09-04-2006 03:23 AM - edited 03-05-2019 12:02 PM
I'm new to Cisco and hoping to implement a large Cisco solution. Unfortunately we're not in the position to hire an expert so I'm seeking some much needed advice!
The general plan for phase 1 would be:
A router with 9 interface cards, that will have a 4Gbps trunk to an Internal Network Switch, 1gbps to DMZ switch, 1gbps to WLAN router, 1gbps to identical router for HSRP, 1gbps to WAN switch, and 100mbps to Internet router
The router will need to participate in OSPF, HSRP and do trunking. It needs to do IPSEC vpn tunnels
The Internal Network Switch would have about 40 Vlans to individual departments. Each department uplink to the Internal Network Switch would be 100mbps. Eventually this switch will be doubled up for redundancy.
There would be about 1000 clients going through it via the Internal Network Switch, and through the Router, using the DMZ servers as well as the Internet.
So I have a few questions regarding this setup:
1/ Which type of router should I use?
2/ Which type of switch should I use?
3/ Is the network schema at all correct or would there be a better way of doing it?
Hoping for some help!
09-04-2006 07:26 AM
Hi,
you might use a Catalyst 6500 or 4500 or 3750 for all the above. The Layer3 switches will have enough interfaces and Layer2/Layer3 features available to support your requirements.
What I do not understand is: "The Internal Network Switch would have about 40 Vlans to individual departments. Each department uplink to the Internal Network Switch would be 100mbps."
So you are planning for 40 FastEthernet interfaces? It would probably make more sense to use a GE or GE channel trunk for all of them and do shaping/policing if at all required. This would save you a lot of interfaces.
Regards, Martin
09-04-2006 08:27 AM
Martin, thanks for your reply.
Basically there are 40 different departments located in different physical locations. Each department would have its own VLAN. Would that be the right approach?
So what you're saying is not to use any routers at all? Basically just use Layer3 switches?
What would be the pros and cons of using L3 Switches as opposed to Routers?
Regards,
Kosta
09-04-2006 08:28 AM
1) I recommend going with Cisco 2800 ISR for the IPSec VPN http://www.cisco.com/en/US/products/ps5854/index.html
2) I recommend going with Cisco 3750G for the DMZ, WLAN, WAN switch connections. This switch provides (with the right image) HSRP, OSPF, EIGRP services.
http://www.cisco.com/en/US/products/hw/switches/ps5023/index.html
3) Drop all connections down to the 3750G (all ports support up to 1Gb speed) and perform all the routing there as well as layer2 VLANs.
Nice, clean and inexpensive solution.
In addition, 3750s support stackwise cabling so if you purchase more than one switch for port density, in the config it looks like a single switch.
09-04-2006 09:04 AM
So you think I'm right in using Routers to connect Internal Network, DMZ, WAN, WLAN, as opposed to L3 Switches?
09-04-2006 09:13 AM
Kosta,
I never stated that. The routers will only be used for the IPSec VPN connection between sites.
Internal routing should be done with L3 switches and the 3750G will be an ideal switch for you and your needs.
09-04-2006 09:17 AM
09-04-2006 09:30 AM
Kosta,
The design looks. It all depends on how much money you've allocated in your budget.
Ideally, I would go with 6509s for your 'INT NET SW1' and 'WAN SW1' with a 3560G as the 'DMZ SW1'.
With a medium budget, 4507s should do the job instead of 6509s.
If budget is low, 3570Gs for INT NET and WAN SW1 and 3560G for the DMZ SW1.
The routers are well placed in your network and you can go with either 2800 or 3800 ISR.
As for the switches, try to go with Gb ports all around. It's a waste of money to buy 100Mb ports. Also, are you planning to implement VoIP? Think about PoE switches.
09-04-2006 10:00 AM
Thanks for your interest and help.
There is no VoIP requirement. I will definitely be getting 1Gbps ports all round.
What kind of redundancy would you implement and using which protocols?
09-04-2006 10:54 AM
For layer2 redundancy, I recommend configuring etherchanneling between switches and also between switches and servers.
For layer3 redundancy, HSRP (if using ip routes) or any routing protocol (OSPF, EIGRP) should do the job.
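The GE EtherChannel trunk suggested earlier in the thread and the EtherChannel plus HSRP redundancy recommended in this reply, as an added IOS configuration example that is not from this thread or from Cisco documentation; hostnames, interface numbers, VLAN ids, addresses and the key string are assumptions.

```cisco
! Added example, not from the thread: two L3 switches (3750G class)
! share the VLAN 10 gateway with HSRP and are joined by a 2-port
! Gigabit LACP EtherChannel carrying only the VLANs that need it.
! Hostnames, ports, VLAN ids, addresses and the key are assumptions.
!
! ---- INT-NET-SW1 (intended HSRP active router) ----
hostname INT-NET-SW1
!
interface range GigabitEthernet1/0/1 - 2
 description Uplink to INT-NET-SW2 (EtherChannel member)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 description L2 trunk to INT-NET-SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 description Department A gateway
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 ! fall back to the peer if the uplink toward the core goes down
 standby 10 track GigabitEthernet1/0/24 20
!
! ---- INT-NET-SW2 (standby; same trunk and EtherChannel config) ----
hostname INT-NET-SW2
!
interface Vlan10
 description Department A gateway
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string HSRP-KEY-PLACEHOLDER
```

Without the authentication line any host on VLAN 10 that sends a higher-priority HSRP hello can take over the virtual gateway, so the key string and the pruned allowed-VLAN list on the trunk are the two settings worth checking before calling the redundancy done.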
09-04-2006 10:57 AM
What about doubling up on each device (if cost permits)?
09-04-2006 11:18 AM
If money is no object, sure.
09-04-2006 09:51 PM
The IPSEC vpn tunnel would go from the Department Router/Firewall to the CR (main) Router (passing through the Internal network switch) ?
09-05-2006 07:27 AM
Kosta,
I don't recommend implementing IPSec VPNs on internal networks. I thought you were connecting this location to a remote location over the internet. That's where the IPSec VPN implementation is useful.
09-05-2006 02:34 PM
Your first step would be to find a Cisco Partner reseller in your area and go over your design with them and they could recommend the equipment you need. Some Cisco resellers will also provide technical support in configuring and designing your network. I was involved in upgrading a large network to a Cisco centric platform and the reseller was a big help in converting our old network configuration to the Cisco platform.
As part of the equipment purchase you should also get the Cisco support option which will provide you Cisco TAC help.