Route or switch on the core Layer

I am working on a new network design for my company with four buildings. I have used the building distribution method for all buildings, and my design seems to be functioning properly. I have configured VLANs and EIGRP routing on the distribution switches, as you can see on the diagram, but used the four core layer switches just for switching, not routing, and I did not configure any routing on them. I would like to know if this is a good design or whether I need to configure routing on the core layer as well.

There is no right or wrong answer to this. Originally the recommendation was to switch in the core, i.e. use only L2, because L2 switching was fast and L3 routing was slow. But then L3 switches appeared and the recommendation was to use L3 to connect to the core.
But both are just recommendations. You don't have to follow the guidelines slavishly.
Having said that, looking at your design there are a lot of redundant paths between switches. This means lots of loops, and using L2 will mean blocked paths in the core and potentially blocked paths to and from the core. If you used L3 connections from the distribution to the core and between the cores you would be able to utilise all the links and hence get more bandwidth.
In addition, if a link failed you would not be reliant on STP to bring up a redundant path, as all paths would be in use (although you should still run STP).
Couple of other points -
1) You have 4 switches in the core - what is the reasoning behind this? Is it distance limitations between buildings?
2) Your addressing. Ideally you would want to be able to summarise from one building to the other, so it would make more sense to have all the 192.168.x.x networks in one building and all the 10.x.x.x networks in the other. Actually, it would make more sense to decide on an IP range, i.e. 10.x.x.x or 192.168.x.x (not both), and then use summarised ranges for each building.
Jon

Similar Messages

  • In a huge campus network design, should the Core layer operate on L3 if the Distribution is operating on L3?

    Or is the routing overhead less if the Core is operating on L2?
    For example:
    WAN routers and Dist L3 switches connect to Core switches (L2)
    Access layer L2 switches connect to Dist.
    So Access layer switches do DiffServ marking, Dist layer switches do queuing, inter-VLAN routing as well as routing, and the core only forwards traffic based on L2.
    Is it a valid design? Should the core also have QoS?
    Thanks!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of   the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Yes, you can have a L2 core, but as Rick has noted, modern designs lean toward L3 cores.
    There are, even today, pros and cons to each, but the biggest factor would be that a modern L3 core would normally use L3 switches rather than traditional routers. Generally you want the core to move packets as quickly as possible, and L2 switches were generally better at that than "traditional" routers. L3 switches, though, have nearly L2 switch performance, so the performance difference isn't much of an issue any longer (especially with CEF L3 switches and/or MPLS).
    BTW, not something you'll see in many current design documents, but modern L3 switches are so powerful and support so many ports, that you might have distribution and access just L2.
    If you're doing QoS, yes I would recommend it also be enabled in the core too, L2 or L3.

  • Router vs switch on the access

    We're designing a network for a DR exercise and there's a question as to whether we need to have a router or a switch on the access. The network behind this device is a flat network (1 VLAN). Upstream from this device is an edge router that will do BGP and ipeFR. Can anybody please render an opinion on this?
    Thanks.

    I'm of the opinion you meet requirements as simply as possible. With current equipment, for what you described (if I correctly understand), switches at the edge would be "simpler". However, some reasons for edge routing where you're not routing . . .
    I've seen 1:1 edge routers used when using flow based hardware. The idea being that the edge router melts down before the next router upstream. Almost an external "control plane" protector.
    Another reason, pseudo "distributed" processing. You expect the load imposed by edge QoS classification and marking or ACL processing could not be handled by the upstream router alone.
    Some believe that such a design is easier to support with configurations on separate devices for QoS, ACLs and such.
    As long as there's reason for using routers where you describe, then do so. Just be cautious of, "we don't know why, just would feel better". With the latter, analyze whether there's real reason for discomfort.

  • Sinkhole routing rfc1918 on the core/distribution switch (6500)

    Hi guys,
    I am planning on getting rid of packets going to unrouted, nonexistent RFC 1918 networks in our DC environment, which currently go from our core/distribution switch into the internet-facing firewall via the default route. I am thinking of setting a bunch of RFC 1918 static routes to Null0 on the core/distro switches so they will kill all the packets destined to unused RFC 1918 networks. Wondering if that would be a good solution to this.
    Thanks!

    I am not sure quite what you have in mind when you talk about a bunch of rfc1918 static routes. I could see doing a route for 10.0.0.0 range, for 172.16.0.0 range, and for 192.168.0.0 range. Is 3 a bunch? If you had more in mind what would they be?
    If you do static routes to Null0 for the summarized spaces, then it would allow routing to any private addresses used inside your network to work, since they should have more specific entries in your routing table, and it would discard traffic with destination addresses in private address space. Be aware that if you have any site-to-site VPN tunnels from the firewall or any address translations on the firewall that use private addresses, your plan may very well have negative consequences for them.
    HTH
    Rick

  • Switches for Access, Distribution, and Core Layer

    I have this case study in school and we are tasked to build a network in a school. So we've decided to use the three layer hierarchical model. I'm not sure about what switch is best for these layers but I've decided that I'll use 3750 for the Access layer, 4500E for the Distribution layer, 6500 for the Core layer. Are these the ideal switches for each layer? If not, could you suggest any switch that is better than the current? Need your suggestions or thoughts about this. Thanks in advance!

    Hi Seb, thanks for replying. My groupmates and I have already decided that we're going to have a distribution layer. So basically, is the 3750 enough to be the backbone/core of the network? We're configuring them to have a Layer 3 design, so that makes me choose the 3750 on distribution and core rather than 2960 switches, because I think that's better than Layer 2, though I don't know specifically what makes it better. Do you know? So I could have a thorough explanation when I present it to my professor. As for the budget, the case study didn't give us any limit, so I think Layer 3 would be a better choice than Layer 2. Thanks Seb, appreciate it.

  • Add 3850 Switch to existing Core Stack

    Hello,
    I need to add a 3850 to our collapsed core. Current setup - 5 x 3850 stacked switches with VLANs and routing enabled.
    We are in need of more ports and I purchased a 3850.
    I will add the switch to the core via a trunk port.
    I will make VTP transparent.
    I will configure the mgmt VLAN 10 with an IP address.
    QUESTION.
    After this is done, do I make the switch a VTP client?
    Also, do I turn on IP routing? Or, with the trunk, send all packets destined for other VLANs over the trunk to the core, and the core will handle routing?
    I am talking about routing between VLANs, so user vlan 64 can talk to vlan 64.
    I have been doing routing on the WAN for so long I have forgotten best practices on the LAN and L3 switching.
    OR.....
    Do I simply add this to the switch stack?
    Thank you for any help!
    -T
    Any help is appreciated.

    When you add a switch to an existing stack it gets all of its configuration from the stack master.
    Just verify it has the same IOS version installed (and doesn't have switch priority set such that it takes over as master) and plug it in via the stacking cables.
    If you're adding it as a new access switch then yes, just trunk all the VLANs across the uplink to the core. If you have a VTP server set up then set your VTP domain and come up in client mode. If routing is active on the core and your VLAN SVIs are all there, there's no need for routing on the access layer and the only SVI you need is for management (or use the dedicated management interface for out-of-band management in its own VRF).

  • Nexus 7K Core Layer VDC, does it require a VPC Peer Link

    We are going to be using a pair of Cisco Nexus 7010s to act as both our data center aggregation layer and the core layer. We will accomplish this via two VDCs, one for the core layer and one for the aggregation layer.
    I know that if we are doing vPCs between the access and aggregation layers we need a vPC peer link (and peer keepalive link) between the two aggregation layer contexts, but if the connection between the aggregation and the core is purely layer 3 (OSPF), then I don't think we need a vPC peer link between the two core VDCs. Am I correct?

    You are on the right track
    You will use vPC if your design includes L2 trunk infrastructure. Since you're aggregating with an L3 core there is no need to add vPC, I think.
    http://www.cisco.ws/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/DC-3_0_IPInfra.html
    Thx,
    Eric

  • Picking when to switch layers on dual layer DVDs

    I hope somebody can help.
    I'm burning a project that takes up more than a single layer. I've managed to get iDVD to burn it no problem. However, iDVD picks the spot where it switches to the second layer - right at the start of a piece of music. How do I pick the point (between scenes) when it switches? With the current project I only need to bring it forward by a couple of seconds. One option is just to add a 2 second black screen at the start of the film to move everything along slightly. However I'd prefer to be able to pick the place. I have iDVD 08 and Toast 6 Titanium. I know I could probably do it with DVD Studio Pro but I'm not ready for the big upgrade to FC Studio.
    Any pointers or suggestions are welcome.

    As you have found, you can not specify the layer break point with iDVD. Sorry.

  • Is it recommended to use HSRP or multiple default between Core Layer Switch and Customer Edge Router?

    My client is asking me for following
    The client is using a router as the edge device. 2 WAN links from different service providers (each 20 Mbps) are terminated on the router. There are internal servers present in the network. The client wants a setup such that even if one WAN link fails, internet users should still be able to access the web server. Moreover, if the edge router fails there should be a secondary edge device so that there is device redundancy.
    As per my understanding, in this scenario we need to do static one-to-one NAT (belonging to the WAN interface subnet). If we use two routers as customer edge and connect the core layer switch to these two routers, is it recommended to use HSRP/VRRP/GLBP, or two default routes on the core switch pointing to the two routers with equal AD value? We will also track the WAN link with the help of IP SLA.
    Which is the recommended solution, a router redundancy protocol or default routes?

    Just had another read of this post and some other points have come up.
    1) I assumed your secondary link was for redundancy but you talk about terminating both SP links on the same router in your first paragraph.
    Did you mean this or are you going to be terminating a link per router ?
    2) are you using the second router purely for backup ?
    3) something you didn't ask about but is relevant is the IP addressing. Are you using provider independent addressing or does each SP provide you with an address block.
    If it is the second then you are going to have an issue with the web server. The problem is which provider's IP do you use for the web server ie.
    if you use the primary provider IP then that will be the DNS record on the internet. If the primary router fails then the IP address will change on the secondary router but DNS will still be handing out the primary IP.
    If you enter both IPs (primary and secondary) into DNS then you would get load balancing but this means both links will be used and the secondary would not just be backup.
    In addition if one of the links fails then DNS does not know this so it will still be handing out the failed address as well as the address that is still up which means some connections will work and some won't.
    Jon

  • Core layer switches IP address for routing

    For the routing process I add an IP address from each VLAN's subnet that is active on each Access and Distribution switch (i.e. the switch has a port in that VLAN) to the corresponding VLAN interface.
    Which IP address should I add to the Core switch for routing?
    Should I add an IP from each VLAN in the LAN to each VLAN interface of the Core layer switch?
    I want to run the OSPF routing protocol on the LAN.

    Hello Reza,
    >> Which IP address should I add to the Core switch for routing?
    If you want to implement a L3 routed core, every link between a core device and a distribution device is a L3 link with its own IP subnet.
    For example, if you have 16 distribution pairs and two core switches:
    10.10.10.0/30 dis11 to core1
    10.10.10.4/30 dis12 to core2
    10.10.10.8/30 dis21 to core1
    10.10.10.12/30 dis22 to core2
    10.10.10.128/30 disF1 to core1
    10.10.10.132/30 disF2 to core2
    This assumes there is not a full mesh between core routers and distribution devices.
    Then you also need a L3 link between the two cores (at least one).
    Each L3 device should also have a loopback interface to be used as the OSPF router-id and for management purposes (telnet and so on).
    You can use /32 loopbacks taken from the same block, for example:
    10.255.254.1/32 core1
    10.255.254.2/32 core2
    10.255.254.3/32 dis11
    10.255.254.4/32 dis12
    To make routing work, the core switches have to talk OSPF on all links to distribution nodes:
    router ospf 10
    router-id 10.255.254.1
    network 10.10.10.0 0.0.0.255 area 0
    network 10.255.254.1 0.0.0.0 area 0
    The network area commands work like ACL statements; the first statement starts OSPF on each interface whose IP address belongs to the 10.10.10.0/24 space.
    The second command is used to advertise its own loopback.
    The router-id command allows you to define the OSPF router-id.
    Distribution nodes have to advertise the client VLANs and take part in OSPF communication on the point-to-point links.
    If you use a L2 access layer design, client VLANs are served by distribution nodes.
    If you use a L3 access layer design, the access layer switches take part in OSPF and have to advertise their own client VLANs.
    Hope to help
    Giuseppe

  • Connecting core switch to the internet ?

    Hi,
    We have 2 6506s connected through an EtherChannel trunk.
    On these 6506s we have configured a VLAN, a VLAN interface and 2 access ports for 2 ASAs.
    These ASAs run in failover mode but only one ASA is physically connected at the moment.
    We want to be more resilient, so our provider has provided us with a redundant setup of routers for our internet connection.
    However, for this construction they would need a layer 2 connection on our side to have HSRP running.
    There are 2 options in my opinion:
    - Buy a set of switches to facilitate the layer 2 connection between the routers and to connect the outside of the ASAs.
    - Instead of buying 2 new switches, create a new unrouted VLAN on our core 6506s and use access ports for the routers and the ASAs.
    But how safe is it to connect the core switch with an unrouted VLAN to the internet router?
    In terms of VLAN hopping or other possible attacks?
    I think I have to disable DTP, Spanning-Tree, CDP and maybe a lot more?

    I have got as far as applying this to secure the port:
    switchport
    switchport mode access
    switchport access vlan X
    switchport nonegotiate
    spanning-tree bpdufilter enable
    spanning-tree portfast edge
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    no cdp enable
    Any additions to this ?
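    An added example, not from the post: a small Python audit that parses an IOS-style running-config and reports, for every access port in the internet-facing VLAN, which of the hardening lines listed above are missing. The config text, interface names and VLAN 900 are constructed for the example.

```python
from typing import Dict, List

# The hardening lines from the post above, as exact running-config lines.
# 'switchport access vlan X' is the selector for the audit, not a check.
REQUIRED_LINES = [
    "switchport mode access",
    "switchport nonegotiate",
    "spanning-tree bpdufilter enable",
    "spanning-tree portfast edge",
    "switchport port-security",
    "switchport port-security violation restrict",
    "no cdp enable",
]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented config lines]}.

    In IOS output an interface stanza starts with 'interface <name>', its
    commands are indented by one space, and '!' closes the stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # any other global command ends the stanza
    return stanzas


def missing_hardening(lines: List[str]) -> List[str]:
    """Required lines that are absent from one interface's config."""
    present = set(lines)
    return [req for req in REQUIRED_LINES if req not in present]


def audit(config: str, vlan: int) -> Dict[str, List[str]]:
    """Return {interface: missing lines} for every access port in the given VLAN."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if f"switchport access vlan {vlan}" in lines:
            report[name] = missing_hardening(lines)
    return report


# Constructed sample: one port hardened as posted, one missing two lines,
# and a user port in another VLAN that the audit must ignore.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree bpdufilter enable
 spanning-tree portfast edge
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 no cdp enable
!
interface GigabitEthernet1/2
 switchport
 switchport mode access
 switchport access vlan 900
 spanning-tree bpdufilter enable
 spanning-tree portfast edge
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
!
"""

if __name__ == "__main__":
    for intf, missing in audit(SAMPLE_CONFIG, 900).items():
        print(intf, "OK" if not missing else "missing: " + ", ".join(missing))
```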

  • Creating Vlans at Core layer switches ?

    Is there a need to create VLANs at core layer switches? If yes, what are the pros and cons of this practice?
    Actually I have seen some networks doing that!

    Well, this is the topology that I'm working on.
    We have implemented the 3 layer approach.
    1. At the access layer: switches are all L2 (for sure :) )
    2. At the distribution layer: all switches are L3 and route incoming data.
    3. At the core we have 2 6500 switches. One is configured as L3 and all VLANs are created on it. The second is just a regular L2 device.
    And of course there are some switch blocks for server farms and the like.
    My issues are:
    1. Why don't we create VLANs at the distribution layer switches?
    2. Why is one core switch acting as L2 and the other acting as L3? What will happen in case of failure of the one acting as L3?
    PS: the second issue just came to mind.

  • OTV vlans routing on the 1 device and switching on the other

    Hi, there seem to be OTV issues where the odd VLANs on agg1 are showing as routed and the even VLANs are using OTV, and on agg2 vice versa.
    My presumption was that with OTV, all VLANs configured for access would use OTV instead of routing.
    agg1# show ip route  10.128.105.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.105.128/25, ubest/mbest: 1/0
        *via 192.168.28.50, Po5, [19/51456], 4d00h, eigrp-128, external
         via 10.101.0.25, [200/51712], 4d00h, bgp-65149, internal, tag 65149
    agg1# show ip route  10.128.106.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.106.128/25, ubest/mbest: 1/0, attached
        *via 10.128.106.130, Vlan806, [0/0], 4d02h, direct
         via 10.101.0.25, [200/51712], 3d20h, bgp-65149, internal, tag 65149
    agg2 show ip route  10.128.106.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.106.128/25, ubest/mbest: 1/0
        *via 192.168.28.49, Po5, [19/51456], 4d00h, eigrp-128, external
         via 10.101.0.25, [200/51712], 3d20h, bgp-65149, internal, tag 65149
    agg2# show ip route  10.128.105.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.105.128/25, ubest/mbest: 1/0, attached
        *via 10.128.105.132, Vlan805, [0/0], 4d00h, direct
         via 10.101.0.25, [200/51712], 4d00h, bgp-65149, internal, tag 65149
    show otv adjacency
    Overlay Adjacency database
    Overlay-Interface Overlay1  :
    Hostname                         System-ID      Dest Addr       Up Time   State
    MCC-N7K2-OTV                     04c5.a4ea.8b42 192.168.26.54   4d12h     UP  
                                     04c5.a4ea.93c2 192.168.28.42   4d09h     UP  
    LDC-N7K2-OTV                     04c5.a4ea.6042 192.168.28.46   1d22h     UP 
    Do the OTV devices need to be physically connected to each other?
    It seems that VLANs at layer 2 do not span across the AGG switches.
    diagram

    You did not configure PBR on the CSS since it does not have this function.
    You simply configured static routing.
    As such, the CSS will route between the VLANs.
    If you want a firewall to protect every VLAN from the other ones, you should have a one-armed design where the firewall does the routing between the VLANs and the CSS is doing the load balancing.
    i.e.:
    ........vlan1
    ..........|
    .vlan2 ---FW----- CSS
    ..........|
    ........Vlan2
    You'll need to do client NAT on the CSS or implement some form of PBR on the firewall.
    PBR means routing based on another factor than the destination IP address. In this case, it is necessary to route based on the source port.
    That might be too complex, so an easier choice would be
    ..vlan1(ext).....vlan2(ext)
    ....|...............|
    ....+-------FW------+
    .............|
    ..........+-CSS-+
    ..........|.....|
    ........vlan3 vlan4
    There is no protection between internal VLANs, but you don't need policy routing or client NAT.
    Gilles.

  • Recommendation for the Core router

    Hi all,
    We are a hosting provider and we are looking to buy an additional router. Right now we have a Cisco 6500 with a SUP720-3BXL supervisor as our core router, which sometimes has problems because of its very weak CPU.
    Because of that we are searching for a real router, not a switch.
    Basically our needs are:
    - at least 4 x 10Gbps ports
    - at least 80Mpps throughput
    - capable to deal with 2 Full BGP tables and at least 30 BGP peers
    Any recommendation from your side would be appreciated. It could be also Juniper or Brocade.
    Thank you very much in advance!
    Ismir

    Perhaps an ASR 9001.

  • Confused the CORE switches

    Hi!
    Please throw light on the following scenario:
    I have 5 distribution switches (6509-sup20) connected to a core switch 6509-sup20. The routing protocol is EIGRP. I sent the following networks as a summary to the CORE:
    DS1: 10.11.0.0
    DS2: 10.12.0.0
    DS3: 10.13.0.0
    DS4: 10.14.0.0
    DS5: 10.15.0.0
    Now maybe these confused the core switch. What is the optimum way to unconfuse the core and let the core always function properly with very good performance?
    I am waiting for your reply!

    Under the EIGRP process, the network statement should only include subnets that you want to advertise FROM the router. Subnets that are learned from other devices need not be listed.
    If you issue
    'sh ip interface brief'
    on the core, you can select what networks you want to advertise FROM the core to all devices sharing the same EIGRP AS.
    For instance, if the 'sh ip int bri' output includes the following networks:
    172.16.1.1
    192.168.1.1
    10.1.1.1
    then your EIGRP process should look like
    router eigrp 10
    network 172.16.1.0
    network 192.168.1.0
    network 10.1.1.0
    You can also use another method if you have multiple subnets that are within the same major network. For instance:
    10.11.0.0
    10.12.0.0
    10.13.0.0
    10.14.0.0
    could be represented with a single command:
    router eigrp 10
    network 10.0.0.0
    no auto-summary
    It will advertise the subnets listed above and not the 10.0.0.0 network because 'no auto-summary' is also part of the EIGRP process.
    Now if you have the following connected networks:
    10.11.0.0 thru 10.14.0.0 AND 10.50.0.0 thru 10.60.0.0, but only want to advertise the 10.11.0.0 thru 10.14.0.0 networks, then the EIGRP process would look like
    router eigrp 10
    network 10.8.0.0 0.0.7.255
    no auto-summary
    Please rate helpful posts.
    Thanks
