Cisco Switching/Routing :: ASA5505 / Network Design With Multiple Gateways?
Apr 11, 2013
remote location on MPLS circuit terminated on a Cisco router that has Internet connectivity through Central Site router. We are installing a cable modem at the remote location that is to be used as the Primary Internet Connection but still be able to use Internet through MPLS if the cable Internet goes down. We want the failover/fallback to be handled automatically.
We have an ASA5505 for the cable Internet which then feeds into the ISPs modem.
At first I was thinking about getting a module for the remote router so the cable Internet could be terminated on the remote router as well but that introduces a single point of failure. I would also like to firewall both the MPLS and the cable Internet but if I do so on the ASA there is another single point of failure.
We have two Cisco 5505 firewalls connecting to two ISP's . The two internal LAN's on the firewalls are 192.168.184.0/24 & 192.168.186.0/24. We also have a Cisco C3560x layer3 switch with vlan interfaces 184.3 & 186.3. We have two DGS-3100 Dlink layer 2 switches connecting our users to the Layer 3. Ip routing is enabled for intervlan communication & I can reach the Switch interfaces & firewall gateways from machines on both on the vlans.We have pbr enabled on the 3560 & users only on the .186 network can get to the internet. The switch is running the ipservices license & the sdm template is "desktop routing" .
Users on the .184 cannot access the internet but we can ping the layer3 interface & the firewall gateway. [code]
I have a small network that i want to setup, i have 1 2900 router and i'd like to create subinterfaces for the internal. but more importantly i'd like to have the dsl modems connected to the router with traffic from one subinterface going through one modem and traffic from the other going through the other.
I'm looking for feedback and constructive criticism on our network redesign project for our company.We are currently on a 192.168.1.x/24 and running out of addresses. We are looking to move to the following design and implement VLANs as well for segregation and security. We are probably going to use a few SG300s for switches. [code]
I have been recently asked to design a network. What I have for equipment is four 2960G's and one 1941 router. One switch is a root switch and the other three will have end devices on them.I have decided on three V lans to go with: VLAN20 Data, VLAN30 ISCSI, and VLAN99 Management each with seperate trunk links and redundancy (see picture below).
I have a seperate trunks for each V lan using the switch port trunk allowed. With exception to the Data V lan.My design has the Data V lan as the native because it is going to be receiving untagged traffic from the external network. I have set up inter v lan routing on the 1941 via sub-interfaces to allow them to talk to each other (or because of allowed they cannot?). I have one port coming from my router to my switch via Ethernet cable which is my bridge out. I have my external port doing a NAT translation for my inside addresses and a Default route set up ip route 0.0.0.0 0.0.0.0 gig0/0. I am using rapid- PVST to prevent loops and provide my zero downtime convergence when a link goes down. As it stands right now I cannot talk out of my network or inside of my network.
You can see it is highly redundant and I do not want to change it. This network is going to be deployed but there will never be anybody physically there to manage it which is why I made it as redundant as humanly possible.
I am just browsing and looking for a solution to converge my multi-vendor switched network and bring some redundancy to it as recently we managed to get a redundant links. I have a need to change core switch to Cat3750G, which has Per-V LAN-RSTP+ on board, but tests have shown that it won't be compatible with some other proprietary per-V LAN RSTP solution other vendor's switches use currently.
So, I thought maybe standard-based MSTP design might do the trick. I've made some tests and got some weird and unstable switching result. I have two topology rings with a core switch in the center. Every ring has about 10 switches, so practically network diameter may vary from 5 switches (when spanning-tree converges in the center and I have a blocking port somewhere int the middle of the ring) to about 10-11 switches (if a I have link failure on any of ports right at the core switch). I disconnected one port from core switch to eliminate a possible switching loop while I will be configuring new MSTP design. Then I started enabling MSTP on all the switches staring from core Cat3750G to MSTP, one by one, placing all switches to the same MSTP region, and placing all V LAN's to default MSTI0(CIST) cause I don't need to organize any separate MSTP instances for every V LAN or for group of V LAN s. When I turned MSTP on on 7th or 8th switch in the chain (cause I had a physical chain when I disconnected one port out of redundant ring) I got all switches "flapping", storming and flooding the network with broadcasts. Even when I had one redundant port disabled.
I have no idea what I am doing wrong. I noticed that Cat3750G has an option that defines a possible network diameter which actually automatically changes some hello, max age etc. attributes according to diameter specified. When I defined a maximum network diameter of 7, if didn't change anything: I still have hello timer of 2 sec etc. I've been wondering if the maximum network diameter has something more than just a "variable" to fine tune hello timers etc? Maybe I won't be able to use MSTP in my network which might have diameter more that 7 switches. Or maybe it was a mistake of placing all the switches to the same region and all the v LAN s to the default MSTI0 (CIST) and I should configure one MSTI per V LAN or per some group of V LANs and subdivide my switches to few MSTP regions?
We our currently using site-to-site VPN tunnels to connect our multiple offices using static public IP's via ADSL connections.We wanted to get an additional ADSL connection from a different ISP so that if one connection drops, the other could be used.Are there any hardware devices or tricks we can use to automatically get our networks to failover to use the backup ADSL connection and have our VPN traffic remain up?
I have mobile users using air cards that connect to the network with a VPN product called Net Motion. Our firewall is a ASA 5510. Once connected to the Net Motion VPN server the user will get a DHCP address from our network. In the past we could not get the VPN tunnel to complete since our layer 3 switch (3750G IP services) has 3 egress points and the egress point that we needed the VPN traffic to go out of is not the default gateway. To solve this we had the air card carrier set switch our air cards to static IP addresses and using route statements for the public IP addresses and access lists we got it to work.
The problem with this is that every new air card we provision needs a static IP address. My question is would policy based routing work in this scenario? The problem has been that the VPN tunnel was not able to complete the negotitaion phase as the traffic came into the switch and was trying to go out the default gateway. The VPN client wont get an internal IP address until the VPN tunnel is created.
I would like to get away from using static IP addresses.
We are in the process of installing time clocks at some of our sites around the USA. Our security department has asked that the time clocks be completely isolated from the rest of the network. The time clocks will be administered by ADP via a centralized firewall utilizing NAT. We have multiple subnets available at each site. Let me give an example to calrify what I would like to do. Example: Site A has 10.168.19.0 /24 user subnet and is configured for VLAN1 using 10.168.19.1 on the router as the default gateway. I would like to use subnet 10.168.20.0 /24 for the time clocks, configure it for VLAN2 and use 10.168.20.1 as the router gateway address for VLAN2. This should allow me to NAT one of our additional public IP addresses to the 10.168.20.1 gateway address thus completely isolating the time clocks from the remainder of the network. Problem is I have not done this before so I'm a little confused about how to configure it in the Cisco 3750 switches.
We have a HP Procurve 5412zl switch as our default gateway for all our VLANs from there the traffic will be going to a Cisco ASA 5515 and then to a Cisco 3800 Router then to our ISP.
We have yet to purchase the ASA but my question is about my future configuration. I will have the router of last resort on the 5412zl setup to point to the ASA inside interface, how does that work with multiple VLANs? For instance the ASA inside interface would be 10.0.0.1 but traffic could come from another VLAN via the switch with a 192.168.1.x address. Would the ASA just pass it on to the router? Or would it conside this spoofing and drop the packet?
Lastely, if we have WCCP set for the ASA's inside interface, how would it handle the redirect for multiple VLANs ip addresses? Would I use GRE for the redirect to my web filter?
I have 2x v10000 Websense Security Gateways that are connected to 2x 6500 SUP720. When I turn on cluster management function between Websense appliance, they speak to each other only if they are connected in the same 6500. When they are connected one in every 6500 cluster management does not work. They are connected on the same physical vlan. Do I need multicast to be configured in the 6500 switches?
We have 2 sites, each with 2 x 4506 switches which will be connected togther using an etherchannel. The switches will provide access ports for client devices and will be configured with HSRP to provide gateway redundancy. SW1 will be HSRP active.2 metro ethernet links will be installed in each site which will connect back to our HQ sites. OSPF will be used over the backbone to provide resiliency and to allow shortest path routing to each HQ and to prevent traffic over the HQ to HQ link.
The 4506 will be trunked togther with an SVI for providing OSFP adjacency.For the traffic flow from SW2 to HQ2, traffic will hit SW1 and then route back to SW2 and then to HQ2. Is this the best way to do this? Should a second link be connected between switches just for routing or should something like GLBP be used?
I have a typical LAN environment that spans across a large warehouse. I have done a lot of redesigning of the environment to satisfy the need for a disaster recover plan. I now have created a LAN with multiple v lans and must also connect all the access layer switches back to the core switch where the servers are.
I was thinking of something simple such as Port channel of 2 Gbps across the backbone and simple floating static routes . I have then moved my wan access link to a 3750 and implemented routing a CEF at each of the 3 core switches (blue). My question is more of design.
We have remote office where we have 2921 router with 6 layer 2 switches. We have few servers which need to be in specific vlan.
2921 router does not have switching engine we are using this to support VOIP.
So on 2921 router i created 6 sub interfaces for each vlan and assign them to their specfic vlans. Then I have trunk connection to switch 1. Now switch 1 connects to all other switches in the network. As our company design all layer 2 switches should be transparent mode. i tested them i can ping from one switch to all other switches.
Router vtp mode i set to transparent mode and from all switches i can ping the router sub interfaces.
if the above design is acceptable how does the routers know which one is active and which one is standby ? if we need a direct connection between two routers they have to be on a seperate subnet and routers dont allow broadcasts - so how will hsrp work on routers ?
We are designing a LAN Network for ourselves.The proposed design is as follows:
4 x 2960S switches in a Stack Access-Stack-I 4 x 2960S-PoE switches in a second Stack Access-Stack-II
2 x 3750X switches in a Stack Core-Stack
Now I would like to connect it in the following manner ?First,I would like to use EtherChannel using the 10Gig LinksSecondly, I would like to use Cross-Stack EtherChanel too.I have given a graphical illustration of the connectivity Now my Qs: a) Will the 2960S supports EtherChannel using the 10G links and the 3750X too... b) Does the proposed solution will work... or It will have any problems.
QoS design problem that I have. I have a client that is deploying new 4507 series switches with SUP6Es. The client will be running lots of voice, streaming video, and video conferencing over the LAN and want to base QoS on Cisco Media net recommendations.
I need to design a new QoS policy with focus on the above media services with basic queuing for critical data services. I have read the Media net design guide and the suggested 12-class model will be too complex to start with but I have seen references to start with a 8-class model with the ability to easily migrate to 12-class in the future. The 8-class model meets all of our requirements but I need to understand how this will work with the 4507 queuing model? [URL]
I've been tasked to come up with a design to segment our internal network to reduce broadcast domain size. In addition, we are running out of DHCP available DHCP addresses. I need to have a solution that will give me more available IP's, but reduce our broadcast domain.
We are Cisco VoIP shop. Our current environment consists of dual 6509 chassis in a VSS config. We have 10 access switches that are model 3750's. Each 3750 has dual 1Gb fiber links to the VSS Core in an etherchannel configuration. We have 2 VLANS (data and voice) that spread throughout every switch. Both VLAN's have their own DHCP scope.
Our current broadcast domain is a 255.255.248.0, so we have over 2000 potential broadcast devices. Cisco recommends not having larger than 512. So my research has brought me to a design as follows:
MY DESIGN: > Have individual voice and data VLANs for each closet switch. > We have 10 closet switches so this would require 20 new vlans > With every separate VLAN we would need a different DHCP scope. > Configure 20 new DHCP scopes for the 20 new VLANs. > Each DHCP scope would have a 512 available addresses. > Enable IP Routing and configure EIGRP on the VSS Core and 3750's. > I'm tossing around the idea of have each 3750 be an EIGRP Stub. Not sure yet.
QUESTIONS: 1. How to verify what I described in my design? 2. Any alternative solution that might be less complicated than configuring Layer 3 on all my access switches? 3. Any thoughts on configuring EIGRP Stub vs. having the VSS Core do all the work? 4: Any template that I could base my 3750 config from?
Small datacenter design. My requirements and setup will be as follows Dell PowerEdge M1000E Blade Chassis (initially one full chassis)Dell Powerconnect 10GbE Blade SwitchesDell Compellent Storage Array 10Gb iSCSI with redundant controllersDell Powerconnect 7024 dedicated external storage Virtual host blade servers 2 x Cisco ASA for firewall (5525-X or similar in active-active configuration)2 x redundant routers or switches as gateway to public internet I am looking to be able to segregate customers (approximately 100) into seperate VLANs at the access layer and route them up to the Cisco ASA firewalls using Dot1Q trunking for segregation. The Cisco ASA's will perform NAT functionality and route to the redundant gateways. I then need to police each customers traffic at the gateway to limit bandwidth and perform specific traffic marking along with simply routing out to the internet.
Budget is somewhat restrictive so I am looking for the most "cost effective" devices I can use at the gateway to perform the traffic policing/marking/routing for each customer.
On occasion employees are downloading large files for business purposes, at very fast speeds. This has the potential to overwhelming our Internet circuits which causes our Customers problems accessing our Web Hosting services.
Our network is comprised mostly of 2960S switches for the employees. Webservers are connected to other 2960(nonS) switches and directly into the 6509 VSS.
Customer’s traffic comes in through one pair of ASA’s. Employee’s traffic is handled by another pair of ASA’s.
Employee traffic flows from the 2960’s, past an L3 SVI on the 6509, then through the Employee ASA’s, then to the ASR’s, then out to the ISP#1 or ISP#2
Web Server traffic flows from the 2960’s or 6509, to the Customer ASA, then to the ASR’s then out to ISP#1 or ISP#2. Web server traffic does not flow through an L3 SVI.
The goal is to allow employees the ability to have the most bandwidth they can, however customer traffic always has to be preferred in the event of a ISP circuit approaching its limit.
This past networkers I was at the Cisco booth discussing how the 2248 can connect to the 5548 and have server connectivity. It was told to me that now, as of a fairly recent NX-OS release, you can have the 2248 going dual-homed to both 5548 via VPC and then have a server connected to both 2248 and be in active-active mode. Is this correct?
When we first deployed our 5548 and 2248 we had to put the 2248 in a straight pin mode, where it only had connections to one 5548 and then the server would dual connect to the 2248's and be in active-active mode. I was told that this changed with an NX-OS release however documentation still seems to be fragmented on what exactly is the case.
I would like to do the following architecture with the same C3750 : network X,Y,Z connected to 3750 in VRF D the 3750 uses a routed interface on subnet E for the default route in VRF D on this routed interface a BYPASS EQUIPMENT the other BYPASS EQUIPMENT interface is connected also to another routed interface on subnet E "also" this routed interface is in another VRF C with other network A and B.do you know if it will work because of 2 routed interfaces on the same IP subnet or is there a way to do that ? the only goal for me is to catch traffic from network X,Y,Z on SYN and ACK.
We have our network setup as displayed in the attached. We have 2 HQ offices and 1 branch office. The branch office needs to connect to resources located at both HQs but taking the most effecient path. We have ethernet circuits connecting from each HQ to 2 x Cisco 3560 switches in the branch. HSRP has been configured on the 3560 switches with SW1 as active and SW2 as standby. OSFP has been configured in a single area 0 and the path cost on the link between HQs has been increase to allow 3560 SW1 to route to HQ1 directly and HQ2 via 3560 SW2.The 3560s are connected with a trunk with a L3 SVI for OSPF. This seems to work ok but I have noticed that the branch could become transit if the HQ1 to HQ2 link breaks. How can this be avoided? I realise that if we configure the branch subnets and SW1 to SW2 link in a stub area (area1) then all traffic will route from SW1 to HQ1 and will never share over SW2. I'm assuming that this is because OSPF chooses inter-area routes over intra-area.
I'm working designing a switch system for our core/data center.
We have 5 esx hosts, 2 sans with 3 nodes each. We have voice servers, a couple of routers and a few odds and ends. There are 7 other locations aggregating into this data center via 1-2gbps fiber connections. The bandwidth usage on these links is minimal, but there is a total of about 3000 devices aggregating into the system. My main concern right now is the 3560G's are seeing many output drops, due to the small buffer size on those switches. I have been looking at couple of options to resolve this issue, including the 4948E, 4507E, and 3750X switches.
Budget being the biggest factor, I am finding that the 4507 might be out of the price range. So I was leaning towards the 4948E switches for connecting the servers and iscsi san's as the 3750X is not recommended for iscsi. Redundancy is important so I would like to have two. The second concern is that I need to aggregate the fiber connections and for that I was looking at the ME-3600X or possibly the WS-C3750X-12S-E. I'm running eigrp, so this switch would need to have full routing, as it would also serve as the core switch for the 4948E's.
So in the end I was thinking that two 4948E switches up linked to the ME-3600X which would do full routing for the fiber aggregation and any routing needed for the servers and sans.
Servers and Sans_________4948E________ME-3600X_________7 fiber connections |____________4948E_____________|
I would look at a second ME-3600X in the future for redundancy. This is the lowest cost biggest buffer solution that I could find.
I've got a network with the following address and subnet mask:
xxx.17.0.0 255.255.0.0
The original gateway that we had on the network is at:
xxx.17.0.254
This gateway is a Netgear VPN firewall and it also has a bit of port forwarding going on to a couple of servers on the network.We've now had a new line put in and we have to use different hardware on that line so in order to phase that in, I've set this up as a new gateway at:
xxx.17.1.254
Internally, the clients and servers are quite happy with this and will happily use the new line.Problem arises when users connect via VPN to the OLD gateway (I haven't got VPN set up on the new one yet). Users can still connect to the VPN but can't see any machine that is using the new gateway.How can I get around that? Does the old gateway need a static route?
We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers. We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.We quickly dismissed the idea of using VRF-Lite due to the sheer number of Vlans we would need to managage and maintain, the point to point links alone just to get one additional VRF on each floor required far too many Vlans.As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, the fact that all switch to switch links can now be routed, instead of having to using SVIs.
I installed m0n0wall in a virtualized environment, i have 10 PCs connected to a router ( 192.168.1.0/24) which connect them to the internet through PPPoE, the problem is that this router does not have a QoS so what i want to do is the following :-
let all the PCs get their IP from the Router and the default gateway will be m0n0wall
the moon wall will have 2 interface (Lan 192.168.1.20) and (Wan 192.168.1.21 and default gateway 192.168.1.1)
now when any PC want to access the internet it should go through m0n0wall and then m0n0wall will forward the connection to the default gateway through the wan interface which is the PPPoE running on the router (192.168.1.1)
I need to route a subnet from a 7204 to 2 different gateway's which are not Cisco based. I cannot use HSRP, GLBP or VRRP as the other 2 gateways don't support theses protocols. Yet they do support OSPF, RIP, and BGP.... Take note that this setup is in a ISP scenario. How can I acheive gateway redundancy?
I have two different networks on same LAN.One net has public 2xx.x.x.x IPs (some on DMZ, they are servers with their own internal firewalling) and goes through a GBeth switch to a Cisco 25xx router for accessing HDSL modem with several HDSL trunks and then Internet. That router is configured to let external IPs access only DMZ IPs, of course.The other net has 192.168.x.x IPs and goes through another GBeth switch to a DLink router to access ADSL. Mainly for download traffic at a low flat cost.I would like to have a way to let the 192.x.x.x machines access the servers on the DMZ of the 2xx.x.x.x net without going outside the physical LAN. The servers host mail services and so sending heavy attached documents needs a hi-speed LAN connection and certainly not the ADSL upload capability. Not to say about servers web contents maintenance.
I would like to make a design with 4 Nexus 5596UP. 2 of them equipped with Layer 3 Expansion Module so they can serve as core layer and the other 2 Nexus used as Layer 2 for aggregation server layer.The 2 Nexus in the core layer will run HSRP and will peer with ISP via BGP for Internet connection The 2 Nexus in the aggregation layer will be configured as layer 2 device and have FEX and switches connected to them.What I am ensure of is how the vpc and port-channel configuration should look like between the 4 nexus. What I was thinking is to run vpc between the 2 Nexus in the aggregation layer and between the 2 Nexus in the core layer. Than I was thinking of connecting each Nexus in the aggragtion layer to both Nexus in the core layer using port-channel and vice-versa.
we are planning a Nexus datacenter project with this layout:Our experiences with Nexus switches are not so large until now and the manuals are very extensive.Both N5K´s should be connected directly with all 4 N2K switches. I did not find a layout like this in the manuals. Only a design,where only 2 N2K are connected to one N5K, with this fex config:Now I´m not sure if it is right to make a config like this with the same slots and fex´s or with different slots and fex´s.
For a branch office we have an ASA5505 connected to the ISP with an DHCP provided public IP "locked" to the local MAC This works ok!Now - the ISP may provide up to 5 public IP's (all DHCP assigned).Is it possible to configure 2-5 public interfaces in the ASA?? As IP's are DHCP assigned there must be something (a interface) to request the address.Would this be possible, and if so - what license would be required??NAT routing on the inside should be possible as well.
