Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Traffic help - possible switch upgrade

Status
Not open for further replies.
Geo502

Geo502

Technical User
Oct 18, 2007
10
US
I am new to the upgrading thing with switchs and routers, so i need some advice on what i should do with our current network and how to better route traffic.

We have a small office of 8 users connecting to a switch in a closet that then connects to a 24 port cisco catalyst2950 switch in the datacenter.

we also have a total of 9 servers connected to the same switch in the datacenter. These servers consist of 2 webservers, 1 database server, 2 dns servers and a domain controller, backup server, Anti virus server. ETC..

From the catalyst 2950 it goes into a pix firewall and then to a bgp setup with a 2800 and old 2600 series routers.

I know that it cant be good or (could it) for all of web traffic and internal network traffic to go into the same 24 port switch.
My question is Could I add another switch to one of the ports on the existing switch or will that do any good since it is connected via crossover to the existing switch and traffic would still pretty much be flowing from the same switch.

What is my best solution for the web traffic to our users surfing our site.

I would also like to have the webserver traffic eventually on Gigabyte transmission, but that is a wish later in 2009.


Thanks to whomever takes the time to reply to this post..

 
Sort by date Sort by votes
My reading of it is that it works: the router is "outside", so it routs "in" to the PIX and "out" from the PIX. It's a WAN router only.
The only routing between VLANs 1 & 10 occurs through the PIX.
If you get my drift.

logically, it looks like this:
WAN router<-->OUTSIDE<-->PIX<-->LAN

The confusing bit is that OUTSIDE and LAN are on the same switch.
 
Upvote 0 Downvote
Hello
I have taken a closer look at the switch config.And I must say it's strange.You have the Pix and the router plug into the say switch.It's strange that you network is up and running stable.
In a normal design you will have your PIX outside interface plug only into the router.And the PIX inside interface plug only into the Switch that will serve you private host.
Then you would have your outside service connected to the PIX DMZ interfcae with a Switch.
If you don't have a DMZ you can use VLAN's but with the same concept as above.

Regards
 
Upvote 0 Downvote
Minue - I suppose this is a PIX 506E (only two interfaces?) so they've patched the "Outside" back into the 2950 and configured that port, the router port and the "Outside" server port into a new VLAN to create a "DMZ".

It's not totally awful but it's
1/ confusing
2/ not really best-practice security-wise.


 
Upvote 0 Downvote
Hello
I think the design is very risky!!I haven't figure out the traffic pattern as yet.But as I said before,it's a suprise that the network is stable.
The PIX 506E support VLAN's the design should be :
WAN router connected to PIX outside interface.
Switch connected to PIX inside interface with two VlAN's,one for the DMZ and the other for inside host.
Regards
 
Upvote 0 Downvote
It's perfectly stable, it just isn't secure on the DMZ - maybe that's OK if the DMZ server is a throw-away that can be restored at will.

In any case it's almost certain his PIX won't support trunked ports.

So the design under discussion would be the sensible thing to come up with if your PIX only has 2 interfaces OR if you have a decent PIX but you're being a cheapskate and don't want to buy a 2nd switch.
 
Upvote 0 Downvote
Whirlwind I am not sure where you have the impression that I am being a cheapskate. I mentioned in this thread that I am looking for the best setup for this network. Granted the company doesnt have alot to spend, but i probably could get him to buy another switch or bigger firewall. As the company is getting bigger we are going to see bigger bottlenecks and I am trying to find what would be the best move for security and performance.

The pix is a 506E and yes it is very confusing and it took me awhile to figure what was going on when i first got here and is still is a cluster ***k.

What i have gotten out of this thread is that we need to look at buying a bigger pix or now called ASA, that has an inside/outside and DMZ port. Also another switch would help as well? With another switch I should setup Lan on one and and webservers and outside DNS on another.

 
Upvote 0 Downvote
Minue hit it on the nose. Read his post. As far as I am concerned, do it that way and see what happens. You can always buy equipment if need be later.

Burt
 
Upvote 0 Downvote
anyone recommend a step up from the pix 506e to something with 3 ports and unlimited bandwidth/connections. I once had an Admin that would use a linux box for the firewall and had it between the edge router and the switches.

I am not looking for anything for VPN just access-list, port fowarding, nat, and good throughput.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Skip Rango
  • Locked
  • Question
how to backup cisco sg500-52p switch
Replies
1
Views
347
madwok
madwok
Jared R
  • Locked
  • Question
Cisco UC320W Paging Help
Replies
0
Views
324
Jared R
Jared R
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
119
quazimotto
quazimotto
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat 1
Replies
1
Views
485
BIS
BIS
bfordz
  • Locked
  • Question
new help on setting up third party VoIP phones through Catalyst 2960x switch
Replies
0
Views
168
bfordz
bfordz

Part and Inventory Search

Sponsor

Back
Top