Hello

How is network 2 getting out to the internet at present and if it isnt t does the OP require network 2 to access the internet?
We dont see where the correlation /routing at present between vlan1-2 being performed (if any), is the server doing this?

Even if you turn that L2 switch into a L3 what is the advantage of this?

I would say there isnt not enough information at present to provide a definitive answer, unless i am missing something which is highly likely!

Hi ,

I forgot to give some information.Network 1 is our branch site,it need to access our DC.

Network 2 is other network and it isn't under control. They need to access my server to get some data.

Last time we run persistence route in server,default rout to network 2 and static route to our DC.

I thought it is not proper way so we change to L2 to L3.

If i use NIC teaming i need to run LACP in switch side,correct ? or Which design is the best practice ?

Hi,

Now the design has changed. As network 1 is your branch site. How to connected both sides? Are you using Site to Site VPN, MPLS etc? Why did you show us that it is connected on switch directly? Do you have two ISP connections one like the Internet and another as a site to site VPN or MPLS?

Know we are looking for more information on the same.

Regards,

Deepak Kumar

Hi,

We are using site to site VPN to DC.

I have only one connection to DC.Network 2 is the clients site of other vendors. not mine.Network 2 only can access our server only.Network 2 don't have to access our DC site.

Hi,

How many users are working on Site-A?

Regards,

Deepak Kumar

Hi,

Not too much ,this server is retrieve some data from DC and Network 2 pull this data only.Why ?

Hi,

I asked you to figure out do you really required a Layer 3 switch. If you asking me, I am happy with Layer 2 switch in Network 1 and a port-channel between ASA to Existing Layer 2 switch. Create Two VLAN's on Cisco Switch and same on ASA. Now One VLAN will keep as LAN and one keeps as DMZ. 

It will save your money and provide you an aditional level of security between Server and Clients. Why you configured routes on your server? I don't think it will require in this case because all data will travel to Gateway (ASA) and ASA will take action as per configuration of ACL, NAT etc.

Regards,

Deepak Kumar

Hi,

Do you mean below design ? Network 2 firewall link connect to our switch is 2x 10 G fiber.

Let me know if I am using ASA 5512 .5512 support SFP +. can connect their firewall to my firewall .But i have only one firewall.Can i do as below design ? and let me know ASA can do link aggregation because i need more bandwidth.their firewall links is 2 x 10 G to our network.

Hello

Looks like you have a security issue regards your server you don't mention if this is running some fw application so i am assuming it isn't, Anyway it has presence in both networks as such any breach on that device could leave both networks open to each other.

One possible solution could be to have your network 1 fw provide L3 for vlan 1-2, Add an additional physical into this fw for vlan 2, Team you server nics for vlan 1 between the L2 switch and lastly DMZ vlan2 so only specific hosts can leak into vlan1 for that server

Hi,

the another problem is my firewall cannot support sfp+. Network 2 firewall will use 2 x 10 G fiber.

so i consider L3 switches.

Hi,

Again we came to the same point. How to both sites are connected? Are you using VPN (As you said), or  Direct Fiber cables, or MPLS connection or secondary internet connection for VPN?

If it is VPN connection then why are you thinking that Network 2 is using fiber cable and you can't do this because of the port not available on the firewall? You havan e Internet connection and VPN will make over the existing internet connection. It is software configuration but a part of the hardware.

Hi Deepak kuma,

Network 2 is not my network.i cannot control and cannot say them don't use fiber.

My network is direct fiber network.They don't need to integrate our existion network.They only need to access my server that specifically create for them.my server pull some data from my DC and they will retrieve data from my server.they cannot access directly our DC.So i consider for integration design. The below design is previous design proposed and i don't know what is the best practice.

Some friends advise to use below design .Network 2 is in DMZ zone.

Network 2 firewall is using 2x 10 G firber.(it is their requirement). I need to propose their requirement.

i want to propose cost effective simple design. and i would like to know their firewall link 2x 10 G can directly connect to my firewall. my ASA firewall is 5512.so my firewall support SFP+.