Inter-VLAN Routing Cisco 3550 SMI

Discussion in 'Cisco' started by SmilerNet, Sep 26, 2004.

  1. SmilerNet

    SmilerNet Guest

    Hello,

    We are considering using the above for our shared services backbone switch
    within the building approx. 100 low key users (not all the same company
    though)

    The proposed config will be:

    VLAN1 - Shared central server running Microsoft Small Business Server for
    file store & email & other servers

    VLAN2 - Telephone voicemail system & PABX logging

    VLAN3 - Building management system

    VLAN4 onwards - each company within building will have their own VLAN.

    There will be a default gateway setup for shared internet access.

    Bearing the proposed config will the 3550 suffice doing the routing between
    VLANs with sufficient bandwidth?

    There will be various tenants within the building; all will be sharing the
    server & internet facilities, basically the VLANs are there to separate
    everyone obviously for security reasons.

    Any other suggestions or things I should be aware of??

    Thanks

    Craig
     
    SmilerNet, Sep 26, 2004
    #1

  2. SmilerNet wrote:

    > We are considering using the above for our shared services backbone switch
    > within the building approx. 100 low key users (not all the same company
    > though)


    > Bearing the proposed config will the 3550 suffice doing the routing between
    > VLANs with sufficient bandwidth?


    3550 will route wire-speed, but with SMI image, You'll have only static and
    RIP dynamic routing. It should suffice, as all logical interfaces (VLANs)
    will be added to route table when You define them ("connected" in Cisco
    terminology), and You'll need only to add a static default route.

    > Any other suggestions or things I should be aware of??


    Establish good security policy, add ACLs filtering all typical trash
    at the borders of the VLANs, maybe rate-limit ICMP (possibly UDP also)
    to some real numbers (1/2/3Mbit/s should sound sane for typical
    Internet access).

    --
    this space was intentionally left blank | Łukasz Bromirski
    you can insert your favourite quote here | lukasz:bromirski,net
     
    Łukasz Bromirski, Sep 26, 2004
    #2
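    As an added example (not from the thread), this is what the reply above amounts to on a 3550 SMI: one SVI per VLAN, a single static default route, and an ICMP policer on a tenant access port. VLAN numbers, addresses, the port and the policing rate are assumed.

```cisco
! Added example, not from the thread. VLAN numbers, addresses, the
! port and the policing rate are assumed.
ip routing
!
vlan 2
 name voice
vlan 3
 name bms
vlan 10
 name tenant-a
!
! One SVI per VLAN; each shows up in "show ip route" as connected.
interface Vlan1
 description shared SBS server / Internet gateway segment
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
! The only static route needed: default toward the Internet router,
! assumed to sit on VLAN 1 at 10.0.1.254.
ip route 0.0.0.0 0.0.0.0 10.0.1.254
!
! ICMP rate limit on a tenant access port, roughly 1 Mbit/s with an
! 8000-byte burst. Caveat: "mls qos" makes every port untrusted and
! rewrites DSCP/CoS to 0 unless trust is configured, which matters
! for the voice VLAN ports.
mls qos
ip access-list extended ICMP-ANY
 permit icmp any any
class-map match-all ICMP
 match access-group name ICMP-ANY
policy-map LIMIT-ICMP
 class ICMP
  police 1000000 8000 exceed-action drop
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 service-policy input LIMIT-ICMP
```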

  3. SmilerNet

    Sam Wilson Guest

    In article <cj78k3$6gd$>, Łukasz Bromirski
    <> wrote:

    > SmilerNet wrote:
    >
    > [snip]
    > > Any other suggestions or things I should be aware of??

    >
    > Establish good security policy, add ACLs filtering all typical trash
    > at the borders of the VLANs, maybe rate-limit ICMP (possibly UDP also)
    > to some real numbers (1/2/3Mbit/s should sound sane for typical
    > Internet access).


    A 3550 is quirky for ACLs - the hardware filtering space (in TCAM) is
    limited, individual access terms use unpredictable amounts of space and
    when the TCAM overflows it happens asynchronously - you apply an ACL and
    then you have to wait a few and look in the log to see if it
    overflowed. I've only used the EMI version so I don't know if there
    are other issues with the SMI in this area.

    Sam
     
    Sam Wilson, Sep 29, 2004
    #3
  4. Sam Wilson wrote:

    > A 3550 is quirky for ACLs - the hardware filtering space (in TCAM) is
    > limited, individual access terms use unpredictable amounts of space and
    > when the TCAM overflows it happens asynchronously - you apply an ACL and
    > then you have to wait a few and look in the log to see if it
    > overflowed.


    Yes, as always, to be fully prepared, You have to read and understand:
    http://www.cisco.com/warp/public/473/145.pdf

    > I've only used the EMI version so I don't know if there are other
    > issues with the SMI in this area.


    Apart from 3550-12G/3550-12T, all other models can run both SMI and EMI,
    and they share the same hardware. EMI just adds some features, but doesn't
    remove any hardware limitations.

    --
    this space was intentionally left blank | Łukasz Bromirski
    you can insert your favourite quote here | lukasz:bromirski,net
     
    Łukasz Bromirski, Sep 29, 2004
    #4
  5. SmilerNet

    Jo Knight Guest

    > > I've only used the EMI version so I don't know if there are other
    > > issues with the SMI in this area.

    >
    > Apart from 3550-12G/3550-12T, all other models can run both SMI and EMI,
    > and they share the same hardware. EMI just adds some features, but doesn't
    > remove any hardware limitations.



    I also think that the SMI software doesn't have access to the
    'access-group' command, so you cannot apply the access-list to an
    interface.

    I had to get round it by using vlan-maps to control access between
    VLANs on the 3550.
     
    Jo Knight, Sep 30, 2004
    #5
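    An added example of the vlan-map approach Jo describes, not code from the thread: a VLAN access-map on a tenant VLAN that lets the tenant talk to its own subnet, the shared server VLAN and the Internet, but drops traffic between it and any other internal VLAN. Addresses, VLAN numbers and map names are assumed.

```cisco
! Added example, not from the thread. Assumed: tenant A is VLAN 10
! (10.0.10.0/24), shared server + gateway VLAN 1 (10.0.1.0/24), and
! every other building VLAN lives inside 10.0.0.0/16.
!
! The ACLs are match criteria only: "permit" means "this clause
! matches", the action comes from the map entry.
ip access-list extended TENANT-A-ALLOWED
 remark own subnet, and both directions to the shared server VLAN
 permit ip 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.0.10.0 0.0.0.255
ip access-list extended INTERNAL-TO-INTERNAL
 remark anything else between building VLANs (other tenants, voice, BMS)
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
! A VLAN map checks packets bridged within, routed into, or routed
! out of VLAN 10, in sequence order; the first matching clause wins,
! so the intra-VLAN permit must precede the internal drop. A clause
! with no match statement matches everything left over (here: traffic
! to and from the Internet, which the default gateway handles).
vlan access-map TENANT-A 10
 match ip address TENANT-A-ALLOWED
 action forward
vlan access-map TENANT-A 20
 match ip address INTERNAL-TO-INTERNAL
 action drop
vlan access-map TENANT-A 30
 action forward
!
! Apply to VLAN 10 only; every tenant VLAN gets its own map.
vlan filter TENANT-A vlan-list 10
!
! Verify, then watch the log for the TCAM overflow Sam mentions:
!   show vlan access-map TENANT-A
!   show vlan filter
```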
  6. SmilerNet

    Sam Wilson Guest

    In article <cjf66s$h1n$>, Łukasz Bromirski
    <> wrote:

    > Sam Wilson wrote:
    >
    > > A 3550 is quirky for ACLs - ...

    >
    > Yes, as always, to be fully prepared, You have to read and understand:
    > http://www.cisco.com/warp/public/473/145.pdf


    That document will tell you in principle why your ACL isn't compiling
    but doesn't give very much advice except "make your ACL smaller". At
    one point colleagues here using the pre-12.1(9)EA1 merge algorithm
    (sorry folks, if you don't understand you'll have to read the document)
    had a one-line ACL that overflowed the TCAM. It seems to be almost
    impossible to give any useful advice to avoid that kind of thing
    happening.

    Sam
     
    Sam Wilson, Sep 30, 2004
    #6
  7. SmilerNet

    brambi Guest

    Sam Wilson wrote:

    > In article <cj78k3$6gd$>, Łukasz Bromirski
    > <> wrote:
    >
    >> SmilerNet wrote:
    >>
    >> [snip]
    >> > Any other suggestions or things I should be aware of??

    >>
    >> Establish good security policy, add ACLs filtering all typical trash
    >> at the borders of the VLANs, maybe rate-limit ICMP (possibly UDP also)
    >> to some real numbers (1/2/3Mbit/s should sound sane for typical
    >> Internet access).

    >
    > A 3550 is quirky for ACLs - the hardware filtering space (in TCAM) is
    > limited, individual access terms use unpredictable amounts of space and
    > when the TCAM overflows it happens asynchronously - you apply an ACL and
    > then you have to wait a few and look in the log to see if it
    > overflowed. I've only used the EMI version so I don't know if there
    > are other issues with the SMI in this area.


    I never managed to get ACLs working correctly on a 3550. YMMV.

    Bram.
     
    brambi, Sep 30, 2004
    #7
  8. SmilerNet

    Sam Wilson Guest

    In article <X_%6d.262206$-ops.be>, brambi
    <> wrote:

    > Sam Wilson wrote:
    >
    > > A 3550 is quirky for ACLs ...

    >
    > I never managed to get ACLs working correctly on a 3550. YMMV.


    Another datapoint - one of our Schools uses a 3550-12something as their
    central routing hub and firewall. They needed the performance and the
    ACL support is, um, sufficient. It can be done.

    Sam
     
    Sam Wilson, Oct 1, 2004
    #8
