Need help in designing a network.

Feb 4th, 2012

Hi Friends,

I am seeking help to design a network. Please help; the details are below:

I have the following devices:

two ASA-5540

two Fortinet 311B

two Cisco 3560 switches and a few L2 switches and routers

we have a server farm, all in one VLAN

2 ISPs need to be kept in redundant mode

Strategy should follow:

almost 400 users...

one server shouldn't be talking to another...

physically everything located in the same building....

subnets are yet to be decided...

Please help me with a basic and rough structure and strategy, because I don't have more information than this.

I can't understand how to start and implement it.

Looking for your kind support.

Regards,

Amit

ciscoamit_497 Sat, 02/04/2012 - 00:54

Hi Leo!!

I agree, but I don't have any idea about designing.

So, please help and provide an overview of it.

Thanks

v.ganapathi Sat, 02/04/2012 - 02:23

Hello Amit,

Not sure why you require so many firewalls. I can assume the ASA can be a perimeter firewall; what about the Fortigate? Are you going to have any other link terminated on the FG firewall? Unless you have some link terminating there, I don't see a requirement to have one extra pair of firewalls in there. This will add sheer latency.

Server farm

1) As you said, you have one VLAN defined for all the servers.

2) Also you said you need a technique to stop communication between servers.

OK, you have to do some reading for this. You have Cisco 3650 switches, so I would suggest using VLAN access-maps to block intra-VLAN traffic. Do some reading on VLAN access-maps.

ISP Redundancy

You said you have two ISPs and you want redundancy. Some questions for you to figure out:

"Will you have any inbound traffic from the internet? (i.e., will you have any servers exposed to the internet to provide public services?)"

About the ASA firewalls (considering them to be on the perimeter): based on how you plan to utilize your dual ISPs, you need to decide on the high-availability setup.

Figure out the above information and I will help you further.

Thanks

Vivek

ven.taylor Fri, 03/02/2012 - 10:02

Hi Amit.

This really isn't a task for the inexperienced. If you're new to this kind of thing, I'd recommend hiring a consultant for a while to help you with the onsite design considerations.

However, here are a few things to consider:

Your ISPs will hand you eBGP. You'll want to consider iBGP relationships if you'd like to load-share between your ISPs.

If they're strictly redundant, you may be wasting money if one isn't going to be used except in a failover situation.

Maybe some EIGRP between your premise routers and your core 3650s. Then you can redistribute EIGRP into BGP and vice versa.

Your ASAs can be installed right behind your premise routers. A simple inside/outside/DMZ configuration will do. If you have a web presence or an F5, it can go in the DMZ.

I'm assuming you'll want to use the 3560s as a core pair. Your next two strongest L3 switches should be a server distro pair. If you only have the two 3560s as L3 switches, then I'd recommend homing the servers on them as well as all your user distribution switches, and collapsing your core. You want to avoid single points of failure. That is paramount. User switches and servers should be dual-connected to your core switch pair.

Put all your switches in the same VTP domain and use VTP transparent (server/client will eventually bite you) with Rapid Spanning-Tree. Run HSRP, VRRP, or GLBP for all your user and server VLANs.

If you have enough L3 switches, keep all your server subnets on a separate pair of server farm switches. Run EIGRP between your server switch pair and your core switch pair. It will reduce routing overhead on your core switch pair.

I'm attaching a simple diagram that could push you in the right direction.

Exactly what kind of hardware do you have? You said you had some L2 switches and some routers.

I'm a little concerned about your requirement that the servers not talk to one another. Why? You've already got them in a single VLAN. If you're worried about chatter, each switch port is its own collision domain. Each VLAN is its own broadcast domain. If this is someone else's requirement, I'd push for a reason why.

If you're having problems on your server VLAN, you may have a server NIC issue to investigate.

Either way, if you have a lot of servers, I'd try to break them up into VLANs based on their purpose. If your servers provide DHCP, they'll need to be reachable by IP helper addresses on your user VLANs.

Keep your user VLANs /24. They're easier to manage and troubleshoot this way... no trying to figure out the gateway while you're trying to fix something. It's always .1. PC configuration is easier too.

I don't know how much experience you have, but I know it can be daunting. This is a lot of information. Be careful and design for tomorrow, not today. Figure out where you want to be, not where you are. If you design for today, you'll always be behind the curve.

Ven
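The following is an added Catalyst 3560 configuration sketch, not posted by anyone in this thread, that ties together Vivek's VLAN access-map suggestion and Ven's advice (VTP transparent, Rapid PVST, HSRP with a .1 gateway, IP helper for DHCP). Addressing (10.10.10.0/24 for servers, 10.10.20.0/24 for users, a DHCP server at 10.10.10.50) and the VLAN numbers are assumed placeholders; the second core switch would carry the same config with 10.10.10.3/10.10.20.3 and a lower HSRP priority.

```ios
! Layer 2 basics (Ven): transparent VTP, Rapid PVST
vtp mode transparent
spanning-tree mode rapid-pvst
!
vlan 10
 name SERVERS
vlan 20
 name USERS
!
! Assumed addressing: servers 10.10.10.0/24, users 10.10.20.0/24.
! Gateway traffic must be matched first, otherwise servers would
! lose their default gateway (.1 is the HSRP VIP, .2/.3 the SVIs).
ip access-list extended SERVER-GATEWAY
 permit ip any host 10.10.10.1
 permit ip host 10.10.10.1 any
 permit ip any host 10.10.10.2
 permit ip host 10.10.10.2 any
 permit ip any host 10.10.10.3
 permit ip host 10.10.10.3 any
! Intra-subnet server-to-server traffic (Vivek): this is what gets dropped.
ip access-list extended SERVER-TO-SERVER
 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! VLAN access-map evaluated in sequence order; ARP is non-IP and is
! forwarded because no "match mac" clause exists in the map.
vlan access-map SERVER-ISOLATION 10
 match ip address SERVER-GATEWAY
 action forward
vlan access-map SERVER-ISOLATION 20
 match ip address SERVER-TO-SERVER
 action drop
vlan access-map SERVER-ISOLATION 30
 action forward
vlan filter SERVER-ISOLATION vlan-list 10
!
! Server SVI with HSRP (Ven): gateway is always .1
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
! User SVI: relay DHCP broadcasts to the assumed server at 10.10.10.50.
! Relayed packets are sourced from 10.10.20.2, so the VACL drop rule
! (which only matches 10.10.10.0/24 to 10.10.10.0/24) does not hit them.
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 ip helper-address 10.10.10.50
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt
```

Verify with `show vlan access-map` and `show vlan filter`; if the servers also need to reach each other for specific services (backups, AD replication), add those flows to SERVER-GATEWAY-style forward entries before the drop sequence rather than removing the filter.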

Posted February 4, 2012 at 12:30 AM