Network design questions

Discussion in 'Cisco' started by gautamzone@gmail.com, Feb 5, 2007.

  1. Guest

    Hi friends,

    I just wanted to share a design of an old network, and based on that
    ask for suggestions on integrating the new network into the old
    network.

    The old network has essentially two categories of users: Admin and
    Guests. There are two network segments created for both of
    them as well which are as follows:

    Admin Users: 192.168.0.0 / 24
    Guest users: 10.254.1.0 /24

    The access method is different for both categories of users. With
    regards to outside access, the Admin users go through the firewall.
    But guest users don't touch the firewall. Regarding DHCP, the Admin
    users get their DHCP address from a server in
    192.168.0.0/segment. For wireless users, the DHCP server / Default
    Gateway is the Egress server (a Linux box) with IP address
    10.254.1.1 / 24. The default gateway for the Admin users is the
    firewall viz. 192.168.0.254. Both the Egress server and the Symantec
    firewall have a public interface too connecting to the router.

    The 3560's connecting to the Egress, Symantec are all Layer 2. The
    same servers will be used by the new network users too for DHCP
    allocation, Internet access, firewall filtering. There are no VLAN's
    in the current network, which means there is only one VLAN, viz. VLAN 1.
    The old network was set up by a third party.

    With regards to the new network in a different building, the network
    design and integration has been contracted to us.
    Now, there is a core / distribution switch 4506 connected to 3560
    access switches in different floors. The access switches are connected
    to users and access points. We are planning for floor based VLAN's and
    also ensuring that wired / wireless VLAN's are separated too. The
    design is pretty simple if you look at the new building / network
    alone. But a few questions that pop up are as follows:

    1. The 4506 switch connects through fiber to the old building 3560
    switches which in turn connect to the Egress and Symantec firewall.
    Now, how should the ports connecting the 4506 to the 3560 be
    configured? As trunks? I am not sure as 3560 will have no ports
    configured in VLAN's created on 4506. So, why should it receive VLAN
    info from 4506?

    2. How will I be able to pass traffic from VLAN's on the new network
    to the servers in the old network? The old network has only one VLAN
    viz. VLAN1. And the new network has multiple VLAN's.

    As of now, all that I can think is configure the 3560's connected to
    servers as Layer 3 devices. The 3560's can be used to route traffic
    between the old network and new network. The 3560 and 4506 can share a
    common VLAN. There can be routes created on the 3560's pointing to
    4506 for reaching VLAN's created on new network. Similarly, there can
    be routes added on core to reach the 3560's for old network. But the
    DHCP servers become two hops away now for clients on new network. So,
    first hop is 4506 switch and second hop is the 3560 connected to the
    server. So, I believe I need to configure ip-helper address on the
    4506 as well as the 3560 switches?? I really need some help in
    validating this solution as well.

    Once I know the answer to these two questions, I think that the setup
    pretty much gets straightforward. I can configure ip-helper address to
    pass DHCP requests to different DHCP servers on the Layer 3 vlan
    interface. And I can use policy-based routing to pass traffic to
    different default gateways (for admin and guests) because that is
    source-sensitive.

    Looking forward to your kind help in this regard

    Thanks a lot
    Gautam
     
    , Feb 5, 2007
    #1

  2. Guest

    Hi friends,

    Sorry for the terribly long post!!! I just wanted to be descriptive
    about the issue.

    To sum up, I just have one concern. How can I integrate a VLAN-based
    network into a non-VLAN network? The non-VLAN or VLAN1 network has all
    the servers / Internet access services?

    I just need a rough idea on how to proceed. Once I get it, I am ready
    to take up from there!!! All the switches at the edge are 3560
    Standard Image and the core is 4560.

    Thanks!!!

    Gautam





     
    , Feb 6, 2007
    #2

  3. Drake Guest

    <> wrote in message
    news:...
    > Hi friends,
    >
    > Sorry for the terribly long post!!! I just wanted to be descriptive
    > about the issue.
    >
    > To sum up, I just have one concern. How can I integrate a VLAN-based
    > network into a non-VLAN network? The non-VLAN or VLAN1 network has all
    > the servers / Internet access services?
    >
    > I just need a rough idea on how to proceed. Once I get it, I am ready


    You need to route between different vlans (subnets), probably at the core
    switch.

    You should also be aware of some security problems associated with having a
    single VLAN for Management and data:

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml


    --
    Posted via a free Usenet account from http://www.teranews.com
     
    Drake, Feb 6, 2007
    #3
  4. Guest

    Thanks a lot for the useful inputs!!

    I have just thought about a solution based on your inputs and I request
    your kind help in validating it.

    1. 4506 connects to 3560 -----------> On VLAN 192 (Admin)
    2. 4506 connects to 3560 -----------> On VLAN 10 (Wireless)

    Both 4506 and 3560 have Layer 3 SVI's for VLAN 10 and VLAN 192. The
    4506 will point to the 3560's SVI's to reach the networks behind them
    through static route on 4506. Similarly, the 3560's will point to the
    4506's SVI's to reach the networks behind the 4506 through static
    routes. (I will need to configure IP routing on the 3560's to make
    them Layer 3).

    So, basically the links between the 4506 and the 3560 are NOT trunk
    links and just normal links whose ports are access ports.

    The servers in the old network (behind the 3560's) will have a route
    add statement (and equivalent route statement for Linux box) to reach
    the networks behind the 4506 having the 3560's VLAN 1 IP as the next
    hop.

    Does this solution sound workable?

    Thanks a lot again and sorry to post so many questions in this
    regard.

    Gautam





     
    , Feb 6, 2007
    #4
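
A minimal IOS sketch of the routed hand-off proposed in post #4, together with the DHCP relay question from post #1, added here as an example and not posted by any participant in the thread. The floor VLAN 110 and its 172.16.110.0/24 subnet, the 172.16.255.0/30 transit addressing on VLAN 192, the interface names, the 3560's VLAN 1 address 192.168.0.253 and the DHCP server address 192.168.0.10 are assumptions; the thread gives none of them.

```ios
! ===== 4506 (new-building core) =====
ip routing
!
! Hypothetical floor VLAN; one such VLAN/SVI per floor and per wired/wireless split
vlan 110
 name FLOOR1-WIRED
! Transit VLAN shared with the old-building 3560 (VLAN 192 as in post #4)
vlan 192
 name TRANSIT-ADMIN
!
interface Vlan110
 description Floor 1 wired users (assumed subnet)
 ip address 172.16.110.1 255.255.255.0
 ! Relay client DHCP broadcasts as unicast to the admin DHCP server (assumed address)
 ip helper-address 192.168.0.10
!
interface Vlan192
 description Routed hand-off to old building
 ip address 172.16.255.1 255.255.255.252
!
! Access port, not a trunk: only VLAN 192 crosses the fiber, so the
! floor VLANs are never extended into the old building's VLAN 1
interface GigabitEthernet1/1
 description Fiber to old-building 3560 (assumed port)
 switchport mode access
 switchport access vlan 192
!
ip route 192.168.0.0 255.255.255.0 172.16.255.2
!
! ===== 3560 (old building, now routing) =====
ip routing
!
vlan 192
 name TRANSIT-ADMIN
!
interface Vlan1
 description Old admin segment (servers, firewall 192.168.0.254)
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan192
 ip address 172.16.255.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Fiber to 4506 (assumed port)
 switchport mode access
 switchport access vlan 192
!
! Return path to the floor subnet behind the 4506
ip route 172.16.110.0 255.255.255.0 172.16.255.1
```

Only the client-facing SVI on the 4506 carries `ip helper-address`: the relayed request is a routed unicast, so the 3560 forwards it like any other packet. The DHCP server still needs a scope for the floor subnet and a route back to 172.16.110.0/24 via the 3560's VLAN 1 address, as post #4 describes for the old-network servers.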
