
Network Project: Use Cisco 2950-24 or 2950G24/48???

randal

Golden Member
Hey everyone, we're bidding on a network install at a local hotel. 158 drops total, with the condition that no drop should be able to see any other drop. Our primary solution is a lot of switch ports, all with their own VLAN, and then setup the router to not pass traffic between vlans. We're planning on using a Cisco 2620 w/ a T1 WIC.

There are four switches we can use, like so:

2950-24 $676.40 Standard Image -- no uplinks
2950C-24 $1492.60 Enhanced Image -- 2x 100FX uplinks
2950G-24 $1696.00 Enhanced Image -- 2x gbic uplinks
2950G-48 $3,056.60 Enhanced Image -- 2x gbic uplinks

The obvious and best answer is 3x 2950G-48. However, this is an extremely cost sensitive project, and it looks to be cheaper to use 7x 2950x-24s. We have zero use for gigabit uplinks, which makes the 2950-24 look extremely attractive, especially because they're super cheap.

Issue is that this document says that the Standard Image only supports 64 vlans, while enhanced supports 250. Each switch will only be working with 24 vlans max, but the main, aggregate switch will be working with all 158.

Will the 7x 2950-24 Standard Image work in this situation, or should we get 6x 2950-24 Standard Image and then 1x 2950C-24 as the core?

Thanks!
randal
 
why not use 3550-48s and have them all in a single VLAN. That would make it a lot simpler and much easier to support. Plus they can route if you need them too.

Use private VLANs on the 3550s. You can set them up so that one port on the switch can only communicate with certain mac addresses (like say the default gateway and dhcp server).

All done and really simple setup. I'd seriously recommend against using a single VLAN on each port with a router for those VLANs.
 
I am not a switch expert by any means -- but I am going to presume that the 2950 series does not support "private VLANs", or blocking ports off from one another via any method other than VLANing them off (please correct me if this is wrong).

Also, with the 3550-48s being up around $3k, they're on the high end of the cost chart -- especially for a particularly chincy Hilton.

If the 2950's did per-port privacy, that would rock ... I don't see anything in the documentation though.

Ideas? Thanks!
randal
 
I'm not really sure if the 2950 series supports private vlans or not.

But using a vlan per interface and trying to route and manage/troubleshoot that configuration sounds like a nightmare. You'll probably win the contract for using the private vlan suggestion and sell it on security/maintenance/ease of use and features.

I want 23% gross profit of the project (hardware, labor consulting) by the way if you do win. 🙂
 
Just flipping through some documentation, and I see this:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080094830.shtml

The PVLAN edge (protected port) is a feature that has only local significance to the switch, and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch and hence providing isolation. Traffic cannot be forwarded between protected ports at L2, all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.

Anybody know if this applies to clustered switches? What about if it's a core setup, with 7 switches uplinked into 1, and then PVLANs turned on everywhere.

I also see that utilizing Private VLANs makes it so that you can't let some hosts talk to other hosts, and change who is talking to who dynamically ... The project calls for the ability to let the 4 conference rooms have any combination of seeing/not seeing each other.

Thanks!
randal
 
Just found this document, and it sums up just about everything regarding Protected ports and Secured ports and is a very good read (if you're into this sorta thing)

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12111ea1/scg/swtrafc.htm

From what I'm guessing, since Protected Ports (PVLANs) work on any interface, you should be able to use int vlan x and configure the *vlan* to be a protected port, ensuring that all hosts on that vlan (say, in different conference rooms) can see each other, but cannot see any of the other interfaces.

Very interesting ... probably have to buy a switch and test this out first :-/

randal
 
Check out the Linksys EF1324 and Allied Telesyn's L3 switches. Set up one VLAN per drop and use IP forwarding between that VLAN and the uplink. You'll burn up IP address space like mad that way but it's about the best way there is to make sure the traffic is really separate.
 
That was also what I was thinking. What are the pros and cons if you were to set up individual VLANs to segregate your traffic rather than using the private VLANs?
 
I'm starting to think like Cmetz.

Do it at layer3.

Its a pain, but will offer you much more control. Any kind of layer three switch would work well.

Its messy, but it'd work.
 
Layer 3 = big bucks (if it's cisco). Granted, Layer 3 would make life a lot easier, although I am terribly unfamiliar with Linksys networking products.

JLeon, setting up VLANs on a per-port basis was the original idea, but the issue is that only "Enhanced Image" IOS (read: expensive) supports more than 64 VLANs ... and we've got 158. Also, found out that the 2950 and 3550 series only support Protected-Port Private VLANs, not *actual* PVLANs (which support Isolated/Community/2way Community). And last but not least, setting up and maintaining 158 VLANs is not fun.

Somebody want to do my job for me? It's 158 drops, Gotta cost < $8k, protect every port from each other, while dynamically allowing some ports to talk to other ones.

Meh, I hate budgets.
randal
 
Somebody want to do my job for me? It's 158 drops, Gotta cost < $8k, protect every port from each other, while dynamically allowing some ports to talk to other ones.
Is that including the cable plant?
 
LOL, no it doesn't ... the cabling is already in the proposal through a subcontractor.

Thankfully, I think I got this one hashed out using cheapo 2950-24s:

8x 2950-24
7 switches dedicated to rooms (168 ports, 154 rooms, 7 uplinks = 7 available)
1 switch being the VTP command switch (24 ports, 4 conference rooms, 7 downlinks, 1 router = 12 ports)

Every port will be part of VLAN 1, with all non-uplink ports being in protected mode. The 7 room switches will have one uplink community/promiscuous port, and the Command switch will have the router port be set to community/promiscuous, with all others set to protected. This makes it so that nothing can talk to anything except the router.

There'll be some neato scripting or something that will remove ports from protected mode and add them to a particular VLAN. As VLANs create new broadcast domains, everyone in the VLAN will be able to see everyone else in the VLAN, but the VLAN (and its ports) will be unable to see the protected ports and vice versa.

fe0/0 on the router will have ... ip deny ip from {client subnet} to {client subnet} to deny any client from talking to any other client via L3 (all protected ports and VLANs will have to go through router to get back to the network, so I stop them at the router)

Benefits: Can use $650 switches. Don't need IP Plus IOS on the router (saves $700). No huge VLAN hassles.
Cons: Must make custom web interface to add/remove interfaces from VLANs that Hotel Clerks can understand.

That should work. Please shoot holes in it / point out flaws for me!

Thanks,
randal
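As an added illustration of the design randal describes above (this is not code from the thread; the hostnames, port layout and the 10.0.0.0/16 client subnet are assumed), the following generates the 2950 protected-port configuration for a room switch and the command switch, the per-port VLAN move for a conference room, and the router ACL that stops client-to-client traffic at L3:

```python
# Added example, not from the thread. Switch names, port numbers and the client
# subnet are assumptions; the IOS commands are standard 2950 / 2600 syntax.
ROOM_SWITCHES = 7          # 7 x 2950-24 dedicated to guest rooms
PORTS_PER_SWITCH = 24
ROOMS = 154
CONFERENCE_ROOMS = 4
ROUTER_PORTS = 1


def port_budget():
    """Return (spare room-switch ports, ports used on the command switch)."""
    room_ports = ROOM_SWITCHES * PORTS_PER_SWITCH           # 168
    spare = room_ports - ROOMS - ROOM_SWITCHES              # one uplink per switch
    command_used = CONFERENCE_ROOMS + ROOM_SWITCHES + ROUTER_PORTS
    return spare, command_used


def switch_config(hostname, unprotected_ports, ports=PORTS_PER_SWITCH):
    """IOS config: every port in VLAN 1 and protected, except uplink/router ports.

    Protected ports only isolate within one switch, so the command switch must
    protect its 7 downlinks too; otherwise drops on two different room switches
    could still reach each other at L2 through the core.
    """
    lines = [f"hostname {hostname}"]
    for n in range(1, ports + 1):
        lines.append(f"interface FastEthernet0/{n}")
        lines.append(" switchport mode access")
        lines.append(" switchport access vlan 1")
        if n not in unprotected_ports:
            lines.append(" switchport protected")
    return "\n".join(lines)


def assign_vlan(port, vlan):
    """Move a conference-room drop into a shared VLAN so its members can talk.
    Protection is dropped because VLAN members are meant to see each other;
    the VLAN boundary keeps them away from the protected VLAN 1 ports."""
    return "\n".join([f"interface FastEthernet0/{port}",
                      " no switchport protected",
                      f" switchport access vlan {vlan}"])


def router_acl(subnet, wildcard):
    """Inbound ACL on the router's fe0/0: client-to-client is denied at L3."""
    return "\n".join(["ip access-list extended CLIENT-ISOLATION",
                      f" deny ip {subnet} {wildcard} {subnet} {wildcard}",
                      " permit ip any any",
                      "interface FastEthernet0/0",
                      " ip access-group CLIENT-ISOLATION in"])
```

Because `switchport protected` has only local significance, the command switch is the piece that actually enforces isolation between room switches; the ACL then catches anything that arrives at the router.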
 
LOL, no it doesn't ... the cabling is already in the proposal through a subcontractor.
Whew! You had me a bit worried.............😛
Sounds like a nice solution. I suspect you will have fun setting it up and implementing those network changes with non-network people, though.
 
Well, they're either going to have a nice, fat monthly service contract fee, use the switches' built in http interface (very bad idea), or pay a nice, large website build fee ... having put web interfaces onto cisco routers via PHP+SNMP before, I know it takes a lot of work (MIBs never come back how you want them to) ... especially the whole VLAN management by snmp ... man, talk about the billable hours. hehe.

Thanks for the input -- any more ideas/issues/complaints/etc?
randal
 
If you use an L3 switch, you can put up addresses/subnets per port with a /30 mask (meaning they only get one connection at the user end), and you won't be burning up IP addresses like crazy....

Then if they want more than one connection, you can "rent" 'em a router (or a wireless access point)......

Now you too can be a Network Nazi...😀

FWIW

Scott
 
randal, the solution you propose does not meet your originally stated requirement that "no drop should be able to see any other drop." Anyone who's been "authenticated" can attack the switch and see everyone else's traffic on that VLAN. You also can't prevent ARP stealing attacks unless you have deep ACLs (which would only be on L3 switches anyway).

"Layer 3 = big bucks (if it's cisco)." So don't use Cisco! On the one hand you say you're very cost sensitive, but on the other, you won't look at low-cost solutions like Linksys and D-Link. Can't have it both ways.

You might be able to get ONE L3 switch (gig preferred) and use that as the center, and use the edge aggregation switches as L2 only, one VLAN per physical port, with a tagged uplink carrying all those to the L3 switch for IP forwarding. In which case the L2 switches are just aggregating.
 
If cost is what drives you away from getting L3 switch, look at this one:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3030052364&category=3706

I've used the same switch and the Cornerstone as the backbone switch, and they are great switches.
Very very easy web based setup, and telnet, and huge 64GB backbone (should be more than enough to serve 200+ clients). You can set up each port as its own VLAN and set routing within every port. I think this is the cheapest solution for you to get what you want.
The only bad thing, you might have to get a few extra switches for backup because there is no warranty with the switch.
 
The original spec calls for each port to be secure from each other. Every Cisco switch, including the lowest-end 2950 supports Protected Ports and Secured Ports; every drop will be a protected/secured port, every uplink will be a community port, then on the core switch, every port that is a downlink to another switch will be protected, and then the router uplink port will be community -- making it so that the only port that each of the drops can talk to is the router. If someone poisons the switches arp cache, it should not matter as we're working with *ports* (that's a WAG at best) -- every port is locked down, except the router port. (did not test arp poisoning today)

Additionally, to get away from the more-expensive switches, VLANs will be created and ports assigned on an as-needed basis (we're using protected ports by default, not VLANs) -- this makes the 64 VLAN limit on the WS-C2950-24 more than sufficient.

Tested this out in a lab today with the local Cisco trainer and it works perfectly -- even with low end $675 2950-24s. Only issue is automating creating/removing VLANs via a non-built-in web interface. Not having a L3 switch and not using individual VLANs increases the setup time and reduces flexibility, granted, but it cuts thousands of dollars off the cost of hardware.

Thanks for the input,
randal
 