Design Help

Discussion in 'Cisco' started by Himura, Mar 1, 2006.

  1. Himura

    Himura Guest

    Hi Guys,

    I am trying to re-design a network for the company I work for but don't
    quite have the right ideas, so I hope you guys can help me out. Ok...
    The network currently consists of a single PIX 515 and the ISP border
    router. I have been asked to enable the network to be ready for a
    global MPLS network and to connect various internal subnets together -
    there are 2 distinct networks currently. I understand that I need a
    layer 3 device somewhere to do the routing. I was going to use a Cisco
    layer 3 switch, as all interconnects are either FE @ 100 Mbps or some type
    of RJ-45 presented MPLS WAN link, on the internal LAN sitting between
    the LAN and the PIX.

    I have just realised that the PIX has various entries for different
    internal hosts allowing certain ports that would quite clearly not work
    if I put that switch on the inside between it and the internal hosts. I
    was planning on leaving the internal IP address scheme as is, and
    re-designing from the switches external interface outwards, therefore
    altering the PIX's internal IP address.



    What a mess, I hope that makes.

    Thanks in advance

    Himura
     
    Himura, Mar 1, 2006
    #1

  2. Himura

    Charlie Root Guest

    Hi,

    "Himura" <> wrote in message
    news:...
    > Hi Guys,
    >
    > I am trying to re-design a network for the company I work for but don't
    > quite have the right ideas, so I hope you guys can help me out. Ok...
    > The network currently consists of a single PIX 515 and the ISP border
    > router. I have been asked to enable the network to be ready for a
    > global MPLS network and to connect various internal subnets together -
    > there are 2 distinct networks currently. I understand that I need a
    > layer 3 device somewhere to do the routing. I was going to use a Cisco
    > layer 3 switch, as all interconnects are either FE @ 100 Mbps or some type
    > of RJ-45 presented MPLS WAN link, on the internal LAN sitting between
    > the LAN and the PIX.
    >


    Will you have direct links between your networks and enable MPLS on your own
    network (why?), or will your provider make an MPLS VPN for interconnecting your
    networks through their MPLS cloud? In the latter case the only thing you need to
    be concerned with is how routing will be done. Think of the provider's MPLS cloud
    as a single router that all your networks are connected to. So you will
    need to do routing between your networks via this single "virtual" router
    of the provider (yes, even though there are many routers on the provider network,
    you won't see them). Most of the work will actually be done by the provider
    and will be transparent for you.

    > I have just realised that the PIX has various entries for different
    > internal hosts allowing certain ports that would quite clearly not work
    > if I put that switch on the inside between it and the internal hosts. I
    > was planning on leaving the internal IP address scheme as is, and
    > re-designing from the switches external interface outwards, therefore
    > altering the PIX's internal IP address.
    >

    It's rather difficult to visualize your current and future networks based
    just on the description. Do you have a network diagram (in ASCII format)?

    By the way, if it's your provider who will make the MPLS VPN for you, what's
    the name of it?

    Kind regards,
    iLya
     
    Charlie Root, Mar 1, 2006
    #2

  3. Himura

    Himura Guest

    Sorry about the confusing first post. The MPLS is coming in to link
    offices which are located all around the world. It is most probably
    going to be connected to this office through its own router, but that
    router will need to connect to the internal LAN through the internal
    router.

    The other links from that internal router are,
    1. to another network in the same office that now need to see each
    other.
    2. Another PIX for more DMZ connections
    3. The existing PIX for internet connectivity and VPN.

    The issue I think I will face is when I remove the existing PIX from
    being the default gateway on the LAN. The port mapping on the PIX will
    no longer work as all internal LAN traffic will go through the internal
    router, therefore appearing to come from 1 IP address. Is that correct?

    Also forgot to mention, I'm very ordinary with complex network issues. I
    only have a CCNA.

    Thanks Again
     
    Himura, Mar 1, 2006
    #3
  4. Himura

    Charlie Root Guest

    "Himura" <> wrote in message
    news:...
    > Sorry about the confusing first post. The MPLS is coming in to link
    > offices which are located all around the world. It is most probably
    > going to be connected to this office through its own router, but that
    > router will need to connect to the internal LAN through the internal
    > router.
    >
    > The other links from that internal router are,
    > 1. to another network in the same office that now need to see each
    > other.
    > 2. Another PIX for more DMZ connections
    > 3. The existing PIX for internet connectivity and VPN.
    >

    There are a few options for how Internet connectivity is provided for VPN - it can be
    directly available to every site, or only to the main site, or it could be a
    shared or dedicated Internet gateway at the provider's premises. So the exact
    configuration will pretty much depend on what your provider offers. The number of
    PIXes and routers is not really an issue, only off-site connectivity is
    affected.

    > The issue I think I will face is when I remove the existing PIX from
    > being the default gateway on the LAN. The port mapping on the PIX will
    > no longer work as all internal LAN traffic will go through the internal
    > router, therefore appearing to come from 1 IP address. Is that correct?
    >

    A network diagram would be really helpful. If traffic will no longer go
    through the PIX then obviously it doesn't matter how the PIX is configured, and you
    have to transfer the functionality to your router (if required). Why would
    traffic appear from 1 IP?

    Kind regards,
    iLya
     
    Charlie Root, Mar 1, 2006
    #4
  5. Himura

    Himura Guest

    OK this is the network as is.



    LAN A -----PIX -----Internet
    |
    |
    LAN B -----PIX-----Internet



    Proposed new network.

    MPLS Router
    | 2x
    LAN A -----L3 Switch-----PIX -----Internet
    |
    |
    LAN B -----PIX-----Internet
     
    Himura, Mar 1, 2006
    #5
  6. Himura

    Charlie Root Guest

    "Himura" <> wrote in message
    news:...
    > OK this is the network as is.
    >
    >
    >
    > LAN A -----PIX -----Internet
    > |
    > |
    > LAN B -----PIX-----Internet
    >
    >
    >
    > Proposed new network.
    >
    > MPLS Router
    > | 2x
    > LAN A -----L3 Switch-----PIX -----Internet
    > |
    > |
    > LAN B -----PIX-----Internet
    >


    What is connecting LAN A and B? If there are no routers between the PIXes and
    LAN A/B, I'd suggest you connect the MPLS router(s) to a DMZ interface of the
    PIXes instead, and run OSPF or RIP between the MPLS router and the PIXes (unless
    you want to put a static route for every network that should be available over
    MPLS), while having the default route on the PIXes pointing towards the router from
    your Internet provider. This way your users will still have only one default
    gateway (the master address of the PIX), therefore no configuration changes for
    them. On the PIX you will also keep all your existing NAT and firewall
    rules. Something like the following will do:

    LAN_A -+--PIX--+------[MPLS_Router]------>[MPLS]---<other_sites>
           |       |
           |       |
           |    outside
           |       |
        inside     |
           |       |
           |       |
    LAN_B -+--PIX--+------[Inet_Router]------>Internet

    You can run two VLANs on the [inside] interface of the firewalls, so both
    firewalls will be available in each VLAN for redundancy.

    Kind regards,
    iLya
     
    Charlie Root, Mar 1, 2006
    #6
  7. Himura

    Himura Guest

    That is 2 x PIX, only 1 L3 Switch.
     
    Himura, Mar 1, 2006
    #7
  8. Himura

    Himura Guest

    LAN A needs to use LAN B internet connection, but no direct access to
    LAN B.

    Main issue is putting in a router between LAN A and its PIX, and the
    effect that will have on the rules that currently exist on that PIX in
    terms of port mapping. Currently the PIX is the default gateway; that will
    change to the router on LAN A, so the PIX will now only see the router
    instead of the hosts on LAN A.

    Cheers
     
    Himura, Mar 2, 2006
    #8
  9. Himura

    Charlie Root Guest

    "Himura" <> wrote in message
    news:...
    > LAN A needs to use LAN B internet connection, but no direct access to
    > LAN B.
    >
    > Main issue is putting in a router between LAN A and its PIX, and the
    > effect that will have on the rules that currently exist on that PIX in
    > terms of port mapping. Currently the PIX is the default gateway; that will
    > change to the router on LAN A, so the PIX will now only see the router
    > instead of the hosts on LAN A.
    >


    Don't put a router between LAN A and the PIX, just split the PIX's physical "inside"
    interface into VLANs.

    Kind regards,
    iLya
     
    Charlie Root, Mar 2, 2006
    #9
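As an added example (this is not iLya's own configuration and nothing in the thread gives real addresses), here is what the design from posts #6 and #9 looks like on the PIX in PIX 6.3-era syntax: the physical inside interface carries LAN A and LAN B as two 802.1Q VLANs, the MPLS router hangs off a DMZ interface, the default route still points at the ISP router, and the existing port mapping is untouched. All addresses, VLAN IDs, interface names, the remote-site prefix 10.20.0.0/16 and the software version are assumptions; 203.0.113.0/24 is documentation address space standing in for the ISP block.

```cisco
! Added example, not a config from the thread. Addresses, VLAN IDs,
! interface names and the remote-site prefix 10.20.0.0/16 are assumptions;
! 203.0.113.0/24 is documentation address space standing in for the ISP block.
!
! ethernet1 stays "inside" and now carries two 802.1Q VLANs: native VLAN 10
! is LAN A, logical VLAN 20 is LAN B. The PIX is still the default gateway
! in both VLANs, so no host, NAT rule or port mapping has to change.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
interface ethernet2 100full
!
nameif ethernet0 outside security0
nameif ethernet1 inside  security100
nameif vlan20    lan_b   security90
nameif ethernet2 mpls    security50
!
ip address outside 203.0.113.2   255.255.255.0
ip address inside  10.1.1.1      255.255.255.0
ip address lan_b   10.1.2.1      255.255.255.0
ip address mpls    192.168.100.1 255.255.255.252
!
! Default route keeps pointing at the ISP router; remote sites are reached
! through the MPLS CE router sitting on the mpls (DMZ) interface.
! One static per remote prefix is the simplest option; OSPF or RIP between
! the PIX and the CE router (as iLya suggests) would replace these statics.
route outside 0.0.0.0   0.0.0.0     203.0.113.1   1
route mpls    10.20.0.0 255.255.0.0 192.168.100.2 1
!
! Existing Internet NAT and port mapping, unchanged by the redesign.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (lan_b)  1 10.1.2.0 255.255.255.0 0 0
static (inside,outside) tcp 203.0.113.10 80 10.1.1.10 80 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
!
! LAN A <-> remote sites over MPLS: no translation in either direction
! (NAT exemption), and the lower-security mpls interface needs an ACL
! before remote sites can initiate connections towards inside.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list nonat
access-list mpls_in permit ip 10.20.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-group mpls_in in interface mpls
!
! LAN A may reach the Internet and the MPLS sites but gets no direct access
! to LAN B. (lan_b -> inside is already denied by the security levels
! because there is no static/ACL pair for it.)
access-list inside_out deny   ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_out permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
```

The switch port facing ethernet1 has to be an 802.1Q trunk carrying VLANs 10 and 20 with VLAN 10 native (an assumption about the switch side). Note that once an access-group is applied to inside, only what that list permits leaves LAN A, so the trailing permit is what keeps Internet and MPLS traffic flowing; the deny in front of it is the "no direct access to LAN B" requirement from post #8.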
  10. Himura

    Himura Guest

    Ahh I see. Didn't know that was possible. Makes a lot more sense now.

    OK so next issue....The existing PIX has all its 6 interfaces occupied.
    We need more DMZ interfaces so we're thinking of getting another PIX
    515. With no router between the LAN and PIX how would we connect the
    second PIX?
     
    Himura, Mar 2, 2006
    #10
  11. Himura

    Himura Guest

    Sorry...but forgot to add that LAN A will use its own Internet
    connection and only certain servers will use the Internet connection which
    is on LAN B.
    Also the MPLS is to other sites, therefore is it not possible to plug in
    the MPLS router directly onto the network rather than going through the
    PIX?

    One of the remote sites that's going to be connected into the MPLS is
    going to have an Internet connection as well and the plan is to run BGP
    between the LAN A Internet connection and the connection at the remote
    site.

    Thanks again for all your help.
     
    Himura, Mar 2, 2006
    #11
  12. Himura

    Charlie Root Guest

    "Himura" <> wrote in message
    news:...
    > Sorry...but forgot to add that LAN A will use its own Internet
    > connection and only certain servers will use the Internet connection which
    > is on LAN B.
    > Also the MPLS is to other sites, therefore is it not possible to plug in
    > the MPLS router directly onto the network rather than going through the
    > PIX?


    You can plug them directly into the network, but then you'd have to configure
    every host on your network with a bunch of static routes pointing to remote
    sites via that MPLS router, or run RIP/OSPF on each host. These things are
    usually something to avoid. Think of the MPLS connection as if you had
    a remote site connected via a single third-party router (which you obviously
    don't manage!); the routing issue is just the same.

    >
    > One of the remote sites that's going to be connected into the MPLS is
    > going to have an Internet connection as well and the plan is to run BGP
    > between the LAN A Internet connection and the connection at the remote
    > site.


    If you will get an L3VPN (as opposed to an L2VPN), that won't work
    out-of-the-box. Even if you establish BGP between your routers, there will
    still be the MPLS provider routers in between, and they also need to have this routing
    information. In an MPLS environment you usually run routing not between sites,
    but between customer and provider edge routers. It's therefore essential
    that you speak to your MPLS provider to agree on how the routing will be done.

    Kind regards,
    iLya
     
    Charlie Root, Mar 2, 2006
    #12
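To make the CE-PE point concrete, here is an added example of the customer-edge router for LAN A in IOS syntax (not a configuration from the thread or from the provider): routing runs as eBGP between this CE and the provider's PE, the CE advertises only the local site prefixes, and it accepts only the other sites' prefixes from the provider; the remote sites are reached because the provider carries those routes inside its L3VPN, not because of any BGP session between sites. The AS numbers, addresses, the PE address, the PIX-facing link and the 10.0.0.0/8 site range are all assumptions that in practice come from the agreement with the provider.

```cisco
! Added example, not from the thread. AS numbers, addresses and the PE
! address are assumptions; in practice they are agreed with the provider.
hostname LANA-MPLS-CE
!
interface FastEthernet0/0
 description Towards the PIX "mpls" (DMZ) interface
 ip address 192.168.100.2 255.255.255.252
!
interface FastEthernet0/1
 description PE-CE link handed over by the MPLS provider
 ip address 10.255.0.2 255.255.255.252
!
! The CE must itself know the local LANs behind the PIX, otherwise it has
! nothing to advertise to the provider (BGP "network" needs a RIB entry).
ip route 10.1.1.0 255.255.255.0 192.168.100.1
ip route 10.1.2.0 255.255.255.0 192.168.100.1
!
! PE-CE routing: eBGP with the provider's AS (assumed 65000), not BGP to
! the remote site. The provider redistributes these prefixes into the VPN
! and hands back the other sites' prefixes over the same session.
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 description Provider PE (L3VPN)
 neighbor 10.255.0.1 prefix-list SITE-PREFIXES out
 neighbor 10.255.0.1 prefix-list FROM-PROVIDER in
 network 10.1.1.0 mask 255.255.255.0
 network 10.1.2.0 mask 255.255.255.0
!
! Only announce this site's prefixes ...
ip prefix-list SITE-PREFIXES seq 5  permit 10.1.1.0/24
ip prefix-list SITE-PREFIXES seq 10 permit 10.1.2.0/24
! ... and only accept other-site prefixes from the assumed 10.0.0.0/8 plan.
! A default route from the provider is deliberately refused here; accept it
! only if Internet breakout via another site is what you agree with them.
ip prefix-list FROM-PROVIDER seq 5  permit 10.0.0.0/8 ge 16 le 24
ip prefix-list FROM-PROVIDER seq 10 deny 0.0.0.0/0 le 32
```

The two prefix-lists are the part worth keeping whatever the provider proposes: the outbound one stops internal or test prefixes leaking into the VPN, and the inbound one stops the provider (or a misconfigured remote site) injecting a default route or foreign prefixes into the office network. If the provider offers OSPF or static routing on the PE-CE link instead of BGP, the same two filters are expressed as a distribute-list or as the set of statics, respectively.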
  13. Himura

    Himura Guest

    Right...its all falling in place now.

    The second PIX can just be put on the network and the new DMZ
    connections we need can be hooked up that way. The MPLS can be
    connected to the new PIX and the new PIX connected to the old original
    PIX and the internal network.

    Would that work or would I have a problem with the security levels and
    return traffic?
     
    Himura, Mar 2, 2006
    #13
  14. Himura

    Charlie Root Guest

    "Himura" <> wrote in message
    news:...
    > Right...its all falling in place now.
    >
    > The second PIX can just be put on the network and the new DMZ
    > connections we need can be hooked up that way. The MPLS can be
    > connected to the new PIX and the new PIX connected to the old original
    > PIX and the internal network.
    >
    > Would that work or would I have a problem with the security levels and
    > return traffic?
    >

    Make it as simple as possible, with as few changes from the current setup as
    will be just enough to get bits moving. Security levels shouldn't be a
    problem as long as you have the respective access rules in place.

    Kind regards,
    iLya
     
    Charlie Root, Mar 2, 2006
    #14
  15. Himura

    Himura Guest

    You have been a great help mate, I think I know what needs to be done
    now.

    Cheers
     
    Himura, Mar 2, 2006
    #15
