05-22-2012 04:52 AM - edited 03-03-2019 06:35 AM
Hello
I have been told to set up a network with proper security and QoS. The setup includes:
Head Office with 200 users
25 Branch offices connecting to HO with local telecom MPLS Cloud
20 International Branches connecting to HO over VPN
Video Conferencing with good Quality
Ensure having Redundant Internet link < 2 Internet Provider >
Decent Internet surfing speed with restriction to social networking sites
Hosting services at HO
National Branch office should get IP address from HO
International Branch Office should contain
Available devices in HO
4507 series L3 Switch with 24 port SFP module + 48port 10/100/100 Ethernet module
3845 series Router X 2
2960 switches X 10
ASA 5520
What more hardware would we need, and how do we terminate both Internet links? Also, the placement of the MPLS router and VPN device on the network.
cheers
Steve
05-22-2012 03:27 PM
25 Branch offices connecting to HO with local telecom MPLS Cloud
20 International Branches connecting to HO over VPN
What is the bandwidth of the HO?
Will the 4507 be sufficient as backbone switch?
Depends on what's connected to the switch? What are the uplinks?
05-23-2012 01:26 PM
I would recommend having two ASAs for active/passive failover. Use the 3845 routers to peer with remote offices over MPLS. Use BGP for this.
Run an internal routing protocol (EIGRP) between 4507 and ASAs. 4507 is the CORE. If possible, use a second 4507 as redundant CORE.
Use the 2960s as Access switches. If possible, stack them. Run port-channel up to the CORE from these Access switches.
As far as the International offices are concerned, you can terminate the VPN on the routers (3845) or use the outside interface on the ASA (which is not what I would do). The ASAs running failover would share the active outside IP address, which would be the peer for the VPN tunnel. In case of a failover, switching between ASA roles would cause a timeout and break the VPN tunnel. Hence terminate on 3845s.
HTH
05-24-2012 12:28 AM
Hello leolaohoo
2. planning to connect Servers, switches, routers to 4507
Hello Oka
thank you for kind feedback.
Not clear whether to run DHCP on the router or a Windows Server.
Can national branch offices get IP from a central DHCP server (HO)?
Can you advise on a tool for monitoring network devices, alerting on config changes, and auto config backup weekly or on config change?
Tool to get all logs for passed or failed attempts accessing network devices
05-24-2012 04:14 AM
13MB Internet bandwidth in HO. Do we need to buy additional hardware to guarantee dedicated bandwidth for different services? Not sure if QoS can guarantee bandwidth incoming / outgoing.
3845 can push 13 Mbps of traffic without breaking a sweat.
planning to connect Servers, switches, routers to 4507
Ok, so I presume you're going to be using 1 Gbps or 10 Gbps? I wouldn't recommend plain 4507. Look at 4507R+E and Sup7E (not Sup7LE).
05-24-2012 11:08 PM
1. Tool to get all logs for passed or failed attempts accessing network devices
---------
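For example, Kiwi Syslog installed on a PC with address a.b.c.d.
On each Cisco network device:
en
conf t
! number the syslog messages sent to the server
logging message-counter syslog
! keep a local copy in a 100000-byte buffer, all severities
logging buffered 100000
logging buffered debugging
! send syslog to the Kiwi host
logging a.b.c.d
! log every source address that matches the VTY access-class
access-list 23 permit any log
...
line vty 0 4
access-class 23 in
...
wr
So each telnet attempt will be logged in syslog.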
2. Can you advise on tool for Monitoring network devices,
------
try mrtg
3. alert on config changes, auto config backup weekly or on config change.
---
Cisco ACS
Don't forget to rate the post.
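Added example, not part of the post above: a small Python parser for the syslog lines that the `log` keyword on `access-list 23` produces (`%SEC-6-IPACCESSLOGS`), tallying packets per source address and listing sources outside a management allow-list. These entries record the source and the permit/deny result of each ACL match on the VTY lines. The sample lines, the documentation-range addresses and the allow-list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses), in the form IOS emits
# for a standard ACL entry with the "log" keyword.
SAMPLE_LOG = """\
May 24 23:10:01 10.0.0.1 45: %SEC-6-IPACCESSLOGS: list 23 permitted 192.0.2.10 1 packet
May 24 23:10:07 10.0.0.1 46: %SEC-6-IPACCESSLOGS: list 23 permitted 198.51.100.7 1 packet
May 24 23:15:07 10.0.0.1 47: %SEC-6-IPACCESSLOGS: list 23 permitted 198.51.100.7 14 packets
May 24 23:15:30 10.0.0.2 12: %SEC-6-IPACCESSLOGS: list 23 permitted 198.51.100.7 9 packets
May 24 23:16:00 10.0.0.1 48: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
May 24 23:17:00 10.0.0.1 49: %SEC-6-IPACCESSLOGS: list 10 denied 203.0.113.5 3 packets
"""

# IOS aggregates repeat hits, so one line can stand for many packets.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)


def vty_hits(log_text, acl="23"):
    """Return Counter {source_ip: packets} for hits on the VTY access-class ACL."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if m and m.group("acl") == acl:  # ignore other ACLs and other messages
            hits[m.group("src")] += int(m.group("count"))
    return hits


def unexpected_sources(hits, allowed, threshold=1):
    """Sources outside the management allow-list with at least `threshold` packets."""
    return sorted(ip for ip, n in hits.items() if ip not in allowed and n >= threshold)


if __name__ == "__main__":
    hits = vty_hits(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:15} {n:4} packets matched ACL 23")
    # Hypothetical allow-list: the one admin workstation in the sample.
    print("not on allow-list:", unexpected_sources(hits, allowed={"192.0.2.10"}))
```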
05-25-2012 05:32 AM
Hello leolaohoo - thanks for sharing your experience. What is the difference between SUP 7E and SUP 7LE?
Can you elaborate more on QoS?
Hello ttemirgaliyev - For Kiwi syslog, is any specific setup needed, or just follow the installation guide? Kiwi syslog is freeware, I assume. Will the configuration you posted display all failed and passed attempts only, or more information?
05-27-2012 07:52 PM
1. For Kiwi syslog any specific setup is needed or follow the installation guide.
Follow the installation guide.
2. Kiwi syslog is freeware I assume.
There is a freeware Kiwi syslog and a non-freeware one too.
3. The configuration you posted will display all failed and passed only or more information.
All attempts.
Don't forget to rate the post.
05-29-2012 03:12 PM
Hello leolaohoo - thanks for sharing your experience. What is the difference between SUP 7E and SUP 7LE?
Can you elaborate more on QoS?
I haven't used the Sup7LE but all I can determine is that the Sup7LE is the "dumbed-down" version of the Sup7E. The "L" stands for LITE. The Sup7LE has a lower switching throughput, for example.
Check out the comparison table between the two supervisor cards from here. Click the "Supervisor" tab.
05-29-2012 10:49 AM
Not clear whether to run DHCP on the router or a Windows Server.
Can national branch offices get IP from a central DHCP server (HO)?
Can you advise on a tool for monitoring network devices, alerting on config changes, and auto config backup weekly or on config change?
Tool to get all logs for passed or failed attempts accessing network devices
It is recommended you run DHCP on a Windows server or a Linux host. The reason being less CPU utilization on a Cisco device if your lease time is less and you have a lot of DHCP clients. The other reason is DHCP would have to rely on the network performance. If you lose a certain link that goes up to your DHCP server (Cisco device), your clients would not be able to reach out to the DHCP server (no DHCP ACK).
Yes, remote offices can get DHCP from a Head Office but again, it is not recommended to have DHCP go over WAN.
Use SolarWinds Orion as a netmon tool.
Like others have suggested, use Kiwi log.