Network Design Questions

Hello All,
I am in the process of replacing some of our current Cisco equipment with newer ones as well as incorporating additional third-party hardware, the SonicWall NSA 5500. I am attaching the preliminary network diagram.
-The SonicWalls are in Active/Standby mode
-The Core 1 switch is the primary HSRP gateway as well as the primary STP root for all Vlans.
-Core switches perform all of the inter-vlan routing
-The uplinks FROM the Core switches TOWARDS the WAN-ACCESS-STACK will be Port-Channels in trunk modes, carrying traffic for VLAN2 (infrastructure Vlan between Cores, Wan-Access-Switches and Sonicwalls), VLAN 254 (Management Vlan which is the same throughout the entire networks), and the Native VLAN 999. 
I have a few questions and would appreciate your input on them:
-I would like to carry the management VLAN all the way to the DMZ-ACCESS-STACK, and ultimately to the small DMZ-PUB switches (located on different floors). What is the best/safest method of doing this? Should I or shouldn't I extend the management VLAN all the way to the DMZ zone? The DMZ zone doesn't use any directly assigned public IP addresses.
-Should the uplinks FROM the WAN-ACCESS-STACK TOWARDS the Sonicwalls be:
              -each link in access mode (VLAN2)
              -each link in trunk mode (VLAN2, VLAN254, VLAN999)
              -all links combined into one port-channel access mode (VLAN2)
              -all links combined into one port-channel trunk mode (Vlan 2, 254, 999).
** SonicWall does support port-channeling; I have tested it successfully.
Is this design valid? Any suggestions?
Thank you for your input in advance.

Hey Jon, 
You have a good and valid point about whether the SonicWall interfaces are L3 or L2. Since they are assigned an IP address I assume that they are L3; however, what throws me off is the VLAN ID tag field. I am attaching the screenshot of it.
Moreover, what I have decided to do is the following:
1. Created port-channel in trunk mode from Core 1 towards WAN-ACCESS-STACK allowing VLANs 2,254,999.
2. Created port-channel in trunk mode from Core 2 towards WAN-ACCESS-STACK allowing VLANs 2,254,999.
3. Created 1 port-channel in access mode for VLAN 2 from WAN-ACCESS-STACK towards the SonicWalls.
Everything seems fine except for one thing: I can't ping the SonicWall IP address 10.100.2.254 or any other address on the Internet, such as 8.8.8.8, from the WAN-ACCESS-STACK or from the ACCESS-LAYER-SW1 switch that is connected directly to the Cores. I have no such problem with pinging from the Core.
To summarize,
I CAN:
-from WAN-ACCESS-STACK ping my ip default-gateway (vlan 254) 10.100.254.1
-from WAN-ACCESS-STACK ping ACCESS-LAYER-SW1 switch (vlan 254) 10.100.254.15
-from ACCESS-LAYER-SW1 switch ping my ip default-gateway (vlan 254) 10.100.254.1
-from ACCESS-LAYER-SW1 ping WAN-ACCESS-STACK switch (vlan 254) 10.100.254.20
-from the CORE switches ping WAN-ACCESS-STACK and ACCESS-LAYER-SW1, along with the SONICWALL LAN IP 10.100.2.254 as well as any address on the Internet such as 8.8.8.8
I CAN'T:
-from WAN-ACCESS-STACK ping the SONICWALL LAN IP 10.100.2.254
-from WAN-ACCESS-STACK ping any Internet address such as 8.8.8.8
-from ACCESS-LAYER-SW1 ping the SONICWALL LAN IP 10.100.2.254
-from ACCESS-LAYER-SW1 ping any Internet address such as 8.8.8.8
When i do the traceroute on the WAN-ACCESS-STACK, the ICMP packets get delivered to the active Core and go nowhere from there. See below:
WAN-ACCESS-STACK#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.100.254.2 0 msec 0 msec 10 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
When I ping the SonicWall I get the same reply:
WAN-ACCESS-STACK#traceroute 10.100.2.254
Type escape sequence to abort.
Tracing the route to 10.100.2.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.100.254.2 10 msec 0 msec 0 msec
  2  *  *  *
  3  *  *  *
  4  *  *
ACCESS-LAYER-SW1 provides exactly the same output. I am currently confused why the ping works from the Core switches but not from the WAN stack and the access layer switches. Since the Core is the default gateway, it should route this traffic to the appropriate areas of the network. What do you think? Thank you
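
The symptom in the post above (the first hop answers, every later hop times out, while the Core itself reaches 10.100.2.254) is consistent with, among other causes, a missing return path: the switches source their pings from VLAN 254 addresses, so the firewall needs a route back to 10.100.254.0/24. The sketch below is an added example, not part of the thread; the Core's VLAN 2 address 10.100.2.1, the 203.0.113.0/30 WAN link and both firewall route tables are constructed assumptions, used to check the request leg and the reply leg of a ping separately.

```python
from ipaddress import ip_address, ip_interface, ip_network


class Device:
    """A routed hop: interface addresses plus static routes (prefix, next hop)."""

    def __init__(self, name, interfaces, static_routes=()):
        self.name = name
        self.interfaces = [ip_interface(i) for i in interfaces]
        self.static = [(ip_network(p), ip_address(nh)) for p, nh in static_routes]

    def owns(self, ip):
        return any(i.ip == ip for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match; connected wins ties. None means no route."""
        candidates = [(i.network.prefixlen, 1, dst)
                      for i in self.interfaces if dst in i.network]
        candidates += [(net.prefixlen, 0, nh)
                       for net, nh in self.static if dst in net]
        return max(candidates)[2] if candidates else None


def trace(devices, start, dst, max_hops=8):
    """Follow dst hop by hop from `start`. Returns (path, outcome)."""
    dst = ip_address(dst)
    cur, path = devices[start], [start]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path, "delivered"
        nh = cur.next_hop(dst)
        if nh is None:
            return path, f"no route on {cur.name}"
        nxt = next((d for d in devices.values() if d.owns(nh)), None)
        if nxt is None:
            return path, f"{cur.name} sends it to {nh}, outside the modelled LAN"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit reached (loop?)"


def round_trip(devices, src_dev, src_ip, dst_ip):
    """Trace the request, then trace the reply from whoever owns dst_ip."""
    fwd_path, fwd = trace(devices, src_dev, dst_ip)
    if fwd != "delivered":
        return {"ok": False, "leg": "request", "path": fwd_path, "why": fwd}
    ret_path, ret = trace(devices, fwd_path[-1], src_ip)
    ok = ret == "delivered" and ret_path[-1] == src_dev
    return {"ok": ok, "leg": "reply", "path": ret_path, "why": ret}


def build(firewall_route_to_mgmt):
    """Constructed topology. Addresses from the post: 10.100.254.20 (stack),
    10.100.254.1 (gateway), 10.100.2.254 (SonicWall LAN). Everything else,
    including 10.100.2.1 and the 203.0.113.0/30 WAN link, is assumed."""
    fw_static = [("0.0.0.0/0", "203.0.113.1")]           # default towards the WAN
    if firewall_route_to_mgmt:
        fw_static.append(("10.100.254.0/24", "10.100.2.1"))  # back via the Core
    return {
        "WAN-ACCESS-STACK": Device("WAN-ACCESS-STACK", ["10.100.254.20/24"],
                                   [("0.0.0.0/0", "10.100.254.1")]),
        "CORE": Device("CORE", ["10.100.254.1/24", "10.100.2.1/24"],
                       [("0.0.0.0/0", "10.100.2.254")]),
        "SONICWALL": Device("SONICWALL", ["10.100.2.254/24", "203.0.113.2/30"],
                            fw_static),
    }


if __name__ == "__main__":
    cases = [
        ("Core, VLAN 2 source", False, "CORE", "10.100.2.1"),
        ("Stack, VLAN 254 source", False, "WAN-ACCESS-STACK", "10.100.254.20"),
        ("Stack, firewall route added", True, "WAN-ACCESS-STACK", "10.100.254.20"),
    ]
    for label, fixed, dev, src in cases:
        r = round_trip(build(fixed), dev, src, "10.100.2.254")
        print(f"{label}: ok={r['ok']} leg={r['leg']} "
              f"path={' -> '.join(r['path'])} ({r['why']})")
```

In this model the request always arrives; only the reply leg differs, which is why the Core's own pings succeed while the switches' pings do not. On the real firewall, the access rules and NAT policy for the 10.100.254.0/24 source would need the same check.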

Similar Messages

  • Wireless authentication network design questions... best practices... etc...

    Working on a wireless deployment for a client... wanted to get updated on what the latest best practices are for enterprise wireless.
    Right now, I've got the corporate SSID integrated with AD authentication on the back end via RADIUS.
    Would like to implement certificates in addition to the user based authentication so we have some level of dual factor authentication.
    If a machine is lost, I don't want a certificate to allow an unauthorized user access to a wireless network.  I also don't want poorly managed AD credentials (written on a sticky note, for example) opening up the network to an unauthorized user either... is it possible to do an AND condition, so that both are required to get access to a wireless network?

    There really isn't a true two factor authentication you can just do with RADIUS unless it's ISE and you're doing EAP Chaining.  One way that is a workaround and works with ACS or ISE is to use "Was machine authenticated".  This again only works for Domain Computers.  How Microsoft works:) is you have a setting for user or computer... this does not mean user AND computer.  So when a Windows machine boots up, it will send its system name first and then the user credentials.  System name or machine authentication only happens once and that is during the boot up.  User happens every time there is a full authentication that has to happen.
    Check out these threads and it explains it pretty well.
    https://supportforums.cisco.com/message/3525085#3525085
    https://supportforums.cisco.com/thread/2166573
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • MPLS network design questions

    We have in our company 230 remote sites, and we are changing all of our circuits to MPLS. Wondering if I need to get a high end router in our Data Center? Currently we have a 3925. Also, what is the best routing protocol to use in this kind of network? EIGRP or OSPF? MPLS will be hosted by the service provider.

    I have found that the provider typically wants to know exactly what routes you will be advertising when using EIGRP or OSPF. This is something they will have to configure on their network to allow. For example EIGRP routes flow from Site A to Site B and you have a new subnet to use for an application. You put the proper network statements in EIGRP and are not learning routes on the other side. You would then have to fill out a form or call a support number to get your new network to the other side.
    With BGP there is much more control over what you can advertise with adding networks. With 230 sites you will feel the benefit quickly if you start growing and adding subnets in data centers or additional sites.

  • Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about hierarchical network design. 
    Recommending a network topology is required for meeting a customer's corporate network design  needs in their business and technical goals and often consists of many interrelated components. The hierarchical design made this easier like "divide and conquer" the job and develop the design in layers.
    Network design experts have developed the hierarchical network design model to help to develop a topology in discrete layers. Each layer can be focused on specific functions, to select the right systems and features for the layer.
    A typical hierarchical topology is
    A core layer of high-end routers and switches that are optimized for availability and performance.
    A distribution layer of routers and switches that implement policies.
    An access layer that connects users via lower-end switches and wireless access points.
    Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions.  Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
    Remember to use the rating system to let Ahmad know if he has given you an adequate response. 
    Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the  Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Dear Leo,
    We are discussing the following without any product line, discussing the concept of hierarchical design, which will help you to take decision which model is better for you Two Layer or Three Layer hierarchical model.  
    Two-Layer Hierarchy
    In many networks, you need only two layers to fulfill all of the layer functions—core and aggregation
    Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
    Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
    Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
    Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
    User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
    You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
    You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
    Three-Layer Hierarchy
    A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers,
    Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three-layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
    Aggregation—A three-layer hierarchy has two aggregation points:
    At the edge of the access layer going into the distribution layer
    At the edge of the distribution layer going into the core
    At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
    Routing policy—The routing policy is deployed within the distribution layer in a three-layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
    User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
    As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
    Now the confusion takes place in our minds where do we use Two Layer and where the Three layer hierarchical model.
    Now we are discussing that How Many Layers to Use in Network Design?
    Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
    Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three layer designs.
    Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
    Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
    Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
    Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
    I hope that this helps you to understand the purposes of Two Layer & Three layer Hierarchical Model.
    Best regards,
    Ahmad Manzoor

  • Centralized WLC Design Question

    Dears,
    In my scenario, I am designing a Centralized WLC deployment. I have 30 APs in Building X (200 Users) and 20 APs in Building Y (150 Users). I am planning to install an HA WLC Cluster where the Primary & Secondary WLC will reside in physically different Data Centers A & B.
    I have a wireless Design Question and i am not able to get clear answers. Please refer to the attached drawing and answer the following queries:
    If Building X users want to talk to Building Y users, then how will Control & Data Traffic flow happen between Building X & Y? Would all the traffic go to the Primary WLC from Bldg X APs first and then be re-routed back to Building Y APs? Can I achieve direct switching between Bldg X & Y APs without going toward the WLC?
    If Building X & Y users want to access the Internet, how would the traffic flow? Would the X & Y APs tunnel all the traffic towards the WLC, and then it will be routed to the Internet gateway? Is it possible for Bldg X & Y APs to directly send traffic towards the Internet gateway without going to the controllers?
    I have planned to put the WLCs at physically different locations in different DCs A & B. Is it recommended to have such a design? What would be the failover traffic volume if the Primary WLC goes down and the secondary controller takes over?
    My Reason to go for Centralized deployment is that i want to achieve Centralized Authentication with Local Switching. Please give your recommendations and feedback
    Regards,
    Rameez

    If Building X users want to talk to Building Y users, then how will Control & Data Traffic flow happen between Building X & Y? Would all the traffic go to the Primary WLC from Bldg X APs first and then be re-routed back to Building Y APs? Can I achieve direct switching between Bldg X & Y APs without going toward the WLC?
              Traffic flows to the WLC that is the primary for the APs, then it's routed over your network.
    If Building X & Y users want to access the Internet, how would the traffic flow? Would the X & Y APs tunnel all the traffic towards the WLC, and then it will be routed to the Internet gateway? Is it possible for Bldg X & Y APs to directly send traffic towards the Internet gateway without going to the controllers?
              The WLC isn't a router, so you would have to put the Internet traffic on a subnet and route.
    I have planned to put WLC at physically different locations in different DC A & B. Is it recommended to have such a design? What would be the Failover traffic volume if Primary WLC goes down and secondary controller takes over?
    Like I mentioned... earlier, the two HA WLC has to be on the same layer 2 subnet in order for you to use HA.  The guide mentions an Ethernet cable to connect both the HA ports on the WLC.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ISE Design Question

    I have few design questions regarding ISE v.1.0.4.573
    Do ISE 3395 gigabit ports support link aggregation? How can I utilize all 4 ports for uplink?
    When doing a standalone HA setup of 2x3395, Is there a heartbeat link between the two ISE or they will use the same uplink to the network for heartbeat and synchronizing?
    I am designing ISE with WLC. My WLC (5508) setup is like 5 floors having different Vlans but same SSID. How can i make ISE authenticate in this scenario since WGB AP is not supported in ISE v.1.0. Is there a work around for this type of WiFi setup in ISE?
    Continuing from the above setup, while roaming from one floor to another floor after changing Vlan, the user will re-authenticate or use the same session?
    Thanks for the help.
    Regards,
    Zohaib

    1. The current version does not support link aggregation.
    2. They will use the same uplink to the network for heartbeat and synchronizing.
    3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use the RADIUS attribute Called-Station-ID with your AP MAC address as the condition.
    4. They will use the same session.

  • Network Design Pointers...

    Hey everyone, I am not too sure if this is the correct location to be posting this, but I have some questions regarding networking design.
    I have created a test network within Packet Tracer, which I have added as an attachment. I just wanted some pointers on how I could have changed things, just regarding the topology. My main area of concern is with the printers: could they have been better located?
    I have uploaded a screenshot and the Packet Tracer file of my design; please let me know what you guys think. This is my first time creating a network. This helps me study for my exams, as I just finished my CCENT and am now working on CCNA.
    Thanks so much for your time everyone.
    Paul St.Onge                 

    > Threaded interfaces - do you mean user interfaces?
    Not quite, and it possibly comes as part of the other questions, but a description (or an attempt at one) is: imagine that you have one application on a server and some small applications on a series of PCs connected with the server. These applications, when started, send a command to the server which creates a thread that interfaces with the client app so that the processing can be spread more or less evenly. <hope to make sense>
    > Detection of java/javaw - what do you mean by that?
    The System.getProperties(... was what I was looking for

  • Network Designs

    Hi all
    I wanted to know if someone can give me some advice. I've started my own consulting company and I have a client who wants a network redesign and a core network design. Both of these are for different sites, and I wanted to know what questions I should ask the client and whether there are some books that I can read about network design that will give me a good feel for how to proceed. I have a good idea already about the hardware that is needed at each layer, but the network I learned on was a large enterprise network and these are smaller networks, and I really want to do a good job for this user so that I can get repeat business. Thanks in advance and have a great day. I look forward to your replies.

    1) you should ask is why does the client want a network redesign and what are they looking to achieve by doing this ie. no one does a network redesign just for the fun of it
    2)  based on the answers to the first question you need to see the existing network design and then work out why it does not meet the client's needs.
    3) probably as important as anything else is what budget is available for the redesign ie. consultancy for you and hardware budget.
    4)  what inhouse experience the client has. You can setup the loveliest shiny network but if the customer cannot then support it it is not particularly useful to them.
    5) future plans for expansion for the client
    6) the hardest part - application, traffic patterns, bandwidth requirements of the network. Make sure you at least identify the apps that the client makes their money from and design accordingly.
    Don't decide on hardware before the design. The design dictates the hardware design and not the other way around. If you already have an idea of the hardware you are going to use you either have answers to all the above or you are getting ahead of yourself
    A good place for design info are Cisco's design papers -
    www.cisco.com/go/srnd
    Jon

  • Network Design Review - Best Practices

    Looking to start a discussion around best practices for inbound network design at the core. 
    The planned devices are as follows:
    Edge Routing / DMVPN - Cisco 2951
    Cisco UCM / IP Phone VPN Concentrator - Cisco ASA 5512-X
    Cisco AnyConnect SSL Client Concentrator - Cisco ASA 5515-X
    Cisco FirePower / IPS Device - Cisco ASA 5515-X
    The plan is as follows:
    All traffic enters through the 2951. 
    DMVPN traffic will go directly to the FirePower Device and then to the core network.
    IP Phones will pass-through 2951, enter 5512-X for VPN, go to FirePower and then to the core network.
    AnyConnect Clients will pass-through 2951, enter 5515-X for VPN, go to FirePower and then to the core network. 
    Wondering if anyone else has completed a similar setup and any issues you may have run into.
    Basic diagram attached. 
    Thanks!

  • Design question about instant download a patch

    Hi All,
    Here is a design question for you:
    Background:
    The application we built is being upgraded from time to time and we send it to our users.
    our users use it on a network so there is only one file to upgrade (and being done by the sys admin)
    We send them a "patch"; actually, it's a new version of the application they place it in the relevant folder and continue to work with a new version.
    Problems:
    1. We send them the patch via email - sometimes it takes a while until they read their email and at they are using an "old version of the system".
    2. Some of them are not computer savvy (when it's not the sys admin) and we need to guide them as where exactly to place the file (there are 3 files)
    Our (conceptual never build yet) Solution:
    Build a program just like Norton antivirus (or other) that prompts the user from the task bar (next to the clock) that a new version is available and by
    clicking once it will automatically download the file and store it in the correct folder.
    Question:
    1. Did anyone try anything like this before (or something like) who can tell me about it?
    2. Do you think this kind of system will work for us?
    3. Does anyone have a better solution?
    Thanks
    Peter

    thanks, I posted it there.
    No, he meant that Webstart is the mechanism you should use. It supports net-based distribution and automatic centralized updates of apps. Exactly what you want.

  • Design question about instant download from

    Hi All,
    Here is a design question for you:
    Background:
    The application we built is being upgraded from time to time and we send it to our users.
    our users use it on a network so there is only one file to upgrade (and being done by the sys admin)
    We send them a "patch"; actually, it's a new version of the application they place it in the relevant folder and continue to work with a new version.
    Problems:
    1. We send them the patch via email - sometimes it takes a while until they read their email and at they are using an "old version of the system".
    2. Some of them are not computer savvy (when it's not the sys admin) and we need to guide them as where exactly to place the file (there are 3 files)
    Our (conceptual never build yet) Solution:
    Build a program just like Norton antivirus (or other) that prompts the user from the task bar (next to the clock) that a new version is available and by
    clicking once it will automatically download the file and store it in the correct folder.
    Question:
    1. Did anyone try anything like this before (or something like) who can tell me about it?
    2. Do you think this kind of system will work for us?
    3. Does anyone have a better solution?
    Thanks
    Peter

    Java WebStart is the deployment technique suited for your purposes.
    The deployment will be done via a webserver running a jnlp servlet (provided).
    The applications may either run offline, or check online for automatic updates.
    You have several configuration options.
    ArgoUML and jEdit are two open source apps delivered this way.
    Your app will need to be adapted though.
    And your customers need an online browser with installed jvm.

  • Design question: Scheduling a Variable-timeslot Resource

    I originally posted this in general java programming, because this seemed like a more high-level design discussion. But now I see some class design questions. Please excuse me if this thread does not belong here (this is my first time using the forum, save answering a couple questions).
    Forum,
    I am having trouble determining a data structure and applicable algorithm (actually, even more general than the data structure -- the general design to use) for holding a modifiable (but more heavily read/queried than updated), variable-timeslot schedule for a given resource. Here's the situation:
    Let's, for explanation purposes, say we're scheduling a school. The school has many resources. A resource is anything that can be reserved for a given event: classroom, gym, basketball, teacher, janitor, etc.
    Ok, so maybe the school deal isn't the best example. Let's assume, for the sake of explanation, that classes can be any amount of time in length: 50 minutes, 127 minutes, 4 hours, 3 seconds, etc.
    Now, the school has a base operation schedule, e.g. they're open from 8am to 5pm MTWRF and 10am to 2pm on saturday and sunday. Events in the school can only occur during these times, obviously.
    Then, each resource has its own base operation schedule, e.g. the gym is open from noon to 5pm MTWRF and noon to 2pm on sat. and sun. The default base operation schedule for any resource is the school which "owns" the resource.
    But then there are exceptions to the base operation schedule. The school (and therefore all its resources) are closed on holidays. The gym is closed on the third friday of every month for maintenance, or something like that. There are also exceptions to the available schedule due to reservations. I've implemented reservations as exceptions with a different status code to simplify things a little bit: because the basic idea is that an exception is either an addition to or removal from the scheduleable times of that resource. Each exception (reservation, closed for maintenance, etc) can be an (effectively) unrestricted amount of time.
    Ok, enough set up. Somehow I need to be able to "flatten" all this information into a schedule that I can display to the user, query against, and update.
    The issue is complicated more by recurring events, but I think I have that handled already and can make a recurring event be transparent from the application point of view. I just need to figure out how to represent this.
    This is my current idea, and I don't like it at all:
    A TimeSlot object, holding a beginning date and ending date. A data structure that holds a list of TimeSlot objects in order by date. I'd probably also hold an index of some sort that maps some constant span of time to a general area in the data structure where times around there can be found, so I avoid O(n) time searching for a given time to find whether or not it is open.
    I don't like this idea, because it requires me to call getBeginningDate() and getEndDate() for every single time slot I search.
    Anyone have any ideas?

    If I am correct, your requirement is to display a schedule, showing the occupancy of a resource (open/closed/used/free and other kind of information) on a time line.
    I do not say that your design is incorrect. What I state below is strictly my views and should be treated that way.
    I would not go by time-slot; instead, I would go by resource. For instance, the gym, the class rooms (identified accordingly), the swimming pool etc. are all resources. Therefore (for the requirements you have specified), I would create a class, let's say "Resource", to represent all the resources. I would recommend two attributes at this stage ("name" & "identifier").
    The primary attribute of interest in this case would be a date (starting at 00:00hrs and ending at 24:00hrs.), a span of 24hrs broken to the smallest unit of a minute (seconds really are not very practical here).
    I would next encapsulate the availability factor, which represents the concept of availability in a class, for instance "AvailabilityStatus". The recommended attributes would be "date" and "status".
    You have mentioned different statuses, for instance, available, booked, closed, under-maintenance etc. Each of these is a category. Let us say, numbered from 0 to n (where n<128).
    The "date" attribute could be a java.util.Date object, representing a date. The "status" is a byte array of 1440 elements (one element for each minute of the day). Each element of the byte array is populated by the number designation of the status (i.e., 0,1,2...n etc.), where the numbers represent the status of the minute.
    The "Resource" class would carry an attribute of "resourceStatus", an ordered vector of "ResourceStatus" objects.
    The object (all the objects) could be populated manually at any time, or the entire process could be automated (that is a separate area).
    The problem of representation is over. You could add any number of resources as well as any number of status categories.
    This is a simple solution. I do not address the issues of querying this information and rendering the actual schedule, which I believe is straightforward enough.
    It is recognized that there is scope for optimizations/design rationalization here; however, this is a simple and effective enough solution.
    regards
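    The per-minute status array described in the reply above, as an added example that is not part of the original post: base hours and exceptions are written into one 1440-byte array per day, reservations succeed only over AVAILABLE minutes, and the array is collapsed back into time ranges for display. The class name, method names and status code values are assumptions, and `java.time.LocalDate` with a `TreeMap` is used in place of the post's `java.util.Date` and ordered vector.

```java
import java.time.LocalDate;
import java.util.*;
public class MinuteSchedule {
    // Status codes are constructed for this example; the post only asks for 0..n with n < 128.
    static final byte CLOSED = 0, AVAILABLE = 1, BOOKED = 2, MAINTENANCE = 3;
    static final int MINUTES_PER_DAY = 1440;
    // One 1440-byte array per day, in date order (TreeMap replaces the post's ordered vector).
    private final TreeMap<LocalDate, byte[]> days = new TreeMap<>();

    /** Validates [from, to) and returns that day's array, created all-CLOSED on first use. */
    private byte[] day(LocalDate d, int from, int to) {
        if (from < 0 || to > MINUTES_PER_DAY || from >= to)
            throw new IllegalArgumentException("bad minute range " + from + "-" + to);
        return days.computeIfAbsent(d, k -> new byte[MINUTES_PER_DAY]);
    }
    /** Sets minutes [from, to) to status; a later call overrides an earlier one. */
    void mark(LocalDate d, int from, int to, byte status) {
        Arrays.fill(day(d, from, to), from, to, status);
    }
    /** Books [from, to) only if every minute is AVAILABLE; otherwise changes nothing. */
    boolean reserve(LocalDate d, int from, int to) {
        byte[] s = day(d, from, to);
        for (int m = from; m < to; m++)
            if (s[m] != AVAILABLE) return false;
        Arrays.fill(s, from, to, BOOKED);
        return true;
    }
    /** Collapses the per-minute array back into [start, end) runs holding the given status. */
    List<int[]> runs(LocalDate d, byte status) {
        List<int[]> out = new ArrayList<>();
        byte[] s = day(d, 0, MINUTES_PER_DAY);
        for (int m = 0, start = -1; m <= MINUTES_PER_DAY; m++) {
            boolean in = m < MINUTES_PER_DAY && s[m] == status;
            if (in && start < 0) start = m;
            if (!in && start >= 0) { out.add(new int[] {start, m}); start = -1; }
        }
        return out;
    }

    public static void main(String[] args) {
        MinuteSchedule gym = new MinuteSchedule();
        LocalDate d = LocalDate.of(2024, 3, 15);          // constructed sample date
        gym.mark(d, 12 * 60, 17 * 60, AVAILABLE);         // base hours, noon to 5pm
        gym.mark(d, 16 * 60, 17 * 60, MAINTENANCE);       // exception overrides base hours
        System.out.println(gym.reserve(d, 13 * 60, 13 * 60 + 127));     // 127-minute class
        System.out.println(gym.reserve(d, 15 * 60 + 30, 16 * 60 + 30)); // overlaps maintenance
        for (int[] r : gym.runs(d, AVAILABLE)) System.out.println(r[0] + "-" + r[1]);
    }
}
```

    Because the order of `mark` calls decides which status wins, base hours have to be written before exceptions and reservations for the same day.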

  • Office network design ideas..

    Hey all, we are upgrading to a Cisco network and wanted some input on our possible network design...
    Currently we have:
    A Juniper SSG 140 and IDP for our firewall and IDS
    3com (layer2/3) switches for our desktops
    2 Dell PowerConnect 5424 switches for our servers and firewalls
    2 Dell PowerConnect 5424 switches (separate network) for our SAN/VM hosts
    This is what we are thinking of for our next solution
    ASA 5512 for our firewall (I read we could possibly get a 25% performance speed improvement for user VPN connections?)
    2 WS-C3750x-48t-e (I think this does Layer 2/3) for our desktops
    2 WS-C3750x-48t-e for our firewalls/servers
    2 WS-C3750x-24P-L for our SAN/VM hosts
    The problem is different network services providers who are going to implement this for us are giving us different solutions
    Some desktop 3560X for desktops and 4948 for servers and others are telling me 3750x for desktops and Nexus 3048 switches for SAN
    Some are telling me we can keep SAN+VM+core traffic on the same switches and just separate them with VLANs while others are telling me we should get separate switches for them
    Basically, we just want an improved improvement with better PERFORMANCE and REDUNDANCY (esp with our core + SAN/VM traffic) without going overboard and spending a ton of money
    More thoughts:
    We need Layer 2/3 switches for core + SAN
    Do we need 10G ports?
    Let me know your thoughts...

    Hi There,
    the hardware selection actually depends on the network/site topology, number of users, traffic load and more other factors
    this is for IP network, for SAN do you mean iscsi, FCoE or pure FC SAN because these are different things and may change the HW selection,
    in general 3560 are good for access switches and 3750 provide same capabilities with improved performance and support for StackWise ( 3750 is a good option especially if you are planning to stack them )
    for L3 it is supported on both but consider the license/image you buy with regard to the features you need
    nexus for Data center switch are the best as they are designed for data center switching however you need to know, port density, 1G or 10G, do you need any FC SAN, DC load/capacity, any L3 function is required and future growth then you can decide if Nexus 3K or 5K is good for you or not
    N5K
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-618603.html
    N3K
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps11541/at_a_glance_c45-648255.pdf
    if you have a network topology with more details of what you need, post it here for more discussions
    hope this helps
    if helpful rate

  • Need help on network design

    Hi guys.
    Looking for some advice on a network design.
    Please tell me what you think may or may not be wrong or missing.
    Here are the details:
    The user count is approximately 600 (desktops, laptops and Cisco IP phones) with two locations (office and data center) connected via 100Mbps guaranteed MAN line with site-to-site VPN as backup.
    Servers will all be in the Data Center.
    Edge routers to be used as site-to-site VPN connection point between office and data center.
    Edge router at data center also to be used to connect to 4 other remote sites.
    Edge networks (router and ASA) will be used to provide internet access to equipment at their respective locations. (No routing across MAN for internet access)
    Cisco 4510 to be used as user switches.
    Supervisor engines will be connected via 10G fiber to core switches.
    There will be 2x 10G connection for each supervisor module.
    Core switches are 4500x to be stacked via VSS using 10G Twinax cables.
    Core switch will also have 1G copper sfp to connect to MAN line hand-off.
    There will also be a physically (for the most part) segregated network using 3750x switches that connect back to the core. We will use 1G Fiber connections.
    Here is the current kit list:
    Office Network Edge
    1x Cisco 3925 Router to connect to internet and vpn tunnel endpoint (CISCO3925-HSEC+/K9)
    1x 2GB RAM upgrade for Cisco Router (MEM-3900-1GU2GB)
    1x 1GB Compact Flash for Cisco Router (MEM-CF-256U1GB)
    1x ASA Firewall w/ IPS  (ASA5525-IPS-K9)
    Office Network Core
    2x 4500X 32 Port Switches (WS-C4500X-32SFP+) w/ IP Enterprise License
    2x 1GB Fiber SFP module per 4500X switch to connect to 3750x  (GLC-SX-MMD)
    2x 10GB TwinAX cables to stack 4500x switches together (SFP-H10GB-CU1M)
    8x 10GB Fiber SFP+ module to connect to 4510 Sup Engines (SFP-10G-SR)
    1x 1GB Copper SFP to connect to MAN circuit hand-off (GLC-T)
    1x 1GB Copper SFP to connect to ASA firewall (GLC-T)
    Distribution
    4x Catalyst 4510R+E Switches (WS-C4510R+E) w/ IP Base License
    2x Supervisor 8-E per 4510 switch (WS-X45-SUP8-E)
    8x 48-port PoE module per 4510 switch (WS-X4748-UPOE+E)
    4x 10G Fiber SFP+ module per 4510 switch (SFP-10G-SR)
    1x 2GB SD Memory card per Supervisor Engine (SD-X45-2GB-E)
    Office Network Segregated
    4x 3750X 48-port PoE Switches (WS-C3750X-48P-L) LAN Base License
    1x 1G Fiber SFP module per 3750x switch (GLC-SX-MMD)
    1x Slot module per 3750x to connect 1GB SFP modules (C3KX-NM-1G)
    Data Center Edge
    1x Cisco 3925 Router to connect to internet and vpn tunnel endpoint (CISCO3925-HSEC+/K9)
    1x 2GB RAM upgrade for Cisco Router (MEM-3900-1GU2GB)
    1x 1GB Compact Flash for Cisco Router (MEM-CF-256U1GB)
    1x ASA Firewall w/ IPS  (ASA5525-IPS-K9)
    Data Center Core
    2x 4500X 32 Port Switches (WS-C4500X-32SFP+) w/ IP Enterprise License
    2x 10GB TwinAX cables to stack 4500x switches together (SFP-H10GB-CU1M)
    3x 10GB Fiber SFP+ modules per 4500X switch to connect to 3850 switches (SFP-10G-SR)
    1x 1GB Copper SFP to connect to MAN circuit hand-off (GLC-T)
    1x 1GB Copper SFP to connect to ASA firewall (GLC-T)
    1x 1GB Copper SFP to connect to segregated ASA (GLC-T)
    Data Center Distribution
    6x 3850 24-port PoE Switches (WS-C3850-24T-S) IP Base License
    1x Slot module per 3850 switch to connect 10GB SFP+ modules (C3850-NM-2-10G)
    1x 10G Fiber SFP+ module per 3850 switch (SFP-10G-SR)
    Data Center Segregated
    1x Cisco 2951 Router to connect to internet and vpn tunnel endpoint (CISCO2951/K9)
    1x ASA 5512-X (ASA5515-K9)
    Attached diagram is just a draft.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    A 39xx is underpowered if you want to support gig VPN tunnel.
    If your MAN is 100 Mbps (possibly "light" for 600 users), I would suggest running your port at 100 Mbps, not gig.  (This because LAN switches don't shape, and may not be able to "see" congestion or drops within the MAN.)
    Your user edge (the 4500s) will be L2 or L3.  If the latter, I would recommend not using a VSS core.
    I would recommend not using the same Internet connection for both general Internet access and VPN.

  • LDAP design question for multiple sites

    I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 for replacing the NIS.
    Currently we have 3 sites with different NIS domains.
    Since the NFS over the WAN connection is very unreliable, I would like to implement as follows:
    1. 3 LDAP servers + replica for each site.
    2. Single username and password for every end user across those 3 sites.
    3. Different auto_master, auto_home and auto_local maps for three sites. So when a user logs in to a different site, the password is the same but the home directory is different (local).
    So the questions are
    1. Should I need to have 3 domains for LDAP?
    2. If yes for question 1, then how can I keep the username password sync for three domains? If no for question 1, then what is the DIT (Directory Infrastructure Tree) or directory structure I should use?
    3. How to make auto map work on LDAP as well as mount local home directory?
    I would really appreciate it if some LDAP experts can enlighten me on this project.

    Thanks for your information.
    My current environment has 3 sites with 3 different NIS domainname: SiteA: A.com, SiteB:B.A.com, SiteC:C.A.com (A.com is our company domainname).
    So everytime I add a new user account and I need to create on three NIS domains separately. Also, the password is out of sync if user change the password on one site.
    I would like to migrate NIS to LDAP.
    I want to have single username and password for each user on 3 sites. However, the home directory is on local NFS filer.
    Say for userA, his home directory is /user/userA in passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA,
    On location Y, userA's home directory will mount FilerY:/vol/user/userA.
    So the mount drive is determined by auto_user map in NIS.
    In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
    So userA login hostX in location X will mount home directory on local FilerX, and login hostY in location Y will mount home directory on local FilerY.
    But the username and password will be the same on three sites.
    That's my goal.
    Some LDAP experts suggested MMR (Multiple-Master-Replication) to me. But I'm still not quite sure how to do MMR.
    It would be appreciated if some LDAP guru can give me some guideline at start point.
    Best wishes
