cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4531
Views
3
Helpful
15
Replies

What is the best network design for my company,Class B or Class A subnet?

Nabaruma
Level 1
Level 1

                   Dear All,

Kindly help analyse the attached proposed network topology of my company (and the branches) and advise me appropriately.

I want to know if the design could work fine or if there are better way to achieve using different design. However, I'm more concern with the position of the devices and the networks between the devices and possibly how routing would be configure easily ( I prefer static route for now).

I look forward for your assistance.

Usman.

2 Accepted Solutions

Accepted Solutions

Hi Usman

There are two options where you could perform the NAT, but you have to consider the following things before taking decision about NAT:-

1. Are you having a BGP peering with your service provider, if yes thn NAT must be performed on that router so that you don;t need to advertise those routes in your network.

2. If you have static default route towards your SP, then you can perform the NAT either on ASA or on router, the only thing is that you have to maitain the public IPs till your ASA and has to announce the reverse route from your router. (Again a bit Cumbersome)

Generally it is recommended to have a default route with your SP and terminate the link directly on firewall and do the NAT over there. But in your case, you have router as well as ASA, so better to perform the NAT on your exit router (Please do the planning how many sessions you are looking for).

regards

shivlu jain    

View solution in original post

I typically like to make the main data center 10.1.x.x/16, the secondary data center 10.2.x.x/16, etc.

Also, the point to point /30's can be from 192.168.0.0/16, or you could do something like 10.255.0.0/16. Whatever you think will fit together after growth. As long as you can summarize the /30's to something like 192.168.0.0/15, that's great.

I like 172.16.0.0/13 for DMZ's. 172.16.0.0 for main data center/location, 172.17.0.0/16 for secondary data center/location, etc.

172.31.0.0/16 for loopbacks on routers.

The big picture is that at some point you'll go to your branch router and want to summarize all of your main location IPs out to the branches. It'll be easier if all you have to put in is 10.1.0.0/16 (you can do the same with 172.23.0.0/16).

View solution in original post

15 Replies 15

shivjain
Cisco Employee
Cisco Employee

Hi

I can see only proposed network topology but couln't see what is the current network topology.

Few Suggestion about the proposed one:-

1. Why the card tech server is not behind firewall. It could be dangerous if it has access to internet.

2. You can select either static or any dynamic router because the network sites are not much.

3. Is the fireall configured in routing mode. I would suggest to terminate your routing domain on 3750x switch by confiuring it as a layer 3 and let firewall do its work of filtering only rather than routing. The advantage of using this is that every time if any of the vlans wants to communicate to each other, the traffic will not unnecessarly hit the firewall interface.

regards

shivlu jain

Shivju,

Thank you so much for the reply. Below are my response:

1. The cardTech is actually 3rd party company and I did not know the details of their network. I only place the their server for you to see what my company connect to. I believe they have those equipments in their design.

2. I never work with dynamic routing protocol but i may give it a try.

3. I would try connecting the Branch router on the 3750 switch and enable it's routing feature as well. Thank you here.

Appreciate.

Sam Byers
Level 1
Level 1

Comments on proposed network topology:

  1. IP numbering looks rough. You'll want to number this in a way that easier to summarize later on. The data center could be 10.1.x.x, branches 10.y.10.x (where y is branch ID, third octet could be incremented for each vlan in the branch if you ever have VoIP and want to separate).
  2. I agree with Shivlu, you could turn on ip route on the 3750 and connect the branch router to that.
  3. Turn EIGRP on. The L3 switch, branch router, and ASA could all be EIGRP neighbors. Depending on how your WAN works to the branch routers, that also could be EIGRP. This makes it easier to add branches and routers. This is more of my own preference, static route would work fine. BUT if they grow, static routes are going to get old really fast.
  4. Turn interface passive on all SVI's on the L3 switch except those that actually have routers adjacent. No need to have hellos going everywhere!
  5. Why two routers in front of ASA? Can't terminate the WAN link to CardTech in the perimeter router?

Sam Byers,

Thank you alot for the reply. Below are my reply for you comment:

1. I would try the Class A subnet (10.1.x.x) as you mentioned especially because of it's portability when it comes to vlan segregation (and voip). Good thinking here.

2. I will try enabling the routing in 3750 switch and connect the branch router. Beatiful.

3. I will try the EIGRP on the device. But am more confortable with static especially because the network is not big and am scared because they say they (the routing protocool) are resource intensive. what do u think?

4. I do not understand this. May be you can simply it for me. You know I'm a novice.

5. The other router close to my perimeter router belongs to CardTech. I believe they placed it there as a security so that we wouldn't know their network design. We only know the node we connect to at their end.

Thank you

Usman

Hi Usman

Few more points:-

1. You can choose either OSPF or EIGRP. As EIGRP is prop. to Cisco and OSPF is open standard. I would strongly recommend to go with OSPF if you want to go with dynamic or simply go with static as you don't have much experience with dynamic routing protocol.

2. the network is not so big, so you can go with static routing without thinking anything.

regards

shivlu jain

Shivlu,

Thank you once again. You are the man.

Again where do you think I should consider when NATing my proxy server to internet? The perimeter router or the ASA? The proposed location of the proxy server would be vlan 172.23.3.0 at Head Office

Regards,

Usman

Hi Usman

There are two options where you could perform the NAT, but you have to consider the following things before taking decision about NAT:-

1. Are you having a BGP peering with your service provider, if yes thn NAT must be performed on that router so that you don;t need to advertise those routes in your network.

2. If you have static default route towards your SP, then you can perform the NAT either on ASA or on router, the only thing is that you have to maitain the public IPs till your ASA and has to announce the reverse route from your router. (Again a bit Cumbersome)

Generally it is recommended to have a default route with your SP and terminate the link directly on firewall and do the NAT over there. But in your case, you have router as well as ASA, so better to perform the NAT on your exit router (Please do the planning how many sessions you are looking for).

regards

shivlu jain    

Sam Byers,

Another thing I have some class A subnets in mind as you suggested but do you also have one in mind for my design?

Also don't you have any issue with the class c ( for point-to-point) subnets I use on the edges of my devices at head office?

I can imagine my network becoming simpler and dynamic now courtesy of you guys.

Thank you,

Usman

Dear All,

If you noticed I have changed the topic of our discussion. I believe with the above choiced words more people on cisco would be able to search and benefit with the knowledge.

Thank you very much.

Usman Musa.

Dear Shivlu,

I don't have a BGP with my ISP and I think the best option is to nat at the perimeter router as you rightly said.

However, i would modify my design and upload for your to see as soon as I finished.

Thank you.

Usman Musa

I typically like to make the main data center 10.1.x.x/16, the secondary data center 10.2.x.x/16, etc.

Also, the point to point /30's can be from 192.168.0.0/16, or you could do something like 10.255.0.0/16. Whatever you think will fit together after growth. As long as you can summarize the /30's to something like 192.168.0.0/15, that's great.

I like 172.16.0.0/13 for DMZ's. 172.16.0.0 for main data center/location, 172.17.0.0/16 for secondary data center/location, etc.

172.31.0.0/16 for loopbacks on routers.

The big picture is that at some point you'll go to your branch router and want to summarize all of your main location IPs out to the branches. It'll be easier if all you have to put in is 10.1.0.0/16 (you can do the same with 172.23.0.0/16).

Hello Shivlu Jain/Sam Byers,

Hope you are all doing well and fine!

Find attached the adjusted network diagram for my company for your  scrutiny and any possible advise.
I would like you to specifically certified the network and various subnets use for the whole company. I preferred the class A (10.y.x.0) for versatility and in case of expansion in the future, where y is the branch number and x is the subnet number.

I really appreciate your previous feedback on this isssue.

Regards,

Usman Musa

1. Do you need to trunk vlans to your ASA? Can it just be connected at L3?

2. Depending on expected growth, you might want you datacenter to have 10.1.0.0/16, and put the  branches in 10.2.0.0/16. That way if you ever want to summarize you can. (ex. Branch 1 = 10.2.1.0/24, Branch 2 = 10.2.2.0/24, etc.)

     a. Or, like mentioned before you can use whole /16 for branches to make it easier to manage (10.y.x.0).

     b. for branches, you have a lot of choices.

3. Your PtP links between your routers have big subnets. Do they need subnets that large? Can they use /30s?

4. Great job!

Sorry this was late, I've been very busy lately! Hopefully, this install went smoothly!

Sam Byers,

Once again thank you for all the support. You are such a reliable fellow. Below are my responses base on your enquiries and changes made on the new topology.

1. I actually created two trunks link to the ASA because of the VLANs I created on the sub-interfaces. Trunk 1 carries vlan 2,3,4 &5 while trunk2 carries vlan 6,7, & 8. I purposely made trunk1 carry the traffic for the different departments while trunk2 is for Datacentre vlans.

2. As you can see on the new topology I used 10.1.2.0/24, 10.2.2.0/24 & 10.3.2.0/24 as the network for my HQ and two other branches respectively, 10.y.x.0 approach as you mentioned ealier. You would also observe I have subnetted the 10.1.2.0 further to different vlans (10.1.2.0, 10.1.3.0, 10.1.4.0 etc). Any additional suggestion would be welcome.

3. As you suggested I have change the PtP links to /30s

My challenges now, I enabled routing on the 3750 switch as earlier advised but how do I make the branches communicate with my HQ vlans and the internet? Do I have to configure a default route on the switch and to where?Remember I use static routing and natting  to the internet is configured on the perimeter router.

I have uploaded the modified topology on the orginal post now name 09062013 for your review.

Awaiting your kind response.

Usman


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco