
Redundant Network Design

lucidus asked:
Take a look at this design:
http://www.lpld.com/campusnetworkblock.jpg
Is it feasible? My big question, since this area is somewhat new to me, is: are routers required? If you have a smaller, redundant network with Layer 3 switches at the distribution/core, then do you need routers? I.e. is a router required within the Server or WAN blocks?
Thanks for your input!

Steve Jennings, Sr Manager Cloud Networking Ops
CERTIFIED EXPERT

Commented:
Without knowing what the application is or the connectivity requirements are I can give you an opinion that's exactly worth what you've paid for it. Yes, it looks feasible.

The 3550's actually do IP routing. Is that your question?

Steve

Commented:
I agree with SteveJ on all counts. You do need routing if you want communication between the multiple VLANs, and the 3512's can do that. Ideally, you would want those to be pure layer 2 as they are your backbone and you generally want them as fast as possible, so you would want layer 3 (and above if filtering) to happen within the individual "blocks" such as the server block etc. However, since they are not showing any routing devices in the individual blocks (aside from the server block), I am assuming it is being performed on the 3512-G's. This is definitely acceptable though, and those are pretty darn fast switches at layer 3.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
I agree also with the routing comments above, but I do question having your WAN and the Internet both in the same VLAN 50; plus you show a 3640 text, but no device. You will need routers also between your firewall and the WAN and between the firewall and the Internet. I would put the VPN device off of a DMZ on your firewall.

Commented:
I agree the WAN block should be separate from an Internet block. The VPN and firewall should be in the same block; I'm not sure if I agree with putting the VPN device off the firewall. I have heard this before, but I can't really see its point, not to mention every design guide I have, and every training class I have taken, always wants it like that. The only reason I can see not to do it that way is if you don't have internal routing capability, but then I would put it behind the firewall as a pass-through. A better solution would be to save some money, drop the VPN device and do all VPN with your firewall. What kind will you be using? Seems like you are spending a lot of money here; I would assume you can afford an enterprise class firewall.

Commented:
Regardless of affordability, this has a lot to do with how many simultaneous VPN sessions you need to support and the amount of traffic on your firewall. I don't care how big your firewall is, or the bogus test numbers that firewall vendors give out to say that they'll support thousands of concurrent clients; the fact is that encryption is highly processor intensive, and often that should go on its own dedicated box or other operations will pay the price. Those VPN boxes are made specifically to handle those processes efficiently and, depending on the products in question, will often absolutely murder a production firewall on performance stress tests.

Personally, I don't see the big deal with having the WAN and Internet block be the same thing. Unless you are doing additional filtering inside, then who really cares where it comes in? However, I will say that in my environment, I do have them split :P.

Also, having the VPN box off of the firewall is debatable. I've seen it both ways. I think that one depends on how much you trust the VPN box not to let unwanted traffic in or be susceptible to attack. Having it hang off the firewall gives a bit more peace of mind.

Commented:
I agree with scraig84 except that his statement about firewall and encryption depends on the specific firewall. We use the top performing VPN boxes hands down, and believe me they don't handle our highest loads of VPN traffic any better than our high end firewalls. They are a little cheaper, but they aren't cheaper than buying a firewall and them instead of a better VPN capable firewall. In fact we are looking to turn all our VPN boxes into a little revenue on eBay for training classes and new equipment. We have a few thousand VPN connections on our FWs at peak times, and during those times when the FWs are working their hardest the CPU doesn't hit 10%. There is nothing special about VPN devices other than specialized processors for IPSec and streamlined OSes and specialized ASICs to take the load off the main processor. Our firewalls have IPSec cards. I agree that VPN devices are better at doing VPNs, but you won't notice the difference unless you have insane traffic. Most enterprises can't generate enough traffic to stress an enterprise class firewall. Of course, as usual, we are kind of off the topic. If his Internet traffic isn't high, why have a VPN device? If you have an IPSec capable firewall that can handle your traffic, save yourself some money and do that. As far as your questions, in case you haven't figured it out yet, having layer 3 switches at the core is having routers at the core. scraig is correct that ideally you want layer 2 speed at the core and layer 3 devices at the distribution layer (in each building), but that is really Cisco's way of selling more expensive equipment. It is applicable in some environments, but those would be high traffic areas as well. You only have 3 buildings, a server block and a WAN block. Not exactly a lot of blocks to switch between. You will be fine.
Also, the only reason I know of for separating the WAN block from the Internet block is for security reasons: traffic coming in from the Internet is on the same broadcast domain as the WAN block, but the WAN is protected by a firewall. So no reason to separate. I wouldn't have two firewalls though; I would put the WAN off a firewall port. Save a little money.

Commented:
I think we are agreeing in a strange way. I didn't say that you should never put VPN functionality on your firewall. I am saying that there are situations that warrant it, and others that don't, which is basically what you said. My objection to your comments came from the fact that you don't know what his traffic levels are or the amount of VPN sessions he needs to support, but you still made a decision about which way he should go.

Author

Commented:
I'm out in training all week. I'll look at the design and answers when I get back and then pick a winning answer...

Commented:
You are correct, scraig; I assumed he doesn't have over a T-3's worth of traffic, which is the only case I have ever seen needing a high end dedicated VPN device. But I agree there are times when one is needed and other times when the other will suffice.

Author

Commented:
Okay, final comment/question... No one ever really answered the big part of my question. Do I need a router in the WAN and/or server block?


Side note:
And just to clarify some other questions/issues that were brought up:

I do have routers between the firewall and the WAN and between the firewall and the Internet. They are just not on the diagram.

The VPN, which is a Cisco 3005, works great where it is right now, but in the future I might hang it off a DMZ on the firewall. I've seen the design both ways, and I'm not sure which I prefer...

Also, we have two firewalls to protect ourselves with separate policies. We have very different policies on our WAN and Internet firewalls, and the Watchguard is not capable of doing per-port policies, so that is why we have two...

First one to answer the router question gets the points!  Thanks,
-Tim

Commented:
The only reason you would need to put layer 3 devices in all the blocks is if they were connected by a high speed layer 2 backbone, especially if it's a different media. But they aren't; they are all connecting to what I believe would be a redundant, high speed, layer 3 core in the 3550-12G's. So, to answer your question, no, you don't need to add more routers.
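To make the answer above concrete, here is an added example (not from the thread or from any poster) of what "the layer 3 core is the router" looks like on one of the two core switches: IP routing turned on, one SVI per block, HSRP between the two cores for the redundancy the diagram implies, and an ACL on the server-block SVI so the core also enforces who may reach the servers. The VLAN numbers, addresses and the ACL policy are assumptions chosen for illustration; VLAN 50 is the only number taken from the thread.

```cisco
! Core switch A (assumed hostname); core B mirrors this with its own addresses
! and a lower HSRP priority. Addresses below are constructed for the example.
ip routing
!
vlan 10
 name Building-1
vlan 20
 name Server-Block
vlan 50
 name WAN-Block
!
! Only traffic the server block needs is let in from the other blocks;
! everything else from the buildings and WAN to the servers is dropped.
ip access-list extended SERVER-BLOCK-IN
 permit tcp 10.1.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 443
 permit tcp 10.1.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 445
 permit udp any 10.20.0.0 0.0.0.255 eq domain
 deny   ip any 10.20.0.0 0.0.0.255 log
!
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
 ! Applied outbound on the SVI: checked as traffic is routed INTO the server block.
 ip access-group SERVER-BLOCK-IN out
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan50
 ip address 10.50.0.2 255.255.255.0
 standby 50 ip 10.50.0.1
 standby 50 priority 110
 standby 50 preempt
!
! Hosts in each block use the HSRP virtual address (x.x.x.1) as their default
! gateway; if core A fails, core B takes over the address and routing continues.
```

Because the SVIs are on the core itself, no separate router is needed inside the server or WAN block; the WAN block still terminates on the routers the author says sit between the firewall and the carrier circuits.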


Author

Commented:
Good - that's what I wanted to hear...
