Switching Design with Access, Distribution and Core Level

zain_gabon
Level 1

Hi Support,

I read that in the Campus architecture, we have 3 levels: Access (connected and users and desktops), Distribution (connected access switches) and Core Layer (connected distribution switches).

My question is: is it necessary to access Core Level in Campus Architecture, or in what way do we need to have Core Level?

Your clarification will be appreciated.

Regards

12 Replies

Latchum Naidu
VIP Alumni

Hi,

As per Cisco and industry best practice, the three-layer hierarchical model is the best one for enterprise networks. Each layer has its own capabilities and functions.

Core Layer:

  • Responsible for transporting large amounts of traffic reliably and quickly.
  • Only purpose is to switch traffic as fast as possible (speed and latency are factors).
  • Failure at the Core layer can affect every user, design for fault tolerance at this level.

Design specifications

Don't do at this layer:

  • Don't use access lists, packet filtering, or VLAN Routing.
  • Don't support workgroup access here.
  • Don't expand (i.e. more routers), upgrade devices instead (faster with more capacity).

Do at this layer:

  • Design for high reliability (FDDI, Fast Ethernet with redundant links, or ATM).
  • Design for speed and low latency.
  • Use routing protocols with low convergence times.


Distribution Layer:

  • Also called workgroup layer, this is the communication point between the access and core layers.
  • Primary functions include routing, filtering, WAN access, and determining how packets can access the Core layer if necessary.
  • Determines fastest/best path and sends request to the Core layer. Core layer will then quickly transport the request to the correct service.
  • Place to implement network policies.

Distribution Layer Functions

  • Access lists, packet filtering, queuing.
  • Security and network policies such as address translation and firewalling.
  • Re-distribution between routing protocols including static routing.
  • Routing between VLANs and other workgroup support functions.
  • Departmental or workgroup access.
  • Definition of broadcast and multicast domains.
  • Any media transitions that need to occur.


Access Layer:

  • Controls local end user access to internetwork resources.
  • Also called desktop layer.
  • The resources most users need will be available locally.
  • Distribution layer handles traffic for remote services.
  • Continued use of access lists and filters.
  • Creation of separate collision domains (segmentation).
  • Workgroup connectivity at Distribution layer.
  • Technologies such as DDR and Ethernet switching are seen in the Access layer.
  • Static routing is here.


So this all depends on your network size and organization's budget.
We can even have just one core switch directly and do everything in it, like WAN connection termination, VLANs, routing, etc.
As I said it is up to organization and their network size.

Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

Thanks for your quick response,

But in a middle Network, about 300 users, it's necessary to use core Level,

In my case, we have two 4503 at the Distribution layer and more than 20 3560 at the access layer.

Regards

Hi Zain,

You will be fine with what model you have.
You can do both Core and Distribution in 4503.
Also you can use 4503 only for core layer and 3560's for distribution as well as access layer.

I see many clients running their production sites (100 to 300 user count) with only 3750 switch as Core and distribution function and 2960 for access.

So I would say your model based on devices what you have is OK.

Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

Thanks a lot,

In the case where I want to use my 4503 as Distribution and Core, is there a special configuration to be done?

Actually, all vlans and inter vlan routing are done on 4503 with Trunk port to all 3560 access switch.

Regards

Hi Zain,

Of course...

1. Your WAN link will be terminated on the core.
2. Your dynamic routing protocols like EIGRP, BGP will be run on the core.
3. Your VLAN configuration will be on the core.
4. If you have any specific static routes, those will be in the core.

Even if you want to reduce the load on your 4503 core switch, you can configure your inter VLAN routing on your 3560 itself and assign respective vlans to the end user connected ports on the same 3560 itself.

If you want your intervlan routing on the 4503 only then I guess you have VTP to distribute all the vlans to your 3560's


Please rate the helpful posts.
Regards,
Naidu.

Hi,

Find my Architecture (in attached file)

Wan router and firewall are connected on the access Layer (3650 switch)

VTP is used on the 4503 switches to update automatically vlans on the vtp domain.

Each VLAN interface on the 4503 has an IP address and inter-VLAN routing is done automatically.

Is there something wrong in my architecture?

I connected the WAN router and firewall on the access layer to have redundancy in case one link to the 4503 failed.

Thanks

Hi Zain,

There are no attachments.

I connected the WAN router and firewall on the access layer to have redundancy in case one link to the 4503 failed.

I didn't understand that...


Do you mean that you have connected your WAN router and firewall to both your core 4503 and access 3560 to have physical connection redundancy? If yes, what are you running to prevent the loop?

Please attach the clear diagram so that I can assist you.


Please rate the helpful posts.
Regards,
Naidu.

Hi,

I can't find where I can attach a file.

The WAN router and firewall are connected on the 3560 (just one link).

I'm talking about the link from the 3560 to the Core (4503).

If I connect the WAN router to a 4503 and that 4503 fails, my WAN router will be disconnected.

So I connect the WAN router and firewall on the 3560, which has two links to both 4503s.

Hi Zain,

You have a very good setup from the LAN side (complete mesh). So you don't need to worry about single points of failure.
So the present setup is OK.

But if your 3560 fails, how will you have connection to your WAN? I guess this is again a single point of failure.

So, I would suggest you connect your WAN links to any D-Link switch, then connect your core switches 4503 to that D-Link switch and do all the necessary WAN routing part in the 4503.

Again, you need to keep a spare D-Link switch; in case the one D-Link switch which is in place fails, you can replace it with the spare one. So this will not take much time and there is no need to do any config changes.


I guess your 2 4503 core switches are in HSRP.

Please rate the helpful posts.
Regards,
Naidu.

Thanks Naidu,

There will still be a single point of failure.

The 2 4503s are in HSRP with different priorities on VLANs.

STP is also used to prevent loop and load sharing.

Re. the WAN link. If possible you should have a router with 2 LAN interfaces and connect to both 4500 switches. Run a dynamic routing protocol between the router and the 4500 switches and then the 4500 switches will see 2 equal cost paths to all remote destinations.

You definitely do not want to connect your WAN at the access-layer, that is not recommended and makes for very bad traffic patterns.

If you only have one ethernet connection from the router then connect it to one of the 4500 switches at least.

Jon
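The WAN attachment options discussed in this thread can be compared by asking which single device failure cuts users off from the WAN router. The following is an added example, not code from any poster; the node names (ACC1, CORE-A, CORE-B, ACC-WAN, EDGE-SW, WAN-RTR) and the link lists are constructed from the descriptions in the posts.

```python
from collections import deque

def reachable(links, src, dst, removed=None):
    """Breadth-first search over undirected links, skipping the removed node."""
    adj = {}
    for a, b in links:
        if removed in (a, b):
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(links, src, dst):
    """Devices between src and dst whose loss alone breaks the path."""
    nodes = {n for link in links for n in link} - {src, dst}
    return sorted(n for n in nodes
                  if not reachable(links, src, dst, removed=n))

# Constructed LAN side: one user access switch dual-homed to two 4503 cores.
LAN = [("ACC1", "CORE-A"), ("ACC1", "CORE-B"), ("CORE-A", "CORE-B")]

# Constructed WAN attachment variants taken from the thread.
DESIGNS = {
    "wan_on_access_3560": LAN + [("ACC-WAN", "CORE-A"), ("ACC-WAN", "CORE-B"),
                                 ("WAN-RTR", "ACC-WAN")],
    "wan_via_edge_switch": LAN + [("EDGE-SW", "CORE-A"), ("EDGE-SW", "CORE-B"),
                                  ("WAN-RTR", "EDGE-SW")],
    "router_dual_homed": LAN + [("WAN-RTR", "CORE-A"), ("WAN-RTR", "CORE-B")],
    "router_single_link": LAN + [("WAN-RTR", "CORE-A")],
}

def compare(src="ACC1", dst="WAN-RTR"):
    """Map each design name to its list of single points of failure."""
    return {name: single_points_of_failure(links, src, dst)
            for name, links in DESIGNS.items()}

if __name__ == "__main__":
    for name, spof in compare().items():
        print(f"{name:22s} single points of failure: {spof or 'none'}")
```

The WAN router itself is excluded as an endpoint, so the result only covers the switches between the users and the router.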

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

No, you don't always need a 3 tier design.  For smaller topologies, a 2 tier design, such as collapsed core/distribution or collapsed distribution/access, works fine.  You can search Cisco's main site and find many design guides describing 2 tier designs.