I recently started to look into the configuration of the 6 2950 switches that have been set up "forever" and need help understanding something. Is there a specific uplink port or does the switch automagically know?
Here's our setup:
Internet -> PIX 506e -> Catalyst 2950 (1) _ Port 23
Catalyst 2950 (1) _ Port 24 -> Catalyst 2950 (2) _ Port 23
Catalyst 2950 (2) _ Port 24 -> Catalyst 2950 (3) _ Port 23
Does it need to be like that? Could it be any ports as long as they were connected via a crossover cable?
I'm in the process of setting up a redundant cluster with the switches, shouldn't the command and standby command switches be connected to multiple other switches?
It could be any port, but it is very common to uplink the switches together using ports with higher speed. For example, if you have a 48 port 2950G switch (WS-C2950G-48-EI), you use the 48 copper 10/100 ports for workstations, printers, etc., and use the 2 1Gig fiber ports for your uplinks.
If you see my original post I think I cover why I'm confused, but let me re-word it to help:
To begin, we have 6 Catalyst C2950 switches that are set up like the following:
Switch 1: Port 23 -> Switch 2: Port 24
Switch 2: Port 23 -> Switch 3: Port 24
Switch 3: Port 23 -> Switch 4: Port 24
Switch 4: Port 23 -> Switch 5: Port 24
Switch 5: Port 23 -> Switch 6: Port 24
Switch 6: Port 23 -> Cisco Pix 506e
I was looking into setting up a redundant cluster and know that both the command switch and standby command switch need to be connected to more than 1 switch to provide redundancy.
My confusion comes from the current setup and trying to figure out why it was set up that way, when a redundant cluster is the ideal way to do things. I'm not sure I'll ever find the answer of why it's set up like it is now, but it looks like I'll be changing things soon to set it up in a more secure way.
Whoever has done this connectivity, I'll try to explain why he might have done it this way.
In earlier days, hubs or repeaters were used, either for extending the LAN or for the uplink. Traditionally they were cascaded to each other. By looking at the connectivity you can see the same thinking was applied here, which is not correct in today's world.
You definitely should change this connectivity arrangement to a two tier architecture, which will provide better resilience. For example, you can identify two switches connected to each other with multiple links (EtherChannel). Then connect each of the other switches to these two switches with two uplinks (one will go to one central switch and the other will go to the other switch).
The only link which goes to the firewall will be a single point of failure.
Hope this helps clear the confusion you have.
He's right. That is really a legacy setup. The cascading, or daisy-chaining, is really not preferable.
I'm assuming, from the sounds of it, that these switches handle both servers and end users. You have a number of limitations here, but it can definitely be improved with your existing equipment. Assuming that we are not dealing with any limitations based on physical proximity of the switches to each other, you could do something like the following as long as you have the port capacity.
506E --> Sw6 fa0/24
(Since the 506E only has one "inside" port you can't redundantly connect it but you can reserve another port on another switch to manually change to in the event of a failure.)
Manual 506E reserve backup --> Sw5 fa0/24
Sw5 fa0/23 --> Sw6 fa0/23
If you can afford the ports for etherchannel then:
Sw5 fa0/22 --> Sw6 fa0/22
and set up the etherchannel link.
If you have servers then try and redundantly link them to Switches 5 and 6 at the top of the hierarchy.
Sw4 fa0/24 --> Sw6 fa0/21
Sw4 fa0/23 --> Sw5 fa0/21
Sw3 fa0/24 --> Sw6 fa0/20
Sw3 fa0/23 --> Sw5 fa0/20
Sw2 fa0/24 --> Sw6 fa0/19
Sw2 fa0/23 --> Sw5 fa0/19
Sw1 fa0/24 --> Sw6 fa0/18
Sw1 fa0/24 --> Sw5 fa0/18
Now since this is still a flat network but with a hierarchical architecture and redundant connections, you need to pay attention to your spanning-tree configuration. In this case make sure to enable Rapid PVST+ and manually set Sw6 to be the primary root for the one VLAN I assume you have, and make Sw5 the secondary root. Make sure to take advantage of other features to guard against other devices trying to become root or otherwise upset your spanning-tree topology.
By far the best investment you could make here is a couple of small L3 switches such as a 3560 and use them at the top of your hierarchy instead. You could then eliminate the flat network, separate your users into one or more VLANs, put your servers on a VLAN by themselves, and even put the inside interface of your firewall on its own VLAN.
Good luck with it. Sounds like you may have a little reading to do.
Tyler West, CCNP
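As an added illustration (not part of Tyler's post or the original thread), here are Cisco IOS configuration fragments that express the two-tier design he describes on the 2950s: Sw6 as Rapid PVST+ primary root, Sw5 as secondary root, an EtherChannel between them, root guard on the downlinks and BPDU guard on the portfast access ports. The port numbers follow the post; the assumptions are a single VLAN (VLAN 1), that both uplinks on each access switch are trunks, and a 2950 IOS release that supports LACP (on older releases use `channel-group 1 mode desirable`, PAgP, on both sides instead).

```cisco
! Added example, not from the thread: IOS config fragments for the two-tier
! design. Assumes one VLAN (VLAN 1), the port assignments from the post, and
! an IOS release with LACP; otherwise use "channel-group 1 mode desirable".
!
! ===== Sw6 (top of the hierarchy, primary root, firewall attached) =====
hostname Sw6
spanning-tree mode rapid-pvst
spanning-tree vlan 1 root primary
! Any portfast-enabled access port is err-disabled if a BPDU arrives, so a
! rogue switch plugged into a user port cannot reshape the topology.
spanning-tree portfast bpduguard default
!
interface Port-channel1
 description EtherChannel to Sw5
 switchport mode trunk
!
interface range FastEthernet0/22 - 23
 description Member links of the EtherChannel to Sw5
 switchport mode trunk
 channel-group 1 mode active
!
interface range FastEthernet0/18 - 21
 description Downlinks to Sw1 - Sw4 (fa0/18 = Sw1 ... fa0/21 = Sw4)
 switchport mode trunk
 spanning-tree guard root
!
! Root guard above: a superior BPDU from a downstream switch puts that port
! into root-inconsistent state instead of moving the root away from Sw6/Sw5.
!
interface FastEthernet0/24
 description Inside interface of PIX 506E
 switchport mode access
 spanning-tree portfast
!
! ===== Sw5 (top of the hierarchy, secondary root, reserved firewall port) =====
hostname Sw5
spanning-tree mode rapid-pvst
spanning-tree vlan 1 root secondary
spanning-tree portfast bpduguard default
!
interface Port-channel1
 description EtherChannel to Sw6
 switchport mode trunk
!
interface range FastEthernet0/22 - 23
 description Member links of the EtherChannel to Sw6
 switchport mode trunk
 channel-group 1 mode active
!
interface range FastEthernet0/18 - 21
 description Downlinks to Sw1 - Sw4
 switchport mode trunk
 spanning-tree guard root
!
interface FastEthernet0/24
 description Reserved manual fallback port for the PIX 506E inside interface
 switchport mode access
 spanning-tree portfast
 shutdown
!
! ===== Sw1 - Sw4 (access switches; same template on each, hostname differs) =====
hostname Sw1
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface FastEthernet0/23
 description Uplink to Sw5
 switchport mode trunk
!
interface FastEthernet0/24
 description Uplink to Sw6
 switchport mode trunk
!
interface range FastEthernet0/1 - 22
 description User and printer ports
 switchport mode access
 spanning-tree portfast
```

After applying this, `show spanning-tree vlan 1` on any access switch should list Sw6's bridge ID as the root with one of the two uplinks in forwarding and the other in alternate (blocking) state, and `show etherchannel summary` on Sw5 and Sw6 should show Po1 with the SU flags. `root primary` and `root secondary` are per-VLAN settings, so once more VLANs are added they need to be repeated for each VLAN (for example `spanning-tree vlan 1-3 root primary`).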
First of all, thank you so much for the helpful information. At the end of the previous post VLANs were noted. It's my understanding that a 2950 can create/manage VLANs. Is that not correct? I was planning on setting up (at least) 3 VLANs once everything's reconfigured with our existing hardware.
Yes you can create and manage the VLANs but the hardware you listed doesn't have the ability to route between the VLANs. That would be where the L3 switch would come in. However, what you choose to use as a L3 device depends on what you are trying to accomplish.
I'm typing on a Blackberry right now so I might be able to get into more detail later.
Sr. Network Engineer
Camping World, Inc.
The question there would then be does he have the security plus license for the 506E. Without it the 506E won't do 802.1q trunking. I'm not 100% sure it will anyway. Trunking might not have been available except on 515s and above. I'd have to go back and do some reading.