Help with Metro-E setup

Hello!

We have a 10 Mbps Internet pipe coming into a secure data center.  From the data center we also have three PTP 10 Mbps Metro-E connections to three branch offices.  The 10 Meg Internet pipe has a Cisco ASA 5505 managing traffic.  We also have a Citrix farm at the data center.  Each branch office has a Cisco ASA 5505 located at their location which connects back to the ASA at the data center.  Each branch has its own subnet.  We would like to replace the Cisco ASAs at the branch offices with layer-3 switches.  It has become too big of a pain to route traffic through the ASAs.  We are looking at putting in Cisco Catalyst 3560-8PC switches at each branch office instead.  My question is, will this work?  Will we need to replace the ASA 5505 at the data center?  Then can we just hang layer 2 switches off the Cisco 3560s?  Our ultimate goal is to move an Exchange and other servers to the data center for all the offices to access.  I "drew" a picture below.  Thanks!

                        -------------
                        |  ASA 5505 |  Data Center
                        -------------  192.168.1.1
                       /      |      \
          192.168.1.2 /  192.168.1.3  \ 192.168.1.4
                     /        |        \
          ------------  ------------  ------------
          | ASA Off1 |  | ASA Off2 |  | ASA Off3 |
          ------------  ------------  ------------
       192.168.100.0/24 192.168.200.0/24 192.168.300.0/24
Asked by: swdaugheccs

2 Solutions

mat1458 commented:
>My question is, will this work?  
Yes
>Will we need to replace the ASA 5505 at the data center?  
No, unless you have a site2site VPN configured to reach the other sites. I assume you use plain ethernet.
>Then can we just hang layer 2 switches off the Cisco 3560s?
Yes

pergr commented:
In general, it will work to replace the remote ASA with switches.

The network 192.168.300.0/24 does not exist, so you will have to choose a slightly different addressing.

Now you have all the p2p links 192.168.1.x in the same subnet, so you need to make sure you connect it that way on the ASA. It might be better to have different subnets (and security zones) for each of those links, so that you can create policies for what can go from one remote office to another.

Are you married to Cisco, or would you also look at the Juniper EX2200-C?

mat1458 commented:
Did not see the 300... thanks for the correction.

swdaugheccs (Author) commented:
Lol.  Thanks for the correction about the 300.  I put that diagram together in a hurry and just used dummy addresses instead of looking at what the sites actually were.  :)  I am a Cisco guy but I'll look at the Junipers.  They are in the same price range.  I've never really used Junipers, just Cisco equipment.  Are the Junipers easier to implement?

We are just using plain ethernet.  No site to site VPNs.

We don't have a need now for the offices to talk to each other but I will keep that in mind. It may come up in the future so may as well plan for it now.

pergr commented:
The Juniper is very similar to the Cisco, but Junos is more structured, and more forgiving than IOS.


http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/junos-for-ios-engineers/

With no remote firewalls, it does certainly make sense to at least have the different remote sites in different security zones on the central firewall. For example, if you have a virus outbreak in one remote site, you can isolate it from the other sites.
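Putting pergr's two suggestions into configuration: one subnet and one security zone per Metro-E link on the data center ASA (the earlier comment), and isolating a single site from the central firewall during an outbreak (the comment above). This is an added example, not configuration from the thread; the /30 addressing, VLAN numbers, interface names, the two branches shown and the licence remark are assumptions for a 3560-8PC and an ASA 5505.

```cisco
! ---- Branch 1: Catalyst 3560-8PC replacing the branch ASA (assumed addressing) ----
ip routing
!
interface GigabitEthernet0/1
 description Metro-E p2p link to the data center ASA (own /30 per site)
 no switchport
 ip address 192.168.1.2 255.255.255.252
!
vlan 100
 name BRANCH1-LAN
!
interface Vlan100
 description Branch 1 LAN; layer 2 switches hang off the Fa0/1-8 access ports
 ip address 192.168.100.1 255.255.255.0
!
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 100
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ---- Data center ASA 5505: one VLAN interface (security zone) per Metro-E link ----
! Check the 5505 licence first: the Base licence caps the number of VLAN interfaces.
interface Vlan11
 nameif branch1
 security-level 50
 ip address 192.168.1.1 255.255.255.252
!
interface Vlan12
 nameif branch2
 security-level 50
 ip address 192.168.1.5 255.255.255.252
!
interface Ethernet0/1
 switchport access vlan 11
interface Ethernet0/2
 switchport access vlan 12
!
route branch1 192.168.100.0 255.255.255.0 192.168.1.2
route branch2 192.168.200.0 255.255.255.0 192.168.1.6
!
! Equal security levels: branch-to-branch traffic is dropped until it is explicitly
! allowed (same-security-traffic permit inter-interface plus a per-interface ACL),
! so the future inter-office policy is a deliberate decision, not a default.
!
! Isolating a site during an outbreak: deny everything inbound from that link.
access-list BRANCH1_ISOLATE extended deny ip any any
access-group BRANCH1_ISOLATE in interface branch1
```

The data center "inside" interface (security-level 100) reaches the branches by default, while the branch interfaces at level 50 can only reach what an ACL on them permits.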

swdaugheccs (Author) commented:
Ended up getting the Cisco 3560.  Works like a champ!  Thanks!