
Network design questions

 
 
gautamzone@gmail.com
02-05-2007
Hi friends,

I just wanted to share a design of an old network, and based on that
ask for suggestions on integrating the new network into the old
network.

The old network has essentially two categories of users: Admin and
Guests. There are two network segments created for both of
them as well which are as follows:

Admin Users: 192.168.0.0 / 24
Guest users: 10.254.1.0 /24

The access method is different for both categories of users. With
regards to outside access, the Admin users go through the firewall.
But guest users don't touch the firewall. Regarding DHCP, the Admin
users get their DHCP address from a server in
192.168.0.0/segment. For wireless users, the DHCP server / Default
Gateway is the Egress server (a Linux box) with IP address
10.254.1.1 / 24. The default gateway for the Admin users is the
firewall viz. 192.168.0.254. Both the Egress server and the Symantec
firewall have a public interface too connecting to the router.

The 3560's connecting to the Egress, Symantec are all Layer 2. The
same servers will be used by the new network users too for DHCP
allocation, Internet access, firewall filtering. There are no VLAN's
in the current network, which means, there is only one VLAN viz. VLAN 1.
The old network was set up by a third party.

With regards to the new network in a different building, the network
design and integration has been contracted to us.
Now, there is a core / distribution switch 4506 connected to 3560
access switches in different floors. The access switches are connected
to users and access points. We are planning for floor based VLAN's and
also ensuring that wired / wireless VLAN's are separated too. The
design is pretty simple if you look at the new building / network
alone. But a few questions that pop up are as follows:

1. The 4506 switch connects through fiber to the old building 3560
switches which in turn connect to the Egress and Symantec firewall.
Now, how should the ports connecting the 4506 to the 3560 be
configured? As trunks? I am not sure as 3560 will have no ports
configured in VLAN's created on 4506. So, why should it receive VLAN
info from 4506?

2. How will I be able to pass traffic from VLAN's on the new network
to the servers in the old network? The old network has only one VLAN
viz. VLAN1. And the new network has multiple VLAN's.

As of now, all that I can think is configure the 3560's connected to
servers as Layer 3 devices. The 3560's can be used to route traffic
between the old network and new network. The 3560 and 4506 can share a
common VLAN. There can be routes created on the 3560's pointing to
4506 for reaching VLAN's created on new network. Similarly, there can
be routes added on core to reach the 3560's for old network. But the
DHCP servers become two hops away now for clients on new network. So,
first hop is 4506 switch and second hop is the 3560 connected to the
server. So, I believe I need to configure ip-helper address on the
4506 as well as the 3560 switches?? I really need some help in
validating this solution as well.

Once I know the answer to these two questions, I think that the setup
pretty much gets straightforward. I can configure ip-helper address to
pass DHCP requests to different DHCP servers on the Layer 3 vlan
interface. And I can use policy-based routing to pass traffic to
different default gateways (for admin and guests) because that is
source-sensitive.

Looking forward to your kind help in this regard

Thanks a lot
Gautam
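
The two-hop DHCP relay arrangement asked about in the post above, written out as Cisco IOS configuration; this is an added example, not part of the original thread. `ip helper-address` is needed only on the client-facing SVI, because the relay forwards the request as unicast and every later hop simply routes it. VLAN 20, VLAN 900, the 172.16.x.x addresses and 192.168.0.253 are assumptions, and `<admin-dhcp-server-ip>` is a placeholder for the server address the post does not give.

```cisco
! Added example. Hypothetical values: VLAN 20, VLAN 900, all 172.16.x.x
! addresses and 192.168.0.253. <admin-dhcp-server-ip> is a placeholder for
! the DHCP server in 192.168.0.0/24, whose address the post does not give.
!
! ---- 4506, new building core ----
ip routing
!
! Client-facing SVI: the only place the relay is configured. The 4506
! turns the client's broadcast into a unicast to the server and sets
! giaddr to 172.16.20.1, which tells the server which scope to use.
interface Vlan20
 description Floor 1 wired users
 ip address 172.16.20.1 255.255.255.0
 ip helper-address <admin-dhcp-server-ip>
!
! Common VLAN shared with the old-building 3560. The fiber ports on both
! switches must carry this VLAN (for example as access ports in VLAN 900).
interface Vlan900
 description Transit to old building
 ip address 172.16.255.1 255.255.255.252
!
ip route 192.168.0.0 255.255.255.0 172.16.255.2
!
! ---- 3560, old building, Layer 3 enabled ----
ip routing
!
interface Vlan1
 description Old admin segment
 ip address 192.168.0.253 255.255.255.0
!
! No ip helper-address here: the relayed request arrives as unicast
! and is routed like any other packet.
interface Vlan900
 description Transit to 4506
 ip address 172.16.255.2 255.255.255.252
!
ip route 172.16.20.0 255.255.255.0 172.16.255.1
!
! The DHCP server replies to giaddr (172.16.20.1). Its default gateway is
! the firewall at 192.168.0.254, so the server needs its own route for
! 172.16.20.0/24 via 192.168.0.253, or the firewall must carry that route.
```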

 
 
 
 
 
gautamzone@gmail.com
02-06-2007
Hi friends,

Sorry for the terribly long post!!! I just wanted to be descriptive
about the issue.

To sum up, I just have one concern. How can I integrate a VLAN-based
network into a non-VLAN network? The non-VLAN or VLAN1 network has all
the servers / Internet access services?

I just need a rough idea on how to proceed. Once I get it, I am ready
to take up from there!!! All the switches at the edge are 3560
Standard Image and the core is 4560.

Thanks!!!

Gautam





 
 
 
 
Drake
02-06-2007

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi friends,
>
> Sorry for the terribly long post!!! I just wanted to be descriptive
> about the issue.
>
> To sum up, I just have one concern. How can I integrate a VLAN-based
> network into a non-VLAN network? The non-VLAN or VLAN1 network has all
> the servers / Internet access services?
>
> I just need a rough idea on how to proceed. Once I get it, I am ready


You need to route between different vlans (subnets), probably at the core
switch.

You should also be aware of some security problems associated with having a
single VLAN for Management and data:

http://www.cisco.com/en/US/products/...8013159f.shtml


--
Posted via a free Usenet account from http://www.teranews.com

 
 
gautamzone@gmail.com
02-06-2007
Thanks a lot for the useful inputs!!

I have just thought about a solution based on your inputs and I request
your kind help in validating it.

1. 4506 connects to 3560 -----------> On VLAN 192 (Admin)
2. 4506 connects to 3560 -----------> On VLAN 10 (Wireless)

Both 4506 and 3560 have Layer 3 SVI's for VLAN 10 and VLAN 192. The
4506 will point to the 3560's SVI's to reach the networks behind them
through static route on 4506. Similarly, the 3560's will point to the
4506's SVI's to reach the networks behind the 4506 through static
routes. (I will need to configure IP routing on the 3560's to make
them Layer 3).

So, basically the links between the 4506 and the 3560 are NOT trunk
links and just normal links whose ports are access ports.

The servers in the old network (behind the 3560's) will have a route
add statement (and equivalent route statement for Linux box) to reach
the networks behind the 4506 having the 3560's VLAN 1 IP as the next
hop.

Does this solution sound workable?

Thanks a lot again and sorry to post so many questions in this
regard.

Gautam




