New Core/Distribution Switch Design

John Apricena
Level 1

Hello,

We would like to update some of our equipment, as some of it is very old, however since we have many users we would like as little downtime as possible. I have attached a diagram which includes what we currently have (on the right), and what we would like to add in (on the left). Currently all traffic routing resides on the Cisco 6509 and it pushes up towards the firewall and out to the internet. We would like routing services turned off on the 6509 and to be solely on the two new Cisco 4500x switches. Also, all VLANs are defined on the 6509 and the 6509 has all trunk links to the 4006s. Traffic currently flows from the 4500x switch on the top right down to the firewall, then to the 6509, and then to the access 4006.

My question is more of a design question and whether this looks good or not. All advice, feedback, and criticism are welcomed. We would like the 4500x switches to carry all the routes and layer 3 traffic, and be redundant, so if one fails the network can still function. Here's how I envision it: I uplink the two new 4500x with Layer 3 uplinks to the edge routers. Then, uplink each 4500x switch to the 6509 using trunk ports. This is so the 4500x switch will know about all the VLANs. I will use EIGRP between the new 4500x switches and the Cisco 1900 and 4500x to share routing info. I would also like to uplink the two 4500x switches together and use HSRP to create a floating SVI for each VLAN between the two.

Once this is in place, I will then switch the 4500x switch on the top right to route its traffic towards the 4500x switches. My question here is how can I do this in a load balancing fashion? Is there a layer 3 floating IP I could use or something to that effect? This routing change will virtually remove the firewall from the equation, but temporarily that is fine.

Traffic will then flow from the 4500x switch on the top right to the 4500x switches on the left, to the 6509 and then to the 4006. Then, one by one we can replace the 4006 chassis switches with newly purchased 4507s that uplink to the new 4500x switches instead of the 6509.

Please advise if the above seems reasonable, and if you see any trouble from this, again any criticism is welcomed, and thanks in advance!
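The "floating" gateway the poster is asking about is the HSRP virtual IP on each SVI. The following is an added illustration, not the poster's configuration: an HSRP-backed SVI on a pair of core switches with a routed EIGRP uplink toward the edge and a trunk back toward the legacy 6509. VLAN numbers, addresses, interface names, the EIGRP AS number and the key strings are all assumed. It also shows the two hardening points a reviewer would ask for: HSRP and EIGRP authentication (an unauthenticated HSRP group can be taken over by any host that sends a higher-priority hello), and passive-interface default so routing hellos are not sent onto user VLANs.

```cisco
! Added example (not the poster's or Cisco's configuration).
! VLAN 10, 10.10.10.0/24, EIGRP AS 100, interface names and key strings are assumed.
!
! ---------- Core switch A: intended active gateway for VLAN 10 ----------
key chain HSRP-KEYS
 key 1
  key-string EXAMPLE-HSRP-KEY
!
key chain EIGRP-KEYS
 key 1
  key-string EXAMPLE-EIGRP-KEY
!
! Track the routed uplink so the active router steps down if it loses the edge
track 1 interface TenGigabitEthernet1/1 line-protocol
!
interface Vlan10
 description Users VLAN 10
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 ! 10.10.10.1 is the floating gateway address that hosts use
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 ! wait after boot before preempting, so EIGRP has converged first
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-chain HSRP-KEYS
 standby 10 track 1 decrement 20
!
! Routed (Layer 3) uplink toward the edge router; the only EIGRP adjacency
interface TenGigabitEthernet1/1
 description L3 uplink to edge router
 no switchport
 ip address 192.0.2.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Layer 2 trunk toward the 6509 so the SVIs see every VLAN during migration
interface TenGigabitEthernet1/2
 description L2 trunk to 6509
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 192.0.2.0 0.0.0.3
 ! no EIGRP hellos on user-facing SVIs; only the routed uplink forms neighbours
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
!
! ---------- Core switch B: same group, lower priority, takes over on failure ----------
interface Vlan10
 description Users VLAN 10
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-chain HSRP-KEYS
```

After applying it, `show standby brief` should list switch A as Active and B as Standby for group 10, and `show ip eigrp neighbors` should show only the edge router on the routed uplink. Note that HSRP on its own gives redundancy, not load balancing: all VLAN 10 traffic leaves through whichever switch is active, which is why the replies below steer toward VSS for the active/active behaviour the poster wants.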

10 Replies

shillings
Level 4

I think I understand. A few points and questions:

  1. You are proposing a dual redundant pair of 4500-X switches for a new core. However, you're only uplinking them to a single WAN edge switch, yet you have two Internet feeds.
  2. You can easily load balance outbound traffic, on a per-session basis. Note that a single VPN connection or file transfer, for example, will be seen as one session, so traffic may or may not be load balanced very evenly. Also check out Performance Routing (PfR), but I've not used that yet. Inbound traffic is even harder to load balance, but you can still utilise both links. Is this what you want to do? Are both Internet feeds with the same ISP? If not, do you have a provider independent prefix?
  3. Where is your firewall going to be in the final solution? How will you secure the LAN during the transition phase? And surely you need dual-redundant firewalls. Makes no sense to have dual-redundant core switches and two Internet circuits, but only one firewall.
  4. Are you aware that the 4500-X can use VSS to form a single logical switch?

Marvin Rhoads
Hall of Fame

It looks generally reasonable. I did a similar upgrade for a customer late last year.

You should consider linking the 4500X's together in a VSS. That makes them look like a single switch and allows the uplinks from the new 4507s to be 20 Gbps L2 portchannel instead of 2 x 10 Gbps links with one forwarding and one blocking in spanning-tree. That also removes the need to run HSRP between the 4500X cores and removes the concern about balancing the load between the edge 4500X and the core. If you want to add resiliency between the edge and core, you can make that a L3 portchannel.

You should run the latest IOS-XE release - currently 3.4.1SG - if you use VSS. The initial 3.4.0SG release had a bug that could cause the switch to crash. If you decide against adopting VSS then the recommendation is 3.3.1SG.
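To make the VSS suggestion concrete, here is an added illustration (not Marvin's text or Cisco's documentation) of converting two standalone 4500-X switches into one virtual switch, then building the multichassis EtherChannels he describes: a 20 Gbps Layer 2 bundle from a new 4507 and a routed port-channel toward the edge 4500X. The domain number, port numbers and port-channel numbers are assumed; check the exact syntax against the VSS chapter of the IOS-XE release actually deployed.

```cisco
! Added example (not the replier's or Cisco's configuration).
! Domain 100, VSL ports Te1/31-32 and port-channel numbers are assumed.
!
! ---------- On switch 1 (standalone, before conversion) ----------
switch virtual domain 100
 switch 1
 switch 1 priority 110
!
! Virtual Switch Link: a port-channel of two 10G links between the chassis
interface Port-channel 10
 switchport
 switch virtual link 1
!
interface range TenGigabitEthernet1/31 - 32
 channel-group 10 mode on
!
! ---------- On switch 2 (standalone, before conversion) ----------
switch virtual domain 100
 switch 2
 switch 2 priority 100
!
interface Port-channel 20
 switchport
 switch virtual link 2
!
interface range TenGigabitEthernet1/31 - 32
 channel-group 20 mode on
!
! On both switches: convert; each reloads and comes up as one logical switch,
! with interfaces renamed to <switch>/<slot>/<port>
switch convert mode virtual
!
! ---------- After conversion ----------
! Layer 2 uplink from a new 4507: one member on each VSS chassis, so a single
! 20 Gbps bundle with nothing blocked by spanning-tree
interface Port-channel 30
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface range TenGigabitEthernet1/1/1 , TenGigabitEthernet2/1/1
 channel-group 30 mode active
!
! Routed port-channel toward the edge 4500X, again one member per chassis,
! so no HSRP between the cores and no balancing question toward the edge
interface Port-channel 40
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
interface range TenGigabitEthernet1/1/2 , TenGigabitEthernet2/1/2
 no switchport
 channel-group 40 mode active
```

Two operational caveats a practitioner would add: verify the pair with `show switch virtual` and `show switch virtual link` before trusting it, and configure dual-active detection (enhanced PAgP on a multichassis EtherChannel or a dedicated fast-hello link) so that losing the VSL does not leave both chassis active with the same addresses. The VSS conversion itself is disruptive, which matches the later advice in the thread to stage it on a bench before the production cutover.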

John Apricena
Level 1

Shillings/Marvin Rhoads,

Thank you guys so much for your input! Please see my responses below.

Shillings

1. Both 4500x switches will uplink to both WAN routers, sorry if the image didn't portray that.

2. We will not load balance between providers, but I was asking if we could load balance internally, which VSS seems like the solution there.

3. I think the firewall will be behind the 4500x switches, and redundant firewalls will be purchased if in budget.

4. I wasn't aware and thank you so much for this info.

Marvin Rhoads,

1. Even with VSS configured, can I have it uplink to the core with layer 3 uplinks using like EIGRP, and uplink it to the 6509 using trunk ports?

3. I think the firewall will be behind the 4500x switches, and redundant firewalls will be purchased if in budget.

I presume you mean that the firewall/s will sit between the 4500-X core switches and the Internet edge devices - is that correct?

John Apricena
Level 1

Yes, either there or in between the 4500x switches and the 6509.

You're getting rid of the 6509 long term though, correct?

Just bear in mind that your firewall can't route between VLANs at anything like the speed of layer-3 switches, be that the proposed 4500-X pair or your existing 6509. And once that firewall CPU is max'd out, which could be easy to achieve, then your entire network will grind to a halt.

John Apricena
Level 1

Ah, understood. So in between the 4500x and core devices is where it should go. Thanks!

One more question. Even with VSS configured, can I have it uplink to the core with layer 3 uplinks using like EIGRP, and uplink it to the 6509 using trunk ports?

Thanks again Shillings!

Ah, understood. So in between the 4500x and core devices is where it should go.

No, a firewall would normally be positioned at your Internet edge. In other words, between Internet edge router/s and the collapsed core/distribution layer. Basically, you would point a default route at the firewall on a routed link. You wouldn't trunk all your VLANs up to the firewall and expect it to route between them, and also forward traffic to the Internet, if required.

John Apricena
Level 1

Thanks Shillings! Is there currently any simulator I could use to simulate VSS before bringing it online with the hardware, or do I have to use the hardware itself?

John,

Re the different types of links, you can mix and match them - routed to the edge and layer 2 trunked toward the 6509 is a perfectly fine option. In either case they can also be combined into Etherchannels.

Re simulating, there's no simulation software to allow you to run a 4500X VSS cluster (that I know of). Even when I took the Cisco partner training, we remotely interacted with real hardware in their labs.

When we put these in for customers, we typically stage the equipment on our lab workbench first to work out the exact configuration (and familiarize ourselves with the gear if it's the first time with a particular model or software image, ensure functional parts, etc.) before scheduling the production cutover.
