Cisco router/switch recommendation?

Discussion in 'Cisco' started by raptor, Jan 6, 2005.

  1. raptor

    raptor Guest

    hi,

    Could you point me to the exact "number/series" of router.
    I want a router+switch combo that supports:
    - MPLS
    - stateful firewalling
    - BGP

    then about it I want to know approx.:

    - how many 100Mb and 1Gb ports
    - what layer 3 throughput can be achieved
    - what layer 2 throughput can be achieved
    - which IOS version is required to support these features.

    tia

    PS. main software requirement for me is to be able
    to pass traffic to specific boxes over layer 2 instead
    of through the routing engine, so that I can achieve
    better throughput.
    raptor, Jan 6, 2005
    #1

  2. In article <>,
    raptor <> wrote:
    :Could you point me to the exact "number/series" of router.
    :I want a router+switch combo that supports:
    :- MPLS
    :- stateful firewalling
    :- BGP

    According to the Feature Navigator (which usually has incomplete
    information):

    models: 2691, 2811, 2821, 2851, 3640, 3660, 3725, 3825, 3845,
    7301, 7304-NPE-G100, 8850RPM-PR

    series: 7100, 7200, 7400, 7500,
    7600-SUP720/MSFC3, CAT5000+RSM, CAT6000+MSFC2,
    CAT6000/SUP1+MSFC2, CAT6000/SUP2+MSFC2, CAT6000/SUP720+MSFC3


    :then about it I want to know approx.:

    :- how many 100Mb and 1Gb ports

    Well, let's see... on a fully populated CAT6500, you could have
    up to 576 gigabit ports, and up to 1152 100 Mb ports. Is that enough?

    :- what layer 3 throughput can be achieved

    Some of those devices are wire speed when appropriately configured.

    :- what layer 2 throughput can be achieved

    Some of those devices are wire speed when appropriately configured.

    :- which IOS version is required to support these features.

    12.0(1)T and later on the 3640. 12.3(11)XL or 12.3(11)T for the 3845.


    :then about it I want to know approx.:

    That's a dozen different individual models plus 10 different series
    each with several different models. And the throughputs of the modular
    devices are going to depend upon the details of the configuration.
    For many of the devices I listed, the firewalling part could slow down
    the throughput noticeably, especially if you have a lot of
    NBAR inspection. The 28xx and 38xx series are supposed to be able
    to handle many combinations of features without slowing down.


    For more information... please feel free to read the
    datasheets on cisco.com, cuz looking up all that information
    would take a few days work.

    Did I mention that Cisco lists a couple of dozen different
    MPLS features, not all of which are supported on all platforms?
    But you neglected to tell us what you want out of MPLS.


    Why am I getting the feeling that these are homework questions rather
    than questions that are real investigations into which model would
    suit a real or proposed network? Could it have something to do with the
    fact that a serious designer of a network with that kind of complexity
    would know to list detailed requirements instead of asking such
    open-ended questions? How fast do you *need*? How many ports do you
    *need*? What are the expected traffic patterns that we should take into
    account? What kind of budget does this have? How much expandability do
    you need? VOIP requirements? If you are planning a network with those
    kind of capabilities, why didn't you list as requirements some of the
    important features such as hardware-level redundancies; software level
    redundancies; accounting tools required; QoS features needed; WAN
    interface types; requirements for 2 Gb, 10 Gb? Or even something simple
    such as whether those gigabit interfaces should be SX multimode, LX/LH,
    ZX single mode extended distance, RJ45 copper, GBICs, SFPs, HSSDC ?


    I almost said that I can't believe that someone would specify a
    critical network device by such meager criteria, but then I
    remembered having encountered an even more vague but
    serious specification.
    --
    Aleph sub {Aleph sub null} little, Aleph sub {Aleph sub one} little,
    Aleph sub {Aleph sub two} little infinities...
    Walter Roberson, Jan 6, 2005
    #2

  3. Mark Lar

    Mark Lar Guest

    raptor wrote:
    > hi,
    >
    > Could you point me to the exact "number/series" of router.
    > I want a router+switch combo that supports:
    > - MPLS
    > - stateful firewalling
    > - BGP
    >
    > then about it I want to know approx.:
    >
    > - how many 100Mb and 1Gb ports
    > - what layer 3 throughput can be achieved
    > - what layer 2 throughput can be achieved
    > - which IOS version is required to support these features.
    >
    > tia
    >
    > PS. main software requirement for me is to be able
    > to pass traffic to specific boxes over layer 2 instead
    > of through the routing engine, so that I can achieve
    > better throughput.
    >



    If you want stateful firewalling, you're looking at (probably) a
    6509+FWSM, for MPLS you'll need better than a Sup2, probably Sup720.
    That will take up 3 modules (4 if you want redundant Supervisors)
    leaving 6 (or 5) for interface blades, (48 port 10/100s or 16 port
    1000s) is about the best you'll do but you'll need to do your sums based
    on module and chassis ratings to work out how oversubscribed you are in
    bandwidth (ie. you can't drive 6 blades of 16 gigabit ports at full
    gigabit speed, you want to get closer to that you need to ditch Cisco
    and go Juniper or Nortel). Throughput depends on an awful lot of
    variables, difficult to estimate without more details.

    Basic BGP should be fine with this setup, but if you're getting a full
    Internet BGP table you'll need a metric arse-load of RAM in the
    Supervisor module to cope. Might be better off pushing the BGP to a
    dedicated router in this case.

    M.
    Mark Lar, Jan 6, 2005
    #3
  4. Mark Lar

    Mark Lar Guest

    Walter Roberson wrote:

    > In article <>,
    > raptor <> wrote:
    > :Could you point me to the exact "number/series" of router.
    > :I want a router+switch combo that supports:
    > :- MPLS
    > :- stateful firewalling
    > :- BGP
    >
    > According to the Feature Navigator (which usually has incomplete
    > information):
    >
    > models: 2691, 2811, 2821, 2851, 3640, 3660, 3725, 3825, 3845,
    > 7301, 7304-NPE-G100, 8850RPM-PR
    >
    > series: 7100, 7200, 7400, 7500,
    > 7600-SUP720/MSFC3, CAT5000+RSM, CAT6000+MSFC2,
    > CAT6000/SUP1+MSFC2, CAT6000/SUP2+MSFC2, CAT6000/SUP720+MSFC3
    >
    >
    > :then about it I want to know approx.:
    >
    > :- how many 100Mb and 1Gb ports
    >
    > Well, let's see... on a fully populated CAT6500, you could have
    > up to 576 gigabit ports, and up to 1152 100 Mb ports. Is that enough?
    >
    > :- what layer 3 throughput can be achieved
    >
    > Some of those devices are wire speed when appropriately configured.
    >
    > :- what layer 2 throughput can be achieved
    >
    > Some of those devices are wire speed when appropriately configured.
    >
    > :- which IOS version is required to support these features.
    >
    > 12.0(1)T and later on the 3640. 12.3(11)XL or 12.3(11)T for the 3845.
    >
    >
    > :then about it I want to know approx.:
    >
    > That's a dozen different individual models plus 10 different series
    > each with several different models. And the throughputs of the modular
    > devices are going to depend upon the details of the configuration.
    > For many of the devices I listed, the firewalling part could slow down
    > the throughput noticeably, especially if you have a lot of
    > NBAR inspection. The 28xx and 38xx series are supposed to be able
    > to handle many combinations of features without slowing down.
    >
    >
    > For more information... please feel free to read the
    > datasheets on cisco.com, cuz looking up all that information
    > would take a few days work.
    >
    > Did I mention that Cisco lists a couple of dozen different
    > MPLS features, not all of which are supported on all platforms?
    > But you neglected to tell us what you want out of MPLS.
    >
    >
    > I almost said that I can't believe that someone would specify a
    > critical network device by such meager criteria, but then I
    > remembered having encountered an even more vague but
    > serious specification.

    Hmmm, seems like you're right, this is carrier-grade stuff we're talking
    about, so surely if you're working for a carrier you have a "serious"
    Cisco contract and have Cisco lackeys on hand to answer these types of
    questions.
    Mark Lar, Jan 6, 2005
    #4
  5. raptor

    raptor Guest

    thanks a lot for the info,
    the question was broader so that I can figure out
    what class of router I will need...
    I've browsed the Cisco site and what I read was very "vague"
    i.e. it was mentioned that I need a switch + router + some additional
    module on the switch to support MPLS, then there are several different
    variations.
    As you said (sorry), now I will try to be more specific:

    On the stateful firewall part I don't need a lot of speed, I think
    ability to scale up to ~100Mb will do it well at the moment.. and
    probably up to 100-200 access-lists.
    (I use a Linux router at the moment but I want to offload firewall
    responsibility from it 'cause I use it as a shaper, on the other hand
    I don't want to add another hop)

    For the BGP part I need just a basic setup.

    About the number of ports: currently around 24 x 100Mb + 2 x 1Gb, soon I
    will need some more.

    Now the hardest part, I need an MPLS enabled router/switch, so that I can
    redirect traffic to specific boxes through Layer 2 i.e. I want all
    traffic from/to these boxes not to be passed to the GW, but hijacked by
    the switch/router in the middle of the path.
    (simplified picture, sw/router is transparent, everything goes through
    GW, one physical net, many layer 3 nets, hmm I can't picture it !!!
    sorry)


    VOIP will be used, but the switch/router is not the bottleneck here.
    this is in short..
    raptor, Jan 6, 2005
    #5
  7. In article <>,
    raptor <> wrote:
    :Now the hardest part, I need an MPLS enabled router/switch, so that I can
    :redirect
    :traffic to specific boxes through Layer 2 i.e. I want all traffic from/to
    :these boxes not to be passed to the GW, but hijacked by the switch/router
    :in the middle of the path.
    :(simplified picture, sw/router is transparent, everything goes through
    :GW, one physical net, many layer 3 nets, hmm I can't picture it !!!
    :sorry)

    Hmmm, could you rephrase that? It seems a bit contradictory to me
    as phrased.

    Does selection for redirection have to happen according to the
    MAC address, or could it happen according to the source IP address?

    What should happen to the redirected data? You say that it
    should not be passed to the 'GW', but 'GW' meaning 'gateway'
    is a layer 3 abstraction, not a layer 2. That and your reference
    to 'many layer3 nets' suggests to me that you do not need a layer 2
    redirection but rather a layer 3 redirection. If that's the case
    then you don't need MPLS at all, just plain policy routing
    (PBR, Policy Based Routing)


    :About the number of ports currently around 24 x 100Mb + 2 x 1Gb, soon I
    :will need some more.

    The 3845 with two 9-port EtherSwitch HWICs comes pretty close
    to your needs, except in not having as many ports as you were
    asking for. Perhaps it would make sense in your architecture to
    put two 3845's in?

    I haven't looked up the specs for HWICs to see whether 9 x 100 would
    be oversubscribing the available bandwidth or not.


    If your requirements are definitely for more than 24 ports in a single
    chassis (instead of spreading the load over multiple chassis)
    then if I recall properly you could meet your specs with
    a refurbished Cat5000 with RSM module and gigabit module. I'm
    not certain, though -- I have not looked up the backplane figures
    on the 5000 recently. The feature navigator says you could
    get PBR, Firewall, and BGP4 in a CAT4000+AGM (that wasn't
    one of the combinations that supported MPLS by the way). I
    have never looked up the specs on the AGM.

    A couple of months ago, I did look through the specs on the
    CAT450x line, and found that it was able to handle gigabit
    wire-rate across the backplane, if you put in a SupIV or SupV
    and watched out that you didn't oversubscribe the backplane.
    The figure that comes to mind is 6 Gbps, which would be a
    4:1 or 8:1 oversubscription if you tried to use all of the 24
    or 48 port gigabit card across the backplane. Even the
    4503 with SupII+TS could handle gigabit , but the backplane of
    the 4503 is relatively limited -- the 4503 chassis forces the
    cards to work quite differently than in any of the other 450x
    series. Not good over the long-term. But in any case, the
    cisco Feature Navigator doesn't list that as one of the
    possibilities. Drawing further on my memories (and keep in
    mind that I've been up close to 24 hours now), the 4000 series
    didn't support the Firewall Feature Set.

    I seem to recall that the End of Sale has been announced
    on the CAT5000 series.

    A CAT6000 with Sup720 would almost certainly be fast enough for your
    stated purposes -- it's fast, but I don't know the extent to which
    firewalling would slow it down [probably not much.]. Watch out for
    the way they calculate the aggregate forwarding rate, though -- you
    can't get their aggregate figure across the backplane simultaneously!
    The problem with the CAT6000+Sup720 is its price, especially if
    you go redundant power supply and redundant 720 -- the maintenance
    cost alone would be more than the cost of buying a new 3845 every year
    [excluding the option cards perhaps.] You can get 5 Gbps of
    firewalling per optional Firewall Services Module for the 6500 series...
    a quick glance at prices on the net gives a range of $US21K to $US27K
    for each of those.
    --
    The image data is transmitted back to Earth at the speed of light
    and usually at 12 bits per pixel.
    Walter Roberson, Jan 6, 2005
    #7
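    Post #7 points at plain policy-based routing (PBR) rather than MPLS for a
    layer 3 redirection, and the thread's last post asks for a different
    default gateway depending on the incoming interface. The configuration
    below is an added example by the editor, not from the thread, from Cisco
    documentation or from any real device: an IOS router (the 28xx/38xx class
    discussed above) steering two segments to two different next hops.
    Interface names, addresses, next hops and ACL names are assumptions.

```cisco
! Added example (editor's, not from the thread): IOS router PBR.
! Interface names, addresses, next hops and ACL names are assumptions.
!
! Segment A enters here. Strict uRPF rejects packets whose source is not
! reachable back out this interface, so a host cannot steer itself into
! another segment's policy by spoofing its source address.
interface FastEthernet0/0
 description segment A (10.10.20.0/24)
 ip address 10.10.20.1 255.255.255.0
 ip verify unicast source reachable-via rx
 ip policy route-map FROM-SEGMENT-A
!
interface FastEthernet0/1
 description segment B (10.10.21.0/24)
 ip address 10.10.21.1 255.255.255.0
 ip verify unicast source reachable-via rx
 ip policy route-map FROM-SEGMENT-B
!
! Shared segment holding the two high-throughput boxes of the thread's
! scenario; they double as the per-segment gateways in this example.
interface GigabitEthernet0/0
 description towards 10.10.10.1 and 10.10.10.2
 ip address 10.10.10.254 255.255.255.0
!
! Match on source prefix only. PBR is evaluated for every packet entering
! the policed interface, before the routing table, so keep the ACLs tight.
ip access-list extended SRC-SEGMENT-A
 permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended SRC-SEGMENT-B
 permit ip 10.10.21.0 0.0.0.255 any
!
! 'set ip default next-hop' is used only when the routing table has no
! explicit (non-default) route to the destination, so it acts as a
! per-interface default gateway and leaves connected and explicitly
! routed destinations alone. 'set ip next-hop' would override the table
! for every matching packet, which is the "redirect to that box" case.
route-map FROM-SEGMENT-A permit 10
 match ip address SRC-SEGMENT-A
 set ip default next-hop 10.10.10.1
!
route-map FROM-SEGMENT-B permit 10
 match ip address SRC-SEGMENT-B
 set ip default next-hop 10.10.10.2
!
! A packet matching no sequence, or matching a 'deny' sequence, is routed
! normally by the routing table; PBR never drops on its own.
!
! Checks:
!   show ip policy        - route-map bound to each interface
!   show route-map        - per-sequence match counters increment
!   debug ip policy       - per-packet decisions (lab only)
!
! Caveat: hardware-switched Catalyst platforms (3550/3750) support only a
! subset of the PBR match/set clauses and need the routing SDM template;
! check the platform guide before reusing this on a switch.
```

    Two things a practitioner should keep in mind: the redirection is keyed on
    the source ACL, so without the uRPF check a host on segment B could claim a
    segment A address and be forwarded along segment A's policy; and the
    policy is consulted before the routing table, so any later routing change
    does not undo it. `show route-map` counters are the quickest way to see
    that the intended traffic, and only that traffic, is being policy routed.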
  8. BradReeseCom

    BradReeseCom Guest

    BradReeseCom, Jan 9, 2005
    #8
  9. raptor

    raptor Guest

    ok let me rephrase it..:")
    My setup is not exactly this, but it will explain what I need.
    Let's say I have 2 high throughput boxes with addresses (e.g. ftp's)
    10.10.10.1 and 10.10.10.2.
    Then I have 10 x class C networks say from 10.10.20.0 to 10.10.30.0.
    Then I think if all this goes through the routing engine it will bog the
    router down, so I want the traffic to these boxes to go through Layer 2
    (i.e. MPLS).

    as I said this is a simplified version, but it explains it.
    Keep in mind I haven't used MPLS, just judging from what I read that
    this is the solution.
    raptor, Jan 9, 2005
    #9
  10. In article <>,
    raptor <> wrote:
    :My setup is not exactly this, but it will explain what I need.
    :Let's say I have 2 high throughput boxes with addresses (e.g. ftp's)
    :10.10.10.1 and 10.10.10.2.
    :Then I have 10 x class C networks say from 10.10.20.0 to 10.10.30.0.
    :Then I think if all this goes through the routing engine it will bog the
    :router down,
    :so I want the traffic to these boxes to go through Layer 2 (i.e.
    :MPLS)

    :as I said this is a simplified version, but it explains it.

    I -think- you are saying that you have a local LAN with a number
    of hosts, that all of the devices will [likely] be connected to the same
    device, that you have a number of different networks, and that
    your -functional- requirement is not really "Layer 2" (e.g., you
    aren't concerned about distributing broadcasts or non-routable
    protocols), but rather that you need some method of high-speed
    routing.

    What I have understood from your posting is that you have been
    investigating MPLS based, to a great extent, upon Cisco's marketing
    blurb for MPLS that says,

    "Cisco IOS(R) Multiprotocol Label Switching (MPLS) fuses the
    intelligence of routing with the performance of switching."

    What you have missed in this is that MPLS does not gain switching
    speeds *within one device*. MPLS requires that the edge device (LER)
    classifies each packet with an MPLS tag; then further devices (LES)
    down the path switch based upon the MPLS tag instead of "routing". But the
    devices along the path still need to examine the tag, and still need to
    make conditional forwarding decisions, so the situation is really
    little different than that which is possible to CEF/dCEF, except that
    you can send non-IP data through MPLS, and you can't be sure that
    everything along an internet path is going to use a technology
    equivalent to CEF. But then, you can't be sure that everything
    along an internet path is going to pay attention to the MPLS label
    either.

    If you were running all your hosts on one device, then if each of your
    several networks was coming into a unique port, and you want all data
    for the same network to be treated equivalently, then potentially there
    could be a fast label decision which just assigned a static MPLS label
    based upon the input port number, and then forwarded the packet to a
    fixed egress port. What I gather from your postings, though, is that
    there would be two possible egress ports (the two high-speed boxes)
    that need to be distinguished by destination (you don't want the same
    traffic forwarded to both, though you might want it load-shared between
    the two), so the Layer 3 header at least (and possibly Layer 4 as well)
    would have to be examined as part of the classification procedure.
    Clearly if any Layer 3 or Layer 4 decision is involved, the process
    will be no faster than the same equipment could make a routing
    decision. Conversely, if the label depends only upon which switch port
    the traffic entered on, then the process will be no faster than the
    same equipment could make an 802.1Q VLAN tag assignment.

    When you go to deliver the traffic to the servers, the MPLS label
    has to be stripped off before delivery, unless the servers are
    MPLS-aware, which is not at all common. It is much more common
    for a server to be 802.1Q VLAN aware.

    Now let us consider the return traffic. As the return traffic
    will originate with only 1 or 2 ports, and might be destined for
    any of the other ports, the return traffic will clearly have to
    undergo Layer 3 or Layer 4 analysis in order to decide which
    MPLS label to assign to it. Again, this process will be no faster
    than the same device could perform a routing decision. The device
    would then distribute the packet to the appropriate egress port queue,
    strip off the MPLS label, and transmit. If the labeling decision comes
    down to a pure layer 3 decision, one subnet <-> 1 destination port,
    then one could have saved the trouble and expense of MPLS by
    going for an 802.1Q aware switch and using an 802.1Q trunk to the
    server and having the server perform the routing decision and put in
    the appropriate 802.1Q VLAN tag.


    I suggest that you have a look at some MPLS tutorials, such as those at
    http://www.convergedigest.com/Bandwidth/archive/010910TUTORIAL-rgallaher1.htm
    You will see that MPLS doesn't really gain you much over simple IP
    ToS-based QoS until you have multiple hops (or until you need
    more than the 8 levels of priority that the IP ToS field
    can signal... but then there are the priority fields available
    in 802.1Q tags...)


    If it weren't for the Stateful Firewall requirement that you
    indicated earlier, I would suggest that you should simply go
    for a Cisco 3750G MultiLayer Switch: they are rated to handle gigabit
    line rate Layer 3 simultaneously on all ports. The largest
    3750G currently is 24 ports of 10/100/1000 TX, plus 4 SFP ports
    (modular gigabit connectors in the same vein as GBICs),
    but the 3750/3750G is stackable, with a forwarding bus that runs at
    32 Gbps (shared amongst all the 3750/3750G in the stack.)

    NB: the 3750G series has varying quantities of 10/100/1000 or
    pure gigabit ports; the 3750 non-G series has varying quantities
    of 10/100 and [SFP or GBIC] gigabit ports, and is available in
    up to 48 ports; the 3750 and 3750G can stack together. There are
    also the 2950 (Layer 2) and 3550 (multilayer) series that are
    in the same family. The differences between the 3550 and 3750 non-G
    are fairly subtle; for your purposes, with your BGP requirement,
    I would suggest the WS-C3750G-24TS-E or WS-C3750G-24T-E
    (the 24TS has 4 SFP ports where the 24T has none.)

    But the 2950/3550/3750* series do -not- have stateful firewall
    available, only varying degrees of support for Layer 2 or Layer 3
    ACLs (and varying numbers of QoS classifiers and policers). The
    3750 with Enhanced Image does support BGP; I don't recall for sure
    off the top of my head whether the 3550 with Enhanced Image supports
    BGP, but I believe it does.
    --
    I wrote a hack in microcode,
    with a goto on each line,
    it runs as fast as Superman,
    but not quite every time! -- Don Libes et al.
    Walter Roberson, Jan 9, 2005
    #10
  11. raptor

    raptor Guest

    thanks a lot... now I have a better picture..
    It seems the 3750x will do fine, will have to check
    cisco.com for details..
    Probably I can miss the stateful firewall :")
    (I wanted it primarily to offload the shaper anyway,
    Linux does much better than Cisco at this)

    From what I understand I may not use MPLS,
    but just use routing (and it will handle everything at wire speed)
    Yes I will really use only one router/switch and both the
    highspeed boxes and the rest of the networks will be connected
    to it.

    My next question is:

    - Can I group several interfaces to act as one logical interface?
    - What is the maximum number of secondary addresses that can
    be applied to an interface? (logical if possible)

    What I want to do is many networks under many interfaces, but not
    one class-C net behind one physical interface i.e. I want all
    ip-networks mixed.
    Ex.:
    10.10.20.5 and 10.10.23.56 can be behind int f5/0, and 10.10.23.13 and
    10.10.20.66 behind int f9/0 !
    If I can create one logical interface that encompasses them (probably
    via VLAN)?!
    raptor, Jan 10, 2005
    #11
  12. In article <>,
    raptor <> wrote:
    :My next question is :

    [on the 3750 series]

    :- Can I group several interfaces to act as one logical interface ?

    Yes. The 3550 and 3750 support EtherChannel, Fast EtherChannel,
    and Gigabit EtherChannel.

    http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094647.shtml

    Or were you referring to bridging? The 3550/3750 support that too.


    :- What is the maximum number of secondary addresses that can
    :be applied to interface ? (logical if possible)

    Hmmm, I don't know that. It probably depends on the amount of
    available memory you have. If it helps, the configuration guide says,

    There is no defined limit to the number of SVIs and routed ports
    that can be configured in a switch stack. However, the
    interrelationship between the number of SVIs and routed ports and
    the number of other features being configured might have an impact
    on CPU usage because of hardware limitations.


    :What I want to do is many networks under many interfaces, but not
    :one class-C net behind one physical interface i.e. I want all
    :ip-networks mixed.
    :Ex.:
    :10.10.20.5 and 10.10.23.56 can be behind int f5/0, and 10.10.23.13 and
    :10.10.20.66 behind int f9/0 !
    :If I can create one logical interface that encompasses them (probably
    :via VLAN)?!

    I can't think of any reason that couldn't be done. Sounds like
    a normal application of creating a vlan, assigning a bridge-group to
    it and ip address(es) to it, and putting ports into the bridge-group .


    By the way, I thought of something that might influence your
    decision about going with the 3550/3750: neither device supports
    NAT (Network Address Translation.) The 3550 and 3750 with Enhanced
    Image can do quite a lot, but they don't do NAT and they don't
    do GRE tunnels... I do not recall at the moment if they support loopback
    interfaces.
    --
    Are we *there* yet??
    Walter Roberson, Jan 10, 2005
    #12
  13. raptor

    Guest

    Hello-

    Information Data Products Corp. is a reseller of new & secondary market
    Cisco hardware as well as various other manufacturers. I believe we can
    help you with your requirement, and save you a lot of money in the
    process. Please email me or call me when you receive this. Thank you
    again.

    Kevin Wendolowski
    Information Data Products Corp.
    800-362-3770 Ext. 23

    AIM: kwIDPC
    raptor wrote:
    > hi,
    >
    > Could you point me to the exact "number/series" of router.
    > I want a router+switch combo that supports:
    > - MPLS
    > - stateful firewalling
    > - BGP
    >
    > then about it I want to know approx.:
    >
    > - how many 100Mb and 1Gb ports
    > - what layer 3 throughput can be achieved
    > - what layer 2 throughput can be achieved
    > - which IOS version is required to support these features.
    >
    > tia
    >
    > PS. main software requirement for me is to be able
    > to pass traffic to specific boxes over layer 2 instead
    > of through the routing engine, so that I can achieve
    > better throughput.
    , Jan 10, 2005
    #13
  14. raptor

    raptor Guest

    aha.... :") I think bridge-group is what I wanted.. i.e.
    a number of ports (of the 3750G) to act as a pseudo bridge/switch
    connected to one real 3750G port which has many IP addresses....
    Otherwise I will have to buy a separate switch for this..

    I don't need NAT.
    I think 20-30 secondary IP addresses will be ok.

    thanks again.
    raptor, Jan 10, 2005
    #14
  15. In article <>,
    raptor <> wrote:
    :aha.... :") i think bridge-group is what i wanted.. i.e.
    :number of ports (of the 3750g) to act as a pseudo bridge/switch
    :connected
    :to one real 3750g port which have many IP addresses....

    I've just looked at my 3750G configuration (warning: I don't
    have it in testing yet, so something might change.) I did
    use a bridge-group but for a different reason entirely.

    What you will want to do for your purposes is just create
    a vlan, then set it's mode to 'active' (default is, as I recall,
    inactive but not 'shutdown'); these are via the 'vlan' command.
    The 'vlan' command will *not* show up in your configuration when
    you 'show run' -- the vlan database is configured a different
    odd way that doesn't show up in the IOS configuration.

    Before or after using the 'vlan' command, you can configure
    the vlan interface at the IOS level, giving it IP characteristics.
    It perhaps makes more logical sense to create the vlan first before
    using the 'interface' command to give it characteristics, but in
    my experience you can do it in either order.

    Once you have created the vlan and given characteristics to the
    vlan interface, you can assign ports to be part of the vlan.
    I do not recall the exact command for that at the moment [it was
    another long night.] I see from my configuration that I have, e.g.,
    switchport access vlan 104
    in my 'interface' configuration, but I seem to recall it being
    more complicated than that. For a trunk, you would have
    switchport trunk encapsulation dot1q
    and the membership within the vlans does -not- show up at the
    "show run" level. The mojo goes on with the 'vlan' command
    if I recall correctly.

    All the ports that you assign into a vlan are implicitly switched
    together for the purposes of that vlan. If you assigned an IP
    address to the vlan then the vlan will take part in routing.

    There is a role for bridge-groups, but that role has to do with
    "fallback" switching. If the switch receives non-IP layer 2 traffic
    [such as IPX] then you need to be able to specify which ports or
    vlans the traffic should be distributed to; you do that by
    putting the ports and/or vlans into the same bridge-group.

    In my particular case, I have some vlans coming off Nortel
    switches, which are able to place traffic from the same
    port in different vlans according to protocol. I have separate
    vlans for IPX 802.2, IPX 802.3, and various IP based vlans.
    There is no point in allowing the IPX traffic to be sent to
    ports which have attached devices that can't run IPX, and at the
    same time IPX ignores layer 3 boundaries so IPX traffic from one
    port might need to go to another even though they are in different
    IP vlans. [I'm using vlans for efficiency in this case, not for
    security.] Anyhow, these vlans are non-IP vlans, but they can
    be received on the trunks from the Nortel switches even if
    the 3750 doesn't have equivalent ways of classifying according
    to protocol [I think... maybe using layer 2 acls...] so I use
    bridge-group statements to do fallback-bridging to send the
    traffic to the appropriate places. The 'bridge-group' statement
    is not meant to take the place of VLANs: bridge-group applies
    to non-IP traffic only.


    One tidbit: on the 3550 and 3750, you can effectively segment
    vlans to specify which ones will route with which other ones;
    for example, you might want to do that if you had different
    customers on the same switch who were using the same interior
    IP address ranges. I haven't played with this feature at all yet.

    --
    millihamlet: the average coherency of prose created by a single monkey
    typing randomly on a keyboard. Usenet postings may be rated in mHl.
    -- Walter Roberson
    Walter Roberson, Jan 10, 2005
    #15
  16. raptor

    Hansang Bae Guest

    On 10 Jan 2005 14:05:15 -0800, "raptor" <> wrote:

    >aha.... :") i think bridge-group is what i wanted.. i.e.
    >number of ports (of the 3750g) to act as a pseudo bridge/switch
    >connected
    >to one real 3750g port which have many IP addresses....
    >Otherwise I will have to buy separate switch for this..
    >
    >I don't need NAT.
    >I think 20-30 secondary ip addresses will be ok.
    >


    Why use bridge-groups? Can't you just use VLANs with dot1q
    subinterfaces?



    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    ********************************************************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Jan 11, 2005
    #16
  17. In article <>,
    Hansang Bae <> wrote:
    :Why use bridge-groups? Can't you just use VLANs with dot1q
    :subinterfaces?

    Cuz I offered him incorrect advice a couple of postings up
    that mentioned bridge-groups. I haven't had much chance to play with
    my 3750 yet, remembered that I'd put in a bridge-group, and then
    my brain farted over to the old days of C2948G-L3 configuring
    with srb.

    --
    When your posts are all alone / and a user's on the phone/
    there's one place to check -- / Upstream!
    When you're in a hurry / and propagation is a worry/
    there's a place you can post -- / Upstream!
    Walter Roberson, Jan 11, 2005
    #17
  18. raptor

    raptor Guest

    One last question, I hope :")
    Is there the ability to route traffic (L3) based on the incoming interface?
    I want to have a different default GW depending on which
    interface the traffic is coming from, or am I asking too much.

    (probably i will be able to workaround this, but it will be good
    to have it)
    raptor, Jan 11, 2005
    #18
  19. In article <>,
    raptor <> wrote:
    :One last question, I hope :")
    :Is there the ability to route traffic (L3) based on the incoming interface?
    :I want to have a different default GW depending on which
    :interface the traffic is coming from, or am I asking too much.

    It appears not, at least not in 12.2(18)SE [there have been a couple
    of releases since then.]

    http://www.cisco.com/en/US/products...on_guide_chapter09186a00801f615b.html#1228588

    The important points there are that policy routing has to be
    enabled on a Layer 3 interface, which means either an interface
    that has been given a direct IP address, or else on a vlan as
    a whole that has been given an IP address. There is no way to
    put in different route maps for ports which are members of
    the same vlan, and the conditions that you can match against
    in creating a route-map do not include testing which interface
    the packet was received upon.

    The closest you could come to this would be if you were able to
    distinguish the interfaces by the IP source addresses.
    For example if you knew that 10.12.50.17 was on the interfaces
    you were interested in changing the routing behaviour for,
    but you did not want the same gateway-changing for other interfaces
    in the same vlan, then you could create an access list that matched
    that ip and set the next hop, and apply the route map to the entire vlan.


    Also note this point:

    To use PBR, you must first enable the routing template by using the
    sdm prefer routing global configuration command. PBR is not
    supported with the VLAN or default template.

    The table at
    http://www.cisco.com/en/US/products...tion_guide_chapter09186a00801f6160.html#88774
    lists the hardware limits of the various templates. As a brief
    summary, with the 'routing' template, you give up about 3 K MAC
    address entries (leaving 3 K) in favour of more potential routes
    and in favour of allowing policy-based routing Access Control Entries.
    The hardware limit is 512 entries total over all access-lists used
    to select differing routes.

    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
    Walter Roberson, Jan 11, 2005
    #19
  20. raptor

    raptor Guest

    Hmm.. in this case what I really need is probably to route not
    necessarily by incoming interface but by the vlan
    from which the packet is coming..
    I can do this by a normal access-list, but the networks
    that I want to describe will grow, currently ~30.
    That is why I'm searching for a solution not based on the
    source ip-address but on the incoming vlan and/or interface.
    raptor, Jan 14, 2005
    #20
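A worked 3750 configuration for the two approaches Walter outlines in #19 (route-map applied to the whole VLAN, source host selected by access list) and the per-VLAN case raptor asks about in #20, added here as an example rather than taken from the thread. It assumes SVIs Vlan10 and Vlan20, the host 10.12.50.17 from post #19, and placeholder next-hop addresses 192.0.2.1 and 192.0.2.2; everything else follows the commands quoted in the thread.

```cisco
! Added example (not from the thread). Assumed: SVI Vlan10 at
! 10.12.50.1/24 holding host 10.12.50.17 (from post #19), SVI Vlan20
! at 10.20.0.1/24, and placeholder next hops 192.0.2.1 / 192.0.2.2.
!
! PBR needs the routing SDM template (takes effect after a reload).
sdm prefer routing
!
! Post #19: only traffic sourced from 10.12.50.17 gets the alternate
! next hop; everything else in VLAN 10 follows the routing table.
ip access-list standard PBR-HOST-17
 permit host 10.12.50.17
!
route-map PBR-VLAN10 permit 10
 match ip address PBR-HOST-17
 set ip next-hop 192.0.2.1
!
interface Vlan10
 ip address 10.12.50.1 255.255.255.0
 ip policy route-map PBR-VLAN10
!
! Post #20: the policy attaches to the SVI, so "which VLAN did this
! come from" is implied by where the route-map is applied; the ACL
! does not have to list all ~30 source networks. Locally routed
! destinations are excluded first, because 'set ip next-hop'
! overrides the routing table for every packet it matches.
ip access-list extended PBR-VLAN20-NONLOCAL
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
route-map PBR-VLAN20 permit 10
 match ip address PBR-VLAN20-NONLOCAL
 set ip next-hop 192.0.2.2
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip policy route-map PBR-VLAN20
!
! Verification. Entries in these lists count against the 512-ACE
! PBR limit mentioned in post #19.
! show sdm prefer
! show ip policy
! show route-map PBR-VLAN20
```

Packets that hit the deny entry (or match no route-map clause) are simply routed by the normal table, so inter-VLAN traffic on the switch is unaffected while everything leaving the site from VLAN 20 goes to 192.0.2.2.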