LAN Design: L3 switching

colmgrier
Level 1

Looking for advice and Cisco "best practice" for setting up a L3 switching LAN. The below is the solution I have set up in a lab environment.

Q. Is there a better way to design this solution?

Q. Will this solution work?

Q. Advantages/ disadvantages of design?

Inventory

Core switches: 2x6509 & 1x4500

Access Switches 3560 POE-SW

LAN Overview

All core and access switches are connected over L2 dot1q trunk links. (Cannot use L3 routed ports between core switches because legacy devices communicate over L2 dot1q links.)

All switches use native vlan 1 for trunk links and management VLANS

All Voice and Data VLANs for access switches are terminated on the core switches (Default Gateway)

All core switches will be running EIGRP routing for the Data and Voice VLANs terminating on the core switches.

None of the edge switches support EIGRP routing.

! Configs in IOS syntax (dotted masks). Fixes to the original as posted are marked
! with comments: the data SVIs had the network address (.0) instead of a host
! address, AS_1 had no VLAN number on its SVI, Core_2 repeated Core_1's 10.0.0.1,
! and Core_3's SVIs were numbered 20/120 although its VLANs are 30/130.

! Core_1
vlan 1
 name MGMT
vlan 10
 name DATA
vlan 110
 name Voice
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
interface Vlan10
 ! was 192.168.10.0/24 (network address)
 ip address 192.168.10.1 255.255.255.0
interface Vlan110
 ip address 192.168.110.1 255.255.255.128
!
router eigrp 250
 no auto-summary
 network 10.0.0.0
 network 192.168.10.0
 network 192.168.110.0

! AS_1
! VLAN number missing in the original; vlan 1 matches AS_2 and AS_3
interface Vlan1
 ip address 10.0.0.10 255.255.255.0

! Core_2
vlan 1
 name MGMT
vlan 20
 name DATA
vlan 120
 name Voice
!
interface Vlan1
 ! was 10.0.0.1, a duplicate of Core_1 on the same subnet
 ip address 10.0.0.2 255.255.255.0
interface Vlan20
 ! was 192.168.20.0/24 (network address)
 ip address 192.168.20.1 255.255.255.0
interface Vlan120
 ip address 192.168.120.1 255.255.255.128
!
router eigrp 250
 no auto-summary
 network 10.0.0.0
 network 192.168.20.0
 network 192.168.120.0

! AS_2
interface Vlan1
 ip address 10.0.0.20 255.255.255.0

! Core_3
vlan 1
 name MGMT
vlan 30
 name DATA
vlan 130
 name Voice
!
interface Vlan1
 ip address 10.0.0.3 255.255.255.0
! the original had Vlan20 and Vlan120 here, which do not match vlan 30/130 above
interface Vlan30
 ! was 192.168.30.0/24 (network address)
 ip address 192.168.30.1 255.255.255.0
interface Vlan130
 ip address 192.168.130.1 255.255.255.128
!
router eigrp 250
 no auto-summary
 network 10.0.0.0
 network 192.168.30.0
 network 192.168.130.0

! AS_3
interface Vlan1
 ip address 10.0.0.30 255.255.255.0

10 Replies

glen.grant
VIP Alumni

I would not use vlan 1; make it a different vlan. Vlan 1 is the default vlan and carries a lot of the control info such as CDP, VTP etc., and it is best not to use vlan 1 for data. Any other vlan number is fine.

Jon Marshall
Hall of Fame

Colm

There are a number of things here that are unclear.

Firstly, I agree totally with Glen. You should

1) Use a vlan other than vlan 1 for managing the switches.

2) Use a vlan other than vlan 1, and not the vlan you use for managing the switches, for the native vlan. This vlan does not need a L3 vlan interface in your core because there is no need to route the native vlan.

Attached is a link to best practice for 4500/6500 IOS configuration. It's worth a look in terms of native vlan/management vlan/STP/VTP etc..

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml

It's a fairly long read - you don't need to read it all just the bits relevant to your setup.

Core/Distribution layer

=======================

1) What is the purpose of the 4500? I'm not sure what you gain by having a core 3 switch. I would just use your 6500 switches as the core, relegate your 4500 to an access-layer switch and migrate the L3 SVIs on the 4500 to the 6500s. Note that you will obviously still need a L3 SVI on the 4500 for management.

2) You have no redundancy for your L3 gateways in your design because each switch (6500 x 2 + 4500) is running different L3 SVIs. You should create the same L3 vlan interface on both 6500 switches and run HSRP or GLBP between the two 6500 switches.

Access layer

============

1) You have no redundancy from the access to the distro/core layer. Each access-layer switch should be dual-connected to the 6500 switches so that if one of the 6500 switches fails, each access-layer switch still has a path and the end clients can still reach their gateways.

General

=======

If you do relegate the 4500 to the access-layer then you don't necessarily need to run EIGRP but you can with no problems.

The above are some things to think about. The key ones are lack of redundancy and the use of the 4500. Note that what you have proposed would work and my advice is just that, advice.

If you have further queries please come back.

Jon
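The points Glen and Jon raise (no VLAN 1 for management, the same SVI on both 6500s under an HSRP group) can be encoded as a small lint over the posted SVI configs. This is an added example, not code from the post or from Cisco: it embeds a trimmed copy of the posted core configs rewritten in real IOS syntax, plus a constructed hardened pair in which VLAN 99 and the 10.0.99.0/24 addresses are assumptions, and reports which of the thread's concerns each one triggers.

```python
"""Lint Cisco-style SVI configs for the design issues raised in the replies.

Added example, not from the original post: flags a management SVI on VLAN 1, an
SVI with no matching 'vlan' definition, a network address used as a host
address, one address on two switches, and a subnet with no HSRP group.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the posted core configs, trimmed to one data VLAN each and
# written in real IOS syntax (dotted mask). The defects are the posted ones.
POSTED = {
    "Core_1": """
vlan 1
vlan 10
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.0 255.255.255.0
""",
    "Core_2": """
vlan 1
vlan 20
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
""",
    "Core_3": """
vlan 1
vlan 30
interface Vlan1
 ip address 10.0.0.3 255.255.255.0
interface Vlan20
 ip address 192.168.30.1 255.255.255.0
""",
}

# Constructed sample of the replies' advice: management on a dedicated VLAN and the
# same SVI on both 6500s under one HSRP group (VLAN 99 and addresses are assumed).
HARDENED = {
    "Core_1": """
vlan 99
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
 standby 99 ip 10.0.99.1
""",
    "Core_2": """
vlan 99
interface Vlan99
 ip address 10.0.99.3 255.255.255.0
 standby 99 ip 10.0.99.1
""",
}

def parse(config):
    """Return (declared VLAN ids, {SVI id: IPv4Interface}, SVI ids with an HSRP group)."""
    declared, svis, hsrp, cur = set(), {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            declared.add(int(m[1]))
            cur = None
        elif m := re.fullmatch(r"interface Vlan(\d+)", line):
            cur = int(m[1])
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and cur is not None:
            svis[cur] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif re.fullmatch(r"standby \d+ ip \S+", line) and cur is not None:
            hsrp.add(cur)
    return declared, svis, hsrp

def lint(configs):
    """Return sorted 'switch: finding' strings for a {switch name: config text} dict."""
    findings = []
    by_addr = defaultdict(list)   # host address -> switches that use it
    by_net = defaultdict(list)    # subnet -> (switch, SVI id, has HSRP)
    for name, cfg in configs.items():
        declared, svis, hsrp = parse(cfg)
        for vid, iface in svis.items():
            if vid == 1:
                findings.append(f"{name}: management SVI on VLAN 1; use a dedicated VLAN")
            if vid not in declared:
                findings.append(f"{name}: interface Vlan{vid} has no 'vlan {vid}' definition")
            if iface.ip == iface.network.network_address:
                findings.append(f"{name}: {iface} is the network address, not a host address")
            by_addr[iface.ip].append(name)
            by_net[iface.network].append((name, vid, vid in hsrp))
    for ip, names in by_addr.items():
        if len(names) > 1:
            findings.append(f"{'+'.join(names)}: duplicate address {ip}")
    for net, users in by_net.items():
        if not any(has_hsrp for _, _, has_hsrp in users):
            owners = "+".join(n for n, _, _ in users)
            findings.append(f"{owners}: {net} has no HSRP group, so no gateway redundancy")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint(POSTED)) or "no findings")
```

Running it prints ten findings for the posted configs (three management SVIs on VLAN 1, the .0 host address, the Vlan20/vlan 30 mismatch on Core_3, the repeated 10.0.0.1, and four subnets with no HSRP) and none for the hardened pair; the HSRP check is deliberately per subnet, so a VLAN that exists on one core only is reported even though nothing is misconfigured on that switch by itself.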

In addition to Jon's post, another design would be a routed access design, as all the switches are L3 capable. Make each access switch dual-uplink to the Cat6500s, configure all the ports as L3 and run a routing protocol among all the switches. This design is best suited to a big campus LAN. I don't know if that can suit you, but it is just some advice on the design front.

Please see whitepaper on routed access design.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/routed-ex.html

-amit singh

Thanks to all that replied. Sorry I did not explain the problem I'm having with upgrading the LAN design.

Please advise on proposed upgrade.

Overview

The customer has an existing network consisting of 3 buildings; each building has a core switch (2x6509 & 1x4500).

Each core switch has about 20 access switches connected. There are some access switches which have other switches daisy chained to it.

All switches are using vlan 1 for native VLAN.

The customer will not upgrade the 4500 switch at this time.

Access switches do not have dual connections to the core switches, so there is no redundancy for any access switch.

All core switches will be connected over Layer 2 dot1q trunk links. (Some customer equipment only runs over L2 links.) Therefore L3 ports cannot be used between the core switches.

Proposed Upgrade Design.

This is what I plan to use.

Each access switch will have a unique Data and Voice VLAN. The core switch connected to the access switches will be the default gateway for the Data and Voice VLANs on each access switch.

The core switches will run EIGRP between them.

All access switches will be connected over VLAN 100 (native VLAN).

Colm

Could you just explain what the setup is now, as opposed to your proposed upgrade?

Your setup will work and it may be the best option with the kit, but I would still be concerned about the complete lack of redundancy.

Jon

Hi Jon,

Basically HSRP is running between the two core 6509 switches for VLANs 1, 10 and 110. These are the default gateways for the Voice and Data VLANs.

The 4500 switch has a link to both Core 6509 switches.

All links are L2 dot1q trunks.

Diagram uploaded

Okay, so what you are trying to do, in effect, is limit the extent of the L2 broadcast domains by terminating the vlans on each core switch respective to their buildings?

The only problem is you are still running a L2 trunk between the buildings. What are these for? If you are containing the vlans within each building, why can you not use L3 routed links between the 4500 and the 6500 switches? I know you talk about legacy L2; could you expand on that a bit?

Do you have spare fibres between all the buildings ?

Jon

There is one spare fibre between all buildings.

The LAN is based in a hospital environment and legacy medical equipment will only communicate over L2 links. This has been tested over layer 3 links and will not work.

Is it still a good idea to use Eigrp routing over L2 trunk for the core switches?

Thanks again,

Colm

Colm

Apologies for not getting back sooner.

So can I assume that this L2 legacy equipment runs across all 3 buildings, and that means you must have L2 adjacency between all buildings?

If so, how does this equipment work? Is it a server-based application? Where I am a little confused is that you have dedicated vlans/subnets in each building for clients, so they would not be L2 adjacent for the servers anyway.

One possible use of the extra fibre would be to have both L3 and L2 links between buildings, with most of the traffic going via the L3 links, which would protect you somewhat from STP loops; and if the legacy equipment is finally replaced, you have a L3 routed design to go forward with.

But without understanding the legacy application and how it works between buildings it's difficult to say.

Jon

I had a very similar hospital setup and everything ran just fine, but there are a few things I think you should look at.

1. The point of HSRP is to provide multiple layer 3 gateways in case of failure. If the equipment (core) fails, the line will be dead and no one will get out regardless, so you might as well scrap it.

2. Trunks between buildings are a good thing. You may want to consider running what I'll call 'local VLANs'. Use the same VLAN in each building for the users, let's say VLAN 100, but don't allow it over the core-to-core links (e.g. switchport trunk allowed vlan 1-99,101-2000). Limit some of the heavier traffic from spilling over your links. Each site will have its own subnet, which will also make locating problems slightly easier.

3. If you want to run more bandwidth between buildings, or you can convince them to have dual/redundant cores in each building, I would suggest you take a look at CWDM

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet09186a00801a557c_ps4999_Products_Data_Sheet.html

multiple links over a single fiber. If you did have multiple cores, then you would want to run HSRP or GLBP between them.

4. EIGRP is Cisco only. As much as I like Cisco products I never want to be 100% bound to anything too proprietary. OSPF is almost as fast and is an industry standard. If you ever have to implement any non-Cisco equipment in the future it'll make your life a lot easier.
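Point 2 above (the per-building 'local VLAN' kept off the core-to-core trunks) and Jon's earlier point about the native VLAN both come down to what a trunk's allowed-VLAN list carries. As an added example, not code from the post or from Cisco, here is a parser and formatter for the IOS switchport trunk allowed vlan list (parse_allowed also handles the all/none keywords and arbitrary ranges, going beyond the one list quoted in the reply) and a check function for a core-to-core trunk. VLAN 100 as the local VLAN follows the reply; native VLAN 999 and management VLAN 99 in the usage lines are assumptions.

```python
"""Parse and build IOS 'switchport trunk allowed vlan' lists and check a core trunk.

Added example, not from the original post. The checks encode the thread's advice
(native VLAN not VLAN 1 and not the management VLAN, per-building local VLANs
pruned from core-to-core trunks); the range compression is the general algorithm.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094

def parse_allowed(spec):
    """'1-99,101-2000' -> set of VLAN ids; 'all' -> every VLAN; 'none' -> empty set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad VLAN list item: {part!r}")
        lo, hi = int(m[1]), int(m[2] or m[1])
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def format_allowed(vlans):
    """Compress a collection of VLAN ids back into the IOS comma/range form."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    runs, start, prev = [], ids[0], ids[0]
    for v in ids[1:] + [None]:          # None flushes the final run
        if v is not None and v == prev + 1:
            prev = v
            continue
        runs.append(f"{start}-{prev}" if start != prev else str(start))
        if v is not None:
            start = prev = v
    return ",".join(runs)

def check_core_trunk(allowed_spec, native, mgmt, local_vlans):
    """Return findings for one core-to-core trunk, following the advice in the thread.

    native and mgmt are VLAN ids; local_vlans are the per-building VLANs that
    should never be carried between buildings.
    """
    allowed = parse_allowed(allowed_spec)
    findings = []
    if native == 1:
        findings.append("native VLAN is VLAN 1; move it to an otherwise unused VLAN")
    if native == mgmt:
        findings.append(f"native VLAN {native} is also the management VLAN")
    if mgmt not in allowed:
        findings.append(f"management VLAN {mgmt} is not allowed on the trunk")
    leaked = sorted(v for v in local_vlans if v in allowed)
    if leaked:
        findings.append(f"local VLAN(s) {format_allowed(leaked)} allowed across buildings; prune them")
    return findings

if __name__ == "__main__":
    # Constructed values: VLAN 100 is the local data VLAN as in the reply; the
    # native/management VLAN numbers in the second call are assumptions.
    print(check_core_trunk("1-99,101-2000", native=1, mgmt=1, local_vlans={100}))
    print(check_core_trunk("10,99,110", native=999, mgmt=99, local_vlans={100}))
```

The first call reproduces the reply's list with the thread's original VLAN 1 habits and reports the native/management findings while confirming VLAN 100 is pruned; the second, with an unused native VLAN and a dedicated management VLAN, returns no findings. format_allowed(parse_allowed(x)) round-trips any valid list, which is useful when a change script needs to rewrite the allowed list rather than hand-edit it.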
