Help with Metro-E setup

Hello!

We have a 10 Mbps Internet pipe coming into a secure data center.  From the data center we also have three PTP 10 Mbps Metro-E connections to three branch offices.  The 10 Meg Internet pipe has a Cisco ASA 5505 managing traffic.  We also have a Citrix farm at the data center.  Each branch office has an Cisco ASA 5505 located at their location which connects back to the ASA at the data center.  Each branch has it's own subnet.  We would like to replace the Cisco ASA's at the branch offices with layer-3 switches.  It has become to big of a pain to route traffic through the ASA's.  We are looking at putting in Cisco Catalyst 3560-8PC switches at each branch office instead.  My question is, will this work?  Will we need to replace the ASA 5505 at the data center?  Then can we just hang layer 2 switches off the Cisco 3560s?  Our ultimate goal is to move an Exchange and other servers to the data center for all the offices to access.  I "drew" a picture below.  Thanks!

                                                          ---------------------
                                                          |  ASA 5505     |  Data Center
                                                           --------------------    192.168.1.1
                                                           /          |           \
                                                         /            |              \
                                                      /               |                 \
                                                  /                   |                     \
                                              /                       |                        \
                 192.168.1.2     /                  192.168.1.3                 \ 192.168.1.4
                                  ------------------      ------------------         --------------------
                                 |ASA Off1     |    |ASA Off2     |      | ASA Off3       |
                                  ------------------       ------------------        --------------------
                        192.168.100.0/24     192.168.200.0/24   192.168.300.0/24
swdaugheccsAsked:
Who is Participating?
 
mat1458Connect With a Mentor Commented:
>My question is, will this work?  
Yes
>Will we need to replace the ASA 5505 at the data center?  
No, unless you have a site2site VPN configured to reach the other sites. I assume you use plain ethernet.
>Then can we just hang layer 2 switches off the Cisco 3560s?
Yes
0
 
pergrConnect With a Mentor Commented:
In general, it will work to replace the remote ASA with switches.

The network 192.168.300.0/24 does not exist..., so you will have to choose a slightly different addressing.

Now you have all the p2p links 192.168.1.x in the same subnet, so you need to make sure you connect it that way on the ASA. It might be better to have different subnets (and security zones) for each of those links, so that you can create policies for what can go from one remote office to another.

Are you married to Cisco, or would you look also at the Juniper EX2200-C ?
0
 
mat1458Commented:
Did not see the 300... thanks for the correction.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
swdaugheccsAuthor Commented:
Lol.  Thanks for the correction about the 300.  I put that diagram together in a hurry and just used dummy addresses instead of looking at what the sites actually were.  :)  I am a Cisco guy but I'll look at the Junipers.  They are in the same price range.  I've never really used Junipers, just Cisco equipment.  Are the Junipers easier to implement?

We are just using planing ethernet.  No site to site VPNs.

We don't have a need now for the offices to talk to each other but I will keep that in mind. It may come up in the future so may as well plan for it now.
0
 
pergrCommented:
The Juniper is very similar to the Cisco, but Junos is more structured, and more forgiving than IOS.


http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/junos-for-ios-engineers/

With no remote firewalls, it does certainly make sense to at least have the different remote sites in different security zones on the central firewall. For example, if you have a virus outbreak in one remote site, you can isolate it from the other sites.
0
 
swdaugheccsAuthor Commented:
Ended up getting the Cisco 3560.  Works like a champ!  Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.