I'm designing the network infrastructure for a new installation that is an extension of an existing company. The specs are:
Approx 400 users over 4 levels in a building (L1, L3, L4 & L5 - I don't know what happened to L2, but I'm told it's not being used).
Wall cabling from L3, L4 & L5 is all terminated in the wiring closet on L4. L4 is to be the location of the server/network room.
L1 has (or will have) fibre run to L4.
Each user will have both PC and IP phone.
IP phone will connect to wall socket, PC will connect to phone. Hence only ONE switch port is required per user.
Fibre cable has been sourced from new building back to Head Office (HO) building. This is approx 2km so I'm going to assume it is single-mode fibre as multimode won't go this distance.
Cisco 3750 & 2950 switches will be used.
A private address allocation from the 10.0.0.0 block of a /21 (i.e. 8 consecutive Class C's) has been allocated.
What I am thinking of doing is as follows:
1 x Cisco 3750 as main switch (24-port 10/100/1000 w/ 4-SFP).
6 x Cisco 2950 (48-port 10/100 w/ 1000BaseT uplink), connected to 3750 by copper for L3, L4 & L5.
1 x Cisco 2950 (24-port 10/100 w/ 1000BaseSX uplink), connected to 3750 for L1.
1 or 2 x Cisco 2950 (48-port 10/100) cascaded from above switch on L1.
Now the questions...
The 3750 will have an LX fibre module to connect it back to the main office building. It will be the main "router" for the site and handle all the L3 routing. It will be doing really simple stuff, routing between VLANs and a single default route for everything else to go back to HO. This new building will NOT have its own Internet access; that will be via the Internet connection at HO. Can anyone see a problem with using it for this purpose?
On the HO end, the routing will be handled by another 3750 switch. Again, any reason not to do this?
To make sure that communication happens as efficiently as possible, the default gateway for both the HO network & the new building will be the 3750 switch at either end. The theory behind this is that if you set the GW to be a normal router and the router is only connected at 100Mbps (which they are), then the traffic from one building to the other has to go over a 100Mbps link to/from the router, which will slow it down. By making the default GW the switch, the communication will be Gbps all the way (between buildings). Is this a reasonable conclusion to make and a sensible design?
Some servers will be local (DC, maybe file/print server), but a lot of the servers will be located at HO. On the HO end, all of the important servers are connected via Gb to other 3750 switches. The thought is that as it will be Gb from one building to the other and a reasonably short distance, it won't really make any difference where the servers are located. Is this reasonable?
On L1, at this stage it looks like there will only be a single fibre drop, which means that only one switch can be connected to the fibre back to L4 at any point in time. The 2950's are fixed-module switches, which means that the ones that have 1000BaseSX only have two 1000BaseSX ports and 10/100 ports (either 24 or 48). To cascade another switch off it means purchasing another switch that also has 1000BaseSX ports or using a transceiver. The reason for not cascading using 1000BaseSX is price. The prices work out as follows ($AU RRP):
WS-C2950T-48-SI (48 10/100 + 2 1000BaseT) = $5021
WS-C2950SX-48-SI (48 10/100 + 2 1000BaseSX) = $8039
WS-C2950SX-24 (24 10/100 + 2 1000BaseSX) = $3612
So you can see there is a huge price discrepancy between getting the two SX uplinks on the 48-port switch as opposed to two T uplinks. The way around this would be either to cascade 100BaseT (yes - 100) from a 24-port SX-uplinked switch (as discussed above originally) or to use the same switch with a fibre-to-copper transceiver to allow the cascading of the 1000BaseT ports from the second 1000BaseSX port on the switch connected to the fibre run. Following me? What would people recommend? Do you think it is worthwhile to try and keep all of the switches interconnected at 1Gbps?
It is my understanding that the 2950 switches support enough QoS for the VoIP phones, correct?
Next big question is VLANs. The VLAN implementation will be based around the simple fact of splitting the network space up into smaller broadcast domains. There is no need for VLANs from a security perspective. From the security viewpoint, they WOULD like to implement security whereby unauthorised devices can't connect to the network. The most obvious answer to both these questions is to use dynamic VLANs. I've been reading stuff about the new User Registration Tool (URT - www.cisco.com/go/urt) and 1102 VLAN Policy Server (VPS), which appear to do along the lines of what I want. The problem I have is that I can't seem to work out whether you can have the VPS without the URT? We don't need any of the other stuff, like authenticating users or other fancy tools. Essentially all we want to do is have a list of permitted MAC addresses and dynamically assign them to a VLAN as they connect. Any MAC address that isn't listed will be denied access. What do I need to implement this (as a minimum)?
Any other suggestions/ideas in general ?
There are a lot of questions here, so I'm happy to assign more points and split them around as necessary (let me know).
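Editor's note: the configuration below is an added illustration of the two building blocks the post describes (a 2950 access port carrying a phone and a PC with a per-port list of permitted MAC addresses, and the 3750 routing between VLANs with a single default route to HO). It is not part of the original post and not the poster's own configuration. The VLAN numbers, the subnets carved out of the /21, the interface names, the point-to-point link addresses and the MAC addresses are all assumed placeholders. Which QoS trust commands are available on a 2950 depends on the IOS image (SI versus EI), so the QoS lines are marked as something to verify against the image on the switches actually purchased.

```cisco
! --- Catalyst 2950 access port: IP phone on the wall socket, PC daisy-chained behind it ---
! Assumed: VLAN 10 = data, VLAN 20 = voice. Both MAC addresses are placeholders.
interface FastEthernet0/1
 description User port - phone + PC (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Only the listed MACs may use this port: one for the phone, one for the PC.
 ! Any other source MAC trips the violation action and the port is err-disabled.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.6677
 switchport port-security violation shutdown
 ! Trust the phone's CoS marking only while a Cisco phone is detected via CDP.
 ! The exact QoS command set depends on the 2950 image (SI vs EI) - verify for your image.
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast
!
! --- Catalyst 3750 at the new building: SVIs route between VLANs, one default route to HO ---
! Assumed: the /21 is 10.0.0.0/21; 10.0.0.0/24 data, 10.0.1.0/24 voice,
! 10.0.7.252/30 for the point-to-point fibre link to HO (all placeholders).
ip routing
!
interface Vlan10
 description Data VLAN (assumed)
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 description Voice VLAN (assumed)
 ip address 10.0.1.1 255.255.255.0
!
! SFP port carrying the LX link back to HO, configured as a routed port so the
! 3750 is the site gateway end to end (interface name assumed for a 3750G-24TS).
interface GigabitEthernet1/0/25
 description Fibre to HO (assumed)
 no switchport
 ip address 10.0.7.253 255.255.255.252
!
! Everything not local goes to the 3750 at HO (its link address is assumed).
ip route 0.0.0.0 0.0.0.0 10.0.7.254
```

Two things to check before relying on this. The default route only gets traffic out; the 3750 at HO still needs a route for the whole /21 pointing back at 10.0.7.253 (or the return traffic never arrives), and any users on the HO network whose gateway is not the HO 3750 will still take the detour through whatever their gateway is. Port security as shown gives a per-port allowed-MAC list with err-disable on violation; it does not move a device into a VLAN based on its MAC the way the dynamic-VLAN tools mentioned in the post would, so it covers the "deny unlisted devices" requirement but not the "assign to a VLAN on connect" one.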