
Design Question

Status
Not open for further replies.

kunz12

MIS
Jan 17, 2007
42
Hello everyone -

I have a design question that involves Cisco ASA firewalls (2 actually, one of them is for failover), a stack of 3750 switches and a Cisco 3845 router. I am a little confused about how the equipment should be connected for optimal routing and switching at our data center.

Here's the scenario. We will have 3 VLANs hosting different kinds of servers. These servers need to be accessed by all sites that are connected to our MPLS cloud. The 3845 router too will be connected to the MPLS cloud from our data center. The ASAs (also at the DC) will be connected to an Internet router for Internet connectivity.

So here are my questions:

1. How should the 3845 router be configured so that it routes traffic to different sites, but also provides access to the Internet from servers in all the different VLANs?
2. Would I need to create a trunk port on each switch in the stack, or should just 1 trunk port for the stack be enough?
3. Would I need a router interface and an ASA interface on each VLAN?

I am a little confused about this thing... So any help would be greatly appreciated!!
 
You do not need a router interface and ASA interface in each VLAN---the 3750's will route, just make sure that the router and ASA know about the VLANs. There is only a need for one trunk for the stack, but I would put two for redundancy. The most powerful switch needs to be the stack master (like if you have two 3750-48's and one 3750-48G, the 48G would be the stack master). As far as STP in a stack, I am not sure how that works...
You would need NAT in the router for traffic to get out to the internet, unless the MPLS cloud is a private deal (I know little about MPLS). Your provider should give you a config for the edge anyway...
Are you planning to encrypt traffic between sites, like with site-to-site vpn's (or do you need to with MPLS???)?

Burt
 
Ok, to make things simpler, let's assume I have a single 3750 switch which needs 2 VLANs on it. The respective VLAN IP addresses on the 3750 will be the default gateway for the servers in those two respective VLANs. The 3750 switch will need to be connected to a 3845 router (which is connected to the MPLS cloud). OSPF will be configured for dynamic routing between the 3845 router and the 3750 switch.

My question now is:

1.) Can I use the native VLAN on the 3750 switch to connect to the 3845 router? Or should I create another VLAN on the 3750 for communication with the router?
2.) If the 3750 switch needs to connect to an ASA 5510 for the Internet, should that connection be on the native VLAN or a separate VLAN as well?
3.) If I need 2 DMZs on the ASA, can I create additional VLANs on the 3750 for the equipment in the 2 DMZs? If yes, then would the equipment in the DMZs use the VLAN interface as the default gateway, or will they use the IP address of the DMZ interface as their default gateway?

Thanks again!
 
1) Don't use a VLAN, use a routed interface
Code:
! Routed (Layer-3) port on the 3750 facing the 3845, no SVI involved
interface FastEthernet1/0/48
 no switchport
 ip address 10.1.1.1 255.255.255.252
!

2) Again don't use a VLAN, use a routed interface and configure routing between the ASA & the 3750. You can either use static routes or as you are going to configure OSPF anyway use that.

3) Create the DMZs on the ASA and connect another switch or use the 3750, but only create the VLANs at Layer-2 in the 3750 (i.e. don't create 'interface vlan X' for the DMZ VLANs)

Andy
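To tie the three answers above together, here is a constructed end-to-end configuration sketch. It is an added example, not configuration from the original thread or from any of the posters: the 3750 holds the SVIs that are the servers' default gateways, reaches the 3845 and the ASA over routed ports (no VLAN interfaces on those links), and keeps the two DMZ VLANs at Layer 2 only so the ASA's DMZ subinterfaces are the DMZ hosts' gateways. Every IP address, VLAN ID, interface number and the single OSPF area are assumptions, as is an IOS/ASA feature set that supports OSPF on all three boxes; NAT on the ASA and the provider-facing side of the 3845 are left out.

```cisco
! ---- Cisco 3750 (Layer-3 switch; server default gateways live here) ----
! Constructed example: all addresses, VLAN IDs and interface numbers are assumptions.
ip routing
!
vlan 10
 name SERVERS-A
vlan 20
 name SERVERS-B
! DMZ VLANs are Layer-2 only on the 3750: deliberately no 'interface Vlan30' or
! 'interface Vlan40', so the ASA's DMZ subinterfaces are the only DMZ gateways.
vlan 30
 name DMZ1
vlan 40
 name DMZ2
!
interface Vlan10
 description Server VLAN A - default gateway for servers
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description Server VLAN B - default gateway for servers
 ip address 10.10.20.1 255.255.255.0
!
! Routed (no switchport) point-to-point link to the 3845 MPLS router
interface GigabitEthernet1/0/1
 description To 3845 Gi0/0
 no switchport
 ip address 10.1.1.1 255.255.255.252
!
! Routed point-to-point link to the ASA inside interface
interface GigabitEthernet1/0/2
 description To ASA Ethernet0/1 (inside)
 no switchport
 ip address 10.1.1.5 255.255.255.252
!
! 802.1Q trunk carrying only the DMZ VLANs to the ASA's DMZ interface
interface GigabitEthernet1/0/3
 description To ASA Ethernet0/2 (DMZ trunk)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30,40
 switchport mode trunk
!
! A DMZ host port: Layer-2 only, its gateway is the ASA's dmz1 address
interface FastEthernet1/0/10
 switchport access vlan 30
 switchport mode access
!
! OSPF: advertise the server subnets, form adjacencies only on the routed links
router ospf 1
 network 10.10.0.0 0.0.255.255 area 0
 network 10.1.1.0 0.0.0.7 area 0
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface GigabitEthernet1/0/2
!
! ---- Cisco 3845 (MPLS edge) ----
interface GigabitEthernet0/0
 description To 3750 Gi1/0/1
 ip address 10.1.1.2 255.255.255.252
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
! Routes to the remote sites come from the provider side (out of scope here) and
! must be redistributed into OSPF so the 3750 learns them.
!
! ---- ASA 5510 ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.6 255.255.255.252
!
interface Ethernet0/2
 no shutdown
interface Ethernet0/2.30
 vlan 30
 nameif dmz1
 security-level 50
 ip address 172.16.30.1 255.255.255.0
interface Ethernet0/2.40
 vlan 40
 nameif dmz2
 security-level 50
 ip address 172.16.40.1 255.255.255.0
!
! Default route to the Internet router, injected into OSPF so the 3750 and the
! 3845 send Internet-bound traffic to the ASA
route outside 0.0.0.0 0.0.0.0 203.0.113.1
router ospf 1
 network 10.1.1.4 255.255.255.252 area 0
 default-information originate
```

The point of the split is that the server VLANs are routed on the switch while the DMZ VLANs are merely switched through it: a DMZ host's traffic to a server VLAN has to leave through the ASA's dmz1/dmz2 interface and re-enter via inside, so the ASA's access policy is enforced for it. Creating `interface Vlan30` on the 3750 would hand the DMZ hosts a gateway that bypasses the firewall, which is exactly what Andy's answer 3 warns against.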
 