Cisco Support Community
Community Member

Newbie high-level design

Hi all,

As you see, we are new at this.

6 VLANs on the first floor, 4 on the second. Each floor has a C4500, tied together with redundant fiber.

The switch on the second floor sits with the router to the internet.

Do we have the right idea? Please advise.

Also, how can we add more redundancy like a second ISP?


Re: Newbie high-level design

You might want to use a simple switch (2950 or 2960 series) to connect everything that should continue to be available when the first 4500 goes down, as this is now a single point of failure. Such a "simple" switch is more likely to stay up in case of a disaster. This switch should be uplinked via Gigabit to both 4500's.
Re: Newbie high-level design

With only 2 switches you are somewhat limited.

I guess you could cable the first floor switch to the 3800 and you could then still have internet access if your floor 2 switch fails.

It is very uncommon for these switches to fail but you could buy redundant supervisors if you really want to attempt for a zero downtime model.

It depends what level of redundancy you want. With that Checkpoint firewall and all that other equipment in your path it is going to cost lots to be able to duplicate all that.

If you just want ISP redundancy you will need to make that change beyond your Checkpoint firewall. I assume there is another router of some kind that you do not show. This is the location you need to put your second ISP in. You can then work your way back toward your network duplicating equipment as you go.

Community Member

Re: Newbie high-level design

Thanks for the replies guys.

If I link the 4500s together, it will provide redundancy in case one fails, correct? Also, my WAN router handles 2 ISPs for Internet redundancy, unless my IDS/firewall/etc. gear fails? Are there any common practices to mitigate this without duplicating the path?

Does it make sense to put firewall/IDS between switches, etc. to prevent spread of attack? (This is a financial institution).

I've attached an updated diagram and VSD; repost any changes if you feel so inclined :)

Re: Newbie high-level design

When I look at your Internet connection, I find there are quite a lot of systems in a single chain. This will of course increase vulnerability. You might want to look at the Cisco ASA to combine several functions in one device. Please check the attached URL if you want some design tips and common practices: