Layer 3 Connectivity

Answered Question
Sep 28th, 2010
User Badges:

Hello Friends,


Please find the attached,


1) New Branch is suppose to arrive for the existing HQ,there are no servers on branch locations all is suppose to access from HQ servers   (DHCP,DNS,Domain Controller), these are 2 buildings side by side . Internet link is seperate for Branch users,what type of connectivity should i prefer between Branch and HQ layer2 or layer3??????????


2) If suppose i use layer 3 conectivity between buildings i will be able to get IP address from the DHCP which is located at HQ????????


Ur help will be appreciated.


Thanks

Attachment: 
Correct Answer by Jon Marshall about 6 years 7 months ago

estelamathew wrote:


Dear Calin,


I have 2 New 6500 with 4500 on access layer,All users sitting in Branch building will have their Default Gateway on new 6500 of Branch,so any how i have to  create 1 SVI to speak to OLD 6500 on HQ because to reach HQ Networks i should point to HQ interface. The link between the Branch and HQ (Core switches) can be a layer 2 Trunk or layer 3 with no switchport commands,it does'nt make differences becz the traffic between the 2 building will be a layer 3 only.  Correct me if i m wrong???????????


Question:In this way you can use only L2 and in case that the broadcast domain  become to big (you'll have a lot of users in both buildings using the  same subnet / vlan)

Answers:The vlan will not be shared between the buildings,so the broadcast domain will be within the building.


Question:My concern is i don't have any proxy server or DNS in my new building,how Branch users will go on internet by the Branch internet router.Not by the HQ internet link.


Answers:  ???????????????????



Thanks


Estela


DNS will not be an issue ie. your branch clients can still use DNS in HQ although if you are using a proxy i would have thought this was doing DNS for you ??


If you want to use a proxy and your clients web browsers are configured to use the proxy personally i would setup a proxy in the branch office. However for security reasons it would be a lot better to have centralised access to the internet via HQ assuming your WAN connectivity between sites has enough bandwidth.


Alternatively you could not use a proxy in the branch site and have a default route on your branch core switches pointing to the branch firewall although know you would need some way to sort out DNS. If you have a separate DNS server from proxy in your HQ then you could use that.


There may be a way to get the proxy to redirect branch requests to the branch firewall but i don't know whether this could be done.


Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Calin Chiorean Mon, 10/04/2010 - 01:20
User Badges:
  • Silver, 250 points or more

Hello,


1) I would use a L2 trunk connection on the link from HQ to Branch. In this way you can use only L2 and in case that the broadcast domain become to big (you'll have a lot of users in both buildings using the same subnet / vlan) that you can easily upgrade to L3 links with the help of SVI interfaces as you don't have to change anything in the L2 trunk topology just allow all necessary VLANs. By using L2 your devices in Branch building can get IP address directly from DHCP server in HQ building


2) If you chose to use L3 (now or later) you still can get IP addresses from DHCP server in HQ building, but using the "ip helper-address" if you have different subnets in HQ and Branch building.


Cheers,

Calin

estelamathew Mon, 10/04/2010 - 05:45
User Badges:

Dear Calin,


I have 2 New 6500 with 4500 on access layer,All users sitting in Branch building will have their Default Gateway on new 6500 of Branch,so any how i have to  create 1 SVI to speak to OLD 6500 on HQ because to reach HQ Networks i should point to HQ interface. The link between the Branch and HQ (Core switches) can be a layer 2 Trunk or layer 3 with no switchport commands,it does'nt make differences becz the traffic between the 2 building will be a layer 3 only.  Correct me if i m wrong???????????


Question:In this way you can use only L2 and in case that the broadcast domain  become to big (you'll have a lot of users in both buildings using the  same subnet / vlan)

Answers:The vlan will not be shared between the buildings,so the broadcast domain will be within the building.


Question:My concern is i don't have any proxy server or DNS in my new building,how Branch users will go on internet by the Branch internet router.Not by the HQ internet link.


Answers:  ???????????????????



Thanks

Correct Answer
Jon Marshall Tue, 10/05/2010 - 09:00
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

estelamathew wrote:


Dear Calin,


I have 2 New 6500 with 4500 on access layer,All users sitting in Branch building will have their Default Gateway on new 6500 of Branch,so any how i have to  create 1 SVI to speak to OLD 6500 on HQ because to reach HQ Networks i should point to HQ interface. The link between the Branch and HQ (Core switches) can be a layer 2 Trunk or layer 3 with no switchport commands,it does'nt make differences becz the traffic between the 2 building will be a layer 3 only.  Correct me if i m wrong???????????


Question:In this way you can use only L2 and in case that the broadcast domain  become to big (you'll have a lot of users in both buildings using the  same subnet / vlan)

Answers:The vlan will not be shared between the buildings,so the broadcast domain will be within the building.


Question:My concern is i don't have any proxy server or DNS in my new building,how Branch users will go on internet by the Branch internet router.Not by the HQ internet link.


Answers:  ???????????????????



Thanks


Estela


DNS will not be an issue ie. your branch clients can still use DNS in HQ although if you are using a proxy i would have thought this was doing DNS for you ??


If you want to use a proxy and your clients web browsers are configured to use the proxy personally i would setup a proxy in the branch office. However for security reasons it would be a lot better to have centralised access to the internet via HQ assuming your WAN connectivity between sites has enough bandwidth.


Alternatively you could not use a proxy in the branch site and have a default route on your branch core switches pointing to the branch firewall although know you would need some way to sort out DNS. If you have a separate DNS server from proxy in your HQ then you could use that.


There may be a way to get the proxy to redirect branch requests to the branch firewall but i don't know whether this could be done.


Jon

estelamathew Tue, 10/05/2010 - 11:03
User Badges:

Thanks JON for replying.


DNS  will not be an issue ie. your branch clients can still use DNS in HQ  although if you are using a proxy i would have thought this was doing  DNS for you ??

Not clear the above lines


If  you want to use a proxy and your clients web browsers are configured to  use the proxy personally i would setup a proxy in the branch office.  However for security reasons it would be a lot better to have  centralised access to the internet via HQ assuming your WAN connectivity  between sites has enough bandwidth.

Customer has ordered new ASA and internet router to keep Branch internet seperate


Alternatively you could not use a  proxy in the branch site and have a default route on your branch core  switches pointing to the branch firewall although know you would need  some way to sort out DNS. If you have a separate DNS server from proxy  in your HQ then you could use that.

U mean to say Proxy in Branch and DNS in HQ, Can u explore more.






Please Guide me what i m thinking is correct.


Question-1: If i insist a customer to place a secondary DNS in Branch site then users will be able to access internet.Because internal DNS will forward        request to ISP DNS and that will be a Branch firewall only i have to do a PAT on firewall.Please Correct me if i m wrong??


Answer: user request to Yahoo.com> Internal Secondary DNS>DNS Default Gateway (CORE)>ASA-Firewall>Internet Router> ISP DNS> Yahoo.com


Question-2: Suppose in Question-1 if i dont place a Secondary DNS server in Branch site and if i use a HQ Primary DNS server than the packet will flow through the HQ internet firewall.Assuming there is no proxy in HQ and DNS is used to forward request.


Answers: Am i correct???????


Question 3 Suppose if i place a New Proxy server in Branch site with Preferred DNS of ISP and secondary will be internal DNS then it should work???


Answers: 

Jon Marshall Tue, 10/05/2010 - 11:24
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Estela


DNS  will not be an issue ie. your branch clients can still use DNS in HQ  although if you are using a proxy i would have thought this was doing  DNS for you ??

Not clear the above lines


What i mean is that if you are using a proxy server then the web browser on the client points to this proxy server. And the proxy server does the DNS lookup for the URL not the client ie. the client simply forwards all web requests to the proxy. So do you have a proxy server, a DNS server or both ?


Please Guide me what i m thinking is correct.


Question-1: If i insist a customer to place a secondary DNS in Branch site then users will be able to access internet.Because internal DNS will forward        request to ISP DNS and that will be a Branch firewall only i have to do a PAT on firewall.Please Correct me if i m wrong??


Your'e confusing DNS with routing. If you have a separate DNS server ie. NOT the proxy server, in HQ and that DNS server can resolve internet addresses then you don't need a second DNS server in the branch office. All the DNS server does is resolve names to IP addresses, it doesn't instruct the client where to send the traffic. If you don't have a separate DNS server in HQ ie. it is part of the proxy then you will need a DNS server in the branch office if you don't want your clients resolving directly off the internet.


You would then need to setup PAT as you say on the ASA. You would also need a default-route on your core router/switch pointing to the branch ASA.


Answer: user request to Yahoo.com> Internal Secondary DNS>DNS Default Gateway (CORE)>ASA-Firewall>Internet Router> ISP DNS>

Yahoo.com


No idea what the above is meant to mean but hopefully you should have the answer from my above response.



Question-2: Suppose in Question-1 if i dont place a Secondary DNS server in Branch site and if i use a HQ Primary DNS server than the packet will flow through the HQ internet firewall.Assuming there is no proxy in HQ and DNS is used to forward request.


Answers: Am i correct???????


The DNS response will go via HQ firewall to the internet but that doesn't mean the actual connection to the web server will. See my initial response above.



Question 3 Suppose if i place a New Proxy server in Branch site with Preferred DNS of ISP and secondary will be internal DNS then it should work???


Not sure i understand. If you had a proxy in the branch why would you need a secondary DNS as well ?


Jon

estelamathew Tue, 10/05/2010 - 12:39
User Badges:

Hello Jon


Thanks for ur reply and apppreciate ur help.


I thing there is some confusion in proxy and DNS of HQ, i will make it more clear so that smart people like u can give me solution in one click.


In HQ i have a Proxy server and as well as DNS server with dedicated different machine,Customer has ordered a ASA,Internet router Core switches and access switches to setup Branch Building. There no servers in Branch Building,


Requirement: Branch users should  prefer path from thier (branch) firewall to the new internet.link in Branch (refer to the attachment in 1st mail for diagram)


Thanks.

Jon Marshall Tue, 10/05/2010 - 13:19
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

estelamathew wrote:


Hello Jon


Thanks for ur reply and apppreciate ur help.


I thing there is some confusion in proxy and DNS of HQ, i will make it more clear so that smart people like u can give me solution in one click.


In HQ i have a Proxy server and as well as DNS server with dedicated different machine,Customer has ordered a ASA,Internet router Core switches and access switches to setup Branch Building. There no servers in Branch Building,


Requirement: Branch users should  prefer path from thier (branch) firewall to the new internet.link in Branch (refer to the attachment in 1st mail for diagram)


Thanks.


Estela


Do you want to use proxy server in your branch as well as HQ. Note, not the same proxy but another one ?


If you don't require it and you are happy for branch clients to go straight to the Internet then you can use the DNS server at HQ to resolve web addresses to IPs and then use the branch internet connection for clients accessing web sites etc.


As previoulsy discussed you will need a default-route on your L3 devices in the Branch office pointing to the ASA in the branch office. You can use the DHCP server(s) in HQ which should also pass out the HQ DNS server address.


Edit - the only benefit to having a dedicated DNS server in the branch office is if your WAN link went down and the branch couldn't get to HQ. Of course the branch clients couldn't then use DHCP either but they may already have an IP address and so would still be able to get to the internet even if HQ was down.


Jon

estelamathew Tue, 10/05/2010 - 22:13
User Badges:

Hello Jon,


Thanks for reply,appreciating ur pateints for giving me time.


1) Do you want to use proxy server in your branch as well as HQ. Note,  not the same proxy but another one ?


Yes if suppose Customer place 1 Proxy in Branch apart from HQ Proxy, Please explain the traffic flow ??



2) If you don't require it and you are happy for branch clients to go  straight to the Internet then you can use the DNS server at HQ to  resolve web addresses to IPs and then use the branch internet connection  for clients accessing web sites etc


If my user request goes to HQ DNS then how will be the traffic flow from user end to Yahoo.com. I think the traffic flow will be from HQ internet link not from Branch???? Pls correct me if i m wrong.??????


3) Edit - the only benefit to having a dedicated DNS server in the branch  office is if your WAN link went down and the branch couldn't get to HQ.  Of course the branch clients couldn't then use DHCP either but they may  already have an IP address and so would still be able to get to the  internet even if HQ was down.


Yes 3rd point is more clear for me.

Jon Marshall Wed, 10/06/2010 - 02:11
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Estela


1) Do you want to use proxy server in your branch as well as HQ. Note,  not the same proxy but another one ?

Yes if suppose Customer place 1 Proxy in Branch apart from HQ Proxy, Please explain the traffic flow ??


Traffic flow simply remains in the branch. Clients send their requests to proxy server in branch which points to the ASA in the branch office. If your'e proxy is doing DNS resolution which it should be then no traffic from client to internet needs to go to HQ. Note that if you need to use a certain application on the internet that cannot be proxied then you can still use the branch internet but you need DNS resolution somewhere, either in the branch or at HQ.


2) If you don't require it and you are happy for branch clients to go  straight to the Internet then you can use the DNS server at HQ to  resolve web addresses to IPs and then use the branch internet connection  for clients accessing web sites etc

If my user request goes to HQ DNS then how will be the traffic flow from user end to Yahoo.com. I think the traffic flow will be from HQ internet link not from Branch???? Pls correct me if i m wrong.??????


You are wrong


If the DNS server is at HQ and the client has this DNS server set in it's IP configuration (which is usely done through DHCP) then when then the client tries to go to "yahoo.com" it needs to resolve that name to an IP address. So it sends the DNS request to HQ. The DNS server in HQ then sends the request out to a DNS server on the internet via the HQ internet. Once the DNS server has got a reply ie. the ip address of yahoo.com, it sends that back to the branch client. Then the branch client sends a connection request to yahoo.com.


This connection request does NOT go via HQ. It is an IP packet with a destination address of yahoo.com and so will be routed according to the routing tables on the L3 devices in your branch office. You should have a default-route on your L3 device in the branch pointing to the branch ASA so the packet will go there and then out to the internet.


As i said previously, you are confusing the DNS request with the actual web connection. One will go to HQ ie. the DNS request but the actual connection does not go anywhere near HQ.  That is why you have to have a default-route in your branch pointing to the branch ASA.


Jon

estelamathew Wed, 10/06/2010 - 03:25
User Badges:

Thank a Tons Jon,


I was doing mess with DNS request and Routing,But i got the answer from u.


CONCLUSION:


  1. If there is no proxy server in Branch "no problem" the user DNS request will go to HQ but actual traffic will flow from Branch ASA.
  2. If i place a Proxy server in Branch all request will be controlled by Proxy(No DNS) but DNS request will be controlled by HQ DNS, Suppose If my link between HQ and Branch goes down,there will be no internet in branch because no DNS,no DHCP address from  HQ.
  3. But if i changed the Branch proxy server DNS configuration to ISP DNS and if i put statically IP and (ISP) DNS on end user then i will be able to go to the internet.


The 3rd statement is not practical just to be clear.


Thanking u once more and appreciate ur explanation.

Jon Marshall Wed, 10/06/2010 - 05:10
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

estelamathew wrote:


Thank a Tons Jon,


I was doing mess with DNS request and Routing,But i got the answer from u.


CONCLUSION:


  1. If there is no proxy server in Branch "no problem" the user DNS request will go to HQ but actual traffic will flow from Branch ASA.
  2. If i place a Proxy server in Branch all request will be controlled by Proxy(No DNS) but DNS request will be controlled by HQ DNS, Suppose If my link between HQ and Branch goes down,there will be no internet in branch because no DNS,no DHCP address from  HQ.
  3. But if i changed the Branch proxy server DNS configuration to ISP DNS and if i put statically IP and (ISP) DNS on end user then i will be able to go to the internet.


The 3rd statement is not practical just to be clear.


Thanking u once more and appreciate ur explanation.


1) Yes


2) Yes


3) If your proxy is not doing DNS then yes what you say is correct.


Jon

Jon Marshall Mon, 10/04/2010 - 05:23
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

estelamathew wrote:


Hello Friends,


Please find the attached,


1) New Branch is suppose to arrive for the existing HQ,there are no servers on branch locations all is suppose to access from HQ servers   (DHCP,DNS,Domain Controller), these are 2 buildings side by side . Internet link is seperate for Branch users,what type of connectivity should i prefer between Branch and HQ layer2 or layer3??????????


2) If suppose i use layer 3 conectivity between buildings i will be able to get IP address from the DHCP which is located at HQ????????


Ur help will be appreciated.


Thanks


If given the choice i would alwys go with L3 links and not L3 links using SVIs but L3 routed ports. The main advantage to this is that you limit L2 broadcast domains to each site and so a problem in one site, such as an STP loop, cannot affect the other site. Imagine if someone created a L2 loop in the branch site and because you were trunking the vlans to the main site you took down HQ as well.


If you do use L3 it is simple enough to DHCP, just use the "ip helper-address x.x.x.x (where x.x.x.x is the DHCP server at HQ). You would apply this command under the L3 vlan interfaces in your branch office.


Jon

estelamathew Tue, 10/05/2010 - 07:58
User Badges:

Hello friends,


Can Anybody answer for my last mail Question.


Thnaks

Calin Chiorean Tue, 10/05/2010 - 11:22
User Badges:
  • Silver, 250 points or more


Please Guide me what i m thinking is correct.


Question-1: If i insist a customer to place a secondary DNS in Branch site then users will be able to access internet.Because internal DNS will forward        request to ISP DNS and that will be a Branch firewall only i have to do a PAT on firewall.Please Correct me if i m wrong??


Answer: user request to Yahoo.com> Internal Secondary DNS>DNS Default Gateway (CORE)>ASA-Firewall>Internet Router> ISP DNS> Yahoo.com


Question-2: Suppose in Question-1 if i dont place a Secondary DNS server in Branch site and if i use a HQ Primary DNS server than the packet will flow through the HQ internet firewall.Assuming there is no proxy in HQ and DNS is used to forward request.


Answers: Am i correct???????


Question 3 Suppose if i place a New Proxy server in Branch site with Preferred DNS of ISP and secondary will be internal DNS then it should work???


Dear Mathew (I hope this is your first name)


There is a little bit of mixed information in your head that create confusion. DNS services have nothing to do with the path that packets is taken to reach Internet. DNS is there to solve domain to IP and vicersa requests. If you manage to direct your DNS queries as you said in the 1st example, that doesn't mean that all other packets will follow the same path. Here is IP routing part.


To give you a simple solution:


1. Use L3 in the HQ to Branch

2. Have a fully configured IGP (OSPF would do it) protocol to have reachability between HQ and Branch

3. Inject default routes to reach Internet; one in Branch coming from ASA (if I remember correctly the topology) and one in HQ, but avoid distribution of this route over the L3 link between HQ and Branch. In this way HQ and Branch will have a more specific route to internal prefixes (e.g. for DNS services) and each location will have a different default route to reach Internet.


I think this will do it! You need some knowledge of routing protocols, but I believe that this is not a problem. I hope you understand the concept.



P.S. @Jon, I saw that Mathew asked me a question. Thanks for replying!. I was in a training and I didn't had time for CSC.


Cheers,

Calin

Actions

This Discussion