Thursday, April 19, 2018

network design help 1

Hi all,

I'm hoping for some help. Full disclosure: this is for an assignment, so please steer me in the right direction if I'm way off. I appreciate any help I can get, and try not to laugh at some of my questions :)

Task: Redesign a corporate network, key points:

  • All wired, no wireless permitted
  • VPN access is required for remote users
  • Currently uses a public site-to-site VPN but would like a private WAN between offices
  • HQ needs a DMZ to provide a www server for public
  • Currently has performance issues with the WAN; it's a slow 1 Mb link at the moment
  • WAN needs to be capable of voice and video to be added at a later date
  • Concerned about security
  • Unlimited budget
  • There is a domain controller at each site
  • Approx 60 users at Corporate
  • Approx 30 users per branch
  • Approx 15 remote access VPN users

Here is a picture of what I've designed (rough draft): https://imgur.com/a/zKEzTpu

Notes:

  • Use VLANs: office, infrastructure, management
  • Use EIGRP for the routers
  • Use stacked switches: one stack for servers and network, another for access
  • Connect the stacks via EtherChannel

Suggested hardware:

  • Cisco ASA 5555-X firewalls. Why: clustering, VPN, FirePOWER

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

  • Cisco 4431 ISR routers. Why: redundant PSUs, more ports, ZBFW and FirePOWER

https://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

  • Cisco 9300 48-port stacks. Why: stackable, lots of ports, 48P with PoE+, optional secondary PSU

https://www.cisco.com/c/en/us/products/switches/catalyst-9300-series-switches/index.html

Security notes:

  • EIGRP with MD5 passwords
  • Enable the firewall on the ISRs?
  • Use FirePOWER?
  • Disable VTP
  • Shut down unused ports
  • Enable port security with sticky MAC
  • Multi-factor auth for VPN users
  • Enable banners and domain authentication for all Cisco devices
  • Enable syslog
  • Enable SNMP with a password
  • Back up configs somewhere?

Questions:

  1. Private WAN: I had originally thought I would get the provider to connect the sites by providing an Ethernet cable and some IPs for the company. The routers would exchange routes via BGP and it would be some sort of 10 Mb link or thereabouts. But everywhere I keep seeing MPLS; from what I've read it labels packets and sends them via the path on the ISP's network? I'm a little lost as to what I need to do as the customer, at a high level, to make this work from my CE.

  2. Firewalls: I have been going around in circles. The Cisco ISRs have firewalls built in, but I can't quite work out if it's a normal firewall or somehow limited. I would think it's better to have a separate firewall vs an integrated one, or possibly use both? Firewall placement has got me a little confused here; I would have thought the very outer edge to the ISP makes sense, but most designs put it just inside the customer router.

  3. Security design: I'd like to go off some sort of best practice; as per my picture I'm heading towards the zoning design. Is this still current, or is there a new and improved design practice?

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

  4. Internet connection: would the ISP usually provide access to the internet via the one connection? Is it better to have one connection for the private WAN link and one for public internet? I'd like to push the traffic through some sort of filter first; I read that the firewalls I've selected can do filtering. Is that what others would normally do? As for branches accessing the internet, it would go via the WAN and back out the corporate internet connection.

  5. I've gone with a hierarchical design approach with collapsed core and distribution. Considering there are no budget constraints, is it generally better to separate them out? Is this still the best approach, or is there another way?

http://study-ccna.com/cisco-three-layer-hierarchical-model/

  6. QoS: I'm still trying to get my head around QoS, but I'm thinking I should use it for at least the servers at this point and give them priority. When I think of QoS I usually think of IP phones. Would you give priority to servers over users in this design? Any other considerations?

Any links to best practices or designs are welcome; I'm pretty green in this space. I'm just trying to get the high-level stuff sorted and will drill down into further detail as I go.

Thanks in advance.
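Added example, not part of the original post: a small Python audit that checks an IOS-style running-config against the items in the post's "Security notes" list (EIGRP MD5 authentication, unused ports shut down, sticky port security on access ports, VTP disabled, a syslog host, SNMP, a login banner, and central device authentication). The config text is constructed for illustration and deliberately mixes hardened and weak stanzas; the mapping of each checklist item to IOS syntax (key chains for EIGRP MD5, `vtp mode transparent`/`off` for "disable VTP", an SNMPv3 `priv` group rather than a community string for "SNMP with a password", `aaa new-model` for "domain authentication") is this example's assumption, not something the post states.

```python
"""Audit an IOS-style running-config against the post's hardening checklist.

Added example. SAMPLE_CONFIG is constructed; the checks encode one reading of
the checklist (assumptions noted inline), not a Cisco-published standard.
"""
import re

SAMPLE_CONFIG = """\
hostname HQ-ACCESS-1
vtp mode transparent
key chain EIGRP-KEYS
 key 1
  key-string 7 0822455D0A16
logging host 10.10.30.5
snmp-server community public RO
snmp-server group NETMON v3 priv
banner motd ^Authorized access only^
interface GigabitEthernet1/0/1
 description uplink to core
 ip address 10.10.1.2 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
interface GigabitEthernet1/0/2
 description office user
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/3
 description office user
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/4
 shutdown
interface GigabitEthernet1/0/5
router eigrp 100
 network 10.10.1.0 0.0.0.3
"""


def parse_config(text):
    """Split an IOS config into {top-level command: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit(text):
    """Return (check, target, detail) findings; an empty list means clean."""
    blocks = parse_config(text)
    top = set(blocks)
    interfaces = {k.split(" ", 1)[1]: v for k, v in blocks.items()
                  if k.startswith("interface ")}
    key_chains = {k.split(" ", 2)[2] for k in top if k.startswith("key chain ")}
    findings = []

    # EIGRP with MD5: assumption - every interface carrying an IP address is an
    # EIGRP neighbour and must reference an existing key chain in md5 mode.
    if any(k.startswith("router eigrp") for k in top):
        for name, cmds in interfaces.items():
            if not any(c.startswith("ip address ") for c in cmds):
                continue
            chain = next((c.split()[-1] for c in cmds
                          if c.startswith("ip authentication key-chain eigrp ")), None)
            md5 = any(re.fullmatch(r"ip authentication mode eigrp \d+ md5", c) for c in cmds)
            if not (md5 and chain in key_chains):
                findings.append(("eigrp-md5", name, "EIGRP interface without MD5 key-chain auth"))

    for name, cmds in interfaces.items():
        # Unused ports: nothing configured beyond a description means it must be shut down.
        if not [c for c in cmds if not c.startswith("description ")]:
            findings.append(("unused-port", name, "unused interface not shut down"))
        # Access ports: port security with sticky MAC learning.
        if "switchport mode access" in cmds and not (
                "switchport port-security" in cmds
                and "switchport port-security mac-address sticky" in cmds):
            findings.append(("port-security", name, "access port without sticky port-security"))

    # Global items. SNMP: a community string is the v1/v2c "password"; the audit
    # treats SNMPv3 with authentication and privacy as the acceptable form.
    if not ({"vtp mode transparent", "vtp mode off"} & top):
        findings.append(("vtp", "global", "VTP not disabled (mode transparent/off)"))
    if not any(k.startswith("logging host ") for k in top):
        findings.append(("syslog", "global", "no syslog host configured"))
    if any(k.startswith("snmp-server community ") for k in top):
        findings.append(("snmp", "global", "SNMP v1/v2c community string present; use SNMPv3 priv"))
    if not any(re.match(r"snmp-server group \S+ v3 priv", k) for k in top):
        findings.append(("snmp", "global", "no SNMPv3 priv group configured"))
    if not any(k.startswith("banner motd") for k in top):
        findings.append(("banner", "global", "no login banner"))
    if "aaa new-model" not in top:
        findings.append(("aaa", "global", "aaa new-model missing; no central device authentication"))
    return findings


if __name__ == "__main__":
    for check, target, detail in audit(SAMPLE_CONFIG):
        print(f"[{check}] {target}: {detail}")
```

Run against the constructed config it reports four findings: GigabitEthernet1/0/3 has no port security, GigabitEthernet1/0/5 is unconfigured but not shut down, a v2c community string is present alongside the v3 group, and there is no `aaa new-model`. Feed it the output of `show running-config` from a real device to check a candidate build against the same list; the parser only understands the one-level indentation IOS uses, so nested blocks such as the key chain are attached to their top-level command.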


