Campus design

Hello all,
I'm relatively new to Cisco networking and I need some clarification on Cisco hierarchical campus network design.
1. Why do I have to use L3 switches on the core and distribution layers? A router implementing CEF doesn't perform switching at the same speed?
2. In the access-distribution layer (switch block), does 1 VLAN have to be restricted to the boundaries of 1 access switch, or is it better to extend it to more than 1 access switch by using L2 ports on the distribution switch? (I think that L3 traffic load balancing on the uplinks to the distribution switches - using 2 distrib. switches - is done only if you configure 1 VLAN per access switch, isn't it?)
ANY help will be appreciated.
THANKS
Peter

I'm not a design expert, but I work on a network that follows Cisco hierarchical designs.
1. The question should then be: will you be using a layer 2 switch to connect 2 core and 2 distribution routers (for redundancy and load balancing)?
2. From what I've seen, it's better to keep the VLANs on just a single access switch to avoid STP issues (and suboptimal layer 2 paths).
For the load balancing, you can configure HSRP for VLANs configured on more than 1 access switch.
I'm not sure I've followed your questions.
But, just my thoughts on the subject.
Vlad

Similar Messages

  • How to span vlans across core layer in core/distribution/access campus design?

    Hi,
    I studied Cisco Borderless Campus Design Guide 1.0 (http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.html) last week because we plan to redesign our campus backbone to a three tier Core/Distribution/Access Design.
    Today we use a collapsed backbone where a lot of vlans are spanned across the backbone because they are needed in different buildings.
    Could anybody give me a hint how Cisco recommends to deal with that kind of vlans in the multi-tier design?
    In my eyes between core and distribution layer there is only routing functionality and no l2 transport of vlans.
    So using the same vlan in different buildings seems not to be supported?
    Best Regards,
    Thorsten

    Thorsten
    Just to add to Joseph's post.
    It is quite common for a vlan to be spanned when it doesn't actually need to be ie. the network has evolved that way.
    Most things do not need L2 adjacency, they can happily use L3. Servers sometimes do but in the campus design your servers are usually located in one site so you don't need to extend vlans to other sites in your campus.
    Not suggesting this is the case for you but it may be worth checking whether you really do. (apologies if you already have)
    As Joseph mentioned you really want to avoid it if at all possible ie. ideally all connections to the core switches are L3 ie. no need for vlans at all in the core.
    If you need to extend a few vlans then you can do this but still route for all other vlans ie. you would configure your distribution to core connections as trunks and then allow the vlans you need to extend plus one other vlan, unique per distribution pair, to route all other vlans. So per site your distribution switches route all vlans except the extended vlans and if they need to route to a vlan in another site they use that unique vlan.
    But this is not ideal because you then need to extend certain vlans across the core and because you are using L2 connections STP could come into it although that does depend on your core switch selection eg. 4500/6500 VSS etc. would alleviate this.
    There are ways to extend vlans across a L3 network but the solutions available are very much dependent on the kit you use and their capabilities so if you do need multiple vlans in multiple sites but still want to keep a L3 core you may want to investigate some of those before purchasing kit (unless of course you have already purchased it).
    What you do really depends on just how many vlans you actually need to extend between sites.
    Jon

  • Campus design choice for VoIP?

    Hi...
    I have been reading a lot about the differences between routed campus design and other designs based on spanning tree.
    I am also in the process of providing a solution to a customer whose main campus consists of 1000 users and includes several remote sites connected via E1 links. I am planning to give a Core/Distribution/Access layer routed solution, unless the customer opts for a collapsed core solution, which will probably make the network not suited for a routed solution.
    I would like to know which solution is best and what considerations I should keep in mind when giving either solution.
    Thanks.

    Usually, the terminology or design concepts are based on three layers, as you mentioned: Core, Distribution, Access. Most companies go to the collapsed core, where they combine the Distribution and Core layer functionalities. The reason they go to this approach is budget constraints. Otherwise the best would be following the first design concept.
    Therefore, both of them do the job. Both of them are sound designs. However, you have to check the requirements to spec the right devices and scale your design according to the budget while providing the functionality.
    Check what the software requirements are in terms of throughput, latency, delay. Check port requirements and future scalability. Check for high availability, etc.
    I hope I could help you in some of the key points,
    Remark: The above design concept of Distribution, Core, and Access layer is usually used in small to medium campuses. However, in an enterprise environment you have to consider the enterprise composite design, where the network is divided into modular layers and each layer may contain core, distribution and access layers. This is included in CCDP.
    Please rate if you find the above helpful,
    Regards,

  • Named VLANs and Campus Topology

    We have a campus of several groups and sub-groups distributed across an expansive campus. We want to enable improved mobility (not just wireless) of users while retaining user authorizations and entitlements.
    We consider implementing a named vlan structure with the groups defined at every access/distribution layer.
    Does anyone know what problems this implementation might cause?

    In a large campus design the traditional Cisco recommendations are for at least two VLAN's per access layer switch, which is then dual-homed to a distribution L3 switch where the VLAN's are terminated. We also recommend that the VLAN's do not extend beyond a single closet. This enables us to scale the wired switched networks very well, support fast STP convergence, and provide predictable behaviour under failure conditions. In this scenario it is advised against any end to end VLAN's, not even VLAN 1 for management.

  • A Design Dilemma by a net Admin turning into Architect

    In a big hierarchical network architecture (Core-Distribution-Access) is right to have ospf routing running on core switches? I mean... should I build an high speed L2 Core or should I connect the Core to the different distributions using small interconnection subnets (interface VLANs) and a routing protocol (OSPF)? In this case is the use of a distributed default route originated by all core switches suggested?

    If you are starting from scratch consider a High Availability Routed Campus Design completely Layer3 all the way up to the Access Layer. You will be able to have multiple VLANs at each Access switch with no Spanning Trees.
    Run EIGRP with Access switches as Stubs. Summarize Access routes on the Distribution to Core, and the Core summarizes Distribution routes to WAN, Datacenter, and Internet Layers.
    As the previous poster mentioned, OSPF is an option too, but this requires manual tuning of the timers to match the convergence time of EIGRP.
    Do not put dual supervisors in the Distribution or Core layers, only the Access Layer (assuming a chassis based Access). Dual Sups in the Dist/Core slows down convergence in a High Availability Routed Campus design.
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a00805fccbf.pdf
    Give a read to the linked document.
    Please rate all helpful posts.
    Regards,
    Brad

  • Campus Design!

    I have more than 70 access switches (2950T) that will be connected to two Cisco distribution switches. Two uplinks will connect each access switch to the distribution (2 G links)!
    I read many documents about campus design! I think using routed interfaces with GLBP between the access and the distribution switches is the best design.
    I just need your feedback about this design! Could you also guide me to Cisco best practices about this design, and also config documents?
    I will use separate VLAN for each access switch.
    Thanks in advance
    Abd Alqader

    In my design! NO SVIs (NO VLANs).
    Each access switch will have two gigabit uplink connections (Link1 to Dist. A, and Link2 to Dist. B). The GLBP will be configured as follows:
    At (for example) interface giga 2/1 at Dist. A the Link1 will be connected, and also at interface 2/1 at Dist. B the Link2 will be connected. Now on the giga interfaces at the distribution switches GLBP will be configured (same group for each of the gigabit interfaces at the two dist. switches that connect that access switch), i.e. Layer 3 interfaces will be configured at the gigabit interfaces that will connect each access switch. NO VLANS.
    My question is about this design: is it good? Also, I think no VLANs will be required at each access switch (no more than one VLAN will be required at each access switch if we configure VLANs).
    I hope that you got my point!
    Thanks a lot
    Abd Alqader

  • Design suggestions for a four 6500 layer 3 network?

    Hi folks,
    We've just purchased two 6509's with redundant sup720's and two 6506's with sup32's, and I need to configure them to replace our aging Extreme switches.
    Two will be in the MDF on ground floor, and two in the IDF on second floor. All floors have their own VLAN and IP subnet, and there is a datacenter VLAN for servers, and a firewall VLAN acting as a glue network to the internet.
    I'll use GigE channels for trunks between them in a fully meshed configuration.
    My question concerns how to configure the VSI's on each switch. Each subnet has a default gateway, but how to virtualize this among the sup modules? It seems that HSRP, VRRP, and GLBP are available, with GLBP being preferred (correct me if I'm wrong).
    Would I need to configure a separate VSI for each VLAN on each switch, then setup GLBP for all of them? Can this even be done?
    Help please because I'm out of my depth on this one. Thanks for any responses,
    Ian

    Couple of options here:
    1) You keep the Sup32's in the IDF Layer2 only, connecting with DOT1Q trunks to the 720s in the MDF. Only the 720s have the Layer3 SVIs.
    2) You configure the Sup32s as Layer3, with 'no switchport' Layer3 links to the 720s in the MDF. Each Sup32 has an SVI for each VLANs on its switch.
    Option 1 is your typical Campus Wide VLAN approach.
    Option 2 is a Routed Campus Design.
    Take a look at the attached document.
    Hope this helps.
    Please rate all helpful posts.
    Regards,
    Brad

  • Term ...edge of the network

    Hi,
    I usually read this term 'The switch should be at the edge of the network' but not too sure what it means ...
    My understanding is that the switch should be the distribution switch or something of this sort. Is this correct, if no, please help to explain.
    Thank you.
    -SN-

    Hi,
    Typically, the "edge" of the network is referred to as the point that host devices connect to the network.
    When speaking in terms of a layered campus network design, we usually refer to three layers, the core, distribution, and access layer. The access layer is logically equivalent to the "edge."
    Here's a PPT that covers the principles of Multilayer Campus design.
    http://www.cisco.com/application/vnd.ms-powerpoint/en/us/guest/netsol/ns432/c649/cdccont_0900aecd802e9b1a.ppt
    HTH,
    Bobby

  • Catalyst 3750 Ingress SPQ/SRR behavior

    Do Cisco engineers review this community at all?
    I am working on the latest version of QoS standard for our Enterprise and noticed the following conflicting information officially provided by Cisco.
    My question relates to ingress/pre-ring Strict Priority Queue (SPQ) logic.
    Cisco Catalyst 3750 QoS Configuration Examples document states that SPQ on ingress is configured and serviced as follows
    mls qos srr-queue input priority-queue 2 bandwidth 10
    mls qos srr-queue input bandwidth 90 10
    SPQ services Q2 up to the configured 10% of ingress bandwidth
    Any excessive traffic in Q2 is not dropped, but is serviced by SRR in accordance with the configured weights
    For example, a momentary 5Gbps of aggregated ingress EF traffic will be serviced in the following way
    SPQ services 10% of total ring's bandwidth, or 3.2Gbps, leaving 1.8Gbps for SRR processing
    SRR services excessive 1.8Gbps in accordance w/ weights Q1 - 90 and Q2 - 10, such as Q1 gets 25.92Gbps and Q2 gets 2.88Gbps more.
    The following pictures provides in-depth look into Ingress queuing logic.
    Alternatively, Cisco Medianet Campus Design v4.0 provides the following example w/ comments
    C3750-E(config)#mls qos srr-queue input priority-queue 2 bandwidth 30
    ! Q2 is enabled as a strict-priority ingress queue with 30% BW
    C3750-E(config)#mls qos srr-queue input bandwidth 70 30
    ! Q1 is assigned 70% BW via SRR shared weights
    ! Q2 SRR shared weight is ignored (as it has been configured as a PQ)
    Basically, they now say Q2 bandwidth weight is ignored because it is configured as Strict Priority Queue. Doesn't it look contradictory?
    In my humble opinion Medianet (or SRND v4.0!!!) provides incorrect information re ingress queuing on Catalyst 3750 platform.
    I am not sure I can easily test it, providing that an internal ring must experience a congestion. I don't think I can send more than 32Gbps of traffic into any of my lab 3750 switches.
    Also, I don't think this mistake can be critical in my environment as I don't expect to have momentary full capacity load on those... but it can be critical for others.
    Much appreciated
    Tim

  • VLANs for the WiSM

    Hi Everybody,
    We followed the Cisco layered model in our campus design, where we have a 6500 switch at the core, 4500 at the distribution and 3750 at the access layer.
    The connectivity between the core and the distribution is layer 3, the connectivity between the distribution and access layer is layer 2. We have all the inter-VLAN routing on the distribution switches. We have recently installed two WiSM controllers in our core and are planning to deploy lightweight access points.
    We want to use the existing VLANs that we created for the wired users on the distribution switch for wireless LAN users. I wanted to know if this is possible, because the dynamic interfaces for the wireless VLANs would be created on the WiSM that is on the core switch, and the dynamic interfaces are like SVIs for the wireless VLANs.
    Secondly, I wanted to know what it means to assign a VLAN to the WiSM.
    Regards,
    Ahmed Zubedi

    I would recommend keeping the wired vlan separate from the wireless vlan.
    You need to assign a vlan for the service port of the controllers. This is local to the 6500 and is not routable. This is how the controllers talk to the 6500. I normally do like a 192.168.1.x

  • Load balancers vs. Gigabit switches + SSL decryptors

    Please I would need your suggestions on how best to solve some pressing IDS re-implementation issues. Here is the problem:
    We are planning on introducing the next generation IDS. This will replace the current RealSecure 7.0 sensor deployments. At present, we are using Toplayer load balancers. But with aggregated traffic from the different sources hardly exceeding 470Mb, we think that we are not getting much value with the expensive load balancers. We are, in effect, trying to explore the options of using gigabit switches to span the traffic from different sources, and then feed the sensors with the spanned output.
    The questions are:
    1. What options are available to dispense with the load balancers?
    2. If we have to use Cisco gigabit switches, which is the effective type, do we have to use IOS or how do we implement it, i.e. architecture; and do you think it is going to be a good replacement of the load balancers?
    3. Is there a middle ground architecture?
    4. Also, we are trying to introduce SSL decryptors for Web bound SSL traffic. There are different options out there including using sensors with embedded decryptors (such as McAfee's), using a plugin decryptor like breachview and doing termination. What do you think is the best option or are there some other alternatives?
    Regards,
    Charles Iheagwara

    The document Gigabit Campus Design, Configuration, & Recovery Analysis has more information on Cisco gigabit switches that can replace the top layer load balancers.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns147/ns17/networking_solutions_white_paper09186a00800a3e0b.shtml

  • Restrict management vlan

    Hi,
    I've been looking around the forums and cisco documents for an answer to my question, and get close but cannot quite seem to find an answer i understand.
    I am looking to create a management vlan (vlan 100) on which all the switches have their management ip address and also allow me to place management ports for certain servers.
    Currently on my 3750 i can ssh/http to the ip address of any of the vlan interfaces set up on it and log in.
    I only want to be able to do this from the ip address set up for vlan 100.
    I can then set up ACLs to restrict where i can access vlan 100 from.
    Is this possible? If so, how?

    Just to try and present a different angle here as the use of a network-wide Management VLAN is simply not a good idea.
    Spanning VLANs over your entire network introduces STP loops and instability that (IMO) should be avoided at all possible costs. If you have a typical structured network with Core, Distribution & Access or for smaller networks just a Core & Access then you should really be keeping access VLANs local to switches (or stacks if you have 3750's) using trunks with only the allowed VLANs enabled or better still Layer-3 routed uplinks. This way all uplinks will always be in a forwarding state and you will get better utilisation of your infrastructure links, plus any STP instability issues are removed. Have a read of the campus design SRND at the SRND site (http://www.cisco.com/go/srnd).
    Based on your comments (Currently on my 3750 i can ssh/http to the ip address of any of the vlan interfaces) you are running these switches as Layer-3 devices (routers) so the concept of a management VLAN does dwindle a bit anyway. What i would suggest is using /32 loopback interfaces to manage these devices and lock the VTY lines (& HTTP/HTTPS if you use it?) down with access-classes restricting access to certain networks (typically where your management hosts are). You can also configure control-plane policing as an extra level of defence to deny or rate limit access to control-plane protocols (routing, management etc). Be careful with control-plane policing though as I have got myself into some odd situations with it.
    HTH
    Andy
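
An added example, not part of Andy's reply and not Cisco tooling: a small Python audit that checks a saved IOS-style running-config for the controls the reply recommends (a /32 loopback to manage by, an inbound access-class on every VTY range, an access-class on the HTTP/HTTPS server). The sample config, its addresses and ACL number 10 are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the page). VTY 0-4 follows the
# reply's advice; VTY 5-15 is left open, which is the gap the audit reports.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
ip http secure-server
ip http access-class 10
access-list 10 permit 10.99.0.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""


def split_blocks(config):
    """Return [(header, [child lines])] for each top-level config block."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        elif line[0] != " ":
            blocks.append((line, []))
    return blocks


def audit_management_plane(config):
    """Return a list of findings about management-plane exposure."""
    blocks = split_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []

    # Numbers/names of ACLs defined anywhere in the config.
    acls = set()
    for h in headers:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", h)
        if m:
            acls.add(m.group(1))

    def check_acl(where, name):
        if name not in acls:
            findings.append(f"{where}: ACL {name} is not defined in this config")

    # 1. Every VTY range needs an inbound access-class and no telnet.
    for h, kids in blocks:
        if not h.startswith("line vty"):
            continue
        inbound = [m.group(1) for k in kids
                   if (m := re.match(r"access-class (\S+) in\b", k))]
        if not inbound:
            findings.append(f"{h}: no inbound access-class")
        for name in inbound:
            check_acl(h, name)
        for k in kids:
            if k.startswith("transport input") and {"telnet", "all"} & set(k.split()[2:]):
                findings.append(f"{h}: transport input permits telnet")

    # 2. If the HTTP/HTTPS server is on, it needs its own access-class.
    http_on = any(re.match(r"ip http (secure-)?server$", h) for h in headers)
    http_acl = [m.group(1) for h in headers
                if (m := re.match(r"ip http access-class (?:ipv4 |ipv6 )?(\S+)", h))]
    if http_on and not http_acl:
        findings.append("ip http: server enabled without ip http access-class")
    for name in http_acl:
        check_acl("ip http", name)

    # 3. A /32 loopback to manage the device by, as the reply suggests.
    has_lo32 = any(
        h.lower().startswith("interface loopback")
        and any(k.startswith("ip address") and k.endswith(" 255.255.255.255") for k in kids)
        for h, kids in blocks)
    if not has_lo32:
        findings.append("no /32 loopback interface for management")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports only the open VTY 5-15 range; the VTY 0-4 stanza shows the locked-down form.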

  • Management VLAN RV042

    I have both RV042 V1 and V3. It appears that the VLAN setup is expanded on the V3. On the V1, the Multiple Subnet Setting says "take the *existing* address allocation and split it up into multiple networks". This implies that the subnet on the Device IP Address would be further subnetted - which I rather doubt but figured it worth asking.
    Then it appears that management access is NOT available on any of the added subnets.  Is that right?
    If so, then it appears that one would want to assign subnets that are NOT intended to be used for the management interface and keep the management interface subnet as the "primary" "Device IP Address".  Is that right?
    This done then how do the VLANs interact with the management interface?
    How do the IP addresses interact with the VLANs?

    Current design practice is NOT to use a network wide Management VLAN due to the STP topology that it creates. If you have a small network then it shouldn't be too much of a problem but will result in STP loops in the network that are generally undesirable.
    Best practice is generally to have unique VLAN's per switch, terminating your Layer-2 on Distribution/Core switches and then routing (layer-3) from here on in. If you trunk a single management VLAN everywhere it means all links must be trunks and this introduces too many STP loops.
    Have a search on CCO for HIERARCHICAL CAMPUS DESIGN, or Campus Design.
    HTH
    Andy

  • Webauth url redirection fail with firewall between host and switch

    Hi All,
    I noticed some old posts (2012) on this specific issue (thanks Tarik) - this is exactly our problem. Web auth redirect URL gets dropped if a stateful firewall is between the webauth host and the switch management interface. Aaron at Cisco Live London kinda hinted about maybe Cisco working on this? We can't disable stateful inspection.
    Are there any other solutions or workarounds?
    "Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN, a default route is typically already configured. In this case, no additional configuration is required to support WebAuth. However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.
    In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
    Cheers
    Peter.                

    There is a workaround I haven't tested, which is available from 15.0 I think, which is the option to create SVIs on your access layer switches for the guest/user vlans, without actually enabling routing between them. It sounds weird, but I have been told that this combined is a possible workaround that will cause the switch to use the SVI interfaces when responding with the SYN-ACK, thus not being sent to its ip default-gateway.
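
An added example, not from the posts above or from the Cisco note they quote: a simplified Python model of a stateful firewall's handshake tracking, showing why the switch's SYN-ACK is dropped when the firewall never saw the host's SYN, and what turning off stateful inspection for ports 80 and 443 changes. The addresses are constructed, and the model assumes the switch's SYN-ACK carries the original destination as its source.

```python
from dataclasses import dataclass

# Constructed endpoints (documentation/private ranges), not from the page.
HOST = ("10.20.0.50", 40000)
WEB = ("203.0.113.10", 80)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


class StatefulFirewall:
    """Minimal TCP handshake tracker: a reply is forwarded only if the
    firewall itself saw the segment that the reply answers."""

    def __init__(self, stateless_ports=()):
        self.flows = {}  # (client, cport, server, sport) -> handshake state
        self.stateless_ports = set(stateless_ports)

    def inspect(self, seg):
        """Return True to forward the segment, False to drop it."""
        if {seg.sport, seg.dport} & self.stateless_ports:
            return True  # stateful inspection turned off for this port
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == "S":
            self.flows[fwd] = "SYN_SEEN"
            return True
        if seg.flags == "SA":
            if self.flows.get(rev) == "SYN_SEEN":
                self.flows[rev] = "SYNACK_SEEN"
                return True
            return False  # SYN-ACK with no matching SYN on record
        if seg.flags == "A":
            if self.flows.get(fwd) == "SYNACK_SEEN":
                self.flows[fwd] = "ESTABLISHED"
            return "ESTABLISHED" in (self.flows.get(fwd), self.flows.get(rev))
        return False


def normal_handshake(fw):
    """Host SYN crosses the firewall first, so each segment is forwarded."""
    return [fw.inspect(Segment(*HOST, *WEB, "S")),
            fw.inspect(Segment(*WEB, *HOST, "SA")),
            fw.inspect(Segment(*HOST, *WEB, "A"))]


def webauth_handshake(fw):
    """The access switch consumes the host's SYN, so the firewall never
    inspects it. Only the switch's SYN-ACK, sent toward the default router,
    crosses the firewall. Returns the verdict for that SYN-ACK."""
    return fw.inspect(Segment(*WEB, *HOST, "SA"))


if __name__ == "__main__":
    print("normal handshake:", normal_handshake(StatefulFirewall()))
    print("webauth, stateful:", webauth_handshake(StatefulFirewall()))
    print("webauth, 80/443 stateless:",
          webauth_handshake(StatefulFirewall(stateless_ports={80, 443})))
```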

  • Newbie... menu problem  :) Lit'l help plez

    I'm trying to create a menu that uses css and a bit of java, of which both my knowledge is minimal to say the least.
    But... I'm making slow progress. Basically my problem is the submenu components: when you mouse over the items that have a sub menu, they show behind the main menu. I need the sub menu items to show on top of the main menu, so that I can see the sub menu items. I know this is some code in the java page, but due to my lack of java script, I'm a bit lost. Could anyone out there please help me fix this? Any and all suggestions are greatly appreciated!
    Below is the code to each defined document.
    horizontal.htm
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"><head><title>Horizontal Drop Down Menus</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <script type="text/javascript" src="horizontal2_files/drop_down"></script>
    <style type="text/css">
    @import "style2.css";
    </style></head>
    <body>
    <ul id="nav">
      <li><a href="#">Home</a></li>
      <li><a href="#">Shade Sail Technology</a></li> 
      <li><a href="#">Shade Sail Fabrics</a>
        <ul>
          <li><a href="#">High Density Polyethylene(HDPE)</a></li>
          <li><a href="#">Fire Retardant High Density Polyethylene(FR/HDPE)</a></li>
          <li><a href="#">PVC Composite Fabrics</a></li>
           <li><a href="#">Warranties</a></li>
        </ul>
      </li>
      <li><a href="#">Dangers of UV</a></li>
      <li><a href="#">Architects / Designers</a></li>
      <li><a href="#">Application Gallery</a>
        <ul>
          <li><a href="#">Residential</a></li>
          <li><a href="#">Commercial</a></li>
          <li><a href="#">Schools</a></li>
          <li><a href="#">Playgrounds</a></li>
          <li><a href="#">Restaurants</a></li>
           <li><a href="#">Sports Venue</a></li>
          <li><a href="#">Auto Dealerships</a></li>
          <li><a href="#">Parking Areas</a></li>
          <li><a href="#">Resorts</a></li>
          <li><a href="#">Campus Designs</a></li>
           <li><a href="#">Parks & Recreation</a></li>
          <li><a href="#">Kiosks</a></li>  
        </ul>
      </li>
      <li><a href="#">External Links</a>
        <ul>
          <li><a href="#">SunWise Program</a></li>
          <li><a href="#">SkyShades USA</a></li>
          <li><a href="#">Skin Cancer Foundation</a></li>
          <li><a href="#">WeatherStopper </a></li>
        </ul>
      </li>
      <li><a href="#">Contact Us</a></li>
    </ul>
    </body></html>
    --------------------------------------------------------
    the css document: style2.css
    body {
         font: normal 10px verdana;
    }
    ul {
         margin: 0;
         padding: 0;
         list-style: none;
         width: 258px; /* Width of Menu Items */
         border-bottom: 1px solid #ccc;
    }
    ul li {
         position: relative;
    }
    li ul {
         position: absolute;
         width: 137px;
         left: 130px;
         top: 0;
         display: none;
    }
    /* Styles for Menu Items */
    ul li a {
         display: block;
         text-decoration: none;
         color: #333366;
         background: #fff; /* IE6 Bug */
         padding: 5px;
         border: 1px solid #ccc;
         border-bottom: 0;
    }
    /* Fix IE. Hide from IE Mac \*/
    * html ul li { float: left; height: 1%; }
    * html ul li a { height: 1%; }
    /* End */
    ul li a:hover { color: #21536A; background: #DDEEFF; } /* Hover Styles */
    li ul li a { padding: 2px 5px; } /* Sub Menu Styles */
    li:hover ul, li.over ul { display: block; }
    ---------------------------------------------------------------------------
    and finally the js file: drop_down.js
    // JavaScript Document
    // For old IE (document.all): toggle the "over" class on each top-level
    // <li> of #nav so the li.over rule in the stylesheet can show its submenu.
    startList = function() {
      if (document.all && document.getElementById) {
        navRoot = document.getElementById("nav");
        for (i = 0; i < navRoot.childNodes.length; i++) {
          node = navRoot.childNodes[i];
          if (node.nodeName == "LI") {
            node.onmouseover = function() {
              this.className += " over";
            };
            node.onmouseout = function() {
              this.className = this.className.replace(" over", "");
            };
          }
        }
      }
    };
    window.onload = startList;
    thanx again,
    Kim

    Java and Javascript are different languages. This forum is about Java. You are asking about Javascript.
