Cisco Support Community
New Member

Tips for new topology

Hello everyone.

I want to improve the network of the University where I work; I have attached images of the current state and the desired state.

We have two circuits: one for classroom Internet, wifi and laboratories (30 MB) and one for the administrative staff (12 MB) of the Institution. Laboratories exit through this segment.

In the proposed improvements I have placed all the VLAN interfaces in the core and created ACLs so that the wifi, student, laboratory and classroom networks cannot communicate with the administrative segment, and so that access to the IPVPN, DMZ and servers has to go through the firewall.

Some said to me:

     Placing the interfaces in the core is not recommended; they should go into the firewall.
     Reduce the laboratory VLANs (currently one VLAN per laboratory), because I am generating unnecessary overhead.

Currently I have the 5520 and I was proposing a 5515-X. I now have a total of 3000 users (students and staff), which will grow to approximately 6000 users in the next few years (a new pavilion will be built).

I wonder if the 5515-X is good enough or whether I should look at the 5525-X.

I would like to know how to handle these types of scenarios, in this case a university.

Hall of Fame Super Silver

Your proposed subnets are good as you can easily summarize them and manage the access-list on the switch should you decide to stay with your plan of keeping it there. While I can see why some would advocate putting all the L3 interfaces on the firewall, it only makes it unnecessarily act as the router between/among Lab and staff subnets.

Which model of firewall to use depends more on the overall throughput you need. The data sheet shows that either model has more than enough throughput for your traffic volumes. Note that keeping local LAN-LAN traffic on the core switch keeps the ASA from having to carry that workload as well.

I would consider some of the ASA Next Generation Firewall services - CX (with WSE and AVC) or FirePOWER modules. Those give you the deep visibility into traffic and advanced protection capability that is alluded to with your placement of the web filtering appliance on your diagram.
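The following is an added illustration of the design the reply endorses (SVIs and the inter-VLAN ACL on the core switch, with only non-local traffic handed to the ASA); it is not configuration from the thread or from the university's network. The VLAN numbers and RFC 1918 addresses are constructed placeholders chosen so that the user VLANs summarize into one /16 and the administrative segment into another, which is what makes a single reusable access-list possible.

```cisco
! Added example, not from the original thread. All addresses and VLAN IDs
! are constructed placeholders; replace them with the real campus plan.
! Assumed layout: student/wifi/lab/classroom VLANs summarised as
! 10.20.0.0/16, administrative staff in 10.10.0.0/16, servers/DMZ/IPVPN
! reachable only via the ASA inside interface at 10.100.0.1.
!
! --- Core switch (IOS) ---
vlan 10
 name ADMIN
vlan 20
 name STUDENTS
vlan 21
 name WIFI
vlan 22
 name LABS
vlan 23
 name CLASSROOMS
!
! One ACL applied inbound on every user-facing SVI. Because the user
! subnets summarise to 10.20.0.0/16 and admin to 10.10.0.0/16, the same
! list works for all four VLANs with no per-subnet entries.
ip access-list extended CAMPUS-USERS-IN
 remark Only traffic sourced from the user summary may enter (anti-spoof)
 deny   ip any 10.10.0.0 0.0.255.255
 remark ^ user VLANs never reach the administrative segment
 permit ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 remark ^ user-to-user traffic stays on the core, never touches the ASA
 permit ip 10.20.0.0 0.0.255.255 any
 remark ^ everything else (Internet, servers, DMZ, IPVPN) follows the
 remark   default route to the ASA, where its policy decides
 deny   ip any any
!
interface Vlan10
 description Administrative staff gateway
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description Students gateway
 ip address 10.20.0.1 255.255.255.0
 ip access-group CAMPUS-USERS-IN in
!
interface Vlan21
 description Wifi gateway
 ip address 10.20.1.1 255.255.255.0
 ip access-group CAMPUS-USERS-IN in
!
interface Vlan22
 description Laboratories gateway
 ip address 10.20.2.1 255.255.255.0
 ip access-group CAMPUS-USERS-IN in
!
interface Vlan23
 description Classrooms gateway
 ip address 10.20.3.1 255.255.255.0
 ip access-group CAMPUS-USERS-IN in
!
interface Vlan100
 description Transit link to ASA inside
 ip address 10.100.0.2 255.255.255.252
!
! Anything the core does not know locally is handed to the firewall
ip route 0.0.0.0 0.0.0.0 10.100.0.1
!
! --- ASA side: two summary routes back to the core are all it needs ---
! route inside 10.10.0.0 255.255.0.0 10.100.0.2
! route inside 10.20.0.0 255.255.0.0 10.100.0.2
```

Two points the example is meant to make visible. First, the ACL only segments the local VLANs; it deliberately does not try to enumerate the servers, DMZ or IPVPN, because those sit behind the ASA and its policy remains the enforcement point for them. Second, `show ip access-lists CAMPUS-USERS-IN` on the switch shows hit counts per entry, which is the quickest way to confirm after cutover that the deny toward 10.10.0.0/16 is actually catching traffic and that user-to-user flows are matching the local permit rather than being sent to the firewall.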