Check my topology!

Fair enough, I was meaning 72xx series routers as I've never dealt with 7600s.

I'd always use VLAN interfaces unless MPLS is configured as it's more flexible if you have some odd requirement appear in future. Each to their own but I'd prefer the extra flexibility.
 
Well, I'll be using 6 cores from 5 of the distribution switches, and 4 cores from the other.

Only 4 cores will be patched, with the other two ready for future use. That still means I need to patch 24 single mode fibre cables into the core switch, can you recommend me a layer 3 switch for this kind of task?
 
Well, probably the cheapest Cisco option is a pair of 3750s in a stack. The model you'd want is WS-C3750G-12S-S with 12 single mode SFPs obviously. Two of these stacked will give you the 24 fibre ports you need for a reasonable cost.

Beyond that you're looking at a chassis based switch, if you want redundancy (which the previous stack option will partially give you) then you'd need to get a 4507 with dual supervisors and appropriate line cards - which will cost a lot. Without redundancy you'd get by with a 4503 with a single supervisor and appropriate line cards - which is still a lot but cheaper than a 4507.

I'd recommend the 3750 stack, it'll do all you need, provides some redundancy if you use diverse power for different stack members and spread the connections between stack members. It also gives you expandability both for additional fibre ports (add another switch of the same model) or for copper ports (add a cheaper copper only 3750).

The standard image supports basic routing protocols, you should only need advanced if you want to do advanced QoS...
 
Thanks very much, I'll check it out and try spy some prices.

I'm guessing the standard switch software will not be for layer 3 and the correct image will need to be installed?
 
You can buy with either standard or enhanced, both support layer 3... enhanced just adds QoS I think. I can't remember as I just put the enhanced image on all our kit by default...

You should only need standard though, so no need to change what's on there, prices wise, you should be able to get each switch for around £2700 ish (ex VAT) plus the SFPs etc...

EDIT: and a quick look at my 4500 price sheet suggests you won't be finding a redundant (2x PSU 2x Supervisor 2x line cards) 4507 for less than 16k or so...
 
Cheers for the help, it's been sound advice.

I'm still unsure on where to have the firewall sitting in all of this.

My topology now is basically...

ROUTER (WAN LINK)
|
|
|
LAYER 3 SWITCH
|
|
|
DISTRIBUTION SWITCHES
 
Router ---- Mini Switch ---- Firewall ---- Layer 3 ---- Distribution

Putting a switch between firewall and router will allow you to prevent collisions. That's how I have things set up at work.
 
That's a pretty good plan. I don't buy preventing collisions, setting the speed/duplex correctly will do that, but the switch between the WAN router and firewall will let you plug in a laptop to test if you have connectivity issues (confirms it's not the firewall) or collect Wireshark captures if you need to.

That said, it's not necessary...
 
I have a Cisco 2800 router going into a PIX 515E at work and it was colliding like mad on the external interface even with the speed and duplex set, threw a switch in and all collisions gone :-). Doesn't need to be anything special (5-port will do) and saves a load of connection issues.
 
What about using Cisco 2950s for the distribution switches?

I'm not quite sure I need a 3750 because the 2950s are stackable. My distribution switches will all have 4 core single mode fibre heading to the core switch. Ideally they will need to all be 24 port as well.
 
2950s are end of life, the replacement is the 2960 series. But neither of these are stackable, the only stackable Cisco switch is the 3750. You should be fine with 2960s though for distribution, they are available with up to 48 ports so you shouldn't need to use stacking at the distribution side.

The only consideration is if you want power over Ethernet then you need the 3560 series as the 2960s don't have a PoE model.
 
What's wrong with stacking at distribution level?

If you didn't want to stack would you have to do something like this and include edge switches?

CORE SWITCH
|
|
|
EDGE SWITCH
|
|
|
Distribution #1- - - Distribution #2

If I didn't stack and adopted the above I would need to lay another cable to the edge switch. Although I suppose in reality the edge switch would be fairly close to the distribution switches.

Do correct me if I'm thinking wrongly here...
 
Well, what you're referring to as distribution is technically access I'm guessing (the switches individual users plug into). So given 48 port switches you'd need to have a large number of users hanging off each access switch to require more than a single unit.

There's nothing wrong with stacking at the access level but 3750s are very expensive compared to 2960s so it's rarely economical to. If you have a need for more than 48 ports per access switch in a few places I'd simply use a second switch connected back to the core switch (which you have enough fibre spare to do I think).

If you need 48 ports plus in lots of locations then I'd say your architecture is wrong and you'd be better off adding a distribution layer between the core switches and access switches. So essentially you'd have the core switch linked to a distribution switch in each location and then your access switches hanging off the distribution switch. At present you've got a collapsed core and distribution layer (the core switches essentially performing both functions). If you did add a distribution layer then traditionally you'd route at this level so there would be no VLANs or layer 2 traffic going through the core at all (in basic terms the distribution switch would be the users' gateway rather than the core switch).

If you do think you need distribution switches then you might want to consider getting a contractor in for a couple of days to go over it all. If you're having distribution boxes you'd likely want to run some kind of dynamic routing protocol (I'd recommend OSPF but Cisco people would recommend EIGRP) rather than just static routes.

That said, you could just use stacks for the access switches, there's nothing wrong with it at all except the cost!
 
Sorry, I understand that, I just made a mistake with the terminology. Thanks for your advice, it's proving very useful.

The reason I spoke about stacking is that I was unsure how much it would cost to lay and terminate a new fibre to a new access switch compared to adding a new switch in a stack. Obviously you can't keep stacking if you don't have enough bandwidth to support the extra users.

So distribution switches operate on layer 3? When this happens I'm guessing the purpose of the core switch is basically to link the distribution switches?

And an unrelated question...

As I understand it's at distribution switch level where you would be looking to create resilience initially? For example having two core switches and each distribution switch has a link to both cores?

Thanks again!
 
Yes, if you don't have spare fibre then adding stack members is far more economical. Typically though, people lay a 12 core fibre and only use 2 pairs for it, so the extra fibre is ready to go and costs nothing. Depends on the circumstances...

Yes, with a distribution layer the core becomes strictly a mechanism to route between the distribution switches as efficiently and quickly as possible. The edge (firewall, link to internet) would typically connect to the core directly as well, as would server access switches.

Yes, resiliency is best implemented in core and distribution (users don't generally have a resilient link on their PCs so access layer resiliency is limited at best). Two distribution switches per location and resilient links back to separate core switches is the norm as you mentioned. The other functions of the distribution would typically be QoS marking (identifying and marking traffic priority so the core switches can route based on the priority).
 
As it stands I can't really justify having more than 6 cores run as that's easily enough bandwidth for current requirements and any foreseeable future requirements. Only 4 cores will be used initially though.

It looks like it will be better to opt for 2960s. If another switch is added it would only have one pair available so I suppose I can justify 8 core for resiliency.

That all makes lots of sense, thanks a lot. Now I need to find a firewall/router for the WAN connection.

Thanks again!
 
If I use 8 cores for each fibre link (not all will be patched) I'll potentially need 48 available fibre ports. That would take a 4x3750 switch stack yeah?

Just need that then the GBICs!
 
Yep, that'd do (though they are a competitor so you might want to lose the link ;) )

I don't actually know how many units you can put in a single stack, I've used 5 previously though so you'll be fine at 4.

To be honest, even 2 pairs to each switch is 2Gbit full duplex and you'll need something really quite special to use all that bandwidth. Also you have the advantage of having single mode fibre in place so if you have a bandwidth problem in the future you could move to 10Gbit connections (prices will be down in a couple of years).

Firewalls wise, it really depends what you know and your internet bandwidth. I like Juniper NetScreens personally, an SSG120 should handle most people's connection bandwidth and is reasonable money, but firewalls are a preference thing, if you know something then stick with it... (or you may want to go for a single vendor and get a Cisco ASA)
 
I totally forgot about that! I've removed it lol.

Thanks, I'll have a nosey around, thanks for your help, it's been really useful and interesting. How did you learn everything? Degree and work experience? Just through work?
 