The question about 2960 vlan implementation

Published on by dellpe

Question:

A company with a flat network has an estate of 2960 switches. They also have Sophos UTM 425 devices with 4 spare ports.

They need to implement VLANs with ACLs to segment the network. Is it possible to implement the ACLs on the switches? Or would the VLANs need to be trunked and the Firewall provide the access control implementation?

Or will they need to upgrade the switch estate to L3 switches?

Answer:

Without wishing to overload you with information there is quite a bit to cover.

The 3750X series provides 12- or 24-port SFP switches. These also take the SFP modules, so you can add another 4 SFP ports (or 2 SFP and 1 SFP+, or 2 SFP+). Those models should provide sufficient ports so you could attach all your existing switches to them. A dual stack would allow hardware redundancy for your collapsed core, and downlink redundancy if you use dual EtherChannel.

StackWisePlus offers dual 16 Gbps, so if you don't use 10g, for a dual stack, there's no ring oversubscription to 2:1 oversubscription.

There are other advantages to having a stack, as Jon notes. The disadvantage of the 3750X series, they are getting "old", and the newer 3650s or 3850s offer improvements, but as Jon also noted, they don't (yet?) offer any SFP models.

One common issue with the 3750X series is that they don't provide a lot of memory for port buffering. But aside from that, they can do VLANs, ACLs and routing.

You certainly do not need to get rid of all your 2960s. Even if you purchase some L3 switches, your 2960s, for example the WS-C2960-24TC-L, could be used as access switches uplinked to the L3 switches. Unless you have 2960-S switches you cannot stack the 2960s, so if you wanted to do inter-VLAN routing on your existing switches you would use the 2960Gs and connect them with an L2 trunk, configure the L2 VLANs and L3 VLAN interfaces on each switch and then run HSRP between them for the end clients. To be honest I do not know how far these switches will go in terms of L3 features, i.e. I don't know whether they even support HSRP, so it would need testing.

If you did the above, the other 2960s would be uplinked to both switches, and end devices should really only be connected to the access switches, because if you connected them to the 2960 pair doing inter-VLAN routing (distro switches) they lose the benefit of HSRP.

The cons to the above, apart from potentially not supporting HSRP, are that the distro pair might become overloaded depending on traffic, and each access switch can only use one of its uplinks per VLAN. You can load balance the VLANs across the uplinks and I can help with that if you decide that is the way you want to go. That said, it sounds like the 2960Gs are uplinked to all the other switches anyway, so this may be worth trying out.

In terms of routing, because all the VLANs would be local to the distro pair, the routing table would be automatically populated with connected routes. You would probably only need a default route pointing to the firewall for internet, and routes on the firewall for the VLANs/IP subnets on the 2960 switches.

If you decided to go with L3 switches for the inter-VLAN routing then I would recommend a pair of stackable switches. The advantage of this is that you can uplink your access switches to both members of the stack and then both uplinks can be used for each VLAN, so you get double the throughput compared to the 2960 solution. In addition there is no need to configure HSRP, as you only configure the stack master and the config is available to both members of the stack. The only downside to stacks is that when you need to upgrade the IOS it can take out the entire stack, but this is not a major issue in my opinion as you don't upgrade that often.

Note that with your setup, in terms of dynamic vs static routing you won't see much benefit; it is more to do with the advantages outlined above.

The next thing to consider is uplinks. Stackable switches such as the 3750/3850s have primarily copper ports. 4500/6500 switches running VSS can have a much larger set of fibre ports. Fibre ports are generally used to uplink switches, and this is one of the reasons Cisco position the 4500/6500s as distribution switches and the 3750/3850 stackable switches as access switches. But there are people using 3750/3850s as a small distro set of switches. The main things to consider are -

1) the fibre uplink ports on switches are generally designed to run at wire speed, i.e. no oversubscription. The copper ports for end devices may not support wire speed, so if you are using copper to uplink to other switches this may introduce oversubscription.

2) distance limitations with copper vs fibre. It depends on how far away your switches are as to whether or not you can use copper ports.

So with 7 2960s, each with 2 Gbps uplinks, you would need 14 available fibre ports on the stackable switches, 7 on each. There are certain 3750s that come only with 12 or 24 fibre ports, but with the introduction of the 3850s the 3750s may not be the best future proofing. The 3850s only have 4 x 1 Gbps fibre ports as far as I can see, which isn't enough.

Ideally you would want to use the fibre uplinks from the 2960s and not copper, so it would be better if the stack supported enough fibre ports or supported a converter from fibre to copper. This is one area I am not that familiar with, but I know a couple of people in these forums who know a fair bit about this, so I'll drop them a line and see what they recommend.

So in summary, a lot depends on the amount of traffic you have. Currently your 2960G switches are uplinked to all the others, so you might be able to get away with simply interconnecting those switches with an L2 trunk and using these to route between the VLANs. As I say though, having clients directly connected to these switches means HSRP will not supply a redundant gateway for those clients.
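The design the answer describes (an L2 trunk between a distro pair, an SVI per VLAN, HSRP for the client gateway, an ACL on the SVI for segmentation, and a single default route to the firewall) as an added Cisco IOS configuration example. This is not configuration from the original post; the VLAN IDs, subnets, interface names and firewall address are constructed placeholders, and it assumes a platform that supports SVIs, HSRP and router ACLs (the answer says that needs testing on the 2960s; the 3750X/3850 support all three). The peer switch uses the same configuration with its own SVI addresses and a lower HSRP priority.

```cisco
! Added example, not from the original post. Addresses and VLAN IDs are placeholders.
! One member of the distro pair; the peer is identical apart from SVI addresses
! and a lower "standby priority".
!
! Enable inter-VLAN routing and define the segments
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! L2 trunk to the peer distro switch, restricted to the VLANs that need it
interface GigabitEthernet1/0/1
 description Trunk to peer distro switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Segmentation ACL: users may reach servers on HTTPS only; every other
! user-to-server flow is dropped and logged; traffic to anywhere else
! (the firewall / Internet) is allowed so the default route still works.
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
 deny   ip  10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 log
 permit ip any any
!
! User VLAN gateway. Clients use the HSRP virtual address 10.10.0.1,
! so either distro switch can fail without changing client settings.
interface Vlan10
 description USERS gateway
 ip address 10.10.0.2 255.255.0.0
 ip access-group USERS-TO-SERVERS in
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 description SERVERS gateway
 ip address 10.20.0.2 255.255.0.0
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt
!
! The VLAN subnets appear as connected routes automatically; only a default
! route towards the firewall is needed (its inside address is a placeholder).
ip route 0.0.0.0 0.0.0.0 10.0.0.254
```

The ACL is applied inbound on the user SVI, so it is evaluated in the switch's forwarding hardware before any routing happens; the `log` keyword on the deny entry gives a record of blocked cross-VLAN attempts that can be forwarded to a syslog collector. `switchport trunk encapsulation dot1q` is required on 3750-class switches and is not accepted on platforms that only support 802.1Q, where the line is simply omitted. Verification after applying it is `show standby brief` (one switch Active, the other Standby, per VLAN) and `show ip access-lists USERS-TO-SERVERS` (hit counters on the deny entry confirm the ACL is matching).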

Published on cisco 2960 switch
