Skip to main content

Nexus 7000 as a Collapsed Core/Distribution Switch


I work for a mid-sized business that continues to grow and utilizes a lot of bandwidth.  While we had a 6513 in our core that continued to operate just fine, it was beginning to show it's age.  We had maxed out the 10Gig capacity and really had need of chassis redundancy in our core.  We already had Nexus 5000's in our Data Center as well as Nexus 1000v in our virtual environments, however using Nexus as your core routers is a completely new challenge.  I had spent several weeks reading up on vPC limitations and the advantages Nexus 7000 has with certain FHRPs but actually doing it, after more than a decade of installing only Catalyst switches into the core of networks, was a new challenge.  This is my first, and perhaps last post but I think that an actual working design and configs may bring some value to those of you out there who, like me, have a little network know-how but little or no experience with Nexus.

The image above is the actual design of our network (PDF link below.)  I've also attached a PDF document of the config of each Nexus 7Ks below.

The final design of our network is 2 Nexus 7009's with Sup 2s and F2 (1/10Gb cards) in the core of our network.  Connected to them we have the following:
1x 5508 Wireless Controller
2x 5585X ASA Firewalls (connected with a port channel to each and Static Routes which is necessary)
6x Stacks of 3750X access switches in different building IDFs
1x Stack of 3750X switches, connected via routed links in another building
2x Nexus 5010s (along with a hand full of FEXs) in our Data Center
2x MPLS Routers for WAN Sites sharing EIGRP routes with the Nexus' (These are also running CUBE for our SIP trunks)

Here is a link to the PDF version of the design diagram.

Network Diagram PDF

Here is the link to the annotated configuration file.

Nexus 7000 Configuration PDF



Labels:

Comments

  1. CSMarch 27, 2014 at 5:44 AM

    This comment has been removed by the author.

    ReplyDelete
    Replies
    1. CSMarch 27, 2014 at 5:46 AM

      Not sure what you are/were doing with your 3750s but I did the same thing with stacks of 2960Xs in campus closets. Also put the default gateways for the closet voice and data vlans on the 7K since 100% of the traffic is going to route there anyway. This also removed L3 requirements (cost and routing config) from the closet gear and allowed the QOS and ACLs to be placed in just one place.

      5 years later with 2 data centers, 35,000 ports, 5000+ staff and 8,000 wifi users with 4 UCS clusters and 4 different Voip products ... working great.

      Delete
    2. Nathan R. CowgerMarch 27, 2014 at 9:31 AM

      I have the same architecture. It is layer 2 to the edge but when I began to roll out the access closets (with 3750Gs) the 29xx didn't have a stacking capability. Later when upgrading to 3750X, the 29xx series had no 10Gig uplink options.

      Delete
  2. UnknownApril 1, 2014 at 1:30 PM

    very interesting stuff, except i wonder can i do the same design and get away with out using mpls routers using layer 3 module on 5K? I have BGP requirement to be located on the actual 5k.

    ReplyDelete
  3. Nathan R. CowgerApril 1, 2014 at 2:01 PM

    A Nexus can run BGP, if you have the Layer 3 module. I'm interested to hear why you would have to run MPLS into your 5Ks. Also, if you use VPCs you will want that to be two connections, not just one.

    ReplyDelete
  4. digitalhtsJanuary 12, 2021 at 12:48 AM

    Outstanding post. I am grateful for this blog to distribute knowledge about this significant topic. Otherwise if any one who want to do a diploma or master in web design at High Technologies Solutions (HTS). Contact us on 9311002620 or visit:- https://htsindia.com/Courses/web-and-graphic-designing/web-designing-training-course

    ReplyDelete

Post a Comment

Popular posts from this blog

Firepower Threat Defense HA Upgrade

Upgrading an HA Pair of Firepower 2110s in FTD mode ~~~~~~~~~ UPDATE!!  ~~~~~~~~  As of FMC and FTD 7.0 this process is much more straightforward.  Readiness Check is now enabled for an HA pair of firewalls.  After pushing the update to the appliances, you can go into the upgrade screen and select both and do the "Check Readiness" button on both and wait for the results prior to doing the install.  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you are like me you don't upgrade an FTD appliance often enough to remember the procedure. Today I installed the 6.3.0.1 update to an HA pair of FTD 6.3.0 2110s. This document assumes you have already updated the Firepower Management Center (FMC). Download Updates to the FMC From the FMC click on "System" then the "Updates" tab. If the update desired is not listed, click the "Download Updates" button. Push the update to the HA pair of devices Click the button on the far right marked "Push or Stag...
13 comments
Read more

Let's Encrypt for IIS with Win Acme

  I finally think I have my arms around using Win Acme for IIS to generate and renew site certificates for "Let's Encrypt."   I know this should be simple, but for some reason, I continue to mess it up by trying to make it more complicated than it is.   There are a lot of options in Win Acme, but I do not need to deal with most of them.     Win Acme can be found at:   https://www.win-acme.com/   More on Let's Encrypt:   https://letsencrypt.org/   Edit Site bindings in IIS.   Add both internal and external DNS names and ports.     Add the DNS Name in the hostname field.     Run Win Acme as administrator.     Work through the prompts for IIS (most of the default options should be fine).       Win Acme should create the certificates and replace the existing certificates in IIS with the  new...
Post a Comment
Read more