Solved

Networking design for office and datacentre

Posted on 2015-02-16
Last Modified: 2015-02-19
Hi all.
I am looking for options, or the best/easiest way, for connecting our office to our datacentre, which will be our new ISP. We have just had a dedicated 100Mb line put in to connect the two locations.
The office is a 192.168.10.0/24 network with a Netgear smart switch and a Cisco ASA firewall going straight out to the internet with our current provider (who we are getting rid of).
Our datacentre is 172.25.2.0/24 and has a Cisco switch and a Cisco ASA firewall configured.

I need our office computers and the datacentre servers to be able to communicate with each other, and I also need the office computers to use the internet connection of the datacentre.
What would be the best configuration for this? I don't know if I need to route via the firewalls or trunk the switches together (or some other way I haven't thought of).
I know a few basic Cisco commands and I guess I'm probably going to have to learn some Netgear.
Any general points in the right direction would be very helpful - thank you.
Question by:jamiegf
LVL 9

Expert Comment

by:ffleisma
ID: 40612525
I'm not so familiar with Netgear models, but for now I'll assume that your Netgear switch is just an L2 device, meaning it does not handle routing. This would also mean that for your office subnet 192.168.10.0/24, the default gateway is set at the ASA firewall (correct me if I'm wrong with my assumptions).

Are both ASA firewalls the same model? If they are, maybe later on, once you have migrated your internet connectivity to the DC, you might want to consider setting them up as a redundant active-standby pair for added reliability in case one firewall fails. Though this only provides hardware redundancy if you only have one internet pipe going out of the DC anyway.

What model of Cisco switch do you have at your DC? I just want to confirm if it can do L3 functions like inter-VLAN routing. If it cannot, then we'll have to rely on the ASA at the DC site to do routing functions (routing is needed due to your need to segregate the office subnet 192.168.10.0/24 and the DC server subnet 172.25.2.0/24).

For now, we can start off with this design, with the assumption that both switches (Netgear/Cisco) are just L2 devices.

Office-DC Physical
So a few things to note here:
1. We connected the office and DC using Layer 2 only between sites. Ports on the Netgear and the Cisco switch are configured as normal access ports and not trunking ports.
2. The port connecting the Cisco switch with the DC firewall is configured as a trunk port on the switch (allows VLANs X & Y), while the interface on the ASA firewall is configured using sub-interfaces (this saves us physical ports on the ASA).
3. Notice that the default gateway 192.168.10.1 (I'm assuming the value for now) is in the same subnet as the sub-interface at the DC ASA (192.168.10.2, again assuming values for now). The reason for this is ease of migration. To have a seamless migration of internet traffic for the office users (though this might not necessarily be needed), 192.168.10.0/24 users will just have to change their default gateway to the DC-ASA value. Also, while moving users to the DC ASA, we can leave the Office ASA as it is for some time; in case something goes wrong at the DC ISP or DC ASA, we can easily move back to the Office ASA by changing user default gateways. (This can be done via changes on the DHCP or manually, I guess.)
4. Now for my last point for now: notice that the default gateway for the office subnet (VLAN X) and the DC subnet (VLAN Y) both terminate at the ASA firewall. This is done due to two considerations. First, I have assumed that the Cisco switch cannot do inter-VLAN routing. Second, for security policies, we can handle allowing/denying traffic better at the firewall. For example we can allow only specific ports (DHCP, DNS, HTTPS, etc.) between users and servers. This gives us better control and security between hosts and servers. Downside: this adds administrative work for you guys to maintain the firewall (imagine adding a new server; we'll have to add a new firewall rule that allows host-server communication). Or if we feel lazy, we just allow the following:
    a. allow all traffic from host to server subnet
    b. allow all traffic from server to host subnet
    c. allow all traffic (maybe not all, only http, https) from host and server subnets to the internet.
    d. prevent/allow incoming connections from the internet to servers or hosts.

Well, for now those are the things I can comment on. Feel free to provide more inquiries and clarifications so that we can discuss more and I can provide you further explanation and insights. Hope this helps.
LVL 9

Expert Comment

by:ffleisma
ID: 40612544
Logical Diagram would look like this

Logical Diagram

Author Comment

by:jamiegf
ID: 40613083
Hi ffleisma.
Thank you for such a detailed response.
I think the Netgear is L2, yes. And yes, you are correct, the office gateway is the Cisco ASA 5510 firewall, routing out the traffic.
Unfortunately the DC firewall is a slightly different model (ASA 5520).

So, in your method, the trunk is used so that the firewall knows where traffic has come from right? (ie vlan x for the office or vlan y to the dc) - or is there a different reason?

I think my steps are to assign pretty much all ports on the office switch to VLAN X (hopefully this doesn't cause any effect at this point, i.e. loss of connection?).
Next, do the same thing on the DC side and assign ports to VLAN Y (no disruption is more important here as these are customer web servers etc.).
Then I think I need to either create another interface on the DC firewall or amend the existing working one which connects to the DC switch and convert this to a trunk (if that is the correct way of saying it).

And finally update the default gateway - that will be the nice easy bit for me :)

Could you just confirm I have a grasp on this, or have I got part of it wrong?
LVL 9

Expert Comment

by:ffleisma
ID: 40613179
The use of a sub-interface on the firewall is optional; the primary reason for using a sub-interface instead of a physical interface is that it saves on physical interfaces. But either way, you can use two different physical interfaces on the ASA connected to the Cisco switch (on the Cisco switch, one would be assigned to VLAN X and the other to VLAN Y, and not trunking like in the sub-interface example). Here is a diagram in case you wish to use physical interfaces instead of sub-interfaces.
Physical Diagram 2
If you already have a working setup at the DC and you can spare a physical port on the ASA, then I suggest using the above design instead, to avoid downtime due to reconfiguration of the port into a trunking port.

So that is the final network topology I guess, either go for using sub-interfaces or physical interfaces.


Now for the hard part, migration (I would like to confirm a few details first before I could suggest a seamless migration plan).

Currently, are your servers located at the DC already, or still to be migrated from the office site? Also, are the servers already using the 172.25.2.0/24 subnet? On which device (Office-ASA/DC-ASA/Cisco switch) is the default gateway for 172.25.2.0/24 currently configured?
Migrating ISP usually means migrating public IP addresses, which would mean downtime on your end as you change public IP addresses from one provider to the other. Unless you own your public IP addresses, in which case you'll need to coordinate with both ISPs for announcement of the public IP address space.

I would be glad to comment better once I get a full understanding of your current set-up. Just let me know if you have further questions on using a sub-interface instead of physical interfaces. But aside from that I guess we'll just have to plan a seamless migration plan.

Author Comment

by:jamiegf
ID: 40613856
There is nothing to migrate over. The servers are already at the DC and are up and live. Yes, they use the 172.25.2.0/24 network. Their default gateway is the Cisco ASA firewall and the DC switch is configured for them to work. So if I could leave those as they are already configured, that would be best.
The ISP and our public (owned) IP addresses are already up and running from the DC. All I need to do is connect our office to that already working network. We are a small office of people only using the current line as a temporary solution for internet access, so we don't need to change any public DNS entries etc.
LVL 9

Expert Comment

by:ffleisma
ID: 40613893
Great! Then this would be a seamless migration, as the DC and server segment is already up and running and it would just be a matter of moving internet access for users to the DC-ISP.

My suggestion would start off like this.

Step 1 - Current Setup
Office users have the Office-ASA as default gateway and internet access.
DC servers have the DC-ASA as default gateway and internet access.

Connect the office site and DC site using the Netgear switch and Cisco switch. Port configuration between the switches can be access port or trunk port.
Step 2 - Connecting sites using 100Mbps P2P as trunk port
The difference between using a trunk port or an access port between sites is that with a trunk port you can later on add segmentation at your office site. In case you foresee that you'll need a separate VLAN for the office site, maybe due to expansion or separation of voice traffic and data traffic, configuring it as a trunk port now would be ideal, to avoid downtime later on when you reconfigure the port into a trunk.
During this time there is still no outage/downtime, as office users still use the current Office-ASA as their default gateway and servers still use the DC-ASA as default gateway for internet access.
Hopefully on the office site you are not using VLAN1 as your VLANX or, more importantly, VLANX is not equal to VLANY. If your assignment is the same for VLANX and VLANY, then you'll most likely have to migrate the office VLAN to another VLAN to create the segmentation between server VLAN and user VLAN.

Create another physical connection between DC-ASA and DC switch.
Step 3 - Create new physical connection between DC ASA and DC switch
Create a physical connection between the DC-ASA and DC-switch. Using a different physical interface lets us keep the current working connection for the server segment without interruption due to reconfiguration or re-cabling.
At the DC-switch we assign it to VLANX as an access port. If you have used default VLAN 1 for VLANX=VLANY, you'll have to use a different VLAN value here which is different from VLANY.
At this point there is still no downtime. Office uses office internet, servers use DC internet.
On the DC-ASA we assign an IP address of 192.168.10.XX; this value is different from the Office-ASA.
We migrate user internet by changing their default gateway value from the Office-ASA IP to the DC-ASA IP. This can be seamless through DHCP: as their current IP lease expires, they get updated with the new default-gateway value. Or if you want to do it manually, you can update each unused workstation.
Consider leaving the setup as it is for a few days before decommissioning the Office-ASA. In case there are issues, you can simply roll back the user default gateway.

Final setup
Step 4 - Final Setup
Here is what the final physical topology would eventually look like.
Both the user VLAN default gateway and the server VLAN default gateway are terminated at the firewall, but use different physical interfaces.
You'll probably have to put in place the proper ACL and NAT rules to have direct user-server communication.

Hopefully this gives you a helpful idea for your migration. The only issue, I guess, would be when your current VLAN assignment for the users and servers is using the same default VLAN 1, in which case you'll need to migrate the users to another VLAN.

Let me know if you have any more inquiries, be glad to help out.
Author Comment

by:jamiegf
ID: 40614468
On our office switch, everything is on VLAN1 (so from the diagram, VLAN1 is VLANX).

In the DC, the switch has a VLAN2 for the 172.25.2.0/24 network (so VLAN2 is VLANY).
VLAN1 is currently "no ip address, shutdown" on the DC switch.
Does this mean I can use VLAN1 on my new interface on the DC switch instead?
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
ID: 40614667
"Interface VLAN1" is the SVI interface, which is a Layer 3 interface for VLAN1. Having interface VLAN1 with "no ip address, shutdown" just means that the switch is acting as a pure Layer 2 device (switching only, no routing).

Also, since 172.25.2.0/24 is already using VLAN2, it would be fine to use VLAN1 for your user VLAN.

Since we are placing the default gateway for VLAN1 on the ASA instead of the switch (the Cisco switch then acts as a pure L2 device), you won't need to configure "interface vlan 1" with an IP address; just leave it as it is.

It would then just be a choice of using a trunk port or an access port connecting the two switches between sites. Either way will work.

So to summarize:
1. Connect both switches either as an access port or a trunk port.
   - As an access port, you'll just have to assign it to VLAN1 on both the Netgear and the Cisco switch.
   - As a trunk port, you'll have to configure the port as trunking using dot1q as the trunking protocol. The advantage of this, as explained earlier, is that you would later on be able to segment/add more VLANs/subnets to your office site.
2. Connect the DC-ASA to the Cisco switch.
   - ASA port configured with IP address 192.168.10.xxxx/24
   - Switch port configured as an access port assigned to VLAN1
3. Migrate the user default gateway to the DC-ASA IP address.
   - Before migrating, you can make sure that the IP is reachable by ping from a user office PC.
   - Make sure firewall ACL and NAT rules are set on the DC-ASA; you can test first with a single PC with its default gateway set as the DC-ASA and check if it can reach the internet.

Hope this helps you out on your project. Let me know if you have any other inquiries, be glad to help you out.
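A configuration sketch of the final design from the accepted solution above (dot1q trunk between the sites, a dedicated physical ASA interface for the user VLAN, identity NAT between users and servers, PAT to the internet, and a user-side ACL that applies the "specific ports only" policy from the first answer). This is an added example, not configuration from the thread or from either site; it assumes Cisco IOS on the DC switch, ASA 9.x NAT syntax, interface names GigabitEthernet0/1 and 0/2 on both devices, an existing ASA interface named `servers` for 172.25.2.0/24, and 192.168.10.254 as a placeholder DC-ASA user-side address.

```cisco
! --- DC Cisco switch (IOS; interface names assumed) ---
! VLAN 1 = users (VLANX), VLAN 2 = servers (VLANY), as agreed in the thread.
! Site link: 802.1Q trunk carrying only the user VLAN; the server VLAN stays in the DC.
interface GigabitEthernet0/1
 description 100Mbps P2P to office Netgear
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1
!
! New access port towards the DC-ASA user-side interface (portfast is optional).
interface GigabitEthernet0/2
 description DC-ASA users interface
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
! --- DC-ASA (ASA 9.x syntax assumed; 'servers' is the existing 172.25.2.0/24 interface) ---
! Placeholder address; it must differ from the Office-ASA address (192.168.10.1 in the thread).
interface GigabitEthernet0/2
 nameif users
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 no shutdown
!
! users and servers are both security-level 100, so inter-interface traffic must be permitted.
same-security-traffic permit inter-interface
!
object network USERS-NET
 subnet 192.168.10.0 255.255.255.0
object network SERVERS-NET
 subnet 172.25.2.0 255.255.255.0
!
! NAT: user<->server traffic is identity-NATed (internal addresses preserved);
! user traffic to the internet is PATed to the outside interface address.
nat (users,servers) source static USERS-NET USERS-NET destination static SERVERS-NET SERVERS-NET
nat (users,outside) source dynamic USERS-NET interface
!
! ACL on the user interface: only DNS and HTTPS reach the server subnet, only web and DNS
! reach the internet. Order matters: the deny for the server subnet precedes the 'any' permits.
access-list USERS-IN extended permit udp object USERS-NET object SERVERS-NET eq domain
access-list USERS-IN extended permit tcp object USERS-NET object SERVERS-NET eq https
access-list USERS-IN extended deny ip object USERS-NET object SERVERS-NET
access-list USERS-IN extended permit tcp object USERS-NET any eq www
access-list USERS-IN extended permit tcp object USERS-NET any eq https
access-list USERS-IN extended permit udp object USERS-NET any eq domain
access-group USERS-IN in interface users
```

The "allow all traffic from host to server subnet" alternative from the first answer would replace the first three `USERS-IN` lines with a single `permit ip object USERS-NET object SERVERS-NET`. Return traffic from servers to users is handled by the ASA's stateful inspection, so no separate inbound rule on the `servers` interface is needed for user-initiated sessions.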
Author Comment

by:jamiegf
ID: 40615326
Sorry, another question. In the diagram two up, there is mention of 'spanning-tree portfast enable'. Do I need to do this? I thought spanning-tree was for choosing routes for redundancy - but my knowledge is very limited here.
LVL 9

Expert Comment

by:ffleisma
ID: 40615335
Portfast is not necessary; "spanning-tree portfast" just enables the port to come up quicker than the default behaviour. But it is not necessary to put in place.
Author Comment

by:jamiegf
ID: 40618428
I can now ping out via the DC switch. I still have a few NAT issues, but I will create another question as my original question is well and truly answered. Thanks very much for your help ffleisma.
Author Closing Comment

by:jamiegf
ID: 40618429
This has massively helped me out. Thank you so much.