Velocity Reviews


kammy_boy186@hotmail.com 11-04-2006 04:01 PM

Infrastructure questions
 
Hi

We are an office of 30, spread over 2 floors. Currently, we have the
following network;

Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
switches/hubs - servers/PC's/laptops

The 3COM switch on the 2nd floor is connected to the 3COM on the first
via standard 100Mbs ethernet.

The 3COM equipment is causing a few problems (ports dying etc) and I'd
like to get it replaced. This would be a good opportunity to implement
VLANs as well, plus possible gigabit connection to the servers and also
between the various switches. Whilst I can see a security need for the
VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
their own VLAN), there's no point moving to Gigabit if we don't need
it. We don't use any bandwidth intensive packages here, and most of the
traffic is file transfer. Can anyone recommend any tools which I can
use to measure data flow to the servers and also between the switches
to see if there's a real advantage to investing in 1000Mbs?

Secondly, we have a PIX-PIX VPN with our head office who are now using
Cisco VoIP. To reduce phone bills, they will be sending us a small
amount of VoIP phones to plug into our network to connect with them
until we introduce our own VoIP system. As a result, I'd like to have
QoS capable switches that will give precedence to VoIP traffic. Will
QoS capable Cisco 2950 switches suffice?

Last question, as mentioned above, we do not plan on any intervlan
routing for the time being. Hence, am I correct in thinking that there
is no need for any L3 switch, such as the 3560, here? Or can anyone see
any features the 3550/3560 has that may benefit me?

Many thanks in advance.


Martin Bilgrav 11-04-2006 04:15 PM

Re: Infrastructure questions
 

<kammy_boy186@hotmail.com> wrote in message
news:1162656099.575534.316010@i42g2000cwa.googlegroups.com...
> Hi
>
> We are an office of 30, spread over 2 floors. Currently, we have the
> following network;
>
> Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
> switches/hubs - servers/PC's/laptops
>
> The 3COM switch on the 2nd floor is connected to the 3COM on the first
> via standard 100Mbs ethernet.
>
> The 3COM equipment is causing a few problems (ports dying etc) and I'd
> like to get it replaced. This would be a good opportunity to implement
> VLANs as well, plus possible gigabit connection to the servers and also
> between the various switches. Whilst I can see a security need for the
> VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
> their own VLAN), there's no point moving to Gigabit if we don't need
> it. We don't use any bandwidth intensive packages here, and most of the
> traffic is file transfer. Can anyone recommend any tools which I can
> use to measure data flow to the servers and also between the switches
> to see if there's a real advantage to investing in 1000Mbs?
>
> Secondly, we have a PIX-PIX VPN with our head office who are now using
> Cisco VoIP. To reduce phone bills, they will be sending us a small
> amount of VoIP phones to plug into our network to connect with them
> until we introduce our own VoIP system. As a result, I'd like to have
> QoS capable switches that will give precedence to VoIP traffic. Will
> QoS capable Cisco 2950 switches suffice?
>
> Last question, as mentioned above, we do not plan on any intervlan
> routing for the time being. Hence, am I correct in thinking that there
> is no need for any L3 switch, such as the 3560, here? Or can anyone see
> any features the 3550/3560 has that may benefit me?
>


Get the C3560G-48PS, which has 10/100/1000 ports with Power over Ethernet to
apply power to your Cisco IP Phones, and some SFPs if you need fibre between
your floors.

http://www.cisco.com/en/US/products/...528/index.html

HTH
Martin

> Many thanks in advance.
>




Walter Roberson 11-04-2006 05:00 PM

Re: Infrastructure questions
 
In article <1162656099.575534.316010@i42g2000cwa.googlegroups.com>,
<kammy_boy186@hotmail.com> wrote:

>We are an office of 30, spread over 2 floors. Currently, we have the
>following network;


>Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
>switches/hubs - servers/PC's/laptops


>Secondly, we have a PIX-PIX VPN with our head office who are now using
>Cisco VoIP. To reduce phone bills, they will be sending us a small
>amount of VoIP phones to plug into our network to connect with them
>until we introduce our own VoIP system. As a result, I'd like to have
>QoS capable switches that will give precedence to VoIP traffic. Will
>QoS capable Cisco 2950 switches suffice?


Not really. In order for QoS to be meaningful, you need QoS end to end.
The PIX 506e is not capable of handling QoS, so you will not be
able to prioritize the VOIP over the VPN.

PIX 7.x software supports QoS; it is supported on the Cisco ASA line,
and on the Cisco PIX 515/515E, 525, and 535.

If you have some VOIP phones plugged into switches that connect
to another switch that then connects to the PIX, then you might
still get some benefit from QoS, as it would prioritize the traffic
within your LAN. (If you went gigabit, you would probably find
the flow fast enough that QoS did not make any noticeable difference,
not until you started filling up the gigabit bandwidth.)

I don't know if the VOIP phones set the IP ToS (Type of Service) bits;
if they do not, then the QoS for them would have to be based upon
DSCP which is carried in VLAN tagging, so you would need at least
two VLANs, one for data and one for voice. I believe I've read that
the 2950 type devices support auto-QoS, which is automatic detection
that a device is an IP phone and automatic placement of that device
into an appropriate VLAN. In this scenario, you would need to trunk
the VLAN between the switches, but you would not need to route between
those VLANs as the VOIP VLAN would essentially be a port-based VLAN.


>Last question, as mentioned above, we do not plan on any intervlan
>routing for the time being. Hence, am I correct in thinking that there
>is no need for any L3 switch, such as the 3560, here? Or can anyone see
>any features the 3550/3560 has that may benefit me?


Once you start going gigabit, it is common to start thinking about
redundancy and automatic failover and dual server with HSRP and so on.
Not that there is a "hard link" between gigabit and these items, more
a matter of "by the time you need gigabit bandwidth, your network
has usually evolved to the point where people's personal expectations
of reliability are getting higher (and, not uncommonly, unrealistic!);
that and by the time you are moving that much data around, the
business-impact of network failures starts to become rather important.

And if you are moving lots of data around then it is also often time
to reconsider your backups -- autochangers, newer drives with higher
storage capacity per tape, newer backup management and catalog programs
to keep track of everything. Simultaneously, if your disks are getting
into the 100+ gigabyte range (and whose are not these days?) then you
need to think about the consequences of failure of any one of those disks,
and about how even if you have good backups that the time to restore
might start to become an important business factor, so you start worrying
about RAID, or doing backups to disk (sort of like RAID 1)...

The theme here being that if LAN data has grown large enough to make
gigabit speeds important, then business-risk assessment must be done
to ensure that the storage and management of the data and the disaster
recovery plans are suited to that much data.

Tying this directly back to your 3550/3560 question: the 3550 are
pretty much out, replaced by the 3560 or 3750 (but watch out for
latency in the 3750 according to some reports). The 3750 in particular
has more advanced fault recovery possibilities than the 2950 (because
of the stacking). But you need more complicated wiring to avoid
single point of failures anyhow -- e.g., if you have a critical server
then you don't want that server to be connected to only a single switch,
because then the switch is a single-point failure. (So you do some
really fancy wiring, or you duplicate the critical server and HSRP / VRRP
it...)


>Whilst I can see a security need for the
>VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
>their own VLAN)


You will need -some- layer 3 device to route between those VLANs.
The 506E with 6.3(3) or later software can support up to two VLANs
in addition to the two physical interfaces; these VLANs show up
on the PIX as "logical interfaces", complete with their own IP address
and their own security level, so you can use the 506E as the L3 device
while imposing strict controls over what the guests can access. The
3550/3560/3750 do *not* support Advanced IP Security (also known as
Firewall Feature Set) as best I recall. Some of the models do, though,
support port controls (I don't recall the proper term right now)
that can strictly block particular ports from talking directly to other
ports (except by going through an approved port), which can thus be used
to impose that the other ports go through a traffic control device --
even just to talk amongst themselves (e.g., a guest on one port
would not be able to communicate with a guest on the same vlan on another
port except by going through your control point, so you can prevent
your guests from snooping the drives of other guests.) I do not recall
whether the 2950/2960 supports this feature.

kammy_boy186@hotmail.com 11-04-2006 05:33 PM

Re: Infrastructure questions
 

Walter Roberson wrote:
> In article <1162656099.575534.316010@i42g2000cwa.googlegroups.com>,
> <kammy_boy186@hotmail.com> wrote:
>
> >We are an office of 30, spread over 2 floors. Currently, we have the
> >following network;

>
> >Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
> >switches/hubs - servers/PC's/laptops

>
> >Secondly, we have a PIX-PIX VPN with our head office who are now using
> >Cisco VoIP. To reduce phone bills, they will be sending us a small
> >amount of VoIP phones to plug into our network to connect with them
> >until we introduce our own VoIP system. As a result, I'd like to have
> >QoS capable switches that will give precedence to VoIP traffic. Will
> >QoS capable Cisco 2950 switches suffice?

>
> Not really. In order for QoS to be meaningful, you need QoS end to end.
> The PIX 506e is not capable of handling QoS, so you will not be
> able to prioritize the VOIP over the VPN.
>
> PIX 7.x software supports QoS; it is supported on the Cisco ASA line,
> and on the Cisco PIX 515/515E, 525, and 535.


Good point. From what I know, Cisco has no plans to introduce 7.x onto
the 506E range, therefore it may be time to invest in a new firewall.
However, the remote end uses a 506E as well, in which case there would
be no real point upgrading until they do too, would you say? I'm
looking at it from the point of view that we would send out prioritised
VoIP traffic to them, but when we're receiving the traffic, it will
arrive mixed with everything else? I suppose there would be a marginal
improvement, but not much?

> If you have some VOIP phones plugged into switches that connect
> to another switch that then connects to the PIX, then you might
> still get some benefit from QoS, as it would prioritize the traffic
> within your LAN. (If you went gigabit, you would probably find
> the flow fast enough that QoS did not make any noticeable difference,
> not until you started filling up the gigabit bandwidth.)
>
> I don't know if the VOIP phones set the IP ToS (Type of Service) bits;
> if they do not, then the QoS for them would have to be based upon
> DSCP which is carried in VLAN tagging, so you would need at least
> two VLANs, one for data and one for voice. I believe I've read that
> the 2950 type devices support auto-QoS, which is automatic detection
> that a device is an IP phone and automatic placement of that device
> into an appropriate VLAN. In this scenario, you would need to trunk
> the VLAN between the switches, but you would not need to route between
> those VLANs as the VOIP VLAN would essentially be a port-based VLAN.


Head office has a spare 3550 which they can provide us, so we'd use
this for the VOIP phones with the benefit that it can provide POE as
Martin mentioned above (I've checked, and this model has the
functionality). If we took the auto-QoS route, then that would involve
3 VLAN's; data VLAN, voice VLAN, and also the guest VLAN I previously
mentioned, so the PIX would have to be upgraded anyway since the 506E
can only handle two logical interfaces. Or can we use IP precedence in
this case on the 3550 using a class-map type command? I'd be interested
to know if you have any knowledge of VOIP using Precedence as opposed
to Voice VLANs, or indeed if this was possible.

> >Last question, as mentioned above, we do not plan on any intervlan
> >routing for the time being. Hence, am I correct in thinking that there
> >is no need for any L3 switch, such as the 3560, here? Or can anyone see
> >any features the 3550/3560 has that may benefit me?

>
> Once you start going gigabit, it is common to start thinking about
> redundancy and automatic failover and dual server with HSRP and so on.
> Not that there is a "hard link" between gigabit and these items, more
> a matter of "by the time you need gigabit bandwidth, your network
> has usually evolved to the point where people's personal expectations
> of reliability are getting higher (and, not uncommonly, unrealistic!);
> that and by the time you are moving that much data around, the
> business-impact of network failures starts to become rather important.
>
> And if you are moving lots of data around then it is also often time
> to reconsider your backups -- autochangers, newer drives with higher
> storage capacity per tape, newer backup management and catalog programs
> to keep track of everything. Simultaneously, if your disks are getting
> into the 100+ gigabyte range (and whose are not these days?) then you
> need to think about the consequences of failure of any one of those disks,
> and about how even if you have good backups that the time to restore
> might start to become an important business factor, so you start worrying
> about RAID, or doing backups to disk (sort of like RAID 1)...
>
> The theme here being that if LAN data has grown large enough to make
> gigabit speeds important, then business-risk assessment must be done
> to ensure that the storage and management of the data and the disaster
> recovery plans are suited to that much data.
>
> Tying this directly back to your 3550/3560 question: the 3550 are
> pretty much out, replaced by the 3560 or 3750 (but watch out for
> latency in the 3750 according to some reports). The 3750 in particular
> has more advanced fault recovery possibilities than the 2950 (because
> of the stacking). But you need more complicated wiring to avoid
> single point of failures anyhow -- e.g., if you have a critical server
> then you don't want that server to be connected to only a single switch,
> because then the switch is a single-point failure. (So you do some
> really fancy wiring, or you duplicate the critical server and HSRP / VRRP
> it...)


Given that it's a relatively small office (approx 30 users), I'm still
not sure if Gigabit ethernet is actually required. Are you aware of any
tools that will measure bandwidth usage across certain points in the
LAN as opposed to just network sniffers? I completely agree with the
users' expectations rising comment though, and the need for this to be
tied in with the backup system, HSRP etc.

> >Whilst I can see a security need for the
> >VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
> >their own VLAN)

>
> You will need -some- layer 3 device to route between those VLANs.
> The 506E with 6.3(3) or later software can support up to two VLANs
> in addition to the two physical interfaces; these VLANs show up
> on the PIX as "logical interfaces", complete with their own IP address
> and their own security level, so you can use the 506E as the L3 device
> while imposing strict controls over what the guests can access.


I wasn't planning on intervlan routing to be honest. The guests would
use the second logical interface on the PIX for internet use only, I
cannot see a need for them to access files or any other resources on
our network. DHCP for this interface can be handled by the PIX, and we
can set up a single machine to use as a print server along with a
colour printer.

Thanks for the input.
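As an added illustration (not posted by anyone in the thread), here is what the plan discussed above looks like in configuration: phones on the spare 3550 without a voice VLAN, trusting their IP precedence 5 / DSCP EF marking only when a Cisco phone is detected (the precedence-based alternative the second post asks about), guest ports isolated with "switchport protected" as Walter describes, and the guest VLAN terminated as a lower-security logical interface on the 506E with DHCP and an Internet-only access list. VLAN numbers, port ranges and addresses are assumed; the syntax is from the 3550 IOS and PIX 6.3 command sets and should be checked against the release actually running.

```cisco
! ===== Catalyst 3550: phones on the data VLAN, guests isolated =====
mls qos
vlan 10,30
! Cisco phones mark voice DSCP EF (46), i.e. IP precedence 5, so a voice
! VLAN is not required for QoS. The port trusts that marking only while
! CDP sees a phone; otherwise DSCP is rewritten to 0, so a PC on the same
! port cannot promote its own traffic into the voice queue.
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 mls qos trust dscp
 mls qos trust device cisco-phone
! Guest ports: VLAN 30 plus "switchport protected", so two guests on this
! switch cannot talk to each other except through the PIX.
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 30
 switchport protected
! Uplink to the PIX inside port: untagged = VLAN 10, tagged = VLAN 30.
! Precedence 5 maps to CoS 5 by default; put CoS 5 in the strict queue.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,30
 mls qos trust dscp
 wrr-queue cos-map 4 5
 priority-queue out
!
! ===== PIX 506E, 6.3(3) or later: guest VLAN as a logical interface =====
interface ethernet1 vlan30 logical
nameif ethernet1 inside security100
nameif vlan30 guest security20
ip address inside 192.168.10.1 255.255.255.0
ip address guest 192.168.30.1 255.255.255.0
dhcpd address 192.168.30.10-192.168.30.100 guest
dhcpd enable guest
nat (guest) 1 192.168.30.0 255.255.255.0
global (outside) 1 interface
! Internet only for guests: the ACL on the guest interface denies the
! private ranges (office LAN and head-office VPN), then permits the rest.
access-list GUEST_IN deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN deny ip any 172.16.0.0 255.240.0.0
access-list GUEST_IN deny ip any 192.168.0.0 255.255.0.0
access-list GUEST_IN permit ip any any
access-group GUEST_IN in interface guest
```

Because the voice traffic stays on VLAN 10, it reaches the head-office VPN through the inside interface without a third VLAN, which keeps the 506E within its two-logical-interface limit; prioritisation still ends at the PIX, as noted above.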


