DS3 to WAN and Internet

Discussion in 'Cisco' started by SP, Nov 11, 2003.

  1. SP

    SP Guest

    I currently have 6 T1 host lines to my WAN connected to a Cisco 3745 router
    and 2 T1s to the Internet (dual homed, BGP, etc.) connected to 2 Cisco 7200
    routers. We are considering swapping out the 8 T1s in favor of a single
    DS3 circuit. The DS3 would come into an ATM module on the 3745; we will do
    ATM to Frame Relay for the WAN and will also want to carve out some
    channels/bandwidth for Internet access. I don't believe that this is an
    unusual setup. My question is: where do I locate my firewall? If I
    put it on the Ethernet interface, all of my WAN traffic will be subject to
    FW rules. Is it possible to locate my FWs and proxy server on a second
    Ethernet interface on the 3745 and have the router send packets inbound and
    outbound to/from the Internet to my firewalls before routing them? What is
    the best way to do this?

    BTW, we are using Checkpoint FWs.

    Thanks.
    SP, Nov 11, 2003
    #1

  2. SP

    CCIE8122 Guest

    > I currently have 6 T1 host lines to my WAN connected to a Cisco 3745 router
    > and 2 T1s to the Internet (dual homed, BGP, etc.) connected to 2 Cisco 7200
    > routers. We are considering swapping out the 8 T1s in favor of a single
    > DS3 circuit. The DS3 would come into an ATM module on the 3745; we will do
    > ATM to Frame Relay for the WAN and will also want to carve out some
    > channels/bandwidth for Internet access. I don't believe that this is an
    > unusual setup. My question is: where do I locate my firewall? If I
    > put it on the Ethernet interface, all of my WAN traffic will be subject to
    > FW rules. Is it possible to locate my FWs and proxy server on a second
    > Ethernet interface on the 3745 and have the router send packets inbound and
    > outbound to/from the Internet to my firewalls before routing them? What is
    > the best way to do this?
    >
    > BTW, we are using Checkpoint FWs.
    >
    > Thanks.


    Not necessarily unusual, but certainly not without its challenges.

    Your question is the exact reason that this is not done very often (or
    rather, is done even when perhaps it should not be).

    In terms of economies of scale, it certainly is a no-brainer to go from
    NxT-1 to DS-3 once you start crowding the 8-10 T-1s range.

    But you are correctly identifying the problem. Really you only have
    three options:

    1) Do PBR from inet int to eth (through fw) back into another eth and
    route normally to the rest of the internet; and then the reverse.

    2) Bring in two separate circuits -- one for WAN, one for Inet.

    3) Scrap the Nokia and do CBAC, inspecting outbound on the Inet int.

    I would not recommend doing the first. I have a few customers that I
    have set up that way at their insistence, and over my express
    objections. The reasons are obvious and two-fold. First, it is not
    very secure -- if I hack the inet router, I own the network, don't even
    have to hack the FW. Second, it violates the KISS rule, and can be
    pretty nasty to troubleshoot/administer.

    As far as option three, it is a matter of personal pref, but I always
    prefer to have a hardware-based FW, as opposed to software, especially
    if you are pumping a good deal of stuff through it. Additionally, I
    have found the accuracy of the IOS FW to be less than stellar esp when
    compared to a PIX or Checkpoint. I have far fewer problems with either
    of the latter.


    I would really go with option 2. It is less efficient in terms of cost,
    but you can be creative. For example, for a lot of customers in your
    boat, I put a DS-3 or OC-3 (depending on how many total T-1s they have
    coming in) local loop from the customer prem to the CO -- usually this
    will be through the LEC, as you have PRIs, and other data circuits often
    through the LEC, but it doesn't have to be. Then what you do is you
    order that DS-3/OC-3 (I typically find that with any given carrier, by
    the time you get two DS-3s, it is actually cheaper to go to an OC-3), as
    a DS-3 CO MUX port (or in the case of the OC-3 2 or 3 DS-3 CO MUX
    ports). Now that you have aggregated your DS-1 loops across higher
    facilities, you are capturing most of the economies of scale that you
    would be looking at with your solution. Pretty much every carrier (AT&T
    is the exception because they are boneheads about this) will give you a
    pretty cheap "loop" price because you are just giving them Carrier
    Facility Access (CFA), which often just constitutes a CO cross connect
    between your LEC and the IXC provider. This charge could be as cheap as
    $6 a month per DS-1, depending on which carrier, and whether the other
    carrier is colo'd in the same CO/POP as the LEC.

    So assuming you have 6 WAN circuits, 2 Internet T-1s, 3 local PRIs, and
    2 LD T-1s. Put a DS-3 with a CO MUX in from your premises to the
    CO--again this would likely be from your LEC. You may even want to
    consider taking this DS-3 not to your local serving wire center, but to
    a CO where a lot of carriers--or at least your carriers of choice--have
    POPs. You will pay mileage to do this, but in the long run you will
    save big bucks, because you won't have to pay mileage on each T-1. Then,
    you terminate the two Internet T-1s, the LD T-1s, and the 6 WAN T-1s on
    your Customer Provided Access (CPA) at the terminating CO. If the
    terminating CO is the same as your serving wire center, then you can
    ride your 3 local PRIs across the DS-3 as well. If not, then you leave
    them coming in on copper (you typically only get 25-50 off PRIs for CPA
    anyway, so no big deal). Then you just cross connect in the CO/POP to
    your LD carrier, your WAN carrier, your local provider, and your
    internet providers. On your prem, all you will need is an M13 MUX. I
    think NEC makes the best myself, but Adtran, Kentrox, et al make good
    ones too. The M13 will run you around 5 G's. The M13 brings in the
    channelized DS-3 from the demarc, and MUXes it out into the individual
    DS-1s. The beautiful thing here is then you plug one Inet T-1 into one
    router, the other Inet T-1 into a separate router (for not only carrier,
    but CPE redundancy), your LD and PRI T-1s into your PBX, and your WAN
    circuits into yet another router. You just run Cat 5s from the M13 to
    each separate device. A pretty slick and elegant solution.

    And for an extra 6 or 700 per month, if you wish, you can get that DS-3
    with route protection, so that should you suffer a fiber cut or card
    failure anywhere between you and the CO, no service is impacted.

    I have implemented this for many a customer in your shoes. The only
    catch is, you probably want to get your voice guy on board and split the
    cost of the DS-3. But I can almost guarantee you it will save you both
    money.

    If you can find someone to do this for you, great. If not, or if you
    just want further details, send me an email at .
    I own a company that is a Master Agent for Qwest, AT&T, MCI, Global
    Crossing, and several regional carriers, as well as looking at picking
    up SBC, Bell South, and Verizon, so I could hook you up at no cost to you.

    (Sorry all, for the shameless plug, there).

    HTH

    kr
    CCIE8122, Nov 11, 2003
    #2
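The policy-based-routing design behind option 1, written out here as an added IOS configuration sketch (it is not from the original post; the interface names, PVC number and 203.0.113.x / 192.0.2.x / 10.x addresses are assumptions):

```cisco
! Option 1 sketched in IOS: interface names, PVC and the 203.0.113.x /
! 192.0.2.x / 10.x addresses are assumptions, not taken from the thread.
! Internet PVC carved out of the DS3. Everything arriving here is steered
! to the Checkpoint's outside leg before the routing table is consulted.
interface ATM1/0.1 point-to-point
 description Internet PVC on the DS3
 ip address 203.0.113.2 255.255.255.252
 pvc 1/100
  encapsulation aal5snap
 ip policy route-map INET-TO-FW
!
! Firewall legs on separate Ethernet interfaces; no policy here, so what
! the firewall hands back follows the normal routing table (no loop).
interface FastEthernet0/1
 description Checkpoint outside leg
 ip address 192.0.2.1 255.255.255.248
!
interface FastEthernet1/0
 description Checkpoint inside leg
 ip address 192.0.2.9 255.255.255.248
!
! Inside LAN: only Internet-bound packets are diverted. Traffic to the
! 10/8 WAN sites is routed normally and never touches the firewall. Apply
! the same route-map on the WAN sub-interfaces if branch sites reach the
! Internet through this router.
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map LAN-TO-FW
!
ip access-list extended ALL-FROM-INET
 deny   ip any host 203.0.113.2
 permit ip any any
ip access-list extended INTERNET-BOUND
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.0.2.0 0.0.0.255
 permit ip any any
!
route-map INET-TO-FW permit 10
 match ip address ALL-FROM-INET
 set ip next-hop 192.0.2.2
!
route-map LAN-TO-FW permit 10
 match ip address INTERNET-BOUND
 set ip next-hop 192.0.2.10
!
! The entire control is the two "ip policy" lines: remove either one (or
! change a next-hop) and the firewall drops out of the path silently,
! which is the exposure the reply describes.
```

Whoever can change the router's running configuration can therefore take the firewall out of the path without touching the firewall itself, so the router's management plane needs the same protection as the firewall and its configuration should be monitored for changes.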