We are going to have a second T-1 installed using 2-2620 routers and 3 3550 switches and want to use both T-1's for 3 meg bandwidth. We would also like for 2 of the routers and 2 of the switches to back each other up. We have a checkpoint firewall that we plan to replace with 2 Pix and add an IDS and CSS later. Any help on what would be the best design?
Thanks for your reply. I currently have a CCNA but I'm a little short on design and switches. I'm much more at home with routers. Currently we are at one location. The idea here is to make our intranet connection and servers redundant. This may mean we move half of our equipment to a building 500 feet away (fiber) or possibly across town (T-3). With this in mind we would like to have full use (inbound and outbound) of the 3 meg pipe to our ISP. All 3 switches are WS-C3550-24; one is SMI, the other two are EMI and are currently on order along with the second T-1. The two 2620s are in place, one with a full T-1; the other is a backup T-1 for the first that will become a second T-1 in one week. We would like to put the two 3550 EMIs (for HSRP) behind each router, one each, and trunk to both routers in a VLAN. Behind the switches is currently a checkpoint firewall, soon to become two redundant PIX. Then the third switch (3550 SMI). I could send a Visio drawing if that would help. With this said, here is my first round of questions:
1 Are we correct that we need EMI on switches SW1 and SW2 for HSRP and only SMI on SW3?
2 We are going to combine our T-1s using the 3550 switches. Can these do load balancing and HSRP at the same time?
3 In the future we plan on getting 2 Cisco Pix 525s, 2 CSSs and an IDS. Is there anything we should do setup-wise to the switches to help this?
4 Should the DMZs be put on SW3 and have VLANs or should they go directly to the firewall?
5 How would you set up SW1 and SW2 to do load balancing for the routers?
6 Can 2 trunks, 1 on SW1 and 1 on SW2, each going to a different router, load balance for the internal network?
I hope this helps you out some. Also, if you would like to send me a Visio, I would be more than happy to take a look at it.
1 - You can run HSRP between the two routers and not need two switches. 2 switches would make for a more redundant connection, but all you need is 1 SMI switch connected to the 2 routers and configure them for HSRP.
2 - Do you truly want to load balance or do you want one T1 to be for backup purposes? Are the 2 T1s from the same ISP and autonomous system? If they are, then you can just use static routes to do load balancing and have the ISP set up static routes to you. If not, BGP will need to be involved. Yes, the routers can do load balancing and HSRP at the same time.
4 - My personal preference is to always put the DMZ off a separate port on the Firewall.
5 - HSRP does not load balance, so you would have a couple of choices to make if you truly want to load balance from the internal network to the routers. You could do load sharing instead of load balancing and set up multiple HSRP groups on the routers for each different VLAN you have and use a different priority on the routers for each group. This would cause the different VLANs to each use the specified router as the primary. Another choice would involve a 3rd router but would only require 1 switch. If this option is of interest then let me know and I can go into more detail.
I hope some of this helps. Also, like I said before, feel free to send me the Visio and I will look at it, and send me any questions you have.
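The per-VLAN HSRP load sharing described in answer 5, written out as an added example (not part of the original reply). The VLAN IDs, subnets, router names R1/R2 and interface names are assumptions chosen for illustration.

```cisco
! Constructed example: VLANs 10/20, 192.168.x.0/24 and Fa0/0, Serial0/0 are assumed.
! ---------- R1: active for VLAN 10, standby for VLAN 20 ----------
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.1
 ! Higher priority makes R1 the active gateway for group 10
 standby 10 priority 110
 standby 10 preempt
 ! If R1's T1 goes down, priority drops to 90 and R2 (100) takes over
 standby 10 track Serial0/0 20
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
 standby 20 ip 192.168.20.1
 standby 20 priority 100
 ! Preempt lets R1 take over group 20 when R2's tracked T1 fails
 standby 20 preempt
!
! ---------- R2: active for VLAN 20, standby for VLAN 10 ----------
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.3 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 100
 standby 10 preempt
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 standby 20 ip 192.168.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 track Serial0/0 20
```

Devices in VLAN 10 use 192.168.10.1 as their gateway and devices in VLAN 20 use 192.168.20.1, so each T1 carries one VLAN's outbound traffic until a failure moves both groups to the surviving router. Inbound distribution still depends on the ISP-side routing discussed in answer 2.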