Out-of-band LAN for backup traffic, lowest end Cisco switch gigabit RJ45 ports, Cisco 29xx support link aggregation?

Posted on 2009-02-08
Last Modified: 2012-05-06

What's the lowest end gigabit Cisco switch that comes with gigabit network ports (RJ45)?
Any non-chassis (such as 3xxx series) models? The 6xxx & 4xxx models are the chassis
type: we don't want those if possible. Looking for something that's 2U dimension type
(so Alcatel models are fine too as long as they support gigabit).

BTW, can Layer 2 switches, namely the 29xx series, support link aggregation (i.e.
2 NIC ports on a server connect to it & get the bandwidth of 2 x Gigabit ports)?

We have several LANs/VLANs including two DMZs.

We're planning to set up a backup LAN dedicated to central backup traffic (Data
Protector, Netbackup).

So the central backup server needs a spare NIC port (or would it help if we used
two NIC ports and aggregated them to get faster bandwidth/backup when backing up
from multiple clients concurrently?)

So we'll need a spare NIC port on each client to be backed up, spare switches
(as our current switch is running out of ports) and a firewall? Does the policy for
setting up a backup LAN that connects to a DMZ require a firewall?

If we don't get a firewall (due to budget constraints), is there any way to perform central
backup of the servers in the DMZ? Is it acceptable from a security point of view to use
a Cisco Layer 3 switch with ACLs to segregate the Backup LAN & DMZ?
Question by:sunhux

    Accepted Solution

    Q1: WS-C3560G-24TS-E

    Q2: This is a very vague question; some of them can, with the right image.
    2950s are capable of up to 6 EtherChannels.

    Q3: With interface teaming, you could increase the available throughput to the server,  provided you have enough bandwidth usage for it to be an advantage, and you have sufficient bandwidth between the switch and your other switches with servers you're backing up.

    Q4: If you isolate your "backup LAN"  entirely, you won't necessarily need a firewall, as there's simply no connection.  You might use one backup server for internal LAN and one backup server for DMZ.

    You must have a massive amount of backup traffic that would be a disruption to normal activities to justify the extra spend for additional hardware to have a separate LAN for backup activity already...

    Q5: A layer 3 switch makes sense. You could block all traffic _except_ backup traffic. And you could restrict the backup traffic allowed to pass to the IP of your backup server.

    If the backup VLAN is isolated from the internal VLAN other than having internal PCs connecting to it, then security is fairly strong.

    The primary risk is compromise of the backup server itself,  which you partly mitigate by only allowing backup traffic ports.

    Make sure the switch management is only available outside the backup or DMZ VLAN, however,  and no access to VLAN 1 or trunk mode is possible on any DMZ or backup VLAN port.

    If you aren't careful, the switch could be a weak point in your security design.

    In this case a firewall can't really do any more than your ACLs can.
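    The ACL-based segregation and the switch-management hardening described in this answer, as an added IOS configuration example. It is not part of the original thread and not the expert's own config. It assumes a 3560G doing the routing, the backup server's NIC at 10.10.100.10 in VLAN 100, the DMZ1 hosts' second NICs in VLAN 101 (10.10.101.0/24), switch management on VLAN 200, and the vendors' default agent ports (Data Protector INET on TCP 5555; NetBackup PBX on 1556 and vnetd on 13724). All addresses, VLAN IDs, port ranges and agent ports are assumptions to be checked against your environment and product versions.

```cisco
! --- Added example, not from the thread. Addresses, VLANs and ports are assumptions. ---
! VLAN 100: backup server side.  VLAN 101: DMZ1 hosts' backup NICs.
! VLAN 200: switch management only.  VLAN 999: parking/native VLAN, never routed.
vlan 100
 name BACKUP-SERVER
vlan 101
 name BACKUP-DMZ1
vlan 200
 name MGMT
vlan 999
 name NATIVE-UNUSED

ip routing

! Traffic entering from the DMZ1 backup NICs: only the backup server host, only the
! agent ports, plus replies to sessions the backup server opened. Note that
! 'established' only matches packets with ACK or RST set; it is not stateful
! inspection, which is the one thing a real firewall adds over these ACLs.
ip access-list extended BACKUP-FROM-DMZ1
 remark DP INET 5555, NetBackup PBX 1556 / vnetd 13724 (assumed defaults, verify)
 permit tcp 10.10.101.0 0.0.0.255 host 10.10.100.10 eq 5555
 permit tcp 10.10.101.0 0.0.0.255 host 10.10.100.10 eq 1556
 permit tcp 10.10.101.0 0.0.0.255 host 10.10.100.10 eq 13724
 permit tcp 10.10.101.0 0.0.0.255 host 10.10.100.10 established
 remark everything else from the DMZ side (other VLANs, DMZ2, management) is dropped
 deny   ip any any log

! Traffic entering from the backup server side: may only reach the DMZ1 backup NICs
! on the agent ports (limits what a compromised backup server can do), plus replies.
ip access-list extended BACKUP-TO-DMZ1
 permit tcp host 10.10.100.10 10.10.101.0 0.0.0.255 eq 5555
 permit tcp host 10.10.100.10 10.10.101.0 0.0.0.255 eq 1556
 permit tcp host 10.10.100.10 10.10.101.0 0.0.0.255 eq 13724
 permit tcp host 10.10.100.10 10.10.101.0 0.0.0.255 established
 deny   ip any any log

interface Vlan100
 description Backup server VLAN
 ip address 10.10.100.1 255.255.255.0
 ip access-group BACKUP-TO-DMZ1 in
interface Vlan101
 description DMZ1 hosts, 2nd NIC, backup traffic only
 ip address 10.10.101.1 255.255.255.0
 ip access-group BACKUP-FROM-DMZ1 in
interface Vlan200
 description Switch management, reachable only from the admin network
 ip address 10.10.200.1 255.255.255.0
! No SVI on VLAN 1; nothing is allowed to live there.
interface Vlan1
 shutdown

! Access ports for DMZ backup NICs: no DTP, no trunking, not VLAN 1, one MAC per port.
interface range GigabitEthernet0/1 - 8
 description DMZ1 host backup NIC
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 switchport port-security maximum 1
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
! Unused copper ports: park in VLAN 999 and shut down.
interface range GigabitEthernet0/9 - 22
 switchport mode access
 switchport access vlan 999
 shutdown

! Management plane: SSH only, and only from the admin network; the DMZ and backup
! VLANs are denied by the ACLs above and by this vty access-class.
ip access-list standard MGMT-HOSTS
 permit 10.10.200.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
no ip http server
no ip http secure-server
```

    DMZ2 gets the same pattern with its own VLAN and its own pair of ACLs, so a host compromised in one DMZ cannot use the backup LAN to reach the other DMZ or the management network; it can only talk to the backup server on the agent ports. Check the direction in which your backup product opens its data connections (agent to media server or the reverse) and adjust the `permit ... eq` lines to match; the `established` entries only cover the return half of a TCP session.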

    Author Comment


    How many RJ45 Gigabit ports does the WS-C3560G-24TS-E have? 24?
    Is this a layer 3 or layer 2 switch? If it's a Layer 2 switch, possibly we
    can't have ACLs, is that right?

    To save us from spending on a firewall to segregate the DMZ LANs/VLANs from
    the backup LAN, I thought that if the backup server has multiple NIC ports, one NIC port
    could go to the DMZ1 LAN and a 2nd NIC port to the DMZ2 LAN, and this backup server
    would have some sort of software firewall running on it to prevent attacks via this
    backup server. Or is this software firewall still needed if there are no routes defined
    to permit routing between DMZ1, DMZ2 and other LANs/VLANs?

    Author Comment

    For the WS-C3560G-24TS-E, if there are not enough ports, can I cascade (using a
    cross-over UTP RJ45 cable) or should I trunk a few of these switches together?

    On 2nd thought, perhaps this backup server (for which we are buying fresh hardware, as
    the existing hardware is going to be end of life / end of support) ought to come with
    as many NIC ports as possible: we want this dedicated backup LAN to back up servers in
    DMZ1, DMZ2, the Production VLAN (hosting production servers), the UAT VLAN (hosting
    UAT servers), our outsourced vendors' VLANs, VMware blade VLANs etc.

    Or do only the secure LANs/VLANs such as the DMZs need separate physical NIC ports,
    while all other LANs (Prod, UAT, vendors, etc.) can have their 2nd spare NIC ports connected
    up to the Cisco switches to form one subnet (purely for backup traffic)?

    Assisted Solution

    The most common 3560G  24-port switches have  4  ports that can accept SFPs.

    I would suggest trunking the two switches together, connecting them using 4 SFPs and 2 fiber patch cables between them; multi-mode optics and multi-mode fiber should be fine if the switches are placed fairly close together.

    Two links config'ed as a port channel, for increased throughput and for redundancy.

    If you want to use UTP cross-over cables between the two switches, that should also be an option; the ports connected between switches should be config'ed as trunk on both sides regardless of connection method, with the normal features and settings for trunks, because you are essentially using the port as a trunk...
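    The inter-switch port channel and trunk described in this answer, together with the server-side NIC teaming from the first answer (Q2/Q3), as an added IOS example that is not from the thread and not the expert's own config. It assumes two WS-C3560G-24TS switches whose four SFP ports are Gi0/25-28, a backup server whose two NICs are teamed with LACP (802.3ad) on the host side and plugged into Gi0/23-24 in VLAN 100, and backup VLANs 100-102 plus management VLAN 200 carried across the trunk. Port numbers, VLAN IDs and descriptions are assumptions.

```cisco
! --- Added example, not from the thread. Port numbers and VLAN IDs are assumptions. ---
! Apply on both switches; only the descriptions differ.

! Hash on source/destination IP so the streams from many concurrent clients spread
! over both links. One TCP session always stays on one physical link, so a single
! large client still gets at most 1 Gbit/s; aggregation pays off with parallel clients.
port-channel load-balance src-dst-ip

! Inter-switch uplink: two SFP ports bundled with LACP, carried as an 802.1Q trunk.
! Native VLAN moved off VLAN 1, DTP disabled, and only the backup/management VLANs allowed.
interface range GigabitEthernet0/25 - 26
 description Po1 member: uplink to backup switch 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,101,102,200
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
interface Port-channel1
 description LACP trunk to backup switch 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,101,102,200
 switchport mode trunk
 switchport nonegotiate

! Backup server: two NICs teamed with 802.3ad/LACP on the host. This is an access
! port channel, not a trunk: the server must not be able to tag into other VLANs.
interface range GigabitEthernet0/23 - 24
 description Backup server NIC team (LACP on host)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 channel-group 2 mode active
interface Port-channel2
 description Backup server 2 x 1G
 switchport mode access
 switchport access vlan 100

! Verify after cabling:
!  show etherchannel summary   -> Po1/Po2 flagged SU, members flagged P
!  show interfaces trunk       -> native VLAN 999, allowed VLANs 100-102,200 only
```

    Use `mode active` on both ends so the bundle is negotiated with LACP rather than forced with `mode on`; a miscabled or half-up link then drops out of the bundle instead of black-holing traffic. If the host team is configured for static link aggregation without LACP, the switch side must use `channel-group ... mode on` instead. The 3560G's copper ports support auto-MDIX, so a straight-through cable between two switches normally works too, but the trunk and native-VLAN settings above still apply whichever cable is used.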

    Author Comment


    Is 3560G a Layer 3 switch (to allow us to configure ACLs)?

    Is there a 48 port Gigabit Cisco switch - what's the model?

    Expert Comment

    3560Gs  are layer 3 switches.
    Search for:

    They should be 48 port 10/100/1000

    Originally S/E indicated which image the device shipped with.
    'E' was for EMI (Enhanced Multilayer Image), which has many more layer 3
    features and functions suitable for enterprises. It supports things like advanced routing protocols (OSPF, etc.).

    The 'S' one is IP Base (formerly SMI), the "standard" multilayer image (i.e. very limited layer 3 features). The SMI images don't support many routing protocols and have a few bothersome restrictions that will hit you if you need to do any advanced routing on your switch.

