Network Upgrade

Unanswered Question
Aug 17th, 2007

I have attached a PDF file of our current network diagram and a proposed network upgrade layout. We currently have a site with less than 50 workstations, a few servers and networked printers that are all hanging off of 2950T switches and all on the same /24 network. I would like to add a 48 port 3560G for the core switch, move the existing 24 port 2950T at the core to a "dirty switch" outside the firewall and add a 2811 router to set up a few VLANs to start organizing the network better. I have a config I can use for reference for the ACLs and VLAN setup. We would probably only need 6-7 VLANs to start with. Are there any problems with this layout?

sundar.palaniappan Fri, 08/17/2007 - 07:31

Nice Diagram.

There's nothing wrong with the layout. As you know, the 3560 is a layer 3 switch, therefore you don't even need the 1821 router. You can connect the 3560 directly to the PIX inside interface for design simplicity. However, it would work fine even with the 1821 in place as long as your routing on the inside is set up correctly.

Why are you putting the 2924 switch on the outside, between the PIX and DSL modem? Are there going to be some other devices connected to the so-called dirty switch?



jim.billings Fri, 08/17/2007 - 08:30

Yes, we have some outside entities that need public addresses to devices inside the facility. Currently they are configured on the PIX and by doing this we would be able to keep our network separate from these outside users.

So would the ACLs go on the 3560 to be able to route between the VLANs? Admin and staff VLANs would need to get to the server and internet VLANs etc.


Jon Marshall Fri, 08/17/2007 - 08:28

Hi Jim

I agree with Sundar on this. The first thing that struck me when looking at the proposed upgrade was what you needed the router for.

The 3560G is more than capable of doing the inter-VLAN routing and to be honest it would make your layout a lot simpler.

But again, as Sundar says, using the 1800 router will not break the design.

Do you propose to have any remote-access or site-to-site VPNs coming into your network?



jim.billings Fri, 08/17/2007 - 08:44

I have one VPN tunnel from this PIX 501 to a PIX 515. I guess I didn't realize the 3560 would do this. I knew we would need a router to make the different VLANs talk to each other or not and that is where I came up with the router in the diagram. So all we would need then is a new 3560 and keep the PIX basically configured as it is now?


Jon Marshall Fri, 08/17/2007 - 08:52


Yes, the 3560G will allow your VLANs to talk to each other. If you want to restrict the VLAN traffic you can apply your ACLs onto the L3 VLAN interfaces (SVIs) on the 3560G.

The IPBase image on the 3560G will support static routing and RIP which would be all you would need.

The IPServices image will also support other routing protocols such as EIGRP/OSPF etc and has multicast routing functionality.

Either image would meet your requirements but have a quick look at the 3560 Q&A sheet to see if there are any features in the IPServices you might need.

Depending on which model of the 3560G you purchase, it may already come with IPServices. Again, have a look at the link for more details.
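
The setup described in the reply above (inter-VLAN routing on the 3560G, with ACLs applied to the SVIs and static routing toward the PIX), as an added example that is not part of the original thread. The VLAN IDs and names, the 10.10.x.0/24 subnets, the transit VLAN to the PIX and the ACL name are all assumptions.

```cisco
! Added example, constructed values throughout (VLAN IDs, names, subnets)
ip routing                      ! enable L3 forwarding between SVIs
!
vlan 10
 name ADMIN
vlan 20
 name STAFF
vlan 30
 name SERVERS
vlan 99
 name TRANSIT-TO-PIX            ! assumed link to the PIX inside interface
!
ip access-list extended STAFF-IN
 remark DHCP requests arrive from 0.0.0.0, so allow them before source checks
 permit udp any eq bootpc any eq bootps
 remark staff hosts may reach the server VLAN
 permit ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
 remark staff hosts may not reach the admin VLAN
 remark (ACLs are stateless: this also drops replies to admin-initiated sessions)
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark everything else from staff addresses, i.e. internet via the PIX
 permit ip 10.10.20.0 0.0.0.255 any
 ! implicit deny: spoofed or unexpected source addresses are dropped here
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ! "in" filters traffic entering the switch from hosts in VLAN 20
 ip access-group STAFF-IN in
!
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!
interface Vlan99
 ip address 10.10.99.2 255.255.255.0
!
! static default route toward the PIX inside interface (assumed 10.10.99.1)
ip route 0.0.0.0 0.0.0.0 10.10.99.1
```

With this layout the PIX also needs routes back to the inside VLAN subnets via the switch, since they are no longer directly connected to it.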



jim.billings Fri, 08/17/2007 - 12:56


I have a spare 2950T and 3560G already and will try and get a basic setup going. I will post back if I run into any problems. Thanks for your help.


