Cisco LAN :: 3560 Network Design
Apr 1, 2012
I'm working on a new network design for my company. We're expanding and opening some more offices and satalite sites. We're a UK based company but opening some US sites.We have a main UK office (Office A on the diagram) a call centre (Office B) and then two buildings on another site (Office C). The USA offices will be very small and only require a couple of computers, hence the small IP allocation. I have marked the IP addresses of the links on the diagram, I intend to use 3560 switches for all the switches marked and all links will be layer 3 to route multiple VLANs from each site to each site (where permitted). question is this: How do I achieve this in the switches? I'm thinking that OSPF is the way forward, is this right? I want to do as little configuration on the switches as possible to allow for dynamic updates of the network (i.e. I don't want to add static routes for everything).
View 7 Replies
ADVERTISEMENT
Apr 15, 2012
I recently ran into some problems concerning the use of a Cisco layer 3 switch (3560) as an Internet edge device to perform a simple static route between the customers network and the ISP POP router. Although this device can perform the routing at the edge for Internet traffic, I am concerned that this device has limitations when it comes to functions such as traffic shaping to the subscribed bandwidth of the Metro Ethernet access to the Internet. Since the 3560 could not conform to the 20 Mbps of subscribed bandwidth, any traffic beyond 20 Mbps was dropped causing performance issues with applications that use TCP. I am trying to find design documents or white papers that would either support or not support using a layer 3 switch as an Internet perimeter device instead of a router. I would like to know if Cisco has a specific perspective on this subject and whether or not they would ever recommend actually using a layer 3 switch model that is a 37XX or below?
View 3 Replies
View Related
Sep 16, 2012
We have our network setup as displayed in the attached. We have 2 HQ offices and 1 branch office. The branch office needs to connect to resources located at both HQs but taking the most effecient path. We have ethernet circuits connecting from each HQ to 2 x Cisco 3560 switches in the branch. HSRP has been configured on the 3560 switches with SW1 as active and SW2 as standby. OSFP has been configured in a single area 0 and the path cost on the link between HQs has been increase to allow 3560 SW1 to route to HQ1 directly and HQ2 via 3560 SW2.The 3560s are connected with a trunk with a L3 SVI for OSPF. This seems to work ok but I have noticed that the branch could become transit if the HQ1 to HQ2 link breaks. How can this be avoided? I realise that if we configure the branch subnets and SW1 to SW2 link in a stub area (area1) then all traffic will route from SW1 to HQ1 and will never share over SW2. I'm assuming that this is because OSPF chooses inter-area routes over intra-area.
View 4 Replies
View Related
Apr 19, 2011
My objective is to analyze company network and enhance it.So I went to this company and ask them to give their network design.
View 2 Replies
View Related
Sep 30, 2012
and this router will connect to 18 access point.and each access point need 30 usable host...how to design this netwotk, what subnet should i use...there is only 1 router, so just have only 1 default gateway,it is if the network have too many host, the speed will slow down, because they need wait others host to broadcast?
View 11 Replies
View Related
Mar 5, 2013
I have gotten the assignment of constructing a fictional network for my school.. and i cannot quite agree with myself upon which equipment i should choose.. its supposed to be all cisco. i need to supply 5000 users all in all, but only 300 on this site. i need to know which connections would be the most reasonable to use and of course which routers "if any" and switches i need.. (+ additional modules if needed) i have tried to make a visio representation, but i just think something is way off.
View 6 Replies
View Related
Jul 5, 2011
I have a new project coming up that will require more IPs added to an already quite full class C network. My other issue stems from foolishly putting all hosts in the crowded C network onto the management VLAN. In turn, I have to make each port a trunk.Moving forward I'm wondering what's best for design.or if I should just attempt to change the subnet mask across the board.?
View 5 Replies
View Related
Aug 22, 2011
I am in the process of planning our new network. Our business is changing from hosting its own data centre, to moving it to a professional facility. We have 120 users, over 100 servers (physical and virtual) and three sites (main premise, data centre, dr site). The new network will connect all three. Our new WAN links are almost ordered. We will be making use of a managed MPLS IP VPN, with a 100M access rate at each site. I am currently focusing on the desing of the network at the main business premise. We have a significant investment in Cisco 2960 & 3750 switches and Fortinet firewall appliances. I plan to re-use these in the design.
Our current LAN is very flat and I want to segment the network. My plan is to create a number of VLANs, enable the Inter VLAN routing on the 3750 and then attach the 3750 to the Fortinet appliance which will provide stateful firewalling and traffic policin based on the VLAN (subnet) addresses. It is important that the traffic be routed as quickly as possible from this site to our prod and dr data centres.The 2960's act as the access layer, the 3750 as the distribution layer. The 2960's will connect via port channels (layer 2) to the 3750's and the VLAN interfaces will be configured on the 3750.
I was then planning on creating a VLAN on the 3750 to connect to the Fortigate appliance with a /29 address to limit the addresses used whilst also providing some flexibility for any future design changes.I want to implement a little security between the VLANs on the 3750 switches. I have a question about this coming up.I then plan to use the Fortigate appliance to do basic traffic policing based on source/destination addresses.
The WAN routers will connect to the Fortinet appliance on a Gigabit copper interface. The WAN routers will run HSRP between themselves and only one router will be active at any one time. The failover will be managed by the Fortigate and Cisco routers.I plan to define those addresses hosted at the other data centres and associate them with the interface associated with the WAN.I will then define the routing on the firewall for the two other data centres through summary routes for each of the sites. We will run static routing from the Cisco 3750 to the Fortigate and Fortigate to WAN router. We have no other networks/sites and won't have any others in the future.
View 25 Replies
View Related
Dec 26, 2011
How to design network with two buildings. each buildings five- storey buildings.buildings 1 has 200 computer and buildings 1 has 150 computer. which topology and cabling to use
View 2 Replies
View Related
Jul 13, 2011
I am going to design a network of an University.I want solution completely on cisco
View 2 Replies
View Related
Mar 6, 2013
I've been tasked with designing a network consisting of 3 separate broadcast domains with each one representing a separate business accross 3 separate floors. None of the companies should be able to communicate with each other.I've been told that the design should only represent the first 3 layers of the OSI model so I'm only looking at Cabling, Switching and Routing.
I don't expect you all to tell me exactly how I should do this, however I just need a starting point. My main issue is with routing. I'm aware that each port on a router represents a broadcast domain so if I use one router, 3 broadcast domains, does that means that none of the domains will be able to communicate with each other? Should I use more than one router or can i get away with one? Also just so you are aware I've been told not to use VLans and each broadcast domain must have its own ip address schema.
View 19 Replies
View Related
Mar 1, 2012
The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.
1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.
2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?
3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?
Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.
Additional Details/Requirements -
BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.
ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)
Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.
ISP's are not Symentrical, one is 50mbps and the other is 250mbps.
All NAT should take place at the ASA's
Additional Questions:
The routers that have gig etherswitches, can they run HSRP?
Should I be putting Layer 3 switches between the routers and the ASA's instead?
Where should I run my iBGP communication for the routers?
View 8 Replies
View Related
Jan 17, 2013
1.create a drawing showing a private routed network.
2. On this drawing you will show your placement of the following,why they were placed there (you can use one or more of the servers/router listed in your drawing):
View 1 Replies
View Related
Jun 1, 2012
I'm looking for feedback and constructive criticism on our network redesign project for our company.We are currently on a 192.168.1.x/24 and running out of addresses. We are looking to move to the following design and implement VLANs as well for segregation and security. We are probably going to use a few SG300s for switches. [code]
View 4 Replies
View Related
Jun 14, 2012
I have been recently asked to design a network. What I have for equipment is four 2960G's and one 1941 router. One switch is a root switch and the other three will have end devices on them.I have decided on three V lans to go with: VLAN20 Data, VLAN30 ISCSI, and VLAN99 Management each with seperate trunk links and redundancy (see picture below).
I have a seperate trunks for each V lan using the switch port trunk allowed. With exception to the Data V lan.My design has the Data V lan as the native because it is going to be receiving untagged traffic from the external network. I have set up inter v lan routing on the 1941 via sub-interfaces to allow them to talk to each other (or because of allowed they cannot?). I have one port coming from my router to my switch via Ethernet cable which is my bridge out. I have my external port doing a NAT translation for my inside addresses and a Default route set up ip route 0.0.0.0 0.0.0.0 gig0/0. I am using rapid- PVST to prevent loops and provide my zero downtime convergence when a link goes down. As it stands right now I cannot talk out of my network or inside of my network.
You can see it is highly redundant and I do not want to change it. This network is going to be deployed but there will never be anybody physically there to manage it which is why I made it as redundant as humanly possible.
View 10 Replies
View Related
Mar 19, 2013
I'm currently working on setting up 2 ASA 5510's with redundancy/failover. I'm not an expert when it comes to the ASA's so I'm not 100% sure if I can do what I need to.I have 2 inside networks that need to remain separate, a DMZ network,and an outside network. Since each network connects via ethernet to one of the 4 ethernet ports on the ASA 5510's, all 4 ethernet ports on the ASA 5510 will be in use. If I wanted to setup one firewall as Active and the other as standby, how would I go about doing that? Do I need a direct ethernet connection between the 2 firewalls to use something such as HSRP? Or would the Standby firewall be able to tell if the Active firewall is OK since they would both be connected on each of their interfaces to the same networks?
View 1 Replies
View Related
Apr 11, 2013
remote location on MPLS circuit terminated on a Cisco router that has Internet connectivity through Central Site router. We are installing a cable modem at the remote location that is to be used as the Primary Internet Connection but still be able to use Internet through MPLS if the cable Internet goes down. We want the failover/fallback to be handled automatically.
We have an ASA5505 for the cable Internet which then feeds into the ISPs modem.
At first I was thinking about getting a module for the remote router so the cable Internet could be terminated on the remote router as well but that introduces a single point of failure. I would also like to firewall both the MPLS and the cable Internet but if I do so on the ASA there is another single point of failure.
View 2 Replies
View Related
Jan 5, 2012
One of our clients is replacing some of their aging network components with 4 Cisco 2960S switches. Unfortunately in this case, my skills of switch configuration are greater than my skills of network design. I have a really crude network diagram of their basic network layout (4 servers, 4 switches, and a number of endpoints).
How would you experts design the physical connections in such a way as to facilitate some redundancy?
View 18 Replies
View Related
Jan 25, 2011
I am just browsing and looking for a solution to converge my multi-vendor switched network and bring some redundancy to it as recently
we managed to get a redundant links. I have a need to change core switch to Cat3750G, which has Per-V LAN-RSTP+ on board, but tests have shown that it won't be compatible with some other proprietary per-V LAN RSTP solution other vendor's switches use currently.
So, I thought maybe standard-based MSTP design might do the trick. I've made some tests and got some weird and unstable switching result. I have two topology rings with a core switch in the center. Every ring has about 10 switches, so practically network diameter may vary from 5 switches (when spanning-tree converges in the center and I have a blocking port somewhere int the middle of the ring) to about 10-11 switches (if a I have link failure on any of ports right at the core switch). I disconnected one port from core switch to eliminate a possible switching loop while I will be configuring new MSTP design. Then I started enabling MSTP on all the switches staring from core Cat3750G to MSTP, one by one, placing all switches to the same MSTP region, and placing all V LAN's to default MSTI0(CIST) cause I don't need to organize any separate MSTP instances for every V LAN or for group of V LAN s. When I turned MSTP on on 7th or 8th switch in the chain (cause I had a physical chain when I disconnected one port out of redundant ring) I got all switches "flapping", storming and flooding the network with broadcasts. Even when I had one redundant port disabled.
I have no idea what I am doing wrong. I noticed that Cat3750G has an option that defines a possible network diameter which actually automatically changes some hello, max age etc. attributes according to diameter specified. When I defined a maximum network diameter of 7, if didn't change anything: I still have hello timer of 2 sec etc. I've been wondering if the maximum network diameter has something more than just a "variable" to fine tune hello timers etc? Maybe I won't be able to use MSTP in my network which might have diameter more that 7 switches. Or maybe it was a mistake of placing all the switches to the same region and all the v LAN s to the default MSTI0 (CIST) and I should configure one MSTI per V LAN or per some group of V LANs and subdivide my switches to few MSTP regions?
My topology briefly looks like this:
+--SW1----SW2----SW3---CORE---SW4---SW5--SW6---+
| | | |
+---SWxx---SWxx-----------+ +------SWxx-----SWxx----+
As I said, each "ring" has about 10 switches connected side by side.
View 4 Replies
View Related
Oct 7, 2011
I have a Canon ScanFront 220 network scanner that seems to have a problem with our network. It's plugged into a Cisco 3560. The network is operational, just chatty.
A wireshark session for just a few seconds looks like this: (192.168.81.42 is the scanner)
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.89 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.90 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.91 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.92 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.93 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.94 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.95 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.96 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.97 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.98 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.99 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.101 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.102 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.103 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.104 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.106 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.108 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.109 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.110 Vlan81
1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.111 Vlan81
I can't find anything on the scanner that would cause this.
View 3 Replies
View Related
Dec 7, 2011
I want to give a breif overview of the current setup and what I had planned to do in the future. This is also where a few questions come into play. Currently we have 3 10.x.x.x subnets between three buildings with a wan connection. This connection is invisible to us so it can be seen as just a lan. The speed is 100mb. We have a 2811 router sitting at each building translating their traffic back to 10.3.1.1. We then have a router in the main building which ships the 10.3.x.x traffic to a ASA and then out the door to a ISP.
My plan was to upgrade this 100mb WAN connection to 10g fiber between our buildings as they are in extremely close range of each other. I would need a equipment upgrade as a 2811 won't support 10g traffic. Rather than replacing 3 routers in each of the buildings it seemed logical that I could get something like a catalyst 4500 or 6500 and do int vlan routing making it all one huge campus lan. Creating a vlan for each building to segment the traffic between them. My understanding was that a cat 3500/4500/6500 did not need a router with sub interfaces in a one arm setup to bridge this traffic. This is where the problem comes in.I tested with a cat 3560 and was unable to get the vlans to route correctly. Do I have to have a router to get int vlan routing to work? If so then I might as well get a Router which can handle multiple 10g fiber for the core instead of a cat 4500/6500 since I'd need the router to do the int vlan routing anyway?
View 17 Replies
View Related
Sep 11, 2012
creating an Access List on my Intervlan network.how I create my network.I've managed to get the Inter-vlan working and my problem now is to restrict some vlan from accessing one another.
- I've enabled IP Routing on 3560 switch.
- All vlans can PING each other.
- All vlans can access the internet (172.16.1.2)
View 8 Replies
View Related
Nov 21, 2012
Looking for input/thoughts on the upgrade of our 3560's and 3750's while on production network.
While we could remotely send the IOS over the network to the device, I'm concerned about errors and the lack of physical control of the device. So, the thought is to just go to the comm closet, plug in with laptop to the console port, and upgrade the IOS over the console port. But this would require xmodem, correct? I know the fastest way would be to a. configure an empty fa0/0 port to no switchport, add an IP address, and use tftp. BUT, we would have to isolate the switch from the production network while connected to it with our laptop. Otherwise, our laptop would be seen on the network as an unknown device, and there would be repercussions...
So, we console into the device, and u/l the IOS that way. Is there a way to increase the baud rate on the switch to 115200, change putty to 115200, then do the x modem? I just say we should shut all the ports to isolate the switch from the network, then tftp the IOS to the switch. Unplug, reopen the ports, then reboot the switch.
View 11 Replies
View Related
Jun 2, 2013
How many secondary network config possible???
Switch - Cat3560
IOS Ver 12.2(50)se5
View 6 Replies
View Related
Jan 16, 2013
I am implementing QoS on our MPLS network. Our environment exists of a mix of Cisco 2960 and 3560 switches. The IPT system is Avaya CM with Avaya phones.The WAN network is a MPLS network.Ports are configured for access and voice vlan (no trunking), one vlan for voice, one for data (vlan 1 is disabled).I dont have Qos coonfigured on LAN just wanted to configure on WAN Router where my Mpls link is connected.I have 45 Mb Mpls links on all sites connected to each other.
I have multiple sites connected via MPLS and i have control at both sides.Current config is mentioned below in which DSCP marking is not done for signaling. What is the best config with example.Current Config on all Cisco Router where MPLS link is terminated at all sites. [code]
View 10 Replies
View Related
Dec 1, 2011
I have a CAT 3560 connected to a ISR 2911 The 3560 has 2 subnets ( 192.168.1.0 /24 and 10.10.10.0 /24) The 2911 has interface GigabitEthernet0/1 on the 192.168.1.0 /24 and another GigabitEthernet0/0 on a WAN connection 172.16.7.246 I need to NAT both the 192.168.1.0 /24 and the 10.10.10.0 /24 to the single address 172.16.7.246 I have to use route-maps . I have IPSec VPN's and ZBF on the 2911 My problem is the NAT does not work for the 10.10.10.0 /24 network!Why?is my only option to use trunking between the 3560 and 2911 and subinterfaces on the 2911? I want to avoid sub-interfacing.
=============================================================
On the Cat 3560=====================!vlan 40name the 192.168.1.0 /24 subnet!vlan 60name the 10.10.10.0 /24 subnet!interface FastEthernet0/7description Connection to Router Gig0/1switchport access vlan 40!interface FastEthernet0/16description Connection pc host on the 10.10.10.0 /24 subnetswitchport access vlan 60!interface Vlan1no ip address!interface Vlan40ip address 192.168.1.4 255.255.255.0!interface Vlan60ip address 10.10.10.10 255.255.255.0!ip classlessip route 0.0.0.0 0.0.0.0 192.168.1.1
=========================
The host on the 10.10.10.0 /24 network has the 10.10.10.10 address as it's default gateway The host can not access the WAN thru NAT....
View 3 Replies
View Related
Feb 6, 2013
I have 5 linux and 3 Microsoft 2008 Servers, each connected to 2 Cisco 3560 Switches. The 2 Cisco 3560 switches are connected to 2 different Cisco 515e Pix. Is it possible that if i enable Port SPAN in any of the switchport and send a copy of traffic to any of the windows 2008 server, will i be able to monitor the bandwidth of the servers (Here I am only looking for traffic going from servers to PIX and then to internet, also vice versa).
Also will wireshark be able to differentiate specify the bandwidth of each servers seperately ?
View 3 Replies
View Related
Jan 21, 2013
i have 300 user in network in 2 building and firist buiding 5 flors.i use subnet /22.i have core switch 3500xl fiber and 8 swith 3560 and my network have 2 router one for adsl and other for mpls so i want upgrade it to make voip network and wireless
so if i need replace switch what i model and how many?
View 5 Replies
View Related
Jan 31, 2012
Our network feels slow and trying to find the best way to investigate this properly. We have Cisco chassis 4500 with mix of 3560/2950 Edge switches 1GB backbones and WLC/WCS in place. The network is broken into multiple V LANS and IOS on our switches haven't been updated in 3-4 years.
On a wireless laptop (G) with get throughput of 1-2MB/s transfer speed with usually 10 clients per AP and LAN we get anywhere between 7-15 MB/s transfer. Using wire shark on a wireless laptop we see a lot broadcast traffic from other clients and the same for LAN. What is the best way to troubleshoot performance issues on the network and where do I start?
View 1 Replies
View Related
Nov 24, 2011
Is GET VPN be a better choice than DMVPN in order to support VoIP, Video over IP, Advanced QoS and Multicast? I think it should be the better choice based on what is described as the benefits and how it works but I just want an expert opinion.
Can separate groups be created using the same key serves? I need to protect two functionally separate WAN segments that terminate on the same DC core routers. However I want the separate WAN segments to have different encryption policies. Is this possible?
It is stated in the deployment guide for GET VPN that "Network Address Translation (NAT) is not supported by GETVPN. NAT must be performed before encryption or after decryption when GET is used." However the NAT capability is required on all the routers.
The 2900 series routers has embedded hardware encryption but according to the router perfomance guide, with a mix of traffic such as NAT, QoS and IPSec VPN they are unable to provide 100 mbps of throughput. Does the new ISM VPN modules would allow the routers to achieve 100 mbps of throughput with the services mentioned above?
View 5 Replies
View Related
May 29, 2012
we have anew office and have a 2800 router as a WAN router it has a 3G card and a DSL link. We have a ASA which has to be configured to 2800 router. we want that ASA shd have a VPN link with pirmary site over DSL if DSL fails it shd automatically fall to 3G....what we really need and how it would be done interims of IP addressing do we need any special IP from service provider.?
View 2 Replies
View Related
Jan 31, 2013
I have a customer with a unique configuration. They have two point to point connections - one using a laser link between buildings, and a backup fiber connection running ospf. Issue is when the laser link goes down, there is loss/no forwarding during the reconvergence, causing issues with transffering video feeds.
View 7 Replies
View Related
Jan 10, 2011
Local LAN is connected with cisco 2800 router and SRX 210 Firewall, currently all LAN segment will go to my Data Center via ISP A and all internet traffic from LAN segment will go to internet via SRX firewall, there is no relation/connection between cisco router and SRX firewall. I have separate AS no. s for both the ISP
I am having attached scenario. based on current one I would like to do following.
1. I need to use PBR at LAN Switch ( its L3 Switch) such that in normal scenario - local VLAN traffic is equally distributed on both ISP.
2. dedicated internet traffic will flow through ISP B only and if WAN link of ISP B goes down, the internet traffic will pass through ISP A.
( in normal scenario, ISP A will utilized 100 % for LAN traffic to reach it to DC but once ISP B link goes down, the b/w of ISP A will be divided to route 50% traffic for LAN segment to DC and rest 50% traffic of LAN segment to internet)
View 2 Replies
View Related
