Solved

Network design questions

Posted on 2004-04-26
Last Modified: 2013-11-15
I'm designing the network infrastructure for a new installation that is an extension of an existing company. The specs are:

Approx 400 users over 4 levels in a building (L1, L3, L4 & L5 - I don't know what happened to L2, but I'm told it's not being used).
Wall cabling from L3, L4 & L5 is all terminated in wiring closet on L4. L4 to be location of server/network room.
L1 has (or will have) fibre run to L4.
Each user will have both PC and IP phone.
IP phone will connect to wall socket, PC will connect to phone. Hence only ONE switch port required per user.
Fibre cable has been sourced from new building back to Head Office (HO) building. This is approx 2km so I'm going to assume it is single-mode fibre as multimode won't go this distance.
Cisco 3750 & 2950 switches will be used.
A private address allocation from the 10.0.0.0 block of a /21 (ie. 8 consecutive Class C's) has been allocated.

What I am thinking of doing is as follows:

1 x Cisco 3750 as main switch (24-port 10/100/1000 w/ 4-SFP).
6 x Cisco 2950 (48-port 10/100 w/ 1000BaseT uplink), connected to 3750 by copper for L3, L4 & L5.
1 x Cisco 2950 (24-port 10/100 w/ 1000BaseSX uplink), connected to 3750 for L1.
1 or 2 x Cisco 2950 (48-port 10/100) cascaded from above switch on L1.

now the questions...

The 3750 will have an LX fibre module to connect it back to the main office building. It will be the main "router" for the site and handle all the L3 routing. It will be doing really simple stuff, routing between VLAN's and a single default route for everything else to go back to HO. This new building will NOT have its own Internet access, that will be via the Internet connection at HO. Can anyone see a problem with using it for this purpose?

On the HO end, the routing will be handled by another 3750 switch. Again, any reason not to do this ?

To make sure that communication happens as efficiently as possible, the default gateway for both the HO network & new building will be the 3750 switch at either end. The theory behind this is that if you set the GW to be a normal router and the router is only connected at 100Mbps (which they are), then the traffic from one building to the other has to go over a 100Mbps link to/from the router which will slow it down. By making the default GW the switch, the communication will be Gbps all the way (between buildings). Is this a reasonable conclusion to make and a sensible design?

Some servers will be local (DC, maybe file/print server), but a lot of the servers will be located at HO. On the HO end, all of the important servers are connected via Gb to other 3750 switches. The thought is that as it will be Gb from one building to the other and a reasonably short distance it won't really make any difference where the servers are located. Is this reasonable ?

On L1, at this stage it looks like there will only be a single fibre drop which means that only one switch can be connected to the fibre back to L4 at any point in time. The 2950's are fixed module switches which means that the ones that have 1000BaseSX only have two 1000BaseSX ports and 10/100 ports (either 24 or 48). To cascade another switch off it means purchasing another switch that also has 1000BaseSX ports or using a transceiver. The reason for not cascading using 1000BaseSX is price. The prices work out as follows ($AU RRP):

WS-C2950T-48-SI (48 10/100 + 2 1000BaseT) = $5021
WS-C2950SX-48-SI (48 10/100 + 2 1000BaseSX) = $8039
WS-C2950SX-24 (24 10/100 + 2 1000BaseSX) = $3612

So you can see there is a huge price discrepancy between getting the two SX uplinks on the 48 port switch as opposed to two T uplinks. The way around this would be either to cascade 100BaseT (yes - 100) from a 24-port SX uplinked switch (as discussed above originally) or to use the same switch with a Fibre-to-Copper transceiver to allow the cascading of the 1000BaseT ports from the second 1000BaseSX port on the switch connected to the fibre run. Following me? What would people recommend? Do you think it is worthwhile to try and keep all of the switches interconnected at 1Gbps?

It is my understanding that the 2950 switches support enough QoS for the VoIP phones, correct ?

Next big question is VLAN's. The VLAN implementation will be based around the simple fact of splitting the network space up into smaller broadcast domains. There is no need for VLAN's from a security perspective. From the security viewpoint, they WOULD like to implement security whereby unauthorised devices can't connect to the network. The most obvious answer to both these questions is to use dynamic VLAN's. I've been reading stuff about the new User Registration Tool (URT - www.cisco.com/go/urt ) and 1102 VLAN Policy Server (VPS), which appear to do along the lines of what I want. The problem I have is that I can't seem to work out whether you can have the VPS without the URT ? We don't need any of the other stuff, like authenticating users or other fancy tools. Essentially all we want to do is have a list of permitted MAC addresses and dynamically assign them to a VLAN as they connect. Any MAC address that isn't listed will be denied access. What do I need to implement this (as a minimum) ?

Any other suggestions/ideas in general ?

There are a lot of questions here, so I'm happy to assign more points and split them around as necessary (let me know).
Thanks.
Question by:td_miles
9 Comments
 

Accepted Solution

by: lrmoore (earned 400 total points)
One hitch that I can see in your equipment plan:
>1 x Cisco 3750 as main switch (24-port 10/100/1000 w/ 4-SFP).
>6 x Cisco 2950 (48-port 10/100 w/ 1000BaseT uplink), connected to 3750 by copper for L3, L4 & L5.
By daisy-chaining all 7 switches, you limit the uplink speeds. If you were to use all 3750's, you can use the stackwise cable for a full 32Gig backplane. This is the only stackable that gives you that capability.

No problems using the 3750 for all the L3 routing. That's what it was designed for and much faster than a router.

Q: what are you using for PoE for the phones? You might want to look at the new 3560 switches.
http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html

URT is a VERY expensive toy. You might look into enabling security on the switchport with 802.1x and a TACACS+/Radius server. You can do VMPS without the URT:
http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f03c.html

 

Assisted Solution

by: PennGwyn (earned 100 total points)
What about making all of the 2950s the 48-port model with 1000-BaseT copper.  On L1, equip one with a transceiver to get to the 3750, and cascade the other off of it -- skip the 24-port entirely.

If the VLANs aren't needed for security, it doesn't matter which VLAN a given user winds up in.  So port security may be sufficient to keep unauthorised devices out without URT etc.



 

Author Comment

by:td_miles
Thanks for the responses.

>By daisy-chaining all 7 switches, you limit the uplink speeds.
>If you were to use all 3750's, you can use the stackwise cable for a full 32Gig backplane.
>This is the only stackable that gives you that capability.

Yes, I do realise that using a "proper" stacking method gives better bandwidth between switches. My rationale for not doing so in this case is twofold:
1. WS-3750-48TS-S (48 10/100 ports + 4 SFP) is $14077 vs only $5021 for the 2950, multiply by 6 switches = $54000 extra for a 32Gbps interconnect. Is this value for money?
2. Most of the servers will still reside on the remote end of the Gb fibre link between the buildings, so I'm not sure if a faster interconnect between the switches would be of much benefit. There is talk of moving everyone to the new building in 2-3 years time, so this idea may be worth some thought if only for this reason alone.


>Q: what are you using for PoE for the phones? You might want to look at the new 3560 switches.

I have been told that they are using NEC phones and will be using PoE injection modules on the patch. They are aware this will add more cabling and more rackspace, but had already made the decision to do this before I even had my first meeting with them. I'll raise this again, but don't like my chances...

>URT is a VERY expensive toy. You might look into enabling security on the switchport with
>802.1x and a TACACS+/Radius server. You can do VMPS without the URT.

I had a read of the link and have looked at this before and realise the switches can use VMPS to do this. My problem being that you need something to act as a VMPS "server". In the link that you gave, they were using a Catalyst 5000 switch to do this. From the info I've been able to find, the lowest/smallest switch that can be a VMPS server is a Catalyst 4500. Is there anything else that can be the VMPS server???

When you say URT is expensive, how expensive are we talking (I can't really find any real prices for it) ?

--------------------

>What about making all of the 2950s the 48-port model with 1000-BaseT copper.  
>On L1, equip one with a transceiver to get to the 3750, and cascade the other off of it -- skip the 24-port entirely.

Strangely, the exact same thought occurred to me while I was driving in to work this morning :)
Again, it comes down to using a transceiver. Ever had any problems with Gb transceivers ?

>If the VLANs aren't needed for security, it doesn't matter which VLAN a given user winds up in.
>So port security may be sufficient to keep unauthorised devices out without URT etc.

You're correct in that it doesn't matter which VLAN a user ends up in (as long as there is a roughly equal distribution). From all I've read, port security is a manual configuration option (if I'm wrong, I'm happy to be corrected, point me to a link). We need to avoid the overhead of manually configuring the MAC address allowed on each port of each switch. In addition, this would make people moving around (eg. those who have notebooks) a nightmare. Hence why I'm looking at options where a centrally located DB is used for MAC security. MAC security IS required. The parent company has dictated that this MUST be implemented.

----------------------
FYI - in case you're wondering about the prices, they are all RRP in $AU inc GST.
 

Expert Comment

by:lrmoore
URT Starter Kit = $24,995 USD
It's an appliance (HW+SW). A redundant HW configuration is suggested for another $14,995 USD.

I didn't realize that only the 4500 and 6500 switches can be VMPS servers...ouch..

 

Author Comment

by:td_miles
OK, how about another option for access control. What if I create a single ACL on the 3750 main switch that has permit statements for each of the known MAC addresses. This way if someone off the street plugs into a 2950 switch port, they will be able to connect to any other devices on that switch, but nothing else, as once the traffic tries to get past the 3750, it will get blocked. Would it be better to implement this on every switch or would just the central one be enough ? Can the switches handle an ACL that might have approx 400-500 lines in it ? Would this cause performance problems ? In the case of having the same ACL on all switches, this might be slightly more manageable, as it could be stored centrally and just cut/paste or tftp'ed to the switches.
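Both of the poster's central-list ideas (the permitted-MAC list that VMPS would assign VLANs from, in the question, and the permit-per-MAC ACL on the 3750 in the comment just above) start from the same list, so here is an added example, in Python, that turns one such list into both artifacts. This is not code from the thread or from Cisco. Assumptions: the list is a text file with one MAC per line in any notation, with `#` comments (the sample below is constructed); the VLAN names DATA-L3/L4/L5 are placeholders that would have to exist on the switches; the VMPS file syntax is from my recollection of the Catalyst VMPS database format and should be checked against the VMPS chapter for whatever switch ends up serving it; and the `mac access-list extended` / `mac access-group ... in` commands are the 3750's, where the ACL goes on the Layer 2 ports facing the 2950 uplinks, not on an SVI. Two practitioner notes that the thread does not spell out: the phones' MACs and the 2950s' own management MACs must be on the list or the ACL silently drops them, and whether a MAC ACL applied alone also filters IP frames on the IOS release in use is worth confirming in that release's ACL chapter before relying on it. Either way this is an inventory control (it identifies a NIC, not a person), which is the distinction PennGwyn makes at the end of the thread.

```python
"""Turn one central MAC allow list into a VMPS database and a 3750 MAC ACL.

Added example for this thread, not the poster's or Cisco's code. The VMPS
file syntax is as I recall the Catalyst VMPS database format; verify it.
"""
import re
from collections import Counter

# Constructed sample of the central list (not real devices): one MAC per
# line in any common notation, '#' comments, one duplicate and one bad entry.
CENTRAL_LIST = """\
# central MAC list, kept in one place and regenerated from here
00:12:34:56:78:9a   # reception PC
0012.3456.789B      # L3 desk 14
00-12-34-56-78-9C   # L5 notebook
00:12:34:56:78:9a   # duplicate, must be dropped
00:12:34:56:78      # too short, must be rejected
"""

# Placeholder VLAN names (assumed); they must exist on the switches.
VLAN_NAMES = ["DATA-L3", "DATA-L4", "DATA-L5"]


def normalize_mac(raw):
    """Cisco dotted form (xxxx.xxxx.xxxx) of a MAC in any notation, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def load_allow_list(text):
    """Parse the list; returns (sorted unique MACs, raw entries that were rejected)."""
    macs, rejected = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append(entry)
        else:
            macs.add(mac)
    return sorted(macs), rejected


def assign_vlan(mac, vlan_names=VLAN_NAMES):
    """Deterministic spread over the VLANs: the same MAC always gets the same
    VLAN, and adding hosts later does not reshuffle existing ones, which is
    all the poster needs (a roughly equal split, no fixed mapping)."""
    return vlan_names[int(mac.replace(".", ""), 16) % len(vlan_names)]


def vmps_database(macs, domain, vlan_names=VLAN_NAMES):
    """Text of a VMPS database file in secure mode (unlisted MACs are refused)."""
    lines = [
        "!VMPS File Format, version 1.1",
        f"vmps domain {domain}",
        "vmps mode secure",
        "vmps no-domain-req deny",
        "!",
        "vmps-mac-addrs",
    ]
    lines += [f"address {m} vlan-name {assign_vlan(m, vlan_names)}" for m in macs]
    return "\n".join(lines) + "\n"


def mac_acl(macs, name="ALLOWED-HOSTS"):
    """Named MAC extended ACL for the 3750: permit listed source MACs, drop the rest.
    The phones' and the 2950s' own management MACs also need to be on the list."""
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {m} any" for m in macs]
    lines.append(" deny any any")
    return "\n".join(lines) + "\n"


def vlan_balance(macs, vlan_names=VLAN_NAMES):
    """Hosts per VLAN under assign_vlan, to eyeball the split."""
    return dict(Counter(assign_vlan(m, vlan_names) for m in macs))


if __name__ == "__main__":
    macs, rejected = load_allow_list(CENTRAL_LIST)
    for bad in rejected:
        print(f"! rejected entry: {bad!r}")
    print(vmps_database(macs, "NEWSITE"))  # the file the VMPS server fetches by TFTP
    print(mac_acl(macs))                    # paste into the 3750 config
    print("! hosts per VLAN:", vlan_balance(macs))
```

The VMPS text is what the VMPS server loads by TFTP; the ACL text is pasted into the 3750 and then applied with `mac access-group ALLOWED-HOSTS in` on each port that faces a 2950 uplink. Rejected entries are printed as `!` comment lines so a typo in the central list shows up in the generated output instead of quietly locking a desk out.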
 

Expert Comment

by:lrmoore
If users don't move around, you can enable port security and list the accepted MAC address(s) that can connect to that port...
The cluster manager GUI has some pretty slick security wizards.
 

Expert Comment

by:lrmoore
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12218se/3750scg/sw8021x.htm
You can enable user-based port security with nothing but a Radius server (free with Win2k server)
 

Author Comment

by:td_miles
I guess it all hinges on whether people move around much and how much manual administration they want to do. The 802.1x probably isn't viable, as it is only supported on WinXP clients. I've got a suspicion that the phones won't support it, but I could be wrong, I'm also not sure how much they have moved to XP clients.

It looks like VMPS might be an option. I can get a Cat 4503 with 24 10/100/1000 ports & 6 GBIC (ie. pretty much equivalent to the specs on the 3750) for about $32000 (with no spare slots though). If this is used instead of the 3750 (which it would be), then this is only $18000 more expensive. The supervisor 2+ engine seems to support pretty much all of the same stuff the 3750 does, it does L3 routing & VMPS (provided SW requirements are met) which is about all I need. Is there anything that the 3750 WILL do better than the 4503 ?

Can you see any problem with putting the VMPS server on one side of the fibre link that will be between the buildings (which side doesn't really matter) and using it to service both networks ?

This gives me some options anyway, I guess they'll have to make the choice between ease of use and cost...

Thanks for the help thus far, I don't have anyone in the office with the relevant level of switching/routing knowledge to bounce ideas off, so this really helps.
 

Expert Comment

by:PennGwyn
If mobility were not an issue, then it would be simple to configure port security -- the first MAC address learned on each port becomes *the* MAC address permitted on that port.

Obviously that breaks if laptops are allowed to be shuffled at random.  Perhaps it would be better to authenticate the user than the NIC.

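The thread leaves the choice between port security on fixed desks and a central list for people who move around. Whichever way that goes, the thing a network administrator needs on day two is a way to see which MACs actually sit on which ports and whether they match the list, so here is an added example, in Python, that does that without changing any switch configuration: it parses the text of `show mac address-table` from a 2950 and compares it with the allow list. It is not code from the thread. Assumptions: the table below is a constructed sample in the layout that command prints (VLAN, MAC, type, port); the uplink port name `Gi0/1` is assumed and is skipped because the MACs learned there belong to the rest of the network; the allow list is in Cisco dotted form; and two MACs per desk port are expected because the question has the PC plugged into the phone, so a third device on a port is reported.

```python
"""Audit a 2950's learned MAC table against the central allow list.

Added example for this thread, not the posters' code. Reads the text of
`show mac address-table` (constructed sample below) and reports MACs that
are not on the list and ports carrying more devices than phone + PC.
"""
import re

# Constructed allow list in Cisco dotted form (not real devices).
ALLOWED = {"0012.3456.789a", "0012.3456.789b", "000a.0b0c.0d0e", "000a.0b0c.0d0f"}

# Ports that lead to other switches rather than to a desk: the MACs learned
# there are everyone else's hosts, so they are not audited. Name is assumed.
UPLINKS = {"Gi0/1"}

# Constructed sample in the layout `show mac address-table` prints on a 2950.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0012.3456.789a    DYNAMIC     Fa0/1
  10    000a.0b0c.0d0e    DYNAMIC     Fa0/1
  10    0012.3456.789b    DYNAMIC     Fa0/2
  10    00aa.bbcc.ddee    DYNAMIC     Fa0/2
  10    000a.0b0c.0d0f    DYNAMIC     Fa0/3
  10    0011.2233.4455    DYNAMIC     Fa0/3
  10    0011.2233.4466    DYNAMIC     Fa0/3
  10    0040.9600.0001    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 9
"""

# One table row: vlan, dotted MAC, entry type, port. Header/footer lines do not match.
ENTRY = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """List of (vlan, mac, type, port) tuples for every row of the table."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m["vlan"], m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def audit(text, allowed, uplinks=frozenset(), expected_per_port=2):
    """Compare learned MACs with the allow list.

    Returns {"unknown": [(port, mac), ...], "crowded": {port: count}}:
    unknown = a MAC on a desk port that is not on the list; crowded = more
    MACs on one port than the phone + PC the design puts there (a hub, or a
    second device hanging off the phone's PC port).
    """
    per_port = {}
    for _vlan, mac, kind, port in parse_mac_table(text):
        if kind != "DYNAMIC" or port in uplinks:
            continue  # switch-internal entries and the trunk to the 3750
        per_port.setdefault(port, set()).add(mac)
    unknown = sorted(
        (port, mac) for port, macs in per_port.items() for mac in macs if mac not in allowed
    )
    crowded = {
        port: len(macs)
        for port, macs in sorted(per_port.items())
        if len(macs) > expected_per_port
    }
    return {"unknown": unknown, "crowded": crowded}


if __name__ == "__main__":
    report = audit(MAC_TABLE, ALLOWED, UPLINKS)
    for port, mac in report["unknown"]:
        print(f"{port}: {mac} is not on the allow list")
    for port, count in report["crowded"].items():
        print(f"{port}: {count} devices, expected at most 2")
```

Run against the real output of each 2950 (captured over telnet/SSH or pasted from a console session) this gives a per-switch report that can be produced on a schedule, which is the piece port security alone does not give you when notebooks move between floors.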
