I want to redesign my company network

junaid haroon
Level 1

Hi

Currently we have 180 users in my company head office, and we have three branch offices on VPN.

My current network design for the head office is as follows:

ISP --> Router --> PIX firewall --> Internal network (1 VLAN)

I want to divide my internal network into multiple VLANs. Please suggest a good guide on how I can make multiple VLANs and terminate these on my PIX firewall.

5 Replies

Tim Smith
Level 4

Hi,

This is a pretty open question.

First questions would be around what you are trying to achieve (some sort of security or segmentation, for example).

Anyway, here is a pretty simplistic overview.

Let's say you want to introduce 2 new VLANs and subnets, data and voice for example.

A pretty standard approach here would be to introduce a layer 3 switch into the internal network behind the PIX. (Of course there are other ways too)

This device could be configured to both segment the network at layer 2 and then provide the layer 3 routing (inter-VLAN routing) between those networks. For a small network something like a 3750 switch could perform this function.

Very rough example of a 3750-style config:

! Create the layer 2 vlan's
vlan 101
 name Data101
!
vlan 102
 name Voice102
!
! Enable IP routing
ip routing
!
! Create the layer 3 vlan SVI's / interfaces
! (each SVI needs a host address such as .1; IOS rejects the .0 network address)
interface vlan 101
 description *** Data VLAN 101 ***
 ip address 10.1.101.1 255.255.255.0
!
interface vlan 102
 description *** Voice VLAN 102 ***
 ip address 10.1.102.1 255.255.255.0
!
! Create default route to pix (PIX inside interface sits in the data VLAN at .254)
ip route 0.0.0.0 0.0.0.0 10.1.101.254
!
! Assign switch ports to be in the various vlans
int g1/0/1
 description *** PC on data vlan ***
 switchport mode access
 switchport access vlan 101
!
int g1/0/2
 description *** Phone on voice vlan ***
 switchport mode access
 switchport access vlan 102
!
int g1/0/3
 description *** PC and Phone - using say a Cisco phone that supports 802.1q ***
 switchport mode access
 switchport access vlan 101
 switchport voice vlan 102

Your VPN tunnels may also need to be updated to ensure that the remote sites will encrypt traffic to all of the new subnets on your internal network, i.e. typically updating ACLs; e.g. a summary of 10.1.0.0/16 could cover everything behind the PIX. You may need to update the route on the PIX as well.

By no means definitive, but maybe it gives you a basic idea.

Cheers,

Tim
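The PIX-side companion to the layer 3 switch design above, as an added example that is not part of Tim's post or any Cisco document: only the lines that change when new VLANs appear behind the switch are shown, and it assumes PIX OS 7.x (ASA-style) syntax, a branch LAN of 192.168.1.0/24, a peer address of 203.0.113.10 and the names OUTSIDE_MAP, ESP-AES-SHA, VPN_BRANCH1 and NO_NAT, all of which are constructed for this example. ISAKMP policy and the tunnel-group with its pre-shared key are assumed to already exist.

```cisco
! --- PIX side (assumed PIX OS 7.x / ASA-style syntax; all values are example values) ---
! Inside interface lives in the Data VLAN and is the 3750's default gateway
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.101.254 255.255.255.0
!
! Return route: the whole 10.1.0.0/16 summary is reached via the 3750 SVI.
! 10.1.101.0/24 itself is directly connected and takes precedence over this route.
route inside 10.1.0.0 255.255.0.0 10.1.101.1 1
!
! Crypto ACL for the branch 1 tunnel uses the /16 summary, so a new VLAN such as
! 10.1.103.0/24 is encrypted without touching the tunnel definition.
! The branch side must mirror this ACL (192.168.1.0/24 -> 10.1.0.0/16) or the
! proposals will not match and the new subnet will fail to come up.
access-list VPN_BRANCH1 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
!
! Exempt tunnel traffic from NAT with the same summary, otherwise hosts in the
! new VLAN get translated and never match the crypto ACL
access-list NO_NAT extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_BRANCH1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

After applying, `show crypto ipsec sa` on either side should list the /16 as the local or remote identity rather than individual /24s.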

Hi Smith,

Actually I want to create VLANs for my internal network. How do I create these VLANs on the PIX firewall? Can you please send me any helpful link regarding VLANs on the PIX firewall.

Junaid,

So if you are trying to design a new network and you're trying to create some VLANs, I would look at it as a tiered approach. So in a tiered approach your Tier 1 are your public facing zones, Tier 2 are your application servers, Tier 3 are your database servers, and Tier 4 would be your back end user systems.

If you want to create a DMZ on your firewall you can create a Layer 2 VLAN only on your switch, and assign your firewall's DMZ interface to the switch on this new layer 2 VLAN (let's say VLAN 100 for example). Now any device you want in this DMZ, assign it to VLAN 100 and these devices are now routed through the firewall. The layer 2 VLAN keeps them all in the same network, but the routing exists on the firewall. Now you can create a management VLAN that will be used for your inside interface on the firewall (let's say VLAN 999) as well as all your other networking devices.

Your Tier 2 devices you can number in any manner, but using something say in the 200s would signify these are Tier 2 zones. You can use these for your application servers, jump servers, SNMP management servers, etc. Follow this pattern for each of your zones.

As for the WAN network, it was stated above and I second that your VPN solution would probably be better if you used a DMVPN design on your WAN. This would scale better, provide good security, and allow for better management and implementation of your new remote offices.

I am not sure of any single document that I could reference to put all this in place. Most of designing a network comes from a compilation of different documents, corporate policies, architecture standards, and life lessons. If you want a few documents though here are the ones I would recommend:

DMVPN Document:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html

VLAN Security Best Practices:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

-Toby

Please don't forget to rate any helpful post.

_____________________________________
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan


Just to add to the nice post from Mr Tim:

It is recommended (but not a must) to have the router facing the Internet/WAN for many reasons, such as better QoS capabilities and support for routing if required, with GRE for example; also, in the future you could consider DMVPN to simplify the VPN for remote sites, which makes it more scalable.

From the LAN side, if you want to have firewalling between the VLANs, then you can have an L2 switch with the desired VLANs and configure the firewall to do the inter-VLAN routing and firewall the traffic between these VLANs.

If no firewalling between the VLANs is needed, then just use the approach suggested by Tim above.

Tim, good to see you in CSC.

HTH
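The firewall-routed variant Marwan describes, and the one the original question asked for, as an added example that is not from this thread or from Cisco: an L2 switch trunks the VLANs to the PIX, which terminates each VLAN on an 802.1Q subinterface and filters between them. It assumes PIX OS 7.x (ASA-style) subinterface syntax, uplink port Gi1/0/24, a third "servers" VLAN 200 following Toby's tiering, VLAN 999 as an unused native VLAN, and the ACL name DATA_IN; all of these are constructed for the example.

```cisco
! --- L2 switch side (IOS; Gi1/0/24 is the assumed uplink to the PIX) ---
vlan 101
 name Data101
vlan 102
 name Voice102
vlan 200
 name AppServers200
!
interface GigabitEthernet1/0/24
 description *** 802.1Q trunk to PIX inside port ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,200
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
! --- PIX side (assumed PIX OS 7.x / ASA-style syntax) ---
! The physical port only carries the trunk; each VLAN is its own firewall zone
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.101
 vlan 101
 nameif data
 security-level 100
 ip address 10.1.101.254 255.255.255.0
!
interface Ethernet1.102
 vlan 102
 nameif voice
 security-level 90
 ip address 10.1.102.254 255.255.255.0
!
interface Ethernet1.200
 vlan 200
 nameif servers
 security-level 80
 ip address 10.1.200.254 255.255.255.0
!
! Without an ACL, data (100) could reach voice (90) and servers (80) freely, since
! higher-to-lower security traffic is allowed by default. Restrict it explicitly:
! HTTPS to the servers only, no access to the voice VLAN, Internet still allowed.
access-list DATA_IN extended permit tcp 10.1.101.0 255.255.255.0 10.1.200.0 255.255.255.0 eq 443
access-list DATA_IN extended deny ip any 10.1.200.0 255.255.255.0 log
access-list DATA_IN extended deny ip any 10.1.102.0 255.255.255.0 log
access-list DATA_IN extended permit ip 10.1.101.0 255.255.255.0 any
access-group DATA_IN in interface data
```

Hosts in each VLAN use the PIX subinterface address (.254) as their default gateway; the logged denies are what a later "why can't the PCs reach X" question will be answered from.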

Hey Marwan!

Good to hear from you mate. I'll ping you on LinkedIn to see what you're up to these days!

Cheers,

Tim.