Toplogy Design Help

Hi I am currently assessing the problems on a mock network used for a project. I currently have some issues I would like some experts to look at. I have attached some network views of the network I am assessing. Perhaps a designer can chime in and tell me something I am missing.

http://img152.imageshack.us/my.php?image=entirenetworkviewqr7.png

The first picture is a view of the entire network. The shaded areas of the picture are closets where termination happens. All links from switches to the core are fiber. My question is according to cisco's 3-layer model are the 6500's supposed to be in the core, in my scenario they are access layer switches where workstations are terminated. Should they be moved down to the core? I also spotted some single points of failure etc. Also I noticed a mesh network using STP between all the switches would also be better. Any thing else? What am I missing?

http://img222.imageshack.us/my.php?image=networkcorecy4.png

This is the core of the network, my issue is what do you do when you run out of ports to connect devices to such as a ids monitoring system packeteer etc. Do you place a switch in place to expand more ports or should you purchase a module. I think there is an error with the Internet switch being a 2950 12 supporting the extra ports needed for the DMZ switch, packet monitoring system, ids systems. Can anyone please help with some advice? I am really suck on this design.

Find more posts tagged with

Comments

keenon

well heres just my overview.. why would u want to waste a 6500 as an access layer device for end users.. better off going with stack switches (3750) and spend the bucks at the core buiding more redundancy.. the only way i would use a 6500 is possibly at the server farm ..

hmm the second.. my opinion.. first question is why put a 7200 for 2 T1s ( cheaper possibly cheaper do negotiate a subrate DS3 that could expand) when a 3700 or even a 3800 would work as well with less cost and will support a DS3 without a blink.

i think u need redundant firewalls

routingbyrumor

Keenon, I am currently assessing the network for MPLS implementation. Our main goal is to optimize the current of the LAN. This is not my design I am looking for ways to improve and give recommendations on what to do. I'll definitely take your opinion on using 3750's as a access layer device. I thought the 6509's were totoally out of place and should be in the core. I just wanted to confirm with more professionals on what to do. As for the T1's they plan on throwing in an additonal 2 extra T1's since there is a bandwidth shortage. I'll give them a recommendation on the subrate DS3 lines though.
My question is what are redundant firewalls?

keenon

depending on the firewall it will run vrrp.. that will allow u to have 2 firewalls 1 active and 1 standby incase u have a failure.. i have seen this happen

rossonieri#1

hello there,

how big is it exactly?
first you want a 7200 - then 6500 - then 3700 - they are not cheap - in case you want to convince you client about your solutions - better to know what you want to do with their network.

cheers...

routingbyrumor

Rossonieri,

I am not implementing anything, this is their current network design. I just need ways to improve fine tune it etc. The equipment listed here their current equipment used in their building. This is the design plan I recieved from the network engineer. Our job is to recommend a better design, I am really conerned with how they have a 2912 that provides connections to the firewall, dmz, etc. I really wanted to know if there was a better solution design wise.

keenon

routingbyrumor wrote:

Rossonieri,

I am not implementing anything, this is their current network design. I just need ways to improve fine tune it etc. The equipment listed here their current equipment used in their building. This is the design plan I recieved from the network engineer. Our job is to recommend a better design, I am really conerned with how they have a 2912 that provides connections to the firewall, dmz, etc. I really wanted to know if there was a better solution design wise.

ok. .i didn't know that .. then thats different this is an actual network..

1.put access layer switches on any floor that doesn't need a 6500 which looks like most

2. that will gain you additional core switches.. the closet switches you could "stack" with 1 port connecting back to each of your now dual core devices let spanning tree work out the secondary links.

3. network 2 by my count has about 7 connections for a 6500.. if stacked where multiple switches are that cuts the conenction down by 2 back to the core

4. the wan connection you could have terminate on a svi with hsrp on both of the new core devices gained in 2, provided if that router has 2 fa that would have hsrp running as well.

5.
the front end i would recommend if there are no fiber connections removing the 2912 .. for at least 3550-12T

6. dual firewalls that would require .. that could handle the seperation between network 1, 2 , dmz and the internet

hmmm

routingbyrumor

keenon

ok. .i didn't know that .. then thats different this is an actual network..

1.put access layer switches on any floor that doesn't need a 6500 which looks like most

I was thinking to move the 6500's being used as access switches to the core, then implementing HSRP in between for fault tolerance.

2. that will gain you additional core switches.. the closet switches you could "stack" with 1 port connecting back to each of your now dual core devices let spanning tree work out the secondary links.

In place of the 6500's on the 3rd Floor I would place some stackable switches such as 3500 series.

3. network 2 by my count has about 7 connections for a 6500.. if stacked where multiple switches are that cuts the conenction down by 2 back to the core

I would then eliminate multiple drops to the core routers by simply connecting multiple switches together via STP.

4. the wan connection you could have terminate on a svi with hsrp on both of the new core devices gained in 2, provided if that router has 2 fa that would have hsrp running as well.

I don't understand this? Would the WAN connection come off the 6500's now? Would it be a blade on the 6509?

5.
the front end i would recommend if there are no fiber connections removing the 2912 .. for at least 3550-12T

6. dual firewalls that would require .. that could handle the seperation between network 1, 2 , dmz and the internet

Ok thanks for the suggestions. My question would I use a 3550 instead of the 2912 to extend the number of ports? Doesn't a 3550 have 10/00 fast ethernet connections as well? How would I extend the ports of the packeteer and connect devices such as the DMZ switch, Sniffer, etc.

Thanks.

rossonieri#1

hello,

you should stick with core-distro-access model with its device functionality assoc and hirachical bandwidth design.
unless you have several disjointed plants/sites - probably you should focus on L2 redundancy in the backbone.

3500 is a distro device to extend your LAN/vlan - dont think about L2 ports numbers (this is 2900 function).

if you have a solid backbone config - maybe you only need 2 6500 doing clean and dirty network model : clean for the trusted LAN - dirty for the untrusted.

access to FW or whatever DMZ is not a concern since we are focusing on LAN switching.

if you insist - try to calculate how much bandwidth the LAN will consume to access the FW/DMZ - if its big enough then you should think of multi GB port of 3700 switches.

AFAIK packeteer mainly used in your edge internet to LAN connection - unless you have other consideration.

cheers