IP Design scheme

viniciuscoutinho · ‎07-23-2013

Hi Guys,

I would like a help regarding to IP addresses in our Core Router (Cisco 2911), see the diagram attached.

Currently, we are doing a migration plan of our data center, that's new diagram, but we faced out a problem to set the IP addressES. We have to set an IP between the Core router (Cisco 2960) and the switches (Cisco 2911) to do the communication, but we cannot set the subnet 192.168.1.x, because it's the subnet to the int g/01 192.196.1.5 towards to Firewall and also we cannot change the subnet of our internal network...Switches, Servers

Do you have any idea how to figure out that?

Tks in advance! Vini

usasigcis · ‎07-23-2013

Vini,

first thing first, i recommend you not to publish your real public ip addresses here, you can use xxx on 2nd or 3rd octates to mask it.

when it comes to you problem, you dont have many options,

1) you should change the ip address of the router g0/1 connecting to firewalls , that would be the easiest approach.

2) can you split the /24 into smaller pieces such as 4 x //22 or 2 x /23

3) get rid of the router. just connect switches to firewall pair directly and connect the router to Firewalls which is going to Melbourne/Sydney

viniciuscoutinho · ‎07-23-2013

Hi there,

The goal is to control and manage the traffic from Melbourne / Sydney to the Internet that why we placed a router between firewall and WAN/Servers.
The Cisco Router 2911 comes with 3 gigabit ports as standard, the IT system administrator told if we install a module 4-Port Cisco EtherSwitch HWICs, we could set the IP subnet 192.168.1.x... coz it's in a different module...Do you think is that make sense?
Tks for your reply!!!

usasigcis · ‎07-23-2013

no you dont need an extra card.

you can create an bvi on the two ports of the 2911 and connect those two ports to FWs

and connect to sw to ASA directly for 192.168.1.0/24 network. if you dont want to change any address currently existing.

viniciuscoutinho · ‎07-23-2013

Ok, it's make sense, but if I connect the ASA firewall directly to the SW, I'll be able to control the traffic/monitor to the network 192.168.1.0/24?...as I mentioned the main goal of the router 2911 is control the traffic between WAN / net 192.168.1.0 and firewall.

usasigcis · ‎07-23-2013

in this case, you squeeze the router in between switch and ASA but re-ip the connection.

ex; ASA inside 10.1.x.1/29 <---> 10.1.x.2/29 Router 192.168.1.1/24 <----> Switch (192.168.1.0/24)

(192.168.x.0/24)

I

WAN(192.168.x.0/24)

makes sense?

usasigcis · ‎07-23-2013

please rate if that helped.

Thanks

viniciuscoutinho · ‎08-06-2013

As we cannot change any ip address, the best approach is to connect the switches ----> Firewall

Thanks for your help!