Solved

Location of Servers in Network Design

Posted on 2016-08-20
Last Modified: 2016-08-22
When doing Network design by Block as follows:

Each Block has a few Access Switches connected to higher-end Distributed switches
Each high-end Distributed switch is connected to the Core Switches

Let's say we have 5 Blocks.

If I understand, User PCs will connect to Access Switches.
What about the Servers? They can connect to Access Switches, but if I understand, when clients send requests, the traffic will go through Access Switches to Distribution Switches to the Core Switches to reach the Servers.
Now it sounds like VLANs where the Servers are should not be reached directly by Clients through Access Switches, but through the itinerary (Access Switches (where Clients are connected) to Distribution Switches to Core Switches, then back to Distribution Switches, then to Access Switches where the Servers are connected).

Hope my question is clear.

Thank you
0
Question by:jskfan
14 Comments
 
LVL 9

Expert Comment

by:bas2754
ID: 41763836
The question is not exactly clear.  My understanding is you have something like this:



Core---->Distribution--------->Access----->Clients
                                     --------->Access----->Clients
       
       ----->Distribution--------->Access----->Clients
                                     --------->Access----->Clients

And you would like to know where to connect the servers.  My advice would be either at the Core or distribution level depending on what traffic they will receive.  Another thought would be to put another switch at the "distribution" level for all your servers as such:

Core---->Distribution--------->Access----->Clients
                                     --------->Access----->Clients
       
       ----->Distribution--------->Access----->Clients
                                     --------->Access----->Clients

      ------>Distribution--------->Servers

In network design, particularly when talking about a system with lots of nodes and traffic it is important to try to keep as much traffic isolated to as small a footprint as possible.  So if a group of clients on an access switch are the only ones that will ever access a particular server then it may be a good idea to put that server on that same access switch.

Now, this is assuming that you are NOT using VLANs.  If you are going to use VLANs and Layer 3 switches to handle traffic routing, shaping, and VLAN isolation then that design can change a bit since traffic will be isolated only to the VLANs each group is assigned.

Hope this helps some.  If you can take the above and clarify maybe a bit more about what you are looking for I am sure we can help.
0
 

Author Comment

by:jskfan
ID: 41764044
Well, since the environment is big, it has Branches connected to the Data Center through WAN Connections, so Access Switches will have VLANs.
All the Servers are in the Data Center.

I was thinking:

Each Branch will locally have:
Clients connected to Access Switches, and Access Switches will connect to L3 Switches (Distribution).
L3 Switches (Distribution) will trunk the VLANs on each Branch to the Core Switches in the Data Center.

The Data Center:
Will have Access Switches where Servers are plugged in, then Access Switches will connect to Core Switches.

Kind of:

Clients-->Access--->Distrib-->Core-->Access-->Servers
0
 

Author Comment

by:jskfan
ID: 41764045
Clients-->Access--->Distrib-->Core<--Access<----Servers
0
 

Author Comment

by:jskfan
ID: 41764046
Probably this is more correct:

Clients-->Access--->Distrib-->Core<---Distrib<--Access<----Servers
0
 

Author Comment

by:jskfan
ID: 41764047
des
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41764083
Both solutions
Distribution switch - Access switch - Servers

Distribution switch - Servers
are possible just because some distribution switches have a lot of ports for access devices and can connect all servers to distribution switches (4500E with 8-E supervisor can scale up to 384 Gigabit copper ports, 200 Gigabit fiber ports, or 104 10-Gigabit ports in non-virtual switching system (VSS) mode). I have seen both implementations; however, the typical design is to connect servers to access switches.
0
 

Author Comment

by:jskfan
ID: 41764228
For the above Network Design, where do you apply the STP Tools (all the Guards) to prevent the Loops? Assuming VLANs are local to each Block (on the picture each Block has 4 Access Switches connected to 2 Distribution Switches).
Will the STP Guards be applied on all Distribution Switches where Access Switches are connected to?
OR
Will the STP Guards be applied to both Distribution and Core Switches?

Thank you
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41764332
This is the minimum I would basically do regarding STP (and a little more than just STP):
Use RSTP, configure low priority on VTP primary (0) and secondary root bridge (4K) (different values for root bridges can be applied and root bridges should be configured as VTP servers - distribution switches), configure edge ports as portfast with BPDU guard. You said 5 locations, so at least 5 VTP domains (separate VTP domain for core - if you use L2 in core). Additionally, also a minimum for this topology would be HSRP (VTP root bridge and HSRP active should match; also, HSRP is not needed if you use VSS on distribution switches). IP DHCP snooping (if supported on switches) should be configured on at least access switches, access ports should be untrusted (and also should be configured to limit the number of DHCP requests), and all uplinks should be configured as ip dhcp snooping trusted ports (this is a must if you will use DHCP snooping, otherwise DHCP will not function properly). Also, there could be some variations regarding non-specific port configurations, but that is the bare minimum in my opinion.

BareMinimumSTP config
Sure, depending on client needs, additional configuration details can be added (root guard, UDLD, loop guard, etc.), but if switches are locked in switch rooms and all ports to end devices are configured as access ports with portfast and BPDU guard, most likely everything should work properly.
0
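The baseline in the comment above (RSTP, portfast with BPDU guard on edge ports, DHCP snooping with untrusted, rate-limited access ports and trusted uplinks) can be checked against a switch configuration. This Python audit is an added example, not part of the original thread; the sample configuration is constructed (trimmed, without `!` separators), and it assumes Cisco IOS-style syntax with `rapid-pvst` as the RSTP mode.

```python
import re

# Constructed access-switch configuration for illustration (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
ip dhcp snooping
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/24
 switchport mode trunk
"""

# Sub-commands every edge (access) port needs under the baseline.
EDGE_REQUIRED = [("spanning-tree portfast", "portfast"),
                 ("spanning-tree bpduguard enable", "BPDU guard"),
                 ("ip dhcp snooping limit rate", "DHCP rate limit")]

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # a non-indented line ends the interface block
    return interfaces

def audit(config):
    """List deviations from the baseline described in the comment."""
    findings, lines = [], config.splitlines()
    if "spanning-tree mode rapid-pvst" not in lines:
        findings.append("global: RSTP (rapid-pvst) not enabled")
    if "ip dhcp snooping" not in lines:
        findings.append("global: DHCP snooping not enabled")
    for name, cmds in parse_interfaces(config).items():
        has = lambda prefix: any(c.startswith(prefix) for c in cmds)
        if has("switchport mode access"):
            findings += [f"{name}: edge port missing {label}"
                         for prefix, label in EDGE_REQUIRED if not has(prefix)]
            if has("ip dhcp snooping trust"):
                findings.append(f"{name}: edge port must be DHCP-snooping untrusted")
        elif has("switchport mode trunk") and not has("ip dhcp snooping trust"):
            findings.append(f"{name}: uplink not DHCP-snooping trusted")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the access port without BPDU guard and rate limit and the untrusted uplink, the latter being the case the comment warns will stop DHCP from working.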
 

Author Comment

by:jskfan
ID: 41764363
Predrag Jovic

- I see you recommended to configure Core Switches, one as Root setting priority to Zero, the other Core switch as Secondary Root by setting priority to 4000

- Both core Switches set to Transparent VTP Mode

- Regarding the separate VTP domains, do you mean for instance One core Switch will be in VTP Domain DomA and the other Core Switch in VTP Domain DomB?
Doing so, will they propagate VLANs to other Switches in Distribution and Access Layer, seeing that Core switches are in Transparent mode?

- I see you recommend Portfast with bpduguard on Access Switches. Is that going to be on Access switches where clients are connected as well as on Access Switches where Servers are connected?


- Also to confirm, all Switches will be in Locked Rooms.
Looking at the Diagram, if a Loop occurs on any of the Blocks, will that loop traverse to other Blocks?

Thank you
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41764377
> instance One core Switch will be in VTP Domain DomA and the other Core Switch in VTP Domain DomB

No need for that, you can even configure VTP client - server, but typically you will rarely change VLANs on cores.

> I see you recommended To configure Core Switches, one as Root setting priority to Zero the other Core switch as Secondary Root by setting priority to 4000

Also different priority values can be applied.

> will they propagate VLANs to other Switches in Distribution and Access Layer

They will not. Each VTP domain should be a separate VTP domain. Typically end-to-end VLANs are considered obsolete.

> Doing so , will they propagate VLANs to other Switches in Distribution and Access Layer?

No, but the point is to use distribution switches as VTP servers for each location.
Location 1 - vtp domain location1
Location 2 - vtp domain location2
etc...

> if a Loop occurs on any of the Blocks will that loop Traverse to other Blocks ?

Not if you configure dynamic routing (EIGRP, OSPF) between core and distribution switches. That is also Cisco's design recommendation. In that case between core and distribution both links will be in use.

> I see you recommend Portfast with bpduguard on Access Switches. is that going to be on Access switches where clients are connected as well as on Access Switches where Servers are connected. ?

That can depend on server configuration (VMware can also have a virtual switch, so that should be coordinated with the server team), but for workstation ports that is obligatory.

Please read Cisco campus LAN Design guidelines for more details. Plan the network redesign to be in phases, and that should be planned carefully; you do not want to make errors, since all your locations can be affected during a bad redesign implementation.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41764396
Remember:
Even a poorly working network is better than a non-working one!

So, if you do not know how to redesign or to create proper steps to a redesigned network - don't do it!
Too many errors can mean that you lose your job, so again...
Redesign should be carefully planned and implemented, do not rush it, there should be no unknown situations. If you do not know what can happen when you remove a VTP server, or if some command causes downtime - do not do it.
0
 

Author Comment

by:jskfan
ID: 41764401
The Notes on the Diagram in the Core Switch Area are not really clear.

Well, after reading your recent comments, what I understood is:

- Core Switches can be in Transparent Mode
- Make one Core Switch as Root, the Other as secondary Root
- Configure VTP Domains on Distribution Switches at each Location
- Configure Access Switches for Servers and Clients with Portfast and BPDU Guard.
BTW, I do not think VMware Virtual Switches send BPDUs.
- You mentioned Dynamic Routing between Distribution Switches and Core Switches. That's clear.
However, there are still Redundant Trunking Links between Access Switches and Distribution Switches as well as between Distribution Switches and Core Switches as shown in the Diagram.
So based on the Diagram, what configuration in regards to preventing STP Loops will you put on each Distribution Switch and on each Core Switch?
0
 
LVL 26

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 41764413
> - Make one Core Switch as Root the Other as secondary Root

Distribution switches should be Root bridges, not core switches. If core switches are in transparent mode and in a separate VTP domain, then you can basically ignore priority since by design you should use routing in core, not switching.

> BTW, I do not think VMware Virtual Switches send BPDUs.

Typically not my problem. Once I had a request to filter BPDU packets, so it is... whatever customer wants...  :)

> So based on the Diagram, what configuration in regards to preventing STP Loops will you put on each Distribution Switch and on each Core Switch  ?

STP should do its job properly without any specific configuration details beside the basic config above in most situations (if STP diameter is no more than 7 switches). If you use optic for interconnection between access and distribution you can configure UDLD on those ports, but rules for everything are simple. If BPDU guard is configured on every port to a host, typically there is no need on those ports for rootguard since the port will be automatically err-disabled as soon as the first packet enters on the port. If you need more than basic configuration you can do it. I wrote above that it is the minimum that should be configured.
0
 

Author Closing Comment

by:jskfan
ID: 41765087
Thank you, I got enough information to open a new Question on this topic.
This thread is getting too long..
0
