Network Design

Unanswered Question
Mar 10th, 2009

Hi Experts,

Our company is looking to redesign its network by getting a Layer 3 switch (Cisco 3560 E Series), Layer 2 (2950 switch) and an ASA 5510.

Please find attached the traditional network diagram of our company, and suggest where we can place these devices if we bring in the Layer 3 switch (Cisco 3560 E Series) and the ASA 5510.

1. Is the 3560 switch better placed in the Distributed layer or the Core layer?

Giuseppe Larosa Tue, 03/10/2009 - 02:12

Hello Chamakura,

the C3560 can be good for Distribution.

However, if your company is not so big you can collapse the core and distribution on the same devices.

The ASA 5510 should be placed on the path to the internet links to be able to protect your network

see enterprise campus design

http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html

If the company is big and you need a core layer you should think of a more powerful pair of devices as your core like C4500 or C6500.

Note: I don't see your attachment file; try to post it again.

Hope to help

Giuseppe

chamakurak Tue, 03/10/2009 - 02:40

Hi Giuseppe,

Thank you. If that is the case, then what about the remaining ports of the C3560 (24 ports)?

2 ports for 2 ISPs

1 port for the ASA.

How can I do inter-VLAN routing?

We have an 1841 router. Can I place this in the Core layer, after that the ASA, and then the multilayer switch in the Distribution layer and the 2950 in the Access layer?

1. 1841 (Core Router) connected to IS and ASA.

2. ASA 5510 connected to 3560 switch.

3. 3560 switch to Access layer (2950 switch).

Regards

Kiran Kumar Ch

Giuseppe Larosa Tue, 03/10/2009 - 03:34

Hello Kiran,

you can do inter-vlan routing on the C3560 itself.

you just need to enable ip routing and to create the logical Switched virtual interfaces on the C3560

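    ! enable Layer 3 forwarding on the switch
    ip routing
    !
    vlan 10
    vlan 20
    !
    ! one SVI per VLAN; its address is the default gateway for that VLAN
    interface vlan 10
     ip address 10.10.10.1 255.255.255.0
     no shutdown
    interface vlan 20
     ip address 10.10.20.1 255.255.255.0
     no shutdown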

this is enough to perform inter-vlan routing

I think the 1841 should be after the ASA if you want to use the ASA to protect your network it needs to be on the path to external world.

I suppose the C1841 terminates some data connection from a service provider and/or an internet connection.

The internet connection can also be connected to the ASA and the c1841 used to connect to some remote site using a data service

the connection with the access layer switches will be made of L2 trunks to carry all the client vlans (vlan 10 and vlan 20 in my example)

Hope to help

Giuseppe

chamakurak Tue, 03/10/2009 - 04:04

Hi Giuseppe,

I have a challenge to redesign the network.

I have following devices.

1. 1841 Router

2. 3560-E Multilayer Switch.

3. ASA 5510

4. 2950 Switches.

Requirements:

1. Priority-based routing for video, voice and data.

2. Should perform VLANs.

3. Inter-VLAN routing.

With the above devices, what type of design would you suggest?

Regards

Kiran Kumar CH

Giuseppe Larosa Tue, 03/10/2009 - 06:02

Hello Kiran,

actually you didn't provide much more details

The central device is clearly the C3560E that will perform inter-vlan routing.

I guess but I may be wrong that you need to have two exit points one to ASA and one to 1841.

So you can think to have this setup

2950--- L2 trunk --- C3560E

this is for client vlans

exit points are two and connected to C3560E

    C3560E --- routed link 1 --- C1841
       |------ routed link 2 --- ASA

PBR is performed on the C3560E, which supports it

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_44_se/configuration/guide/swiprout.html#wp1228588

using an extended access-list you can define traffic to be diverted by PBR

just an example

    ! traffic to be diverted by PBR
    access-list 111 permit udp any any range 16
    access-list 111 permit tcp any any eq 554
    !
    route-map pbr_mmedia permit 10
     match ip address 111
     set ip next-hop c1841.ipaddress

the route-map has to be applied inbound on each client Vlan

    interface vlan 10
     ip policy route-map pbr_mmedia
    interface vlan 20
     ip policy route-map pbr_mmedia

to complete the solution you need a preferred default route out ASA

ip route 0.0.0.0 0.0.0.0 asa-ipaddress 10

a backup default route to c1841

ip route 0.0.0.0 0.0.0.0 c1841-ipaddress 200

for return paths static routes for the client vlans are needed on both ASA and C1841

Hope to help

Giuseppe
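
The forwarding decision this reply sets up on the C3560E, as an added example that is not part of the original post: a Python model of ACL 111, the route-map and the two floating default routes, showing which flows are handed to the C1841 and which follow the default route to the ASA. The next-hop addresses and the sample flows are constructed, and the truncated UDP line of the ACL is not modelled.

```python
import ipaddress

# Constructed addresses: the post only has placeholders for both next hops.
C1841, ASA = "10.10.254.2", "10.10.253.2"
CLIENT_VLANS = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "10.10.20.0/24")]

# ACL 111 as (protocol, destination port). Only the TCP line is modelled:
# the UDP line is cut off on the page and is left out here.
ACL_111 = [("tcp", 554)]

# Floating static defaults from the post: (next hop, administrative distance).
DEFAULTS = [(ASA, 10), (C1841, 200)]
ALL_UP = frozenset({ASA, C1841})


def next_hop(proto, dst, dport, up=ALL_UP):
    """Return (exit, reason) for a packet entering a client SVI.

    `up` holds the next hops whose routed link is up (a model assumption).
    """
    # PBR runs before the routing table, and ACL 111 matches "any any",
    # so it also catches traffic between the client VLANs.
    if (proto, dport) in ACL_111 and C1841 in up:
        return C1841, "pbr"
    if any(ipaddress.ip_address(dst) in net for net in CLIENT_VLANS):
        return "connected", "inter-vlan"
    for hop, _distance in sorted(DEFAULTS, key=lambda d: d[1]):
        if hop in up:
            return hop, "default"
    return None, "no-route"


def via_c1841(flows, up=ALL_UP):
    """Flows handed to the C1841; none of them crosses the ASA."""
    return [f for f in flows if next_hop(*f, up=up)[0] == C1841]


# Constructed sample flows: (protocol, destination address, destination port).
FLOWS = [
    ("tcp", "198.51.100.7", 443),   # web to the Internet
    ("tcp", "198.51.100.9", 554),   # RTSP to an outside host
    ("udp", "198.51.100.9", 5004),  # UDP media, not matched by this model
    ("tcp", "10.10.20.15", 554),    # RTSP from VLAN 10 to VLAN 20
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", next_hop(*flow))
    print("leave via C1841:", via_c1841(FLOWS))
```

The last sample flow is the one to check in a real configuration: with `any any` in ACL 111, matching traffic between the client VLANs is policy-routed to the C1841 as well, unless a deny entry for the local subnets is placed ahead of the permit lines.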

Joseph W. Doherty Tue, 03/10/2009 - 07:39

Just wondering about the combination of 3560-E and 2950. It seems a bit odd for a network design because the 3560-E is about top tier for a standalone Cisco L3 switch yet the 2950s, being 10/100 (except for uplinks), wouldn't seem to merit the need for 3560-E.

Some other equipment you might want to consider: if you don't need 10 gig, perhaps a 4948 L3 switch in lieu of the 3560-E; if you don't need 10 gig nor the performance of the 3560-E, perhaps a 3560; if the L3 switch and the L2 switch(es) are next to each other, perhaps a 3750 stack; if you want device redundancy for the "core/distribution", perhaps a 3750 or 3750-E dual unit stack, etc.
