Core networking best practice?

Started by heath, July 24, 2019, 02:47:32 PM


heath

In a typical Core-Distribution-Access hierarchical configuration, what is the best practice for links between core routers: L3 routed interfaces, or L2 trunk interfaces with routing through SVIs for the VLANs allowed on the trunk?

icecream-guy

There are pros and cons for both. It really would depend on your architecture and potential growth. What type of hardware do you have in the core: 6K, 9K, something else? Question back at you regarding routed core vs. switched core. Which is easier to troubleshoot?
A. Spanning Tree  B. IP routing

My Moral Fibers have been cut.

heath

The cores are currently two 6Ks and a single ancient 4K I'm working on simply eliminating.  I personally find routing easier to troubleshoot, but that's probably because I haven't had any STP problems to need to troubleshoot. 

I'm personally leaning toward switched core because I do make use of VRFs to segment some end user traffic to be handled differently at the firewall.  My boss is worried about the overall impact on performance from that.  But a lot of our Distribution<->Core links are 10G and are under 10% utilization.  Even our remaining 1G links are below 25% utilization.

icecream-guy

We do a lot of VRFs here, mostly so we can put users in, say, the accounting group, who reside in different buildings, in the same network behind one firewall. Kind of an odd setup. We use a lot of transit networks. BTW, welcome to the site.

wintermute000

L3 routed. No SVI autostate dependency, faster convergence, zero layer-2 issues to consider.
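As an added example (not posted by anyone in this thread), this is the Cisco IOS configuration shape that wintermute000's "L3 routed" answer implies for a core-to-core link, next to the SVI-over-trunk alternative heath asked about, plus VRF-lite subinterfaces to cover the VRF segmentation heath mentioned earlier. Interface names, addresses, the VRF name, router IDs and OSPF process numbers are assumed for illustration, and the syntax is IOS 15-style (`vrf definition` / `vrf forwarding`); older trains use `ip vrf` / `ip vrf forwarding`.

```cisco
! --- Option A (the thread's recommendation): routed point-to-point link ---
! Assumed interface, addresses and OSPF process; adjust to the real core pair.
interface TenGigabitEthernet1/1
 description core1 -> core2, routed p2p (global table)
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
 ! Interface state is link state: no SVI autostate, the adjacency drops
 ! with the cable, and BFD takes failure detection below OSPF dead timers.
 bfd interval 250 min_rx 250 multiplier 3
!
! VRF-lite over the same physical link: one dot1q subinterface per VRF.
! The parent interface must already be routed (no switchport) as above.
vrf definition GUEST
 rd 65000:10
 address-family ipv4
 exit-address-family
!
interface TenGigabitEthernet1/1.10
 description core1 -> core2, VRF GUEST
 encapsulation dot1Q 10
 vrf forwarding GUEST
 ip address 10.255.10.1 255.255.255.252
 ip ospf network point-to-point
 bfd interval 250 min_rx 250 multiplier 3
!
router ospf 1
 router-id 10.255.255.1
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
 network 10.255.0.0 0.0.0.3 area 0
 bfd all-interfaces
!
router ospf 10 vrf GUEST
 router-id 10.255.255.1
 passive-interface default
 no passive-interface TenGigabitEthernet1/1.10
 network 10.255.10.0 0.0.0.3 area 0
 bfd all-interfaces
!
! --- Option B: L2 trunk between the cores, routing on an SVI ---
interface TenGigabitEthernet1/1
 description core1 -> core2, dot1q trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,999
!
interface Vlan999
 description core1 <-> core2 transit VLAN
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
!
! What Option B brings with it:
! - Vlan999 stays up while any port carrying VLAN 999 is up (SVI autostate),
!   so the OSPF adjacency can outlive the physical link and fall back to
!   dead timers instead of reacting to link loss.
! - VLAN 10 now spans both cores and its failure behaviour is decided by
!   spanning tree, not by routing.
```

The two options are written against the same interface name so they can be compared line for line; only one of them is applied to a given port. With Option A, `show ip ospf neighbor` and `show bfd neighbors` are the whole troubleshooting surface for the link; with Option B, `show spanning-tree vlan 10` and the autostate behaviour of Vlan999 join that list.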

heath

Quote from: wintermute000 on July 28, 2019, 04:58:27 AM
L3 routed. No SVI autostate dependency, faster convergence, zero layer-2 issues to consider.

Then how do you handle the need for a VLAN to be extended across the cores?

wintermute000

You don't, L2 belongs at the edge.
Unless you're talking about collapsed core, but still that just means you have a trunk between the 2 cores, no biggie. Honestly there's not a lot to small-midsize 'traditional' campus design despite what vendors try to flog, just do the sensible things and KISS and it will work perfectly.

Otanx

For our access we went full L3. We then use 802.1x to auth systems, and apply a downloaded ACL for limiting access. These are limited ACLs because you need to keep them small, but it works pretty well. I am lucky in that we don't have any legacy stuff that requires layer 2. In the data center we do L2 everywhere for now. I would like to get to a full routed network eventually, but that is a long way off.

-Otanx
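As an added example (not Otanx's configuration), here is what the setup Otanx describes looks like on a Cisco IOS access switch: a routed uplink so no VLAN leaves the switch, 802.1X on the user port, and a downloadable ACL (dACL) returned by the RADIUS server at authentication time. The RADIUS address and key, interface names, VLAN, addresses and the sample dACL entries are assumptions for illustration; the `ip device tracking` command is the IOS 15 form (newer IOS-XE uses `device-tracking`).

```cisco
! Assumed: IOS 15.x syntax, RADIUS server 192.0.2.10, port and VLAN names.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NAC-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
dot1x system-auth-control
! Needed so the switch knows the client IP to substitute for "any" in the dACL.
ip device tracking
!
! Routed uplink to distribution: the access switch is an L3 hop, not a trunk.
interface TenGigabitEthernet1/1/1
 description uplink to dist1, routed
 no switchport
 ip address 10.10.0.2 255.255.255.252
 ip ospf network point-to-point
!
! Pre-auth ACL: only what an unauthenticated host needs (DHCP, DNS).
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet1/0/1
 description user port, 802.1X with downloadable ACL
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The user VLAN is local to this switch and routed here.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
router ospf 1
 router-id 10.10.255.1
 passive-interface default
 no passive-interface TenGigabitEthernet1/1/1
 network 10.10.0.0 0.0.0.3 area 0
 network 10.10.10.0 0.0.0.255 area 0
!
! The dACL itself lives on the RADIUS server and is returned in the
! Access-Accept as cisco-av-pair attributes, one entry per line, e.g.:
!   ip:inacl#1=permit tcp any host 10.20.30.40 eq 443
!   ip:inacl#2=permit udp any any eq domain
!   ip:inacl#3=deny ip any any
! Keep these short: each entry costs TCAM on the access switch, which is
! why the ACLs have to stay small, as Otanx notes.
```

After a host authenticates, `show authentication sessions interface GigabitEthernet1/0/1 details` shows the session and the dACL name applied to it, and `show ip access-lists interface GigabitEthernet1/0/1` shows the per-host ACL with the client address substituted for `any`. If the dACL never appears, the usual causes are `ip device tracking` missing (no client IP learned) or `aaa authorization network` not pointing at the RADIUS group.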
