Network design and routing tips

nrnick
Level 1

Does anyone see any mistakes, or can anyone comment or make suggestions on this scenario?

I have a 2801 service router, running CUCME and CUE, which will connect using the two FastEthernet ports in etherchannel trunk mode to the C2960 head switch.

The same C2960 head switch will connect to the distribution switch CE500-24PC in etherchannel trunk mode using both of the switch's two Gb uplink ports.

The CE500-24PC distribution switch will connect all desktops and IP phones.

The servers (4 of them) will connect to C2960 head switch using NIC teaming on the Native DATA VLAN 20.

The wireless bridge will connect to the C2960 in trunk mode.

An ASA5505, which serves as a security appliance, VPN, IP NAT and ADSL router, will connect to the C2960 using the NATIVE DATA VLAN 20. The 2801 will have the default route configured through the ASA for Internet.

Should I use a separate VLAN or IP range for the default route through the ASA?

We want to use NIC teaming and etherchannel to increase bandwidth and resilience.

Any suggestions ?

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Nicolas,

What is important from a security point of view is not to give the ASA any chance of being bypassed:

so the inside interface of the ASA can connect to the C2960 core switch, but the interface to the outside world should connect directly to the internet link or via a different switch.

Using a dedicated point to point link would put the C2801 as a bottleneck in accessing the internet.

Be aware that a router like the C2801 is not supposed to be able to handle a single FE at line rate, and so its capability to perform inter-VLAN routing over the two-FE etherchannel is limited.

It is also used for unified communications, hosting the CUCME, which requires resources.

So it is probably better to leave the ASA as the default gateway in the data vlan.

See the following document for router performance:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Hope to help

Giuseppe

Hello Giuseppe, thanks for the reply.

If I understand correctly, it is not necessary or practical to create an etherchannel with both NICs on the 2801, since it is not able to handle the line rate for L3?

Would you recommend using only one FE in trunk mode, or one FE for the DATA VLAN and one FE for the VOICE VLAN?

What do you mean by a dedicated point-to-point link with the 2801?

You suggested using the ASA as the default gateway on the DATA VLAN for all desktops and servers, and the 2801 as the default gateway for switches, wireless bridge and access point in trunk mode, and also for the VOICE VLAN. Am I correct?

Would I also create a bottleneck if I link the 2 switches in Gb etherchannel? The CE500 is wire-speed performance.

Thanks again,

Hello Nicholas,

thanks for your kind marks.

I would use a single FE with two Vlan subinterfaces for the data vlan and the voice vlan.

However, as I wrote in my first reply, I would give the inter-VLAN routing role to the ASA.

If you have only one voice VLAN and one data VLAN, PCs need to go to another IP subnet only when accessing the internet.

By a point-to-point link between the router and the ASA I meant either a direct link between them or a third VLAN where the two connect, but in this case the router would need to route all traffic to and from the internet, and it already has a lot of tasks for VoIP.

I would give the router only this role.

Then, if you have a separate management VLAN, it can have the router as its default gateway.

L2 performance of both switches is good enough.

You can configure a GE etherchannel between them; it should provide link redundancy.

Hope to help

Giuseppe

Hello Giuseppe,

Thanks again for all your help.

Correct me if I'm wrong, but the ASA5505 basic license doesn't support trunking. It comes with 3 preconfigured VLANs: VLAN ID 1 Inside, ID 2 Outside and ID 3 (Restricted) DMZ. I do not really understand how I can do inter-VLAN routing for the DATA and VOICE VLANs...

As I understand it, if I use etherchannel on the 2 FE on the 2801, it is solely for redundancy...

Thanks,

Nicolas

Hello Nicolas,

If you have only one data VLAN, one voice VLAN and the internet access, you don't need inter-VLAN routing, because phones and PCs don't need to talk to each other.

My suggestion is to connect the ASA inside to the data VLAN to offload internet routing from the C2801.

Then the C2801 can have subinterfaces for both the voice VLAN and the data VLAN.

About port-channel on the C2801: I'm not sure that the routed built-in FE ports on the C2801 can do it.

Hope to help

Giuseppe
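The design Giuseppe lays out across his replies (ASA inside interface on the data VLAN as the PCs' default gateway, ASA outside port cabled to the internet link and never to the C2960 so the firewall cannot be bypassed, a single FE trunk from the C2960 to the C2801 carrying dot1Q subinterfaces for the data and voice VLANs, the C2801's default route pointing at the ASA, and a GE etherchannel between the two switches for redundancy only), written out as configuration fragments. This is an added example, not configuration posted in the thread. VLAN 20 as the data VLAN comes from the original post; the voice VLAN ID (30), every IP address, the interface numbers on all three devices and the ASA port assignments are assumptions. The CE500 side of the etherchannel is managed through its own interface and is not shown.

```cisco
! ===== C2960 head switch (assumed port numbering) =====
! Gi0/1-0/2: GE etherchannel trunk to the CE500-24PC (L2 redundancy only)
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 channel-group 1 mode active
!
! Fa0/1: single FE trunk to the C2801, data + voice tagged, no port-channel
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 switchport nonegotiate
!
! Fa0/2: ASA *inside* only, as an access port in the data VLAN.
! The ASA outside port is never patched into this switch.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
! ===== C2801 (router-on-a-stick; assumed addressing) =====
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.20
 description DATA VLAN 20 - PCs and servers use the ASA (.1) as gateway
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
!
interface FastEthernet0/0.30
 description VOICE VLAN 30 - default gateway for the IP phones
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
! Internet for the router itself (and the voice VLAN) via the ASA inside address
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
! ===== ASA 5505, base license: three VLANs, no trunking =====
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! e0/0 (VLAN 2, outside) is cabled to the ADSL device only (assumed)
interface Ethernet0/0
 switchport access vlan 2
!
! e0/1 (VLAN 1, inside) is cabled to C2960 Fa0/2 (assumed)
interface Ethernet0/1
 switchport access vlan 1
!
! Return path for the voice subnet goes back through the C2801's data subinterface
route inside 192.168.30.0 255.255.255.0 192.168.20.2 1
```

With this layout the only path from VLAN 20 or VLAN 30 to the internet crosses the ASA inside-to-outside; the C2801 forwards for the voice VLAN and for its own default route but never touches the outside link, which is the bypass risk the first reply warns about. PCs keep the ASA as their gateway, so the router carries no PC internet traffic, matching the concern about the C2801 not sustaining FE line rate.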

Mohamed Sobair
Level 7

Hi Nicolas,

In order to get better responses/answers from the Netpro community, I would highly advise, for such questions, including your current design in a simple drawing.

Mohamed
