Design Help

Hi Guys,

I am trying to re-design a network for the company I work for but don't quite have the right ideas, so I hope you guys can help me out. Ok... The network currently consists of a single PIX 515 and the ISP border router. I have been asked to enable the network to be ready for a global MPLS network and to connect various internal subnets together - there are 2 distinct networks currently. I understand that I need a layer 3 device somewhere to do the routing. I was going to use a Cisco layer 3 switch, as all interconnects are either FE@100mbps or some type of RJ-45 presented MPLS WAN link, on the internal LAN sitting between the LAN and the PIX.

I have just realised that the PIX has various entries for different internal hosts allowing certain ports that would quite clearly not work if I put that switch on the inside between it and the internal hosts. I was planning on leaving the internal IP address scheme as is, and re-designing from the switches external interface outwards, therefore altering the PIX's internal IP address.

What a mess, I hope that makes.

Thanks in advance

Himura


Hi,

will you have direct links between your networks and enable MPLS on your own network (why?), or will your provider make an MPLS VPN for interconnecting your networks through their MPLS cloud? In the latter case the only thing you need to be concerned with is how routing will be done. Think of the provider's MPLS cloud as a single router that all your networks are connected to. So you will need to make routing between your networks via this single "virtual" router of the provider (yes, even though there are many routers on the provider network, you won't see them). Most of the work will actually be done by the provider and will be transparent for you.

It's rather difficult to visualize your current and future networks based just on the description. Do you have a network diagram (in ASCII format)?

By the way, if it's your provider who will make the MPLS VPN for you, what's the name of it?

Kind regards, iLya

Charlie Root

Sorry about the confusing first post. The MPLS is coming in to link offices which are located all around the world. It is most probably going to be connected to this office through its own router, but that router will need to connect to the internal LAN through the internal router.

The other links from that internal router are,

  1. to another network in the same office that now need to see each other.
  2. Another PIX for more DMZ connections
  3. The existing PIX for internet connectivity and VPN.

The issue I think I will face is when I remove the existing PIX from being the default gateway on the LAN. The port mapping on the PIX will no longer work as all internal LAN traffic will go through the internal router, therefore appearing to come from 1 IP address. Is that correct?

Also forgot to mention, I'm very ordinary with complex network issues. I only have a CCNA.

Thanks Again

Himura

There are a few options for how Internet connectivity is provided for VPN - it can be directly available to every site, or only to the main site, or it could be a shared or dedicated Internet gateway at the provider premises. So the exact configuration will pretty much depend on what your provider offers. The number of PIXes and routers is not really an issue, only off-site connectivity is affected.

A network diagram would be really helpful. If traffic will no longer go through the PIX then obviously it doesn't matter how the PIX is configured and you have to transfer the functionality to your router (if required). Why would traffic appear to come from 1 IP?

Kind regards, iLya

Charlie Root

OK this is the network as is.

LAN A -----PIX -----Internet
  |
  |
LAN B -----PIX-----Internet

Proposed new network.

         MPLS Router
              |
2x LAN A -----L3 Switch-----PIX -----Internet
                  |
                  |
LAN B -----PIX-----Internet

Himura

What is connecting LAN A and B? If there are no routers between the PIXes and LAN A/B, I'd suggest you connect the MPLS router(s) to a DMZ interface of the PIXes instead, and run OSPF or RIP between the MPLS router and the PIXes (unless you want to put a static route for every network that should be available over MPLS), while having the default route on the PIXes pointing towards the router from your Internet provider. This way your users will still have only one default gateway (master address of the PIX), therefore no configuration changes for them. On the PIX you will also keep all your existing NAT and firewall rules. Something like the following will do:

LAN_A -+--PIX--+------[MPLS_Router]------>[MPLS]---
       |       |
       |       |
inside |       | outside
       |       |
       |       |
LAN_B -+--PIX--+------[Inet_Router]------>Internet

You can run two VLANs on the [inside] interface of the firewalls, so both firewalls will be available in each VLAN for redundancy.

Kind regards, iLya

Charlie Root

That is 2 x PIX, only 1 L3 Switch.

Himura

LAN A needs to use LAN B's Internet connection, but no direct access to LAN B.

The main issue is putting in a router between LAN A and its PIX, and the effect that will have on the rules that currently exist on that PIX in terms of port mapping. Currently the PIX is the default gateway; that will change to the router on LAN A, so the PIX will now only see the router instead of the hosts on LAN A.

Cheers

Himura

Don't put a router between LAN A and the PIX, just split the PIX physical "inside" interface into VLANs.

Kind regards, iLya

Charlie Root
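Putting iLya's two suggestions together (MPLS router on a DMZ port with a routing protocol, and the inside interface split into VLANs instead of a router in front of the PIX), here is an added PIX 6.3-style configuration sketch. It is not from the thread or from either poster; every address, VLAN ID, interface name, key and the 10.0.0.0/8 "remote sites" range is an assumption. It also keeps one of the existing port-mapping statics to show why those keep working: the PIX still sees the real LAN A host addresses because it remains their default gateway.

```cisco
! Added example (assumed PIX 515 / software 6.3 syntax, assumed addressing).
! ethernet1 goes to a switch trunk port: LAN A untagged (native VLAN), LAN B tagged VLAN 20.
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan20 logical
interface ethernet2 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100         ! LAN A, untagged on the trunk
nameif vlan20 lan_b security90              ! LAN B, tagged VLAN 20 on the same port
nameif ethernet2 mpls security50            ! DMZ port that only the MPLS CE router sits on

ip address outside 203.0.113.10 255.255.255.248
ip address inside 10.1.10.1 255.255.255.0
ip address lan_b 10.1.20.1 255.255.255.0
ip address mpls 10.1.250.1 255.255.255.252

! Default route still points at the Internet provider's router.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1

! Remote-site prefixes are learned from the MPLS CE router over OSPF on the DMZ
! link only; the LAN subnets are advertised as connected routes, so no OSPF
! hellos are sent into the user VLANs where a host could try to peer.
router ospf 1
  network 10.1.250.0 255.255.255.252 area 0
  redistribute connected subnets
  area 0 authentication message-digest
routing interface mpls
  ospf authentication message-digest
  ospf message-digest-key 1 md5 SharedOspfKey

! Internet NAT as before, plus a NAT exemption for LAN <-> remote-site traffic.
! Without the nat 0 lines the PIX looks for a translation towards "mpls" and
! drops the packets with "no translation group found".
global (outside) 1 interface
nat (inside) 1 10.1.10.0 255.255.255.0
nat (lan_b) 1 10.1.20.0 255.255.255.0
access-list NO_NAT_A permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NO_NAT_B permit ip 10.1.20.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NO_NAT_A
nat (lan_b) 0 access-list NO_NAT_B

! Existing port mapping keeps working unchanged: the PIX still sees 10.1.10.5 directly.
static (inside,outside) tcp 203.0.113.11 443 10.1.10.5 443 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 203.0.113.11 eq 443
access-group OUTSIDE_IN in interface outside

! LAN A may reach the Internet and remote sites but not LAN B directly.
access-list INSIDE_IN deny ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list INSIDE_IN permit ip 10.1.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! Remote sites (lower security level) need an explicit permit to reach the LANs.
! Tighten 10.0.0.0/8 to the real remote-site prefixes once the provider confirms them.
access-list MPLS_IN permit ip 10.0.0.0 255.0.0.0 10.1.10.0 255.255.255.0
access-list MPLS_IN permit ip 10.0.0.0 255.0.0.0 10.1.20.0 255.255.255.0
access-group MPLS_IN in interface mpls
```

Two things to check when adapting this: the switch port on ethernet1 must be a trunk whose native VLAN matches the untagged LAN A segment, and the OSPF key must match what is configured on the MPLS router's LAN-facing interface, otherwise the PIX simply never learns the remote-site routes and everything falls through the default route to the Internet.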

Ahh I see. Didn't know that was possible. Makes a lot more sense now.

OK so next issue... The existing PIX has all its 6 interfaces occupied. We need more DMZ interfaces so we're thinking of getting another PIX 515. With no router between the LAN and the PIX, how would we connect the second PIX?

Himura

Sorry... but forgot to add that LAN A will use its own Internet connection and only certain servers will use the Internet connection which is on LAN B. Also the MPLS is to other sites, therefore is it not possible to plug the MPLS router directly onto the network rather than going through the PIX?

One of the remote sites that's going to be connected into the MPLS is going to have an Internet connection as well and the plan is to run BGP between the LAN A Internet connection and the connection at the remote site.

Thanks again for all your help.

Himura

You can plug them directly into the network, but then you'd have to configure every host on your network with a bunch of static routes pointing to remote sites via that MPLS router, or run RIP/OSPF on each host. These things are usually something to avoid. Think of the MPLS connection as if you had a remote site connected via a single third-party router (which you obviously don't manage!); the routing issue is just the same.

If you will get an L3VPN (as opposed to an L2VPN), that won't work out-of-the-box. Even if you establish BGP between your routers, there will still be MPLS provider routers, and they also need to have this routing information. In an MPLS environment you usually run routing not between sites, but between customer and provider edge routers. It's therefore essential that you speak to your MPLS provider to agree on how the routing will be done.

Kind regards, iLya

Charlie Root
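To make the "routing runs between CE and PE, not between sites" point concrete, here is an added Cisco IOS sketch for the customer-edge (CE) MPLS router at the main office. It is not from the thread; it assumes the provider delivers an L3VPN and agrees to eBGP as the PE-CE protocol (the most common choice, but exactly what iLya says must be settled with the provider), and all addresses, AS numbers, keys and prefix ranges are assumed. The PE side is the provider's and is not shown. Toward the LAN the CE talks OSPF to the firewall on a point-to-point DMZ link, so no host needs a static route or a routing daemon.

```cisco
! Added example: CE router config (assumed IOS syntax, assumed addressing and ASNs).
hostname mpls-ce
!
interface FastEthernet0/0
 description LAN side: point-to-point link to the PIX "mpls" DMZ interface
 ip address 10.1.250.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SharedOspfKey
!
interface FastEthernet0/1
 description MPLS L3VPN access circuit to the provider PE (192.0.2.1)
 ip address 192.0.2.2 255.255.255.252
 ip access-group PE_IN in
!
! The carrier port only ever carries BGP from the PE plus traffic from the
! agreed remote-site ranges to our LANs; anything else is dropped and logged.
ip access-list extended PE_IN
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit icmp host 192.0.2.1 host 192.0.2.2
 permit ip 10.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255
 deny ip any any log
!
! OSPF towards the PIX: hand it the remote-site routes learned from the PE.
router ospf 1
 router-id 10.1.250.2
 network 10.1.250.0 0.0.0.3 area 0
 area 0 authentication message-digest
 redistribute bgp 65001 subnets route-map BGP_TO_OSPF
!
! eBGP to the provider edge: MD5 on the session, one-hop TTL check, and
! prefix filters in both directions so neither side can leak routes.
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description provider PE
 neighbor 192.0.2.1 password ProviderBgpKey
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list FROM_PE in
 neighbor 192.0.2.1 prefix-list TO_PE out
 neighbor 192.0.2.1 maximum-prefix 200
 ! The PIX advertises the LAN subnets as OSPF externals (E2), so externals must
 ! be included explicitly or they never reach the provider.
 redistribute ospf 1 match internal external 1 external 2 route-map OSPF_TO_BGP
!
ip prefix-list TO_PE seq 5 permit 10.1.10.0/24
ip prefix-list TO_PE seq 10 permit 10.1.20.0/24
ip prefix-list FROM_PE seq 5 permit 10.0.0.0/8 ge 16 le 24
ip prefix-list FROM_PE seq 100 deny 0.0.0.0/0 le 32
!
route-map OSPF_TO_BGP permit 10
 match ip address prefix-list TO_PE
route-map BGP_TO_OSPF permit 10
 match ip address prefix-list FROM_PE
```

The outbound prefix list is the part worth getting right first: it is what stops the office's default route, or a subnet that was never meant to be reachable from other sites, from being announced into the provider VPN. The `FROM_PE` list and the `PE_IN` access list should be narrowed to the exact remote-site prefixes once the provider supplies them.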

Right... it's all falling into place now.

The second PIX can just be put on the network and the new DMZ connections we need can be hooked up that way. The MPLS can be connected to the new PIX and the new PIX connected to the old original PIX and the internal network.

Would that work or would I have a problem with the security levels and return traffic?

Himura

Make it as simple as possible, with as few changes from the current setup as will be just enough to get bits moving. Security levels shouldn't be a problem as long as you have the respective access rules in place.

Kind regards, iLya

Charlie Root

You have been a great help mate, I think I know what needs to be done now.

Cheers

Himura
