  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 184

Networking design for office and datacentre

Hi all.
I am looking for options, or the best/easiest way of connecting our office to our datacentre, which will be our new ISP. We have just had a dedicated 100 Mb line put in to connect the two locations.
The office is networked with a Netgear smart switch and a Cisco ASA firewall going straight out to the internet with our current provider (who we are getting rid of).
Our datacentre is and has a Cisco switch and a Cisco ASA firewall configured.

I need our office computers and the datacentre servers to be able to communicate with each other, and I also need the office computers to use the internet connection of the datacentre.
What would be the best configuration for this? I don't know if I need to route via the firewalls or trunk the switches together (or some other way I haven't thought of).
I know a few basic Cisco commands and I guess I'm probably going to have to learn some Netgear.
Any general points in the right direction would be very helpful - thank you.
1 Solution
ffleismaSenior Network EngineerCommented:
I'm not so familiar with Netgear models, but for now I'll assume that your Netgear switch is just an L2 device, meaning it does not handle routing. This would also mean that for your office subnet, the default gateway is set at the ASA firewall (correct me if I'm wrong with my assumptions).

Are both ASA firewalls the same model? If they are, maybe later on, once you have migrated your internet connectivity to the DC, you might want to consider setting them up as a redundant active-standby pair for added reliability in case one firewall fails. Though this only provides hardware redundancy if you only have one internet pipe going out of the DC anyway.

What model of Cisco switch do you have at your DC? I just want to confirm whether it can do L3 functions like inter-VLAN routing. If it cannot, then we'll have to rely on the ASA at the DC site to do the routing functions (routing is needed because of your need to segregate the office subnet and the DC server subnet).

For now, we can start off with this design, with the assumption that both switches (Netgear/Cisco) are just L2 devices.

 Office-DC Physical
So a few things to note here:
1. We connected the office and DC using Layer 2 only between sites. Ports on the Netgear and the Cisco switch are configured as normal access ports and not trunking ports.
2. The port connecting the Cisco switch with the DC firewall is configured as a trunk port on the switch (allowing VLANs X & Y), while the interface on the ASA firewall is configured using sub-interfaces (this saves us physical ports on the ASA).
3. Notice that the default gateway for (I'm assuming the value for now) is in the same subnet as the sub-interface at the DC ASA (, again assuming values for now). The reason for this is ease of migration. To have a seamless migration of internet traffic for the office users, though this might not necessarily be needed, users will just have to change their default gateway to the DC-ASA value. Also, while moving users to the DC ASA, we can leave the office ASA as it is for some time; in case something goes wrong at the DC ISP or DC ASA, we can easily move back to the office ASA by changing user default gateways. (This can be done via changes on the DHCP server or manually, I guess.)
4. Now for my last point for now: notice that the default gateways for the office subnet (VLAN X) and the DC subnet (VLAN Y) both terminate at the ASA firewall. This is done for two reasons. First, I have assumed that the Cisco switch cannot do inter-VLAN routing. Second, for security policies, we can handle allowing/denying traffic better at the firewall. For example, we can allow only specific ports (DHCP, DNS, HTTPS, etc.) between users and servers. This gives us better control and security between hosts and servers. The downside is that this adds administrative work for you guys to maintain the firewall (imagine adding a new server: we'll have to add a new firewall rule that allows host-server communication). Or, if we feel lazy, we just allow the following:
    a. allow all traffic from the host subnet to the server subnet
    b. allow all traffic from the server subnet to the host subnet
    c. allow all traffic (maybe not all, only HTTP and HTTPS) from the host and server subnets to the internet
    d. prevent/allow incoming connections from the internet to servers or hosts

Well for now those are the things I can comment on, feel free to provide more inquiries and clarifications so as we can discuss more and I could provide you further explanation and insights. Hope this helps.
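The design described above (L2 only between sites, a trunk from the DC switch to the ASA, ASA sub-interfaces as the gateways for both VLANs, and a port-specific policy between users and servers), written out as an added configuration example. This is not the expert's own configuration: the interface names, VLAN numbers 10 and 20 (standing in for VLAN X and Y), both subnets, the gateway addresses and the ASA 8.3+ object/ACL syntax are all assumed here.

```cisco
! ===== DC Cisco switch (IOS) - assumed port numbers and VLAN ids =====
vlan 10
 name OFFICE-USERS
vlan 20
 name DC-SERVERS
!
! Port toward the DC-ASA: 802.1Q trunk carrying only the two VLANs.
! "switchport trunk encapsulation dot1q" is only needed on switches that
! also support ISL; on dot1q-only models the command does not exist.
interface GigabitEthernet0/1
 description Trunk to DC-ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Port toward the office over the 100 Mbps P2P link: plain access port
! in the office VLAN (the Netgear side is an access port in the same VLAN).
interface GigabitEthernet0/2
 description P2P link to office Netgear
 switchport mode access
 switchport access vlan 10
!
! ===== DC ASA - physical port carries no IP, one sub-interface per VLAN =====
! Caveat: VLAN 1 is the untagged native VLAN on a Cisco trunk, so it cannot
! be matched by a tagged ASA sub-interface unless the native VLAN is changed.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Assumed office subnet 192.168.10.0/24, gateway .1 (becomes the users' default gateway)
interface GigabitEthernet0/1.10
 vlan 10
 nameif office
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Assumed server subnet 192.168.20.0/24, gateway .1
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 60
 ip address 192.168.20.1 255.255.255.0
!
! ===== Point 4: restrict users -> servers to specific ports, web to the internet =====
object network OFFICE-NET
 subnet 192.168.10.0 255.255.255.0
object network SERVER-NET
 subnet 192.168.20.0 255.255.255.0
!
access-list OFFICE-IN extended permit udp object OFFICE-NET object SERVER-NET eq 53
access-list OFFICE-IN extended permit tcp object OFFICE-NET object SERVER-NET eq 443
access-list OFFICE-IN extended permit tcp object OFFICE-NET any eq 80
access-list OFFICE-IN extended permit tcp object OFFICE-NET any eq 443
! Everything else from the user VLAN is dropped and logged, which is where
! a misbehaving workstation trying to reach a server on an unexpected port shows up.
access-list OFFICE-IN extended deny ip any any log
access-group OFFICE-IN in interface office
```

Applying an inbound access-list to the office interface replaces the ASA's default security-level behaviour for that interface, so the list above is the complete policy for traffic entering from users; the "lazy" variant in the answer would simply be `permit ip object OFFICE-NET object SERVER-NET` in place of the two per-port lines. A new server that needs a new port means a new `permit` line, which is the administrative cost the answer mentions.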
ffleismaSenior Network EngineerCommented:
Logical Diagram would look like this

Logical Diagram
jamiegfAuthor Commented:
Hi ffleisma.
Thank you for such a detailed response.
I think the Netgear is L2, yes. And yes, you are correct, the office gateway is the Cisco ASA 5510 firewall, routing out the traffic.
Unfortunately the DC firewall is a slightly different model (ASA 5520).

So, in your method, the trunk is used so that the firewall knows where traffic has come from, right? (i.e. VLAN X for the office or VLAN Y for the DC) - or is there a different reason?

I think my steps are to assign pretty much all ports on the office switch to VLAN X (hopefully this doesn't cause any effect at this point, i.e. loss of connection?).
Next, do the same thing on the DC side and assign ports to VLAN Y (no disruption is more important here as these are customer web servers etc.).
Then I think I need to either create another interface on the DC firewall or amend the existing working one which connects to the DC switch and convert this to a trunk (if that is the correct way of saying it).

And finally update the default gateway - that will be the nice easy bit for me :)

Could you just confirm I have a grasp on this, or have I got part of it wrong?
ffleismaSenior Network EngineerCommented:
The use of a sub-interface on the firewall is optional; the primary reason for using a sub-interface instead of a physical interface is that it saves physical interfaces. But either way, you can use two different physical interfaces on the ASA connected to the Cisco switch (on the Cisco switch, one would be assigned to VLAN X and the other to VLAN Y, not trunking like in the sub-interface example). Here is a diagram in case you wish to use physical interfaces instead of sub-interfaces.

Physical Diagram 2

If you already have a working setup at the DC and you can spare a physical port on the ASA, then I suggest using the above design instead, to avoid downtime due to reconfiguration of the port into a trunking port.

So that is the final network topology I guess, either go for using sub-interfaces or physical interfaces.

Now for the hard part, migration (I would like to confirm a few details first before I can suggest a seamless migration plan).

Currently, are your servers located at the DC already, or still to be migrated from the office site? Also, are the servers already using the subnet? On which device (Office-ASA/DC-ASA/Cisco switch) is the default gateway for the currently configured?
Migrating ISP usually means migrating public IP addresses, which would mean downtime on your end as you change public IP addresses from one provider to the other. Unless you own your public IP addresses, in which case you'll need to coordinate with both ISPs for announcement of the public IP address space.

I would be glad to comment better once I get a full understanding of your current set-up. Just let me know if you have further questions on using a sub-interface instead of physical interfaces. But aside from that, I guess we'll just have to work out a seamless migration plan.
jamiegfAuthor Commented:
There is nothing to migrate over. The servers are already at the DC and are up and live. Yes, they use the network. Their default gateway is the Cisco ASA firewall and the DC switch is configured for them to work. So if I could leave those as they are already configured, that would be best.
The ISP and our public (owned) IP addresses are already up and running from the DC. All I need to do is connect our office to that already working network. We are a small office of people only using the current line as a temporary solution for internet access, so we don't need to change any public DNS entries etc.
ffleismaSenior Network EngineerCommented:
Great! Then this would be a seamless migration, as the DC and server segment are already up and running and this would just be a matter of moving internet access for users to the DC ISP.

My suggestion would start off like this.
Step 1 - Current Setup
Office users have the Office-ASA as default gateway and internet access.
DC servers have the DC-ASA as default gateway and internet access.

Connect the office site and DC site using the Netgear switch and Cisco switch. The port configuration between the switches can be an access port or a trunk port.
Step 2 - Connecting sites using 100Mbps P2P as trunk port
The difference between using a trunk port or an access port between sites is that, on a trunk port, you can later on add segmentation at your office site. In case you foresee that you'll need a separate VLAN for the office site, maybe due to expansion or separation of voice traffic and data traffic, configuring it as a trunk port now would be ideal to avoid downtime later when you reconfigure the port into a trunk.
During this time, there is still no outage/downtime, as office users still use the current Office-ASA as their default gateway and servers still use the DC-ASA as default gateway for internet access.
Hopefully at the office site you are not using VLAN1 as your VLANX, or more importantly VLANX is not equal to VLANY. If your assignment is the same for VLANX and VLANY, then you'll most likely have to migrate the office VLAN to another VLAN to create the segmentation between the server VLAN and the user VLAN.
Create another physical connection between the DC-ASA and DC switch.
Step 3 - Create new physical connection between DC ASA and DC switch
Create a physical connection between the DC-ASA and DC switch. Using a different physical interface will let us keep the current working connection for the server segment without interruption due to reconfiguration or re-cabling.
At the DC switch we assign it to VLANX as an access port. If you have used the default VLAN 1 so that VLANX=VLANY, you'll have to use a different VLAN value here, one that is different from VLANY.
At this point, there is still no downtime. The office uses the office internet, servers use the DC internet.
On the DC-ASA we assign an IP address of 192.168.10.XX; this value is different from the Office-ASA.
We migrate user internet by changing their default gateway value from the Office-ASA IP to the DC-ASA IP. This can be seamless through DHCP: as their current IP leases expire, they get updated with the new default-gateway value. Or, if you want to do it manually, you can update each unused workstation.
Consider leaving the setup as it is for a few days before decommissioning the Office-ASA. In case there are issues, you can simply roll back the user default gateway.
Final setup
Step 4 - Final Setup
Here is what the final physical topology would eventually look like.
Both the user VLAN default gateway and the server VLAN default gateway are terminated at the firewall, but use different physical interfaces.
You'll probably have to put in place the proper ACL and NAT rules to have direct user-server communication.

Hopefully this gives you a helpful idea for your migration. The only issue, I guess, would be if your current VLAN assignments for the users and servers are using the same default VLAN 1, in which case you'll need to migrate the users to another VLAN.

Let me know if you have any more inquiries, I'd be glad to help out.
jamiegfAuthor Commented:
On our office switch, everything is on VLAN1 (so from the diagram, VLAN1 is VLANX).

In the DC, the switch has a VLAN2 for the network (so VLAN2 is VLANY).
VLAN1 is currently "no ip address, shutdown" on the DC switch.
Does this mean I can use VLAN1 on my new interface on the DC switch instead?
ffleismaSenior Network EngineerCommented:
"Interface VLAN1" is the SVI, which is a Layer 3 interface for VLAN1. Having interface VLAN1 with "no ip address, shutdown" just means that the switch is acting as a pure Layer 2 device (switching only, no routing).

Also, since is already using VLAN2, it would be fine to use VLAN1 for your user VLAN.

Since we are placing the default gateway for VLAN1 on the ASA instead of the switch (the Cisco switch then acts as a pure L2 device), you won't need to configure "interface vlan 1" with an IP address; just leave it as it is.

It would then just be a choice of using a trunk port or an access port connecting the two switches between sites. Either way will work.

So to summarize:
1. Connect both switches, either as an access port or a trunk port.
   - As an access port, you'll just have to assign it to VLAN1 on both the Netgear and the Cisco switch.
   - As a trunk port, you'll have to configure the port as trunking using dot1q as the trunking protocol. The advantage of this, as explained earlier, is that you would later on be able to segment/add more VLANs/subnets to your office site.
2. Connect the DC-ASA to the Cisco switch.
   - ASA port configured with IP address 192.168.10.xxxx/24.
   - Switch port configured as an access port assigned to VLAN1.
3. Migrate the user default gateway to the DC-ASA IP address.
   - Before migrating, you can make sure that the IP is reachable by ping from a user office PC.
   - Make sure firewall ACL and NAT rules are set on the DC-ASA; you can test first with a single PC with its default gateway set to the DC-ASA and check if it can reach the internet.

Hope this helps you out on your project. Let me know if you have any other inquiries, I'd be glad to help you out.
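The three summary steps above, as an added configuration example for the final design (physical ASA interface per VLAN, users on VLAN 1, servers on VLAN 2). This is not the expert's configuration: the switch port numbers, the ASA interface and address 192.168.10.1, the ASA 8.3+ NAT syntax, the Netgear side (which is assumed to mirror the Cisco port) and the test addresses are assumed here.

```cisco
! ===== DC Cisco switch (IOS) - assumed port numbers =====
! Step 1, option A: inter-site link as an 802.1Q trunk. Only VLAN 1 is
! allowed today; more office VLANs can be added to the allowed list later
! without re-configuring the port. VLAN 1 is the native (untagged) VLAN,
! so the Netgear port must treat its untagged frames as VLAN 1 (PVID 1).
interface GigabitEthernet0/2
 description 100 Mbps P2P link to office Netgear (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1
 switchport nonegotiate
!
! Step 1, option B: same link as a plain access port in VLAN 1 instead.
! interface GigabitEthernet0/2
!  switchport mode access
!  switchport access vlan 1
!
! Step 2: new access port toward the ASA's spare physical interface.
! The existing VLAN 2 port to the ASA is left untouched, so servers see no downtime.
! portfast is optional here; it only skips the listening/learning delay on a host-facing port.
interface GigabitEthernet0/3
 description New link to DC-ASA Gi0/2 (user VLAN 1)
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
! ===== DC ASA =====
! Step 2: the second physical interface becomes the users' default gateway.
interface GigabitEthernet0/2
 nameif office
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Step 3 (NAT): users leaving toward the internet share the outside address.
! The rule names the egress interface, so user-to-server traffic (office -> servers)
! is not translated; an inbound access-list on "office" still decides which
! server ports users may reach.
object network OFFICE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (office,outside) dynamic interface
!
! ===== Step 3 checks before changing any gateways =====
! On the switch: confirm the trunk/access state and that VLAN 1 carries both ports.
!   show interfaces trunk
!   show vlan brief
! On the ASA: confirm the interface is up, then simulate one user's HTTPS flow
! to a constructed public address (documentation range) and read the NAT/ACL verdict.
!   show interface ip brief
!   packet-tracer input office tcp 192.168.10.50 40000 203.0.113.10 443
! From one office PC (assumed address 192.168.10.50): ping 192.168.10.1, then set
! its default gateway to 192.168.10.1 and browse; roll back only that PC if it fails.
```

Keeping the Office-ASA in place while the first PC is tested means the rollback is a single gateway change, which is the reason the answer suggests testing one workstation before letting DHCP move everyone.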
jamiegfAuthor Commented:
Sorry, another question. In the diagram two up, there is mention of 'spanning-tree portfast enable'. Do I need to do this? I thought spanning-tree was for choosing routes for redundancy - but my knowledge is very limited here.
ffleismaSenior Network EngineerCommented:
Portfast is not necessary; "spanning-tree portfast" just enables the port to come up quicker than the default behaviour. But it is not necessary to put in place.
jamiegfAuthor Commented:
I can now ping out via the DC switch. I still have a few NAT issues, but I will create another question as my original question is well and truly answered. Thanks very much for your help, ffleisma.
jamiegfAuthor Commented:
This has massively helped me out. Thank you so much.
