Help with Metro-E setup

Posted on 2012-09-19
Last Modified: 2012-09-27

We have a 10 Mbps Internet pipe coming into a secure data center.  From the data center we also have three PTP 10 Mbps Metro-E connections to three branch offices.  The 10 Meg Internet pipe has a Cisco ASA 5505 managing traffic.  We also have a Citrix farm at the data center.  Each branch office has a Cisco ASA 5505 located at their location which connects back to the ASA at the data center.  Each branch has its own subnet.  We would like to replace the Cisco ASAs at the branch offices with layer-3 switches.  It has become too big of a pain to route traffic through the ASAs.  We are looking at putting in Cisco Catalyst 3560-8PC switches at each branch office instead.  My question is, will this work?  Will we need to replace the ASA 5505 at the data center?  Then can we just hang layer 2 switches off the Cisco 3560s?  Our ultimate goal is to move an Exchange and other servers to the data center for all the offices to access.  I "drew" a picture below.  Thanks!

                        +---------------+
                        |   ASA 5505    |  Data Center
                        +---------------+
                         /      |      \
                        /       |       \
                       /        |        \
              +----------+ +----------+ +----------+
              | ASA Off1 | | ASA Off2 | | ASA Off3 |
              +----------+ +----------+ +----------+
Question by: swdaugheccs
    LVL 10

    Accepted Solution

    >My question is, will this work?  
    >Will we need to replace the ASA 5505 at the data center?  
    No, unless you have a site-to-site VPN configured to reach the other sites. I assume you use plain Ethernet.
    >Then can we just hang layer 2 switches off the Cisco 3560s?
    LVL 17

    Assisted Solution

    In general, it will work to replace the remote ASA with switches.

    The network 192.168.300.0/24 does not exist, so you will have to choose a slightly different addressing.

    Now you have all the p2p links 192.168.1.x in the same subnet, so you need to make sure you connect it that way on the ASA. It might be better to have different subnets (and security zones) for each of those links, so that you can create policies for what can go from one remote office to another.

    Are you married to Cisco, or would you look also at the Juniper EX2200-C ?
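    What the replacement described in this answer looks like on one branch switch, as an added example that is not part of the thread: a Catalyst 3560-8PC with routing enabled, a routed port facing the Metro-E handoff, an SVI as the branch default gateway, a trunk to a layer-2 access switch hung off it, and a default route toward the data center ASA. The hostname, VLAN number and all addresses (branch LAN 192.168.10.0/24, p2p link 192.168.1.0/30 with the ASA at .1) are assumptions; the interface names follow the 3560-8PC layout of eight FastEthernet PoE ports and one GigabitEthernet uplink.

```cisco
! Added example (branch office 1). Addresses, VLAN and hostname are assumptions,
! not values from the thread.
hostname off1-3560
!
! A 3560 is a layer-2 switch until this is turned on
ip routing
!
vlan 100
 name BRANCH1_USERS
!
! Routed port on the Metro-E handoff; the peer is the data center ASA (192.168.1.1)
interface GigabitEthernet0/1
 description Metro-E to data center ASA
 no switchport
 ip address 192.168.1.2 255.255.255.252
 no cdp enable
!
! SVI: default gateway for the branch LAN
interface Vlan100
 description Branch 1 user LAN
 ip address 192.168.10.1 255.255.255.0
!
! Trunk to the layer-2 access switch hung off the 3560 (3560 needs the
! encapsulation set before "switchport mode trunk" is accepted)
interface FastEthernet0/1
 description Trunk to access switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
! Remaining ports: plain access ports in the user VLAN
interface range FastEthernet0/2 - 8
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Everything not local, including Internet traffic, goes to the data center ASA
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

    The point of the `no cdp enable` and the single default route is that the 3560 has no stateful inspection: whatever the branch is protected by now lives on the data center ASA, so the per-branch interface and ACL on that ASA (see the following comments) become the only policy enforcement point for the site. Since all traffic already backhauls over the Metro-E link, nothing about the branch's Internet path changes.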
    LVL 10

    Expert Comment

    Did not see the 300... thanks for the correction.

    Author Comment

    Lol.  Thanks for the correction about the 300.  I put that diagram together in a hurry and just used dummy addresses instead of looking at what the sites actually were.  :)  I am a Cisco guy but I'll look at the Junipers.  They are in the same price range.  I've never really used Junipers, just Cisco equipment.  Are the Junipers easier to implement?

    We are just using plain Ethernet.  No site-to-site VPNs.

    We don't have a need now for the offices to talk to each other but I will keep that in mind. It may come up in the future so may as well plan for it now.
    LVL 17

    Expert Comment

    The Juniper is very similar to the Cisco, but Junos is more structured, and more forgiving than IOS.

    With no remote firewalls, it does certainly make sense to at least have the different remote sites in different security zones on the central firewall. For example, if you have a virus outbreak in one remote site, you can isolate it from the other sites.
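    The separate-subnet, separate-zone layout recommended in this and the earlier comment, as an added example that is not part of the thread: on the data center ASA 5505 each Metro-E circuit gets its own switchport, VLAN interface and /30, and each branch gets its own inbound ACL that allows the data center and the Internet but nothing branch-to-branch. The VLAN numbers, interface names, branch LANs (192.168.10/20/30.0/24) and the data center server network (10.0.0.0/24, reached via the existing `inside` interface) are assumptions.

```cisco
! Added example: one ASA 5505 security zone per Metro-E handoff.
! All numbers are assumptions, not values from the thread.
interface Vlan10
 nameif branch1
 security-level 50
 ip address 192.168.1.1 255.255.255.252
!
interface Vlan11
 nameif branch2
 security-level 50
 ip address 192.168.1.5 255.255.255.252
!
interface Vlan12
 nameif branch3
 security-level 50
 ip address 192.168.1.9 255.255.255.252
!
! One 5505 switchport per Metro-E circuit
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 11
interface Ethernet0/3
 switchport access vlan 12
!
! Static routes to each branch LAN via that branch's 3560
route branch1 192.168.10.0 255.255.255.0 192.168.1.2
route branch2 192.168.20.0 255.255.255.0 192.168.1.6
route branch3 192.168.30.0 255.255.255.0 192.168.1.10
!
object-group network BRANCH_LANS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
object-group network DC_SERVERS
 network-object 10.0.0.0 255.255.255.0
!
! Per-branch inbound policy. The explicit deny comes first so the intent survives
! a later broader permit; the rest allows data center servers and web traffic out.
access-list BRANCH1_IN remark branch1: data center and Internet only, no other branches
access-list BRANCH1_IN extended deny ip 192.168.10.0 255.255.255.0 object-group BRANCH_LANS
access-list BRANCH1_IN extended permit ip 192.168.10.0 255.255.255.0 object-group DC_SERVERS
access-list BRANCH1_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list BRANCH1_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-group BRANCH1_IN in interface branch1
! BRANCH2_IN and BRANCH3_IN follow the same pattern with their own source network.
```

    Three things to check before pasting this in. First, the 5505 base license caps the number of VLAN interfaces (`show version` reports the maximum); three branch zones plus `inside` and `outside` need the Security Plus license. Second, with all branch interfaces at the same security level and `same-security-traffic permit inter-interface` left off, the ASA drops branch-to-branch traffic regardless of the ACLs; the explicit deny lines simply document that intent and keep enforcing it if that command is turned on later when the offices do need to talk. Third, branch subnets also need NAT toward the Internet, omitted here because the syntax differs between ASA 8.2 and 8.3+. The isolation this comment describes then becomes a one-liner: `shutdown` on the affected branch's VLAN interface, or a tighter version of its `_IN` ACL, without touching the other sites.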

    Author Closing Comment

    Ended up getting the Cisco 3560.  Works like a champ!  Thanks!
