
Out-of-band LAN for backup traffic; lowest-end Cisco switch with gigabit RJ45 ports; does the Cisco 29xx support link aggregation?

Hi,

Q1:
What's the lowest-end gigabit Cisco switch that comes with gigabit network ports (RJ45)?
Any non-chassis models (such as the 3xxx series)? The 6xxx and 4xxx models are the chassis
type: we don't want those if possible. We're looking for something 2U in size
(so Alcatel models are fine too, as long as they support gigabit).

Q2:
BTW, can Layer 2 switches, namely the 29xx series, support link aggregation (i.e.
2 NIC ports on a server connect to it and get the bandwidth of 2x gigabit ports)?



We have several LANs/VLANs including two DMZs.

We're planning to set up a backup LAN dedicated to central backup traffic (Data
Protector, Netbackup).

Q3:
So the central backup server needs a spare NIC port (or would it help if we used
two NIC ports and aggregated them to get more bandwidth / faster backups when backing up
from multiple clients concurrently?)

Q4:
So we'll need a spare NIC port on each client to be backed up, spare switches
(as our current switch is running out of ports) and a firewall? Does the policy for
setting up a backup LAN that connects to a DMZ require a firewall?

Q5:
If we don't get a firewall (due to budget constraints), is there any way to perform central
backup of the servers in the DMZ? Is it acceptable from a security point of view to use
a Cisco Layer 3 switch with ACLs to segregate the Backup LAN and the DMZ
LAN?
Asked by sunhux
2 Solutions
 
Mysidia commented:
Q1: WS-C3560G-24TS-E

Q2: This is a very vague question; some of them can, with the right image.
2950s are capable of up to 6 EtherChannels.

Q3: With interface teaming, you could increase the available throughput to the server, provided you have enough bandwidth usage for it to be an advantage, and you have sufficient bandwidth between the switch and the other switches with the servers you're backing up.

Q4: If you isolate your "backup LAN" entirely, you won't necessarily need a firewall, as there's simply no connection. You might use one backup server for the internal LAN and one backup server for the DMZ.

You must have a massive amount of backup traffic that would be a disruption to normal activities to justify the extra spend on additional hardware for a separate backup LAN in the first place...


Q5: A Layer 3 switch makes sense. You could block all traffic _except_ backup traffic. And you could restrict the backup traffic allowed to pass to the IP of your backup server.

If the backup VLAN is isolated from the internal VLAN other than having internal PCs connecting to it, then security is fairly strong.

The primary risk is compromise of the backup server itself,  which you partly mitigate by only allowing backup traffic ports.

Make sure the switch management is only available from outside the backup or DMZ VLANs, however, and that no access to VLAN 1 or trunk mode is possible on any DMZ or backup VLAN port.

If you aren't careful, the switch could be a weak point in your security design.


In this case a firewall can't really do any more than your ACLs can.
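What Mysidia's Q5 answer looks like on a 3560-class switch, as an added example that is not part of the thread. The VLAN numbers, addresses, interface ranges and the TCP ports (1556, 13724, 13782 are placeholders standing in for whatever Data Protector or NetBackup actually use at your site) are all assumptions made for the example. The DMZ servers' second NICs sit in their own VLAN whose only gateway is this switch, and the switch routes nothing except that VLAN to the backup VLAN.

```cisco
! Added example, not from the thread. Assumed layout:
!   VLAN 30  second NICs of the DMZ1 servers         10.30.0.0/24
!   VLAN 40  backup LAN, backup server = 10.40.0.10  10.40.0.0/24
!   VLAN 99  switch management only                  10.99.0.0/24
! VLAN 1 is left unused. The TCP ports are placeholders: use the
! ports your backup product (Data Protector, NetBackup) documents.
hostname BACKUP-SW1
ip routing
! No default route on purpose: the switch only routes VLAN 30 <-> VLAN 40.
!
vlan 30
 name DMZ1-BACKUP-NICS
vlan 40
 name BACKUP-LAN
vlan 99
 name MGMT
!
! Switch ACLs are stateless, so each direction gets its own list and the
! replies to sessions opened from the other side must be permitted
! explicitly ("established" matches TCP segments with ACK or RST set).
ip access-list extended DMZ1-IN
 remark DMZ hosts opening backup sessions to the backup server
 permit tcp 10.30.0.0 0.0.0.255 host 10.40.0.10 eq 1556
 permit tcp 10.30.0.0 0.0.0.255 host 10.40.0.10 eq 13724
 remark replies to sessions the backup server opened into the DMZ
 permit tcp 10.30.0.0 0.0.0.255 host 10.40.0.10 established
 remark everything else from the DMZ, including to the switch itself, is dropped
 deny   ip any any
!
ip access-list extended BACKUP-IN
 remark the backup server opening the agent port on DMZ hosts
 permit tcp host 10.40.0.10 10.30.0.0 0.0.0.255 eq 13782
 remark replies to sessions DMZ hosts opened to the backup server
 permit tcp host 10.40.0.10 10.30.0.0 0.0.0.255 established
 remark nothing from the backup LAN reaches management or any other VLAN
 deny   ip any any
!
interface Vlan1
 shutdown
!
interface Vlan30
 description DMZ1 backup NICs; the only gateway these NICs have
 ip address 10.30.0.1 255.255.255.0
 ip access-group DMZ1-IN in
!
interface Vlan40
 description backup LAN; Prod/UAT second NICs reach the server at Layer 2
 ip address 10.40.0.1 255.255.255.0
 ip access-group BACKUP-IN in
!
interface Vlan99
 description management; reachable from the admin network, never from 30/40
 ip address 10.99.0.5 255.255.255.0
!
! Edge ports: fixed access VLAN, DTP off so a host cannot negotiate a
! trunk, BPDU guard so a rogue switch plugged into the port is shut down.
interface range GigabitEthernet0/1 - 12
 description DMZ1 server backup NICs
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet0/13 - 24
 description backup server and Prod/UAT backup NICs
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management only over SSH and only from the management subnet
! (SSH also needs "ip domain-name" and "crypto key generate rsa").
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
!
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
```

Two caveats a practitioner should keep in mind. First, `established` is not state tracking: any TCP segment with ACK set passes, so this is weaker than a stateful firewall even though it blocks every new connection in the wrong direction, which is the risk the answer is addressing. Second, Prod and UAT second NICs in VLAN 40 talk to the backup server without ever crossing an SVI, so the ACLs do nothing for them; that matches the thread's design, where only the DMZ needs segregation, but it means a compromised Prod host has Layer 2 reach to the backup server.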
 
sunhux (author) commented:
Hi,

How many RJ45 Gigabit ports does the WS-C3560G-24TS-E have? 24?
Is this a Layer 3 or Layer 2 switch? If it's a Layer 2 switch, possibly we
can't have ACLs, is that right?


To save us from spending on a firewall to segregate the DMZ LANs/VLANs from
the backup LAN, I thought: if the backup server has multiple NIC ports, one NIC port to
the DMZ1 LAN and a 2nd NIC port to the DMZ2 LAN, and this backup server has some sort
of software firewall running on it to prevent attacks via this backup server. Or is this
software firewall still needed if there are no routes defined to permit routing
between DMZ1, DMZ2 and the other LANs/VLANs?
 
sunhux (author) commented:
For the WS-C3560G-24TS-E, if there aren't enough ports, can I cascade them (using a
crossover UTP RJ45 cable) or should I trunk a few of these switches together?

On second thought, perhaps this backup server (for which we are buying fresh hardware, as the
existing hardware is going to be end of life / end of support) ought to come with
as many NIC ports as possible: we want this dedicated backup LAN to back up servers in
DMZ1, DMZ2, the Production VLAN (hosting production servers), the UAT VLAN (hosting
UAT servers), our outsourced vendors' VLANs, VMware blade VLANs, etc.

Or do only the secure LANs/VLANs such as the DMZs need separate physical NIC ports,
while all other LANs (Prod, UAT, vendors, etc.) can have their 2nd spare NIC ports connected
to the Cisco switches to form one subnet (purely for backup traffic)?

 
Mysidia commented:
The most common 3560G 24-port switches have 4 ports that can accept SFPs.

I would suggest trunking the two switches together, and connecting them using 4 SFPs and 2 fiber patch cables between them; multi-mode optics and multi-mode fiber should be fine if the switches are placed fairly close together.

Two links configured as a port channel, for increased throughput and for redundancy.


If you want to use UTP crossover cables between the two switches, that should also be an option. The ports connected between switches should be configured as trunks on both sides regardless of the connection method, with the normal features and settings for trunks, because you are essentially using the port as a trunk...
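The inter-switch port channel Mysidia describes here, plus the server-side aggregation from Q2/Q3 in the first answer, as an added example that is not part of the thread. It assumes two WS-C3560G-24TS switches joined over SFP ports Gi0/25-26, a backup server with two NICs on Gi0/13-14 teamed with LACP (802.3ad) on the host side, and VLANs 30/40/99 chosen for the example; the same block is applied on the second switch.

```cisco
! Added example, not from the thread. Assumptions: SFP ports Gi0/25-26
! carry the link to the peer switch, the backup server's two NICs are
! on Gi0/13-14, and VLANs 30, 40 and 99 are the only VLANs in use.
vlan 999
 name UNUSED-NATIVE
!
! Inter-switch link: two fiber members in one LACP bundle. The trunk
! carries only the VLANs that exist here, and its native VLAN is an
! unused number that is deliberately not in the allowed list, so untagged
! frames arriving on the trunk are dropped instead of landing in VLAN 1.
interface range GigabitEthernet0/25 - 26
 description members of Po1 to BACKUP-SW2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,99
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 description trunk to BACKUP-SW2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,99
 switchport mode trunk
 switchport nonegotiate
!
! Server-side aggregation (Q2/Q3): an access port channel, not a trunk,
! since the server only belongs to the backup VLAN.
interface range GigabitEthernet0/13 - 14
 description backup server NIC team
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 channel-group 2 mode active
!
interface Port-channel2
 description backup server NIC team
 switchport mode access
 switchport access vlan 40
!
! Hash flows across members by source/destination IP pair. Each client
! stream still rides a single 1 Gbit/s member; the gain is for many
! concurrent clients, not for one large backup.
port-channel load-balance src-dst-ip
```

The host's NIC team must be set to 802.3ad/LACP for `mode active` to come up; a static team needs `channel-group 2 mode on` instead. On a 2950 the `channel-group` command is the same, but whether LACP (rather than PAgP or static) is available depends on its image, which is the "with the right image" qualifier in the first answer.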
 
sunhux (author) commented:

Is the 3560G a Layer 3 switch (to allow us to configure ACLs)?

Is there a 48-port Gigabit Cisco switch? What's the model?
 
Mysidia commented:
3560Gs are Layer 3 switches.
Search for:
 WS-C3560G-48TS-E
and
 WS-C3560G-48TS-S

They should be 48-port 10/100/1000.

Originally S/E indicated which image the device shipped with.
'E' was for EMI (Enhanced Multilayer Image), which has many more Layer 3
features and functions suitable for enterprises. It supports things like advanced routing protocols (OSPF, etc.).

The 'S' one is IP Base (formerly SMI) for the "simple" multilayer image (i.e. very limited Layer 3 features). The SMI images don't support many routing protocols, and have a few bothersome restrictions that will hit you if you need to do any advanced routing on your switch.

