Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

Hello,
I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
well as the Wireless solution.
At present, I have no issues in implementing the R&S infrastructure as it is very straightforward, but it has implications for the deployment of
the wireless solution, which I explain further below. The R&S infrastructure comprises the typical Core, Distribution, and Access layers and we
are focusing on the local distribution and access switches with regard to the new building. The client has a converged Layer 3 network spanning
from the distribution layer to the core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508s where one is the Primary and the other
the Secondary. The local distribution switch to which the WLCs are connected is also the gateway for the SVIs for the SSIDs that are configured on
the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
connected distribution switch, which then routes them into the rest of the Layer 3 network. Interestingly, the WLC 5508s are running AireOS 7.6 and
support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
between the two switches and their integrated controller.
Yet, based on my understanding and research about Converged Access, ideally the Catalyst 3850 will only run the Mobility Agent (MA)
feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
existing WLC 5508s, nor can we migrate the new licenses that would facilitate such a split deployment.
This means that I would need to configure the two Catalyst 3850s as independent MCs and form a MG between them. I have done this and tested it
already and the mobility is working fine. But my concern is not about getting the Catalyst 3850s to work, as this is simple, but rather it is
focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
state of their connections to the WLAN infrastructure.
To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
subnets need to be assigned to the SSIDs.
As such, I have the following questions:
Q1) If we create new SVIs for the SSIDs (same SSID names will be used in the new building as in the rest of the university campus) this means
that new subnets will be assigned to these SSIDs. Now, I believe I have two options... one is to make the new Catalyst 3850s be in the same MG
as the existing WLC 5508s, which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to
the solution as per the next question. Please advise which is the better option?
Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
then have one of the existing WLC 5508s (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
Regards,
Amir

Hi Amir,
Q1) If we create new SVIs for the SSIDs (same SSID names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options... one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508s, which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
I would configure them in the same mobility group. Also configure the same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508s (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
MO is not required (it is only for very large-scale deployments).
Q3) If I do create a MD, how is this accomplished in such an environment, since the documentation is severely limited in this regard?
Yes, documents are hard to find :(
These notes may be useful to you, based on my experience. I am running IOS-XE 3.6.1 in my production.
http://mrncciew.com/2014/05/06/configuring-new-mobility/
http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
HTH
Rasika
*** Pls rate all useful responses ****
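As an added example, not taken from Rasika's post or blog, from Cisco documentation, or from Amir's tested configuration, here is the shape of the option recommended for Q1: both 3850 stacks act as independent MCs and join the mobility group the 5508s already use, so a client moving between the new building's subnets and the rest of the campus is handled as a Layer 3 roam inside one group, with no Mobility Oracle. Every IP address, VLAN number, MAC address and group name below is an assumed placeholder; the commands are the IOS-XE 3.x wireless mobility commands on the 3850 and the AireOS 7.6 mobility commands on the 5508.

```cisco
! ===== Catalyst 3850 stack #1 in the new building (IOS-XE 3.x, config mode) =====
! Assumed addressing: wireless management VLAN 50, 3850-1 = 10.50.0.11,
! 3850-2 = 10.50.0.12, WLC 5508 primary = 10.10.0.21, secondary = 10.10.0.22.
! The group name must match the name already configured on the 5508s (assumed "CAMPUS").
wireless mobility controller                  ! make this stack an MC; the switch asks for a reload
wireless management interface Vlan50
wireless mobility group name CAMPUS
! every other MC in the same group: the second 3850 and both 5508s
wireless mobility group member ip 10.50.0.12 public-ip 10.50.0.12 group CAMPUS
wireless mobility group member ip 10.10.0.21 public-ip 10.10.0.21 group CAMPUS
wireless mobility group member ip 10.10.0.22 public-ip 10.10.0.22 group CAMPUS

! ===== Catalyst 3850 stack #2: identical, with the member list mirrored =====
wireless mobility controller
wireless management interface Vlan50
wireless mobility group name CAMPUS
wireless mobility group member ip 10.50.0.11 public-ip 10.50.0.11 group CAMPUS
wireless mobility group member ip 10.10.0.21 public-ip 10.10.0.21 group CAMPUS
wireless mobility group member ip 10.10.0.22 public-ip 10.10.0.22 group CAMPUS

! ===== WLC 5508 (AireOS 7.6, repeat on primary and secondary) =====
! New mobility must be on before a 3850 or 5760 peer will come up; enabling it
! takes effect only after "save config" and a reboot.
config mobility new-architecture enable
! AireOS still takes a MAC with the IP in this command; use the MAC of each
! 3850's wireless management interface (assumed values shown).
config mobility group member add 00:11:22:33:44:11 10.50.0.11 CAMPUS
config mobility group member add 00:11:22:33:44:12 10.50.0.12 CAMPUS

! ===== Verification =====
! 3850 (exec mode): role "Mobility Controller", every peer "UP";
! AP-count right-to-use licences are only consumed on an MC, so also confirm the
! 40 the post says are pre-installed are seen by this stack.
show wireless mobility summary
show license right-to-use summary
! 5508: the two 3850 entries should show status "Up"
show mobility summary
```

Two caveats worth checking before the change window. First, a switch peer group (the "same SPG" in the answer) is a set of MAs under one MC, so it only exists if the second stack is instead run as an MA pointed at the first with `wireless mobility controller ip 10.50.0.11 public-ip 10.50.0.11` in place of its MC block; in that layout all 67 APs draw their licences from the first stack's MC, which is exactly what the 40-licence count in the question rules out. Second, once new mobility is enabled on the 5508s, they no longer peer with any AireOS controller still using classic EoIP mobility, so every controller in the existing group has to be switched together.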

Similar Messages

  • Catalyst 3750G and WLC 440x - Port Channel - Configuration - Best Practice

    What is the best practice to use when configuring a port channel between a Catalyst 3750G switch stack and WLC 4402 / 4404 Wireless LAN Controllers:
    a) Negotiate to LACP
    b) Negotiate to PAgP
    or
    c) Hard-code to Port Channel without any negotiation.
    Any pointers to useful links and a configuration example would be much appreciated.

    The answer is 'C': channel-group ... mode on
    Configuring Neighbor Devices to Support LAG
    The controller's neighbor devices must also be properly configured to support LAG.
    •Each neighbor port to which the controller is connected should be configured as follows:
    interface GigabitEthernet <interface id>
    switchport
    channel-group <id> mode on
    no shutdown
    •The port channel on the neighbor switch should be configured as follows:
    interface port-channel <id>
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan <native vlan id>
    switchport trunk allowed vlan <allowed vlans>
    switchport mode trunk
    no shutdown
    Here is a link that explains it. Hope this answers your question:
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42mint.html#wp1116136
    Here is a Best Practice doc:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml

  • LMS 4.2 and WLC 5508

    Hi all,
    Recently I have replaced 2 4400 WLCs with 5508 WLCs.
    I have also replaced both 4400s in LMS with those new 5508s. They have the same IPs, so I have removed the old 4400s from LMS and created 2 new devices.
    When checking the Device Center, LMS tells me Data Collection, User Tracking, Inventory and Fault Discovery have succeeded.
    When I check the Reachability status in Device Center it is OK for ping, telnet, SSH, SNMPv2 read, SNMPv2 write. However I am not able to open the configuration through Config Editor. It gives me the pop-up "CEDT0042: No latest configuration file exists for the device in Archive."
    When I go and check the archive summary report, I can see for both devices the log below:
    SNMP: Failed to establish SNMP connection to x.x.x.x - Cause: Device is Unreachable. Check the ReadOnly community string. SNMP: Failed to establish SNMP connection to x.x.x.x - Cause: Device is Unreachable. Check the ReadOnly community string.
    Any ideas,
    Thanks,
    Joris

    Hello,
    I think I have found the problem. WLC 5508 is not compatible with LMS 4.2.2.
    I can find this in the release notes:
    Cisco Unified Wireless Network Solution Components
    The following components are part of the Cisco UWN Solution and are compatible in this release:
    Note For more information on the compatibility of wireless software components across releases, see the Cisco Wireless Solutions Software Compatibility Matrix.
    •Cisco IOS Release 15.2(2)JB
    •Cisco Prime Infrastructure 1.3
    •Mobility Services Engine (MSE) 7.4.100.0 software release and context-aware software
    Apparently only Prime 1.3 can manage this device.
    Joris

  • Design Help - Cartoon Lion and Profile - Opinions and Help Needed

    Hey guys!
    First of all, you rock, like all of you! This is one of the best online communities, I always get great help quickly. Thanks!
    Here is what's up, I am creating a "Children's" book for my wife and my one-year anniversary (I know, puke, right?). Anywho, one of the characters is a Lion (Named Louis, if you are interested). I have a great face and body for him but I am not sure about the profile shot... I can't tell if I am being a perfectionist or if it just sucks... What do you all think, what would you do differently? Thanks!
    Here are the PNG's
    Here are links to full size images and PNG's if you really want to dig in. You will notice that everything is layered, this is because I want to work with these as base sprites and then change facial expressions and what not from page to page.
    Lion.png
    Profile-Lion.png
    Lion.PSD
    Profile-Lion.PSD
    Thanks again!

    Ok... here he is with the snout... it certainly looks more realistic, but I am afraid it does not match the art style of the original where he is facing us. What do you guys think?

  • Design question about APs and WLC

    We need to know if (and how if possible) a WLC may control several APs, configured in a parallel grid array as bridges:
    CPD---AP(l)------air---------AP(r)---AP(nb)
       |--AP(l)-------air--------AP(r)---AP(nb)
       |--AP(l)-------air--------AP(r)---AP(nb)
    The AP(r) on the right are non-root, the AP(l) on the left are the root connected to the CPD; there may be several bridges. We need to control all of them, especially the ones on the right = AP(r) of the bridge. And of course the AP(nb) = non-bridge.
    We would want to know if we can regulate how the right antennas connect to the left. Right antennas need to be on a moving platform, and there is no possible interconnection among the AP(r).

  • ISE and WLC 5508 IP and MAc address

    Hi!
    Is it possible that we receive the client IP address and MAC address at the same time in ISE?
    The WLC permits choosing the RADIUS Call Station ID type as MAC or IP, but not both.
    Thank you,

    If you are using dot1x then no, the MAC address is sent since the client does not receive an IP address until authentication succeeds.

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks, as the wireless network is an overlay over the wired network. I can design a firewall to segregate traffic between the wired and wireless and hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare for adoption of 802.11ac?
    Fewer hops for voice calls from user A to user B as data traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MAs.
    Pushing and upgrading code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why a customer would choose converged access?

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest traffic to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • Converged access

    Hi 
    I'm about to set up a converged access solution with a WLC 5760 as MC and several 3850s as MAs. It is not clear to me what needs to be configured on the MC and what needs to be configured on the MAs.
    I know that each MA has to be configured with the WLAN configuration, but what about things like security profiles, ACLs, RADIUS? Does anyone have good documentation explaining this?

    Hi
    Below should help you to start with basic peering between MA & MC
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    WLAN configuration to be done on MA
    http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
    http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
    The posts below should also help you with 5760/3850 basic configs
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    http://mrncciew.com/2013/12/16/configuring-radius-on-5760/
    Also this thread lists some useful documentation about CA.
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    **** Pls rate all useful responses ***
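An added example, not from Rasika's links or from the poster's environment, showing which side each piece of the question lands on in a 5760-as-MC, 3850-as-MA design: the MC only needs to know its MAs (a switch peer group) and holds the AP-count licences, while the WLAN, its RADIUS servers and the 802.1X method list are configured on every MA, identically, because nothing is pushed down from the MC. Addresses, VLANs, names, the licence count and the shared secret are assumed placeholders; the commands are IOS-XE 3.x wireless, AAA and WLAN commands.

```cisco
! ===== WLC 5760, Mobility Controller (IOS-XE 3.x) =====
! Assumed: wireless management VLAN 100, 5760 = 10.100.0.1, MAs = 10.100.0.11 and 10.100.0.12
wireless management interface Vlan100
! a switch peer group (SPG) groups the MAs that clients roam between most often
wireless mobility controller peer-group SPG-BLDG1
wireless mobility controller peer-group SPG-BLDG1 member ip 10.100.0.11 public-ip 10.100.0.11
wireless mobility controller peer-group SPG-BLDG1 member ip 10.100.0.12 public-ip 10.100.0.12
! AP-count right-to-use licences are activated on the MC, never on an MA
! (count and slot are assumed; the syntax mirrors the 3850 RTU command)
license right-to-use activate apcount 50 slot 1 acceptEULA

! ===== each Catalyst 3850 stack, Mobility Agent (the default role; no AP licence) =====
wireless management interface Vlan100
! point the MA at its MC; the MC side added this MA to the peer group above
wireless mobility controller ip 10.100.0.1 public-ip 10.100.0.1

! --- RADIUS and 802.1X live on the MA, because the MA terminates the client ---
aaa new-model
radius server ISE-1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE-GROUP
 server name ISE-1
aaa authentication dot1x WLAN-DOT1X group ISE-GROUP
dot1x system-auth-control

! --- WLAN: same profile name, ID and SSID on every MA ---
wlan STAFF 1 STAFF
 client vlan 300
 security dot1x authentication-list WLAN-DOT1X
 no shutdown

! ===== Verification (exec mode) =====
! MA: role "Mobility Agent" and the MC link UP
show wireless mobility summary
! MA: the WLAN shows as Enabled
show wlan summary
```

Because each MA is its own enforcement point, a WLAN that is missing its authentication list on one stack is an open SSID on that stack only, and the MC will not notice. Until the template support Rasika mentions is in use, diff `show wlan name STAFF` across the MAs after every change.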

  • ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

    Hi, I have a customer where we've deployed ISE 1.2 and WLC 5508s. The customer is using EAP-TLS and everything appears to be set up properly. Users are able to log in to the network and authenticate; however, frequently I'm getting the following error in the ISE authentication logs:
    12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
    OpenSSL messages are:
    SSL alert: code=0x22D=557 ; source=local ; type=fatal ; message="X509 certificate expired"
    4727850450.3616:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720
    I'm not sure if this is cosmetic or if this is something that I should be tracking down.  System isn't in full production yet, but every client seems to be working and there is no expired cert in the chain.  Any ideas what to check?

    Hello Dino,
      thanks very much for your reply.
    The client uses a machine certificate; the PKI is not a Microsoft one but a third-party PKI. The certificate is fresh and valid, the root cert is installed and checked to be validated against for the login.
    The clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert setup itself, but I don't get a clue where this might be stuck...
    Björn

  • Windows Sharing problem from WLC 5508 to wired LAN

    Dear All,
    I'm having a problem with Windows sharing (file/printer sharing) from a wireless LAN client which is connected to an AP3500 and
    WLC 5508, then to a Nexus 7010. It's already using the IP address, for example \\192.168.84.65
    WLC OS version 7.0.116.0 (using AP groups)
    Nexus OS version 4.2(6)
    The weird thing is I can connect using Windows sharing from the wired LAN to the wireless user, however not vice versa.
    For a better explanation, here are the scenarios:
    1. Wireless LAN to wired LAN using Windows sharing - failed
    2. Wired LAN to wireless LAN using Windows sharing - success
    I've been analyzing by making sure that, end to end, there is no firewall on the source PC(s) and destination PC(s), and also checking
    the ACL inside the Nexus.
    Been dying here to find a solution for this, as the customer is using it for the file and printer sharing service.
    Anyone has an idea to solve this problem? I'm looking forward to any suggestion.
    Arrai.

    Peer-to-peer blocking within the WLC is using the default setting, which is allowed, and as you may know, the peer-to-peer permission only relates to traffic between wireless clients, not wired ones. CMIIW.

  • Cisco 3850 and Licences for WLC??

    Hello
    We have a client who needs a new switch which is capable of inter-VLAN routing and also a WLC.
    I am thinking of a 48-port 3850 with IP Base, which gives inter-VLAN routing and WLC support.
    However, I am not sure if we need to purchase additional AP licences or whether they are built in?
    Cheers

    With 3850 WLC functionality, your switch stack can act as an MA (Mobility Agent) or an MC (Mobility Controller). An AP license is required for your 3850 only if it is acting as MC (for MA you do not require any AP licenses). A maximum of 50 APs can be handled by a given 3850 switch stack. For MC functionality you require at minimum the IP Base image (not LAN Base).
    So based on your design you need to purchase 3850 AP licenses. In your case, if it is for a single switch where the client wants WLC functionality (with no other controller available), then you have to go with AP licenses depending on how many APs they want to deploy.
    The BRKCRS-2889 Cisco Live material will give you a good overview of this new Converged Access deployment model, MA/MC functionality & a few design options.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • 5508 to 5760 w/3850. Migrating from CUWN to Converged access.

    Hi!
    I have a 5508 WLC managing APs in local and FlexConnect mode in the current environment.
    There's a plan to migrate to converged access using a 5760 WLC w/HA as MC, 3850s as MAs, and keep the 5508 as an N+1 controller with new mobility enabled.
    It will look like this:
    1 MC 5760 w/HA
    10 3850s as MAs
    1 5508 as N+1 (managing FlexConnect APs and backup if the 5760 pair fails)
    The questions I have:
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses. 
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses?
    The plan is to keep the 5508 as a staging controller to move the APs to in the event of a firmware upgrade on the 5760.

    First of all, 5760 & 5508 AP firmware are not the same. So failing over between these two WLCs will be the same as doing AP failover between two 5508s running different software versions (i.e. the AP has to download the image & reboot every time). Also I would suggest you start this migration step by step, as you need to become familiar with this converged access setup (how it works & how to troubleshoot issues). I would set up the 5760 & move one building's APs to this CA & monitor it for 2-3 months & then move on.
    Here are the answer to other queries you have.
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    Yes, the 5508 supports FlexConnect irrespective of whether the "new mobility" feature is enabled or not. Here is how you configure new mobility & peer a 5760 to a 5508. You need to have 7.6.x or 8.x code on your 5508 to do this.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    I do not think you can do this yet; Cisco will make this happen in future. So you have to configure each & every MA identically. If you have Prime, then from IOS-XE 3.7.x onward it supports template configuration. But IOS-XE 3.7 was recently released, so stability cannot be guaranteed. (I am using 3.6.1E in my production.) The post below will give you some starting point on this configuration
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses.
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses?
    In the CA setup, a licence is only required at the MC, not on the MAs. It is a right-to-use license model & Cisco trusts that what you configure is what you purchased (no license key/serial number like on the 5508/2504/etc). Refer to this for some detail:
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    Like I said earlier, start at small scale & get familiar with the new setup; my blog may have some other useful posts on converged access.
    Let us know if you have further queries on this & happy to help
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Converged Access MA and MC licensing

    Hello all,
    one question regarding the licensing for converged access. If I understand it correctly, then when I have a deployment in which I already have a WLC (mobility controller) and I deploy a 3650/3850 switch as a mobility agent, the AP count licensing needs to be maintained on the MC (WLC) and I don't need AP count licences on the MA (3650/3850)?
    Then the only thing I need is to point the MA to the MC IP address and I gain the benefits of the converged access architecture (CAPWAP termination ...)?
    Thank you.
    Marek

    I probably found the answer in this document:
    http://www.cisco.com/c/en/us/products/collateral/wireless/5700-series-wireless-lan-controllers/qa_c67-726397.html
    Q. Do I need a wireless access point license on both the mobility agent and the mobility controller?
    A. The license to manage access points is only needed on the mobility controller.
    Marek

  • L3 connections between Access points and WLC

    hi,
    we have a customer asking us to configure a wireless system as per the attached drawing.
    The WLC is in the Data Center, connected to the Data Center switch (Cisco 3850), and this DC switch is connected to the DC core (Cisco Nexus 7K).
    This Nexus 7K is connected to many campus networks. In all campuses there is a Cisco 4507 campus core which is connected to the Nexus 7K.
    Then from the campus core many distribution switches are connected.
    All VLANs for data and Wi-Fi are created on the distribution switches. The distribution switches are VTP servers and many access switches with connected APs are connected back to this distribution switch.
    All access points are registered at the WLC in the Data Center, but Wi-Fi clients are not getting an IP address from the DHCP server, and even if we configure a static IP address on the Wi-Fi clients they are not able to communicate correctly.
    Please correct me if there is a mistake in this design, or if there is a solution to this problem please let me know.
    attached topology diagram 
    thanks,
    anvar

    Hey Anvar,
    Too many details about the network; to make it simple:
    1- APs and WLC can be in separate VLANs (not a problem)
    2- As the APs have joined, these two VLANs look fine to me
    If your clients can't communicate properly with a static IP address:
    1- From the WLC, ping the default gateway for that VLAN
    2- If the WLC can reach the gateway, it's a wired VLAN issue that you need to investigate in the path (maybe using a wired device in the same VLAN as the clients on the switch where the APs are connected)
    Now, about why the clients are not taking an IP:
    1- What is your DHCP server, where is it located? Is it the same one for all clients?
    2- Do you have local APs or FlexConnect?
    3- When you run the debugs for DHCP, where does the process break?
    Cheers,
    Nour
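As an added troubleshooting example (not from Nour's reply or Anvar's environment), here are the checks from the reply expressed as AireOS commands on the data-centre WLC, plus the one setting that makes statically addressed clients fail by design. The dynamic interface name, VLAN, addresses, WLAN ID and client MAC are assumed.

```cisco
! ===== WLC 5508 (AireOS CLI) =====
! Assumed: SSID dynamic interface "wifi-data" on VLAN 84, gateway 192.168.84.1,
! DHCP server 10.10.10.20, WLAN id 1, test client 00:11:22:33:44:55.

! 1) The WLC's own leg on the client VLAN. If this ping fails, VLAN 84 is not carried
!    end to end on the trunks between the WLC port and the distribution switch SVI,
!    and no client on that SSID will work, static or DHCP.
show interface detailed wifi-data
ping 192.168.84.1

! 2) Where DHCP actually goes. With DHCP proxy (the default) the WLC relays the client's
!    DISCOVER to the server configured on the dynamic interface, so an ip helper-address
!    on the switch SVI is never consulted; an empty "Primary DHCP Server" means no DHCP.
show dhcp proxy
config interface dhcp dynamic-interface wifi-data primary 10.10.10.20

! 3) "Static clients fail too" can be policy rather than path: with DHCP Required set on
!    the WLAN, the WLC drops any client that did not obtain its address through it.
!    Keep it enabled in production (it blocks address spoofing); just do not test with a
!    static client while it is on.
show wlan 1
config wlan dhcp_server 1 10.10.10.20 required

! 4) Follow one client through association, 802.1X, DHCP and RUN and see which step stalls.
debug client 00:11:22:33:44:55
show client detail 00:11:22:33:44:55
debug disable-all

! ===== distribution switch SVI (only matters if DHCP proxy is disabled on the WLC) =====
interface Vlan84
 ip address 192.168.84.1 255.255.255.0
 ip helper-address 10.10.10.20
```

If the ping in step 1 fails, stop and fix the VLAN path (allowed-VLAN lists on the trunks, VTP pruning on the distribution switches) before touching DHCP; steps 2 to 4 only make sense once the WLC can reach the client subnet's gateway.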

  • Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about hierarchical network design. 
    Recommending a network topology is required to meet a customer's corporate network design needs in their business and technical goals, and it often consists of many interrelated components. The hierarchical design makes this easier: "divide and conquer" the job and develop the design in layers.
    Network design experts have developed the hierarchical network design model to help develop a topology in discrete layers. Each layer can be focused on specific functions, to select the right systems and features for the layer.
    A typical hierarchical topology is
    A core layer of high-end routers and switches that are optimized for availability and performance.
    A distribution layer of routers and switches that implement policies.
    An access layer that connects users via lower-end switches and wireless access points.
    Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions.  Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
    Remember to use the rating system to let Ahmad know if he has given you an adequate response. 
    Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the  Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Dear Leo,
    We are discussing the following without any product line, discussing the concept of hierarchical design, which will help you to decide which model is better for you, the Two-Layer or Three-Layer hierarchical model.
    Two-Layer Hierarchy
    In many networks, you need only two layers to fulfill all of the layer functions: core and aggregation.
    Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
    Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
    Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
    Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
    User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
    You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
    You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
    Three-Layer Hierarchy
    A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers.
    Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three-layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
    Aggregation—A three-layer hierarchy has two aggregation points:
    At the edge of the access layer going into the distribution layer
    At the edge of the distribution layer going into the core
    At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
    Routing policy—The routing policy is deployed within the distribution layer in a three-layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
    User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
    As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
    Now the confusion arises in our minds: where do we use the two-layer and where the three-layer hierarchical model?
    So now we are discussing how many layers to use in network design.
    Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
    Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three-layer designs.
    Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing the number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
    Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
    Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
    Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
    I hope that this helps you to understand the purposes of the two-layer and three-layer hierarchical models.
    Best regards,
    Ahmad Manzoor
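As an added example (not part of the post above or of the design text it quotes), the following Python script works through the summarization step described for the zone/core edge and the distribution/core edge: it takes a constructed list of prefixes for one aggregation-layer zone, collapses them into the fewest exact advertisements, computes the single covering summary a designer might prefer to advertise toward the core, and lists the address space such a summary would claim but the zone does not actually use. The 10.20.0.0/16 prefixes and the zone names are made up for the example; only the Python standard library is used.

```python
import ipaddress


def exact_summaries(prefixes):
    """Fewest advertisements that cover exactly the zone's prefixes.

    ipaddress.collapse_addresses merges adjacent, aligned prefixes
    (10.20.0.0/24 + 10.20.1.0/24 -> 10.20.0.0/23) and drops any prefix
    already contained in another, so nothing outside the zone is claimed.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_covering_summary(prefixes):
    """Smallest single prefix that contains every prefix in the zone.

    Start from the first prefix and widen it one bit at a time until each
    remaining prefix fits inside it. This is the kind of prefix you would
    hand to a summary-address statement on the zone's uplinks if a single
    advertisement toward the core is the goal.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(summary):
            summary = summary.supernet()
    return str(summary)


def uncovered_space(summary, prefixes):
    """Address space the summary advertises but the zone does not use.

    Traffic for these ranges is drawn to the zone edge by the summary;
    without a discard route there it is black-holed at best and can loop
    along the zone's default route back toward the core at worst.
    """
    remaining = [ipaddress.ip_network(summary)]
    for p in (ipaddress.ip_network(x) for x in prefixes):
        nxt = []
        for r in remaining:
            if p.subnet_of(r):
                # carve p out of r (address_exclude yields nothing when p == r)
                nxt.extend(r.address_exclude(p))
            elif r.subnet_of(p):
                continue  # r lies entirely inside p: consumed
            else:
                nxt.append(r)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


# Constructed prefixes for two hypothetical aggregation-layer zones.
ZONE_A = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
ZONE_B = ["10.20.0.0/24", "10.20.1.0/24", "10.20.5.0/24"]


def report(name, prefixes):
    """Print the three views of one zone's edge advertisements."""
    exact = exact_summaries(prefixes)
    single = single_covering_summary(prefixes)
    leak = uncovered_space(single, prefixes)
    print(f"{name}: {len(prefixes)} prefixes")
    print(f"  exact summaries   : {exact}")
    print(f"  single summary    : {single}")
    print(f"  claimed but unused: {leak or 'none'}")


if __name__ == "__main__":
    report("zone A", ZONE_A)
    report("zone B", ZONE_B)
```

Zone A collapses cleanly into one /22 with no unused space, so a single summary hides the zone's topology from the core at no cost. Zone B needs two exact advertisements; forcing it into one /21 claims three ranges the zone does not own, which is the caveat to keep in mind before summarizing aggressively: anything (including scans for unallocated hosts) sent to that space will be pulled to the zone edge. On IOS an EIGRP summary-address installs a discard route to Null0 for the summary by default, which is what keeps that traffic from following the zone's default route back out and looping; if you build summaries by other means, make sure the equivalent discard route exists.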