Fiber Transport Connectivity and WAN recommendations

We currently have 5 subnets that connect back to one central location. To simplify things, we have subnets A, B, C, D, and E, and subnet A is our central location. There is not necessarily a need to communicate between all subnets; each just needs to communicate back to subnet A.

Current setup
     Subnet B is connected via T1 (Cisco Router 1700 Series)
     Subnet C is connected via T1 (Cisco Router 1700 Series)
     Subnet D is connected via MPLS (Adtran managed by Qwest)
     Subnet E is connected via MPLS (Adtran managed by Qwest)
     Current firewalls are SonicWall

We have fiber transports being installed between the subnets, which is basically a Metro E or VPN line setup. We are not planning to use any of the above hardware and also do not want to convert everything to a flat network.

Looking for some different ideas and opinions for hardware to use.  Want to keep it simple and cost down.

Would also like another opinion on hardware that could be configured for failover to a redundant connection, but may not go down that road.


I'm not an expert network engineer, but I have a similar setup that is simple. I'm using Cisco 3750's that do the routing/VLANS among each other. They are expensive new but you can get them fairly cheap "used".

As far as failover .. I have an ASA 5510 at my corporate location. At my branches, I use ASA 5505's and have a private and public interface .. if the private interface goes down, I can still access it via a point-to-point VPN connection between the ASAs. I do not have any routing or fancy rules if it would go down ... mainly a troubleshooting measure or "back door" in case of a problem.

jbarton221 (Author) commented:
Would it be possible to just use the ASAs without the Cisco 3750's?
If you have enough interfaces and VLANs on the ASA 5510, it should work to do the routing in the ASA 5510.
If you swap out your SonicWall (which I suggest regardless), you could probably do it all on an ASA 5510. Looks like you only have 5 subnets, which is very small. I think I have around 30 on my 5510.

Reason I recommend the 3750's is the ease of use and reliability. Do you have any layer 2 switches on your network?
jbarton221 (Author) commented:
Yes, we have layer 2 switches everywhere.
The ASA has 4 gig ports, but you can do sub-interfaces, so I think that would work just fine with your setup. As long as you have a layer 2 switch behind it, you can set up your VLANs and use the ASA to route between them.
jbarton221 (Author) commented:
What about using the ASA 5505? At least using them out at the other sites?
The only way the 5505 is a required device at the other sites is if you have a public facing interface. If it's a point to point metro e connection, you really don't need one. I would assume the ISP would give you their own routers at each location that would terminate the connection.

What I've done is requested both a private and public connection - which then requires a firewall. I use the public interface to create a VPN tunnel from the 5505 to my corporate 5510. You could ask the Metro E provider if they can give you both a private and public interface ... or just find a cheap DSL or cable provider.

I took it a step further and use the public interface to route Internet traffic out of, so the only traffic traversing the private pipe is the private traffic on my local LAN. The pipes I have are not very big, so this was a must.
jbarton221 (Author) commented:
Right now that is exactly what our setup is for 3 of the 4 campuses. We have separate Internet connectivity at each. They also have a separate server that runs DHCP, DNS, some shared files, etc.
The fourth campus does not have their own Internet, which may change, and currently uses a PTP T1 back to the central location. They also don't have a server, and DHCP is set up as a superscope from our DHCP server at the central location, where we use DHCP/IP helper on the Cisco routers.

Although I would love to centralize everything, I don't think it will happen, and having the separate Internet gives us a redundant option also and keeps the MTM pricing down for the fiber connectivity between sites.
jbarton221 (Author) commented:
Could we just use the 5505 across the board? Would you not recommend that?
Yes you could - they would do the routing for you just as if you put a router there .. but to be honest, unless each end has a public facing connection, it's not worth the extra money.
jbarton221 (Author) commented:
But we could just use the 5505 to start at our main location, and I believe that has enough ports?

Then if we add any public facing connections we could add a 5505 on the other end?

Is that what you are referring to, and to your reference on it being worth the extra cash?

Yeah, exactly .. if you have each "node" hitting your main location as a private connection, you can have them all going through the 5505. Without knowing that much about your company, if you can spare the extra money, I would step up to the 5510 as it has more horsepower with room to grow. But it isn't necessary in your case.
jbarton221 (Author) commented:
I think one problem is they all connect back to one port at our main location and not separate ports. Wouldn't we have to have something at our branch locations to establish different VLANs?
Yes - if that's the case, you would have to have the port trunked so it can handle multiple VLANs.
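To tie together the two suggestions in the thread (ASA sub-interfaces for each site, and a trunked switch port where all sites land on one physical port at the main location), here is an added configuration example. It is not from the thread and was not written for the asker's network. It assumes an ASA 5510 (the 5505 uses switched `interface Vlan` ports rather than sub-interfaces), that the Metro E provider delivers each spoke site to the hub as an 802.1Q VLAN on one physical port, and made-up addressing: hub subnet A is 10.1.0.0/24, spokes B through E are VLANs 10, 20, 30, 40 with 10.1.10.0/24 through 10.1.40.0/24. Interface names, VLAN ids, and the DHCP server address 10.1.0.5 are placeholders. Because the question states that spokes only need to reach subnet A, the ACLs below allow exactly that and deny spoke-to-spoke traffic, which is the least-privilege shape of the design.

```cisco
! ===== Hub layer 2 switch (Catalyst IOS) =====
! The one port facing the ASA carries every spoke VLAN, so it must be
! an 802.1Q trunk restricted to the VLANs that are actually in use.
interface GigabitEthernet1/0/24
 description uplink to ASA Gi0/1 (spoke VLANs 10,20,30,40)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! ===== ASA 5510 =====
! Hub LAN (subnet A) on its own physical port.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Physical trunk port: no address of its own; one sub-interface per spoke.
interface GigabitEthernet0/1
 description trunk from hub switch
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif siteB
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif siteC
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif siteD
 security-level 50
 ip address 10.1.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif siteE
 security-level 50
 ip address 10.1.40.1 255.255.255.0
!
! Hub-and-spoke policy: each spoke may reach subnet A only. Return traffic
! is handled by the ASA's stateful inspection, and inside (level 100) can
! initiate to the spokes (level 50) without an explicit ACL. Do NOT add
! "same-security-traffic permit inter-interface"; leaving it off keeps the
! equal-level spoke sub-interfaces from talking to each other, and the
! explicit deny below makes that intent visible and logs attempts.
access-list siteB_in extended permit ip 10.1.10.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list siteB_in extended deny ip any any log
access-group siteB_in in interface siteB
!
access-list siteC_in extended permit ip 10.1.20.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list siteC_in extended deny ip any any log
access-group siteC_in in interface siteC
!
access-list siteD_in extended permit ip 10.1.30.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list siteD_in extended deny ip any any log
access-group siteD_in in interface siteD
!
access-list siteE_in extended permit ip 10.1.40.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list siteE_in extended deny ip any any log
access-group siteE_in in interface siteE
!
! The site without its own server gets DHCP from the hub: the ASA relays
! broadcasts from siteE to the (placeholder) hub DHCP server 10.1.0.5,
! replacing the ip helper that the Cisco 1700 currently provides.
dhcprelay server 10.1.0.5 inside
dhcprelay enable siteE
```

Two things to check once it is in place: `show interface` on the switch should show the trunk up with only the allowed VLANs, and `show access-list` on the ASA should show hit counts climbing only on the permit lines during normal use; hits on a spoke's deny line are either a site trying to reach another site directly or a host using the wrong default gateway, both worth investigating before widening the policy.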