Lan Lite and Lan Base Differences for Cisco 2960 Switches

Hi habr! On our company's website, we have a FAQ section. Recently, we noticed that the question "How is LAN Lite different from LAN Base for Cisco 2960 Series Switches" is often viewed. In this article I will try to elaborate on the differences between Lan Lite and Lan Base, for example, to describe what is hidden under the words “advanced security features”, “advanced QoS features”, etc., which appear in many comparative tables of Cisco Systems.

Before going directly to the differences between Lan Lite and Lan Base, let's briefly see which models of the 2960 switches are (and there are a lot of them), what are their most significant differences, and which of the 2960 models are relevant at the time of writing this article. The most obvious option is in the form of a table. Green note current models. In light green, we note the current models, but with the only option a set of functions: 2960-CX are only Lan Base, 2960-XR are only IP Lite.

* see UPD at the end of the article
')
In this article, the differences between Lan Lite and Lan Base will be considered only for current models, that is, for 2960-C, 2960-Plus and 2960-X.

Which Cisco 2960 switch to choose: Lan Lite or Lan Base? This issue needs to be resolved before purchasing equipment once and for all, because it is impossible to switch from Lan Lite to Lan Base and back: Lan Lite switches differ from Lan Base in hardware. For 2960-X switches, the cost of Lan Lite is lower than Lan Base costs by about 20%. For switches 2960-Plus, the difference in price can go up to 40% depending on the specific models. In order to make the right choices, you need to understand exactly how the switch will be used, and what functionality the switch may need.

Confusion often occurs when people talk about Lan Lite and Lan Base for a Cisco 2960 switch as a license. Obviously, confusion occurs because in older models of modern Cisco switches, such as the 3560X, 3750X, 3650, 3850, Lan Base denotes the license. Other licenses for the listed IP Base and IP Services switches. These licenses open additional more advanced functionality in comparison with Lan Base. Lan Lite for the listed switches is missing. In the case of the Cisco 2960 Lan Lite and Lan Base, this is not a license .

It is also often found that for Lan Lite and Lan Base is the software version for Cisco switches 2960. Here you can say yes and no. For legacy Cisco 2960, Cisco 2960G switches, as well as modern Cisco 2960-Plus switches, indeed, Lan Lite models require the installation of a Lan Lite software image, and Lan Base models require a Lan Base image, respectively. You cannot install a Lan Base software image on a Lan Lite switch and vice versa. By the way, it is interesting that on the website cisco.com in the download section for Cisco 2960-Plus switches there is an opportunity to download the “wrong” software for the switch. That is, for the Lan Base switch you can, for example, download Lan Lite software:



For other switches (Cisco 2960, Cisco 2960G), downloading “incorrect” software from cisco.com will fail. For more advanced Cisco 2960-C, Cisco 2960-CX, Cisco 2960-S, Cisco 2960-SF, Cisco 2960-X, and Cisco 2960-XR switches, there is a single, universal software image. For example, for Cisco 2960-X switches, the c2960x-universalk9-mz.152-2.E3.bin software can be installed on both the Lan Lite and Lan Base switches. The set of supported functions in this case will be determined solely by the switch model. Installed universal software automatically configures a set of supported functions depending on the hardware platform. It is worth noting that Cisco 2960-XR switches stand out. The set of functions for these switches is called IP Lite (not to be confused with Lan Lite), since these switches are richer in functionality as compared to Lan Base switches. In particular, Cisco 2960-XR supports dynamic routing protocols at the initial level (OSPF for Routed Access, EIGRP Stub) and other additional functions (Policy Based Routing, HSRP, etc.). Also, it is worth noting the Cisco 2960-CX model. For this model, the version of Lan Lite does not exist. The only option is Lan Base.

Thus, the concepts of Lan Lite and Lan Base denote a set of functions, or as it is called in the official documentation of the manufacturer of Cisco Systems - IOS Feature Set.

So, let's go directly to the differences between Lan Lite and Lan Base switches. Differences will be considered only for current models of switches, since the choice of Lan Lite or Lan Base is most relevant at the time of ordering a new switch (in our FAQ there is already a short list of differences for the entire model range). From the current models, we cross out the Cisco 2960-CX (it only has Lan Base) and the Cisco 2960-XR (it only has IP Lite). It remains to consider the Cisco 2960-C (Compact), Cisco 2960-Plus and Cisco 2960-X.

Differences in hardware

Cisco 2960-C Switches

The Lan Lite model is represented by a single Catalyst 2960C-8TC-S Switch.
External differences are absent.
The differences lie exclusively in the list of supported SFP transceivers. Lan Lite switch supports only GLC-SX-MM, GLC-SX-MMD, GLC-LH-SM, GLC-LH-SMD. The Lan Base switch supports a full list of 1 GB transceivers (including Long-Reach Single-Mode Fibers, Extended Long-Reach Single-Mode Fibers and transceivers for single-core optics).

Cisco 2960-Plus Switches

External differences ... here:



On the left is Lan Base, on the right is Lan Lite. And in the upper right corner on Lan Lite it says "Catalyst 2960 Plus Series SI", on Lan Base it says "Catalyst 2960-Plus Series".

Differences:

1. List of supported transceivers. Lan Lite only supports GLC-SX-MM, GLC-SX-MMD, GLC-LH-SM, GLC-LH-SMD, and Lan Base has a full list.
2. Cisco Redundant power system (RPS) 2300 backup power system support.

Cisco 2960-X Switches

The Lan Lite model is represented by two switches: WS-C2960X-24TS-LL and WS-C2960X-48TS-LL.

External differences.

The front panel of the switch clearly shows a set of functions:



On the rear panel of the switch, the Lan Base has a slot for installing the stack module. Lan Lite switch does not support stacking, respectively, there is no slot for installing the module. In the photo, the back panel of the Lan Base switch with the stack module already installed:



Also, for switches 2960-X, unlike other switches 2960, you can find out the set of functions from the command line show license.

Differences:

1. Stacking support. As already noted, Lan Lite models can not be combined / added to the stack.
2. List of supported SFP transceivers. Lan Lite only supports GLC-SX-MM, GLC-SX-MMD, GLC-LH-SM, GLC-LH-SMD, GLC-EX-SMD, and Lan Base has a full list.
3. Support for SFP + transceivers. Lan Lite models do not support SFP +.
4. Cisco Redundant power system (RPS) 2300 backup power system support. It is worth noting here, only Lan Base models support external RPS. Lan lite models do not support, IP Lite models also do not support, but can be equipped with their own backup power supply.
5. PoE / PoE + support. Unlike the 2960-Plus, there are no Lan Lite 2960-X switches with PoE support.
6. RAM. Lan Lite models are equipped with 256 MB DRAM, Lan Base models - 512 MB DRAM.
7. Flash memory. Lan Lite models are equipped with 64 MB DRAM, Lan Base models - 128 MB DRAM.
8. Performance switching factory. Lan Lite models - 50 Gbps, Lan Base models - 108 Gbps.

Differences in the program part

Regardless of the 2960 switch models, there are common differences between Lan Lite and Lan Base in the program part. The fundamental difference is that Lan Lite switches are network devices of the second level of the OSI model (L2 devices), while Lan Base switches are devices of the third level of the OSI model (L3 devices). In other words, Lan Lite switches transmit packets exclusively on the data link layer (L2), while Lan Base switches can work with L3 and L4 headers for transmitting and processing packets. Other differences in the functionality of Lan Lite and Lan Base are mainly a consequence of this fact. To determine whether this or that functionality will work on the Lan Lite switch, in many cases it is enough to understand whether the implementation of the functionality requires analysis / processing of the IP header of the transmitted packet. Consider this statement in more detail with specific examples.

When comparing Lan Lite and Lan Base, feature sets are usually divided into the following groups:

• Level 2;
• Level 3;
• Security;
• Quality of Service (QoS);
• Controllability;

Consider the differences in each group in detail.

Level 2

Lan Lite switches provides basic data link layer functions:

• 802.1Q;
• STP and extensions;
• CDP;
• LLDP
• DTP;
• UDLD;
• VTP v2;
• PAgP / LACP;
• Storm Control;

Lan Base switches provide the following additional features:

• FlexLink;
• LLDP MED;
• VTP v3.

We will not dwell on this group in detail, the listed differences do not depend on the possibility of processing L3 / L4 headers.

Level 3

This is a fundamental difference. Lan Base switches support L3 / L4 header processing and serve as an internetwork routing function. Only static routing is supported. Up to 16 static routes can be configured.

Security

Lan Base switch functionality provides the following additional security features:

• DHCP snooping;
• IP source guard;
• Dynamic ARP inspection (DAI);
• Port Access Lists (pACL);
• Add. 802.1X facilities and integration with Cisco ISE.

DHCP snooping allows you to monitor all DHCP requests within the broadcast domain and block DHCP responses on those ports to which a non-trusted DHCP server can be connected. Thus DHCP snooping allows you to prevent an enemy DHCP server from connecting to the network. In addition, DHCP snooping compiles a database of client mac-address correspondence, issued IP address, lease time, etc. DHCP uses its OSI L4 layer to transmit its packets; therefore, the switch must be able to parse the L3 / L4 headers to implement this functionality. Therefore, DHCP snooping only works on Lan Base switches.

IP source guard allows you to deal with the attacks of changing the source IP address. For this, IP source guard uses a database obtained when using DHCP snooping. Of course, this database can be supplemented with static records manually. Of course, to implement IP source guard, the switch must be able to work with L3 / L4 headers, so this functionality can be implemented only on Lan Base switches.

Dynamic ARP inspection (DAI) allows you to deal with attacks such as ARP poisoning or ARP spoofing, in which an attacker tries to forge ARP responses in order to redirect traffic from legitimate devices to his own gateway. When DAI is enabled, when an ARP response appears on a non-trusted port, the switch inspects the ARP packet and matches the data with the existing database from DHCP snooping and static records. Although the ARP protocol works on the data link layer, for a full DAI implementation, it is necessary to enable DHCP snooping. Therefore, a full DAI can only work on Lan Base switches.

Port Access Lists. I think there is no need for additional explanations here why pACL can be implemented only on Lan Base switches. I want to notice only one thing: pACL can only be applied in the incoming direction. In the out pACL direction, it will not work, although it is usually possible to configure this construction (enter a command) on the switch port.

Add. 802.1X facilities and integration with Cisco ISE. It is quite difficult to consider this issue in full, and I don’t think it makes sense to go deep in this article. However, it is worth noting that some features will work on Lan Lite switches. For example, on Lan Lite switches, you can implement an 802.1X guest Vlan. This functionality helps if the end device does not have an 802.1X client installed and cannot authenticate and authorize on the switch port 802.1X. In this case, the device may be temporarily placed in the quarantine VLAN (or guest VLAN) with limited access to the local network. However, if you plan to fully integrate with Cisco ISE with the inclusion of various functions and the implementation of a relatively complex authorization logic for client devices, I would recommend using a Lan Base switch. Only on the Lan Base switch it will be possible to implement such functions as Web-authentication or downloadable access lists (Downloadable ACL). Web authentication requires redirecting the user's web traffic to a special web page where the user can enter a login / password. Therefore, only the Lan Base switch will cope with this task. For Downloadable ACL, I think, explanations are not required.

Quality of Service (QoS)

Lan Lite switches cannot enforce QoS policies based on DSCP values, since DSCP values ​​are transmitted in the IP header in the ToS field. Thus, QoS policies on Lan Lite switches can be applied solely based on the CoS value transmitted in the link layer header.

However, when considering QoS, it is necessary to distinguish significant differences that are not explicitly caused by the ability to handle L3 / L4 headers. The most significant difference, in my opinion, is that on Lan Lite switches there is no possibility to enable AutoQoS. On Lan Base switches, the AutoQos feature automatically generates QoS settings based on media devices connected to ports. Possible options for the 2960-X:

• auto qos voip {cisco-phone | cisco-softphone | trust}
• auto qos video {cts | ip-camera | media-player}
• auto qos classify [police]
• auto qos trust {cos | dscp}

At the same time, AutoQos performs the following "fine" QoS settings:

• Generates a CoS to DSCP mapping for incoming packets;
• Distributes packets to four queues and WTD trigger thresholds (weighed tail drop) according to CoS values;
• Distributes packets to four queues and three WRT thresholds in accordance with the DSCP values;
• Adjusts the queue sizes and WRT thresholds, as well as the queue weights for the SRR queue service algorithm (shaped round robin).

In addition, for auto qos voip cisco-softphone, the auto qos classify AutoQoS function performs additional settings, including the inclusion of specific policy-maps. All of the above settings are performed by AutoQoS in accordance with best practice from Cisco. More information about AutoQoS can be found here .

In addition to AutoQos, on Lan Lite you cannot use or change the settings of the following QoS functionality:

• trusted boundary — decides whether to trust QoS labels depending on the type of device connected. The type of device connected is determined based on the operation of the CDP.
• policing - evaluate the flow rate (in profile, if the flow does not exceed the specified speed, or out profile, if it exceeds). Also, you cannot configure class-maps and policy-maps;
• marking - apply actions to the data flow depending on the result of the policing step - in profile or out profile. Actions can be: pass (skip the data stream), mark down (change the QoS label for the stream to reduce / degrade the class of service) or drop (drop stream packets).
• mapping tables — change CoS to DSCP mappings, IP Precedence to DSCP mappings, DSCP to DSCP mappings or DSCP mappings for incoming packets. Since the Lan Lite switch can work exclusively with CoS, this item does not make sense to be considered.
• weighted tail drop - change the thresholds of the WRT algorithm.
• ingress queuing - you can change the settings of two incoming queues only on Lan Base switches. In addition, the 2960-S, 2960-CX and 2960-X switches do not support ingress queuing at all;
• egress queuing - changing settings of four outgoing queues is possible only on Lan Base switches.

As can be seen from the listed restrictions for Lan Lite switches, the QoS functional is implemented in the minimum possible version. I do not see any point in delving into the QoS settings for the 2960 switches in this article in more detail. If necessary, the QoS setting for 2960-X switches can be found here .

Controllability

The differences in the functions of the “manageability” section do not follow explicitly from the processing capabilities of the L3 / L4 headers. Among the most significant differences are the following:

• the number of supported SPAN sessions (one session on Lan Lite switches, depending on the model on Lan Base switches);
• Remote SPAN support;
• IP SLA Responder support;
• a wider range of MIB databases;
• the number of VLANs supported;
• number of STP processes supported.

I do not see any point in considering the functional differences between Lan Lite and Lan Base for each model of 2960 switches in more detail. Cisco always offers to clarify the necessary functionality using Feature Navigator . Although, in my opinion, Feature Navigator does not always help, and the Configuration Guide for a particular model will help to clarify more controversial issues.

For convenience, we present the differences in the program part in the form of a table. Some quantitative and / or unique differences inherent in specific switch models are also reflected in this table.



It is worth noting that when setting up a Lan Lite switch in most cases, you can specify commands that include the functionality that is characteristic of a Lan Base switch. For example, you can enter a command that includes the dhcp-snooping on the Lan Lite switch:



However, you need to understand, despite the fact that the functionality can be configured on the switch, in the Lan Lite version, the actually applied commands will not work.

Conclusion

In this article, I looked at the differences between the Lan Lite and Lan Base versions of the current Cisco 2960 switches. I took the 2960-C, 2960-Plus and 2960-X models as relevant. The differences between Lan Lite and Lan Base I considered as hardware and software. When considering software differences, I tried to deduce a fundamental difference - the ability of the switch to work on the third and fourth levels of the OSI model and process L3 / L4 headers. Based on this difference, I showed the example of security features and, in part, QoS features, how to determine which functionality will work in the Lan Lite version of the switch, and which functionality will work only in the Lan Base version. He also highlighted some points that were not determined by the fundamental difference, and showed some unique differences for specific switch models.

Once again I want to pay attention, the transition from Lan Lite to Lan Base and back is not possible. For switches 2960-X, the difference in price is not large (about 20%), but at the same time, with the acquisition of the Lan Lite version, we lose a large amount of functionality. In my opinion, the most significant loss of the Lan Lite switch is the absence of internetwork routing, ACL and AutoQos. On the other hand, for 2960-Plus switches, the difference in price can be 40% for certain models, therefore, the choice of Lan Lite or Lan Base should be taken with some attention. Probably, the Lan Base functions really will not be in demand for the tasks set, and the purchase of 2960-Plus switches in the Lan Lite version will significantly save the budget. Especially when it comes to purchasing a batch of switches.

I hope this article can serve as a guide for choosing Lan Lite and Lan Base versions of Cisco 2960 switches and shed light on some controversial issues.

UPD (11/7/2016):
In the fall of 2016 a new line of switches 2960-L appeared.


These are fixed gigabit switches with Lan Lite feature set. In fact, these switches extend the portfolio of L2 switches with gigabit ports. Before them, there were only 2960-X with Lan Lite (if not to consider compact models). The 2960-X line is represented in just two models: WS-C2960X-24TS-LL and WS-C2960X-48TS-LL. The 2960-L line offers 8, 16, 24, and 48 port switches. Uplink 2 or 4 SFP. There are models with PoE. The 2960-L has more DRAM (512 vs. 256 for 2960-X Lan Lite) and Flash (256 vs. 64 for 2960-X Lan Lite).

As mentioned earlier, the 2960-L line is exclusively L2 switch, that is, with a set of Lan Lite features. However, some of the more advanced Lan Base features are inherent to these switches, such as:

• Port Access Lists (pACL);
• 802.1x;
• Advanced QoS. Now it is possible to remarry CoS based on IP addresses and port numbers from the IP header. There is also support for Weighted Round Robin (WRR), Weighted Tail Drop (WTD).

The 2960-L line is fanless, except for the 48-port switch with PoE (WS-C2960L-48PS-LL).