Differences between Lan Lite and Lan Base for Cisco 2960 Switches
Hi, Habr! On our company's website we maintain a “Questions and Answers” (FAQ) section. Recently we noticed that the question “What is the difference between LAN Lite and LAN Base for Cisco 2960 series switches” is viewed often. In this article I will go into more detail on the differences between Lan Lite and Lan Base, for example, by describing what is hidden behind the words “advanced security features”, “advanced QoS functions”, etc., which appear in many Cisco Systems comparison tables.
Before proceeding to the differences between Lan Lite and Lan Base, we will look very briefly at which 2960 switch models exist (and there are a lot of them), what their most significant differences are, and which of the 2960 models are current at the time of writing. The clearest way to show this is a table. Current models are marked in green. Light green marks models that are current but come with only one feature set: 2960-CX are only Lan Base, 2960-XR are only IP Lite.
* see UPD at the end of the article
In this article, the differences between Lan Lite and Lan Base will be considered only for current models, that is, for 2960-C, 2960-Plus and 2960-X.
Which Cisco 2960 Switch to Choose: Lan Lite or Lan Base? This issue must be resolved before buying equipment once and for all, because it is impossible to switch from Lan Lite to Lan Base and vice versa: Lan Lite switches differ from Lan Base in hardware. For 2960-X switches, Lan Lite costs about 20% less than Lan Base. For 2960-Plus switches, the price difference can go up to 40% depending on specific models. In order to make the right choice, you need to understand exactly how the switch will be used, and what functionality the switch may require.
Confusion often arises when Lan Lite and Lan Base for Cisco 2960 switches are spoken of as a license. The confusion evidently arises because for the higher-end models of modern Cisco switches, such as 3560X, 3750X, 3650, 3850, Lan Base denotes a license. The other licenses for the listed switches are IP Base and IP Services. These licenses open up additional, more advanced functionality compared to Lan Base. There is no Lan Lite for the listed switches. In the case of the Cisco 2960, Lan Lite and Lan Base are not a license.
It is also often believed that Lan Lite and Lan Base are software versions for the Cisco 2960 switches. The answer here is both yes and no. For legacy Cisco 2960 and Cisco 2960G switch models, as well as for modern Cisco 2960-Plus switches, Lan Lite models do indeed require a Lan Lite software image, and Lan Base models require a Lan Base image. You cannot install a Lan Base software image on a Lan Lite switch and vice versa. Interestingly, the download section of cisco.com for the Cisco 2960-Plus switches lets you download the “wrong” software for the switch. That is, for the Lan Base switch, you can, for example, download Lan Lite software:
For other switches (Cisco 2960, Cisco 2960G), downloading the “wrong” software from cisco.com will fail. For more modern Cisco 2960-C, Cisco 2960-CX, Cisco 2960-S, Cisco 2960-SF, Cisco 2960-X, and Cisco 2960-XR switches, there is a single, universal software image. For example, for the Cisco 2960-X switches, the c2960x-universalk9-mz.152-2.E3.bin software can be installed on both the Lan Lite and the Lan Base switch. The set of supported functions in this case will be determined solely by the model of the switch. The installed universal software automatically configures the set of supported functions depending on the hardware platform. It is worth noting that the Cisco 2960-XR switches stand apart. The set of functions for these switches is called IP Lite (not to be confused with Lan Lite), since these switches are richer in functionality compared to Lan Base switches. In particular, the Cisco 2960-XR supports entry-level dynamic routing protocols (OSPF for Routed Access, EIGRP Stub) and other additional features (Policy Based Routing, HSRP, etc.). Also worth noting is the Cisco 2960-CX. There is no Lan Lite version for this model. The only option is Lan Base.
Thus, the terms Lan Lite and Lan Base denote a set of functions, or, as it is called in the official documentation of the manufacturer, Cisco Systems, an IOS Feature Set.
So, let's go directly to the differences between the Lan Lite and Lan Base switches. We will consider the differences only for the current switch models, since the choice of Lan Lite or Lan Base is most relevant at the time of ordering a new switch (our FAQ already has a short list of differences for the entire model range). From the current models, we exclude the Cisco 2960-CX (it has only Lan Base) and the Cisco 2960-XR (it has only IP Lite). That leaves the Cisco 2960-C (Compact), Cisco 2960-Plus and Cisco 2960-X.
Hardware Differences
Cisco 2960-C Switches
Lan Lite is represented by a single switch, the Catalyst 2960C-8TC-S.
There are no external differences.
The differences are solely in the list of supported SFP transceivers. The Lan Lite switch supports only GLC-SX-MM, GLC-SX-MMD, GLC-LH-SM, GLC-LH-SMD. The Lan Base switch supports the complete list of 1 GB transceivers (including Long-Reach Single-Mode Fibers, Extended Long-Reach Single-Mode Fibers and transceivers for single-core optics).
Cisco 2960-Plus Switches
External differences are shown here:
Lan Base is on the left, Lan Lite on the right. In the upper right corner, the Lan Lite switch is labeled “Catalyst 2960 Plus Series SI” and the Lan Base switch “Catalyst 2960-Plus Series”.
Differences:
- List of supported transceivers. Lan Lite only supports GLC-SX-MM, GLC-SX-MMD, GLC-LH-SM, GLC-LH-SMD, while Lan Base supports the complete list.
- Support for the Cisco Redundant Power System (RPS) 2300
Cisco 2960-X Switches
Lan Lite is represented by two switches: WS-C2960X-24TS-LL and WS-C2960X-48TS-LL.
External differences.
The set of functions is clearly indicated on the front panel of the switch:
Lan Base has a slot for installing a stack module on the rear panel of the switch. Lan Lite switch does not support stacking; accordingly, there is no slot for installing a module. In the photo, the back panel of the Lan Base switch with the stack module already installed:
Also, for 2960-X switches, unlike other 2960 switches, you can find out the feature set from the command line with the show license command.
Differences:
- Stacking support. As already noted, Lan Lite models cannot be merged into or added to a stack.
- List of supported SFP transceivers. Lan Lite only supports GLC-SX-MM, GLC-SX-MMD, GLC-LH-SM, GLC-LH-SMD, GLC-EX-SMD, while Lan Base supports the complete list.
- Support for SFP+ transceivers. Lan Lite models do not support SFP+.
- Support for the Cisco Redundant Power System (RPS) 2300. Note that only Lan Base models support an external RPS. Lan Lite models do not support it; IP Lite models do not support it either, but can be equipped with their own redundant power supply.
- PoE / PoE+ support. Unlike the 2960-Plus, the 2960-X has no Lan Lite models with PoE.
- RAM. Lan Lite models come with 256 MB DRAM, Lan Base models have 512 MB DRAM.
- Flash memory. Lan Lite models are equipped with 64 MB of flash, Lan Base models have 128 MB of flash.
- Switching fabric performance. Lan Lite models are 50 Gb / s, Lan Base models are 108 Gb / s.
Software Differences
Regardless of the 2960 switch model, there are general software differences between Lan Lite and Lan Base. The fundamental difference: Lan Lite switches are OSI model Layer 2 network devices (L2 devices), while Lan Base switches are OSI model Layer 3 devices (L3 devices). In other words, Lan Lite switches forward packets exclusively at the data link layer (L2), while Lan Base switches can work with L3 and L4 headers to forward and process packets. Other differences in the functionality of Lan Lite and Lan Base are mainly a consequence of this fact. To determine whether a particular feature will work on a Lan Lite switch, in many cases it is enough to understand whether implementing it requires analysis / processing of the IP header of the transmitted packet. Let us consider this statement in more detail with specific examples.
When comparing Lan Lite and Lan Base, feature sets are usually divided into the following groups:
- Layer 2;
- Layer 3;
- Security;
- Quality of Service (QoS);
- Manageability.
Consider the differences for each group in detail.
Layer 2
Lan Lite switches provide basic link-level features:
- 802.1Q;
- STP and extensions;
- CDP;
- LLDP
- DTP
- UDLD;
- VTP v2;
- PAgP / LACP;
- Storm Control
Lan Base switches provide the following additional features:
- Flexlink
- LLDP MED;
- VTP v3.
We will not dwell on this group in detail, since the differences listed do not depend on the ability to process L3 / L4 headers.
Layer 3
This is a fundamental difference. Lan Base switches support the processing of L3 / L4 headers and perform the function of gateway routing. Only static routing is supported. Up to 16 static routes can be configured.
Security
Lan Base switch functionality provides the following additional security features:
- DHCP snooping;
- IP source guard;
- Dynamic ARP inspection (DAI);
- Port Access Lists (pACL);
- Additional 802.1X features and integration with Cisco ISE.
DHCP snooping allows you to monitor all DHCP requests within the broadcast domain and block DHCP responses on ports to which an untrusted DHCP server may be connected. Thus, DHCP snooping prevents a rogue DHCP server from joining the network. In addition, DHCP snooping builds a database that maps the client's MAC address to the issued IP address, lease time, etc. DHCP messages are carried at Layer 4 of the OSI model, so the switch must be able to parse L3 / L4 headers to implement this functionality. Therefore, DHCP snooping only works on Lan Base switches.
IP source guard protects against attacks that spoof the source IP address. For this, IP source guard uses the database built by DHCP snooping. This database can also be supplemented manually with static entries. To implement IP source guard, the switch must be able to work with L3 / L4 headers, so this functionality is available only on Lan Base switches.
Dynamic ARP inspection (DAI) protects against attacks such as ARP poisoning or ARP spoofing, in which an attacker forges ARP responses in order to redirect traffic from legitimate devices to the attacker's own gateway. When DAI is enabled and an ARP response arrives on an untrusted port, the switch inspects the ARP packet and compares its data with the DHCP snooping database and static entries. Although the ARP protocol works at the data link layer, DHCP snooping must be enabled for the full implementation of DAI. Therefore, a full-fledged DAI can only work on Lan Base switches.
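The dependency chain described above (DHCP snooping builds the binding database, IP source guard and DAI consult it) can be shown with a small model. This is an added example, not Cisco's implementation and not code from the original article; the class, its single shared trust setting, the port names and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class AccessSwitch:
    """Toy model: one trust setting shared by all three features (an assumption)."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.pending = {}                  # client MAC -> port its DHCP request arrived on
        self.bindings = {}                 # (vlan, ip) -> Binding

    def add_static(self, mac, ip, vlan, port):
        # Manual entry, e.g. for a host with a fixed address.
        self.bindings[(vlan, ip)] = Binding(mac.lower(), ip, vlan, port)

    def dhcp_request(self, in_port, client_mac):
        self.pending[client_mac.lower()] = in_port
        return "forward"

    def dhcp_server_reply(self, in_port, client_mac, ip, vlan):
        # DHCP snooping: server messages are accepted only on trusted ports.
        if in_port not in self.trusted:
            return "drop: DHCP server reply on untrusted port"
        port = self.pending.pop(client_mac.lower(), None)
        if port is not None:  # learn MAC/IP/VLAN/port for the later checks
            self.bindings[(vlan, ip)] = Binding(client_mac.lower(), ip, vlan, port)
        return "forward"

    def ip_packet(self, in_port, src_ip, vlan):
        # IP source guard: the source IP must be bound to the ingress port.
        b = self.bindings.get((vlan, src_ip))
        if in_port in self.trusted or (b and b.port == in_port):
            return "forward"
        return "drop: source IP not bound to this port"

    def arp_packet(self, in_port, sender_mac, sender_ip, vlan):
        # DAI: sender MAC and IP inside the ARP payload must match a binding.
        b = self.bindings.get((vlan, sender_ip))
        if in_port in self.trusted or (b and (b.mac, b.port) == (sender_mac.lower(), in_port)):
            return "forward"
        return "drop: ARP sender does not match binding table"

def demo():
    """Constructed scenario: client on Gi0/1, spoofing host on Gi0/2, uplink Gi0/24."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    sw.add_static("aa:aa:aa:00:00:fe", "10.0.0.1", 10, "Gi0/24")  # gateway
    sw.dhcp_request("Gi0/1", "AA:AA:AA:00:00:01")
    return [
        sw.dhcp_server_reply("Gi0/2", "aa:aa:aa:00:00:01", "10.0.0.66", 10),
        sw.dhcp_server_reply("Gi0/24", "aa:aa:aa:00:00:01", "10.0.0.50", 10),
        sw.arp_packet("Gi0/1", "aa:aa:aa:00:00:01", "10.0.0.50", 10),
        sw.arp_packet("Gi0/2", "bb:bb:bb:00:00:02", "10.0.0.1", 10),
        sw.ip_packet("Gi0/2", "10.0.0.50", 10),
    ]
```

Without the binding table that DHCP snooping (or static entries) provides, both later checks have nothing to compare against, which is why the three features stand or fall together.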
Port Access Lists. I think there is no need for further explanation of why pACL can only be implemented on Lan Base switches. I want to note only one nuance: pACL can be applied only in the incoming direction. In the out direction, pACL will not work, although the switch usually lets you enter the command on the port.
Additional 802.1X features and integration with Cisco ISE. It is quite difficult to cover this topic in full, and I do not think it makes sense to go deep into it within this article. However, it is worth noting that some functions will work on Lan Lite switches. For example, on Lan Lite switches, you can implement the 802.1X guest VLAN. This functionality helps if the end device does not have an 802.1X client installed and cannot authenticate and authorize on the 802.1X port of the switch. In this case, the device can be temporarily placed in a quarantine VLAN (or guest VLAN) with limited access to the local network. However, if you plan to fully integrate with Cisco ISE, enabling various functions and implementing relatively complex authorization logic for client devices, I would recommend using a Lan Base switch. Only on the Lan Base switch will it be possible to implement features such as Web authentication or Downloadable ACLs. Web authentication requires redirecting the user's web traffic to a special web page on which the user can enter a username / password. Therefore, only the Lan Base switch will cope with this task. For Downloadable ACL, I think no explanation is required.
Quality of Service (QoS)
Lan Lite switches cannot implement QoS policies based on DSCP values, because DSCP values are transmitted in the IP header in the ToS field. Thus, QoS policies on Lan Lite switches can only be applied based on the CoS value transmitted in the link layer header.
However, when considering QoS, it is necessary to highlight significant differences that are not explicitly determined by the ability to process L3 / L4 headers. The most significant difference, in my opinion, is that Lan Lite switches do not have the option to enable AutoQoS. On Lan Base switches, AutoQoS automatically generates QoS settings depending on the media devices connected to the ports. Options for 2960-X:
- auto qos voip {cisco-phone | cisco-softphone | trust}
- auto qos video {cts | ip-camera | media-player}
- auto qos classify [police]
- auto qos trust {cos | dscp}
At the same time, AutoQoS performs the following "fine" QoS settings:
- Configures CoS to DSCP mapping for inbound packets;
- Distributes packets into four queues and thresholds for WTD (weighted tail drop) in accordance with CoS values;
- Distributes packets into four queues and three WTD thresholds according to DSCP values;
- Configures queue sizes and WTD thresholds, as well as queue weights for the SRR (shaped round robin) queuing algorithm.
In addition, for auto qos voip cisco-softphone and auto qos classify, the AutoQoS function performs additional settings, including enabling specific policy-maps. AutoQoS performs all of these settings in accordance with Cisco best practice. More details about AutoQoS can be found here.
In addition to AutoQoS, you cannot use or change the settings of the following QoS functionality on Lan Lite:
- trusted boundary — Decide whether to trust QoS labels based on the type of device connected. The type of device connected is determined based on the operation of the CDP.
- policing - evaluate the flow rate (in profile if the flow does not exceed the configured rate, or out of profile if it does). Also, you cannot configure class-maps and policy-maps;
- marking - apply actions to the data stream depending on the result of the policing step (in profile or out of profile). Actions can be: pass (pass the data stream), mark down (change the QoS label for the stream to reduce / degrade the class of service) or drop (drop packets of the stream).
- mapping tables - change the mapping tables CoS to DSCP, IP Precedence to DSCP, DSCP to DSCP or DSCP to QoS for incoming packets. Since the Lan Lite switch can work exclusively with CoS, this item is not worth considering.
- weighted tail drop - change the thresholds of the WTD algorithm.
- ingress queuing - you can change the settings of two incoming queues only on Lan Base switches. In addition, the 2960-S, 2960-CX, and 2960-X switches do not support ingress queuing at all;
- egress queuing - you can change the settings of four outgoing queues only on Lan Base switches.
As you can see from the listed restrictions, QoS functionality on Lan Lite switches is implemented in the most minimal way possible. I do not see the point of delving into the QoS settings for 2960 switches in more detail in this article. If necessary, QoS configuration for 2960-X switches is described here.
Manageability
Differences in the functions of the "manageability" section do not follow explicitly from the processing capabilities of L3 / L4 headers. Among the most significant differences are the following:
- the number of supported SPAN sessions (on Lan Lite switches one session, on Lan Base switches - depending on the model);
- Remote SPAN support;
- IP SLA Responder support;
- a wider range of MIBs;
- number of supported VLANs;
- number of supported STP processes.
I do not see the point of considering in more detail the functional differences between Lan Lite and Lan Base for each model of 2960 switches. Cisco always suggests checking for the desired functionality using Feature Navigator. Although, in my opinion, Feature Navigator does not always help, and the Configuration Guide for a specific model will help to clarify the more contentious questions.
For convenience, we present the differences in the software in the form of a table. Some quantitative and / or unique differences inherent to specific switch models are also shown in this table.
It is worth noting that when configuring a Lan Lite switch, in most cases you can enter commands that enable functionality belonging to the Lan Base switch. For example, you can enter a command that enables DHCP snooping on the Lan Lite switch:
However, you need to understand that although the functionality can be configured on the switch, on the Lan Lite variant the commands entered will not actually work.
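Because the switch accepts these commands without enforcing them, a saved configuration can look protected when it is not. The following added example (not from the original article or from Cisco) scans a running-config for commands that enable the Lan Base-only features listed in this article and also flags outbound port ACLs, which the article notes do not work in either feature set. The feature-set names "lanlite"/"lanbase" and the sample configuration are constructed; the checks follow the main body of the article and do not account for the 2960-L line.

```python
import re

# IOS commands that enable features the article lists as missing on Lan Lite.
LAN_BASE_ONLY = [
    (re.compile(r"ip dhcp snooping\b"), "DHCP snooping"),
    (re.compile(r"ip verify source\b"), "IP source guard"),
    (re.compile(r"ip arp inspection\b"), "Dynamic ARP inspection"),
    (re.compile(r"ip access-group \S+ (in|out)\b"), "ACL"),
    (re.compile(r"auto qos\b"), "AutoQoS"),
]
ACL_OUT = re.compile(r"ip access-group \S+ out\b")

def audit(config_text, feature_set):
    """Return (scope, command, reason) for commands that are accepted but not enforced."""
    findings, interface = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command: track interface context
            m = re.match(r"interface (\S+)", line)
            interface = m.group(1) if m else None
        scope = interface or "global"
        if feature_set == "lanlite":
            for pattern, feature in LAN_BASE_ONLY:
                if pattern.match(line):
                    findings.append((scope, line, f"{feature} is not available on Lan Lite"))
        elif interface and not interface.lower().startswith("vlan") and ACL_OUT.match(line):
            # Lan Base: a port ACL on a physical port works inbound only.
            findings.append((scope, line, "port ACLs are applied inbound only"))
    return findings

# Constructed sample configuration for the demonstration.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 ip verify source
 ip access-group USERS out
!
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
"""

if __name__ == "__main__":
    for fs in ("lanlite", "lanbase"):
        print(fs)
        for scope, cmd, reason in audit(SAMPLE_CONFIG, fs):
            print(f"  [{scope}] {cmd}: {reason}")
```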
Conclusion
In this article, I examined the differences between Lan Lite and Lan Base versions of the current Cisco 2960 switches. I counted the 2960-C, 2960-Plus, and 2960-X models as current. I reviewed the differences between Lan Lite and Lan Base in terms of hardware and software. When considering software differences, I tried to derive a fundamental difference: the ability of the switch to work at the third and fourth levels of the OSI model and process L3 / L4 headers. Based on this difference, I showed with the example of security functions and, in part, QoS functions, how you can determine which functionality will work in the Lan Lite version of the switch and which functionality works exclusively in the Lan Base version. I also highlighted some points that do not follow from the fundamental difference, and showed some unique differences for specific switch models.
Once again I want to point out that the transition from Lan Lite to Lan Base and vice versa is not possible. For the 2960-X switches, the price difference is not large (about 20%), but at the same time, with the purchase of the Lan Lite version, we lose a large amount of functionality. In my opinion, the most significant loss with the Lan Lite switch is the lack of gateway routing, ACL, and AutoQoS. On the other hand, for 2960-Plus switches, the price difference can be 40% for certain models, so the choice of Lan Lite or Lan Base deserves some attention. It may well be that the Lan Base functions are not needed for the tasks at hand, and purchasing 2960-Plus switches in the Lan Lite version will significantly save the budget, especially when it comes to purchasing a batch of switches.
I hope this article can serve as a guide for choosing the Lan Lite and Lan Base versions of the Cisco 2960 switches and shed some light on some controversial issues.
UPD (11/07/2016):
In the fall of 2016, a new line of 2960-L switches appeared.
These are fixed gigabit switches with the Lan Lite feature set. In fact, these switches expand the portfolio of L2 switches with gigabit ports. Before them there were only 2960-X switches with Lan Lite (not counting compact models). The 2960-X line is represented by only two models: WS-C2960X-24TS-LL and WS-C2960X-48TS-LL. The 2960-L line offers 8, 16, 24, and 48 port switches. Uplinks are 2 or 4 SFP ports. There are models with PoE. The 2960-L has more DRAM (512 vs 256 for the 2960-X Lan Lite) and Flash (256 vs 64 for the 2960-X Lan Lite).
As mentioned earlier, the 2960-L line is exclusively L2 switches, that is, with the Lan Lite feature set. However, they support some of the more advanced Lan Base features, such as:
- Port Access Lists (pACL);
- 802.1x;
- Advanced QoS. Now you can re-mark CoS based on IP addresses and port numbers from the IP header. Also added support for Weighted Round Robin (WRR), Weighted Tail Drop (WTD).
The 2960-L line is fanless except for the 48-port PoE switch (WS-C2960L-48PS-LL).