Design concern of VRRP on distribution/core switches

Ahmad Saad4
Level 1

We have a small-to-medium-sized client who has a flat network (VLAN 1) for everything (phones, servers and PCs),
and they have remote sites which use VPN to connect to their HQ.

They want to use different VLANs for Phones, DATA and Servers.

So they got two Cisco SG550X as core switches, as shown in the diagram below.

I've got a few questions about the design below, if someone could help:

1) First regarding VRRP: I will configure it for VLANs 1, 2 and 3. Can I do it for VLANs 16 & 17 (connecting to the FWs), or is it not recommended?

2) Do I need to connect the core switches (SW-Core1-550 & SW-CORE2-550) together (uplink)?

3) As you can see in the diagram, the two core switches are connected to one access switch (1 Gig switch). Is it better to split the connection into two access switches instead of one?

4) Is it better to connect the Netgear switch (10 Gig switch) to the two core switches instead of the (1 Gig) HPE access switch?

5) As in the old design they have only the default VLAN 1; now with the new design we need to create all VLANs on all access switches and configure all uplinks between switches as trunks... is that right?

6) As you can see, the AVAYA IP Office Manager (server) is in a different subnet (192.168.50.9) than the phone VLAN (192.168.2.0/24).
Will the phone devices be able to reach the call manager to register?

Note:
- IP routing is enabled on the core switches.
- DHCP Relay/IP helper is enabled on the core switches.
- A Windows server (192.168.50.2) is used as the DHCP server (created 3 DHCP scopes for the 3 VLANs with the required option for AVAYA).


8 Replies

Giuseppe Larosa
Hall of Fame

Hello Ahmad,

I do not see any network diagram attached to the post.

I will try to answer your questions below.

1) First regarding VRRP: I will configure it for VLANs 1, 2 and 3. Can I do it for VLANs 16 & 17 (connecting to the FWs), or is it not recommended?

You can use VRRP also on VLANs 16 and 17 to the firewalls, but the firewalls need to use the VRRP VIP address as the next hop for their static routes to the internal subnets.

 

2) Do I need to connect the core switches (SW-Core1-550 & SW-CORE2-550) together (uplink)?

Yes indeed: use a port channel with at least two member links and make it an L2 802.1Q trunk carrying all VLANs.

 

3) As you can see in the diagram, the two core switches are connected to one access switch (1 Gig switch). Is it better to split the connection into two access switches instead of one?

For a fault-tolerant design each access layer switch needs to be connected to both core switches. STP will make one link a standby link. Be sure that you configure STP on the core switches so that one of them is the root bridge and the other one is the backup (you need to lower the STP priority).

 

4) Is it better to connect the Netgear switch (10 Gig switch) to the two core switches instead of the (1 Gig) HPE access switch?

If possible, each access layer switch should have two links directly to the core switches.

If you have 10GE ports available on the core switches, you can use them to connect to this Netgear switch.

 

5) As in the old design they have only the default VLAN 1; now with the new design we need to create all VLANs on all access switches and configure all uplinks between switches as trunks... is that right?

This is correct: you have a multivendor environment with switches from different vendors (Cisco, Netgear, HPE), and all of them must be aware of all VLANs defined on the core switches. Of course you cannot rely on VTP in this context.

The trunk ports between access layer switches and core switches should allow only the required VLANs on both sides. Allowing all VLANs on trunk ports can be acceptable in your network.

 

6) As you can see, the AVAYA IP Office Manager (server) is in a different subnet (192.168.50.9) than the phone VLAN (192.168.2.0/24).
Will the phone devices be able to reach the call manager to register?

Note:
- IP routing is enabled on the core switches.
- DHCP Relay/IP helper is enabled on the core switches.
- A Windows server (192.168.50.2) is used as the DHCP server (created 3 DHCP scopes for the 3 VLANs with the required option for AVAYA).

 

Yes, if DHCP relay is configured on the Voice VLAN SVI interface (ip helper-address 192.168.50.2), the phones can reach the DHCP server 192.168.50.2 from their subnet, and they can get an IP address and the info to reach the Avaya server via the DHCP option configured in their DHCP scope on the DHCP server.

 

Hope to help

Giuseppe
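A small model of the relay path described in the answer to question 6, added here as an example and not part of the thread: the core switch SVI stamps the phone's DISCOVER with its own address (giaddr) and forwards it to 192.168.50.2, and the server picks the scope by giaddr. Only the voice subnet 192.168.2.0/24 and the server addresses come from the thread; the data subnet, the gateway addresses, the client MAC and the Avaya option name are assumptions.

```python
import ipaddress
from dataclasses import dataclass

DHCP_SERVER = "192.168.50.2"   # Windows DHCP server named in the thread

# Scopes keyed by network. Only 192.168.2.0/24 is given in the thread; the other
# subnets and all gateway addresses are assumed. The Avaya option number is not
# named in the thread, so it appears here as a labelled placeholder key.
SCOPES = {
    "192.168.1.0/24":  {"router": "192.168.1.1",  "options": {}},
    "192.168.2.0/24":  {"router": "192.168.2.1",  "options": {"avaya_option_placeholder": "192.168.50.9"}},
    "192.168.50.0/24": {"router": "192.168.50.1", "options": {}},
}

@dataclass
class Discover:
    client_mac: str
    giaddr: str = "0.0.0.0"   # zero while the broadcast is still on the client's VLAN
    hops: int = 0

def relay(pkt, svi_address, relay_enabled=True):
    """What the core switch SVI does: set giaddr to its own address and unicast to the server."""
    if not relay_enabled:
        return None            # the broadcast never leaves the voice VLAN, no lease is possible
    if pkt.giaddr == "0.0.0.0":
        pkt.giaddr = svi_address
    pkt.hops += 1
    return DHCP_SERVER, pkt

def select_scope(pkt):
    """The server chooses a scope by giaddr (the relay's SVI address), not by its own subnet."""
    key = ipaddress.ip_address(DHCP_SERVER if pkt.giaddr == "0.0.0.0" else pkt.giaddr)
    for net, scope in SCOPES.items():
        if key in ipaddress.ip_network(net):
            return net, scope
    return None                # giaddr matches no scope: the server stays silent

def offer_for_phone(svi_address, relay_enabled=True):
    """Run one phone's DISCOVER through relay and scope selection; return the OFFER's key fields."""
    relayed = relay(Discover("00:1b:4f:aa:bb:cc"), svi_address, relay_enabled)   # constructed MAC
    if relayed is None:
        return None
    chosen = select_scope(relayed[1])
    if chosen is None:
        return None
    net, scope = chosen
    return {"scope": net, "router": scope["router"], **scope["options"]}
```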

 

Thanks so much for your reply!

 

Which is the right command for the Voice VLAN to reach the DHCP server:

 

ip dhcp relay address 192.168.50.2  or

ip helper-address 192.168.50.2?

Hello Ahmad,

ip helper-address 192.166.50.2 is the right command on IOS devices.

Your devices are small business switches.

We need to verify in their user guide.

Note: the switches can be stacked. Something you may want to consider.

Edit:

I am looking at the latest firmware command reference:

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/550xseries/cli_guide/CLI_Tesla_Sx550X_SG550XG_2_2_5.pdf

 

Your device is not running IOS but a different OS.

The commands are provided on page 284 and following.

 

You need to enable DHCP relay in global configuration:

ip dhcp relay enable

 

Then you need to add a command in global config to specify the DHCP server address:

(From "DHCP Relay Commands", SG550XG and Sx550X Ph. 2.2.5 Devices - Command Line Interface Reference Guide, page 286:)

11.3 ip dhcp relay address (Global)

Use the ip dhcp relay address Global Configuration mode command to define the DHCP servers available for the DHCP relay. Use the no form of this command to remove the server from the list.

Syntax

ip dhcp relay address ip-address

 

page 286 of the above guide

 

I would suggest you download it for your reference.

The first command can be given also in interface mode.

 

 

 

 

Hope to help

Giuseppe

 

Hi there, I tried to do the VRRP to the FWs, but it gives me an error on the firewall:

"ERROR: Name "inside" has been assigned to interface GigabitEthernet0/0
DrayeTek-FW(config-if)# ip address 172.16.1.4 255.255.255.0
ERROR: Failed to apply IP address to interface GigabitEthernet0/1, as the network overlaps with interface GigabitEthernet0/0. Two interfaces cannot be in the same subnet."

 

Is this the correct design to set up VRRP for VLANs 16 & 17, which connect to the 2 FWs? For some reason it's not working for me.

 

 

 

Hello Ahmad,

You need to move the L3 configuration to SVI interfaces:

interface Vlan 16
 ip address 172.16.1.4 255.255.255.0
 ! VRRP commands here
!
interface Vlan 17
 ip address 172.17.1.4 255.255.255.0

 

The physical interfaces to the firewalls have to be configured as L2 ports.

(Note: I am providing a configuration example for IOS; you need to check the changes, if any, for your switches.)

 

interface gi0/0
 description to Drake FW
 switchport
 switchport mode access
 switchport access vlan 16
!
interface gi0/1
 description to Barracuda FW
 switchport
 switchport mode access
 switchport access vlan 17

 

VLANs 16 and 17 need to be allowed on the inter-switch link (port channel if possible).

 

Each switch should have a single physical link to each firewall: links to Drake in VLAN 16 on both switches, links to Barracuda in VLAN 17 on both switches.

 

Hope to help

Giuseppe

 

Hi!

 

I tried what you suggested:

"Each switch should have a single physical link to each firewall. Links to Drake in Vlan 16 on both switches. Links to Barracuda in Vlan 17 in both switches."

Unfortunately it gives the error:

"ERROR: Name "inside" has been assigned to interface GigabitEthernet0/0
DrayeTek-FW(config-if)# ip address 172.16.1.4 255.255.255.0
ERROR: Failed to apply IP address to interface GigabitEthernet0/1, as the network overlaps with interface GigabitEthernet0/0. Two interfaces cannot be in the same subnet."

Hello Ahmad,

I'm sorry I have been unclear.

The firewalls also need to use SVI interfaces (interface Vlan, or their equivalent, whatever they are named).

 

An SVI interface means that the L3 configuration is under a logical interface associated with L2 ports in the same VLAN.

 

Can you tell me what type of device the DrayeTek FW is?

Is it a Cisco ASA?

If it is, the commands that I have provided can work, but you need to remove the L3 configuration and the interface name "inside" from physical interface giga 0/0:

 

default interface gi0/0
!
interface vlan 16
 ! on a Cisco ASA the interface name is set with "nameif inside"
 name inside
 ip address 172.16.1.4 255.255.255.0
!
interface gi0/0
 switchport
 switchport mode access
 switchport access vlan 16
 description to switch SG550-1: gi0/10
!
interface gi0/1
 switchport
 switchport mode access
 switchport access vlan 16
 description to switch SG550-2: gi0/10

 

I hope this is clearer.

Let me know what type of device is the firewall. Model and vendor and software version.

 

Note:

about DHCP snooping: I think it is something that we can discuss later.

 

Hope to help

Giuseppe
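A small model of the failure mode Giuseppe is addressing, added here as an example and not part of the thread: a device that carries an address on two physical interfaces in the same subnet rejects the second address, whereas one SVI in VLAN 16 with both physical ports as L2 members is accepted. The Device class, the check messages and the port names are assumptions modelled on the error text quoted above.

```python
import ipaddress

class L3ConfigError(Exception):
    pass

class Device:
    """Tracks which interfaces carry an L3 address and which ports are L2 members of a VLAN."""
    def __init__(self):
        self.l3 = {}          # interface name -> ipaddress.IPv4Interface
        self.members = {}     # vlan id -> set of L2 port names

    def assign_ip(self, name, cidr):
        """Reject an address whose network overlaps another L3 interface (the firewall's rule)."""
        new = ipaddress.ip_interface(cidr)
        for other, addr in self.l3.items():
            if other != name and addr.network.overlaps(new.network):
                raise L3ConfigError(f"{name}: network overlaps with interface {other}")
        self.l3[name] = new

    def add_member(self, vlan, port):
        """A port can only join a VLAN once its own L3 configuration has been removed."""
        if port in self.l3:
            raise L3ConfigError(f"{port} still carries an L3 address; default the interface first")
        self.members.setdefault(vlan, set()).add(port)

def two_physical_l3_ports():
    """The rejected layout: 172.16.1.4/24 on both firewall uplinks."""
    fw = Device()
    fw.assign_ip("GigabitEthernet0/0", "172.16.1.4/24")      # link to core 1
    try:
        fw.assign_ip("GigabitEthernet0/1", "172.16.1.4/24")  # link to core 2, same subnet
    except L3ConfigError as e:
        return str(e)
    return "accepted"

def svi_with_two_members():
    """The working layout: one SVI holds the address, both uplinks are L2 ports in VLAN 16."""
    fw = Device()
    fw.assign_ip("Vlan16", "172.16.1.4/24")
    fw.add_member(16, "GigabitEthernet0/0")
    fw.add_member(16, "GigabitEthernet0/1")
    return sorted(fw.members[16])
```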

 

 

Sorry Giuseppe,

 

Do I need to enable DHCP Snooping as well or just DHCP Relay?
