Required suggestion on designing my enterprise network

vigneshg
Level 1

Hi Networkers,

I would like to get some suggestion on designing my enterprise network.

I will explain the current design and my requirements.

We have a 3-tier architecture with a core layer (Cisco 3650 stack, 2 devices), a distribution layer (Cisco 4500, 2 switches in VSS), and an access layer (Aruba L2 switches connecting the end users: PCs, printers, servers).

Above the core layer, we have a couple of FortiGate firewalls. All the end users have the firewall's internal IP as their default gateway. As of now, we do not have any VLANs configured.

The project is to have VLAN segmentation for different departments. My questions are:

Should I be creating SVIs in the core layer or on the firewall, given that the end users' default gateway is configured as the firewall's internal IP?

If I create SVIs on the core switch, do I need to configure HSRP/VRRP? Will there be a major design change?

Is it OK to create SVIs on the firewall and extend the broadcast domain to the firewall?

Your inputs are highly appreciated.


ammahend
VIP

Usually it's a good idea to contain the broadcast domain at the distribution layer, if not at the access layer itself.

Additionally, use RADIUS to do role-based dynamic VLAN assignment; this would be a good way to segment users based on role.

-hope this helps-
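As an added illustration of the RADIUS-driven dynamic VLAN assignment suggested in this reply (this is example configuration written for this thread, not the poster's or Cisco's own), the switch sends an 802.1X authentication request and the RADIUS server returns the standard RFC 3580 tunnel attributes that tell the switch which VLAN to place the port in. The FreeRADIUS `users` file entry, the VLAN numbers, the server address and the shared secret are all constructed assumptions; the switch side is shown in Cisco IOS syntax as an assumption, since the original poster's Aruba access switches would use their own equivalent commands. Note that the user's role is decided centrally, so the access port itself carries only a constructed quarantine VLAN (999) until authentication succeeds.

```text
# ---- RADIUS server side (FreeRADIUS "users" file, constructed example) ----
# A finance user is placed in VLAN 20; an engineering user in VLAN 30.
# Tunnel-Type VLAN (13) and Tunnel-Medium-Type IEEE-802 (6) are the
# RFC 3580 values; Tunnel-Private-Group-Id carries the VLAN ID.
alice   Cleartext-Password := "example-only-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

bob     Cleartext-Password := "example-only-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

! ---- Access switch side (Cisco IOS syntax, assumed) ----
! Point the switch at the RADIUS server and let RADIUS authorize the VLAN.
aaa new-model
radius server NAC-RADIUS
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! User-facing port: parked in a constructed quarantine VLAN until the
! RADIUS reply moves it into the role VLAN (20 or 30 above).
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 999
 authentication port-control auto
 dot1x pae authenticator
```

The design point this demonstrates: the VLAN that a port ends up in is not hard-coded per port but follows the authenticated identity, so a user who plugs into a different desk still lands in the correct department segment, and the hard-coded quarantine VLAN on the port should carry no route to the internal networks.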

balaji.bandi
Hall of Fame

Depends on what access layer switches you have and their licenses.

If they are basic Layer 2 switches, then the distribution layer is the point where you create SVI segmentation.

If your access layer switches have routing capabilities, I create local SVIs and restrict Layer 2 to the access switch; that is cleaner and makes it easier to troubleshoot issues segment-wise.

BB


I don't want to do segmentation on the distribution layer, as I would then have to take care of routing from distribution > core > firewall.

My question is whether to have it on the core or on the firewall without many changes to the existing design, since all end-user traffic is pointed at the firewall as the default gateway.


Joseph W. Doherty
Hall of Fame

What specific 4500s, 3650s?

From what you describe, 2 layers (access, distro/core) should be fine.

Define SVIs on the collapsed core. Do NOT extend any VLAN across multiple trunks.

With your hardware, you shouldn't need a FHRP.

Route between FWs and collapsed core.
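The following is an added worked example of the design described in this reply (SVIs on the collapsed core, a routed link to the firewalls, no FHRP because the stack/VSS is a single logical device); it is example configuration written for this thread, not the poster's or Cisco's own. The VLAN IDs, the 10.10.x.0/24 department subnets, the 10.0.0.0/30 transit link, the DHCP server address and the interface names are all constructed assumptions. The security-relevant caveat it makes explicit: once the SVIs live on the core, traffic between departments is routed by the core and never reaches the FortiGate, so inter-VLAN policy has to be enforced on the SVIs themselves (here with a simple ACL), and the firewall needs return routes for the department subnets pointing at the core's transit address.

```text
! ---- Collapsed core (3650 stack / 4500 VSS), Cisco IOS syntax, constructed example ----
ip routing
!
vlan 10
 name Finance
vlan 20
 name Engineering
vlan 30
 name Servers
!
! One SVI per department. Because the stack/VSS is one logical switch,
! a single SVI address is the gateway; no HSRP/VRRP pair is required.
interface Vlan10
 description Finance users
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.30.10      ! constructed DHCP server in the Servers VLAN
 ip access-group DEPT-SEGMENTATION in
!
interface Vlan20
 description Engineering users
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.30.10
 ip access-group DEPT-SEGMENTATION in
!
interface Vlan30
 description Servers
 ip address 10.10.30.1 255.255.255.0
!
! Inter-department traffic is routed here, not at the firewall, so the
! segmentation policy must be applied on the SVIs. Departments may reach
! the Servers VLAN and the outside world, but not each other.
ip access-list extended DEPT-SEGMENTATION
 permit ip any 10.10.30.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
! Routed (not switched) link towards the FortiGate pair, so no user VLAN
! is extended to the firewall and the broadcast domain stops at the core.
interface Port-channel1
 description Transit to FortiGate
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Default route to the firewall's transit address; the firewall in turn
! needs static routes for 10.10.0.0/16 (constructed) via 10.0.0.2.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Downlink to an access switch: a trunk carrying only the VLANs that
! switch actually needs (keeps each VLAN confined to one trunk).
interface GigabitEthernet1/0/24
 description Downlink to Aruba access switch, floor 1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

Two practical notes follow from this layout. First, the end users' default gateway changes from the firewall's internal IP to the SVI address of their VLAN, which is why DHCP is relayed from the SVI with `ip helper-address`; the DHCP scopes must hand out the new gateway. Second, the `permit ip any any` at the end of the ACL is deliberately permissive to keep the example readable; in production the rule set should be narrowed to the flows each department actually needs, since the core, not the firewall, is now the enforcement point for east-west traffic.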
