Infrastructure questions

Hi

We are an office of 30, spread over 2 floors. Currently, we have the following network;

Cisco 2501 router (ISP managed) - Cisco 506e PIX - 4 x 3COM 10/100 Mbs switches/hubs - servers/PCs/laptops

The 3COM switch on the 2nd floor is connected to the 3COM on the first via standard 100Mbs ethernet.

The 3COM equipment is causing a few problems (ports dying etc.) and I'd like to get it replaced. This would be a good opportunity to implement VLANs as well, plus a possible gigabit connection to the servers and also between the various switches. Whilst I can see a security need for the VLANs (we have a lot of visitors and I'm hoping to segregate them onto their own VLAN), there's no point moving to Gigabit if we don't need it. We don't use any bandwidth-intensive packages here, and most of the traffic is file transfer. Can anyone recommend any tools which I can use to measure data flow to the servers and also between the switches to see if there's a real advantage to investing in 1000Mbs?

Secondly, we have a PIX-PIX VPN with our head office who are now using Cisco VoIP. To reduce phone bills, they will be sending us a small amount of VoIP phones to plug into our network to connect with them until we introduce our own VoIP system. As a result, I'd like to have QoS capable switches that will give precedence to VoIP traffic. Will QoS capable Cisco 2950 switches suffice?

Last question, as mentioned above, we do not plan on any intervlan routing for the time being. Hence, am I correct in thinking that there is no need for any L3 switch, such as the 3560, here? Or can anyone see any features the 3550/3560 has that may benefit me?

Many thanks in advance.

Reply to
kammy_boy186

Get the C3560G-48PS, which has 10/100/1000 ports with Power over Ethernet to apply power to your Cisco IP Phones, and some SFPs if you need fibre between your floors.

HTH Martin

Reply to
Martin Bilgrav

Not really. In order for QoS to be meaningful, you need QoS end to end. The PIX 506e is not capable of handling QoS, so you will not be able to prioritize the VOIP over the VPN.

PIX 7.x software supports QoS; it is supported on the Cisco ASA line, and on the Cisco PIX 515/515E, 525, and 535.

If you have some VOIP phones plugged into switches that connect to another switch that then connects to the PIX, then you might still get some benefit from QoS, as it would prioritize the traffic within your LAN. (If you went gigabit, you would probably find the flow fast enough that QoS did not make any noticeable difference, not until you started filling up the gigabit bandwidth.)

I don't know if the VOIP phones set the IP ToS (Type of Service) bits; if they do not, then the QoS for them would have to be based upon DSCP which is carried in VLAN tagging, so you would need at least two VLANs, one for data and one for voice. I believe I've read that the 2950 type devices support auto-QoS, which is automatic detection that a device is an IP phone and automatic placement of that device into an appropriate VLAN. In this scenario, you would need to trunk the VLAN between the switches, but you would not need to route between those VLANs as the VOIP VLAN would essentially be a port-based VLAN.

Once you start going gigabit, it is common to start thinking about redundancy and automatic failover and dual servers with HSRP and so on. Not that there is a "hard link" between gigabit and these items, more a matter of "by the time you need gigabit bandwidth, your network has usually evolved to the point where people's personal expectations of reliability are getting higher (and, not uncommonly, unrealistic!); that, and by the time you are moving that much data around, the business impact of network failures starts to become rather important."

And if you are moving lots of data around then it is also often time to reconsider your backups -- autochangers, newer drives with higher storage capacity per tape, newer backup management and catalog programs to keep track of everything. Simultaneously, if your disks are getting into the 100+ gigabyte range (and whose are not these days?) then you need to think about the consequences of failure of any one of those disks, and about how even if you have good backups that the time to restore might start to become an important business factor, so you start worrying about RAID, or doing backups to disk (sort of like RAID 1)...

The theme here being that if LAN data has grown large enough to make gigabit speeds important, then a business-risk assessment must be done to ensure that the storage and management of the data and the disaster recovery plans are suited to that much data.

Tying this directly back to your 3550/3560 question: the 3550 are pretty much out, replaced by the 3560 or 3750 (but watch out for latency in the 3750 according to some reports). The 3750 in particular has more advanced fault recovery possibilities than the 2950 (because of the stacking). But you need more complicated wiring to avoid single point of failures anyhow -- e.g., if you have a critical server then you don't want that server to be connected to only a single switch, because then the switch is a single-point failure. (So you do some really fancy wiring, or you duplicate the critical server and HSRP / VRRP it...)

You will need -some- layer 3 device to route between those VLANs. The 506E with 6.3(3) or later software can support up to two VLANs in addition to the two physical interfaces; these VLANs show up on the PIX as "logical interfaces", complete with their own IP address and their own security level, so you can use the 506E as the L3 device while imposing strict controls over what the guests can access. The 3550/3560/3750 do *not* support Advanced IP Security (also known as the Firewall Feature Set) as best I recall. Some of the models do, though, support port controls (I don't recall the proper term right now) that can strictly block particular ports from talking directly to other ports (except by going through an approved port), which can thus be used to impose that the other ports go through a traffic control device -- even just to talk amongst themselves (e.g., a guest on one port would not be able to communicate with a guest on the same VLAN on another port except by going through your control point, so you can prevent your guests from snooping the drives of other guests). I do not recall whether the 2950/2960 supports this feature.
Reply to
Walter Roberson

Good point. From what I know, Cisco has no plans to introduce 7.x onto the 506E range, therefore it may be time to invest in a new firewall. However, the remote end uses a 506E as well, in which case there would be no real point upgrading until they do too, would you say? I'm looking at it from the point of view that we would send out prioritised VoIP traffic to them, but when we're receiving the traffic, it will arrive mixed with everything else? I suppose there would be a marginal improvement, but not much?

Head office has a spare 3550 which they can provide us, so we'd use this for the VOIP phones with the benefit that it can provide POE as Martin mentioned above (I've checked, and this model has the functionality). If we took the auto-QoS route, then that would involve 3 VLANs; data VLAN, voice VLAN, and also the guest VLAN I previously mentioned, so the PIX would have to be upgraded anyway since the 506E can only handle two logical interfaces. Or can we use IP precedence in this case on the 3550 using a class-map type command? I'd be interested to know if you have any knowledge of VOIP using Precedence as opposed to Voice VLANs, or indeed if this was possible.

Given that it's a relatively small office (approx. 30 users), I'm still not sure if Gigabit ethernet is actually required. Are you aware of any tools that will measure bandwidth usage across certain points in the LAN as opposed to just network sniffers? I completely agree with the users' expectations rising comment though, and the need for this to be tied in with the backup system, HSRP etc.

I wasn't planning on intervlan routing to be honest. The guests would use the second logical interface on the PIX for internet use only, I cannot see a need for them to access files or any other resources on our network. DHCP for this interface can be handled by the PIX, and we can set up a single machine to use as a print server along with a colour printer.

Thanks for the input.

Reply to
kammy_boy186
