Aug 11th, 2008

Hi all, I have been working on a project to redesign our work network and am a little low on experience of speccing suitable capacity routers/switches and hope you may be able to help me.

I am planning to use a layer 3 switch (possibly the Catalyst 3560) to aggregate our different WAN connections, which are all ethernet. The main link is 100Mb and there are approximately 6 other 10Mb links to other areas currently. The bandwidth we work to at the moment is an average of about 25Mbps although this is likely to shoot up to closer to 50Mbps by the end of the year and probably up to 100Mbps within a couple of years.

The links are either from 'trusted' (as much as they can be) networks or are firewalled elsewhere. I am looking to also use the switch to centrally manage ACLs for each of these links, nothing too fancy; simply whether certain hosts can talk to others and in a few places filtering by protocol/port.

My first question would be whether (and I expect it is fine) the Catalyst 3560G-24TS will be able to route between these different subnets and whether it can also cope with the ACLs I am likely to implement as detailed above?

I do not expect to need the advanced routing protocols, so the basic routing image is likely to suffice I expect. However I don't know if I need a different IOS image to enable the use of extended ACLs?

The switch's uplink will then feed over a 1Gb link to a router which will route traffic to our other three main subnets. One for CCTV, one for our servers and another for our workstations.

We are planning to extend the amount of CCTV and other bandwidth intensive equipment in the next year or so, and I become a little lost when looking at which router is most likely to serve our needs.

I have been looking at the ISR 3845, but cannot find out anywhere a rough idea of how much traffic it is able to route before becoming overcome. I am hoping to use a total of 4 gigabit interfaces which should give us the capacity need for the future.

Other than routing I am again hoping to add some further ACLs here to help filter traffic and also use it to run a DHCP server for one of the subnets.

Once again my question would be whether the 3845 would be able to handle this capacity? Its literature talks about being able to use advanced services at T3/E3 rates, but I do not know whether it could cope with simply routing and ACLs for 2-3Gbps of traffic.

The alternative router to use, should the 3845 not be able to handle this, would be the 7200 series. Again, I do not expect to need the flexibility to add many different flavours of interfaces but rather only use ethernet.

This series also has many different options of which processing engine to use, and once again I am not sure which is most likely to be needed given the bandwidth of data. The 7201 offers the smallest package (although not the cheapest) and seems to come with 4 gigabit ports (2x SFP or RJ45 and 2x SFP) and one spare slot for the possibility of another interface in the future.

My question is whether all can be used at the same time?

I don't know what can be plugged where. Will all 4 interfaces need an SFP adapter or will two work natively with RJ45? For the other two, one can be used to interface with the potential 3560 with an SFP port (does this mean fibre or can it take copper?), and the other will need to interface with a linksys switch SRW2048 which has four linksys miniGBIC ports which can be either fibre or copper.

I hope all this makes some sense, and that you may be able to offer some information which would clear up my remaining problems.

dominic.caron Mon, 08/11/2008 - 10:02


The 3560 can route packets fast, around 6 million packets per second (PPS). You might have more of a problem with the filtering part. Switches only filter packets in the inbound direction. That's a huge limitation.

For the choice of router, look at the PPS stats of all routers and compare them with your application's needs. You need to find out the traffic generated (size of packets and number/second).

mark_shrimpton Mon, 08/11/2008 - 12:52


Thanks for that information. It has given me a good starting point.

What do you mean when you say that the switch can only filter packets in the inbound direction?

Joseph W. Doherty Mon, 08/11/2008 - 16:57

For performance, the 3845 has a forwarding rate of 500 Kpps, which should guarantee about 100 Mbps (duplex). This is likely much below what you'll need for a LAN router.

The performance of the 7200 series depends on the NPE; the recent -G2, with a forwarding rate of 2 Mpps, should be able to provide about 500 Mbps (duplex). Again, likely below what you'll want for your LAN router's performance.

The 3560G-24TS has a forwarding rate of 38.7 Mpps, which is sufficient for all its ports, but its internal fabric is only rated at 32 Gbps (duplex), which won't support more than 16 gig ports before you'll encounter blocking. Even so, probably acceptable for your LAN. (Higher performance can be found in the 3560-E or 4948 series models.)

Generally the small L3 switches don't support all the features of the software routers. (Often a trade-off of performance vs. features.)

You might be able to use one 3560G for both your LAN and Ethernet WAN. Or, dual 3570G in a stack, so you can deal with a device failure.


SFP provides a choice of, usually, gig connections. Most often different fiber for various distances, although (expensive) copper too. 10/100/1000 copper ports are normally the least expensive for providing copper gig.
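A worked version of the sizing method recommended in this thread (work out the traffic's packet rate, then compare it with each device's pps rating), as an added example that is not code from any poster. It uses the forwarding rates quoted in the replies and the original poster's link mix; the 20-byte wire overhead, the "each received packet is forwarded once" load model, and the device and link names are my assumptions.

```python
"""Sizing a router or L3 switch by packets per second (pps), the method the
thread recommends.  Assumptions: 20 bytes of preamble + inter-frame gap per
frame on the wire, each received packet is forwarded at most once (so the
load is the sum of ingress rates across all links), and the worst case is
every link saturated with minimum-size 64-byte frames."""
from dataclasses import dataclass

WIRE_OVERHEAD_BYTES = 20   # 8 B preamble/SFD + 12 B inter-frame gap (assumed model)
MIN_FRAME = 64             # minimum Ethernet frame: the pps worst case
MAX_FRAME = 1518           # maximum untagged frame: the pps best case

def link_pps(link_mbps: int, frame_bytes: int) -> int:
    """Frames per second one direction of a link carries at full line rate."""
    return (link_mbps * 1_000_000) // ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)

def required_pps(link_mbps_list, frame_bytes: int = MIN_FRAME) -> int:
    """Worst-case forwarding load: every attached link receiving at line rate."""
    return sum(link_pps(mbps, frame_bytes) for mbps in link_mbps_list)

@dataclass(frozen=True)
class Device:
    name: str
    forwarding_pps: int    # vendor forwarding rate, as quoted in the thread

def headroom(device: Device, link_mbps_list, frame_bytes: int = MIN_FRAME) -> float:
    """Rated pps divided by required pps; below 1.0 the box is oversubscribed."""
    return device.forwarding_pps / required_pps(link_mbps_list, frame_bytes)

def fits(device: Device, link_mbps_list, frame_bytes: int = MIN_FRAME) -> bool:
    return headroom(device, link_mbps_list, frame_bytes) >= 1.0

# Forwarding rates as quoted in the replies above (not measured here).
ISR_3845 = Device("ISR 3845", 500_000)
NPE_G2_7200 = Device("7200 with NPE-G2", 2_000_000)
CAT_3560G = Device("Catalyst 3560G-24TS", 38_700_000)

WAN_LINKS = [100] + [10] * 6   # the poster's Ethernet WAN: one 100 Mb, six 10 Mb
LAN_LINKS = [1000] * 4         # the planned four gigabit LAN interfaces

if __name__ == "__main__":
    for dev in (ISR_3845, NPE_G2_7200, CAT_3560G):
        for label, links in (("WAN aggregation", WAN_LINKS), ("4 x gig LAN", LAN_LINKS)):
            for size in (MIN_FRAME, MAX_FRAME):
                print(f"{dev.name:20} {label:16} {size:4}B: need "
                      f"{required_pps(links, size):>9,} pps, "
                      f"headroom {headroom(dev, links, size):6.2f}x")
```

Running it shows why the replies steer the LAN routing to the switch: four gig ports of 64-byte frames need nearly 6 Mpps, which only the 3560G's rating covers, while at 1518-byte frames even the 3845 would keep up.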

mark_shrimpton Tue, 08/12/2008 - 06:19

Given what you've stated I expect that the 3560G-24TS should be adequate.

As for Cisco's stackwise technology, I have looked through the information about it and I understand that primarily it allows the switches in the stack to pass information between them at a huge speed, and share configuration information with other members automatically.

One question however, should 1 switch die, I assume all the ports on that one switch lose their connection?

If this is the case, when you say I'll be able to deal with device failure, do you mean that only in the sense that when I plug a replacement in, it will automatically receive the correct configuration?

Being that routers such as the 7201 (with the NPE-G2, which is relatively expensive compared with L3 switches offering to process similar numbers of packets) can deal with such small traffic flows, how do organisations deal with routing between subnets after the traffic has been aggregated from their access/distribution switches?

Joseph W. Doherty Tue, 08/12/2008 - 08:29

"One question however, should 1 switch die, I assume all the ports on that one switch lose their connection?"

Yes, all ports on that switch die. However, if you have a "spare" in the stack it would allow you to immediately repatch the connections from the failed ports. Also, 3750 stacks support cross-member Etherchannels, so although you'll lose bandwidth, you don't lose connectivity.

"If this is the case, when you say I'll be able to deal with device failure, do you mean that only in the sense that when I plug a replacement in, it will automatically receive the correct configuration?"

Yes, normally a replacement switch will pick up the prior config. It also can be placed into the stack without stopping the stack.

". . . how do organisations deal with routing between subnets after the traffic has been aggregated from their access/distribution switches?"

That's where the Cisco 4500 and 6500s are often found. (Or perhaps on some of the high-end non-chassis L3 switches, e.g. 3650-E, 3750-E, 4948, 4948-10gig, 4900M.)

Software routers, e.g. 7200 and below, are really oriented for the many features useful for WAN links. The smaller (e.g. 3560/3750/4948) and mid-size L3 devices (e.g. 4500 series) provide LAN levels of performance, multi-gigabit speeds. The enterprise high end is supported with the 6500/7600 series, which not only support multi-10-gigabit speeds, but can support WAN features as well as or better than the smaller software routers. (There's also the recent ASR 1000 series.)

mark_shrimpton Tue, 08/12/2008 - 11:59

Excellent. I think then that two stacked 3750G-24T switches should do the job nicely, although given the first responder's comments about the lack of outbound ACLs on switches I am going to have to rethink my ACL plans a little.

The fact that I can use LAGs from my linksys switches to each of the switches (so should one fail it will still have connectivity) is a great one - one less potential for it all to go wrong.

I assume that given I will only be using static routes, or at most simple routing protocols, the 'Standard Multilayer' image should suffice.

Thanks very much for all your advice.

Joseph W. Doherty Tue, 08/12/2008 - 12:49

If I recall correctly, the basic image does support statics, RIPv2 and EIGRP stubs. For full EIGRP and OSPF, you'll need an uplevel image.


Another nice thing about the non-"-E" 3560/3750, if I also recall correctly, they have a limited lifetime hardware warranty and lifetime free IOS software upgrades.

thedinuka Tue, 08/19/2008 - 06:08


I have also been trying to figure out the usability of a 7201 against a 3560E or 3750E.

Following is what I noticed.

The 3560 brings more forwarding capacity and port count.

Feature-wise there isn't much difference between the two.

But still the 7201 is of higher cost than a 3560/3750.

Can anyone explain why this is? Definitely there are advantages of going to the 7201. Would anyone be able to point these out please?


Joseph W. Doherty Tue, 08/19/2008 - 06:19

"Feature-wise there isn't much difference between the two."

Perhaps true for just basic LAN routing, but hard to stuff an ATM interface into a 3560E or 3550E, activate NBAR, activate a firewall, activate OER/PfR, etc. Not sure then that I would agree there's little difference at the feature level.

thedinuka Tue, 08/19/2008 - 18:12

Hi, thanks for the info. But even the 7201 doesn't accept an ATM card, does it?

True in the case of NBAR and FW, but can the 7201 still have a 2 Mpps forwarding rate with these features enabled? If not then you would have to put in a separate device to do that, and then we are back at square one.