Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.
Course Of The Month
9 days, 9 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
L2/L3 Switch configuration
Posted on 2016-08-25
Excluding STP configuration on this Question, as it has been covered in previous questions.
I need some guidance on what to configure on Access/Distrib/Core Switches in order to get the traffic flowing to and from both sides of the core switches
** For Instance on the Core switches
I will create VTP domains
Create VLAN interfaces
configure IP default gateway for each Vlan
Configure IP Routing
Access-List
Configure HSRP or VSS or Vcp
Configure Ip-DHCP Helper
etc..
** On Distribution Swicthes
???
???
***On access Switch
assign ports to VLAN
etc..
- on the diagram, each block has access switches connected to Distribution Switches
that 's for Clients as well as Servers..I mean servers are not all in one data center (Room).. I mean there are some servers located in the same physical location as the Clients
Any help will be very much appreciated
I need just to know what to configure, not the details of the configuration.
Thank you
I need some guidance on what to configure on Access/Distrib/Core Switches in order to get the traffic flowing to and from both sides of the core switches
** For Instance on the Core switches
I will create VTP domains
Create VLAN interfaces
configure IP default gateway for each Vlan
Configure IP Routing
Access-List
Configure HSRP or VSS or Vcp
Configure Ip-DHCP Helper
etc..
** On Distribution Swicthes
???
???
***On access Switch
assign ports to VLAN
etc..
- on the diagram, each block has access switches connected to Distribution Switches
that 's for Clients as well as Servers..I mean servers are not all in one data center (Room).. I mean there are some servers located in the same physical location as the Clients
Any help will be very much appreciated
I need just to know what to configure, not the details of the configuration.
Thank you
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4 Comments
Distribution switches have a simple configuration, they need mgmt IP, VLAN info, and spanning tree settings.
Access layer switches need the same info as the distribution switches, plus the commands for each individual port config.
Servers would usually connect to dedicated data center switches. These switches would also have the storage connections.
Access layer switches need the same info as the distribution switches, plus the commands for each individual port config.
Servers would usually connect to dedicated data center switches. These switches would also have the storage connections.
I will create VTP domains
Create VLAN interfaces
configure IP default gateway for each Vlan
Configure IP Routing
Access-List
Configure HSRP or VSS or Vcp
Configure Ip-DHCP Helper
I just realized that the other switches are distribution switches.
In this case, you want the distribution switch that host the interface vlan to be the root bridge for that vlan
Hence you RPVST is your best bet for your topology. Using the core as roots would make all traffic between vlans go through the core. This would cause increased bandwidth and unnecessary processor burden on the core switches. By making the distribution switches the roots, traffic crossing the core or exiting the network would be the ones that pass through the core.
You can make your core switches VTP server, all other switches should be VTP client.
VLAN Interfaces would be configured on your distribution switches
The IP assigned to the interface vlan is your gateway for each vlan
IP DHCP Helper Address would be configured under the interface vlan you created (on the distribution switch)
IP routing would be configured on both distribution and the core
It is best to configure access list as close to the source as possible - In this case, on the access switches. Depending on traffic you need to block or allow, you may ACLs on distribution and Core as well
Configure your VSS on the Core switches, HSRP on the distribution switches for default gateway failover
Create VLAN interfaces
configure IP default gateway for each Vlan
Configure IP Routing
Access-List
Configure HSRP or VSS or Vcp
Configure Ip-DHCP Helper
I just realized that the other switches are distribution switches.
In this case, you want the distribution switch that host the interface vlan to be the root bridge for that vlan
Hence you RPVST is your best bet for your topology. Using the core as roots would make all traffic between vlans go through the core. This would cause increased bandwidth and unnecessary processor burden on the core switches. By making the distribution switches the roots, traffic crossing the core or exiting the network would be the ones that pass through the core.
You can make your core switches VTP server, all other switches should be VTP client.
VLAN Interfaces would be configured on your distribution switches
The IP assigned to the interface vlan is your gateway for each vlan
IP DHCP Helper Address would be configured under the interface vlan you created (on the distribution switch)
IP routing would be configured on both distribution and the core
It is best to configure access list as close to the source as possible - In this case, on the access switches. Depending on traffic you need to block or allow, you may ACLs on distribution and Core as well
Configure your VSS on the Core switches, HSRP on the distribution switches for default gateway failover
Active today
With a core/dist/access topology you don't want to be using VTP across all of your switches. In fact, you shouldn't be creating many VLANs at the core at all. VLANs will be created at the distribution layers, and SVIs will be attached to those VLANs in order to provide L3 functions, but at the access switches you just need VLANs; no SVIs. VTP is bad. Don't use it. Set all of the switches to VTP Transparent mode and manually create VLANs. The core will be used purely to transit traffic between each distribution zone, so VLANs aren't required there.
Between cores you should decide how they'll function. Will you use VSS (if they're Cisco) or will they run separately? If they run separate, will you use L2 links or L3 links between them? That will dictate which FHRP protocols you could use. If you use L2 between cores you'd want to use HSRP, while L3 links would require GLBP, for example. VSS would massively simplify the topology.
From core to distribution you'd want to run pure L3 links. They could be L3 at individual interfaces if you're not running VSS, or L3 Port-channels if you do VSS, so you can use multichassis-etherchannel (MEC). Distribution switches should also run VSS where possible, or be stacked, again so you can leverage MEC. It'll make routing simpler if you use less L3 interfaces.
IP routing should be dynamic. OSPF is usually the preference in a campus, while you could use EIGRP if it's all Cisco kit. OSPF would require a good design, so I'd advise the use of totally stubby areas for each distribution block where access switches are connected, and NSSA at the internet distribution block. Each L3 device should have a Loopback interface configured where OSPF is used and that should be configured as the router-id in the OSPF process for each switch.
SVIs at the distribution layer is where you're going to need to put ACLs and IP helpers. Also, turn off things like Proxy-ARP on SVIs if you want people to require a default gateway on their devices.
At the dist to access layer, try not to stretch VLANs across switches. Where an access switch or stack has VLANs for each service, the next stack should have different VLANs for the same services. That'll help reduce the reliance on STP. Akinsd is correct in saying that Rapid-STP is what you're after here. Using L3 between core and distribution cuts out STP completely.
Access switches should have things like BPDU Guard, Loop Guard and Portfast enabled by default. Also you should use DHCP snooping, Dynamic ARP Inspection and IP Source Guard where possible to mitigate ARP poisoning, rogue DHCP servers, etc.
Between cores you should decide how they'll function. Will you use VSS (if they're Cisco) or will they run separately? If they run separate, will you use L2 links or L3 links between them? That will dictate which FHRP protocols you could use. If you use L2 between cores you'd want to use HSRP, while L3 links would require GLBP, for example. VSS would massively simplify the topology.
From core to distribution you'd want to run pure L3 links. They could be L3 at individual interfaces if you're not running VSS, or L3 Port-channels if you do VSS, so you can use multichassis-etherchannel (MEC). Distribution switches should also run VSS where possible, or be stacked, again so you can leverage MEC. It'll make routing simpler if you use less L3 interfaces.
IP routing should be dynamic. OSPF is usually the preference in a campus, while you could use EIGRP if it's all Cisco kit. OSPF would require a good design, so I'd advise the use of totally stubby areas for each distribution block where access switches are connected, and NSSA at the internet distribution block. Each L3 device should have a Loopback interface configured where OSPF is used and that should be configured as the router-id in the OSPF process for each switch.
SVIs at the distribution layer is where you're going to need to put ACLs and IP helpers. Also, turn off things like Proxy-ARP on SVIs if you want people to require a default gateway on their devices.
At the dist to access layer, try not to stretch VLANs across switches. Where an access switch or stack has VLANs for each service, the next stack should have different VLANs for the same services. That'll help reduce the reliance on STP. Akinsd is correct in saying that Rapid-STP is what you're after here. Using L3 between core and distribution cuts out STP completely.
Access switches should have things like BPDU Guard, Loop Guard and Portfast enabled by default. Also you should use DHCP snooping, Dynamic ARP Inspection and IP Source Guard where possible to mitigate ARP poisoning, rogue DHCP servers, etc.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud (http://www.concertocloud.com/about/in-the-news/2017/02/0…
- Storage
- Concerto Cloud Services
- Cisco
- Analytics
- Cloud Computing
- Cloud Services, *CRM, *Virtual Private Cloud (VPC)
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 9 hours left to enroll
Earn Certification
Cisco CCNA R&S: ICND2 v3
$197.00$177.30
Earn Certification
Cisco CCNA Collaboration: CIVND2
$197.00$177.30
624 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.