
Traffic help - possible switch upgrade

Status
Not open for further replies.

Geo502

Technical User
Oct 18, 2007
10
US
I am new to the upgrading thing with switches and routers, so I need some advice on what I should do with our current network and how to better route traffic.

We have a small office of 8 users connecting to a switch in a closet that then connects to a 24 port Cisco Catalyst 2950 switch in the datacenter.

We also have a total of 9 servers connected to the same switch in the datacenter. These servers consist of 2 web servers, 1 database server, 2 DNS servers and a domain controller, backup server, anti-virus server, etc.

From the Catalyst 2950 it goes into a PIX firewall and then to a BGP setup with a 2800 and old 2600 series routers.

I know that it can't be good (or could it?) for all of the web traffic and internal network traffic to go into the same 24 port switch.
My question is: could I add another switch to one of the ports on the existing switch, or would that do any good, since it would be connected via crossover to the existing switch and traffic would still pretty much be flowing through the same switch?

What is my best solution for the web traffic to the users surfing our site?

I would also like to have the web server traffic eventually on gigabit transmission, but that is a wish for later in 2009.


Thanks to whoever takes the time to reply to this post.

 
Why do you have a switch connected to the 2950 in the first place? Other than this, adding more switches would slow you down. The best scenario is one switch with everything in the same network/subnet/vlan, if you can get away with it---routing is a lot less efficient than switching. Also, why BGP for the WAN?

Burt
 
I don't have anything connected to the Cisco Catalyst 2950. I was asking if I should connect another switch to this to help with traffic.

As far as the BGP: I have two ISPs, a Sprint link and a wireless link. The wireless link is paying for itself (I have the other offices paying for it), so why not use it? I use it for redundancy and load balancing for my web traffic.

Is it OK to have your incoming web traffic and outgoing network traffic all on the same switch and on the same subnet? If there is not a better way then I can keep it like it is. But I was just thinking that it doesn't look good when all of the traffic is being routed by one switch.
 
Sorry... maybe I need to explain what my theory behind this is. If I have 30 users connected to the site at one time, and then I have my local network users downloading something, and then my mail server is sending out 100 emails, and this is all done on the same switch/subnet/VLAN, would this be best practice for routing the traffic?

I am new to the networking field and need your advice, so please guide me to learning what is best to do here.
 
If your web server is sitting on the same LAN as your servers, users, and everything else, you have more serious concerns than switch traffic. You need a complete redesign of your network to get the web server and its traffic into a DMZ, so that if it gets compromised your LAN isn't at risk. Wow.

Ideally, for your situation (and setting aside the fact that whoever set up your web server should be fired), I'd have all the servers on a gigabit switch, and then your LAN users connected to a 100 Mbps switch that has dual gigabit uplinks to the server switch. Then again, gigabit has gotten cheap so maybe one big switch for everyone.

Get the web server situation fixed though; if it's as you describe that's bad news.

 
Furthermore, I would actually separate everything into vlans and use a layer 3 switch to route, with a trunk to an actual router for the WAN. Now I see what you are trying to achieve---I thought you were asking if it is better with more switches or less switches.
I would not agree with having a gig switch for servers and a 100 Mb switch (separate switch) for LAN users---a gig switch link will negotiate down to whatever the LAN nodes are (100 Mbps), so there is no need to get a second switch. You can do router-on-a-stick with 802.1Q trunking with the 2950, and with only a few vlans, this might be best instead of purchasing a L3 switch. The server connections can be teamed on the server end and port-channeled on the 2950 end for greater throughput.

Burt

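The design Burt describes (VLANs on the 2950, an 802.1Q trunk to a router doing router-on-a-stick, and teamed server NICs on a port-channel), written out as an added example that is not from the thread and not from Geo's switch. The VLAN numbers (1 for office users, 20 for servers), the addresses, the spare port Fa0/6 used for the trunk, the Fa0/9 and Fa0/10 pair for the team, and the router's FastEthernet0/0 are all assumptions. The routing interface is assumed to sit on the inside of the PIX, so the firewall stays the only path between the LAN and the WAN router. A 2950 only speaks 802.1Q, so there is no trunk encapsulation to choose.

```cisco
! ===== Catalyst 2950 (assumed: VLAN 1 = office users, VLAN 20 = servers) =====
vlan 20
 name SERVERS
!
! 802.1Q trunk toward the inside router interface; Fa0/6 is assumed free.
interface FastEthernet0/6
 description TRUNK TO INSIDE ROUTER
 switchport mode trunk
 switchport trunk allowed vlan 1,20
!
! Two server NICs bundled as one logical link (static mode, to match a
! static team on the server side); Fa0/9 and Fa0/10 are assumed free.
interface Port-channel1
 description DB SERVER NIC TEAM
 switchport access vlan 20
!
interface FastEthernet0/9
 description DB SERVER NIC 1
 switchport access vlan 20
 channel-group 1 mode on
!
interface FastEthernet0/10
 description DB SERVER NIC 2
 switchport access vlan 20
 channel-group 1 mode on
!
! Management SVI (the posted config has every SVI shut down); assumed address.
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.1.1

! ===== Router doing router-on-a-stick (assumed: FastEthernet0/0 faces the trunk) =====
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 description VLAN 1 - office users
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VLAN 20 - servers
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
! Everything not local goes to the PIX inside interface (assumed 192.168.1.254);
! the PIX in turn needs a route to 192.168.20.0/24 via 192.168.1.1.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
```

Office hosts and servers then use the subinterface address of their own VLAN as default gateway, and the two VLANs are separate broadcast domains as Burt wants. Because traffic between them now passes through the router, an access list applied to the subinterfaces is the natural place to restrict which server ports the office can reach, which a flat VLAN cannot do at all.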
 
Let me tell you that I have a mess on my hands. I have my CCNA Intro but I am not very advanced with things, and am more advanced at Windows administration than anything. The last IT guy that worked here was fired, and when he was fired I was led to believe that everything had been set up very nicely. Little did I know that for the last 2 months I would be putting in 60 - 70 hours a week.

I appreciate all of your help and will take it into consideration. Attached is a config with what server is on what port. The old admin does have a couple of the ports VLANed, but just for the router and PIX.

Cisco Catalyst 2950 running-config:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname xxxx
!
!
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 ! inside pix
 description PIX INSIDE
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/2
 ! anti virus server
 no ip address
!
interface FastEthernet0/3
 ! outside dns
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 ! outside dns
 no ip address
!
interface FastEthernet0/6
 no ip address
!
interface FastEthernet0/7
 ! web server
 no ip address
!
interface FastEthernet0/8
 ! db server
 no ip address
!
interface FastEthernet0/9
 no ip address
!
interface FastEthernet0/10
 no ip address
!
interface FastEthernet0/11
 ! web server
 no ip address
!
interface FastEthernet0/12
 ! production server
 no ip address
!
interface FastEthernet0/13
 ! mail server
 no ip address
!
interface FastEthernet0/14
 ! domain controller
 no ip address
!
interface FastEthernet0/15
 ! domain controller
 no ip address
!
interface FastEthernet0/16
 ! the office users
 no ip address
!
interface FastEthernet0/17
 no ip address
!
interface FastEthernet0/18
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/19
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/20
 description NS2 Server
 switchport access vlan 10
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/21
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/22
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/23
 ! outside pix
 description PIX OUTSIDE
 switchport access vlan 10
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/24
 ! cisco 2800 router
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan2
 description WAN
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan3
 description default
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan4
 description default
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan6
 description test
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!


Can I do anything with what I have here to help with traffic?

 
You need to identify your bottleneck(s) - upgrading your switch won't help if it's the PIX that's holding you up (which is the most likely bottleneck, after your internet connection). Depending on which PIX it is, they are mostly 100Mb interfaces and have very limited throughput.

You need 2 switches.

Your internal LAN should be on one.

Your webserver (and anything else that's publicly-accessible) should be on the other. ("DMZ").

Each switch should patch to its own port on the PIX, which needs to be configured to protect your LAN from your DMZ.

 
It looks like they are using the 2950 to break everything out from your DMZ to your inside net. It makes it tough to determine what goes where when they do that. You can check on the switch utilization by occasionally using "show controllers utilization"; this gives you individual port and switch fabric utilization.
 
"You need 2 switches."
Why? Just being on switches does not separate the LAN from the servers, in any way at all---still one big broadcast domain...all that does is cause more latency.
If separation was an issue, vlans could solve that. Internal traffic should be fine just traversing the switch, and server to LAN separated by two vlans would separate the broadcast domain and create two, thus causing less traffic in each section (VLAN).
I never got any impression that there was a bottleneck in the network from Geo---
Are there problems you are experiencing right now, Geo?
By the way, your previous IT dude never set up a management SVI or a trunk for the switch, unless there was one there before---the port leading to the router is configured as an access port...

Burt
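The separation WhirlwIND asks for and Burt says VLANs can provide, done on the one existing 2950 plus a PIX with a third interface, as an added example that is not from the thread and not from Geo's posted config. The web-server ports (Fa0/7 and Fa0/11) come from the posted config; the DMZ VLAN number (20), the spare port Fa0/4 for the PIX DMZ leg, the PIX 6.x command syntax and every address (192.168.1.0/24 inside, 192.168.20.0/24 DMZ, 203.0.113.x public) are assumptions. Lines starting with ! are annotations.

```cisco
! ===== Catalyst 2950: a third broadcast domain for the public-facing hosts =====
vlan 20
 name DMZ
!
! The PIX DMZ interface patches to an assumed-free port.
interface FastEthernet0/4
 description PIX DMZ
 switchport access vlan 20
 duplex full
 speed 100
!
interface FastEthernet0/7
 description WEB SERVER 1
 switchport access vlan 20
!
interface FastEthernet0/11
 description WEB SERVER 2
 switchport access vlan 20
!
! A port nobody is patched into should not sit in the inside VLAN:
! park it in an unused VLAN and shut it (Fa0/17 is assumed unused).
vlan 999
 name PARKING
!
interface FastEthernet0/17
 switchport access vlan 999
 shutdown

! ===== PIX (assumed PIX 6.x syntax; ethernet2 is the added DMZ interface) =====
nameif ethernet2 dmz security50
ip address dmz 192.168.20.1 255.255.255.0
!
! From the DMZ: DNS lookups are allowed, nothing may be opened toward the inside.
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit udp any any eq domain
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
!
! Publish the web servers on public addresses and admit only HTTP/HTTPS to them.
static (dmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.20.11 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq https
access-group outside_in in interface outside
```

With this in place the inside, the DMZ and the outside are three VLANs on one switch and three interfaces on the PIX, which is the only device that forwards between them, so a compromised web server can reach exactly what the dmz_in list permits. If the web servers must talk to the database server on the inside, add one permit for that host and port ahead of the deny; that single line is then the whole exposure of the LAN to the DMZ, and it is worth logging.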
 
You've misunderstood me - the two switches should of course not be connected.

Now that you mention it, I'm not sure if the concern is performance or security.
If performance is the issue, then I would look at the PIX. If the switch shows it's dropping frames, then definitely get a new one & separate the two networks.
If it's security, these two networks need to be separated onto two switches.

 
There are times when it does get slow. I have just installed MRTG and am going to monitor the traffic through the PIX. The metrics for the BGP are not set up very well. We have a 1.5 Meg T1 pipe from Sprint and a 6 Meg from a local wireless ISP. We do not utilize the 6 Meg as much as we should.

It can get busy at times on the site, and if someone is downloading something large then we can see some latency. I'm not sure if users pulling up the site on the other end experience it, but I'm sure they do. The MRTG will help find all of that.

As far as security, you ask. Well, that is another one that needs to be tackled. WhirlwIND stated that it could be the PIX that could slow things down; should I look into a firewall for security and efficiency?

 
The PIX IS a firewall---there are things on the router end you could configure, like QoS, CAR, NBAR, etc to limit bandwidth for certain apps (HTTP, for example), and monitor traffic. I would definitely use the 6MB for regular traffic, and maybe the T1 as a backup...

Burt
 
This is what I mean about identifying your bottleneck:
Edge switch ports: 100Mb/s
Server switch ports: 100Mb/s
Switch uplink to PIX: 100Mb/s
PIX throughput: ?200Mb/s
Uplink to router: 100Mb/s
pipe to the internet: 6Mb/s

So if it's going slow while people are using the internet, it's your internet connection that's holding you up.
 
I disagree---the internet traffic is separate from regular LAN traffic, separated by the router. Maybe whatever particular host happens to be downloading MP3's at the time is slow, but that should be it.

Burt
 
I'm not sure he's complaining about the LAN traffic - what do
"There are times when it does get slow"
"It can get busy at times on the site and if someone is downloading something large then we then can see some latency"
mean, precisely?
 
I don't think he was complaining about anything at all---just wanted to know what the best set up would be, since the previous IT dude got fired and built this network, like vlans in an L2 switch with no trunk port(lol), etc.

Burt
 
The VLANs are there because they separate the "inside" from the "outside": he has two different networks on one switch which are routed between each other via the PIX.
The only devices "outside" are the PIX ("outside"), the WAN router and the "NS2Server".
 
Hello
Adding another switch isn't going to solve the problem of the slow downloads. The WAN is the bottleneck. If I were you I would go about solving the problem in steps.
1. You could buy a new switch to have some redundancy or maybe to divide the network, but this isn't a must; the same can be done with VLANs.
2. Divide the external servers from your inside LAN for security reasons.
3. Configure the routing protocol to make use of the two links (load balancing).
4. If load balancing doesn't solve the problem, use QoS.

Regards
Minue
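The QoS Burt mentions and Minue's step 4, placed on the WAN router, as an added example that is not from the thread: rather than capping HTTP as a whole (which would throttle the site's own visitors), it guarantees the web servers' replies a share of the T1 and caps the office's own downloads. Serial0/0/0 as the Sprint T1, the public web-server addresses 203.0.113.10 and 203.0.113.11, the PIX outside address 203.0.113.2 (behind which all office traffic is assumed to be NATed) and the rates are assumptions; the wireless link would get its own policy.

```cisco
! ===== 2800 WAN router (assumed: Serial0/0/0 = 1.5 Mb Sprint T1) =====
! Replies from the published web servers, identified by public address.
ip access-list extended WEB-SERVER-REPLIES
 permit tcp host 203.0.113.10 eq www any
 permit tcp host 203.0.113.10 eq 443 any
 permit tcp host 203.0.113.11 eq www any
 permit tcp host 203.0.113.11 eq 443 any
!
! Everything bound for the office: it all arrives for the PIX outside address.
ip access-list extended OFFICE-INBOUND
 permit ip any host 203.0.113.2
!
class-map match-all WEB-SERVERS
 match access-group name WEB-SERVER-REPLIES
class-map match-all OFFICE
 match access-group name OFFICE-INBOUND
!
! Outbound on the T1: the site keeps at least 60% under congestion,
! the rest is shared fairly per flow.
policy-map T1-OUT
 class WEB-SERVERS
  bandwidth percent 60
 class class-default
  fair-queue
!
! Inbound on the T1: office downloads are held to 768 kb/s (burst 144000
! bytes); excess is dropped and the TCP senders back off.
policy-map T1-IN
 class OFFICE
  police 768000 144000 conform-action transmit exceed-action drop
!
interface Serial0/0/0
 description SPRINT T1
 bandwidth 1544
 service-policy output T1-OUT
 service-policy input T1-IN
```

"show policy-map interface Serial0/0/0" reports per-class packet, drop and rate counters and is the quickest way to confirm the classes actually match the traffic. Policing inbound on the router only helps with TCP, since the packets have already crossed the T1 by the time they are dropped; it cannot reclaim link capacity from a UDP flood, which is why the figures from MRTG on the PIX should be read first.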
 
"The VLANs are there because they separate the "inside" from the "outside": he has two different networks on one switch which are routed between each other via the PIX."
I know that---my point is that the genius never created a trunk to the router for router-on-a-stick to make it work!

Burt
 