Basic Network Design


Looking for a basic design for a small/medium community college campus. College has about 1200 users in 7 separate buildings all connected to a MDF. Have two running ISPs, and 1 backup line, connected to a Cisco 3725 router. Also, have two ASA 5500's (new), two 3850 Cisco routers (new), and a server farm for outside/inside access. Any ideas?

Currently have 3com switches at each building, but can put cisco 1841's if recommended.

Know this is not efficient, so want to make changes.
                      ISP1    ISP2    backup
                        |       |       |
                     +---------------------+
                     |     Cisco 3725      |
                     +---------------------+
                               |
  server farm --| ASA 5500 |--| 3com switch |-------- DHCP server (3 class C blocks)
                                     |
                              | Fiber switch |
                             /  |   |   |   |  \
                buildings   1   2   3   4   5   6


I would connect each ISP to a separate router and have them behind a firewall.

For each building perhaps connect 2 links connecting to 2 main switches (1 link to each switch) for redundancy and reliability. The 2 main switches will connect to the other end of the firewall.

Perhaps move the DHCP server to the server farm and keep them in a 3rd link from the firewall.

All Internet servers need to be moved to the DMZ segment of the firewall.
I would also recommend that you use a separate subnet/VLAN for each building, if your 1 or 2 central switches support L3 routing.

The trend is to smaller and smaller subnets, even down to subnet per access switch, to avoid/eliminate  spanning tree.

If you are thinking of VoIP in the future, also try and daisy chain as few devices as possible.
kenkup90 (Author) commented:
Would it be ISP, firewall, then router or ISP, router, then firewall?

Is it better with an 1841 router at each building or a switch?


                      ISP1        ISP2    backup
                        |           |       |
                 | Cisco 3835 | Cisco 3835 |   HSRP or GLBP?
                 |__________________________|
                               |  outside
      dmz                +--------------+
  server farm -----------|   ASA 5500   |
  DHCP server (3 class C blocks)  +-----+
                               |  inside
                         | Fiber switch |   router or VLANs?
                        /   |   |   |   |  \
           buildings   1    2   3   4   5   6   router or switch?

Thanks for your continued assistance.


Answer 1) ISP, router then firewall
Answer 2) There are new switches with Layer 3 (almost like a switch with integrated router) - these are recommended;

Also on your ASA5500, separate the dmz from the server farm.

HSRP or GLBP??? I'm not sure which suits you more - I would go for HSRP if possible.

Router or VLANs? Routers and VLANs can co-exist.
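To show what "ISP, router then firewall" with HSRP between the two routers looks like in practice, here is an added example of Cisco IOS and ASA configuration (not from anyone in this thread). Interface names, the 198.51.100.x and 203.0.113.x addresses, the track object and the shared key are constructed placeholders; the IOS syntax assumes a release that supports `track` objects and HSRP version 2.

```text
! Router A (active gateway): uplink to ISP1
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Uplink to ISP1 (constructed addresses)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Shared LAN toward the ASA outside interface
 ip address 203.0.113.3 255.255.255.0
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Router B (standby): same layout with its own addresses, a lower
! priority and a default route via ISP2. If the ISP1 link goes down,
! Router A drops to 90 (110 - 20) and Router B (100) preempts.
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Uplink to ISP2 (constructed addresses)
 ip address 198.51.100.6 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 203.0.113.4 255.255.255.0
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.5
!
! ASA 5500: default route on the outside interface to the HSRP virtual IP
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Note that this only makes the outbound gateway redundant: inbound traffic to the public addresses of the DMZ still arrives through whichever ISP owns and advertises that address space, so the authenticated HSRP pair is not by itself an inbound failover solution.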
kenkup90 (Author) commented:

Not sure what you mean by "separate the dmz from the server farm". Should I put the server farm on the inside interface?

Already have the equipment purchased,  will need to configure using it.

Thanks for the information you have provided.
Look forward to your response.
I meant put the DMZ in the right leg of the ASA5500 (Similar to your 1st diagram which had the DHCP)

On the left keep DHCP with the Server farm (DMZ should not be part of that)

DMZ will include any server that will be accessed by the Internet users directly such as your main Web Server and/or Mail gateway and/or main DNS Servers. Other servers not accessed directly by Internet users need to be on the Server Farm such as your database servers, File/Sharing Server, Intranet server, Development servers, etc.

I hope this clarifies my suggestion.
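As an added illustration of the three-leg layout suggested above (not configuration from anyone in this thread), here is an ASA 5500 fragment with outside, inside (server farm plus DHCP) and dmz interfaces. All addresses, object names and hosts are constructed, and the NAT lines assume the object-NAT syntax introduced in ASA 8.3; an ASA on 8.2 or earlier uses the older `static (dmz,outside)` form instead.

```text
! Three legs, ordered by trust: outside (0) < dmz (50) < inside (100)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Only Internet-facing services live in the DMZ (constructed hosts)
object network DMZ-WEB
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.10
object network DMZ-MAIL
 host 172.16.10.20
 nat (dmz,outside) static 203.0.113.20
!
! Internet users reach only the published ports on the DMZ hosts;
! nothing from outside may reach the inside server farm directly
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE_IN extended permit tcp any object DMZ-MAIL eq 25
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! A compromised DMZ host should not be able to start sessions into the
! server farm; allow only the mail gateway to relay to the internal
! mail server (constructed 10.0.0.25), log and drop everything else
access-list DMZ_IN extended permit tcp host 172.16.10.20 host 10.0.0.25 eq 25
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Because the inside interface has the highest security level, the server farm and DHCP server can still reach the DMZ and the Internet without additional rules, while the two access lists above are what keep the DMZ from becoming a path into the server farm.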

kenkup90 (Author) commented:
Thanks for your assistance.  Much appreciated.