Add 2960 switches to a 6500 access port

SwitchRoute
Level 1

My network architecture is a campus 3-layer hierarchical design. We have 6500 switches deployed throughout the entire network at the access layer with NAC layer 2 OOB in place. Several end users have multiple nodes that require access to the network and the physical cabling to each space is limited. To accommodate these users some Engineers have suggested to deploy 2960 switches in the office space and share a connection to an access port on the 6500 access switch in the building floor network room. Is this a recommended solution? How will this solution affect CEF and hardware switching in the 6500? Is security an issue? What about Spanning Tree? This solution seems silly to me. Can someone provide a technical response to this solution?


10 Replies

Jon Marshall
Hall of Fame

SwitchRoute wrote:

My network architecture is a campus 3-layer hierarchical design. We have 6500 switches deployed throughout the entire network at the access layer with NAC layer 2 OOB in place. Several end users have multiple nodes that require access to the network and the physical cabling to each space is limited. To accommodate these users some Engineers have suggested to deploy 2960 switches in the office space and share a connection to an access port on the 6500 access switch in the building floor network room. Is this a recommended solution? How will this solution affect CEF and hardware switching in the 6500? Is security an issue? What about Spanning Tree? This solution seems silly to me. Can someone provide a technical response to this solution?

Will the 2960 still be under your control ? That is one of the key issues with this. If you enable all the ports and allow the users to connect whatever they want then yes that does have security issues. You can use BPDUGuard etc.. for STP but a better solution would be to manage the switch and only enable ports when needed. Use port security on the 2960 and only allow one mac-address per port which should stop them attaching hubs etc.

The other thing to be said, and this is by no means a criticism, is that if the solution sounds silly to you then you need to be prepared to back that up with technical reasons and even more importantly come up with a different but workable solution. If the business cannot do its work efficiently because they need these ports then you have to provide a workable solution for them.

Jon

A workable solution would be to add more physical cable drops. I guess hanging several 2960s off access ports on a 6500 will solve the adding cable issue? Why even deploy 6500s? How do I benefit from a 6500 in the access layer?

SwitchRoute wrote:

A workable solution would be to add more physical cable drops. I guess hanging several 2960s off access ports on a 6500 will solve the adding cable issue? Why even deploy 6500s? How do I benefit from a 6500 in the access layer?

A workable solution would be to add more physical cable drops

Agreed, and if you have the budget and the time to do that then by all means propose that. But adding more cabling etc. is usually much more expensive and time consuming than adding another switch.

Why deploy 6500s in the access-layer ? Maybe for port density, maybe QOS capabilities, maybe for redundancy etc.. It's really difficult to say because i didn't design the network so i don't know what the reasoning behind purchasing the 6500 switches was originally. What do you think you are getting from the 6500 switches that you will lose by adding 2960 switches ? If you can specify this then this could be a very good basis for arguing for adding extra cable drops.

I'm not saying that you are right or wrong. What i am saying is that without knowing the reasons behind the existing design and the choice of switches it's difficult to say which solution is the best.

Jon

The reason behind this design to add layer 2 devices to end users is probably more political than technical? The initial addition of  a low end switch appears to be low cost? What about the support and maintenance? The cable install is a one time cost and is considered permanent infrastructure.

The design of the network is to provide non stop access to all things allowed. Normal? I don't know if I will lose benefits by adding 2960s. That is my main concern.

SwitchRoute wrote:

The reason behind this design to add layer 2 devices to end users is probably more political than technical? The initial addition of a low end switch appears to be low cost? What about the support and maintenance? The cable install is a one time cost and is considered permanent infrastructure.

The design of the network is to provide non stop access to all things allowed. Normal? I don't know if I will lose benefits by adding 2960s. That is my main concern.

I sympathise. As a network designer i have been in these positions many times where the initial cost of doing something is low ie. adding another switch, compared to a more permanent solution. Support and maintenance are always difficult to cost but in this instance they probably aren't that great considering it is a Cisco switch and runs a familiar IOS interface.

If you have control of budgets you could perhaps cost up adding more cable runs and put this in next year's budget. That way you have made a specific statement that makes very clear that adding switches to provide more ports is only a short term solution. In addition make it clear that this is an exception and not the rule and that in future more notice is required.

The key thing is that you must maintain control of the switch wherever it is placed. Use all available security measures eg. port security, shutdown ports, DHCP snooping etc. to secure the network against malicious or accidental usage.

And then make a decision as to how to expand your network in future. If it is by adding cable runs then see above. If it is by allowing L2 switches to be used to expand your access-layer then work on a secure configuration to allow you to do this.

When it comes to political vs technical it is sad to say that political often wins out in the short term and it is the network designer that needs to adapt.

Jon
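The controls Jon lists in this reply and in his first one (port security with one MAC per port, BPDU guard, shut unused ports, DHCP snooping) written out as a constructed IOS configuration for the daisy-chained 2960 and for the 6500 access port it hangs off. This is an added example, not configuration from the thread; interface names, VLAN 10 and the port ranges are assumptions.

```cisco
! --- Office 2960 (constructed example) ---
! Uplink to the 6500: plain access port in the user VLAN, no DTP negotiation.
! DHCP snooping must trust this port, otherwise the 2960 drops the server's offers.
interface GigabitEthernet0/1
 description Uplink to 6500 access port (constructed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast disable
 ip dhcp snooping trust
!
! User ports: one MAC each, shut on violation, BPDU guard so a hub or switch
! plugged in here err-disables the port instead of joining the topology.
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Ports nobody has asked for stay administratively down.
interface range FastEthernet0/9 - 24
 shutdown
!
! Only the uplink may source DHCP replies; untrusted ports are rate limited.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! --- 6500 side: the access port feeding the 2960 (constructed example) ---
! BPDU guard must be off on this one port: the 2960 sends BPDUs on its uplink,
! so a guarded port would err-disable the whole office the moment it came up.
! Trust it for DHCP snooping only if snooping runs on the 6500 as well.
interface GigabitEthernet3/1
 description Downlink to office 2960 (constructed)
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard disable
 ip dhcp snooping trust
```

Verify with `show port-security interface`, `show spanning-tree interface` and `show ip dhcp snooping` after the first clients connect; a BPDU guard err-disable on the 6500 downlink is the usual sign that the guard was left on.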

SwitchRoute wrote:

The reason behind this design to add layer 2 devices to end users is probably more political than technical? The initial addition of a low end switch appears to be low cost? What about the support and maintenance? The cable install is a one time cost and is considered permanent infrastructure.

The design of the network is to provide non stop access to all things allowed. Normal? I don't know if I will lose benefits by adding 2960s. That is my main concern.

In addition to extra cost for maintenance and support, and since we are talking about Cisco devices here, there is one more thing to remember and that is the more different types of switch you add the more different types of IOS you need. We all know what happens if you load a 3750 image on a 2960.

Also, one other reason for using 6500 in the access closets is security. Some customers do not use copper to their desktops, they only use fiber and as far as I know there aren't any fixed small switches with 48 port Gig fiber.

Reza

Reza Sharifi
Hall of Fame

Is wireless an option for you?

Reza

We have wireless in place as a DMZ for guests now. This may be an option for additional access?

I will try to simplify my concerns.

I have a typical Core, Distribution, Access topology throughout my campus. Every access switch is trunked to distribution. We have Engineers that propose to add 2960 switches to access ports in the access layer. This clearly disrupts all best practices. WTF? Why not install one cable to every office and connect to a 2960 with an access link to a L2 access port on another access switch? Cheap and easy? I am talking about daisy-chaining a 2960 access port with a 6500 access port. Is this picture clear? Does this justify a hub? How does my network benefit by using a 6500 Sup720 in the access layer? We have no QoS in place.

SwitchRoute wrote:

We have wireless in place as a DMZ for guests now. This may be an option for additional access?

I will try to simplify my concerns.

I have a typical Core, Distribution, Access topology throughout my campus. Every access switch is trunked to distribution. We have Engineers that propose to add 2960 switches to access ports in the access layer. This clearly disrupts all best practices. WTF? Why not install one cable to every office and connect to a 2960 with an access link to a L2 access port on another access switch? Cheap and easy? I am talking about daisy-chaining a 2960 access port with a 6500 access port. Is this picture clear? Does this justify a hub? How does my network benefit by using a 6500 Sup720 in the access layer? We have no QoS in place.

You seem to have come to this forum looking for a specific answer and are unhappy that you are not hearing what you want.

Where does it say that you cannot have multiple switches in the access-layer. If the engineers were proposing to connect the 2960 directly to your core then yes that does not make sense. But i haven't heard of not being able to have multiple switches in the access-layer.

I am talking about daisy-chaining a 2960 access port with a 6500 access port. Is this picture clear?

Crystal clear, as it has been since the first post. The simple facts are these -

1) You have a need for more ports than you can currently supply

2) You have 6500 in the access-layer which so far you have not actually specified what benefit they give you. Just having 6500 switches in the access-layer does not preclude having other switches in the access-layer as well.

3) Adding a 2960 switch will only affect those users connected to it so clearly you still get all the benefits for all the other users directly connected to the 6500 switches, although i say again, you haven't actually specified any benefits.

Why not install one cable to every office and connect to a 2960 with an access link to a L2 access port on another access switch?

Because that's not a scalable design and it clearly would be an administrative nightmare.

How does my network benefit by using a 6500 Sup720 in the access layer? We have no QoS in place.

I don't know and more to the point you can't tell me.

I am not trying to be unhelpful really, i try my best to help people on these forums but you are not giving any solid reasons as to why it is such a bad idea. You have a fixed idea that it is a bad thing to do but you cannot provide any real technical reasons why it is. Personally if given the choice i would have more cable runs as you would but that's not really the point. If there are benefits to the users being directly connected to the 6500s then spell them out, make it clear to the users who would go via the 2960 that they may lose some of these benefits and that is the compromise they must make.

The business doesn't care about Cisco's 3 tier architecture. All they want is to be able to do their primary work.

If you can show that introducing a 2960 compromises the stability of your network and that this could then lead to lost business you have your case for more cable drops.

If you can specify the benefits lost by adding a 2960 to the access-layer, ditto.

The hardest thing about designing networks is knowing when to give and when not to give. If you give all the time you end up with a mess as you rightly point out. If you never give you have the most lovely textbook 3 tier Cisco network design, regardless of whether it actually meets the company's needs.

Jon

Jon,

Thank you for all the help!! I do appreciate it.

I will post again with follow up after a few weeks of these 2960s in place.

Thanks again!!
