DP230 (United Kingdom) asked:
Suggestions on Network operations

Dear Experts, I need suggestions on this network design. Is there anything we need to consider for improving HA, security, performance? Could you please help? Many thanks!

[Network diagram image]
Core SW1, SW2: Cisco 3850 IP service
Access SW1, SW2: Cisco 2960 LANBase

- Between C1 and C2: EtherChannel Trunking native vlan 88
- Between C1 and C2, C1 and A1, A2, C2 and A1, A2: trunking interfaces native vlan 88
- C1: VTP server, other switches are VTP clients, version 2
- VLAN 10 (LAN), 11 (LAN), 88 (management) synchronize between switches

- C1:
STP root primary for VLAN10, secondary for VLAN11
HSRP Active for VLAN10, HSRP Standby for VLAN11 (standby .254)
DHCP pool VLAN10A, VLAN11A, default GW is .254, exclude address .1 - .50 and .53 - .254  (so 2 addresses .51, .52 are available, just for test)

- C2:
STP root primary for VLAN11, secondary for VLAN10
HSRP Active for VLAN11, HSRP Standby for VLAN10
DHCP pool VLAN10B, VLAN11B, default GW is .254, exclude address .1 - .250 and .253 - .254  (so 2 addresses .251, .252 are available, just for test)

- Access switches: sw mode access / define VLAN on interfaces connected to PCs
Soulja (United States) replied:

1. Use VTP version 3, or not at all, since you are only dealing with 4 switches.
2. Configure trunks as port-channels between all the switches.
3. I assume you are using Rapid Spanning Tree; if not, use it.
4. Portfast with BPDU guard on all access/host ports.

Nothing else I can think of. Pretty simple design.
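As an added check (my own example, not code from the question or from either answer): a small Python audit that reads an IOS-style running-config and reports where the four recommendations above are not met. The config excerpt is constructed, and the `vtp version 3`, `spanning-tree mode rapid-pvst`, `channel-group`, `spanning-tree portfast` and `spanning-tree bpduguard enable` strings are the standard IOS keywords the checks look for.

```python
import re
# Constructed sample running-config (not from the question): one trunk uplink, two PC ports.
SAMPLE_CONFIG = """\
vtp version 2
spanning-tree mode pvst
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 88
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Map each 'interface <name>' stanza to its indented config lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the stanza
    return ifaces

def audit(config):
    """Return one finding per unmet recommendation; [] means all four pass."""
    findings = []
    if not re.search(r"^vtp version 3$", config, re.M):
        findings.append("global: VTP is not version 3")
    if not re.search(r"^spanning-tree mode rapid-pvst$", config, re.M):
        findings.append("global: spanning-tree mode is not rapid-pvst")
    for name, lines in parse_interfaces(config).items():
        if ("switchport mode trunk" in lines and not name.startswith("Port-channel")
                and not any(l.startswith("channel-group ") for l in lines)):
            findings.append(f"{name}: trunk is not in a port-channel")
        if "switchport mode access" in lines:
            if "spanning-tree portfast" not in lines:
                findings.append(f"{name}: access port lacks portfast")
            if "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: access port lacks bpduguard")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get the list of findings; on the constructed sample it reports the VTP version, the STP mode, the non-bundled trunk on Gi1/0/1 and the missing BPDU guard on Gi1/0/10, while Gi1/0/11 passes.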
ASKER CERTIFIED SOLUTION
Hemil Aquino (United States)

Incorrect Hemil. VTP 3 is the way to go. There's not much more configuration than VTP 2. VTP is better as you can't accidentally delete VLANs. You have to promote VTP servers to primary in order to make VLAN changes. Also extended and private VLANs are supported.
@soulja

Hi, I never said v3 was not a good option. All I meant to say was keep "things easy". If you have DHCP snooping in place and all the port configuration for security, you don't need that extra layer of authentication.

Now, I think you haven't seen problems with VTP. VTP is the most beautiful thing to propagate VLANs, but it has a downside. I don't know if you are familiar with the sequence numbers, but if you install or format a switch and that switch is not in transparent mode, it could kill the rest of the VLANs on your VTP server.

I have seen this in large organizations. Like I've said, it's just my opinion; he can use VTP, just be careful.
@hemil

You obviously haven't used VTP v3 before, because everything you just mentioned is avoided with VTP v3. It also is not any more complex to configure.

What do you keep talking about regarding VTP authentication in VTP v3? It's the same steps to configure as VTPv2. Maybe you are confusing it with SNMP v3.