Check my topology!

Not sure if the router with the WAN link should also be connected directly to the core switch?

Feedback is appreciated :)

TopCheck.jpg
 
topology 2 is the better one of the two.

really depends what you're actually doing though...

and what sort of spec of kit are you working with?

why have a router for the wan and then another for the lan? dedicated firewall between the two? bear in mind that if this is soho kit then with that setup you would be translating addresses twice, unless you take the second router out of nat mode that is.

how many clients are you serving by your distribution switches? are you using one flat network? multiple networks utilising subnetting? vlans and trunks to separate via one router? thought of more internal routers?

i notice you have zero redundancy... multiple routers? vrrp? multiple switches? spanning tree?

just a few things for you to think about.
 
Currently we have the scenario in Top1

The main router in our case is our "firewall", then we have a router which points to a remote site. Our clients point to the "Firewall" as their default gateway, which has a static route on it for the remote site.


top1ro4.jpg


700 Clients, 15 Servers.
Running in 2 AD forests on a flat network.

We do have some work to do :rolleyes:

* Going to add another link to the trunk between the two focal points.

* As we have just upgraded the last of our switches we can now put each forest in a VLAN.

* And a look at the routing!

Comments here also ;-)
 
I have created a redundancy model but given the budget it's a recommendation for future rather than for this phase.

Each of the distribution switches will have their own subnet and the devices above will be contained within one/two subnets (core switches/routers) can't decide.

I'm more concerned at the moment with getting the topology correct rather than protocols etc.

Single mode fibre links between all switches and devices.

I wanted to separate the WAN link from the main router in case the router breaks. With topology 1 I would be able to have the WAN router act as backup for the LAN router should the LAN router break.

If I went with topology one and linked both routers couldn't I effectively distribute the load? The WAN link would still go to only one router though.

I might just opt for Top2 initially and use one router at the top. There will be a firewall between the router and the WAN. As for the kit, I haven't spec'd the kit yet but we are talking typical Cisco mid-level switches, 24 port 3750's? There is only going to be around 67 users initially but obvious potential for expansion.

Any ideas?
 
Of the 2 go with Top1. Top2 adds another single point of failure without any added benefit, unless i'm missing something.
 
I'd go with TOP1, can't see the point of funnelling your local WAN and internet WAN traffic the way TOP2 would do, but having said the above, TOP2 would be easier as far as DNS and routing are concerned from a client perspective.
 
I think i'm going to remove one router and just have one router at the top which also has the WAN link.

I have created another topology which offers high resilience but the cost of it can't really be justified at this stage.
 
A couple of recommendations...

Firstly I'd minimise the number of devices involved. If you're not building in resiliency then the more devices the more chance of something going wrong. Secondly it's also much easier to manage and lastly it's also cheaper. I'd use 48 port 3750s (or even 2960s if you don't need specialist 3750 features). I'd use layer 3 switches as the core switches (either 3750s with the appropriate image or 4503s) and route between all the distribution switches.

You absolutely want to have your firewall between the core and the WAN links, but there's no point in having another router in there unless it's a firewall (particularly if you choose to do routing in the core)
 
EDIT: Actually I've just looked over it more carefully. I'd have the primary and WAN routers connected to the core separately, doing otherwise serves no purpose (again, particularly if you route in the core)
 
I'm not too knowledgeable about layer 3 routing. As I understand it you cannot 'talk' to another subnetwork unless you pass through a router; I'm guessing switching at layer 3 means the switch will do this routing?

I'm going to go for one router initially.

What do the 3750's offer over the 2960's?

All fibre is going to be single mode, all links on that diagram will be single mode. 8 core cabling will be in place but only 2 cores will be patched initially.

Does that sound sensible?

I'm not sure what core switch to use as I will need quite a few fibre slots.

Thanks everyone you are being a big help :)
 
I really wouldn't make such a large campus-like design an entirely layer 2 network. It's really bad design practice to do so.

The 3750s have 2 major advantages, stacking ports, so you can create one big logical switch out of multiple physical switch units and the fact it's layer3 capable with the right IOS. So it can be a router.

For the core switch, either go for a stack of 3750s (particularly the version with 12 fibre ports) or you may find a 4503 or even 4506 economical (they are powerful chassis based switches though).

Seriously though, you should have routing through the core switches in a network like that. In the long term it may pay to get a consultant in to set it up for you if you're unsure of it.
 
Sorry to hijack the thread but what app did you use to create those topology maps? I need to do a few myself and they look a lot easier to use than Visio.

Ta
 
What are the advantages of using a layer 3 switch over a router? I know most networks have layer 3 core switches but I'm not aware why?

Thanks for the help I do appreciate it.

The topology was created in Visio, you have to search for 'router' and 'switch' if you want symbols like that.
 
Layer 3 switches basically have the ability to route packets using the same criteria that a router uses, but in hardware, so it's an awful lot faster than a standard router.
Most people buy a router to connect to a low speed WAN circuit like a 2Mbit serial link or anything under 10Mbit... Any of the high end routers such as Cisco 7609s, GSRs etc. are basically switches labelled as routers, as everything is done in hardware.
In the case of your 3750s you can actually configure the interface with an IP address exactly the same way as you can with a router. It's basically a router with gigabit ports and loads of them; the principle is the same, just many times faster, hence why they're used in the core. Just treat them like routers.

Normally the access layer of the network <2950s or whatever make> will be layer 2 only and will have VLANs and access ports, with a trunk port connection to the upstream distribution switches. These normally have VLAN interfaces, which is a software interface configured with an IP address that will be the default gateway for people on that VLAN at the access layer. The distribution switches will then normally connect to a core layer which runs strict layer 3 routing between the rest of the core and other distribution switches. There are loads of examples of this on the Cisco site; it's a pretty well known base design for most largeish LANs.
 
That makes sense thanks a lot, i've just had a quick further read on them now.

How would a firewall usually fit into a topology in terms of its positioning and the WAN?

You guys have been very helpful, there's a lot of knowledge around these parts :)
 
I've had another quick look at your diagram. As you've only got 700 PCs, which isn't that bad, you could go with the collapsed core design, which basically means your core and distribution are the same switch (collapsed), so each of your remote access switches connects directly into the core switch, which is where you have your VLAN interfaces (default gateways), which could be set per building/department/etc. Run a layer 3 routed link between the 2 core switches, which would stop broadcast traffic going between each core switch; you could configure EIGRP between the 2, so that the subnets for all VLANs are reachable from each core switch.

OR

If for example some of your departments end up spanning both core switches, you could run a layer 2 802.1q trunk between each core switch, so that traffic for all Vlans can be carried everywhere, and one or the first core switch has all the Vlan gateways.

In terms of the external links, I'd have the Internet router and the WAN router plugged directly into a firewall on separate interfaces, with another interface connecting to the LAN, so all traffic is filtered via the firewall.
 
The advantages of layer3 in the core are generally...

No large broadcast domain (so the potential for a broadcast storm to stop the entire network - which only requires one patching mistake - is vastly reduced). Any layer2 problems are isolated to the access switch in question.

Greater scalability and redundancy. There are far more ways to provide redundancy at layer 3 as opposed to layer 2, so reliability is much better. Also the network should scale much better in future if based on a layer 3 design, load balancing is more flexible and the network will be less 'chatty'.

Layer 3 switches are really just multi port ethernet routers as far as you need to know (they also do some clever things to make them faster than routers). Essentially though, layer3 switches have ethernet interfaces only, if you want an e1 or DSL interface or any other type of WAN interface then you'll need a router. If you don't need a WAN interface in the core router (which you don't as you're using fibre between core switches) then layer3 switches are much better value and the obvious choice.
 
One big differentiation is that typically layer 3 switches will have IP addresses assigned to VLAN interfaces rather than physical ports (Cisco don't insist on this but others - Foundry for instance - do). I'd disagree about the 7000 series routers though, they are fast but that's because they cost a fortune and even so their throughput doesn't touch a 6500 at the same price point...

Also, I'd steer clear of EIGRP. Stick with open protocols if you're designing a network from scratch. OSPF is just as good in practical use and works with anybody's hardware, which could matter if you go with a Juniper firewall in a year's time...
 
I'd disagree about the 7000 series routers though, they are fast but thats because they cost a fortune and even so their throughput doesn't touch a 6500 at the same price point...

7600s ARE basically 6509s because they have almost the same architecture and use exactly the same supervisor cards (Sup720 for example), which can be dragged straight from a 6500 and are the main bulk of the cost... The only difference is that 7600s can have high speed WAN line cards like POS/ATM, which you can't have in 6500s unless you have a FlexWAN module <discontinued>. A 7609 can manage exactly the same 40Gbps per slot, or 720Gbps total across the chassis with a Sup720, the same as a 6500 can.


One big differentiation is that typcially layer3 switches will have IP addresses assigned to vlan interfaces rather than physical ports (cisco don't insist on this but others - foundry for instance - do).

Depends where you read I guess. In some cases where you're running layer 3 switching in the core you must use routed links, because VLAN interfaces only come into play where you're routing between VLANs. In a properly designed network with Access, Distribution and Core, the VLANs end at the distribution layer, meaning that your 3700/4500/6500s will need IP addresses assigned to ports to have layer 3 routing, because no VLANs exist at all in the core, and the connections that go from distribution to core must also be strictly layer 3 only.
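To make the advice in this thread concrete, here is an added Cisco IOS configuration sketch for one of the two collapsed-core 3750 stacks described above: one VLAN per AD forest with the SVIs as default gateways, a routed (no switchport) link to the second core switch so no broadcast domain spans both cores, a routed link to the firewall that sits between the core and the Internet/WAN routers, and OSPF rather than EIGRP as the open routing protocol. This is not config from anyone in the thread; hostnames, interface numbers and all 10.x.x.x addressing are constructed for the example, and CORE-B would mirror it with the other side of each /30.

```ios
! CORE-A: hypothetical 3750 stack acting as collapsed core/distribution
hostname CORE-A
! enable layer 3 forwarding on the switch
ip routing
!
vlan 10
 name FOREST-A-CLIENTS
vlan 20
 name FOREST-B-CLIENTS
!
! SVIs are the default gateways for the access-layer VLANs
interface Vlan10
 ip address 10.10.0.1 255.255.254.0
interface Vlan20
 ip address 10.20.0.1 255.255.254.0
!
! 802.1q trunk down to an access switch, carrying only the VLANs it needs
interface GigabitEthernet1/0/1
 description Trunk to ACCESS-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Routed point-to-point link to CORE-B: no VLAN, so no broadcast domain between cores
interface GigabitEthernet1/0/24
 description Routed link to CORE-B
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! Routed link to the firewall inside interface; Internet and WAN routers hang off the firewall
interface GigabitEthernet1/0/23
 description Routed link to FW inside
 no switchport
 ip address 10.0.1.1 255.255.255.252
!
! OSPF so a non-Cisco firewall can participate later; client VLANs are passive
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/24
 no passive-interface GigabitEthernet1/0/23
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.1.255 area 0
 network 10.20.0.0 0.0.1.255 area 0
!
! default route toward the firewall (constructed firewall inside address)
ip route 0.0.0.0 0.0.0.0 10.0.1.2
```

With this layout a layer 2 fault (a patching loop on an access switch, for instance) is confined to that switch's VLANs on one core, since the inter-core and firewall links carry no VLANs at all.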
 