Infrastructure questions

Discussion in 'Cisco' started by kammy_boy186@hotmail.com, Nov 4, 2006.

  1. Guest

    Hi

    We are an office of 30, spread over 2 floors. Currently, we have the
    following network;

    Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
    switches/hubs - servers/PC's/laptops

    The 3COM switch on the 2nd floor is connected to the 3COM on the first
    via standard 100Mbs ethernet.

    The 3COM equipment is causing a few problems (ports dying etc) and I'd
    like to get it replaced. This would be a good opportunity to implement
    VLANs as well, plus possible gigabit connection to the servers and also
    between the various switches. Whilst I can see a security need for the
    VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
    their own VLAN), there's no point moving to Gigabit if we don't need
    it. We don't use any bandwidth intensive packages here, and most of the
    traffic is file transfer. Can anyone recommend any tools which I can
    use to measure data flow to the servers and also between the switches
    to see if there's a real advantage to investing in 1000Mbs?

    Secondly, we have a PIX-PIX VPN with our head office who are now using
    Cisco VoIP. To reduce phone bills, they will be sending us a small
    amount of VoIP phones to plug into our network to connect with them
    until we introduce our own VoIP system. As a result, I'd like to have
    QoS capable switches that will give precedence to VoIP traffic. Will
    QoS capable Cisco 2950 switches suffice?

    Last question, as mentioned above, we do not plan on any intervlan
    routing for the time being. Hence, am I correct in thinking that there
    is no need for any L3 switch, such as the 3560, here? Or can anyone see
    any features the 3550/3560 has that may benefit me?

    Many thanks in advance.
    , Nov 4, 2006
    #1

  2. <> wrote in message
    news:...
    > Hi
    >
    > We are an office of 30, spread over 2 floors. Currently, we have the
    > following network;
    >
    > Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
    > switches/hubs - servers/PC's/laptops
    >
    > The 3COM switch on the 2nd floor is connected to the 3COM on the first
    > via standard 100Mbs ethernet.
    >
    > The 3COM equipment is causing a few problems (ports dying etc) and I'd
    > like to get it replaced. This would be a good opportunity to implement
    > VLANs as well, plus possible gigabit connection to the servers and also
    > between the various switches. Whilst I can see a security need for the
    > VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
    > their own VLAN), there's no point moving to Gigabit if we don't need
    > it. We don't use any bandwidth intensive packages here, and most of the
    > traffic is file transfer. Can anyone recommend any tools which I can
    > use to measure data flow to the servers and also between the switches
    > to see if there's a real advantage to investing in 1000Mbs?
    >
    > Secondly, we have a PIX-PIX VPN with our head office who are now using
    > Cisco VoIP. To reduce phone bills, they will be sending us a small
    > amount of VoIP phones to plug into our network to connect with them
    > until we introduce our own VoIP system. As a result, I'd like to have
    > QoS capable switches that will give precedence to VoIP traffic. Will
    > QoS capable Cisco 2950 switches suffice?
    >
    > Last question, as mentioned above, we do not plan on any intervlan
    > routing for the time being. Hence, am I correct in thinking that there
    > is no need for any L3 switch, such as the 3560, here? Or can anyone see
    > any features the 3550/3560 has that may benefit me?
    >


    Get the C3560G-48PS, which is 10/100/1000 ports with Power over Ethernet to
    apply power to your Cisco IP Phones,
    and some SFPs if you need fibre between your floors.

    http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html

    HTH
    Martin

    > Many thanks in advance.
    >
    Martin Bilgrav, Nov 4, 2006
    #2

  3. In article <>,
    <> wrote:

    >We are an office of 30, spread over 2 floors. Currently, we have the
    >following network;


    >Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
    >switches/hubs - servers/PC's/laptops


    >Secondly, we have a PIX-PIX VPN with our head office who are now using
    >Cisco VoIP. To reduce phone bills, they will be sending us a small
    >amount of VoIP phones to plug into our network to connect with them
    >until we introduce our own VoIP system. As a result, I'd like to have
    >QoS capable switches that will give precedence to VoIP traffic. Will
    >QoS capable Cisco 2950 switches suffice?


    Not really. In order for QoS to be meaningful, you need QoS end to end.
    The PIX 506e is not capable of handling QoS, so you will not be
    able to prioritize the VOIP over the VPN.

    PIX 7.x software supports QoS; it is supported on the Cisco ASA line,
    and on the Cisco PIX 515/515E, 525, and 535.

    If you have some VOIP phones plugged into switches that connect
    to another switch that then connects to the PIX, then you might
    still get some benefit from QoS, as it would prioritize the traffic
    within your LAN. (If you went gigabit, you would probably find
    the flow fast enough that QoS did not make any noticeable difference,
    not until you started filling up the gigabit bandwidth.)

    I don't know if the VOIP phones set the IP ToS (Type of Service) bits;
    if they do not, then the QoS for them would have to be based upon
    DSCP which is carried in VLAN tagging, so you would need at least
    two VLANs, one for data and one for voice. I believe I've read that
    the 2950 type devices support auto-QoS, which is automatic detection
    that a device is an IP phone and automatic placement of that device
    into an appropriate VLAN. In this scenario, you would need to trunk
    the VLAN between the switches, but you would not need to route between
    those VLANs as the VOIP VLAN would essentially be a port-based VLAN.


    >Last question, as mentioned above, we do not plan on any intervlan
    >routing for the time being. Hence, am I correct in thinking that there
    >is no need for any L3 switch, such as the 3560, here? Or can anyone see
    >any features the 3550/3560 has that may benefit me?


    Once you start going gigabit, it is common to start thinking about
    redundancy and automatic failover and dual server with HSRP and so on.
    Not that there is a "hard link" between gigabit and these items, more
    a matter of "by the time you need gigabit bandwidth, your network
    has usually evolved to the point where people's personal expectations
    of reliability are getting higher (and, not uncommonly, unrealistic!);
    that and by the time you are moving that much data around, the
    business-impact of network failures starts to become rather important.

    And if you are moving lots of data around then it is also often time
    to reconsider your backups -- autochangers, newer drives with higher
    storage capacity per tape, newer backup management and catalog programs
    to keep track of everything. Simultaneously, if your disks are getting
    into the 100+ gigabyte range (and whose are not these days?) then you
    need to think about the consequences of failure of any one of those disks,
    and about how even if you have good backups that the time to restore
    might start to become an important business factor, so you start worrying
    about RAID, or doing backups to disk (sort of like RAID 1)...

    The theme here being that if LAN data has grown large enough to make
    gigabit speeds important, then business-risk assessment must be done
    to ensure that the storage and management of the data and the disaster
    recovery plans are suited to that much data.

    Tying this directly back to your 3550/3560 question: the 3550 are
    pretty much out, replaced by the 3560 or 3750 (but watch out for
    latency in the 3750 according to some reports). The 3750 in particular
    has more advanced fault recovery possibilities than the 2950 (because
    of the stacking). But you need more complicated wiring to avoid
    single points of failure anyhow -- e.g., if you have a critical server
    then you don't want that server to be connected to only a single switch,
    because then the switch is a single-point failure. (So you do some
    really fancy wiring, or you duplicate the critical server and HSRP / VRRP
    it...)


    >Whilst I can see a security need for the
    >VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
    >their own VLAN)


    You will need -some- layer 3 device to route between those VLANs.
    The 506E with 6.3(3) or later software can support up to two VLANs
    in addition to the two physical interfaces; these VLANs show up
    on the PIX as "logical interfaces", complete with their own IP address
    and their own security level, so you can use the 506E as the L3 device
    while imposing strict controls over what the guests can access. The
    3550/3560/3750 do *not* support Advanced IP Security (also known as
    Firewall Feature Set) as best I recall. Some of the models do, though,
    support port controls (I don't recall the proper term right now)
    that can strictly block particular ports from talking directly to other
    ports (except by going through an approved port), which can thus be used
    to impose that the other ports go through a traffic control device --
    even just to talk amongst themselves (e.g., a guest on one port
    would not be able to communicate with a guest on the same vlan on another
    port except by going through your control point, so you can prevent
    your guests from snooping the drives of other guests.) I do not recall
    whether the 2950/2960 supports this feature.
    Walter Roberson, Nov 4, 2006
    #3
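    As an added illustration of the two points above (voice VLAN with auto-QoS
    trunked between the 2950s, and the guest VLAN terminated on the 506E as a
    logical interface with its own security level), here is a constructed
    configuration; it is not from the thread or from Cisco documentation, and
    the VLAN numbers, IP addresses, port numbers and software versions are
    assumptions. Protected ports isolate guests only within a single switch,
    which is the per-port control the reply refers to; the PIX access-list is
    what keeps guests off the inside network.

```cisco
! --- Catalyst 2950 (assumed IOS 12.1(12c)EA1 or later for auto-QoS) ---
! VLAN numbers, ports and addresses are constructed for illustration.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name GUEST
!
interface FastEthernet0/1
 description Cisco IP phone (a PC daisy-chained behind it stays in VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 auto qos voip cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/10
 description Visitor port: protected, so guests on this switch cannot see each other
 switchport mode access
 switchport access vlan 30
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description Trunk to the other floor / to the PIX inside port
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 auto qos voip trust
!
! --- PIX 506E, software 6.3(3) or later ---
! Untagged frames on ethernet1 are VLAN 10 (inside); VLAN 30 arrives tagged
! and becomes the logical interface "guest" with its own security level.
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan30 logical
nameif ethernet1 inside security100
nameif vlan30 guest security20
ip address inside 192.168.10.1 255.255.255.0
ip address guest 192.168.30.1 255.255.255.0
! The PIX hands out guest addresses itself (constructed ranges)
dhcpd address 192.168.30.50-192.168.30.100 guest
dhcpd dns 198.51.100.53
dhcpd enable guest
! Guests reach the Internet only; the inside network is denied explicitly
access-list guest_in deny ip any 192.168.10.0 255.255.255.0
access-list guest_in permit ip any any
access-group guest_in in interface guest
nat (guest) 1 192.168.30.0 255.255.255.0
global (outside) 1 interface
```

    The second 506E logical interface is used up by the guest VLAN here, so the voice VLAN's path to the VPN is left as the thread discusses it.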
  4. Guest

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    >
    > >We are an office of 30, spread over 2 floors. Currently, we have the
    > >following network;

    >
    > >Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs
    > >switches/hubs - servers/PC's/laptops

    >
    > >Secondly, we have a PIX-PIX VPN with our head office who are now using
    > >Cisco VoIP. To reduce phone bills, they will be sending us a small
    > >amount of VoIP phones to plug into our network to connect with them
    > >until we introduce our own VoIP system. As a result, I'd like to have
    > >QoS capable switches that will give precedence to VoIP traffic. Will
    > >QoS capable Cisco 2950 switches suffice?

    >
    > Not really. In order for QoS to be meaningful, you need QoS end to end.
    > The PIX 506e is not capable of handling QoS, so you will not be
    > able to prioritize the VOIP over the VPN.
    >
    > PIX 7.x software supports QoS; it is supported on the Cisco ASA line,
    > and on the Cisco PIX 515/515E, 525, and 535.


    Good point. From what I know, Cisco has no plans to introduce 7.x onto
    the 506E range, therefore it may be time to invest in a new firewall.
    However, the remote end uses a 506E as well, in which case there would
    be no real point upgrading until they do too, would you say? I'm
    looking at it from the point of view that we would send out prioritised
    VoIP traffic to them, but when we're receiving the traffic, it will
    arrive mixed with everything else? I suppose there would be a marginal
    improvement, but not much?

    > If you have some VOIP phones plugged into switches that connect
    > to another switch that then connects to the PIX, then you might
    > still get some benefit from QoS, as it would prioritize the traffic
    > within your LAN. (If you went gigabit, you would probably find
    > the flow fast enough that QoS did not make any noticeable difference,
    > not until you started filling up the gigabit bandwidth.)
    >
    > I don't know if the VOIP phones set the IP ToS (Type of Service) bits;
    > if they do not, then the QoS for them would have to be based upon
    > DSCP which is carried in VLAN tagging, so you would need at least
    > two VLANs, one for data and one for voice. I believe I've read that
    > the 2950 type devices support auto-QoS, which is automatic detection
    > that a device is an IP phone and automatic placement of that device
    > into an appropriate VLAN. In this scenario, you would need to trunk
    > the VLAN between the switches, but you would not need to route between
    > those VLANs as the VOIP VLAN would essentially be a port-based VLAN.


    Head office has a spare 3550 which they can provide us, so we'd use
    this for the VOIP phones with the benefit that it can provide POE as
    Martin mentioned above (I've checked, and this model has the
    functionality). If we took the auto-QoS route, then that would involve
    3 VLAN's; data VLAN, voice VLAN, and also the guest VLAN I previously
    mentioned, so the PIX would have to be upgraded anyway since the 506E
    can only handle two logical interfaces. Or can we use IP precedence in
    this case on the 3550 using a class-map type command? I'd be interested
    to know if you have any knowledge of VOIP using Precedence as opposed
    to Voice VLANs, or indeed if this was possible.

    > >Last question, as mentioned above, we do not plan on any intervlan
    > >routing for the time being. Hence, am I correct in thinking that there
    > >is no need for any L3 switch, such as the 3560, here? Or can anyone see
    > >any features the 3550/3560 has that may benefit me?

    >
    > Once you start going gigabit, it is common to start thinking about
    > redundancy and automatic failover and dual server with HSRP and so on.
    > Not that there is a "hard link" between gigabit and these items, more
    > a matter of "by the time you need gigabit bandwidth, your network
    > has usually evolved to the point where people's personal expectations
    > of reliability are getting higher (and, not uncommonly, unrealistic!);
    > that and by the time you are moving that much data around, the
    > business-impact of network failures starts to become rather important.
    >
    > And if you are moving lots of data around then it is also often time
    > to reconsider your backups -- autochangers, newer drives with higher
    > storage capacity per tape, newer backup management and catalog programs
    > to keep track of everything. Simultaneously, if your disks are getting
    > into the 100+ gigabyte range (and whose are not these days?) then you
    > need to think about the consequences of failure of any one of those disks,
    > and about how even if you have good backups that the time to restore
    > might start to become an important business factor, so you start worrying
    > about RAID, or doing backups to disk (sort of like RAID 1)...
    >
    > The theme here being that if LAN data has grown large enough to make
    > gigabit speeds important, then business-risk assessment must be done
    > to ensure that the storage and management of the data and the disaster
    > recovery plans are suited to that much data.
    >
    > Tying this directly back to your 3550/3560 question: the 3550 are
    > pretty much out, replaced by the 3560 or 3750 (but watch out for
    > latency in the 3750 according to some reports). The 3750 in particular
    > has more advanced fault recovery possibilities than the 2950 (because
    > of the stacking). But you need more complicated wiring to avoid
    > single points of failure anyhow -- e.g., if you have a critical server
    > then you don't want that server to be connected to only a single switch,
    > because then the switch is a single-point failure. (So you do some
    > really fancy wiring, or you duplicate the critical server and HSRP / VRRP
    > it...)


    Given that it's a relatively small office (approx 30 users), I'm still
    not sure if Gigabit ethernet is actually required. Are you aware of any
    tools that will measure bandwidth usage across certain points in the
    LAN as opposed to just network sniffers? I completely agree with the
    users' expectations rising comment though, and the need for this to be
    tied in with the backup system, HSRP etc

    > >Whilst I can see a security need for the
    > >VLAN's (we have a lot of visitors and I'm hoping to segregate them onto
    > >their own VLAN)

    >
    > You will need -some- layer 3 device to route between those VLANs.
    > The 506E with 6.3(3) or later software can support up to two VLANs
    > in addition to the two physical interfaces; these VLANs show up
    > on the PIX as "logical interfaces", complete with their own IP address
    > and their own security level, so you can use the 506E as the L3 device
    > while imposing strict controls over what the guests can access.


    I wasn't planning on intervlan routing to be honest. The guests would
    use the second logical interface on the PIX for internet use only, I
    cannot see a need for them to access files or any other resources on
    our network. DHCP for this interface can be handled by the PIX, and we
    can set up a single machine to use as a print server along with a
    colour printer.

    Thanks for the input.
    , Nov 4, 2006
    #4
