Cisco VPN :: 2800 - ASA With Two ISP VPN Design

May 29, 2012

We have a new office and have a 2800 router as a WAN router; it has a 3G card and a DSL link. We have an ASA which has to be configured to the 2800 router. We want the ASA to have a VPN link with the primary site over DSL; if DSL fails, it should automatically fall back to 3G. What do we really need, and how would it be done in terms of IP addressing? Do we need any special IP from the service provider?

View 2 Replies



Cisco WAN :: WAN Design Using Juniper SRX 2800

Jan 10, 2011

The local LAN is connected to a Cisco 2800 router and an SRX 210 firewall. Currently all LAN segment traffic goes to my data center via ISP A and all internet traffic from the LAN segment goes to the internet via the SRX firewall; there is no relation/connection between the Cisco router and the SRX firewall. I have separate AS numbers for both ISPs.

I have attached the scenario. Based on the current one, I would like to do the following.

1. I need to use PBR at the LAN switch (it's an L3 switch) such that in the normal scenario local VLAN traffic is equally distributed on both ISPs.
2. Dedicated internet traffic will flow through ISP B only, and if the WAN link of ISP B goes down, the internet traffic will pass through ISP A.

(In the normal scenario, ISP A will be utilized 100% for LAN traffic to reach the DC, but once the ISP B link goes down, the bandwidth of ISP A will be divided to route 50% of the LAN segment traffic to the DC and the remaining 50% of the LAN segment traffic to the internet.)

View 2 Replies View Related

Cisco VPN :: 2900 - How To Get VPN Design

Nov 24, 2011

Is GET VPN a better choice than DMVPN in order to support VoIP, Video over IP, Advanced QoS and Multicast? I think it should be the better choice based on what is described as the benefits and how it works, but I just want an expert opinion.

Can separate groups be created using the same key servers? I need to protect two functionally separate WAN segments that terminate on the same DC core routers. However, I want the separate WAN segments to have different encryption policies. Is this possible?

It is stated in the deployment guide for GET VPN that "Network Address Translation (NAT) is not supported by GETVPN. NAT must be performed before encryption or after decryption when GET is used." However, the NAT capability is required on all the routers.

The 2900 series routers have embedded hardware encryption, but according to the router performance guide, with a mix of traffic such as NAT, QoS and IPSec VPN they are unable to provide 100 Mbps of throughput. Would the new ISM VPN modules allow the routers to achieve 100 Mbps of throughput with the services mentioned above?

View 5 Replies View Related

How To Design Network

Sep 30, 2012

and this router will connect to 18 access points, and each access point needs 30 usable hosts... How do I design this network, and what subnet should I use? There is only 1 router, so there is only 1 default gateway. Is it true that if the network has too many hosts, the speed will slow down because they need to wait for other hosts to broadcast?

View 11 Replies View Related

Cisco :: Resilient Design Over Two Links

Jan 31, 2013

I have a customer with a unique configuration. They have two point-to-point connections: one using a laser link between buildings, and a backup fiber connection running OSPF. The issue is that when the laser link goes down, there is loss/no forwarding during the reconvergence, causing issues with transferring video feeds.

View 7 Replies View Related

Cisco LAN :: 3560 Network Design

Apr 1, 2012

I'm working on a new network design for my company. We're expanding and opening some more offices and satellite sites. We're a UK-based company but opening some US sites. We have a main UK office (Office A on the diagram), a call centre (Office B) and then two buildings on another site (Office C). The USA offices will be very small and only require a couple of computers, hence the small IP allocation. I have marked the IP addresses of the links on the diagram. I intend to use 3560 switches for all the switches marked, and all links will be layer 3 to route multiple VLANs from each site to each site (where permitted). My question is this: how do I achieve this in the switches? I'm thinking that OSPF is the way forward; is this right? I want to do as little configuration on the switches as possible to allow for dynamic updates of the network (i.e. I don't want to add static routes for everything).

View 7 Replies View Related

Cisco VPN :: 5520 - How To Create VPN Design

Apr 3, 2011

I need to design a site-to-site VPN and a VPN for remote users. I have attached a drawing and need to know if this is a good setup. Mostly my concern is security. I'm using an ASA5520 for the edge firewall, and Linux firewalls are for additional security. I have to create 5 site-to-site VPNs using IPsec and 5 remote VPN clients. The site-to-site VPNs are for trusted offices and the remote VPN clients are only for our staff's use.

From the diagram, the ASA5520 is configured as follows:

The outside interface is set to security 0 and connected to the border router to the internet. The inside interface is set to security 100 and is connected to a Linux firewall, which then goes to our internal LAN. The DMZ interface is set to security 50 and is connected to the DMZ segment. I decided to use the 4th interface for all VPNs, which is set to security 100, and for this 4th interface I have created two subinterfaces, VLAN 400 (for site-to-site VPN) and VLAN 500 (for remote access VPN). I did this because I have to use two separate Linux firewall boxes. The Linux firewall box for site-to-site VPN is configured with NAT, but the Linux firewall box for remote access VPN users is configured without NAT. I also want to know: do I need to create a CA server, or can I use a pre-shared key with XAuth for remote access VPN users?

View 1 Replies View Related

How To Design Ethernet Controller

May 23, 2011

I want complete details about Ethernet design and technologies.

View 1 Replies View Related

Cisco :: Fictional Network Design Assignment

Mar 5, 2013

I have gotten the assignment of constructing a fictional network for my school, and I cannot quite agree with myself upon which equipment I should choose. It's supposed to be all Cisco. I need to supply 5000 users all in all, but only 300 on this site. I need to know which connections would be the most reasonable to use and of course which routers "if any" and switches I need (plus additional modules if needed). I have tried to make a Visio representation, but I just think something is way off.

View 6 Replies View Related

Cisco :: VLAN Design - Possible Renumbering Of Network

Jul 5, 2011

I have a new project coming up that will require more IPs added to an already quite full class C network. My other issue stems from foolishly putting all hosts in the crowded C network onto the management VLAN. In turn, I have to make each port a trunk. Moving forward, I'm wondering what's best for design, or if I should just attempt to change the subnet mask across the board?

View 5 Replies View Related

Cisco WAN :: 2960 Network Design Query

Aug 22, 2011

I am in the process of planning our new network. Our business is changing from hosting its own data centre to moving it to a professional facility. We have 120 users, over 100 servers (physical and virtual) and three sites (main premise, data centre, DR site). The new network will connect all three. Our new WAN links are almost ordered. We will be making use of a managed MPLS IP VPN, with a 100M access rate at each site. I am currently focusing on the design of the network at the main business premise. We have a significant investment in Cisco 2960 & 3750 switches and Fortinet firewall appliances. I plan to re-use these in the design.

Our current LAN is very flat and I want to segment the network. My plan is to create a number of VLANs, enable inter-VLAN routing on the 3750 and then attach the 3750 to the Fortinet appliance, which will provide stateful firewalling and traffic policing based on the VLAN (subnet) addresses. It is important that the traffic be routed as quickly as possible from this site to our prod and DR data centres. The 2960s act as the access layer, the 3750 as the distribution layer. The 2960s will connect via port channels (layer 2) to the 3750s and the VLAN interfaces will be configured on the 3750.

I was then planning on creating a VLAN on the 3750 to connect to the Fortigate appliance with a /29 address to limit the addresses used whilst also providing some flexibility for any future design changes. I want to implement a little security between the VLANs on the 3750 switches. I have a question about this coming up. I then plan to use the Fortigate appliance to do basic traffic policing based on source/destination addresses.

The WAN routers will connect to the Fortinet appliance on a Gigabit copper interface. The WAN routers will run HSRP between themselves and only one router will be active at any one time. The failover will be managed by the Fortigate and Cisco routers. I plan to define those addresses hosted at the other data centres and associate them with the interface associated with the WAN. I will then define the routing on the firewall for the two other data centres through summary routes for each of the sites. We will run static routing from the Cisco 3750 to the Fortigate and from the Fortigate to the WAN router. We have no other networks/sites and won't have any others in the future.

View 25 Replies View Related

Cisco WAN :: As 64512 - BGP Route Reflector Design

Sep 12, 2011

If I have five iBGP routers in AS 64512 and one of the iBGP routers has an eBGP peer to a different AS, which iBGP router (r1, r2, r4, r5, or r8) should I choose to be my route reflector and why? Also, what happens if the route reflector router fails? Do I designate a backup route reflector? I'm new to BGP.

View 4 Replies View Related

Cisco WAN :: VPN Design Solution In SRP527W U Units

Sep 8, 2011

I have a pair of SRP527W-U units, which each connect to a separate ISP by ADSL2+. I am attempting to use each simultaneously as follows: ISP-A via CiscoA for general traffic and to run HTTP server X; ISP-B via CiscoB to run HTTP server Y. HTTP servers X and Y are on one machine, but binding to two separate IP addresses, e.g. x.x.x.3 and x.x.x.4. In a situation like this, I would normally configure CiscoA and CiscoB with x.x.x.1 and x.x.x.2 respectively. CiscoA would run DMZ to x.x.x.3 and CiscoB DMZ to x.x.x.4. The server would use x.x.x.1 as the default route. Then I would set CiscoA to have a policy route catching source address x.x.x.4 and sending it to next-hop/gateway x.x.x..

View 5 Replies View Related

Cisco Switching/Routing :: 2921 - VTP Design

Jun 22, 2012

We have a remote office where we have a 2921 router with 6 layer 2 switches. We have a few servers which need to be in a specific VLAN.

The 2921 router does not have a switching engine; we are using this to support VoIP.

So on the 2921 router I created 6 subinterfaces for each VLAN and assigned them to their specific VLANs. Then I have a trunk connection to switch 1. Now switch 1 connects to all other switches in the network. As per our company design, all layer 2 switches should be in transparent mode. I tested them; I can ping from one switch to all other switches.

I set the router VTP mode to transparent, and from all switches I can ping the router subinterfaces.

View 4 Replies View Related

Cisco WAN :: Redundant Transit ISP Design With 7206NPE

May 29, 2013

We are a small transit ISP for other downlinks. We currently have a setup with a 7201 and a 7206NPE-G1 as core and edge routers, and we are also connected to an IXP. Downlinks are usually BGP-connected to one of the border routers, terminated via VLAN, thus a subinterface. IXPs are also connected via VLAN on the router.

What I don't like about this is that when one border goes down, the downlink will lose connectivity. Also, recently we started growing and getting more downlinks, so balancing between borders has become a problem. So my question is, how do I make the setup less fragile and more redundant?

View 1 Replies View Related

Cisco WAN :: 3750 / BGP Multihoming Design Topology

Apr 17, 2012

Currently we have a 50mb pipe with our carrier SONIC. We have signed another contract with another provider here in town (Charter) to multihome our Internet connections in an active/active configuration. We have leased our /24 space through our carrier SONIC. ARIN has already approved our org-ID for an ASN and they will be sending us that once the billing portion is finished.
 
There are a few design considerations I was hoping I could get some insight from the community on. Before I start, the ultimate goal is for us to use BOTH Internet connections in an active/active configuration, utilizing both pipes.

Disclaimer: I have gathered this design from a lot of other posts that have somewhat of a similar topology with ASA-->3750-->router pair-->CPE--internet...

What kind of routes should I get from each carrier? I have been told that partial/partial routes plus a default route from each carrier is the way to go. Also, I've heard mention that full routes from both carriers are preferred. My ASR1001s can support ~500k routes. I know the global table is approximately ~337k routes. My goal is to use both pipes and use the best outbound path per carrier.

We will be leasing our /24 space from SONIC. I plan on running OSPF on the DC-Edge-SW1 in conjunction with iBGP, so I can default originate two equal cost routes back to my ASA. My confusion is when the traffic hits DC-Edge-SW1, there will be default equal-cost iBGP routes to both ASR1001s (DC-Edge-RT1 & DC-Edge-RT2). If the switch does not have the BGP table, it will just load-share across both ASRs. When the traffic hits the ASRs, will they know which carrier has the best path and route accordingly?

Should the iBGP connection between both routers be directly connected? Or will it suffice through the L3 3750 connection? Also, with the limitations on the routes for the ASR1001 at ~500k: if we end up getting full routes from carriers and create an iBGP neighborship between both routers, will this exceed the route limitations on this platform? On both routes, I will have the network statement 'network 12.231.69.0 mask 255.255.255.0.' This is a leased network from SONIC, and we NAT everything on our ASA to 12.231.69.10. My question is, will this be a problem broadcasting this network from our AS to both carriers' AS? Refer to bgp-design.jpg: is it a requirement that I use our leased public subnet 12.231.69.0/24 for the interfaces from ASA5510 -> 3750 -> ASR1001?

View 15 Replies View Related

Cisco WAN :: Best Design For Simple Configuration 2901

Nov 20, 2011

I'm new to routing and Cisco in general. I'm inheriting a rather simple setup but would like to approach the next steps with a good strategy. Currently we have a 2901 router with public IPs on both interfaces. The internal-facing interface is our gateway for some webservers and a firewall. Now we are looking to add a colocation site and establish a site-to-site VPN using another 2901. My goal is to have the colocation use the same internal 10.100.0.0/23 network. My question is, what is the best way of going about this since the router at the main site has public IPs on both interfaces? Do I need to multi-home the internal-facing interface? If so, what else needs to be done?

View 1 Replies View Related

Design Network For Five Storey Buildings

Dec 26, 2011

How do I design a network with two buildings? Each building is a five-storey building. Building 1 has 200 computers and building 1 has 150 computers. Which topology and cabling should I use?

View 2 Replies View Related

Fiber Optic Network Design?

Jul 13, 2011

I am going to design a network for a university. I want a solution completely on Cisco.

View 2 Replies View Related

Cisco :: Network Design Task - None Of The Domains Will Be Able To Communicate With Each Other?

Mar 6, 2013

I've been tasked with designing a network consisting of 3 separate broadcast domains, with each one representing a separate business across 3 separate floors. None of the companies should be able to communicate with each other. I've been told that the design should only represent the first 3 layers of the OSI model, so I'm only looking at cabling, switching and routing.

I don't expect you all to tell me exactly how I should do this; however, I just need a starting point. My main issue is with routing. I'm aware that each port on a router represents a broadcast domain, so if I use one router and 3 broadcast domains, does that mean that none of the domains will be able to communicate with each other? Should I use more than one router or can I get away with one? Also, just so you are aware, I've been told not to use VLANs and each broadcast domain must have its own IP address schema.

View 19 Replies View Related

Cisco :: WLC 5508 LAP1262 Security Features Design

Dec 2, 2011

I am planning to get the following hardware: AIR-CT5508-50-K9 5508 Series Controller for up to 50 APs; AIR-LAP1262N-E-K9 802.11a/g/n Ctrlr-based AP; Ext Ant; E Reg Domain. During my design, I am considering getting the following security features. I don't have WCS and Mobility Services Engine (MSE). Managing access points at a remote/WAN office. wIPS configuration (without WCS and MSE). How will rogue APs be detected and prevented? Can automated prevention be implemented? Does wIPS (with WLC 5508) support detecting and preventing rogue APs? Is proxy redirection supported on the WLC so that the traffic from wireless clients will automatically be redirected to the proxy (without adding the proxy in the browsers of wireless clients)?

View 7 Replies View Related

Cisco WAN :: 2811 / Metro Ethernet Design Considerations?

Dec 9, 2010

I am planning on implementing a metro ethernet circuit to replace a more expensive circuit to connect my office and data center. This circuit will be configured by the provider in a 'transparent' manner, which will allow us to pass VLANs freely over the circuit without having to create a QinQ tunnel. This is a layer 2 only metro ethernet circuit. I am planning on connecting the office end to a 3750 (switch A) and the data center end to a 2960 (switch B). The data center end will have a couple of other 2960s hanging off of it for server connectivity (switches C & D). I plan to use a 2811 (router A) for layer 3 connectivity in the data center. Switch B will plug into router A, and switches C & D will plug into switch B using two port-channelled links. I can post a diagram if needed. I will use RPVST here and configure switch B as the root bridge. There are about 10 VLANs that I use between the office and data center. Router A is also used to connect to other environments such as staging and production, and also to the internet. I think this should be a straightforward configuration since it is mostly layer 2. Should switch B be the root bridge?

View 3 Replies View Related

Cisco Application Networking :: ACE 4700 One-arm Design With SSL Termination?

Sep 17, 2008

We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
 
1. Are there any limitations in the one-arm design and the SSL offloading?

2. Can the ACE be configured with an IN and an OUT VLAN to the router

CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan

so that the SSL and the clear text traffic are in separate VLANs?

3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This, I assume, is for instructing the return traffic from the server to go through the ACE? Using SNAT, we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?

View 4 Replies View Related

Cisco Firewall :: 5585 - Design ASA Connecting To Two Switches

Sep 15, 2011

ASA design. I have two Cisco ASA 5585s which are connecting to two Nexus 7Ks. I looked at one design and it seems I can make redundant interfaces on the ASA and put two physical interfaces (Link1-1/1-2) into it; however, the downside I can see is that it will utilize one link out of 4 at one time. As per my understanding, if I make a redundant interface on ASA 1 and put 1-1/1-2 into it, only one link would be active at one time. This will force Nexus2 to send all traffic to Nexus 1 in order to reach the ASA. Ideally I want a solution where both switches could send traffic straight to the active firewall and, in case of failure, both links to the standby firewall.

View 5 Replies View Related

Cisco Switching/Routing :: 6500 - HSRP Design And VSS

Apr 17, 2012

Is it possible to run HSRP on two routers (not L3 switches) connected to an L2 switch? If so, do the two routers need a back-to-back connection?

I know if we use two L3 switches (instead of routers) and connect to a LAN switch, then we need a back-to-back connection between the L3 switches.

Also, can we use HSRP on VSS on the 6500?

Design:
 
 
1800 router                                       1800 ROuter
     |                                                        |
     |                                                        |
     |---------- L2 switch-------------------------------|
 
If the above design is acceptable, how do the routers know which one is active and which one is standby? If we need a direct connection between the two routers, they have to be on a separate subnet, and routers don't allow broadcasts, so how will HSRP work on routers?
 
L3 switch --------------------------l3 switch
   |                                            |
   |                                            |
   |---------------L2 switch---------------|

View 8 Replies View Related

Cisco WAN :: 3845 Best Design And Configuration To Utilize 3 Links

Apr 12, 2012

I have two Cisco 3845 routers connected to 3 different ISPs:

- ISP 1 with link bandwidth of 24 Mbps

- ISP 2 with link bandwidth of 16 Mbps

- ISP 3 with link bandwidth of 8 Mbps

I have a public AS from RIPE along with 2 Class Address (Public independent).

1) What is the best design and configuration to utilize the 3 links, outbound and inbound (since we have our public address along with the AS)? My boss told me all these 3 links must be active.

2) What is the recommended design and configuration for the whole topology? Please share the best gotchas.

3) What is the need for iBGP? Why do we need it when we run BGP?

View 10 Replies View Related

Cisco WAN :: 3560 Internet Edge Design On Metro E

Apr 15, 2012

I recently ran into some problems concerning the use of a Cisco layer 3 switch (3560) as an Internet edge device to perform a simple static route between the customers network and the ISP POP router.  Although this device can perform the routing at the edge for Internet traffic, I am concerned that this device has limitations when it comes to functions such as traffic shaping to the subscribed bandwidth of the Metro Ethernet access to the Internet.  Since the 3560 could not conform to the 20 Mbps of subscribed bandwidth, any traffic beyond 20 Mbps was dropped causing performance issues with applications that use TCP.  I am trying to find design documents or white papers that would either support or not support using a layer 3 switch as an Internet perimeter device instead of a router.  I would like to know if Cisco has a specific perspective on this subject and whether or not they would ever recommend actually using a layer 3 switch model that is a 37XX or below?

View 3 Replies View Related

Cisco Switching/Routing :: 2960S / LAN Design Using 10G EtherChannels?

May 11, 2011

We are designing a LAN network for ourselves. The proposed design is as follows:

4 x 2960S switches in a stack: Access-Stack-I
4 x 2960S-PoE switches in a second stack: Access-Stack-II

2 x 3750X switches in a stack: Core-Stack

Now I would like to connect it in the following manner. First, I would like to use EtherChannel using the 10Gig links. Second, I would like to use Cross-Stack EtherChannel too. I have given a graphical illustration of the connectivity. Now my questions: a) Will the 2960S support EtherChannel using the 10G links, and the 3750X too? b) Will the proposed solution work, or will it have any problems?

View 4 Replies View Related

Cisco VPN :: ASA 5520 - IPSec Remote Access VPN Design

Mar 7, 2011

Are there any documents that I can use to design an IPsec remote access solution using 2 data centers? One data center is primary and the other one is secondary. The VPN is terminated on an ASA 5520. End users are using the Cisco client.

View 6 Replies View Related

Cisco Firewall :: ASA5515X Fail Over Design Options

Feb 11, 2013

The client has a 5515X, two ISP connections and a 2911 router to use for the ISP connections. The 2911 as configured only has three ports. They NAT a lot of stuff to public IPs. What are my options for designing ISP failover?

View 2 Replies View Related

Cisco Switching/Routing :: 4507 - New Media Net QoS Design

Aug 25, 2012

QoS design problem that I have. I have a client that is deploying new 4507 series switches with SUP6Es. The client will be running lots of voice, streaming video, and video conferencing over the LAN and want to base QoS on Cisco Media net recommendations.
 
I need to design a new QoS policy with focus on the above media services with basic queuing for critical data services. I have read the Media net design guide and the suggested 12-class model will be too complex to start with but I have seen references to start with a 8-class model with the ability to easily migrate to 12-class in the future. The 8-class model meets all of our requirements but I need to understand how this will work with the 4507 queuing model? [URL]

View 1 Replies View Related

Cisco Switching/Routing :: LAN Segmentation Design 6509

Apr 25, 2012

I've been tasked to come up with a design to segment our internal network to reduce broadcast domain size. In addition, we are running out of available DHCP addresses. I need to have a solution that will give me more available IPs, but reduce our broadcast domain.

We are a Cisco VoIP shop. Our current environment consists of dual 6509 chassis in a VSS config. We have 10 access switches that are model 3750s. Each 3750 has dual 1Gb fiber links to the VSS Core in an EtherChannel configuration. We have 2 VLANs (data and voice) that spread throughout every switch. Both VLANs have their own DHCP scope.
 
Our current broadcast domain is a 255.255.248.0, so we have over 2000 potential broadcast devices.  Cisco recommends not having larger than 512.  So my research has brought me to a design as follows:
 
          MY DESIGN:
>  Have individual voice and data VLANs for each closet switch. 
>  We have 10 closet switches so this would require 20 new vlans
>  With every separate VLAN we would need a different DHCP scope. 
>  Configure 20 new DHCP scopes for the 20 new VLANs. 
>  Each DHCP scope would have 512 available addresses.
>  Enable IP Routing and configure EIGRP on the VSS Core and 3750s.
>  I'm tossing around the idea of having each 3750 be an EIGRP Stub.  Not sure yet.
 
          QUESTIONS:
1.  How to verify what I described in my design? 
2.  Any alternative solution that might be less complicated than configuring Layer 3 on all my access switches? 
3.  Any thoughts on configuring EIGRP Stub vs. having the VSS Core do all the work?
4.  Any template that I could base my 3750 config from?

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Subinterfaces Design Scenario

Mar 31, 2011

I currently have an ASA 5520 in production without using subinterfaces. I have connected an interface on the ASA to a 4507; the 4507 contains SVIs which perform the routing for our internal network. I have another ASA 5520 and I am playing around with a few new design scenarios. The problem I am currently having is with subinterfaces on the inside of the network. I understand the subinterfaces on the outside network; I am using subinterfaces on the outside for dual homing ISPs.
 
I don't understand the multiple subinterfaces on the inside, for some reason I can't wrap my mind around using them. I have created a few and trunked a port from my 3560X to the ASA interface. Here is my design.

ASA 5520 Config(I realize that this isn't how it would look in CLI, I just don't remember all of the commands)
interface Gi 0/1
nameif Physical Interface
no ip address
 
interface Gi 0/1.10
nameif Prod_USERS
ip address 172.16.10.1 255.255.255.0
security-level 100
 
interface Gi 0/1.20
nameif Users
ip address 10.10.16.1 255.255.255.0
security-level 100
 
Alright, so in this scenario I would have a trunk port from my 3560X connected to interface Gi 0/1 on the ASA. On the 3560X I would create the two VLANs (vlan 10 and vlan 20); I also created an SVI on the 3560X as follows.
 
3560X config
interface VLAN 10
description PROD_USERS
ip address 172.16.10.2 255.255.255.0
no shut
 
interface VLAN 20
description USER-NET
ip address 10.10.16.2 255.255.255.0
no shut
 
Now I create a default route on the 3560X as follows, "ip route 0.0.0.0 0.0.0.0 172.16.10.1". By doing this, I can only route my 172.16.10.0 network out to the internet, not the 10.10.16.0 network? I have to remove the default route above and add ip route 0.0.0.0 0.0.0.0 10.10.16.0 for clients on that network to browse out to the web.
 
So I am obviously missing something crucial here and I just can't wrap my head around this design scenario for some reason. the topology necessary for this configuration to function correctly and how I can get both of my VLANs to function properly. I would like for the 3560X to route traffic internally until traffic needs to browse into the DMZ or out to the web, and at such time it should then use the firewall.

View 5 Replies View Related






