L3 switch - with client isolation - what are the options?

Hi there,

I'm looking for some advice on switches (24 & 48 ports). At the moment I am using Cisco 2950G-EL switches with the following setup:
Port 1 = trunk to router
Port 2 = management pc
Port 3 - 15 = VLAN11 = Wireless Access points (each has wireless isolation on them already)
Port 16 - 48 = VLAN2 & client isolation = Client ports

Ideally I'm looking to move away from Cisco units and go for another brand with which I can achieve the same network setup. The main reason why I don't want to use Cisco is I'd prefer using a GUI interface rather than a terminal.

The idea of client isolation is to help prevent backwards DHCP requests and also to help against "hackers".

I'd be grateful if someone could recommend switches which would be suitable.
 
I'd stick with Cisco mate - they're market leaders for a reason.

You can also, if enabled, HTTP to the switches and change the port VLANs that way. Worth looking into.



M.
 
Stick with Cisco, introduce some techniques to protect DHCP: you can set up port protection and trust DHCP offers from certain ports, so if a DHCP offer comes from a client port it gets dropped. That kind of thing.

Cisco do some management software, however it's not that great, so the CLI is the best way. It's not going to be very difficult in the environment that you've got.
 
Hi guys thanks for your input.

As the 2950s are no longer manufactured, what models would you recommend going forward?
 
Well you mentioned L3 switches, which the 29x0 series aren't. If you don't need L3 then the 2960 is the like for like replacement (for the moment, it's getting superseded slowly). Otherwise, well you could use 3560s for layer3 but the 3750 is the overwhelmingly popular choice for this sort of thing.

A word of warning, current Cisco support of IPV6 on L3 switches is not good, we're ripping out our 3750s for this reason alone.

We're moving to Juniper EX4200s as they are in my view far superior units in virtually every respect at a price point which isn't much more than the 3750. Though if you don't like the Cisco CLI then I'd steer well clear, JUNOS is all powerful but it could take you days to work out how to configure switching if you don't know the platform.

Other options too of course, but I wouldn't buy them and hence won't recommend them. With a minor exception for Brocade: the FCX is a capable platform but not without its flaws (that is, bugs) still.
 
Hi
I'm sure the 2950-EL is L3 (or at least multilayer but restrictive).
The main function I really need is port isolation. Like you would have wireless devices but there it's called client isolation
 
To my knowledge the 2950 with the enhanced image can categorise traffic based on L3 but cannot route; you need a 3000 series switch or better for that. Port isolation: expand on exactly what you want. I'd say private VLAN is the most obvious feature to meet that description (and I think virtually everything supports it..)
 
Isn't client isolation there to stop wireless clients from talking to each other? I think, as Mr BRS says, the closest thing to that is private VLANs.

I like my 3750s, just about to replace a load of 3524pwrs with them (it's what we've got knocking around). They're the most popular along with 45ks at the moment (in our network).

I can't see us going IPv6 any time soon, which is odd considering the business that my company is in. Maybe on the provider side, but internally it's like the stone age :(
 
Hi, it's very similar to wireless client isolation, but it's for the switch ports only.
That I'm 100% sure on, as it's in my setup now.

I set these units up so long ago I can't remember how I even did it or the Cisco commands. I've had no problems with them for years.

Is there a command to display the configuration from the CLI? Then I could post it up here.
 
Thanks here is the configuration:

Code:
Building configuration...

Current configuration : 5976 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip dhcp snooping vlan 2
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 description rb450g-e2
 switchport trunk allowed vlan 2,3,11
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/2
 description management
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/4
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/5
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/6
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/7
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/8
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/9
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/10
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/11
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/12
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/13
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/14
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/15
 description EnGenius AP
 switchport trunk allowed vlan 2,11
 switchport mode trunk
!
interface FastEthernet0/16
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/17
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/18
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/19
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/20
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/21
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/22
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/23
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/24
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/25
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/26
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/27
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/28
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/29
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/30
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/31
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/32
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/33
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/34
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/35
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/36
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/37
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/38
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/39
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/40
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/41
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/42
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/43
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/44
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/45
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/46
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/47
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/48
 description  cust eth
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan2
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan11
 ip address 192.168.11.9 255.255.255.0
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.11.1
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
 
That config is OK, but could be better.

You should enable port security at least: http://www.cisco.com/en/US/docs/swi.../12.1_9_ea1/configuration/guide/swtrafc.htmll (the link is also the manual)

Also change the hostname, create some users, lock the vty and con down, and if the port is connected to a host enable portfast. Sorry, I am at work so don't have time to amend the config.

Edit: Why is Vlan11 'shutdown' when it appears to be a management link? I'd also look at using native VLANs.
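As an added example (not from the thread, nor Cisco's own tooling), a small Python audit that parses an IOS running-config like the one posted above and reports the points raised in this review. The sample is a constructed excerpt of that config, and treating `switchport protected` as the 2950's port-isolation command is an assumption.

```python
# Constructed excerpt in the style of the 2950 config posted in the thread,
# trimmed to one trunk port, one client port, the SVI and the vty lines.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/16
 switchport access vlan 2
 switchport mode access
!
interface Vlan11
 ip address 192.168.11.9 255.255.255.0
 shutdown
!
line vty 0 4
 login
"""

def parse_blocks(text):
    """Split an IOS running-config into {header: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line and line != "!":
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(text):
    """Return findings mirroring the review points raised in the thread."""
    findings = []
    for hdr, lines in parse_blocks(text).items():
        if hdr.startswith("interface"):
            name = hdr.split()[1]
            if "switchport mode access" in lines:
                # Reviewer: enable port security and portfast on host ports.
                # 'switchport protected' is assumed to be the 2950 port-isolation knob.
                for cmd, msg in (("switchport port-security", "no port security"),
                                 ("spanning-tree portfast", "no portfast"),
                                 ("switchport protected", "not marked protected")):
                    if not any(l.startswith(cmd) for l in lines):
                        findings.append(f"{name}: {msg}")
            if name.startswith("Vlan") and "shutdown" in lines:
                findings.append(f"{name}: SVI is shut down")
        elif hdr.startswith("line vty") and "login" in lines:
            # 'login' with no password means remote logins are refused outright.
            if not any(l.startswith(("password", "login local")) for l in lines):
                findings.append(f"{hdr}: 'login' set but no password or 'login local'")
    return findings
```

Running `audit()` over the full posted config flags every `cust eth` port the same way, which is the quickest check that the isolation the thread describes is actually present in what the switch is running.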
 
To be honest, it was a very long time ago that I did the configuration, but I haven't had any issues with it or anyone trying to get into it.

I'm just really trying to find a switch which can do the same thing as this unit. I.e. VLANs and port isolation.

I.e:
Port 1 can talk to Port 2-48
Ports 2-48 can talk to port 1
but ports 2-48 cannot talk to each other

My understanding of port isolation is locking the port by MAC address. Whereas in my network users are always changing their equipment, so I need to leave it open ended.
 
You want private VLANs, which is what you described. A 3750 or some such from Cisco will do this perfectly, but of course it's CLI. To be honest I doubt you'll find a switch worthwhile that isn't CLI.

- Pea0n
 
You want port 1 as a promiscuous port and the rest in isolated mode. Can't fault Cisco equipment.

The only way I can see you getting a 2950 to do what you want is to give each port its own VLAN and use a router to allow communication where you want. But that's a messy and wasteful way to do it.
 
Thanks for your replies, but my current configuration is doing exactly what I need it to do on the 2950-EL.
If I go back to my question, I'm asking if there is any other switch I can replicate the configuration on using a GUI.
 
Is there any other reason that you're looking to change other than having a GUI? Do you have to change for a support contract? Are you hitting a performance limit? Realistically, how much 'management' do you do on a daily basis?
If the GUI is the only reason for change, then personally I would urge you to think again. A GUI is not really practical for large deployments or regular maintenance. The beauty of Cisco is that you can just copy and paste or use range commands.

If you're set on a GUI, you could look at HP switches, but I'm not sure if there are licence implications or anything like that, or if the features match what you're trying to do. IOS is a good skill to have and most things can be done while you're still waiting for a Java GUI to load....
 
If you're absolutely desperate for a GUI, maybe look at the Cisco Configuration Professional software.

I tried it once but it's Java based and saying the speed was 'glacial' would be generous.
 
We use both Cisco 3750 and HP E series (currently our new unit of choice is the E4800G).

Personally, I prefer the HP (well, it's 3Com really, running Comware 5) units as they are a seriously good bit of kit and I personally feel they are better value than Cisco, where the badge alone slaps on a good amount of money. They are both cracking platforms though, and both bulletproof.

That aside... the 4800s have a GUI but it is fairly limited... however you can do VLANs, port isolate groups, etc. The Comware OS has a fairly similar command structure to IOS for quite a lot of things.. I personally don't find it too much hassle working between the two.

However.. investing thousands in new kit just for a GUI seems a colossal waste of cash to me, and as already said, you will not get a GUI that gives access to all the features unless it's a pretty limited switch.

If you do not need higher end switches then forget about the Cisco 3750 or HP E4800G; you could consider an HP V series unit such as the 2900 series (formerly the 3Com Baseline range) which offers layer 3 static routing, or the lower end of the 4xxx range such as the 4210 if you need full L3 capability.

You could also look into the Cisco Configuration Assistant.
 
Probably the best GUI switches I've seen are Extreme Networks. The Summit series' 'ScreenPlay' is very good indeed. It even gives you a CLI terminal interface WITHIN the web interface. But still, to do the advanced stuff you need to use the command line in some form. You can get a bit more clever with the configuration management in EPICenter, but then you need to set the server app up and enable SNMPv3 on all your switches, which is hassle and not worth it unless you have lots.

All that said, I wouldn't recommend them in this case, as to get 48 ports @ 1gig + layer 3 bits you'd need an X450e-48t, which is super expensive and a bit overkill.
The gap between managed layer 2 and enterprise aggregate seems to be Cisco's patch, and Extreme do seem to have left them to it.
 