design solutions

kapydan88
Level 4

Hello for everybody.

 

Can anyone recommend good design recommendations/best practices for the following scheme? We have one site with an L3 core switch, one router (for GRE tunnels from other sites only, NAT implemented on the ASA) and an ASA for NAT+DMZ.

I will be grateful for links to exact articles and guides.

4 Replies

balaji.bandi
Hall of Fame

Maybe your question is not clear to me; can you elaborate more and give what design you are looking for?

What is the existing one? What would you like to achieve, upgrading the infrastructure or adding to it?

 

You can look at Cisco validated designs:

 

https://www.cisco.com/c/en/us/solutions/design-zone/cisco-validated-profiles.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, of course. Now we are looking at two possible schemes for this solution.

First - without any redundancy/HA. One router, one core switch and one ASA (which we want to use for all services - NAT, DMZ, AnyConnect).

Second - with redundancy/HA. Only one router, two switches in VSS/stack and two ASAs in HA active/standby (unfortunately we have only one router).

The router is used for tunnels from other sites; it has two interfaces - external and internal. The ASA is for all services (NAT, DMZ, AnyConnect VPN), one port for each service (external IP for NAT, internal IP for NAT, DMZ, external IP for VPN, internal IP for VPN).

The switch is used as an L3 switch - with SVIs and routing.

I mean recommendations for this network... I know that it's a slightly wrong decision, but this is the data...

 

Now it seems to make sense here what your approach is.

 

1. Do you have local access switches for your LAN? Are these other network switches or the same 9500?

2. I always suggest that the WAN switch should be Layer 2, with no other internal network connected to those switches.

3. Make sure most of the traffic that goes outside goes via the ASA - so your network is protected.

4. What kind of VPN between branch or remote locations? Internet or p2p circuits?

5. If they are using the internet and connected to your router, then bring the router inside the ASA, so the ASA has all protection.

 

This is my high-level suggestion based on the information provided; you have given a physical connectivity diagram.

With the above suggestion, make a high-level logical diagram so you understand it better, with the traffic flows.

BB


1. Do you have local access switches for your LAN? Are these other network switches or the same 9500?

No, there aren't any LAN switches in this site, it is one of the DCs - only one or two Cat9500, one or two ASAs and one ISR 4431. All should be connected to the Cat9500. Now we plan to use a stack of two switches and two ASAs in HA.

 

2. I always suggest that the WAN switch should be Layer 2, with no other internal network connected to those switches.

Not for this site, because it's a DC.

 

3. Make sure most of the traffic that goes outside goes via the ASA - so your network is protected.

Ok. There is 

 

4. What kind of VPN between branch or remote locations? Internet or p2p circuits?

GRE tunnels between the ISR 4431 and remote routers (ISR 2900/2800).

 

5. If they are using the internet and connected to your router, then bring the router inside the ASA, so the ASA has all protection.

We plan to use VRFs for this purpose - the internal interface and the tunnel are located in a different VRF, the external interface - without a VRF.
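As an added illustration of the VRF split described in this last reply (this is not the poster's configuration, and every interface name, VRF name and address is a constructed placeholder): the ISR's inside interface and the GRE tunnel are placed in one VRF while the outside interface stays in the global table, so decapsulated remote-site traffic can only be forwarded toward the core switch and the ASA, and the router's global table has no route to the inside networks.

```ios
! Constructed example, IOS-XE style. Names and addresses are placeholders.
vrf definition INSIDE
 address-family ipv4
 exit-address-family
!
! Outside interface stays in the global routing table.
! Only GRE from the known remote peer is accepted on it.
ip access-list extended OUTSIDE-IN
 permit gre host 198.51.100.10 host 203.0.113.2
 deny ip any any log
!
interface GigabitEthernet0/0/0
 description external (global table)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip proxy-arp
!
! Inside interface toward the Cat9500 core lives in VRF INSIDE.
interface GigabitEthernet0/0/1
 description internal, towards core switch (VRF INSIDE)
 vrf forwarding INSIDE
 ip address 10.0.0.1 255.255.255.252
!
! Tunnel payload lands in VRF INSIDE; without "tunnel vrf" the
! source/destination lookup for the outer packet uses the global table.
interface Tunnel1
 description GRE to remote ISR (inner traffic in VRF INSIDE)
 vrf forwarding INSIDE
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
! Global table: only the path to the tunnel peer. No inside routes here,
! so nothing arriving on the outside interface can be routed inward.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! VRF INSIDE: remote-site prefix via the tunnel, everything else to the
! core switch, which hands internet-bound traffic to the ASA.
ip route vrf INSIDE 10.20.0.0 255.255.0.0 Tunnel1
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.0.0.2
```

Verify the split with `show ip route` (global should hold only the default) and `show ip route vrf INSIDE`; a ping sourced from the outside interface to an inside address should fail because the global table has no such route.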
