Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
892
Views
0
Helpful
4
Replies

SVI Placement

Chad Parish
Level 1
Level 1

‎11-14-2017 09:01 AM - edited ‎03-08-2019 12:44 PM

We currently configure all SVI's one the Core 6509's.  Downstream we have a pair of layer2 5648 Nexus switches into which is connected our DC servers and our fabric interconnects with the UCS chassis below the Interconnects.

 

We are looking into upgrading our 6509 core switches with 7706 switches.  

 

I'd like to keep the SVI's on the new 7706's but separate them by VDC's, so the production server vlans would be located in VDC PROD, the Dev server SVI in VDC DEV, System Admin SVI in VDC SYS-AD, etc...

 

My team is thinking it would be better to enable Layer3 routing on the 5648 and then move the SVI's specific to the server vlans into the 5K, while keeping the other VLAN SVI's on the new 7706 cores.  In this way traffic between a prod server and a dev server both downstream from the 5K would not have to traverse up to the cores to route between vlans.

 

I have always seen SVIs implemented at the Core, is there any reason not to put some SVI's at the 5k and the rest upstream at the Core.  And should I separate SVI's into different VDC's at the Core 7706? 

 

Labels:
0 Helpful
4 Replies 4

Seb Rupik
VIP Alumni
VIP Alumni

‎11-14-2017 09:11 AM

Hi there,

Sounds like you are moving towards a 3-tier network topology. Nothing unusual about that but normally seen in very large 'campus' networks.

 

Regarding the use of VDCs, unless there you are planing on having the different VDCs exclusively administered by different teams then it is a bit of an excessive way creating separate routing domains. You could achieve the same with VRFs.

Keep in mind how you will get these routing domain to communicate, are you also purchasing internal firewalls to service this east-west traffic?

 

cheers,

Seb.

0 Helpful

Chad Parish
Level 1
Level 1
In response to Seb Rupik

‎11-14-2017 09:25 AM

I was thinking more in terms of just separating the Prod, Dev and 3rd party networks fromone another, but VRFs could work as well. There are are firewals between the DMZ and the rest of the internal network.

But then your saying there is no issue with breaking up where SVI's are configured. We could have some on the 5K and some upstream on the cores with no issue.
0 Helpful

Chad Parish
Level 1
Level 1
In response to Chad Parish

‎11-14-2017 09:28 AM

Also, if we enable the 5k's for layer 3 routing up to the core, we cannot also have trunk links between 7K's and 5k's. So no VPCs?
0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to Chad Parish

‎11-14-2017 09:47 AM

Best practice it to run separate Layer3 links between 5K and 7K. Also it was the case with the 7000 that you would also need a Layer3 link between two vPC chassis. I can't find any document that suggest it is any different on the 7700.

 

Regarding the VRF/ firewall design, you may want to create an separate context on your ASAs to further segregate the traffic from the north-south flows to your installation. To that end you may want to consider additional 10G links from your core to the FWs to cater for this traffic.

0 Helpful
Related community topics
Customers Also Viewed These Support Documents
Top