11-30-2012 08:42 AM - edited 03-04-2019 06:17 PM
Dear All,
Kindly help analyse the attached proposed network topology of my company (and the branches) and advise me appropriately.
I want to know if the design could work fine or if there is a better way to achieve it using a different design. However, I'm more concerned with the position of the devices and the networks between the devices, and possibly how routing could be configured easily (I prefer static routes for now).
I look forward to your assistance.
Usman.
12-03-2012 01:21 AM
Hi Usman
There are two options where you could perform the NAT, but you have to consider the following things before taking a decision about NAT:
1. Are you having a BGP peering with your service provider? If yes, then NAT must be performed on that router so that you don't need to advertise those routes in your network.
2. If you have a static default route towards your SP, then you can perform the NAT either on the ASA or on the router. The only thing is that you have to maintain the public IPs up to your ASA and have to announce the reverse route from your router. (Again a bit cumbersome.)
Generally it is recommended to have a default route with your SP, terminate the link directly on the firewall and do the NAT over there. But in your case you have a router as well as an ASA, so it is better to perform the NAT on your exit router (please do the planning for how many sessions you are looking for).
regards
shivlu jain
12-03-2012 06:50 AM
I typically like to make the main data center 10.1.x.x/16, the secondary data center 10.2.x.x/16, etc.
Also, the point to point /30's can be from 192.168.0.0/16, or you could do something like 10.255.0.0/16. Whatever you think will fit together after growth. As long as you can summarize the /30's to something like 192.168.0.0/15, that's great.
I like 172.16.0.0/13 for DMZ's. 172.16.0.0 for main data center/location, 172.17.0.0/16 for secondary data center/location, etc.
172.31.0.0/16 for loopbacks on routers.
The big picture is that at some point you'll go to your branch router and want to summarize all of your main location IPs out to the branches. It'll be easier if all you have to put in is 10.1.0.0/16 (you can do the same with 172.23.0.0/16).
11-30-2012 09:14 AM
Hi
I can see only the proposed network topology but couldn't see what the current network topology is.
A few suggestions about the proposed one:
1. Why is the CardTech server not behind the firewall? It could be dangerous if it has access to the internet.
2. You can select either static or any dynamic routing because the network sites are not many.
3. Is the firewall configured in routing mode? I would suggest terminating your routing domain on the 3750X switch by configuring it as layer 3 and letting the firewall do its work of filtering only rather than routing. The advantage of this is that every time any of the VLANs wants to communicate with another, the traffic will not unnecessarily hit the firewall interface.
regards
shivlu jain
11-30-2012 02:16 PM
Shivju,
Thank you so much for the reply. Below are my responses:
1. CardTech is actually a 3rd party company and I do not know the details of their network. I only placed their server for you to see what my company connects to. I believe they have that equipment in their design.
2. I have never worked with a dynamic routing protocol but I may give it a try.
3. I will try connecting the branch router to the 3750 switch and enabling its routing feature as well. Thank you here.
Appreciate.
11-30-2012 11:26 AM
Comments on proposed network topology:
11-30-2012 02:27 PM
Sam Byers,
Thank you a lot for the reply. Below are my replies to your comments:
1. I will try the Class A subnet (10.1.x.x) as you mentioned, especially because of its portability when it comes to VLAN segregation (and VoIP). Good thinking here.
2. I will try enabling routing on the 3750 switch and connecting the branch router. Beautiful.
3. I will try EIGRP on the device. But I am more comfortable with static, especially because the network is not big, and I am scared because they say they (the routing protocols) are resource intensive. What do you think?
4. I do not understand this. Maybe you can simplify it for me. You know I'm a novice.
5. The other router close to my perimeter router belongs to CardTech. I believe they placed it there as a security measure so that we wouldn't know their network design. We only know the node we connect to at their end.
Thank you
Usman
11-30-2012 10:15 PM
Hi Usman
A few more points:
1. You can choose either OSPF or EIGRP. EIGRP is proprietary to Cisco and OSPF is an open standard. I would strongly recommend going with OSPF if you want to go dynamic, or simply go with static as you don't have much experience with dynamic routing protocols.
2. The network is not so big, so you can go with static routing without thinking anything.
regards
shivlu jain
11-30-2012 11:12 PM
Shivlu,
Thank you once again. You are the man.
Again, where do you think I should consider NATing my proxy server to the internet? The perimeter router or the ASA? The proposed location of the proxy server would be VLAN 172.23.3.0 at the Head Office.
Regards,
Usman
11-30-2012 11:18 PM
Sam Byers,
Another thing: I have some Class A subnets in mind as you suggested, but do you also have one in mind for my design?
Also, don't you have any issue with the Class C (point-to-point) subnets I use on the edges of my devices at the head office?
I can imagine my network becoming simpler and dynamic now, courtesy of you guys.
Thank you,
Usman
12-03-2012 12:25 AM
Dear All,
If you noticed, I have changed the topic of our discussion. I believe with the above chosen words more people on Cisco would be able to search and benefit from the knowledge.
Thank you very much.
Usman Musa.
12-03-2012 06:07 AM
Dear Shivlu,
I don't have BGP with my ISP and I think the best option is to NAT at the perimeter router, as you rightly said.
However, I will modify my design and upload it for you to see as soon as I have finished.
Thank you.
Usman Musa
03-20-2013 05:49 AM
Hello Shivlu Jain/Sam Byers,
Hope you are all doing well and fine!
I really appreciate your previous feedback on this issue.
Regards,
Usman Musa
06-08-2013 09:54 AM
1. Do you need to trunk vlans to your ASA? Can it just be connected at L3?
2. Depending on expected growth, you might want your datacenter to have 10.1.0.0/16, and put the branches in 10.2.0.0/16. That way, if you ever want to summarize, you can. (ex. Branch 1 = 10.2.1.0/24, Branch 2 = 10.2.2.0/24, etc.)
a. Or, like mentioned before you can use whole /16 for branches to make it easier to manage (10.y.x.0).
b. for branches, you have a lot of choices.
3. Your PtP links between your routers have big subnets. Do they need subnets that large? Can they use /30s?
4. Great job!
Sorry this was late, I've been very busy lately! Hopefully, this install went smoothly!
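The addressing advice in Sam's two replies above (one /16 per site, /30 point-to-point links drawn from a block that summarizes cleanly, DMZs and loopbacks in their own ranges, and a single summary route pushed out to the branches) is easy to get subtly wrong on paper. The script below is an added example, not code from anyone in this thread; it uses only Python's standard `ipaddress` module to check a constructed plan for the mistakes that bite later: prefixes with host bits set, overlaps between sites, addresses outside RFC 1918 space, and a summary route that either misses one of the site's own VLANs or swallows another site's prefix (which black-holes that site's traffic once the summary is advertised). The sample prefixes are assumptions chosen to follow the scheme in the replies, not the poster's actual plan.

```python
"""Sanity checks for a hierarchical RFC 1918 addressing plan.

Added example for this thread, not code from any of the posters. The sample
plan follows the scheme the replies recommend (10.1.x.x for HQ, 10.2.x.x for
branches, /30 point-to-point links from 192.168.0.0/16, DMZs under
172.16.0.0/13, loopbacks under 172.31.0.0/16); the exact VLAN, branch and
link prefixes are constructed for illustration and are not from the thread.
Requires only the Python standard library (3.7+).
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

Plan = Dict[str, List[str]]   # site name -> prefixes assigned to that site

# Constructed sample plan (assumed values, not the poster's topology).
PLAN: Plan = {
    "HQ":        ["10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24"],
    "Branch1":   ["10.2.1.0/24"],
    "Branch2":   ["10.2.2.0/24"],
    "PtP":       ["192.168.0.0/30", "192.168.0.4/30", "192.168.0.8/30"],
    "DMZ":       ["172.16.1.0/24"],
    "Loopbacks": ["172.31.0.1/32", "172.31.0.2/32"],
}

RFC1918 = [ipaddress.ip_network(b)
           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(plan: Plan) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Parse every prefix; strict=True rejects host bits set in a prefix
    (e.g. 10.1.2.5/24), a typo that static routes silently tolerate."""
    return {site: [ipaddress.ip_network(p, strict=True) for p in nets]
            for site, nets in plan.items()}


def non_private(plan: Plan) -> List[str]:
    """Prefixes outside RFC 1918 space: they would shadow real internet
    destinations once the default route is in place."""
    return [str(n) for nets in parse(plan).values() for n in nets
            if not any(n.subnet_of(block) for block in RFC1918)]


def overlaps(plan: Plan) -> List[Tuple[str, str]]:
    """Every pair of prefixes, across all sites, that overlap each other."""
    labelled = [(f"{site}:{n}", n)
                for site, nets in parse(plan).items() for n in nets]
    return [(la, lb) for (la, a), (lb, b) in combinations(labelled, 2)
            if a.overlaps(b)]


def summarize(prefixes: List[str]) -> str:
    """Smallest single prefix covering all of the given networks."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()      # widen by one bit until all fit
    return str(summary)


def check_summary(summary: str, site: str, plan: Plan) -> Dict[str, List[str]]:
    """Check a summary route you intend to advertise for `site` (for example
    10.1.0.0/16 for HQ, pushed out to the branches).

    'missing'  - prefixes of `site` the summary does not cover (unreachable)
    'captured' - other sites' prefixes the summary also covers; traffic for
                 them would be pulled towards `site` and black-holed there.
    Both lists must be empty before the summary is safe to use."""
    s = ipaddress.ip_network(summary)
    parsed = parse(plan)
    missing = [str(n) for n in parsed[site] if not n.subnet_of(s)]
    captured = [f"{other}:{n}" for other, nets in parsed.items()
                if other != site for n in nets if n.overlaps(s)]
    return {"missing": missing, "captured": captured}


if __name__ == "__main__":
    print("non-private:", non_private(PLAN))
    print("overlaps:   ", overlaps(PLAN))
    for site, nets in PLAN.items():
        print(f"{site:10} summarizes to {summarize(nets)}")
    print("HQ as 10.1.0.0/16:", check_summary("10.1.0.0/16", "HQ", PLAN))
    print("HQ as 10.0.0.0/8: ", check_summary("10.0.0.0/8", "HQ", PLAN))
```

Run it as-is to see the report for the sample plan, or replace `PLAN` with your own site-to-prefix mapping. The useful habit is to run `check_summary` with the exact summary you plan to type into the branch routers' static routes: a summary that is too wide (10.0.0.0/8 for HQ in the sample) captures the branch prefixes, and one that is too narrow (10.1.0.0/22) leaves an HQ VLAN unreachable; neither error shows up until traffic is actually sent.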
06-09-2013 02:33 AM
Sam Byers,
Once again thank you for all the support. You are such a reliable fellow. Below are my responses based on your enquiries and the changes made on the new topology.
1. I actually created two trunk links to the ASA because of the VLANs I created on the sub-interfaces. Trunk 1 carries VLANs 2, 3, 4 & 5 while trunk 2 carries VLANs 6, 7 & 8. I purposely made trunk 1 carry the traffic for the different departments while trunk 2 is for the datacentre VLANs.
2. As you can see on the new topology, I used 10.1.2.0/24, 10.2.2.0/24 & 10.3.2.0/24 as the networks for my HQ and two other branches respectively, the 10.y.x.0 approach as you mentioned earlier. You would also observe I have subnetted 10.1.2.0 further into different VLANs (10.1.2.0, 10.1.3.0, 10.1.4.0 etc.). Any additional suggestion would be welcome.
3. As you suggested, I have changed the PtP links to /30s.
My challenge now: I enabled routing on the 3750 switch as earlier advised, but how do I make the branches communicate with my HQ VLANs and the internet? Do I have to configure a default route on the switch, and to where? Remember I use static routing, and NAT to the internet is configured on the perimeter router.
I have uploaded the modified topology on the original post, now named 09062013, for your review.
Awaiting your kind response.
Usman