Cisco WAN :: 2811 / Metro Ethernet Design Considerations?
Dec 9, 2010
I am planning on implementing a metro ethernet circuit to replace a more expensive circuit to connect my office and data center. This circuit will be configured by the provider in a 'transparent' manner, which will allow us to pass vlans freely over the circuit without having to create a QinQ tunnel. This is a layer 2 only metro ethernet circuit.Planning on connecting the office end to a 3750 (switch A) and the data center end to a 2960 (switch B). The data center end will have a couple of other 2960s hanging off of it for server connectivity (switches C & D). I plan to use a 2811 (router A)for layer 3 connectivity in the data center. Switch B will plug into router A and switches C & D will plug into switch B using two port-channelled links. I can post a diagram if needed.I will use rpvst here and configure switch B as the root bridge.There are about 10 vlans that I use between the office and data center. Router A is also used to connect to other environments such as staging, production and also to the internet. I think this should be a straight-forward configuration since it is mostly layer 2. Should switch B be the root bridge?
We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers. We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.We quickly dismissed the idea of using VRF-Lite due to the sheer number of Vlans we would need to managage and maintain, the point to point links alone just to get one additional VRF on each floor required far too many Vlans.As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, the fact that all switch to switch links can now be routed, instead of having to using SVIs.
I recently ran into some problems concerning the use of a Cisco layer 3 switch (3560) as an Internet edge device to perform a simple static route between the customers network and the ISP POP router. Although this device can perform the routing at the edge for Internet traffic, I am concerned that this device has limitations when it comes to functions such as traffic shaping to the subscribed bandwidth of the Metro Ethernet access to the Internet. Since the 3560 could not conform to the 20 Mbps of subscribed bandwidth, any traffic beyond 20 Mbps was dropped causing performance issues with applications that use TCP. I am trying to find design documents or white papers that would either support or not support using a layer 3 switch as an Internet perimeter device instead of a router. I would like to know if Cisco has a specific perspective on this subject and whether or not they would ever recommend actually using a layer 3 switch model that is a 37XX or below?
I curently have 2 Data centers connected with a Metro Ethernet Connection. Each Data Center has 6500 with Sup720s. The Metro Ethernet connection is currently conected by a L3 routed interface. I now need to enable VRFs between the locations and want to determine the best way to adjust the Mero. I was considering adjusting the routed interface to use Ethernet sub-interfaces. Each VRF would be given a different subinterface over the Metro Ethernet connection. I have done this on internal LAN connections but am concerned about exteding across data centers over Metro E.
My company uses a Sonicwall NSA 3500 as it's Firewall/WLAN controller and lightweight Sonicpoints for the private/public WIFI access. We are getting ready to implement wireless at one of our branch locations a few blocks away(We use Metro Ethernet to connect the 2).I know with the current firmware the Sonicpoints can't provision to the Sonicwall NSA over the Metro Ethernet like Cisco lightweight AP's can because the Metro Ethernet strips their VLAN Tags and obviously the Sonicpoints don't support REAP.what other options (short of installing another WLAN controller at the remote site) do I have to connect the AP's at the WLAN controller at our main location.
We are in the process of upgrading the bandwidth at a few offices. Each currently have a 2xT-1 connection but have high utilization on the circuit which is why they are being upgraded. We are trying to decide b/t either a partial DS3 or metro ethernet connection. Are there pros/cons b/t the two in order to decide which to go with? Cost is not an issue. Some say going with a partial DS3 circuit offers benefits over metro ethernet such as network-based failover, end-to-end availability is better with DS-3 and QoS.
my company will change WAN connection from HDSL (2Mb/2Mb) to Metro Ethernet (10Mb/10Mb). Now, I have CISCO 1841 (12.4(15)T12 ) with 2 FE and HWIC-1T. Can i configure my Metro Ethernet (WAN Connection) on one FE or i need of "external wic" such as hwic-1FE ?
I am trying to configure a new metro ethernet and have some questions about the configuration. The physical layout is a main office and two remote locations. The remote sites are point-to-point connections to the main office, tagged by the ISP with VLAN 130 and VLAN 140. The connections aggregate into one handoff at the main office, and are plugged into Catalyst 3750-X switches at all three sites.
I am preparing to move two branch offices from a point to point T1 connection to Century Link Metro Ethernet.Currently my branch locations connect to my HQ 7204 router via a channelized DS3. I have a 4507R at HQ that I will connect the ME circuit to.We will also be moving our Internet connection on the ME circuit.Our service provider Clink will hand me a single Ethernet handoff for the Internet and branch office connections. For the first phase I will connect one branch office using ME. Once that is in place and tested we will move another office and so on. Then our final step is to move our web connection to the ME circuit.Each branch office has their own unique voice and data subnet. They each have a 2801 router and a 3560 switch. The routers are MGCP gateways with only one PSTN connection, a POTs 911 line on a FXO port.
So my questions are;
1 - Should I connect the ME directly in to the 3560 at the branch offices or use the Fa0/1 on the 2801? Fa0/0 is currently connected to the 3560.
2 - On my 4507R at HQ how will I configure the ME switch port? As a dot1q trunk port?
3 - Given that ME is basically a LAN connection will I have to re IP the branch office? HQ is 10.10.1.x/24. Branch is 10.10.166.x/24 (data) 192.168.166.x/24 (voice).
4 - On the 4507R will I need to configure a vlan interface for each branch subnet?
I attached two network diagrams. One represents our current topology (MEexisting) and the second represents the new ME circuit changes (MEprojected).
Today my sw upgrade procedure failed on a ME3600 Series switch.
From the past with LAN switches i thought that we need to set IP settings manually in ROMMON and then load remotely an IOS via TFTP.
But it seems that this is not supported there.So now i would like to ask how can i bring a bootable IOS to the ME3600 switch. and at least: how can i bring back my switch to life.
I could imagine that there is a missing default gateway.But what is the syntax for default gateway? And after I have connectivity i need to work for the process of loading a bootable image to the switch.
I have the possibility of upgrading a DS3 to Metro Ethernet, Gigabit connection. My dilemma is I have two VTP domains in my network. How can I get two VTP domains over one trunk to a remote site ?
we are setting up our first ATT metro ethernet connection. I have a Cisco 2960S at the remote site and I placed a Cisco 2960 on the Host site to test and had no issues. When I moved the Host site to our Nexus 7000, I can not get a link.. both sides are set as trunks,
I am currently finalising my project in Uni and in the project planning section is asks if there are any ethical considerations to be made in my project. I am conducting penetration testing on a VIRTUAL network simulator (GNS3) using Metasploit toolkit. I am guessing I will need permission to download these tools onto the university network, would that count as an ethical consideration? If not, what would I say in this section? note, all of the data I am using in the project was created by myself, and there is no other human participation.
I had a question regarding the Cisco 2811. I tried fitting an NM 2FE-2W card and the fast Ethernet interfaces of the module never get recognized. Is there a special command to enable it or isn't the module supported at all by the router. If not , is there a way to have the router possess more than the 2 Fast Ethernet interfaces it already has? Let me know if any more info is needed from my end.
Another question I have out of curiosity. Is it possible to make the controller T1 port of a VWIC 1MFT-T1 or a VWIC 2MFT-T1 act as a fast Ethernet.
I have a 50 Mbps metro ethernet connection between our main office, and our collocation site, where we store web servers, DR equipment and VPN access gateways. I have two Cisco 3845 ISR's connected to the metro E circuit. The interfaces on each router are configured as 100/full as requested by my ISP. We are connected via ethernet to a fiber media converter.
As I understand, CBFWQ will not kick in until congestion occurs on an interface. I also understand that the bandwidth command on an interface is to provide bandwidth related information to upper level protocols (like EIGRP, etc).
My question is that since the interface where I have CBWFQ configured on is at 100 Mbps, but my circuit is at 50Mbps, how can I get my routers to kick CBWFQ in when traffic demand exceeds 50Mbps+? Does the bandwidth command on the interface control that as well?
I am running LMS 3.2 and can not see the Nexus 5596 / ME-3600X-24FS-M Cisco switches on Cisco works LMS 3.2. Where I need them most is DFM the devices come up as unknown. An example below 10.125.202.1 is NExus 5596 and the rest are ME3600.
I have a cisco 1841 running on a 10Mbps Metro-E connection. I recently signed an agreement for a 100Mbps Metro-E. I am wondering if I will need to purchase a new router to support this new connection or will my 1841 be able to handle the traffic.
I have been reading for awhile now on all the Cisco forums on the 3560 and shaping egress traffic but I wanted to verify my thoughts on this. I have 3560 that connects to the ISP that is policing at 10Megs, I want to shape my egress traffic going to the ISP, I do not want to provided QOS to any specific traffic type but only shape all traffic outbound. Will my config below shape "all" egress traffic going to the ISP on the 3560, on a port that is physically connect at 100Meg Full duplex?
int gi0/1 srr-queue bandwidth shape 40 40 40 40
I gathered these numbers using the formula of 100* 1/weight, which would equal 2.5 and if each queue has 2.5 meg that would = 10Meg. However another concern is that I don't think I have the full 100Meg on the interface to use (correct?)
I have not done much with business routers, but we have a 1700 series with a WAN WIC-1ENET card with a RJ45 connection. We had a T1 line and will be moving to ehternet. We are going to be moving to a 20MB line, and i just wanted to make sure I have the right connections before installing. We also have a T1 line in another loaton and would be moving to this same 2811 router there as well.We would also like to copy over the configuration from 1700 series router to the 2811 router. Would it be easier to do it by hyper-terminal? Also if we keep the 1700 routers are they capable of using layer-3?
Is GET VPN be a better choice than DMVPN in order to support VoIP, Video over IP, Advanced QoS and Multicast? I think it should be the better choice based on what is described as the benefits and how it works but I just want an expert opinion.
Can separate groups be created using the same key serves? I need to protect two functionally separate WAN segments that terminate on the same DC core routers. However I want the separate WAN segments to have different encryption policies. Is this possible?
It is stated in the deployment guide for GET VPN that "Network Address Translation (NAT) is not supported by GETVPN. NAT must be performed before encryption or after decryption when GET is used." However the NAT capability is required on all the routers.
The 2900 series routers has embedded hardware encryption but according to the router perfomance guide, with a mix of traffic such as NAT, QoS and IPSec VPN they are unable to provide 100 mbps of throughput. Does the new ISM VPN modules would allow the routers to achieve 100 mbps of throughput with the services mentioned above?
we have anew office and have a 2800 router as a WAN router it has a 3G card and a DSL link. We have a ASA which has to be configured to 2800 router. we want that ASA shd have a VPN link with pirmary site over DSL if DSL fails it shd automatically fall to 3G....what we really need and how it would be done interims of IP addressing do we need any special IP from service provider.?
and this router will connect to 18 access point.and each access point need 30 usable host...how to design this netwotk, what subnet should i use...there is only 1 router, so just have only 1 default gateway,it is if the network have too many host, the speed will slow down, because they need wait others host to broadcast?
I have a customer with a unique configuration. They have two point to point connections - one using a laser link between buildings, and a backup fiber connection running ospf. Issue is when the laser link goes down, there is loss/no forwarding during the reconvergence, causing issues with transffering video feeds.
I'm working on a new network design for my company. We're expanding and opening some more offices and satalite sites. We're a UK based company but opening some US sites.We have a main UK office (Office A on the diagram) a call centre (Office B) and then two buildings on another site (Office C). The USA offices will be very small and only require a couple of computers, hence the small IP allocation. I have marked the IP addresses of the links on the diagram, I intend to use 3560 switches for all the switches marked and all links will be layer 3 to route multiple VLANs from each site to each site (where permitted). question is this: How do I achieve this in the switches? I'm thinking that OSPF is the way forward, is this right? I want to do as little configuration on the switches as possible to allow for dynamic updates of the network (i.e. I don't want to add static routes for everything).
Local LAN is connected with cisco 2800 router and SRX 210 Firewall, currently all LAN segment will go to my Data Center via ISP A and all internet traffic from LAN segment will go to internet via SRX firewall, there is no relation/connection between cisco router and SRX firewall. I have separate AS no. s for both the ISP
I am having attached scenario. based on current one I would like to do following.
1. I need to use PBR at LAN Switch ( its L3 Switch) such that in normal scenario - local VLAN traffic is equally distributed on both ISP. 2. dedicated internet traffic will flow through ISP B only and if WAN link of ISP B goes down, the internet traffic will pass through ISP A.
( in normal scenario, ISP A will utilized 100 % for LAN traffic to reach it to DC but once ISP B link goes down, the b/w of ISP A will be divided to route 50% traffic for LAN segment to DC and rest 50% traffic of LAN segment to internet)
i need to design a site-to-site VPN and VPN for remote users. I have attach a drawing, need to know if this is good setup. Mostly my concern is security. Im using ASA5520 for edge firewall and Linux firewalls are for additional security.I have to create 5 site-to-site VPN using IPSEC and 5 remote VPN clients. Site-to-site VPN are for trusted Office and remote VPN clients are only for our staff use.
From the diagram ASA5520 is configured as followed
outside interface is set to security 0 and connected to boder router to internet, inside interface is set to security 100 which is connected to a linux firewall which then goes to our internal lan.DMZ interface is set to security 50 which is connected to DMZ segment ,I decided to use the 4th interface for all VPNs which is set to security 100, and for this 4th interface i have created two sub interfaces vlan 400 (for site-tosite VPN) and vlan 500 (for remote access VPN). I did this because i have to use two separate linux firewall box. Linux firewall box for Site to Site VPN is configured with NAT but Linux firewall box for remote access VPN users are configured without NAT. I also want to know do i need to create a CA server or can i use pre-shared key with XAuth for remote access VPN users?
I have gotten the assignment of constructing a fictional network for my school.. and i cannot quite agree with myself upon which equipment i should choose.. its supposed to be all cisco. i need to supply 5000 users all in all, but only 300 on this site. i need to know which connections would be the most reasonable to use and of course which routers "if any" and switches i need.. (+ additional modules if needed) i have tried to make a visio representation, but i just think something is way off.
I have a new project coming up that will require more IPs added to an already quite full class C network. My other issue stems from foolishly putting all hosts in the crowded C network onto the management VLAN. In turn, I have to make each port a trunk.Moving forward I'm wondering what's best for design.or if I should just attempt to change the subnet mask across the board.?
I am in the process of planning our new network. Our business is changing from hosting its own data centre, to moving it to a professional facility. We have 120 users, over 100 servers (physical and virtual) and three sites (main premise, data centre, dr site). The new network will connect all three. Our new WAN links are almost ordered. We will be making use of a managed MPLS IP VPN, with a 100M access rate at each site. I am currently focusing on the desing of the network at the main business premise. We have a significant investment in Cisco 2960 & 3750 switches and Fortinet firewall appliances. I plan to re-use these in the design.
Our current LAN is very flat and I want to segment the network. My plan is to create a number of VLANs, enable the Inter VLAN routing on the 3750 and then attach the 3750 to the Fortinet appliance which will provide stateful firewalling and traffic policin based on the VLAN (subnet) addresses. It is important that the traffic be routed as quickly as possible from this site to our prod and dr data centres.The 2960's act as the access layer, the 3750 as the distribution layer. The 2960's will connect via port channels (layer 2) to the 3750's and the VLAN interfaces will be configured on the 3750.
I was then planning on creating a VLAN on the 3750 to connect to the Fortigate appliance with a /29 address to limit the addresses used whilst also providing some flexibility for any future design changes.I want to implement a little security between the VLANs on the 3750 switches. I have a question about this coming up.I then plan to use the Fortigate appliance to do basic traffic policing based on source/destination addresses.
The WAN routers will connect to the Fortinet appliance on a Gigabit copper interface. The WAN routers will run HSRP between themselves and only one router will be active at any one time. The failover will be managed by the Fortigate and Cisco routers.I plan to define those addresses hosted at the other data centres and associate them with the interface associated with the WAN.I will then define the routing on the firewall for the two other data centres through summary routes for each of the sites. We will run static routing from the Cisco 3750 to the Fortigate and Fortigate to WAN router. We have no other networks/sites and won't have any others in the future.
