Help me to choose the right device

rafaelgarcia · ‎04-09-2007

Hi,

Our network is going to be redesigned. We have about 50 employees with remote agents using 501.

Our new design will be something like:

INTERNET -- ROUTER -- PIX -- L3 SWITCH -- LAN

My main problem is that there is another router connected to the L3 SWITCH (2651XM). I need to determine when the internet router is down so my data is sent through the 2651XM automatically (using something like HSRP or GLBP if possible). I thought about using a routing protocol but I am not aware that a Pix runs EIGRP (which is what we are currently running) but OSPF.

Here are my questions:

1. Would changing the routing protocol be worth the headache and get the work done?

2. Would you recommend another Pix, ASA or just keeping the one I have?

I would like to know whether changing my existing Pix will benefit my company.

Thanks a lot in advanced.

acomiskey · ‎04-09-2007

Have you considered "Reliable Static Routing Backup Using Object Tracking"?

http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html

You can't run this on your 501, but you could on an ASA, referred to as Dual ISP. Unless you have at least a 3750 you can't run it on your L3 switch either.

rafaelgarcia · ‎04-09-2007

Hi,

I don't think that would work. I have attached a diagram so you can have a better idea. The Pix is a 506E not 515 as it says.

Thanks.

acomiskey · ‎04-09-2007

It could work if you ran object tracking on the 2651 and moved it in between the Pix and the 3550. Your default route in the 2651 would be the inside of Pix as long as an icmp track was up to the upstream neighbor of your 1760. When that track failed, the default route would move to your Dallas connection. If I understood you correctly, I think that's what you want, correct me if I'm wrong. This may not be the best solution, but probably the cheapest.

mightymouse2045 · ‎04-09-2007

I'd think about investing in a couple of switches - one live and one as a hot standby. Then you can have your internet go into the switch - then use both your routers connected into the switch using HSRP(now VRRP), and then back into your switch and one cable out into your ASA. I would then think about purchasing a second ASA box and have them in an Active-Active config (same as your routers) - and then into your L3 switch. Now the switch at your external facing edge is the single point of failure (but you have a hot standby) - and both your router and your ASA (being the most complicated and critical components) have redundancy. Of course your L3 switch is also a single point of failure which you may also want to look at but is entirely up to the budget :P

My 2 cents worth at any rate :)

Cheers,

Peter

rafaelgarcia · ‎04-09-2007

Hi,

Thanks for your feedback.

Mightymouse, your solution sound really good but expensive; althouhg, I am open to buy another type of Pix or ASA if needed.

Acomiskey, I undestand what you are saying but the reason why this router is not in between the Pix and the Internet router is because it will handle my PRI and any routing to Dallas; therefore, I just wanted dedicated to that since it will handle (in the future) a point-to-point connection.

Now, I now that if I run OSPF on the Pix I would probably be able to get the job done. What is your feedback on that?