Solved

Redundant Cisco 4948E network design

Posted on 2013-05-10
Last Modified: 2013-05-13
Hello,
I have two racks in a DC. The first (old) rack has a Cisco 4948E switch with a 10gig uplink to the DC's Cisco switch (managed by them; I don't remember the exact model, but it's something new and takes about 4-8U).

All the servers in the first rack are connected to the Cisco 4948E gigabit ports. This switch is operating as a Layer 3 switch with VLANs and VLAN interfaces. Each customer has its own VLAN and the Cisco 4948E is its gateway. The uplink port sits inside VLAN 1, which has a /29 IP configured and a default route to the DC's Cisco.

The new rack is installed with a new Cisco 4948E switch. Currently there are no servers connected to it (yet), and its uplink goes to the same DC Cisco. This switch also uses a 10gig port for the uplink connection.
I asked the DC to put both switches in the same VLAN (from their side), so the new Cisco 4948E has an IP from the same /29.

The desired goal is to achieve redundancy. I would like to interconnect those two racks using another 10gig connection between the Cisco 4948E switches.
The purpose is to eliminate the single point of failure of one of the uplinks, so I will have a redundant network path in case one of the uplinks goes down, and also to have load balancing and/or the ability to use the same IPs on both switches, so that I can connect 2 x F5 LTMs in HA, with a floating IP, each of them to a different Cisco 4948E switch.
Thus I would like to connect a server to 2 F5 LTMs and gain a redundant, highly available solution.

Both switches' IOS supports IP routing and all features.

I am not sure how to do it and what the correct design topology is.

I thought of creating a trunk between the switches, but probably STP will kill one of them.
The DC team is ready to perform any needed changes or configurations on their switch.
I also thought about EtherChannel, but in my case I have two physical switches which are not stackable (as far as I know). I read about VSS technology, which is also, unfortunately, not supported on those switches.

So I am not sure what the correct way is to do what I want.
Perhaps Layer 3 redundancy... or some game play with L2 and STP.
All links must be active; both switches and the F5 LTMs have to be active-active, and the LTMs have a floating IP.

I need help to understand what the recommended designs are, which ones are available. If I am making a mistake, then I am ready to change the topology and rebuild it the right way.

Thank you very much.
Question by:m4dd0g

Expert Comment

by:surbabu140977
ID: 39155593
First question: will the new 4948E's uplink be connected to the same DC Cisco switch (where the old one is connected)?

If yes, then there is no point discussing it, because it defeats the main concept of redundancy.

If no, then let's first get the cabling done. If DC1 and DC2 are the Cisco switches and your switches are Sw1 (old 4948) and Sw2 (new 4948), then the cabling should be:

DC1 ---> Sw1 (1 uplink)
DC1 ---> Sw2 (1 uplink)
DC2 ---> Sw1 (1 uplink)
DC2 ---> Sw2 (1 uplink)

The above should be the standard implementation. You can view it as a criss-cross kind of thing.

Once it's done, we have the option of implementing HSRP/VRRP/GLBP (the 4948E supports all of them).

Which is your priority? Load balancing or redundancy?

Best,

Expert Comment

by:surbabu140977
ID: 39155632
Please note, load balancing works well on an intranet, not on the Internet. You will have the option of load balancing only for the outgoing traffic, not the incoming traffic. This might cause issues in some cases. For load balancing to work perfectly, both the source and destination networks should be controlled by you.

If you want to load balance only between 2 racks, it can be done.

Best,

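The two expert comments above (the criss-cross cabling plus HSRP/VRRP/GLBP, and the note that only outbound traffic can be balanced) describe the design in words. Below is an added worked configuration for one switch of the pair; it is not configuration from the thread, from the poster or from Cisco. It keeps the thread's actual setup (one 10G uplink per 4948E into the same /29, one 10G trunk between the racks, a Layer 3 SVI per customer VLAN) and makes the assumptions noted in the comments: hostnames Sw1/Sw2, interface numbers Te1/49 and Te1/50, VLAN IDs 10/20/100, RFC 5737 documentation addresses, HSRP group numbers and key strings are all illustrative, and the `switchport trunk encapsulation dot1q` line is an assumption about the IOS release (drop it if yours accepts only `switchport mode trunk`). The security-relevant choices are MD5 authentication on every HSRP group (otherwise any host on a customer VLAN can send a higher-priority hello and become that customer's gateway), BPDU guard on the server ports (otherwise a host can claim STP root and pull traffic across the trunk), and pruning the trunk to exactly the customer VLANs.

```cisco
! Added example, not configuration from the thread or from Cisco.
! Sw1 (old rack) shown; Sw2 mirrors it with priority 110 on group 20 instead
! of group 10. Names, interface numbers, VLAN IDs, the RFC 5737 addresses and
! the key strings are assumptions for illustration.
hostname Sw1
ip routing
!
! Rapid PVST+ so the inter-rack trunk reconverges in seconds. The switch that
! is HSRP active for a VLAN is also STP root for that VLAN, so the L2 path
! and the L3 gateway agree (Sw1 for VLAN 10, Sw2 for VLAN 20).
spanning-tree mode rapid-pvst
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 8192
! Server-facing ports: PortFast, and err-disable the port if a customer host
! ever sends a BPDU (a host claiming root could pull other customers' traffic).
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Uplink VLAN: the /29 the DC put both switches into, moved off VLAN 1.
! It is carried only on the DC-facing port, never on the inter-rack trunk,
! so there is no second L2 path for it and nothing for STP to block.
vlan 100
 name DC-uplink
vlan 10
 name CustomerA
vlan 20
 name CustomerB
!
interface TenGigabitEthernet1/49
 description Uplink to DC switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface TenGigabitEthernet1/50
 description Inter-rack trunk to Sw2 (customer VLANs only)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! Toward the DC: a floating next hop inside the /29, so the DC's static routes
! for the customer prefixes point at one address whichever switch is alive.
! DC gateway .1, Sw1 .2, Sw2 .3, HSRP virtual IP .4 (assumed addressing).
interface Vlan100
 description DC uplink /29
 ip address 203.0.113.2 255.255.255.248
 standby version 2
 standby 100 ip 203.0.113.4
 standby 100 priority 110
 standby 100 preempt
 standby 100 authentication md5 key-string UplinkHsrpKey
!
! Customer A: Sw1 is the active gateway (110 beats Sw2's default 100) and
! steps aside if its own uplink fails (110 - 20 = 90 < 100, Sw2 preempts).
interface Vlan10
 description Customer A gateway
 ip address 198.51.100.2 255.255.255.0
 standby version 2
 standby 10 ip 198.51.100.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string CustAHsrpKey
 standby 10 track TenGigabitEthernet1/49 20
!
! Customer B: Sw2 carries priority 110 for this group; Sw1 stays at 100.
interface Vlan20
 description Customer B gateway
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 20 ip 192.0.2.1
 standby 20 preempt
 standby 20 authentication md5 key-string CustBHsrpKey
 standby 20 track TenGigabitEthernet1/49 20
!
! Default route toward the DC's gateway address in the /29. Vlan100 goes down
! with Te1/49 (autostate), which withdraws this route on an uplink failure.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

After applying it on both switches, `show standby brief` should list Sw1 as Active for groups 10 and 100 and Standby for group 20, and `show spanning-tree root` should show Sw1 as root for VLAN 10 and Sw2 for VLAN 20. This gives redundancy and per-VLAN load sharing of outbound traffic only; to share outbound traffic within a single VLAN across both switches you would replace the `standby` lines with the equivalent GLBP group, and inbound traffic still arrives at whichever switch currently holds the group 100 virtual IP, which is the limitation the second comment describes.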
Author Comment

by:m4dd0g
ID: 39156012
Thanks for reminding me about HSRP/VRRP/GLBP, I totally forgot about these features.
The servers actually serve, so 90% of the traffic goes out, but incoming traffic should also be balanced: in case of a DDoS attack, I want each uplink to receive half of the incoming flood, to each F5 ASM.

Expert Comment

by:surbabu140977
ID: 39156088
It's bad thinking to divert a certain % of traffic to one ASM and the rest to the other. The ASMs should be in a redundant configuration, so that if one fails, the other takes over.

The switch should divert traffic to the ASM (which is in a redundant config), which in turn will protect your applications.

Best,

Author Comment

by:m4dd0g
ID: 39156302
I view the F5 as a single device, since F5 supports HA clustering with a virtual floating IP in a master-master configuration, which can advertise its VIP dynamically, each time, from one of the siblings.

I understand that somewhere in the redundant design there must be a Layer 2 pair, stacked or virtualized?

I need both load balancing and redundancy.

Accepted Solution

by:surbabu140977 (earned 500 total points)
ID: 39157759
I am not sure how the 4948 will throw 50% of the incoming traffic to each F5. Traffic policing is an option, but it looks like not the very best design. Did you speak with the F5 guys?

You already have 96 ports in 2 x 4948; do you still need more L2 ports?

Best,

Expert Comment

by:diepes
ID: 39158061
On the uplinks and F5s, are you using private or public IPs?

Author Comment

by:m4dd0g
ID: 39158090
Public IPs.

Author Comment

by:m4dd0g
ID: 39160890
Thanks guys,
I am going to resolve it with a new pair of 4500-X aggregation switches using VSS.