Critique this topology

Unanswered Question
Apr 16th, 2010

Hi folks,

I have included a Visio document of our network.

This is what our network currently looks like. It used to have all the access switches daisy chained together with one of them wired back to the core switch. I layered the switches so that  there is an aggregate switch in each network closets.  The access switches all connect to the aggregate, with the aggregate switch in each closet connected back to the L3 core switch. This L3 core switch does all the internal routing between inside VLANs, and has a default gateway of the 'inside' interface on the firewall.

What do you not like? Any obvious pitfalls?

I have a second L3 switch with a different set of fiber going to each closet. How would you add it for redundancy as well as load-balancing without creating broadcast storms?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Reza Sharifi Fri, 04/16/2010 - 13:45

Hi,

For redundancy, you need a second layer-3 core switch.  Bring up a second switch and connect it to the first one using a layer-3 link and run VRRP or HSRP between them.  This way if your first core switch goes down your users are not out of business.

HTH

Reza

Jon Marshall Fri, 04/16/2010 - 14:44

Not all of us can read .vsd files. I'm absolutely sure that Reza has covered the important points but for the benefit of others could you also post as a  .jpg/.png

Jon

oneirishpollack Tue, 04/20/2010 - 06:42

Sorry about the file format. I have re-saved it as a .jpg.

Does the aggregate switch that sits between the outside and inside make this network less secure? Should I lose that switch and just have the edge router connected to the outside interface of the firewall, the L3 switch connected to the inside interface of the firewall, and the DMZ and testnet networks connected to their own interfaces? The agrregate switch may have been legacy from our old pix. I am still new to this, but I m not seeing the value of the aggregate switch that is after the edge router.

Also, on the drawing I have the Core, Distribution, and Access layer labeled, or what I believe to be those layers. Is that a reasonable or accurate desciption of those layers based on Cisco definitions.

Thanks again for your time and energy, I really do appreciate it.

Thanks,

Kelly

Jon Marshall Tue, 04/20/2010 - 08:04

Kelly

Reza is right about adding a second L3 switch for redundancy.

However there are more serious concerns. You have a trunk link to the aggregate switch that allows vlan 71 which is your outside vlan on the firewall. I'm assuming, or hoping , that you don't have a L3 SVI for vlan 71 on your L3 switch ?

The aggregate switch is needed because you are bringing in 2 external routed connections ie. VOIP and Internet but whether you want to terminate them both on the same physical switch is debatable.  At the very least you should remove the trunk link between the L3 switch and the aggregate switch and simply connect the L3 switch to the inside interface of the firewall as you say. At least this way you can only get to the L3 switch from the internet by going through the firewall.

Problem you then have is that for VOIP traffic you may not want to go through the firewall. Is your VOIP network secure ie. it is leased lines etc ?

If so the trunk as is between the L3 switch and the aggregate switch could be changed to be only an access port in vlan 70 only so that VOIP traffic could bypass the firewall. Everything else on the outside of the L3 switch needs to go through the firewall.

The aggregate switch is presumably where all your DMZs etc. are created so it is needed. I would still not be entirely comfortable allowing a connection between that switch and the L3 switch even just for VOIP. If possible if you had a spare switch, doesn't have to be L3 or anything you could use that for your L3 switch -> VOIP router connection and then just use the aggregate switch for everything related to the firewall.

Edit - just noticed that your trunk link is also allowing vlan 1. Vlan 1 is not secure and it is recommended not to use it even internally. For an internet facing switch it is even more important not to use it. If you are using vlan 1 to manage the aggregate switch then change it to an unused vlan and shutdown vlan 1.

Jon

Actions

This Discussion