Cisco Switches, Cisco Firewall

Friday 23 March 2012, 10:37

Creating network designs for people is not an easy task, since many factors and requirements need to be considered. Most organizations do not upgrade their LAN to prepare for the future; they don't touch the network as long as it is running properly and supporting the users' applications. Planning to put a secure voice system on the network takes the network requirements to another level.

[Figure: core / distribution / access layer diagram]

There is a lot more to consider than QoS for putting voice on the LAN, although that is what the discussion is usually centered around. The LAN also has to have a number of other attributes:

  1. Secure - with voice on the LAN, the switches must have security features that can prevent them from getting attacked with MAC address floods, rogue DHCP servers, gratuitous ARP’s changing the default gateway, and other attacks that can be launched by malware.
  2. Fast - If voice goes through multiple switches, each hop can add latency. Instead of store-and-forward of the Ethernet frames, switches should use cut-through to move things along. Server and uplink speeds should be gigabit, while for most organizations 10/100 Mbps to the desktop is just fine.
  3. QoS - As discussed above. This comes into play mostly in uplinks. When remote access layer closets are connected back to the distribution layer, there is a choke point in the LAN. Any choke points require queuing to prioritize the voice.
  4. Reliable - Long Mean Time Between Failure, well tested code to limit bugs, good support from the manufacturer in case there is a software or hardware issue.
  5. Manageable - The switches have to be able to be managed remotely, have SNMP information, be able to log, and be configurable. GUI interfaces are ok, but there is nothing like a solid command line interface for rapid configuration, troubleshooting, and repair.
  6. Power Density - Switches have to be able to support the power density of the planned devices. Most switches cannot power all ports at the highest levels.
  7. Power and Cooling – Since IP phones are powered from the switches, all access layer switches will require properly sized UPS's. A basic switch consumes about 60 Watts. A 48 port switch with 15 Watt phones plugged into every port will require at least 600 Watts. Put a few of those switches in the closet and you are looking at not only a much bigger UPS, but also better cooling.
  8. Redundant Design – The only place that there should be a single point of failure is at the access layer in the closets. If a switch fails, only the devices connected to that switch should lose connectivity – all others should work around the issue. In most cases that means dual uplinks from each closet to a redundant distribution layer at the core.

An excellent reference to everything discussed above is the Cisco Campus Network for High Availability Design Guide. This drawing shows both redundant uplinks and the single points of failure that are acceptable:

[Figure: redundant uplinks and the acceptable single points of failure]

When all the requirements for a good LAN that can support voice are evaluated, it turns out that it prepares the network for future requirements as well, like IP security cameras, wireless access points, and other devices that may hang off the LAN.

It is certainly possible to build out a LAN with non-Cisco switches, but there are so many little things that are useful with Cisco switches, and they tend to be price competitive, that it is usually best to go with them. For example, one of the most useful tools is Cisco Discovery Protocol, which lets you see what other CDP devices are connected to an individual switch. I use this all the time to work my way through a network and find out where devices are located.

Having set a baseline for what we are looking for in a LAN switch, we can give an overview of the Cisco switches that are available and commonly required by small to large businesses; most of them serve a useful purpose in different situations.

Cisco Catalyst 2960 Series – a useful, versatile switch. It is layer 2 only, so no routing. The 24 port 10/100 POE version is great. It includes two gigabit dual-personality uplink ports, so a stack can be linked together, and then the top and bottom of the stack can be connected by fiber to the distribution switches. This switch is good and popular.

Cisco 3560 Series – Similar to the 2960, but has a few more features. This is a layer 3 switch, and has three different classes of IOS. IP Base includes static routing and EIGRP stub, but no multicast routing. IP Services includes the full routing feature set. IP Advanced Services includes IPv6 on top of everything else. The SFP ports have to be populated with either copper or fiber gig SFPs to uplink.

Cisco 3750 – This is just like the 3560, but with one big difference. The 3750 includes two Stackwise connectors on the back of the switch, allowing up to nine switches to be stacked together using a 32 Gbps backplane speed. The stack is managed as a single switch, and uplink ports on different switches can be connected together with EtherChannel so that multi-gigabit closet uplinks can be obtained. For an inexpensive distribution layer, a small stack of 3750 switches is ideal. The entire stack is limited to 32 Gbps of throughput, so this is not a good server switch for more than about 20 servers.

Cisco 4500 – This is a chassis switch that is designed to be used in the access layer. The internal design is optimized for connecting a bunch of users and uplinking out of the closet, since the internal connection between the different thirds of each blade is limited to 2 Gbps in most of the linecards. The latest version of the blades and supervisor are faster, but are still oversubscribed, so this should not be used for a distribution or server switch. It is a great access layer closet switch for high density (>200 users) gigabit POE to the desktop.

Cisco 3560E Series – The E version of the 3560 switches are gigabit to the desktop and 10 gigabit uplink and aggregation. They also have modular power supplies so that every port on a 48 port switch can be powered to the highest level if required.

Cisco 3750E – gigabit speed, 10 Gbps uplinks, and Stackwise+ for switch interconnection. Stackwise+ is twice the speed of Stackwise at 64 Gbps, but has a much higher comparative speed since all traffic that is on one switch can stay on the switch, whereas with Stackwise on the 3750s all traffic traverses the Stackwise link.

Cisco Catalyst 6500 Switches – Excellent switch, very useful as a distribution and server switch. The switch has three backplanes, and it is worthwhile looking at the connection speed of the supervisor engines and blades before making a decision. The legacy backplane is still available using the Sup720; it is a 32 Gbps shared backplane. New blades use either CEF256, which is an 8 Gbps connection, or CEF720, which uses dual 20 Gbps connections.

  • The Cisco 6500 blades can have distributed routing features, or dCEF. These are typically not required except for the most challenging networks.
  • The most cost-effective and reliable method for setting up a 6500 is to use a single 6509 chassis with redundant power supplies, redundant supervisor engines, dual 6748 gigabit blades for server connectivity, and dual 6748 fiber uplink blades for connecting remote wiring closets.
  • The Cisco 6509 has no limitations – any blade can go into any slot. The Catalyst 6513 has more slots, but only the bottom four can accept the CEF720 blades, the top seven slots connect at CEF256 or slower.
  • My preference is to usually use this box as just a switch, and put routing, firewall, wireless control and other functions in dedicated boxes, but there are certain situations where the ability to put services modules like the ACE module, IPS modules, or Firewall services module in the 6500 solve a specific technical problem.

 

So, some examples of good designs:

  1. If there are between 500 and 2000 hosts on a LAN, then single or dual 6500s at the core/distribution layer are appropriate. Stacks of 3750s or 2960s in the closet with gigabit uplinks back to the distribution layer are appropriate.
  2. For between 100 and 500 hosts on a LAN, a stack of 3750E or 3750 switches at the core/distribution layer and a stack of 2960s in the closets would be a good design for most organizations.
  3. For <100 hosts, a good design is dual 3750s at the distribution layer with 2960s for the access layer. If price is the deciding factor then a stack of 2960s is appropriate.

 

Examples of non-optimal designs that I have seen:

  1. Putting a single Cisco 3750 in an access layer closet. There is no reason for this, as the primary benefit of the 3750 is its Stackwise system. If there is only one, then no stacking is required.
  2. Adding dCEF capability to a 6500 when there is very little routing to be done in the system, and the 6500 is nowhere near hitting its performance limit with all routing being done in the supervisor engine.
  3. Having a mismatch between power draw and power supply on the switch. This can happen from having power supplies that are too small, or loading too many POE devices onto an underpowered 48 port switch.

One of the most useful devices to increase reliability of the switching infrastructure is a backup power supply. One of my rules of thumb is that moving parts break first, so the most likely item to fail in the switch is the power supply and/or cooling fans. Every Cisco switch and most of the smaller routers have a DC port in the back. That is for backup power.

The Cisco RPS675 can be used as backup power. It has dual power supplies, and can connect to six different devices. If those devices ever lose their power supply, then the RPS box will provide power via the DC power port, and everything will continue to run. The only tricky thing is ordering the correct cables. There is one set of cables for E versions of switches, and another set for all other devices.

Putting together a LAN upgrade design is a relatively straightforward process. The difference between a good design and a poor one really comes down to the details. No one wants to get a cheap network that will not handle the needs of the organization in the next few years and have to be replaced, and conversely most organizations would not want to pay for an oversized network that is too expensive.

It is best to get a design done by a reseller that regularly sells and deploys the products they are recommending. Good VARs will stay on top of the new products that are out, and will change their recommendations based on the customer's needs and budget. I would argue that a good VAR can put together a better design than a sales engineer from a manufacturer. The VAR is responsible for making it work within budget, whereas the manufacturer will not do the installation, and is compensated for selling as much equipment as possible.

 

For more Cisco hardware guides and information, visit: http://www.router-switch.com/Price-cisco-switches-cisco-switch-catalyst-3560_c22?page=3

By Cisco & Cisco Router, Network Switch - Posted in: Cisco Switches, Cisco Firewall
Enter comment - View the 0 comments
Monday 12 March 2012, 08:47

The Cisco Catalyst 2960 switch is a small switch that runs the same Cisco IOS that the larger switches do, and has most of the same features. This article describes several ways you can pull information from the switch, such as the chassis temperature. These methods should work on most Cisco switches. Have a computer with terminal emulation software prepared before you start.

[Image: Cisco Catalyst 2960 Series]

 

Command Line Interface (CLI)

1. Establish a terminal console connection by entering the IP address of the switch into the "Host Name (or IP Address)" section of the terminal emulation software. Select "SSH" or "Telnet" as the "Connection Type" and click "Open."

 

2. Verify you are in the "Privilege Exec" mode, which uses a "#" at the end of the prompt. Enter the command "enable" to move out of the "Exec" mode and into the "Privilege Exec" mode. (The "Exec" mode uses a ">" at the end of the prompt.)

 

3. Enter the command "show env all" to see all the environment information. The "Temperature is" section will be at "OK" and the "Temperature State" will be "Green" if the "Temperature Value" is below the "Yellow Threshold" value.

 

4. Modify the "Yellow Threshold" with the command "system env temperature threshold" followed by a number. This command must be issued from the "config" mode, which has "(config)" at the end of the prompt. To move from the "Privilege Exec" mode to the "config" mode, issue the command "configure terminal."
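To turn steps 3 and 4 into a repeatable check rather than a visual one, here is an added Python example (not from the article or from Cisco) that parses a constructed sample of "show env all" output, recomputes the state the switch should report from the value and thresholds, and lets you preview the effect of a new Yellow Threshold before you change it; the sample text and its numbers are made up for this example.

```python
import re

# Constructed sample of "show env all" output from a Catalyst 2960. It is not a
# capture from a real switch; the field names follow the article, the numbers
# are invented.
SAMPLE_SHOW_ENV_ALL = """\
FAN is OK
TEMPERATURE is OK
Temperature Value: 38 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 49 Degree Celsius
Red Threshold    : 59 Degree Celsius
POWER is OK
RPS is NOT PRESENT
"""

FIELD_PATTERNS = {
    "value": re.compile(r"Temperature Value\s*:\s*(\d+)"),
    "state": re.compile(r"Temperature State\s*:\s*(\w+)"),
    "yellow": re.compile(r"Yellow Threshold\s*:\s*(\d+)"),
    "red": re.compile(r"Red Threshold\s*:\s*(\d+)"),
}


def parse_show_env(text):
    """Extract the temperature fields the article refers to into a dict."""
    parsed = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"field {name!r} not found in output")
        parsed[name] = match.group(1).upper() if name == "state" else int(match.group(1))
    return parsed


def expected_state(value, yellow, red):
    """State the switch should report: GREEN below yellow, YELLOW below red, else RED."""
    if value < yellow:
        return "GREEN"
    if value < red:
        return "YELLOW"
    return "RED"


def check_temperature(text, yellow_override=None):
    """Return (reported_state, expected_state, consistent).

    yellow_override models step 4: it shows what state the current reading
    would land in after 'system env temperature threshold <n>' is applied,
    without polling the switch again.
    """
    env = parse_show_env(text)
    yellow = env["yellow"] if yellow_override is None else yellow_override
    if not yellow < env["red"]:
        raise ValueError("yellow threshold must stay below the red threshold")
    expected = expected_state(env["value"], yellow, env["red"])
    return env["state"], expected, env["state"] == expected


if __name__ == "__main__":
    print(check_temperature(SAMPLE_SHOW_ENV_ALL))
    print(check_temperature(SAMPLE_SHOW_ENV_ALL, yellow_override=35))
```

A mismatch between the reported and expected state after a threshold change simply means the switch has not re-evaluated yet, so poll it again before alerting.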

 

Web Browser

5. Check if the web service is running on your switch by issuing the command "show ip http server status" from the "Privileged Exec" mode. See Section 1 for details on how to get there.

 

6. Verify that "HTTP server status" and/or "HTTP secure server status" is set to "Enabled." Issue the command "ip http server" from the "configuration" mode to enable the web services. To disable the HTTP service, issue the command "no ip http server."

 

7. Open a browser, type the IP address of your switch into the address bar and hit enter.

 

8. Check the far right section titled "Temp" for the temperature of the switch.

 

Tips & Warnings

You can also use SNMP traps to monitor the switch temperature, but the process is not very intuitive and requires knowledge of SNMP MIBs, traps and monitoring software.

Enabling the HTTP service on your switch introduces a security risk.


Reference from Cisco.com

Catalyst 2960 Switch Software Configuration Guide

Cisco Catalyst 2960-S and 2960 Series Switches with LAN Base Software

Cisco IOS Commands Master List

Wednesday 7 March 2012, 09:58

The different licensing “levels” available on the Cisco Adaptive Security Appliances allow an organization to buy only what they need while retaining the option to upgrade in the future, if necessary.

For example, a small business with 15 employees may start out with a Cisco ASA 5505 with a 25-user (or, more correctly, 25-host) license. As new employees are hired — or existing employees begin using Wi-Fi on more devices — they may approach the limit and find it necessary to upgrade to a 50- or unlimited-user license.

[Image: Cisco ASA 5510]

Once you have obtained a new "activation key", upgrading the license on a Cisco ASA is among the simplest tasks you can perform, although it often requires a reload of the device to take effect.

 

You can see what license you currently have installed using the show activation-key command:

ciscoasa# show activation-key
Serial Number: JMX1316M41H
Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 3, DMZ Restricted
Inside Hosts: 10
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 10
WebVPN Peers: 2
Dual ISPs: Disabled
VLAN Trunk Ports: 0
AnyConnect for Mobile: Disabled
AnyConnect for Linksys phone: Disabled
Advanced Endpoint Assessment: Disabled
UC Proxy Sessions: 2

This platform has a Base license.
The flash activation key is the SAME as the running key.
 

Upgrading to our new license is simply a matter of going into global configuration mode and using the activation-key command to provide the new license key to the ASA:

ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8
Failover is different.
   flash activation key: Restricted(R)
   new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]

 

Our new activation key was accepted. The above output shows that the activation key saved in flash memory is "Restricted" while the new one we've just supplied is "Unrestricted". The ASA asks us to confirm that we want to update the key; go ahead and press ENTER.

Failover is different.
   running activation key: Restricted(R)
   new activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become active after the next reload.
ciscoasa(config)#

 

The ASA tells us that the activation key stored in flash was updated (and will take effect upon the next reload), but the running activation key was not changed. When you see this, the ASA is telling you that you need to perform a reload for the new features to take effect.

 

I’ll go ahead and do that, though you might need to wait for a maintenance window or planned downtime.

ciscoasa(config)# end
ciscoasa# reload
Proceed with reload? [confirm]

Once the ASA has reloaded, we can log back in and verify that our new license — and new features — are active:

ciscoasa# show activation-key
Serial Number: JMX1316M41H
Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 20, DMZ Unrestricted
Inside Hosts: Unlimited
Failover: Active/Standby
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 25
WebVPN Peers: 2
Dual ISPs: Enabled
VLAN Trunk Ports: 8
AnyConnect for Mobile: Disabled
AnyConnect for Linksys phone: Disabled
Advanced Endpoint Assessment: Disabled
UC Proxy Sessions: 2

This platform has an ASA 5505 Security Plus license.
The flash activation key is the SAME as the running key.
ciscoasa#

 

The ASA is back up and running and you can start using the additional features that your new license provides.
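Rather than eyeballing the before and after output, the post-reload verification can be scripted. The following is an added Python example (not from the article or from Cisco) that takes the two show activation-key transcripts above, pasted in as string constants and trimmed to the fields that change, reports which licensed features differ, and only declares the upgrade complete when the expected key is running and the flash key agrees with it.

```python
import re

# The two transcripts below are the article's own "show activation-key" output,
# pasted in as string constants (trimmed to the fields that matter here) so the
# comparison runs offline.
BEFORE = """\
Serial Number: JMX1316M41H
Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 3, DMZ Restricted
Inside Hosts: 10
Failover: Disabled
VPN-3DES-AES: Enabled
VPN Peers: 10
Dual ISPs: Disabled
VLAN Trunk Ports: 0

This platform has a Base license.
The flash activation key is the SAME as the running key.
"""

AFTER = """\
Serial Number: JMX1316M41H
Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 20, DMZ Unrestricted
Inside Hosts: Unlimited
Failover: Active/Standby
VPN-3DES-AES: Enabled
VPN Peers: 25
Dual ISPs: Enabled
VLAN Trunk Ports: 8

This platform has an ASA 5505 Security Plus license.
The flash activation key is the SAME as the running key.
"""

KEY_RE = re.compile(r"^Running Activation Key:\s*(.+?)\s*$", re.M)
PLATFORM_RE = re.compile(r"^This platform has an? (.+) license\.$", re.M)
FLASH_SAME = "The flash activation key is the SAME as the running key."


def parse_activation_key(text):
    """Return (running_key, license_name, {feature: value}, flash_matches_running)."""
    features = {}
    in_features = False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_features = True
        elif in_features and not line.strip():
            in_features = False          # a blank line closes the feature block
        elif in_features:
            name, _, value = line.partition(":")
            features[name.strip()] = value.strip()
    key = KEY_RE.search(text).group(1)
    license_name = PLATFORM_RE.search(text).group(1)
    return key, license_name, features, FLASH_SAME in text


def license_diff(before_text, after_text):
    """{feature: (old, new)} for every feature whose value differs; unchanged ones omitted."""
    before = parse_activation_key(before_text)[2]
    after = parse_activation_key(after_text)[2]
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n)) for n in names if before.get(n) != after.get(n)}


def verify_upgrade(before_text, after_text, expected_key):
    """True only when the expected key is running, flash agrees, and features changed."""
    key, _, _, flash_same = parse_activation_key(after_text)
    return key == expected_key and flash_same and bool(license_diff(before_text, after_text))


if __name__ == "__main__":
    for name, (old, new) in license_diff(BEFORE, AFTER).items():
        print(f"{name}: {old} -> {new}")
```

Feeding the post-key, pre-reload output into verify_upgrade would return False, because the running key has not changed yet, which is exactly the "needs a reload" condition the warning above describes.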

 

For more information and tutorials on Cisco and Cisco firewalls, visit: http://blog.router-switch.com/

Tuesday 6 March 2012, 09:51

Transform your branch-office experience with the new Cisco Integrated Services Routers Generation 2 (ISR G2) Family, Cisco’s latest addition to the tremendously successful integrated services router portfolio. The Cisco ISR G2s are part of the Cisco Borderless Network Architecture that enables business innovation and growth across all remote sites. The next-generation architecture delivers a new workspace experience by meeting the performance requirements for the next generation of WAN and network services, enabling the cost-effective delivery of high-definition collaboration at the branch office and providing the secure transition to the next generation of cloud and virtualized network services. Designed for optimal service delivery on a single platform, the new Cisco ISR G2 routers give businesses greater power to deliver a superior customer experience and deploy services “on demand” as business needs dictate—while reducing overall operating costs.

 

What Problems Do Cisco ISR G2s Help Solve?

With the number of employees growing at the branch office, IT teams are challenged to securely and efficiently connect remote locations at minimal cost. The Cisco ISR G2 not only addresses critical branch-office challenges like the first generation, it also introduces revolutionary ways to make the remote office more productive, more collaborative, and more operationally efficient. These new innovations enable branch offices to:

  • Deliver next-generation WAN and network service requirements
  • Become more productive through increased video-based collaboration and rich-media services
  • Securely transition to cloud and virtualized network services
  • Minimize energy consumption and costs to support corporate sustainability
  • Enable small IT teams to scale services worldwide

 

Cisco ISR G2 Positioning

The Cisco ISR G2 provides a highly secure and reliable platform for scalable multiservice integration at enterprise and commercial branch offices of all sizes and small-to-medium sized businesses (Figure 1). The excellent service delivery on a single platform, now up to 8x greater performance, offers the ultimate user experience with the architectural scalability and investment protection needed to minimize overall deployment costs.

 

Figure 1 Cisco Integrated Services Routers Generation 2


 

What’s new on Cisco ISR G2?

Table 1 compares the features of the first and second generations of Cisco Integrated Services Routers.

[Table 1: feature comparison image]

 

Why Upgrade Your Existing Access Router to a Cisco ISR G2 Router?

The Cisco ISR G2 portfolio builds upon the market success of the first generation of integrated services routers with new enhancements that deliver greater value to your business with new enhancements for service virtualization, video-ready capabilities, and operational excellence. Our exciting new innovations deliver:

Video-ready branch office for a superior customer experience with new services that transform the branch-office workspace:

  • Media engines that enable business-grade video applications based on high-density video-ready DSPs that deliver the medianet high-definition experience
  • Bandwidth-optimized and scalable video services, including media-rich video conferencing, video surveillance, video streaming, and digital signage
  • High-performance (up to 8x), nonstop branch office experience to meet your future WAN and services requirements
  • TelePresence capability to your midsize branch offices with T1/E1 links

Service virtualization to deliver highly effective business innovation that achieves unparalleled service:

  • Cloud extensibility and services virtualization for mission-critical application survivability to remote sites
  • Broadest services offering to all branch-office sites, including security, unified communications, WAN optimization, application integration, and customizable virtual services
  • A revolutionary "on-demand" services delivery model enabled by the innovative Cisco Services Ready Engine (SRE)

Operational excellence providing the lowest total cost of ownership (TCO) with scalability, operational flexibility, and simplicity based on best-in-class service integration, innovative pay-as-you-grow model, and optimized energy efficiency:

  • Superior business flexibility for on-demand service delivery with minimal system upgrades
  • Increased branch-office uptime with enhanced availability features
  • Greater energy efficiency with slot-based controls to decrease costs and support sustainability
  • Simplified deployment with a single Cisco IOS Software image
  • Investment protection with support for most of the prior generation of integrated services router interfaces

 

Cisco Services for the Branch Office

Services from Cisco and our certified partners can help you transform the branch-office experience and accelerate business innovation and growth with Borderless Networks. We have the depth and breadth of expertise to create a clear, replicable, optimized branch office footprint across technologies that will help you:

  • Increase the accuracy, speed, and efficiency of deployment
  • Improve operational efficiency, save money, and mitigate risk
  • Continuously improve performance

 

Why Cisco?

Built on 25 years of innovation and product leadership along with broad market acceptance, the new generation of access routers continues to optimize service integration to transform the branch-office experience with the speed, scale, and flexibility to deliver tomorrow’s services transparently at a low cost of ownership. For more information, please visit: www.cisco.com/go/isrg2.

 

Table 2 compares the models of the Cisco ISR G2 portfolio.

[Table 2: Cisco ISR G2 model comparison image]

More Cisco ISR G2 Files: Cisco ISR G2 Management Overview

Wednesday 29 February 2012, 09:49

Ethernet Switch

A switch is something that is used to turn various electronic devices on or off. However, in computer networking, a switch is used to connect multiple computers with each other. Since it is an external device it becomes part of the hardware peripherals used in the operation of a computer system. This connection is done within an existing Local Area Network (LAN) only, and the switch is identical to an Ethernet hub in terms of appearance, except with more intelligence. These switches not only receive data packets, but also have the ability to inspect them before passing them on to the next computer. That is, they can figure out the source, the contents of the data, and identify the destination as well. As a result of this uniqueness, a switch sends the data to the relevant connected system only, thereby using less bandwidth at high performance rates.

[Image: Ethernet switches]

 

Ethernet Switches and Crossover Cables

The wires in a crossover cable are “crossed” so that output signals from the transmitting device are properly sent as input signals to the receiving end. An Ethernet switch can be thought of as a device that makes temporary crossover cable connections between computers that want to communicate. Just like crossover cables, switches do not suffer from collision problems.

However, it should be noted that the actual cables used are “straight through.” The crossover function is done inside of the switch.

 

Since separate wires are used for sending and receiving, switches support operation in full duplex mode. This mode allows devices to send and receive data at the same time.

 

Advantages over Hubs

As mentioned above, switches are intelligent devices that can read the data packets that pass through them. By storing each host’s MAC address and its corresponding port in a table, switches ensure that bandwidth is not wasted by intelligently directing traffic. Hubs are dumb devices that do not do any processing.

 

Unlike hubs, switches are modern, fast, and support full duplex operation. In short, they are much better.
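The MAC-address table described above is also why the first post on this page lists MAC address floods among the attacks an access switch must defend against: once the table is full, frames for evicted destinations go out every port, so the switch degrades to hub behaviour. The following is an added Python example (not from the article or from any Cisco code) of a toy learning switch with a bounded table, plus an optional per-port address limit that models what a port-security feature does; the limit's behaviour here is an assumption for illustration, not a model of any particular vendor's implementation.

```python
from collections import OrderedDict

FLOOD = "flood"


class LearningSwitch:
    """Toy model of the MAC-address table an Ethernet switch builds.

    table_size caps the whole table, like a real CAM table. max_per_port is an
    assumed per-port address limit standing in for a port-security feature: a
    port that tries to exceed it is disabled and its frames are dropped.
    """

    def __init__(self, ports, table_size=8, max_per_port=None):
        self.ports = set(ports)
        self.table_size = table_size
        self.max_per_port = max_per_port
        self.table = OrderedDict()   # mac -> port, oldest entry first
        self.err_disabled = set()    # ports shut down by the per-port limit

    def _learn(self, mac, port):
        """Record mac on port; return False if the per-port limit was violated."""
        if self.max_per_port is not None:
            others = {m for m, p in self.table.items() if p == port and m != mac}
            if len(others) >= self.max_per_port:
                self.err_disabled.add(port)
                return False
        if mac in self.table:
            self.table.move_to_end(mac)          # refresh an existing entry
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)       # table full: evict the oldest entry
        self.table[mac] = port
        return True

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports, FLOOD for unknown destinations, or []."""
        if in_port not in self.ports or in_port in self.err_disabled:
            return []
        if not self._learn(src_mac, in_port):
            return []
        out = self.table.get(dst_mac)
        if out is None:
            return FLOOD      # unknown destination: every other port sees the frame
        if out == in_port:
            return []         # destination is on the ingress segment already
        return [out]


if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3], table_size=4)
    sw.receive(1, "A", "B")
    sw.receive(2, "B", "A")
    print(sw.receive(1, "A", "B"))   # known destination: forwarded to port 2 only
```

With table_size=4 and no per-port limit, four new source addresses arriving on a third port are enough to evict A and B, after which A's frames to B are flooded; with max_per_port=1 the third port is disabled at its second address and the A-to-B entry survives.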

 

...To be continued...

 
