSTP mode and has auto edge port for the portfast negotiations.

To address other points, if your servers have the ability to LAG either statically or through LACP, it would better to LAG them, as the LAG and service as a failover as well but also support better throughput. The access layer should always be managed in layer 2 as l2 switching is much faster than l3 routing. As for the SX300 in layer 3 mode, if that is your true core, layer 3 routing is where this takes place as the distribution and access layers tend to be layer 2.  The SX300 I would recommend to LAG between them using a static LAG.

It's not particularly clear me if you are planning to use the PIX for any routing or if you will rely on one or both of the SX300 to load the network or if one of the SX300 is the core, the second is the distribution. But also how those are interconnecting to the PIX. The SX300 series doesn't support VRRP like the SX500X series does so you can't really specify a next hope in the occurence of a failure.

Basically, spanning tree is going to be your friend here, putting all of the lowest cost paths in to blocking state and in the event of failure on the path cost, the redundant links are to activate. What you want to avoid is a ridiculous election process, therefore setting your bridge ID on each unit is EXTREMELY important. This also eliminates the need for BPDU guard since spanning-tree should be enabled and setting your Bridge ID will dictate the election.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

I would love to see Cisco come out with some SMB Smart Designs that address the items that Christina has brought up.

Thomas Watts wrote:

...It's not particularly clear me if you are planning to use the PIX for any routing or if you will rely on one or both of the SX300 to load the network or if one of the SX300 is the core, the second is the distribution. But also how those are interconnecting to the PIX. The SX300 series doesn't support VRRP like the SX500X series does so you can't really specify a next hope in the occurence of a failure....

We couldn't afford the SX500 series, so we have two SG300's.  I didn't put in the connection to the PIX because I wasn't sure where it would need to go.  I prefer to do the routing on the SG300's and not the PIX.  With that in mind, would I be correct to turn on L3 on only one SG300 and plug the PIX into that switch?

My intent is to use ports 1-8 on each switch for VLAN10 and ports 9-16 on each switch for VLAN30.  I would use port 17 on each switch as a trunk for both VLANs.  With that design, I would have link redundancy, but not core/routing redundancy due to the fact that the SG300 does not have VRRP or other routing protocols.

Does that sound like a solid design for the equipment/limitations that I have?  Once it's all up and running I will repost with the working configs.

Thanks,

Chris

Hi Christina, depending how to set up the LAN, you can split the routing load on both switches - which I would recommend. The SG300 are designed for hardware switching 100 IP and less. So if you configure parts of your LAN for default gateway residing on one of the switches and default gateway residing on the other switch, it will balance the LAN route path and let the switch decide where to send it. Additionally, although you don't have a route protocol, you can still force redundancy if you have 2 available ports on the PIX, but again making the spanning tree block one of the ports OR making a MSTP instance for each VLAN. You could ideally have 1 switch primarily service VLAN 10 while the other primarily service VLAN 30 and still maintain a connect between both switches, especially if you particularly wanted VLAN 10 or 30 to remain more local to the LAN but want the other VLAN to have a shorter path to the PIX.. Or, under a more traditional circumstance simply trunk and tagging to the PIX, whatever your creativity desires.

I feel if you follow the traditional models of resilient networks / redundancy, the ideals apply just the same. You should definitely consider linking the 2900's if the resources permit. That should be a pretty solid network, especially if you can get everything LAG together, you will be zipping around quite nicely.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/