I have the following equipment in a 3 floor building:
Cat 4506 w/ Sup IV - floor 3
Cat 4506 w/ Sup IV - floor 2
Cat 4507R w/ Sup IV - floor 1
PIX 515 - GW to Internet - floor 1
WAN router 2621 - floor 1
I was thinking of the following setup:
VLAN1 - Management VLAN
VLAN2 - Floor 1 - Servers and tech
VLAN3 - Floor 2 - General users
VLAN4 - Floor 3 - General users
The 4506s on floors 2 and 3 will each connect one of their 1000BaseX ports on the Sup IV to the 2 1000BaseX ports on the 4507R Sup IV via SMF. I would then connect both 4506s via gigabit over CAT6 from RJ45 10/100/1000 ports to 2 different RJ45 10/100/1000 ports on the 4507R. This is for redundant layer 2 connectivity and is achieved by assigning a higher STP port cost to the RJ45 ports. This should keep them in a blocking state until one of the fiber links fails.
Next I will have layer 3 switching implemented on the 4507R between the 3 vlans using logical vlan interfaces to do the routing via the backplane. If I understand correctly, the 2621 routes up to 20 Kpps and the 4507R can do hardware layer 3 switching at 48 Mpps. So a layer 3 switch is definitely a much better choice than an external router.
1. I understand VLANs are good for control of broadcast traffic and security. If security is not an issue and with this amount of bandwidth and high end switches, is there even a reason to use separate VLANs other than one for management and one for users/servers? All the traffic will be between users and the servers on floor 1 (email, file sharing, printing, etc).
2. Is this a good setup for redundant layer 2 connectivity?
3. When would there be a need to set up a physical layer 3 interface on a 4507R vs a logical layer 3 interface? If the default gateway is the PIX in this scenario, as long as the inside interface of the PIX is plugged into a switchport on the 4507R and routing is in place, all the VLANs of the switch can reach the Internet. There is not a performance difference, is there?
4. With the Netflow daughter card, is it possible to analyze Internet traffic (bandwidth usage) by source IP?
1. I think your idea to put each floor on a separate vlan is a good idea. If you want more reasons as to why segmenting management traffic and user traffic is a great idea, see the Catalyst Switch Best Practices document on cisco.com. http://www.cisco.com/warp/customer/473/185.html#cg18
One of the main reasons I would put switch and router management interfaces on one lan and users on another is that the management interfaces are not as vulnerable to problems on the user vlan when a DDoS attack happens or a broadcast storm occurs on the user vlan. You will most likely have the capability to telnet to the switches and troubleshoot the user vlan problems because the management interfaces are not on the same lan.
3. In the case where the PIX directly connects to the cat4500 and there is a /30 network between the PIX and the 4500, then it makes sense to configure the switch port with the IP address as opposed to using a vlan interface. It really doesn't make any difference whether you put the IP address on the switch port or configure an interface vlan. There is no performance difference.
4. The netflow daughter card can be used to analyse tcp and udp sessions in your network. You would need to have Netflow collector software on a PC. More details on how Netflow works on the card is found at
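Added example configuration, not taken from this thread or from Cisco documentation, for the design in the question and in answer 3: SVIs on the 4507R for inter-VLAN routing, a /30 routed port to the PIX inside interface, and a higher STP cost on the copper backup trunk of each 4506. Interface numbers, VLAN names and the 10.0.0.0/8 addresses are assumptions.

```ios
! Added example (not the thread's own config); interface numbers, VLAN
! names and addresses are assumed for illustration only.
!
! --- 4507R, floor 1: STP root, SVI routing, routed /30 port to the PIX ---
ip routing
spanning-tree vlan 1-4 root primary
!
vlan 2
 name Floor1-Servers
vlan 3
 name Floor2-Users
vlan 4
 name Floor3-Users
!
interface Vlan1
 description Management VLAN (switch and router management only)
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
!
! Sup IV 1000BaseX uplinks: dot1q trunks to the floor 2 and floor 3 4506s
interface range GigabitEthernet1/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Routed port on a /30 to the PIX inside interface (answer 3)
interface GigabitEthernet2/3
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
! The PIX also needs routes for 10.0.1.0-10.0.4.0/24 pointing at 10.0.0.1.
!
! --- each 4506 (floors 2 and 3): fiber trunk plus copper backup trunk ---
! The 4506 chooses its root port, so the higher cost goes on the 4506's
! copper port; it stays blocking until the fiber link to the root fails.
interface GigabitEthernet1/1
 description Fiber uplink to 4507R (preferred path)
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet2/1
 description Copper backup uplink to 4507R
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree cost 100
```

Verify the result with `show spanning-tree vlan 2` on each 4506: the fiber port should be the root port in forwarding state and the copper port an alternate port in blocking state.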
What do you think about the layer 2 redundancy setup that I mentioned? Should I do that using STP or just disable STP on the entire switch? Is there another way to have redundant links between the three 4500s?