Cisco WAN :: 3560 Internet Edge Design On Metro E

Apr 15, 2012

I recently ran into some problems concerning the use of a Cisco layer 3 switch (3560) as an Internet edge device to perform a simple static route between the customer's network and the ISP POP router. Although this device can perform the routing at the edge for Internet traffic, I am concerned that this device has limitations when it comes to functions such as traffic shaping to the subscribed bandwidth of the Metro Ethernet access to the Internet. Since the 3560 could not conform to the 20 Mbps of subscribed bandwidth, any traffic beyond 20 Mbps was dropped, causing performance issues with applications that use TCP. I am trying to find design documents or white papers that would either support or not support using a layer 3 switch as an Internet perimeter device instead of a router. I would like to know if Cisco has a specific perspective on this subject and whether or not they would ever recommend actually using a layer 3 switch model that is a 37XX or below?


Cisco Switching/Routing :: Shape 3560 For 10Meg Metro-E Internet Connection

Nov 12, 2012

I have been reading for a while now on all the Cisco forums on the 3560 and shaping egress traffic, but I wanted to verify my thoughts on this. I have a 3560 that connects to the ISP that is policing at 10Megs. I want to shape my egress traffic going to the ISP; I do not want to provide QoS to any specific traffic type but only shape all traffic outbound. Will my config below shape "all" egress traffic going to the ISP on the 3560, on a port that is physically connected at 100Meg full duplex?
  
int gi0/1
srr-queue bandwidth shape 40 40 40 40
 
I gathered these numbers using the formula of 100* 1/weight, which would equal 2.5 and if each queue has 2.5 meg that would = 10Meg.  However another concern is that I don't think I have the full 100Meg on the interface to use (correct?)


Cisco WAN :: 2811 / Metro Ethernet Design Considerations?

Dec 9, 2010

I am planning on implementing a metro ethernet circuit to replace a more expensive circuit to connect my office and data center. This circuit will be configured by the provider in a 'transparent' manner, which will allow us to pass vlans freely over the circuit without having to create a QinQ tunnel. This is a layer 2 only metro ethernet circuit. Planning on connecting the office end to a 3750 (switch A) and the data center end to a 2960 (switch B). The data center end will have a couple of other 2960s hanging off of it for server connectivity (switches C & D). I plan to use a 2811 (router A) for layer 3 connectivity in the data center. Switch B will plug into router A and switches C & D will plug into switch B using two port-channelled links. I can post a diagram if needed. I will use rpvst here and configure switch B as the root bridge. There are about 10 vlans that I use between the office and data center. Router A is also used to connect to other environments such as staging, production and also to the internet. I think this should be a straight-forward configuration since it is mostly layer 2. Should switch B be the root bridge?


Cisco WAN :: 3560 Switch Configuration - Setting Up As Edge Router

Nov 27, 2011

I have a cisco 3560 switch set up as my edge router.  It is working as my external demarc switch and edge router.  It is sitting between the ISP's switch and my ASA firewall.  It's a very basic configuration with port 1 set up with a fixed ip and switchport turned off which is connected to the ISP switch.  VLAN2 is configured with an IP address and 3 ports, two of which go to different firewalls.
 
I found that I cannot ping a specific address from the inside interface (VLAN2), but I can from the outside interface Gig0/1. I have a few deny commands in an access list, but they don't apply to the network I'm trying to access, and I haven't had any other inaccessible networks otherwise.
 
Here's my config minus passwords and full IP ranges.  There are two ranges, one with xxx and one with xx.  The xxx is set as secondary, but is the one we really use.
 
Current configuration : 4808 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname my-rtr-ext
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
[Code] ............


Cisco LAN :: 3560 Network Design

Apr 1, 2012

I'm working on a new network design for my company. We're expanding and opening some more offices and satellite sites. We're a UK based company but opening some US sites. We have a main UK office (Office A on the diagram), a call centre (Office B) and then two buildings on another site (Office C). The USA offices will be very small and only require a couple of computers, hence the small IP allocation. I have marked the IP addresses of the links on the diagram. I intend to use 3560 switches for all the switches marked and all links will be layer 3 to route multiple VLANs from each site to each site (where permitted). Question is this: How do I achieve this in the switches? I'm thinking that OSPF is the way forward, is this right? I want to do as little configuration on the switches as possible to allow for dynamic updates of the network (i.e. I don't want to add static routes for everything).


Cisco Switching/Routing :: Output Queue Drops On 3750 Core Stack And 3560 Edge Switches

Jan 10, 2013

I've been fighting what seems to be an increased number of outqueue drops on our core stack and edge switches for the last 3 or 4 weeks. (The core consists of a stack of 5 3750s in 32-gig stack mode. The wkgrp switches are 3560s. All are at 12.2.52.) The wkgrp switches are directly connected to users. We use Nortel IP phones with the phone inline with the user PC, auto-neg to 100/full. [code] However I have tried turning off QOS on a couple of workgroup switches (no mls qos, but left individual port configurations the same) but am still seeing drops. Since I have disabled qos on the switches in question (no mls qos) (not the core tho) I am presuming these commands have no effect on the switch operation and therefore cannot be related to the problem. With QOS turned off one would presume that it is general congestion, especially at the user edge where busy PC issues might contribute. So I wanted to see if I could see any instances of packets in the output queues building up.

I wrote some scripts and macros that essentially did a snapshot of 'show int' every 20 seconds or so, and looked for instances of 'Queue: x/' where x was greater than zero. What I found after several days of watching the core stack, and a few of the workgroup switches that are most often displaying the behavior, was that I NEVER saw ANY packets in output queues. I often saw packets in input queues for VLAN1, once in a great while I would see packets on input queues for fa or Gi interfaces, but NEVER on output queues. [code] Additionally, when I look (via snmp) at interface utilization on interfaces showing queue drops (both core and wkgroup), they are occurring at ridiculously low utilization levels (as low as 4 to 8%). I've tried to look for microbursts between the core and a wkgroup switch where the core interface was experiencing drops, but haven't seen any (using observer suite). [code] While the queue-drop counts aren't critically high at this point, they are happening more frequently than in the past and I would like to understand what is going on... In most cases, no error counters are incrementing for these interfaces. Is there some mechanism besides congestion that could cause output queue drops?


Cisco Switching/Routing :: 3560 - OSPF Load Sharing Design

Sep 16, 2012

We have our network set up as displayed in the attached. We have 2 HQ offices and 1 branch office. The branch office needs to connect to resources located at both HQs but taking the most efficient path. We have ethernet circuits connecting from each HQ to 2 x Cisco 3560 switches in the branch. HSRP has been configured on the 3560 switches with SW1 as active and SW2 as standby. OSPF has been configured in a single area 0 and the path cost on the link between HQs has been increased to allow 3560 SW1 to route to HQ1 directly and HQ2 via 3560 SW2. The 3560s are connected with a trunk with a L3 SVI for OSPF. This seems to work ok but I have noticed that the branch could become transit if the HQ1 to HQ2 link breaks. How can this be avoided? I realise that if we configure the branch subnets and SW1 to SW2 link in a stub area (area1) then all traffic will route from SW1 to HQ1 and will never share over SW2. I'm assuming that this is because OSPF chooses inter-area routes over intra-area.


Cisco WAN :: IPS 4240 On Internet Edge With ASA 5520

Feb 20, 2012

setup the Physical connectivity of IPS 4240 on the Internet edge with the ASA 5520, how the topology will be

Is this a good design with IPS Appliance at Internet Edge?


Cisco WAN :: Use Router On Internet Edge Rather Than SG-300 Switch?

Aug 21, 2011

Apart from the ability to participate in BGP, is there any reason you should use a router on an internet edge rather than the SG-300 switch?


Cisco Infrastructure :: ASR 1002 Internet Edge Router

Jul 26, 2012

Any router (I'm considering ASR 1002 with 10GE SPAs) that can support the following:
 
-10GE interfaces
-can handle 1.5Gbps but scales up to 5-6Gbps different seasons
-take on full internet routes from 2-3 providers
-will live on the internet edge


Cisco Firewall :: 5520 - ASA For Internet Edge And Internal Zones

Nov 8, 2011

Used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
 
I'm thinking of using a routed context for securing the internet edge and then using separate contexts for the web and application networks. Contexts will route via a L3 switch.


Cisco Firewall :: 2821 Internet Edge Router From Internal Network

May 8, 2013

What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall? We want to pull more information from the edge router like netflow. We can use SNMPv3 and ACLs to keep the router secure.

But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults. I am running an ASA and a 2821.


Cisco Switching/Routing :: 4.2.2 Unable To Ping 1 Internet Site From Edge Router Able To Ping

Jan 18, 2013

From my router that connects to cable modem I am unable to ping website 4.2.2.2. I am able to ping all other websites fine. Same website I can ping from my PC and all other switches fine. Router has only 1 ACL, that's for NAT.


Lightweight AP's Over Metro Ethernet?

May 1, 2013

My company uses a Sonicwall NSA 3500 as its Firewall/WLAN controller and lightweight Sonicpoints for the private/public WIFI access. We are getting ready to implement wireless at one of our branch locations a few blocks away (we use Metro Ethernet to connect the 2). I know with the current firmware the Sonicpoints can't provision to the Sonicwall NSA over the Metro Ethernet like Cisco lightweight AP's can because the Metro Ethernet strips their VLAN tags and obviously the Sonicpoints don't support REAP. What other options (short of installing another WLAN controller at the remote site) do I have to connect the AP's at the WLAN controller at our main location?


Cisco WAN :: 2xT-1 Deciding Between A Partial DS3 And Metro Ethernet

Jan 22, 2012

We are in the process of upgrading the bandwidth at a few offices. Each currently have a 2xT-1 connection but have high utilization on the circuit which is why they are being upgraded. We are trying to decide b/t either a partial DS3 or metro ethernet connection. Are there pros/cons b/t the two in order to decide which to go with? Cost is not an issue. Some say going with a partial DS3 circuit offers benefits over metro ethernet such as network-based failover, end-to-end availability is better with DS-3 and QoS.


Cisco WAN :: Migrate To Metro Ethernet On 1841

Apr 21, 2011

My company will change WAN connection from HDSL (2Mb/2Mb) to Metro Ethernet (10Mb/10Mb). Now, I have a CISCO 1841 (12.4(15)T12) with 2 FE and HWIC-1T. Can I configure my Metro Ethernet (WAN connection) on one FE, or do I need an "external wic" such as hwic-1FE?


Cisco WAN :: 3845 - CBWFQ / Metro E Configuration

Sep 19, 2011

I have a 50 Mbps metro ethernet connection between our main office, and our collocation site, where we store web servers, DR equipment and VPN access gateways.  I have two Cisco 3845 ISR's connected to the metro E circuit.  The interfaces on each router are configured as 100/full as requested by my ISP.  We are connected via ethernet to a fiber media converter.
 
As I understand, CBWFQ will not kick in until congestion occurs on an interface. I also understand that the bandwidth command on an interface is to provide bandwidth related information to upper level protocols (like EIGRP, etc).
 
My question is that since the interface where I have CBWFQ configured on is at 100 Mbps, but my circuit is at 50Mbps, how can I get my routers to kick CBWFQ in when traffic demand exceeds 50Mbps+?  Does the bandwidth command on the interface control that as well?


Cisco WAN :: 3750X Metro Ethernet And VLAN Configuration

Apr 7, 2013

I am trying to configure a new metro ethernet and have some questions about the configuration. The physical layout is a main office and two remote locations. The remote sites are point-to-point connections to the main office, tagged by the ISP with VLAN 130 and VLAN 140. The connections aggregate into one handoff at the main office, and are plugged into Catalyst 3750-X switches at all three sites.


Cisco :: Nexus 5596 / Metro 3600 Switches Do Not Come Up On LMS 3.2

Nov 19, 2012

I am running LMS 3.2 and cannot see the Nexus 5596 / ME-3600X-24FS-M Cisco switches on Cisco works LMS 3.2. Where I need them most is DFM; the devices come up as unknown. An example below: 10.125.202.1 is Nexus 5596 and the rest are ME3600.

208. 10.125.202.1  Unknown  N/A  N/A
209. 10.115.1.4    Unknown  N/A  N/A
210. 10.115.1.3    Unknown  N/A  N/A
211. 10.115.1.2    Unknown  N/A  N/A
212. 10.115.1.1    Unknown  N/A  N/A

Going through the article below, looks like it's not supported
 
[URL]
 
What are the options I have next ?  Can I upgrade to LMS 3.3 or only do an upgrade for DFM ?
 
Want to avoid LMS 4 as that's an installation from scratch.


Cisco Switching/Routing :: 100Mbps Metro-E With 1841

Jan 18, 2012

I have a cisco 1841 running on a 10Mbps Metro-E connection. I recently signed an agreement for a 100Mbps Metro-E. I am wondering if I will need to purchase a new router to support this new connection or will my 1841 be able to handle the traffic.


Cisco WAN :: 7204 / Moving T1 Branch Office To Metro Ethernet?

Jan 31, 2012

I am preparing to move two branch offices from a point to point T1 connection to Century Link Metro Ethernet. Currently my branch locations connect to my HQ 7204 router via a channelized DS3. I have a 4507R at HQ that I will connect the ME circuit to. We will also be moving our Internet connection on the ME circuit. Our service provider Clink will hand me a single Ethernet handoff for the Internet and branch office connections. For the first phase I will connect one branch office using ME. Once that is in place and tested we will move another office and so on. Then our final step is to move our web connection to the ME circuit. Each branch office has their own unique voice and data subnet. They each have a 2801 router and a 3560 switch. The routers are MGCP gateways with only one PSTN connection, a POTs 911 line on a FXO port.
 
So my questions are;

1 - Should I connect the ME directly in to the 3560 at the branch offices or use the Fa0/1 on the 2801? Fa0/0 is currently connected to the 3560.
 
2 - On my 4507R at HQ how will I configure the ME switch port? As a dot1q trunk port?
 
3 - Given that ME is basically a LAN connection will I have to re IP the branch office? HQ is 10.10.1.x/24. Branch is 10.10.166.x/24 (data) 192.168.166.x/24 (voice).
 
4 - On the 4507R will I need to configure a vlan interface for each branch subnet?
  
I attached two network diagrams. One represents our current topology (MEexisting) and the second represents the new ME circuit changes (MEprojected).


Cisco WAN :: How To Get Bootable Image To ME360X Metro Ethernet Switch

Jan 30, 2012

Today my sw upgrade procedure failed on a ME3600 Series switch.
 
From the past with LAN switches I thought that we need to set IP settings manually in ROMMON and then load remotely an IOS via TFTP.

But it seems that this is not supported there. So now I would like to ask how I can bring a bootable IOS to the ME3600 switch, and at least: how can I bring my switch back to life?

I could imagine that there is a missing default gateway. But what is the syntax for default gateway? And after I have connectivity I need to work on the process of loading a bootable image to the switch.


Cisco Switching/Routing :: Upgrading A DS3 To Metro Ethernet / Gigabit Connection?

Jul 10, 2012

I have the possibility of upgrading a DS3 to Metro Ethernet, Gigabit connection. My dilemma is I have two VTP domains in my network. How can I get two VTP domains over one trunk to a remote site?


Cisco Switching/Routing :: 2960S Metro Ethernet ATT With Nexus 7000

May 24, 2012

We are setting up our first ATT metro ethernet connection. I have a Cisco 2960S at the remote site and I placed a Cisco 2960 on the Host site to test and had no issues. When I moved the Host site to our Nexus 7000, I cannot get a link. Both sides are set as trunks,


Cisco Switching/Routing :: Catalyst 4506E Switch - Running L2 Metro Features

Sep 10, 2012

I think I will choose the 4506-E switch and I need to run only the L2 Metro features, but I don't know which IOS to use for this!


Cisco WAN :: 2951 For BGP At AS Edge?

Mar 6, 2012

Our customer has a server farm in a data center. At the moment the farm has connectivity with only one ISP but sometimes it has service discontinuity. Customer wants to become an AS and have two ISP connections for backup purposes. He needs to evaluate two Cisco routers to use at the AS edge with BGP. At the moment he says that the throughput with the server farm is max 15Mbps and in the future he thinks that it will not increase. We are thinking about Cisco 2951 routers with 2GB RAM. Is the Cisco 2951 adequate for this task?


Cisco WAN :: Can ASA5550 Act As A WAN Edge Router

Sep 15, 2011

If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this?  I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.


Cisco WAN :: Can ASA 5550 Act As Edge Router

Dec 18, 2011

If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this?  I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.


Cisco :: Strip DSCP Tags At ISP Edge?

Oct 7, 2011

My company's spent the last few weeks struggling with an issue with their VPN backups where select packets were being lost.


Cisco Firewall :: ASA 5510 With Edge Router That Does PBR?

Apr 9, 2011

How to configure an ASA that will have a default gateway to an edge router that will be doing PBR? We would like Internet surfing to go out one ISP while internally hosted services in the ASA DMZ would go through the other ISP. configuration examples for both the edge router and the ASA?


Cisco WAN :: Possible To Have 2621 As Edge Device Or Pix 515E

Nov 26, 2011

I'm trying to figure out the best design for my network. I currently have a setup like this: Internet - Cable Modem - Pix 515E (doing NAT) - 2621 - Internal Network. Now, should I have the 2621 as my edge device or the Pix?


Cisco :: 2504 WLC On Edge Network For Guest Wi-Fi?

Jan 21, 2013

I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet. I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
 
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
 
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
 
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?


Cisco WAN :: Replacing 6509s As Edge Routers?

Nov 19, 2012

We have two 6509s with active/passive sup 720-3BXL cards in each and 1GB DRAM. Each handles full BGP routing table with 4-5 ISP (eBGP) connections. The problem we are facing is that the 6509s were meant for core/aggregation and seem to be wasted as edge devices. With each ISP added the DRAM creeps up to a point where it is 80% utilized.
 
I am looking to replace both 6509's with routers which were meant to work on the edge. As mentioned earlier, it will have 4-6 external bgp peers per router. Handle full bgp tables. Should be capable of policy based routing.
