Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

4506 Core Switch, 7204 Core Router, 3700 border router - HELP

Hi, I'm looking for some guidance/recommendations. I'm looking at ways to eliminate the need for extra equipment/costs and here is what I am thinking.

I currently have Comcast EDI (CPE) that connects to my 3700 border router, from the border router I have a 2960 External Switch that connects to my 2 HA firewalls, the firewalls then connect to my internal network via the 4506 core switch (just switching) and then for routing I have the 7204 core router.

What I am thinking about attempting is to eliminate the border router, external switch and core router and use just my 4506 for all three. I can easily conceive of how to move my core router into my core switch, but I'm not sure if A) its a good idea to move the border router to the core switch B) how to vlan this with the default gateway as I currently have on my border router C) if it is a security concern to set it up this way.

Any help, guidance or suggestions on this would be appriceated.

3 REPLIES
New Member

4506 Core Switch, 7204 Core Router, 3700 border router - HELP

Hi,

It seems the most logical thing to do would be to eliminate your external switches and 1 firewall.  Under your current scenario you have a single router and a single core switch, both single points of failures.  Having 2 firewalls does not really buy you anything because you have a single core and single BR.  In fact you have actually introduced another point of failure by adding the 2960 switch.

You can certainly get rid of your BR and connect your CPE device directly into your FW.  Then you can connect your FW into your core router.  I will assume you have 1 Vlan since you do not list any.  The easiest configuration would be to have our FW internal interface be the DG for all of your devices and the FW will forward all of your external traffic to your CPE.  All local traffic will be switched within your 4500.

If you have more than 1 vlan the DG on your internal devices would simply be the VLAN interface on the core switch.  For example if you have VLAN 10, create a vlan interface w/ ip address of 192.168.1.1 /24.  All devices on that vlan would use 192.168.1.1 as their DG.  VLAN 20 would have a vlan interface of 192.168.2.1 /24 and all devices on that vlan would have a DG of 192.168.2.1.  The Core Switch itself would have a DG that pointed to the FW internal interface.

Hope that helps.

New Member

4506 Core Switch, 7204 Core Router, 3700 border router - HELP

Thanks for the reply. To clearify, yes I have multiple VLAN's (data, voice, wireless, etc) so that is a good point and helpful information. As for the firewalls they are setup as primary/standby and thus are valuable in the event the primary goes down then the secondary would pickup until the primary came back online.

Finally, let me help clear up the picture. Below is my current network setup, I would like to eliminate the Border Router, Core Router and External Switch and use only the Core Switch. What I think I need to do is 1) turn on routing on the core switch give it the IP that I currently use on my core router for the default gateway of all my internal traffic, and setup all existing routes that I had on my core router. 2) I would create a VLAN for the Border router, give it an IP and needed routes. 3) Designate two ports in a VLAN for both firewalls, acting as the external switch. Thus eliminating both routers and 1 switch leaving me with just the 4506.

Avendittelli,

Does this still seem feasable and logical? Or am I missing what you are describing to me as the direction I should take?

Thanks again...

New Member

4506 Core Switch, 7204 Core Router, 3700 border router - HELP

It seems what you want to do is correct.  Remember CEF will do all the routing for you when you create VLAN interfaces.  So be careful when you create the vlan interfaces as routing will happen between them automatically.

Make sure you create your default route and you should be good with the plan you stated above.

1154
Views
0
Helpful
3
Replies