Network Design and Issues.

Unanswered Question
Jan 11th, 2010

Hello,

I have a case that I am trying to solve and I could use some help.

Let me first describe the situation and then we will move on to possible design solutions.

I have a customer with the simple topology below:

Internet-Router
      |
     ASA
  10.4.4.1
      |
  10.4.4.2
Core-Router <---Lease_Line--> Branches (10.0.0/16)
  10.1.1.1
      |
  10.1.1.X

We decided to buy a stack of 3 x 3750 switches in order to separate users (VLAN 2), servers (VLAN 3) and supervisors (VLAN 4).

The topology would then look something like this:

 Internet-Router
        |
       ASA
    10.4.4.1
        |
    10.4.4.2
    3750-Stack -------------Core-Router <---Lease_Line--> Branches
   |      |      |
 vlan2  vlan3  vlan4

vlan 2 = 10.2.1.1/24
vlan 3 = 10.3.1.1/24
vlan 4 = 10.4.1.1/24

where the core router is now a member of the users VLAN (VLAN 2) and the branches would be accessible from servers or supervisors via a static route.

The problem now is that another company will be added to this network. It will share resources from the servers VLAN (for example mail, proxy, DNS, Active Directory, etc.) BUT it will have its own Internet line and its own leased line with different branches. Like a mirror.

The supervisor vlan must have access everywhere.

So here we come to this :

Equipment :

I have 2 x ASA 5510 with Security Plus license and 8 interfaces each.

As far as I am concerned, if I just add another VLAN to my current topology with my new users and put a static route on the 3750 stack so they can reach their branches via the new router, everything would be nice and smooth, BUT then I will have only one Internet feed and the second (new) line will be used as a failover. I will also have VPN capabilities, which I want.

Now, in case I want to use both Internet lines, things get a bit messy. I will have to change my ASA to multiple-context mode and use shared INTERNAL interfaces for supervisors and servers.

Any ideas?

Jon Marshall Mon, 01/11/2010 - 09:48


Firstly, it would be a better design to have the existing core router connected to the 3750 stack with an L3 P2P link rather than have it part of the user VLAN 2.

That aside, it's not entirely clear where the new company users will be - are they going to be on the same 3750 stack as your existing users?

If so, and you want them to use their own Internet feed, then you could use PBR to force them to go via their own Internet link, but only if the Internet link is behind a different ASA. So you could use the existing Internet link for existing users plus any inbound Internet connectivity, and then the new Internet link for new users.

Are you concerned with internal security between the new and existing companies? Because if you are, then simply adding a VLAN onto the 3750 is probably not the way to go.

Jon
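The PBR approach Jon describes, written out as an added configuration example for the 3750 stack; it is not part of the thread and not a vendor-supplied config. The first ASA's inside address 10.4.4.1 comes from the original post. Everything else is assumed: the new company's users sit in VLAN 5 (10.5.1.0/24, SVI 10.5.1.1), the second ASA's inside interface is 10.4.5.1 on a new transit VLAN 90 (3750 side 10.4.5.2), and all internal addressing lives inside 10.0.0.0/8 as the post's diagrams suggest.

```cisco
! Added example (not from the thread): policy-based routing on the 3750 stack
! so that only the new company's Internet-bound traffic leaves via the second ASA.
! Assumptions: VLAN 5 = 10.5.1.0/24 (new company users), second ASA inside =
! 10.4.5.1 on transit VLAN 90, everything internal is inside 10.0.0.0/8.
!
! PBR on a Catalyst 3750 requires the "routing" SDM template (needs a reload).
sdm prefer routing
!
interface Vlan90
 description Transit to second ASA (new company's Internet line)
 ip address 10.4.5.2 255.255.255.252
!
! The match ACL decides what gets policy-routed. Packets it DENIES fall through
! to the normal routing table, so destinations inside 10/8 (shared servers,
! supervisors, either company's branches) are excluded first.
access-list 150 deny   ip 10.5.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit ip 10.5.1.0 0.0.0.255 any
!
route-map NEWCO-INTERNET permit 10
 match ip address 150
 set ip next-hop 10.4.5.1
!
interface Vlan5
 description New company users
 ip address 10.5.1.1 255.255.255.0
 ip policy route-map NEWCO-INTERNET
!
! The existing default route is unchanged: everyone else (and inbound
! connectivity) keeps using the first ASA, as Jon suggests.
ip route 0.0.0.0 0.0.0.0 10.4.4.1
```

The second ASA needs a route for 10.5.1.0/24 pointing back at 10.4.5.2 and its own NAT for that range, otherwise return traffic has no path. Two caveats worth checking before relying on this: PBR matches on the source address, so anything the new company sends through a shared proxy in the servers VLAN (as the thread later mentions) leaves with the proxy's address and is not steered by this route-map, only direct-to-Internet flows from VLAN 5 are; and if the next hop 10.4.5.1 goes down, plain `set ip next-hop` on this platform will keep forwarding into a dead link rather than falling back to the default route.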

trustcisco Mon, 01/11/2010 - 10:57

Hi Jon, and thanks for your answer.

Besides security issues, both companies will share Internet via a common proxy server located in the servers VLAN.

In my first scenario, yes, the new company's users will be added to the existing 3750 stack in a completely different VLAN with access only to specific servers (proxy, mail, etc.). Don't forget that the new company also has a different router to interconnect via leased line with its own branches; this router would be part of the same VLAN. In that way the new users would be able to access their branches and vice versa, have access to the shared services (mail, proxy, etc.) and be completely separated from my existing company by denying them access with L3 ACLs on the 3750 stack.

In that case I would use my first 5510 in single mode with one primary DSL and one failover, and keep the VPN capabilities, which is OK.

But I would like to try something else instead.

I want to make my second DSL active for my new company and keep all the benefits of the above solution.

Funny thing is that if I didn't have an ASA and had another firewall that supports multiple WANs, this case would be a piece of cake, but it would also be very simple and boring.

So what do you think?
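The "first scenario" trustcisco describes in the opening post and again above (a separate VLAN on the 3750 stack for the new company, a static route to its branches via its own router in that VLAN, and L3 ACLs keeping the two companies apart) as an added configuration example. It is not part of the thread and not a vendor-supplied config. Only the VLAN 2/3/4 addresses, the existing branch range 10.0.0.0/16 and the ASA inside address 10.4.4.1 come from the post; the new VLAN 5, the router addresses, the new branch range, the server addresses and the proxy port are assumptions.

```cisco
! Added example (not from the thread): one 3750 stack hosting both companies,
! separated by router ACLs. From the post: VLAN 2/3/4 = 10.2.1.0/24, 10.3.1.0/24,
! 10.4.1.0/24, ASA inside 10.4.4.1, existing branches 10.0.0.0/16.
! Assumed: VLAN 5 = new company users 10.5.1.0/24; 10.5.1.2 = new company's
! leased-line router (in VLAN 5, as the post says); 10.6.0.0/16 = its branches;
! 10.2.1.2 = existing core router (in VLAN 2, as the post says); shared servers
! proxy 10.3.1.10 (tcp/3128), mail 10.3.1.20, DNS/AD 10.3.1.30.
ip routing
!
interface Vlan2
 description Existing users (core router 10.2.1.2 lives here too)
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan3
 description Shared servers
 ip address 10.3.1.1 255.255.255.0
!
interface Vlan4
 description Supervisors - must reach everything, so no ACL on this SVI
 ip address 10.4.1.1 255.255.255.0
!
interface Vlan5
 description New company users + their branch router
 ip address 10.5.1.1 255.255.255.0
 ip access-group NEWCO-IN in
!
! Internet via the ASA; each company's branches via its own router.
ip route 0.0.0.0 0.0.0.0 10.4.4.1
ip route 10.0.0.0 255.255.0.0 10.2.1.2
ip route 10.6.0.0 255.255.0.0 10.5.1.2
!
! Inbound on Vlan5 sees both the new users (10.5.1.0/24) and their branches
! (10.6.0.0/16, handed up by the router), so one ACL filters both sources.
ip access-list extended NEWCO-IN
 remark -- shared services only, not the whole server VLAN
 permit tcp 10.5.1.0 0.0.0.255   host 10.3.1.10 eq 3128
 permit tcp 10.6.0.0 0.0.255.255 host 10.3.1.10 eq 3128
 permit ip  10.5.1.0 0.0.0.255   host 10.3.1.20
 permit ip  10.6.0.0 0.0.255.255 host 10.3.1.20
 permit ip  10.5.1.0 0.0.0.255   host 10.3.1.30
 permit ip  10.6.0.0 0.0.255.255 host 10.3.1.30
 remark -- router ACLs are stateless: allow replies to supervisor-initiated TCP
 remark -- sessions, but nothing the new company initiates towards VLAN 4
 permit tcp 10.5.1.0 0.0.0.255   10.4.1.0 0.0.0.255 established
 permit tcp 10.6.0.0 0.0.255.255 10.4.1.0 0.0.0.255 established
 remark -- new users to their own branches (hairpins through this SVI)
 permit ip  10.5.1.0 0.0.0.255   10.6.0.0 0.0.255.255
 remark -- everything else inside 10/8 (existing users, other servers,
 remark -- existing branches) is off limits; what remains is Internet via the ASA
 deny   ip any 10.0.0.0 0.255.255.255 log
 permit ip any any
```

Because the 3750 filters packets statelessly, the `established` lines are what let supervisor-initiated TCP sessions into VLAN 5 get their replies back while still blocking anything the new company starts towards VLAN 4; UDP and ICMP from the supervisors would need their own explicit return permits. Keep `log` on the final deny only, since logged ACL hits are punted to the CPU on this platform. Also note that the new branches talk to the new users without touching the switch at all (their router has VLAN 5 directly connected), so that path is never seen by NEWCO-IN; only traffic that crosses the SVI is.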
