[c-nsp] Campus Network Design advice

chris at lavin-llc.com chris at lavin-llc.com
Wed Jan 28 08:22:48 EST 2009


On Tue Jan 27 20:50 , Marc Archer  sent:

>Hi Guys,
>
>I'm looking for some advice on redesigning our campus network.
>
>We have around 2500 devices on our site which are spread across multiple
>buildings. At present the network runs on a (legacy) single flat VLAN which
>has caused us more than our fair share of headaches of late.


You'll definitely benefit from getting away from the flat network.

There are several ways to alter the connectivity. Much of the design will come down to what the goals are: how much budget you have, how much gear can be replaced vs. how much needs to be reused, the capabilities of the equipment in place, how many users you are supporting, how much bandwidth you need, how much added flexibility you'd like, and whether to have additional security measures.

Working from the remote site towards the core:
Remote Site
I've had great success with 35xx/450x in the IDF (users' closets) that have two uplinks to a pair of 4506s in an MDF. The 4506s provide the Layer 3 SVIs for all VLANs w/in the building. Regarding the Layer 3 4506s: for me, box redundancy has served better than same-box sup redundancy. Provide each IDF w/one or two /24 subnets to support the desktops and phones. Tweak the HSRP timers on the 4506s down to subsecond. Line up the STP and HSRP for each VLAN to be hosted by the same 4506. For example, 4506#1 is STP root and HSRP Active for odd numbered VLANs and 4506#2 is STP root and HSRP Active for even numbered VLANs. Let spanning tree do its thing and block one of the IDF's uplinks to one of the MDF 4506s. If additional bandwidth is needed, add fiber or copper links and port channel them together. By assigning the VLANs to the closets you will immediately know the association of a user to an IDF based on their IP address.

Remote Site uplink to Distro/Core
Yes, /30s work great. I like running OSPF on the uplinks and on a link between the MDF 4506s. Each 4506 would have an uplink to a Distro/Core device. The MDF 4506s therefore have a Layer 2 port-channel between them for the IDF VLANs as well as a Layer 3 port-channel for the OSPF path redundancy.

I like the Layer 3 running between the Remote site and the Distro/Core because it provides a convenient place to put in ACLs and QoS if you need it. You can also get fancy with summarization or even sprinkle in BGP if the network is big enough to call for the additional nerd knobs that BGP affords you.

Hopefully this spawns some ideas,

-chris
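
An added example, not part of the original post: a small Python audit that checks the STP root and HSRP Active alignment described above (odd VLANs on 4506#1, even VLANs on 4506#2) against two switch configs. The config snippets are constructed and trimmed to the relevant lines, and `parse` and `audit` are hypothetical helper names. It assumes `standby ... preempt` is configured so that HSRP priority alone decides the Active router.

```python
import re

# Constructed sample configs for two hypothetical MDF switches (not from the post).
MDF1 = """\
spanning-tree vlan 11 priority 4096
spanning-tree vlan 12 priority 4096
interface Vlan11
 standby 11 priority 110
 standby 11 preempt
interface Vlan12
 standby 12 priority 90
"""
MDF2 = """\
spanning-tree vlan 11 priority 8192
spanning-tree vlan 12 priority 8192
interface Vlan11
 standby 11 priority 90
interface Vlan12
 standby 12 priority 110
 standby 12 preempt
"""

def parse(cfg):
    """Return ({vlan: stp_priority}, {vlan: hsrp_priority}) for one switch."""
    stp, hsrp, vlan = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"spanning-tree vlan (\d+) priority (\d+)", line):
            stp[int(m[1])] = int(m[2])
        elif m := re.match(r"interface Vlan(\d+)", line):
            vlan = int(m[1])
            hsrp.setdefault(vlan, 100)  # HSRP default priority
        elif not line.startswith(" "):
            vlan = None  # left the SVI stanza
        elif vlan and (m := re.match(r"\s+standby \d+ priority (\d+)", line)):
            hsrp[vlan] = int(m[1])
    return stp, hsrp

def audit(cfg1, cfg2):
    """Map each VLAN to 'ok' or a description of the STP/HSRP mismatch."""
    (stp1, hsrp1), (stp2, hsrp2) = parse(cfg1), parse(cfg2)
    report = {}
    for vlan in sorted(set(hsrp1) | set(hsrp2)):
        s1, s2 = stp1.get(vlan, 32768), stp2.get(vlan, 32768)  # STP default
        h1, h2 = hsrp1.get(vlan, 100), hsrp2.get(vlan, 100)
        root = 1 if s1 < s2 else 2 if s2 < s1 else 0    # lower bridge priority wins
        active = 1 if h1 > h2 else 2 if h2 > h1 else 0  # higher HSRP priority wins
        want = 1 if vlan % 2 else 2  # post's scheme: odd -> 4506#1, even -> 4506#2
        report[vlan] = "ok" if root == active == want else (
            f"STP root #{root}, HSRP active #{active}, expected #{want} (0 = tie)")
    return report
```

In the constructed sample, VLAN 12 is flagged because 4506#1 wins the root election while 4506#2 is HSRP Active, so traffic from that VLAN would cross the inter-switch link to reach its gateway.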


