I have been working on a network topology design for one of my clients. Please see the attached PDF detailing the diagram and traffic-flow scenarios.
The routers have a 4-port switch module that connects to Switch A (Primary) and Switch B (Secondary). There will be one VLAN 50 LAN interface on the router, with switchport access vlan 50 on the switch ports. Additional VLANs may be added in the future, at which point the switch ports will be changed to trunks.
Based on this cabling, do I simply need to enable spanning tree on the switch ports and switches, or will this design require more specific spanning-tree configuration options? Is the PortFast command required on any of these ports?
I am looking for feedback on this design. Are there any apparent routing issues that would prevent traffic flow under the normal-operation and failover scenarios detailed in the PDF?
Thank you for your comments and feedback.
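As an added example (not part of the question or of any reply), here is the spanning-tree configuration the cabling above calls for: a deterministic root, no PortFast on the links to the router switch modules (they carry BPDUs and can form loops, since each router reaches both switches), and PortFast plus BPDU Guard on host-facing ports only. Hostnames, interface numbers and the second VLAN in the trunk comment are assumptions for illustration; VLAN 50 is the one in the question.

```cisco
! Added example (not from the question or any reply). Hostnames and
! interface numbers are assumptions; VLAN 50 is the one in the question.
!
! --- Switch A (Primary): deterministic root bridge for VLAN 50 ---
hostname SwitchA
spanning-tree mode rapid-pvst
spanning-tree vlan 50 root primary
!
! Ports toward the router switch modules: these links carry BPDUs and
! can form loops (each router reaches both switches), so no PortFast.
! Root guard stops a router module from ever becoming root.
interface GigabitEthernet0/1
 description To RTR-Primary 4-port switch module
 switchport mode access
 switchport access vlan 50
 spanning-tree guard root
!
interface GigabitEthernet0/2
 description To RTR-Secondary 4-port switch module
 switchport mode access
 switchport access vlan 50
 spanning-tree guard root
!
! Host-facing ports only: PortFast skips listening/learning, and BPDU
! Guard err-disables the port if something starts talking STP on it.
interface FastEthernet0/10
 description Workstation
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! When more VLANs arrive, the router-facing ports become trunks; prune
! the allowed list and disable DTP rather than leaving "mode dynamic".
! interface GigabitEthernet0/1
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 50,60
!  switchport nonegotiate
!
! --- Switch B (Secondary): same port configuration as Switch A, but
! it takes over as root only if A fails ---
hostname SwitchB
spanning-tree mode rapid-pvst
spanning-tree vlan 50 root secondary
```

Set the same spanning-tree mode on the routers' switch modules so all four devices speak Rapid PVST+; otherwise the module falls back to classic 802.1D timers and a failover takes 30 to 50 seconds. Check the result with show spanning-tree vlan 50 on each switch: Switch A should be root, and exactly one of the redundant links should be in the blocking (BLK/Altn) state.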
Firstly, having routers outside your firewalls is a waste - what are they routing? They have a default gateway to the ISP and that's it. How are you securing them? I presume the customer wants to be able to connect to them and manage them? If the routers are compromised, you compromise the inside network, whether through bad security or through config mistakes on the firewalls/routers.
This design merely fulfils current requirements; you should design your topology to be future-proof and fulfil requirements the customer has not even considered yet.
Connect the Metro Ethernet directly to the "outside" interfaces of the active/standby PIX/ASA firewalls.
Move the routers back inside the topology and have your redundancy there. Have RTR Primary connect to Switch 1 and RTR Secondary connect to Switch 2, run HSRP between the routers, and give Switches 1 and 2 VLAN management interfaces. Connect Switch 1 to Switch 2 and you now have a fully redundant layer 2/3 topology. This topology allows you to connect remote customer sites in the future if desired, via VPNs or direct circuits, to the "inside" protected network. You now have the option to run multiple IP subnets, easily configured and managed: you can have multiple VLANs, perhaps separating servers from workstations, or even the finance department from the typing pool, etc. They may even want to host services in a DMZ...
Attached is how I would change the proposed topology using existing equipment and providing future expansion.
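As an added example (not from the reply above or its attachment), this is one way to configure the revised topology it describes: RTR Primary on Switch 1, RTR Secondary on Switch 2, HSRP between the routers, management SVIs on the switches, a trunk joining the switches, and the ASA inside interface as the routers' next hop. It goes a little beyond the reply by carrying two VLANs (users and management) so the "multiple VLANs" point is visible. Hostnames, all addresses (10.0.0.0/29 toward the ASA, 10.50.0.0/24 and 10.99.0.0/24 on the LAN), interface numbers and the HSRP key are assumptions for illustration.

```cisco
! Added example for the revised topology (not from the original reply).
! Hostnames, addresses, interface numbers and the HSRP key are assumptions.
!
! --- RTR-Primary ---
hostname RTR-Primary
!
! Watch the uplink toward the ASA; if it drops, lower the HSRP priority
! so RTR-Secondary (whose uplink is fine) preempts the gateway role.
track 10 interface GigabitEthernet0/0 line-protocol
!
! MD5 authentication on every group: without it any host on the VLAN can
! send a higher-priority HSRP hello and become the default gateway.
interface GigabitEthernet0/0
 description To ASA inside interface
 ip address 10.0.0.2 255.255.255.248
 standby 1 ip 10.0.0.4
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY-CHANGE-ME
!
interface GigabitEthernet0/1
 description Trunk to Switch 1
 no ip address
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.50.0.2 255.255.255.0
 standby 50 ip 10.50.0.1
 standby 50 priority 110
 standby 50 preempt delay minimum 30
 standby 50 authentication md5 key-string HSRP-KEY-CHANGE-ME
 standby 50 track 10 decrement 20
!
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 10.99.0.2 255.255.255.0
 standby 99 ip 10.99.0.1
 standby 99 priority 110
 standby 99 preempt delay minimum 30
 standby 99 authentication md5 key-string HSRP-KEY-CHANGE-ME
 standby 99 track 10 decrement 20
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! --- RTR-Secondary: same layout, own addresses, priority 100, so it is
! active only when the primary fails or its tracked uplink drops it to 90 ---
hostname RTR-Secondary
track 10 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/0
 ip address 10.0.0.3 255.255.255.248
 standby 1 ip 10.0.0.4
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY-CHANGE-ME
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.50.0.3 255.255.255.0
 standby 50 ip 10.50.0.1
 standby 50 priority 100
 standby 50 preempt
 standby 50 authentication md5 key-string HSRP-KEY-CHANGE-ME
 standby 50 track 10 decrement 20
! (Gi0/1.99 mirrors the VLAN 50 subinterface with 10.99.0.3, group 99)
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! --- Switch 1 (Switch 2 mirrors it with 10.99.0.12) ---
hostname Switch1
vlan 50
 name Users
vlan 99
 name Management
!
interface Vlan99
 description Management SVI; gateway is the routers' HSRP VIP
 ip address 10.99.0.11 255.255.255.0
ip default-gateway 10.99.0.1
!
interface GigabitEthernet0/1
 description Trunk to RTR-Primary
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 50,99
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description Trunk to Switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 50,99
 switchport nonegotiate
!
! --- ASA inside: route the LAN subnets to the routers' HSRP VIP ---
route inside 10.50.0.0 255.255.255.0 10.0.0.4
route inside 10.99.0.0 255.255.255.0 10.0.0.4
```

The ASA points at an HSRP VIP on the 10.0.0.0/29 side as well, so the return path is redundant too; with a static route to only one router's real address, traffic would black-hole when that router dies. Verify with show standby brief and show track on both routers, then test the failure the tracking is for: shut Gi0/0 on RTR-Primary and confirm its priority falls to 90 and RTR-Secondary goes Active for groups 50 and 99. Because the management VLAN is trunked to every switch, also restrict the switches' VTY lines to the management subnet with an access-class, since the reply's concern about compromised devices applies just as much to the switches.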