Layer 2 multi switch design

Nicholas Beard
Level 1

Hi All,

Just like to run a quick design through you.  Please feel free to pick holes in it.  I have the following equipment which I plan to implement as follows -

2 x Cisco 2960G (24)

1 x Cisco 2960 FE (48)

1 x Cisco ASA 5505 (Security Plus)

1 x Cisco Wireless Access Point

3 x Servers (2 possibly virtual, unconfirmed as yet)

1 x SAN

My design is to implement a collapsed core at Layer 2, with the 2 Cisco 2960G switches acting in the distribution layer and the single 2960FE switch providing the access layer.  The access switch will uplink via 2 EtherChannels (2 x GB to Cisco 2960G#1 and 2 x GB to Cisco 2960G#2).  The two core/distribution switches will then connect via a single 4GB EtherChannel, all operating at Layer 2.  There are approximately 5 VLANs being implemented; therefore I plan to load balance these VLANs across the two Cisco 2960G switches, with VLANs 10,20,30 passed to 2960G#1 and VLANs 40,50 to 2960G#2 to fully utilize the spanning tree.  The SAN will connect directly to the core/distribution layer, as will the servers using EtherChannel load balancing across both switches (I have not settled on whether two of the servers will yet be virtualised) and will use jumbo frames.  The Cisco Wireless Access Point will connect to the access layer due to its port density being 100MB and will provide guest services.  Finally, the Cisco ASA has a Security Plus license and will therefore use Redundant LAN interfaces connected to each of the core/distro switches.  The Cisco ASA will provide all NAT/PAT facilities and govern all outbound to inbound and vice versa connections.

Can anybody suggest any improvements or "constructive" criticism for this design?

Many Thanks

Nick
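
The per-VLAN root placement described in the post above, sketched as Cisco IOS configuration for the two 2960G switches. This is an added example, not part of the original thread; the hostnames CORE1/CORE2, the port numbers, the choice of Rapid PVST+ and LACP, and the 9000-byte MTU are all assumptions.

```cisco
! ===== 2960G#1 (assumed hostname CORE1) =====
hostname CORE1
!
! One spanning-tree instance per VLAN so each VLAN can have its own root
spanning-tree mode rapid-pvst
! Root for VLANs 10,20,30; backup root for 40,50
spanning-tree vlan 10,20,30 root primary
spanning-tree vlan 40,50 root secondary
!
! Jumbo frames for the Gigabit ports (SAN/server traffic);
! the new MTU only takes effect after a reload
system mtu jumbo 9000
!
! 4 x 1 Gb inter-switch EtherChannel (ports assumed)
interface range GigabitEthernet0/21 - 24
 description 4 x 1Gb EtherChannel to CORE2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 channel-group 1 mode active
!
! ===== 2960G#2 (assumed hostname CORE2) =====
hostname CORE2
!
spanning-tree mode rapid-pvst
! Mirror image: root for VLANs 40,50; backup root for 10,20,30
spanning-tree vlan 40,50 root primary
spanning-tree vlan 10,20,30 root secondary
!
system mtu jumbo 9000
!
interface range GigabitEthernet0/21 - 24
 description 4 x 1Gb EtherChannel to CORE1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 channel-group 1 mode active
```

`show spanning-tree root` on each switch confirms which bridge was elected root for each VLAN, and `show etherchannel summary` confirms the bundle formed.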

Accepted Solutions

Nick,

One thing to note is that jumbo frames aren't supported on the ASA 5505; I forget off-hand if they'll be fragmented or dropped, but if they're passing through the firewall they won't be forwarded intact.  If memory serves, jumbo frames aren't supported until you get into the much higher-end ASAs.

4 Replies

Nicholas Beard
Level 1

OK, having thought about this in greater detail I have now realised a bottleneck within the design.  The Cisco ASA is going to need to route traffic between VLANs at Layer 3 due to the limitation of the switches.  This now means the Cisco ASA will need an interface present in each of the VLANs and traffic will be limited to 100MB due to the Cisco ASA only supporting this speed.

Can anybody suggest a possible workaround for this, with cost being the greatest factor in limiting the design (obviously Layer 3 switches would be the best alternative, but this is a non starter due to cost)?

Thanks

Nick

That's a great point, thanks.  It would seem that due to the limitation of the switches the ASA is going to be the centre of all traffic.  At 100MB and only 150Mbps firewall throughput I think an alternative solution is going to be required.  Perhaps a reduction in the number of VLANs required; I could probably get away with 3 VLANs with servers and desktops being present on one single VLAN with Guest and Management being the others.  The traffic flow for guest would be directly outbound to the internet, and management would be minimal.  Although, that would really negate the requirement for such a design and I could probably just use two switches with no tiered setup.

Leo Laohoo
Hall of Fame

If your 2960/2960G are going to the same cabinet then I'd recommend the 2960S with stacking module.  If you choose the "D" option, each unit can support two 10Gb SFP+ OR two 1Gb SFP or a combination of one 10Gb and one 1Gb.

If you stack them together you can form one logical switch.

For the Wireless Access Point, the cheapest you can find right now is the 1040.  It's a/b/g/n but it has some limitations such as 2 x 2 MIMO instead of the 2 x 3 MIMO found with the rest of the autonomous access points (1140, 1250 and 1260).   Take note that if you choose the 1250 or the 1260 you'll need to purchase antennas as options.  Depending on what type of antennas, it could be between two (one of each radio) or six (three for each radio).  Because you will need only one AP, you need to purchase the PWR-INJ4 to provide power to the AP.  Are you sure one is enough?

I'm not recommending 3500i or 3500e because you need a WLC for that.