This is what our network currently looks like. It used to have all the access switches daisy-chained together, with one of them wired back to the core switch. I layered the switches so that there is an aggregate switch in each network closet. The access switches all connect to the aggregate, with the aggregate switch in each closet connected back to the L3 core switch. This L3 core switch does all the internal routing between inside VLANs, and has a default gateway of the 'inside' interface on the firewall.
What do you not like? Any obvious pitfalls?
I have a second L3 switch with a different set of fiber going to each closet. How would you add it for redundancy as well as load balancing without creating broadcast storms?
For redundancy, you need a second layer-3 core switch. Bring up a second switch and connect it to the first one using a layer-3 link, and run VRRP or HSRP between them. This way, if your first core switch goes down, your users are not out of business.
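The following is an added configuration example (not posted by Reza or the original poster) of what the suggestion above looks like on two Cisco IOS L3 switches: a routed point-to-point link between the cores, HSRPv2 on the user VLAN SVIs, and the active router alternated per VLAN so the second core also carries traffic rather than sitting idle. VLAN IDs 10 and 20, interface names, the HSRP key and all addresses (including 192.168.1.1 for the firewall inside interface) are assumptions for illustration; it also assumes both cores see every user VLAN, since HSRP only works between routers on the same layer-2 segment.

```cisco
! ---- Core-A (the existing L3 core) ----
hostname Core-A
!
spanning-tree mode rapid-pvst
! Align STP root with the HSRP active router: Core-A for VLAN 10, Core-B for VLAN 20.
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary
!
! Routed point-to-point link to Core-B. "no switchport" keeps this link out of
! every VLAN (VLAN 1 included), so it can never form a layer-2 loop.
interface GigabitEthernet1/0/48
 description L3 link to Core-B
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! Track the uplink towards the firewall inside interface (assumed Gi1/0/1).
! If it goes down, HSRP priority drops and the other core takes over.
track 1 interface GigabitEthernet1/0/1 line-protocol
!
interface Vlan10
 description User VLAN 10 (assumed)
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string CHANGE-ME
 standby 10 track 1 decrement 30
!
interface Vlan20
 description User VLAN 20 (assumed)
 ip address 10.10.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 90
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string CHANGE-ME
 standby 20 track 1 decrement 30
!
! Default route to the firewall inside interface (address assumed)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ---- Core-B (the second L3 switch): mirror image with priorities swapped ----
hostname Core-B
!
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root secondary
spanning-tree vlan 20 root primary
!
interface GigabitEthernet1/0/48
 description L3 link to Core-A
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
track 1 interface GigabitEthernet1/0/1 line-protocol
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 90
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string CHANGE-ME
 standby 10 track 1 decrement 30
!
interface Vlan20
 ip address 10.10.20.3 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string CHANGE-ME
 standby 20 track 1 decrement 30
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Hosts in VLAN 10 use 10.10.10.1 and hosts in VLAN 20 use 10.10.20.1 as their gateway; with priority 110 on one core and 90 on the other, each VLAN's traffic normally flows through a different core, which is the load balancing the question asks about, and a 30-point decrement on uplink loss is enough to hand the VIP to the peer. The default gateway on each core still points at the firewall inside interface, as in the original drawing. Verify with `show standby brief` on both cores (one should be Active and the other Standby per group) and `show spanning-tree root` (the root bridge for each VLAN should be the same switch that is HSRP active for it). One caveat worth checking: any static routes on the firewall for the inside networks should point at an HSRP virtual address on the transit VLAN, not at Core-A's physical address, or return traffic will still die when Core-A goes down.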
Sorry about the file format. I have re-saved it as a .jpg.
Does the aggregate switch that sits between the outside and inside make this network less secure? Should I lose that switch and just have the edge router connected to the outside interface of the firewall, the L3 switch connected to the inside interface of the firewall, and the DMZ and testnet networks connected to their own interfaces? The aggregate switch may have been legacy from our old PIX. I am still new to this, but I'm not seeing the value of the aggregate switch that is after the edge router.
Also, on the drawing I have the Core, Distribution, and Access layers labeled, or what I believe to be those layers. Is that a reasonable or accurate description of those layers based on Cisco definitions?
Thanks again for your time and energy, I really do appreciate it.
Reza is right about adding a second L3 switch for redundancy.
However, there are more serious concerns. You have a trunk link to the aggregate switch that allows vlan 71, which is your outside vlan on the firewall. I'm assuming, or hoping, that you don't have an L3 SVI for vlan 71 on your L3 switch?
The aggregate switch is needed because you are bringing in 2 external routed connections, i.e. VOIP and Internet, but whether you want to terminate them both on the same physical switch is debatable. At the very least you should remove the trunk link between the L3 switch and the aggregate switch and simply connect the L3 switch to the inside interface of the firewall, as you say. At least this way you can only get to the L3 switch from the internet by going through the firewall.
The problem you then have is that for VOIP traffic you may not want to go through the firewall. Is your VOIP network secure, i.e. is it leased lines etc.?
If so, the trunk as it is between the L3 switch and the aggregate switch could be changed to an access port in vlan 70 only, so that VOIP traffic could bypass the firewall. Everything else on the outside of the L3 switch needs to go through the firewall.
The aggregate switch is presumably where all your DMZs etc. are created, so it is needed. I would still not be entirely comfortable allowing a connection between that switch and the L3 switch, even just for VOIP. If possible, i.e. if you had a spare switch (it doesn't have to be L3 or anything), you could use that for your L3 switch -> VOIP router connection and then just use the aggregate switch for everything related to the firewall.
Edit: just noticed that your trunk link is also allowing vlan 1. Vlan 1 is not secure and it is recommended not to use it, even internally. For an internet-facing switch it is even more important not to use it. If you are using vlan 1 to manage the aggregate switch, then change it to an unused vlan and shut down vlan 1.
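As an added example (not configuration posted by anyone in this thread), here is what the two fixes in the answer above look like in Cisco IOS: on the L3 core, the trunk towards the aggregate switch becomes an access port in vlan 70 so that only VOIP can bypass the firewall and vlan 1 and the outside vlan 71 no longer reach the core; on the aggregate switch, management moves off vlan 1 onto an unused vlan and vlan 1 is shut down. Interface names, vlan 99 and 999, the DMZ/testnet vlan numbers and all addresses are assumptions for illustration.

```cisco
! ============ L3 core switch ============
!
! Before (as drawn): a trunk to the internet-facing aggregate switch that
! carries vlan 1, the VOIP vlan 70 and the firewall OUTSIDE vlan 71.
! interface GigabitEthernet1/0/23
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 1,70,71
!
! After: a plain access port in vlan 70. Nothing tagged can cross it, DTP is
! off so the far side cannot negotiate it back into a trunk, and root guard
! stops the aggregate switch from ever becoming the STP root of the inside.
default interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/23
 description VOIP-only link to aggregate switch (bypasses firewall by design)
 switchport mode access
 switchport access vlan 70
 switchport nonegotiate
 spanning-tree guard root
 no shutdown
!
! Make sure the core has no layer-3 presence on the outside vlan.
no interface Vlan71
!
! The core reaches everything else on the outside only via the firewall
! inside interface (addresses assumed).
interface GigabitEthernet1/0/1
 description To firewall INSIDE
 no switchport
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ============ Aggregate switch (layer 2 only) ============
!
! Management moves to a dedicated, otherwise unused vlan.
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
interface Vlan99
 description Management; reachable only from inside through the firewall
 ip address 10.99.0.10 255.255.255.0
 no shutdown
!
ip default-gateway 10.99.0.1
!
! vlan 1 gets no address and is shut down.
interface Vlan1
 no ip address
 shutdown
!
! Port towards the L3 core: access in vlan 70, matching the core side.
interface GigabitEthernet0/24
 description VOIP-only link to L3 core
 switchport mode access
 switchport access vlan 70
 switchport nonegotiate
!
! Any trunk this switch still needs (assumed Gi0/1-2, carrying VOIP, outside,
! DMZ and testnet vlans) gets an explicit allowed list and an unused native
! vlan, so untagged frames never land in vlan 1.
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 70,71,80,90
 switchport nonegotiate
```

After applying this, check on the core with `show interfaces GigabitEthernet1/0/23 switchport` (Operational Mode should be `static access`, Access Mode VLAN `70`) and `show ip interface brief | include Vlan71` (no output expected). On the aggregate switch, `show vlan brief` should show no ports in vlan 1 and `show interfaces trunk` should list native vlan 999 and no vlan 1 in the allowed list. Management of the aggregate switch is then only possible from the inside by going through the firewall to 10.99.0.10, so the firewall needs a rule permitting that from the admin network and nothing else.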