Redesigning existing network - What is the best plan?



vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
22-Jul-2012, 08:43 AM #1
Over the last 5 years my company has expanded about 50% and we are now just about out of IP addresses. We have four buildings between two cities (one main and one branch in each), each city has a single subnet with a Cisco 1310 bridge between each building. The main building in each city is connected to each other using a single T1 with AdTran routers. Each city has Active Directory, file server (some DFS Shares), and its own internet access. We have IP phones on the network and are simply using DSCP for QoS and it's been working fine. We have voice rules setup on the AdTrans based on DSCP and the ports the phone systems in each location use for communication. We also have two VLANs, one for our "secure" network (which has servers, users, phones, everything) and the other an "unsecure" network for customers that connects to the DMZ port of our proxy server for internet access. It looks something like this currently (not showing the branch offices in each city as they have the same subnets as respective city):

Code:
          ISP 1                                     ISP 2
            |                                         |
            |                                         |  
            |             192.168.254.0/30            |
    Layer-2 Switch 1 -- 3205 ---------- 3205 -- Layer-2 Switch 2
    |              | .1                    .2   |              |
    |              |                            |              |
  VLAN 10        VLAN 20                      VLAN 10        VLAN 20
10.0.0.0/24   192.168.0.0/24                10.0.1.0/24   192.168.1.0/24
  
    City A Main Building                        City B Main Building
So the VLAN traffic DOESN'T currently route across the AdTrans (10.0.* routes across, 192.168.* stays on its respective sides) and the AdTrans don't forward the VLAN info. I have recently purchased two Cisco 1921s to replace my aging AdTrans and I also purchased new Dell Layer 3 switches as my core switches in each main office as I'm also almost out of ports. I am now to the point where I have to expand and also plan for another branch office. I believe I have two options:

1) Split each office into its own subnet using the Dell layer 3 switch as my router which will buy me some time (as I could just switch to a /23 or /22 for expansion in each office if needed). I would keep with the DSCP QoS tagging. One problem with this is I do want all users to be in the same broadcast domain because of some software we use "city wide" and also I know we will run out of IP addresses in the main locations and have to switch to a /23 which I'd like to avoid if possible.

2) Create 4 VLANs (users, servers/infrastructure, phones, and DMZ/unsecure) using one subnet for each in each city. The DMZ/unsecure like currently would not go across the T1 line (like now). I could do QoS per VLAN (and leave the DSCP QoS on also), would only need one DHCP scope (for users), each "city" would remain its own broadcast domain, and it would make it easier to segment in the future or say expand just the users scope. Problem with this is it will be harder to manage, tagging all the different ports on the switches and making sure the VLANs are set up to go over the wireless bridges and the Cisco routers.


Is one of these the "preferred" method? Is there a better way to do what I want?

-Allan
zx10guy
Trusted Advisor with 4,072 posts.
 
Join Date: Mar 2008
22-Jul-2012, 08:55 AM #2
Option 2.
vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
22-Jul-2012, 08:45 PM #3
Ok....if I do option 2 I'd setup routing between the VLANs on the Layer 3 switch as they would all need to talk to each other (other than the dmz vlan). I guess the issue then would be each branch office would have to travel across the wireless bridge to then route back to the same office for some things but I guess it's not a huge deal since the servers are all in the main offices anyway (as are the print servers that they'd have to talk to).

Any other comments? I'm wondering if this would also be the best forum for asking about setting up said routing rules as this is the most complex network I have setup.

-Allan
zx10guy
Trusted Advisor with 4,072 posts.
 
Join Date: Mar 2008
23-Jul-2012, 08:27 AM #4
Well, in my opinion, having a wireless bridge like this is not the best choice of connectivity for an environment like this.

While your configuration is certainly out of the ordinary for what is asked here on this forum, it's by far not the most complex and really not that difficult. The key to getting this all sorted is to have a diagram and to write out the routing table of the router if needed to ensure all route paths are as intended.
vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
23-Jul-2012, 11:00 AM #5
No real choice on the bridges. A wired solution across a major road was quoted at 18k to run fiber under ground. The wireless bridges were $2600 a pair when we originally put them in (Cisco 1310 - G band 54Mbps) and we just bought some Ubiquiti Nano Bridges for $200 a pair (N band 300Mbps mimo) for the next branch.

I have very good Visio based documentation for everything so keeping track won't be an issue, even made a "VLAN Layout" diagram with every port color coded but I wasn't sure if the complexity of the VLANs was the way to go. More I read online though the more I think it will be.
vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
04-Aug-2012, 03:32 PM #6
So the more I attempt to configure this the more confusing it's getting. I got the Cisco 1921 routers to "route" VLANs across the T1 (well I configured them to do so...haven't tested yet) and I built all my rules based on the old routers for voice QoS. But the Dell Switch configuration is confusing to say the least to the point where I'm about to give up and just subnet each office onto its own subnet for simplicity or go to a 255.255.254.0 subnet with all the users on 10.0.1.* and all infrastructure on 10.0.0.*.

zx10guy - Is there a good forum to ask those type of questions on or would this site be a good starting point? You seem to know your stuff which means you probably know where to ask. I'm a bit out of my league and I really hate to hire a consultant. I understand the setting up VLANs part and trunk ports to carry VLAN traffic across the bridges...that I've done before. I'm stuck on the allowing routing between them (allowing VLAN 10, 20, and 30 to talk but NOT 40) and how that will look. I've fully documented what I think everything should look like IP wise, VLAN wise, etc but putting it into action is causing me issues.

Last edited by vseven; 04-Aug-2012 at 03:41 PM..
zx10guy
Trusted Advisor with 4,072 posts.
 
Join Date: Mar 2008
06-Aug-2012, 08:49 AM #7
I don't understand why you're confused. Routing between VLANs is no big deal. If you're doing it at the 1921 router, you need to create sub-interfaces for each VLAN on a routing port of the 1921 as a VLAN trunking interface. To control routing between VLANs on the router, you need to apply ACLs or invoke CBAC.

Through your own admission, you're out of your league here. There's no shame in admitting you just don't know. Through my years of working in large enterprise environments, the ones that crash hard are the ones who won't admit they don't know and bring in qualified help.
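What zx10guy's "sub-interfaces on a routing port" plus ACL approach looks like on a 1921, as an added Cisco IOS example that is not the configuration of anyone in this thread. It assumes GigabitEthernet0/0 is the 802.1Q trunk to the core switch, that VLAN 10 is users on 10.0.10.0/24, VLAN 20 servers on 10.0.20.0/24, VLAN 30 phones on 10.0.30.0/24 and VLAN 40 the DMZ/unsecure customer network on 10.0.40.0/24 (the thread only confirms 10.0.30.0/24 for VLAN 30; the rest follows that pattern), and that the internal ranges to protect are 10.0.0.0/16, 10.1.0.0/16 and the 192.168.0.0/16 link and legacy space:

```cisco
! Added example, not the thread's configuration. Assumed: Gi0/0 is the trunk
! to the core switch; VLAN 10 users, 20 servers, 30 phones, 40 DMZ/unsecure.
interface GigabitEthernet0/0
 description Trunk to core switch
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description Users VLAN
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Servers/infrastructure VLAN
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description Phones VLAN
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
!
! Stateless ACL applied inbound on the DMZ sub-interface. Denying every packet
! from VLAN 40 toward the internal ranges also drops the return half of any
! session an internal host tries to open toward VLAN 40, so isolation holds in
! both directions without a second ACL on the internal sub-interfaces.
ip access-list extended DMZ-ISOLATE
 remark Customer VLAN may not reach anything internal (assumed internal ranges)
 deny   ip 10.0.40.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 deny   ip 10.0.40.0 0.0.0.255 10.1.0.0 0.0.255.255 log
 deny   ip 10.0.40.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/0.40
 description DMZ/unsecure customer VLAN
 encapsulation dot1Q 40
 ip address 10.0.40.1 255.255.255.0
 ip access-group DMZ-ISOLATE in
```

After applying it, `show ip access-lists DMZ-ISOLATE` shows per-line match counters; a test host on VLAN 40 trying to reach a server on VLAN 20 should increment the first deny line and nothing else. The `log` keyword turns those denies into syslog entries, which is the cheap way to spot a customer device probing the internal ranges. The same rule set belongs on the layer 3 switch's VLAN 40 interface instead if, as vseven ended up doing, the Dell switch does the inter-VLAN routing and the 1921 only holds a single sub-interface.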
vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
06-Aug-2012, 11:12 AM #8
I think if I have enough time I could figure it out. I already configured the 1921s...that wasn't hard since Cisco has a lot of documentation and examples on their site but the switches are just a pain going through each port to configure (we will have 480 ports total). I was planning on using my Dell Layer 3 switches for the VLAN routing (PowerConnect 6248s). But here is an issue I see happening....I was only going to put the Layer 3 switches in each "main" office. Because of that I have no "routing" in each branch office so anyone trying to print to a printer sitting right next to them is traveling over the wireless links then back (we have some apps that need to print directly to a printer). And I really don't want to put in routers or layer 3 switches in the branches.

I think what I will end up doing is going to a /23 subnet, keeping something like 10.1.1.* all statically configured or DHCP reservations then 10.1.2.* for users all on the default VLAN1. This will satisfy our expansion and ease of renumbering. Then I will maintain our VLAN for DMZ traffic that is physically plugged directly into the DMZ port of our proxy that will not interact with our internal network.

The other issue is something my boss told me years ago.....if I get hit by a bus will people be able to figure it out.

Thanks for your help,

-Allan
zx10guy
Trusted Advisor with 4,072 posts.
 
Join Date: Mar 2008
08-Aug-2012, 06:49 AM #9
Why don't you want to put layer 3 switches at the branch offices? Based on what I'm seeing here it's the proper way to do this. Expanding your network address space to avoid proper network segregation and routing is just plain sloppy and not best practice.

With regards to the PC6200 series of switches, you do realize you can use a range command at the CLI to apply configurations across multiple ports at the same time?

The comment your boss made is correct. But if you properly document this network, there will be no problems in having someone who really knows networking to figure out what is going on. Even if the network isn't properly documented, as long as the design is proper, a networking professional can easily figure out what the setup is. On the other hand, if you go ahead with what you're doing, I personally would have some choice words about the intelligence of the administrator implementing this design. Again, there's no shame to let your boss know you need consulting help which it is clear you do.
Lutia
Member with 39 posts.
 
Join Date: Aug 2012
Location: Germany
Experience: Advanced
08-Aug-2012, 07:22 AM #10
Quote:
Originally Posted by vseven View Post
but the switches are just a pain going through each port to configure (we will have 480 ports total).
sw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
sw(config)#interface range FastEthernet 0/1 - 48
sw(config-if-range)#
zx10guy
Trusted Advisor with 4,072 posts.
 
Join Date: Mar 2008
08-Aug-2012, 08:22 AM #11
Quote:
Originally Posted by Lutia View Post
sw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
sw(config)#interface range FastEthernet 0/1 - 48
sw(config-if-range)#
The commands you've provided are for Cisco IOS based switches. The switch in question is a Dell PowerConnect 6248. The actual commands are as follows:

configure
interface range ethernet g1-48 or interface range ethernet all
vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
08-Aug-2012, 09:55 AM #12
I can't justify layer 3 switches in branch offices with so few people in them (2 - 12 depending on the office).

That range command will definitely save me a lot of time but so much extra complexity for a company with 160 computers might be unnecessary. I will keep plugging away at trying to make the VLAN setup work though. This weekend is the switchover and I have both the VLAN setup and a /23 subnet setup fully documented. Here is what I see my "main office" and one of the "branch office" looking like. Note that the wireless bridges between offices in each city are set to transparent bridging so all traffic it sees just goes over them.

(apparently I can't copy and paste into a post. Image attached).

And this is what I have setup so far. It was easy on the 1921s (default is out our proxy and the only other rules is 10.1.* go over the T1) but I'm just getting stuck on the 6248's routing. I went into Routing -> IP -> Interface Config and set each VLAN up with an IP (as in the image) but then I'm not understanding how each subnet will know of each other I guess is my issue. Do I just add static routes that say 10.0.30.0 - 255.255.255.0 - 10.0.30.1 and repeat for 10 and 20 (I don't want 40 to route as it's DMZ...in fact I want to block 40 from the other three). Then add a default route of 10.1.0.0 - 255.255.0.0 - 10.0.30.9 (my router to the other city)?
[Attached image: cityavlansetup.jpg]
Lutia
Member with 39 posts.
 
Join Date: Aug 2012
Location: Germany
Experience: Advanced
08-Aug-2012, 11:14 AM #13
You can set static routes for everything, but be aware that every router needs to know a static route for every network you want to access - and this has to be done for both directions. If the network grows larger it can be a huge pain because you need to configure every layer 3 node in the network. That's why there's routing protocols like OSPF.
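Lutia's "both directions" point applied to this thread's topology, as an added Cisco IOS example that is not any poster's configuration. It uses the T1 /30 from the diagram in the first post (192.168.254.1 in City A, .2 in City B) and the 10.0.30.9 router address vseven gives in post #12; the hostnames RTR-A and RTR-B, the Serial0/0/0 interface name, the Dell switches' VLAN 30 addresses (10.0.30.1 and 10.1.30.1), the proxy next-hops and the mirrored 10.1.x.0/24 addressing for City B are assumptions:

```cisco
! Added example, not the thread's configuration. RTR-A is the City A 1921
! (10.0.30.9 on VLAN 30, T1 side 192.168.254.1); RTR-B is the City B 1921
! (T1 side 192.168.254.2). City A VLANs are 10.0.x.0/24, City B 10.1.x.0/24.
!
! ---------------- RTR-A (City A) ----------------
interface Serial0/0/0
 description T1 to City B
 ip address 192.168.254.1 255.255.255.252
!
! Forward direction: everything in City B goes over the T1
ip route 10.1.0.0 255.255.0.0 192.168.254.2
! RTR-A sits only on VLAN 30, so the other City A VLANs are reached through
! the Dell layer 3 switch (assumed VLAN 30 address 10.0.30.1)
ip route 10.0.0.0 255.255.0.0 10.0.30.1
! Default to the local proxy (assumed address on the servers VLAN)
ip route 0.0.0.0 0.0.0.0 10.0.20.254
!
! ---------------- RTR-B (City B) ----------------
interface Serial0/0/0
 description T1 to City A
 ip address 192.168.254.2 255.255.255.252
!
! Return direction: without this line a packet from 10.0.10.x reaches City B,
! but the reply follows RTR-B's default route to the proxy and never comes back
ip route 10.0.0.0 255.255.0.0 192.168.254.1
ip route 10.1.0.0 255.255.0.0 10.1.30.1
ip route 0.0.0.0 0.0.0.0 10.1.20.254
```

Each Dell switch then needs only a default route toward its own 1921 (10.0.30.9 in City A, 10.1.30.9 in City B); the VLAN subnets it holds interfaces on are connected routes it already knows, which is why vseven reports in post #14 that the default route and the route to the other city were the only static entries required. `show ip route` on each router should list both the forward and the return summary before anything is declared working; a one-way trace (ping works from one city, times out from the other) is the classic symptom of a missing return route. As Lutia notes, once a third city or branch router appears, every router needs a new pair of entries and a routing protocol such as OSPF starts to pay for itself.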
vseven
Member with 8 posts.
THREAD STARTER
 
Join Date: Jul 2012
Experience: Intermediate
10-Aug-2012, 02:46 PM #14
I bit the bullet and decided to go ahead with the VLANs. The Dell switch was easier than I thought...just one command enabled routing across the VLANs. In fact the trouble was writing a rule to DISABLE one VLAN from the others which I figured out. Once that was done I had to setup sub interfaces on the Cisco router and assign each to a VLAN. Once that was done I plugged the router to my trunk port on the Cisco and everything seems to be working correctly.

The only static routes I had to set were the default route and the route to the other city. The Dell switch did the rest. Oh and that interface range command helped out a lot.
zx10guy
Trusted Advisor with 4,072 posts.
 
Join Date: Mar 2008
10-Aug-2012, 03:07 PM #15
See, I told you it's not a big deal.

It's too bad the 6200 switches don't support the newer version 4 firmware. It's much nicer and makes the commands even closer to what most people are familiar with, which is Cisco IOS.