I-TECH
Beginner

BEST PRACTICE FOR VOICE & DATA NETWORK

Good Afternoon Everyone-

I'm hoping to get some insight on the following...

What is the best practice setup and configuration for a VOICE & DATA NETWORK with VLANS with the below network devices…?

 

1- CISCO ASA 5520 || SECURITY FIREWALL AND ROUTING

2 - CISCO 1921 ROUTERS || ROUTING

4- CISCO SG300 SWITCHES 24 PORTS

ROUTERS:

1 FOR DATA NETWORK (NET=100.1 INT-GIG 0/1 VLAN=100 || INT GIG 0/0 BACK-BONE)

AND

1 FOR VOICE NETWORK (NET-200.1 INT GIG 0/1 VLAN=200 100 || INT GIG 0/0 BACK-BONE)




SWITCHES:

4- CISCO SG300 SWITCHES 24 PORTS

1 FOR VOICE NETWORK NET=200 CONNECTIONS

1 FOR DATA NETWORK NET=100 CONNECTIONS

1 FOR BACKBONE 10.10 CONNECTIONS INCOMING FROM ASA FIREWALL & BOTH ROUTER DEVICES INT GIG 0/0

1 FOR IP SECURITY CAMERAS

ALL WORKSTATIONS ARE CONNECTED TO IP PHONES


Thanks in advance for your assistance...


Richard Burts
Hall of Fame Guru

You ask some very open ended questions. I am not clear where to start and really what kind of things you are looking for.

- is it looking for suggestions about security of your network devices?

* will you permit remote access for administration? or will you want to restrict it to local console access?

* if remote access is allowed should you restrict it to SSH? or permit telnet also?

* when someone accesses a network device how will you authenticate them? Do you have an authentication server (Radius, tacacs, etc)?

- is it looking for suggestions about management of your network devices?

* will you want a process to check the logs of the devices for indications of issues? If so how will you access the logs? directly on each device? do you have a server available to which the devices could send their log messages? what kind of messages are significant and you should pay particular attention to them?

* will you want a process to check the version of code your network devices are running and evaluate whether a new version of code is available, and if so whether it would be beneficial to upgrade the code?

- is it looking for suggestions about the architecture of the network?

* you suggest an architecture with ASA providing outside access, with 2 routers providing services for voice and data, and switches providing access for data, for voice, and for cameras. That seems ok. But I wonder if a router for data and a separate router for voice provides much advantage as compared to a single router providing services for both.

* you suggest an architecture with a router for data and a router for voice. where do the cameras fit into this architecture?

* you suggest a switch for data, a switch for voice, and a switch for cameras. It seems to me that what you really want is a vlan for data, a vlan for voice, and a vlan for cameras. what advantage is there in having separate switches?

- is it looking for suggestions about layer 3 routing?

* the suggested architecture suggests that the switches operate as layer 2 switches, with any routing logic being implemented on the routers and the ASA.

* with vlans/subnets for data, for voice, for cameras, and perhaps for backbone, it would seem that the routers would have locally connected subnets and would not need any dynamic routing protocol. The routers would simply need static routes for any subnet hosted on the other router and a default route with the ASA as the next hop. The ASA would need static routes for the inside subnets and a default route. No need for dynamic routing on the ASA.

- pretty clearly the ASA needs to provide security for the inside networks. The default architecture of the ASA permits any traffic originated inside to go to outside and permits any response traffic to be forwarded to the inside source. And the ASA by default does not allow traffic originated from outside to be forwarded to inside. So that would seem to satisfy the requirement.

I am not sure what else you might be looking for. If you need more then please clarify what you are looking for.

HTH

Rick

Good Afternoon Richard

First and Foremost, thanks for the detailed response, very helpful...!

Your below info in BLUE is what I'm trying to implement:

- is it looking for suggestions about the architecture of the network?

* you suggest an architecture with ASA providing outside access, with 2 routers providing services for voice and data, and switches providing access for data, for voice, and for cameras. That seems ok. But I wonder if a router for data and a separate router for voice provides much advantage as compared to a single router providing services for both.

* you suggest an architecture with a router for data and a router for voice. where do the cameras fit into this architecture?

* you suggest a switch for data, a switch for voice, and a switch for cameras. It seems to me that what you really want is a vlan for data, a vlan for voice, and a vlan for cameras. what advantage is there in having separate switches?

- is it looking for suggestions about layer 3 routing?

* the suggested architecture suggests that the switches operate as layer 2 switches, with any routing logic being implemented on the routers and the ASA.

* with vlans/subnets for data, for voice, for cameras, and perhaps for backbone, it would seem that the routers would have locally connected subnets and would not need any dynamic routing protocol. The routers would simply need static routes for any subnet hosted on the other router and a default route with the ASA as the next hop. The ASA would need static routes for the inside subnets and a default route. No need for dynamic routing on the ASA.

- pretty clearly the ASA needs to provide security for the inside networks. The default architecture of the ASA permits any traffic originated inside to go to outside and permits any response traffic to be forwarded to the inside source. And the ASA by default does not allow traffic originated from outside to be forwarded to inside. So that would seem to satisfy the requirement.

 

However; I do have additional questions regarding the VLAN's for VOICE & DATA.

 

I've invested a lot of money in this equipment for CCNA & CCNP.

So having said that, I would like to use all of the devices in a real-world situation for an SMB office...

 

What I need is clarification on VLAN's and what device or device's the VLAN's should live on.

VLAN QUESTIONS:

Q-1 | Should the VLAN's live on the ASA, The Routers, or the L3 Switches?

Q-2 | Should VLAN's be configured on all the above devices or just one Device...?

Q-3 | If just one Device, which is the best device to use for VLAN's?

 

CURRENT VLAN CONFIGS:

VLAN 100 | DATA

VLAN 200 | VOICE

VLAN 300 | CAMERAS & DVR

 

Currently, I have SVI's and VLAN's configured on the ASA and the Routers. All Routes listed in the routing table are Local and Connected with static routes to the other devices.

EXAMPLE:

ASA GIG 0/0 --> ISP ROUTER FOR INTERNET

ASA GIG 0/1 X.X.100.250 --> L3 SW1 --> R1 | GIG 0/1 x.x.100.1 --> L3 SW1 | DATA NETWORK = SERVERS

ASA GIG 0/2 X.X.200.250 --> L3 SW2 --> R2 | GIG 0/1 x.x.200.1 --> L3 SW2 | VOICE NETWORK = PBX & IP PHONES

ASA GIG 0/3 X.X.10.250 --> L3 SW3 --> R1 & R2 | GIG 0/0 X.X.10 BACK-BONE NETWORKS --> L3 SW1 | DATA CONNECTIONS TO EACH DEVICES X.X.10 NETWORK

IP CAMERAS AND DVR'S CONNECT TO SW4 WHICH IS CONNECTED TO L3 SW1 FOR INTERNET CONNECTION

 

All devices above can access the internet and ping each other except the IP phones can't see the PBX Server and I can't ping the IP Phone that is directly connected to the workstation. The IP Phone is statically configured for VLAN 200, GATEWAY which is R2 | x.200.1, and the DNS Servers on the x.x.200 NETWORK

 

The DNS, DC, and PBX Servers are multi-homed and connect to both the VLAN 100 DATA NETWORKS & VLAN 200 VOICE NETWORKS. The DNS Servers Also connect to VLAN 300 CAMERA NETWORKS

 

The workstation is Statically configured with the x.x.100.x IP Address for VLAN 100 the DATA NETWORK connected directly to the IP Phone which is connected to the L3 SW2 Switch on the 200 Network.

 

What am I missing???

 

Thankx

I suggest that you think carefully and decide what your objective really is. On one hand you say "I've invested a lot of money in this equipment for CCNA & CCNP." So perhaps your objective is to get experience with multiple routers and switches. But then you say "I would like to use all of the devices in a real-world situation for an SMB office" So which is really your objective?

Then let me address some of what you ask:

- "What I need is clarification on VLAN's and what device or device's the VLAN's should live on." A vlan is a layer 2 entity. So the vlan lives on switches. Routing for the vlan is done by a layer 3 interface. That layer 3 interface might be on a switch (SVI) if the switch is layer 3 capable, or it might be on a router or on an ASA. In the environment that you are describing I would suggest that the switches be configured for layer 2 only. The switches would connect to the router(s) on interfaces configured as trunks. The router(s) would have vlan subinterfaces to communicate with the trunk and would provide routing for the inside networks.

- "Q-1 | Should the VLAN's live on the ASA, The Routers, or the L3 Switches?" Answered in previous point.

- "Q-2 | Should VLAN's be configured on all the above devices or just one Device...?" I suggest that the vlan be configured on switch(es). Switches would have trunks so the vlans can communicate with the router. And that the router have vlan subinterfaces so that it can communicate with the vlans and provide routing.

- "Q-3 | If just one Device, which is the best device to use for VLAN's?" I do not believe it should be just one device.

- "Currently, I have SVI's and VLAN's configured on the ASA and the Routers." My suggestion is that the ASA should not have SVIs for the vlans. The ASA should have routed link(s) to the router(s) and the ASA access to the vlans should be static routes on the ASA for the subnets of the inside vlans.

- in your example the ASA connects to L3SW1 and L3SW2. I do not see why you need L3 switches here. The ASA can easily connect to the routers. Even for CCNA I think this is a bit of a stretch. And then L3SW1 and L3SW2 are used to connect the router(s) to the voice and data networks. This is much more appropriate.

- in your example the ASA interfaces have IP addresses in the data vlan and voice vlan. As I said above I do not recommend this. It is appropriate for the router to provide routing for the voice and data vlans. I see no benefit in putting that responsibility/load on the ASA. It will be better if the router(s) do the inter vlan routing and the ASA does the address translations and provides security for the inside networks.

- your example mentions a backbone network. I am not clear where/what that is.

HTH

Rick
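As an added illustration of the design Rick describes above (VLANs defined on layer 2 switches, a trunk to the router, one subinterface per VLAN on the router, a routed link to the ASA with static routes for the inside subnets and default routes in both directions), the configuration below is constructed for this thread and is not from the original posts. Interface numbers, the 172.16.x.0 addressing and the ISP next hop are assumptions; the switch section uses Catalyst IOS syntax, and the SG300's CLI is similar but not identical, so check each command against its own reference.

```cisco
! ---- R1 (Cisco 1921): router-on-a-stick for the inside VLANs ----
! Gi0/1 carries the 802.1Q trunk from the switch; one subinterface per VLAN.
! All addresses are constructed for this example.
interface GigabitEthernet0/1
 no ip address
 no shutdown
interface GigabitEthernet0/1.100
 description DATA (VLAN 100)
 encapsulation dot1Q 100
 ip address 172.16.100.1 255.255.255.0
interface GigabitEthernet0/1.200
 description VOICE (VLAN 200)
 encapsulation dot1Q 200
 ip address 172.16.200.1 255.255.255.0
interface GigabitEthernet0/1.300
 description CAMERAS and DVR (VLAN 300)
 encapsulation dot1Q 300
 ip address 172.16.30.1 255.255.255.0
! Gi0/0 is a plain routed link to the ASA inside interface; no VLANs or SVIs there.
interface GigabitEthernet0/0
 ip address 172.16.10.1 255.255.255.252
 no shutdown
! Anything not locally connected is sent to the ASA.
ip route 0.0.0.0 0.0.0.0 172.16.10.2
! ---- Layer 2 switch: the VLANs live here, the routing does not ----
vlan 100
 name DATA
vlan 200
 name VOICE
vlan 300
 name CAMERAS
interface GigabitEthernet0/1
 description Trunk to R1 Gi0/1
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
interface GigabitEthernet0/5
 description IP phone with the workstation plugged into it
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
! ---- ASA 5520: routed link to R1, static routes for the inside subnets ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.2 255.255.255.252
 no shutdown
route inside 172.16.100.0 255.255.255.0 172.16.10.1
route inside 172.16.200.0 255.255.255.0 172.16.10.1
route inside 172.16.30.0 255.255.255.0 172.16.10.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

On the phone port the workstation's frames arrive untagged and land in VLAN 100 while the phone tags its own traffic with VLAN 200, so a single access port serves both devices; if a second router is kept, it needs static routes for the subnets behind the first one, as Rick notes.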

I am glad that my suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick