Out-of-band LAN for backup traffic, lowest end Cisco switch gigabit RJ45 ports, Cisco 29xx support link aggregation?

Posted on 2009-02-08
Medium Priority
Last Modified: 2012-05-06

What's the lowest-end gigabit Cisco switch that comes with gigabit network ports (RJ45)?
Any non-chassis (such as 3xxx series) models? 6xxx & 4xxx models are the chassis
type: we don't want those if possible. Looking for something that's 2U dimension type
(so Alcatel models are fine too as long as they support gigabit).

BTW, can Layer 2 switches, namely the 29xx series, support link aggregation (i.e.
2 NIC ports on a server connect to it & get the bandwidth of 2x gigabit ports)?

We have several LANs/VLANs including two DMZs.

We're planning to set up a backup LAN dedicated to central backup traffic (Data
Protector, Netbackup).

So the central backup server needs a spare NIC port (or would it help if we used
two NIC ports and aggregated them to get faster bandwidth/backup when backing up
from multiple clients concurrently?)

So we'll need a spare NIC port on each client to be backed up, spare switches
(as our current switch is running out of ports) and a firewall? Does the policy for
setting up a backup LAN that connects to the DMZ require a firewall?

If we don't get a firewall (due to budget constraints), is there any way to perform central
backup of the servers in the DMZ? Is it acceptable from a security point of view to use
a Cisco Layer 3 switch with ACLs to segregate the Backup LAN & DMZ?

Question by: sunhux
LVL 23

Accepted Solution

Mysidia earned 2000 total points
ID: 23582836
Q1: WS-C3560G-24TS-E

Q2: This is a very vague question, some of them can, with the right image.
2950s  are capable of up to 6 Etherchannels.

Q3: With interface teaming, you could increase the available throughput to the server,  provided you have enough bandwidth usage for it to be an advantage, and you have sufficient bandwidth between the switch and your other switches with servers you're backing up.

Q4: If you isolate your "backup LAN"  entirely, you won't necessarily need a firewall, as there's simply no connection.  You might use one backup server for internal LAN and one backup server for DMZ.

You must have a massive amount of backup traffic that would be a disruption to normal activities to justify the extra spend for additional hardware to have a separate LAN for backup activity already...

Q5: A layer 3 switch makes sense.    You could block all traffic _except_  backup traffic.   And you could restrict the backup traffic allowed to pass to the IP of your backup server.

If the backup VLAN is isolated from the internal VLAN other than having internal PCs connecting to it, then security is fairly strong.

The primary risk is compromise of the backup server itself,  which you partly mitigate by only allowing backup traffic ports.

Make sure the switch management is only available outside the backup or DMZ VLAN, however,  and no access to VLAN 1 or trunk mode is possible on any DMZ or backup VLAN port.

If you aren't careful, the switch could be a weak point in your security design.

In this case a firewall can't really do any more than your ACLs can.
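The following Cisco IOS configuration is an added example (not from the thread or from any of its participants) of the design the answer above describes: a 3560-class Layer 3 switch routing between a backup VLAN and a DMZ backup VLAN, with router ACLs that allow only backup traffic to and from the backup server's IP, access ports that cannot become trunks or reach VLAN 1, and switch management restricted to a separate management VLAN. All VLAN numbers, subnets, interface numbers and the backup agent port (TCP 5555, Data Protector's default) are constructed assumptions; adjust them to the product and addressing actually in use.

```cisco
! Added example, constructed: 3560G running an EMI / IP Services image.
! VLAN 200 = backup server side, VLAN 210 = DMZ1 server backup NICs,
! VLAN 99 = management. Backup server assumed at 10.200.0.10.
hostname BKP-SW1
!
ip routing
!
vlan 99
 name MGMT
vlan 200
 name BACKUP-CORE
vlan 210
 name BACKUP-DMZ1
!
! Traffic entering from DMZ1 backup NICs: only the backup server, only the
! backup port (TCP 5555 assumed). "established" admits replies to sessions
! that the backup server itself opened towards the DMZ agents.
ip access-list extended DMZ1-BACKUP-IN
 permit tcp 10.210.0.0 0.0.0.255 eq 5555 host 10.200.0.10 established
 permit tcp 10.210.0.0 0.0.0.255 host 10.200.0.10 eq 5555
 deny   ip any any log
!
! Traffic entering from the backup VLAN: only the backup server may initiate
! towards DMZ1 agents; nothing else is routed anywhere.
ip access-list extended BACKUP-CORE-IN
 permit tcp host 10.200.0.10 10.210.0.0 0.0.0.255 eq 5555
 permit tcp host 10.200.0.10 eq 5555 10.210.0.0 0.0.0.255 established
 deny   ip any any log
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
 ip access-group BACKUP-CORE-IN in
!
interface Vlan210
 ip address 10.210.0.1 255.255.255.0
 ip access-group DMZ1-BACKUP-IN in
!
! Access ports for DMZ backup NICs: fixed access VLAN, no DTP negotiation,
! so a compromised DMZ host cannot negotiate a trunk or hop to VLAN 1.
interface range GigabitEthernet0/1 - 8
 description DMZ1 server backup NICs
 switchport mode access
 switchport access vlan 210
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management lives outside the backup and DMZ VLANs, SSH only,
! and the default VLAN 1 interface is shut down.
interface Vlan1
 shutdown
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
```

Because router ACLs on the 3560 are stateless, the two `established` lines are what let a backup session initiated from either side carry its return traffic; the trailing `deny ip any any log` on each VLAN interface records any other inter-VLAN attempt, which is the detection point the thread's "weak point in your security design" remark calls for. Hosts in the same VLAN still talk to each other unfiltered, so DMZ backup NICs belong in their own VLAN rather than in the backup server's VLAN.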

Author Comment

ID: 23584078

How many RJ45 Gigabit ports does WS-C3560G-24TS-E have? 24?
Is this a Layer 3 or Layer 2 switch? If it's a Layer 2 switch, possibly we
can't have ACLs, is that right?

To save us from spending on a firewall to segregate the DMZ LANs/VLANs from
the backup LAN, I thought that if the backup server has multiple NIC ports, one NIC port to
DMZ1 LAN and a 2nd NIC port to DMZ2 LAN, this backup server could have some sort
of software firewall running on it to prevent attacks via this backup server. Or is this
software firewall still needed if there are no routes defined to permit routing
between DMZ1, DMZ2 and other LANs/VLANs?

Author Comment

ID: 23584116
For WS-C3560G-24TS-E, if there are not enough ports, can I cascade (using a crossover
UTP RJ45 cable) or should I trunk a few of these switches together?

On 2nd thought, perhaps this backup server (for which we are buying fresh hardware, as the
existing hardware is going to be end of life / end of support) ought to come with
as many NIC ports as possible: we want this dedicated backup LAN to back up servers in
DMZ1, DMZ2, Production VLAN (hosting production servers), UAT VLAN (hosting
UAT servers), our outsourced vendors' VLANs, VMware blade VLANs etc.

Or do only the secure LANs/VLANs such as the DMZs need separate physical NIC ports,
while all other LANs (Prod, UAT, vendors, etc.) can have their 2nd spare NIC ports connected
up to the Cisco switches to form one subnet (purely for backup traffic)?


LVL 23

Assisted Solution

Mysidia earned 2000 total points
ID: 23585130
The most common 3560G  24-port switches have  4  ports that can accept SFPs.

I would suggest trunking the two switches together, and connecting them together using 4 SFPs and 2 fiber patch cables  between them,  multi-mode optics and multi-mode fiber should be fine if the switches are placed fairly close together.

Two links configured as a port channel, for increased throughput and for redundancy, using port channels.

If you want to use UTP cross-over cables between the two switches, that should also be an option; the ports connected between switches should be configured as trunk on both sides regardless of connection method, with the normal features and settings for trunks, because you are essentially using the port as a trunk...
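The answer above (trunking two 3560Gs over a two-link port channel) and the earlier Q3 remark about interface teaming on the server are both shown in this added Cisco IOS example, which is not configuration from the thread or from Cisco documentation. It assumes two WS-C3560G-24TS switches whose SFP ports are Gi0/25-28, a backup VLAN 200 and a DMZ backup VLAN 210, LACP (802.3ad) on both the inter-switch links and the backup server's NIC team, and an unused VLAN 999 as the trunk native VLAN; all of those numbers are constructed. The same commands are applied on the second switch.

```cisco
! Added example, constructed: inter-switch EtherChannel trunk plus a
! server-facing EtherChannel on BKP-SW1. Mirror on BKP-SW2.
!
vlan 999
 name NATIVE-UNUSED
!
! Inter-switch trunk: two SFP members, 802.1Q, LACP active on both ends.
! Native VLAN is an unused VLAN (never VLAN 1) and only the backup VLANs
! are allowed across the trunk, so nothing else can ride the uplink.
interface Port-channel1
 description Trunk to BKP-SW2 (2 x 1G SFP)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 200,210
 switchport mode trunk
 switchport nonegotiate
!
interface range GigabitEthernet0/25 - 26
 description uplink members to BKP-SW2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 200,210
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
! Backup server NIC team: two copper ports bundled with LACP. The server's
! OS or NIC driver must be set to 802.3ad/LACP mode for the bundle to form.
interface Port-channel10
 description backup server NIC team
 switchport mode access
 switchport access vlan 200
!
interface range GigabitEthernet0/1 - 2
 description backup server eth0 / eth1
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
 channel-group 10 mode active
!
! Hash flows across members by source/destination IP, so many clients
! backing up concurrently spread over both links. A single client's
! stream still uses one member and is capped at 1 Gbit/s.
port-channel load-balance src-dst-ip
```

The last point matters for the asker's Q3: a two-port channel doubles aggregate capacity only when several backup streams run at once, which is the condition the answer gives for teaming to be worthwhile. If the peer device cannot speak LACP, `channel-group ... mode on` forces the bundle without negotiation, but then a mis-cabled member is not detected and can silently black-hole traffic.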

Author Comment

ID: 23587713

Is 3560G a Layer 3 switch (to allow us to configure ACLs)?

Is there a 48 port Gigabit Cisco switch - what's the model?
LVL 23

Expert Comment

ID: 23802404
3560Gs  are layer 3 switches.
Search for:

They should be 48 port 10/100/1000

Originally S/E  indicated which image the device shipped with.
'E'  was for EMI  (Enhanced multilayer image)  which has many more layer 3
features, and functions suitable for enterprises. Supports things like advanced routing protocols (OSPF, etc)

The 'S' one is IP Base (formerly SMI) for "simple" multi-layer image (i.e. very limited Layer 3 features). The SMI images don't support many routing protocols, and have a few bothersome restrictions that will hit you if you need to do any advanced routing on your switch.
