Proposed network design with redundancy for a charity

17 years 10 months ago #17679 by panos
Good morning everybody

I need to build a network for a charity in a place in Asia where the internet connection is expensive and not stable at all. The "business" need is to download pages from the same web sites and then to start uploading information to a server in Europe. We decided to use 3 "cheap" ADSL/broadband connections and one *expensive* leased line. Here is a link to the network design that I came up with (hosted at Flickr). The idea is to set up the router as the default gateway for each PC and also set up an equal cost for each internet connection, thus having some sort of redundancy (very often the problem is that one of the internet connections fails). I'm afraid that I don't have the necessary confidence to proceed with such a demanding project by myself and that's why I would like to have your views on this:

1) Will the proposed plan work? :D
2) What kind of router should I use? There is an existing Cisco 2600 that I would like to reuse if possible.
3) Is there a way for me to test this in the firewall.cx Cisco Lab?
4) It doesn't have a firewall and probably it has too many ISA servers :(
5) ANY recommendations/additions/comments would be VERY helpful as this is my first time doing something like this.


SEE THE NETWORK DESIGN HERE

Regards,
P.

PS My regards to Chris and the whole firewall.cx team. VERY good website!
17 years 10 months ago #17682 by Smurf
The design looks fine to me. Just a few questions:

1. You only have the two ISA Servers, are they there for load balancing or redundancy? Not too sure why you are wondering if there are too many ISA Servers?

2. Your ADSL offices, are they linking to the head office? This isn't in the design so just wondering.

Cannot really throw too much in the router option mix as I am just going through the CCNP and it's not really an area of expertise, cannot see any reason why it cannot be re-used though.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 10 months ago #17683 by panos
Hi Smurf,

Thanks for the reply. One thing that I didn't mention in the beginning is that the network won't be monitored by any experienced person locally and that's why I would like to keep it as simple as possible. Here are the answers:

1) In order to keep it as simple as possible I would like to have fewer servers. So 1 server is better than 2 servers. I would prefer to have 2 servers set up for load balancing and redundancy at the same time if that is possible but I haven't checked if ISA 2004 can be set up like that.

2) It is a strange setup. There are 100 people in Asia sending information over HTTP and the internet to servers located in Europe. So the link between the ADSL office and the head office is the internet.

Have you ever designed/built a similar network? Had any problems or do you think that I should pay more attention to any parts of it?

Regards,
Panos
17 years 10 months ago #17692 by sose
This is a normal LAN with internet connection. The only but I see is the decision regarding the placement of the ISA servers: why not Cisco routers with firewall capabilities instead of the ISA servers to save cost?


sose
17 years 10 months ago #17711 by Smurf

"why not Cisco routers with firewall capabilities instead of the ISA servers to save cost?"


Good question. Unfortunately I don't really know if the current router will support an IOS image with the Firewall/VPN feature set and how much that would cost. I wouldn't have thought you would have any issues in using it for the internet link, as long as you can connect to your ISP with it (probably can though if it's a leased line).

Still not too sure how you want to connect the remote office, it's not clear what traffic is required to go between all the different locations. You mention HTTP traffic, if that's just it then you can get away without having any logical link to the different offices. If they do need to link up, then possibly a VPN solution would be the way to link the different sites to your main office. This can be done in several ways:

1. Proper VPN device in your main office, remote offices use a router that can support an IPSec VPN connection
2. If the current 2600 router can support the IOS feature set, you can terminate the remote office routers to connect an IPSec VPN to.
3. You could just use ISA as the VPN devices. You would require them in the remote offices also to set up the VPN tunnel with.
4. You could use a mix of the routers and ISA server (never tried it)

We have configured some remote sites in my organisation with Cisco ADSL Routers using a VPN Site-to-Site tunnel to connect to the head office and access the internal LAN. It uses IPSec using certificates. We use a VPN Concentrator at the main office to terminate these connections with.

As for the question about the ISA load balancing, it is relatively easy to do this within ISA 2004. Now, you can configure it through the ISA Snap-In and it will configure the WNLB for you (whereas with ISA 2000 you had to configure both independently and then it didn't work very well so you had to rely on third-party products to achieve it reliably).

Hope it helps, sorry I cannot really comment on the router side of things, I am currently studying the CCNP so it's not my area of expertise.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

17 years 10 months ago #17715 by Elohim
Where is the egress point? It already fails because you only have one router.