Network Reconfiguration Advice

Answered Question
Dec 10th, 2009

Aloha,


I am looking for advice as to what might be the best solution for replacing a medium sized business infrastructure.


Our current configuration is:


Frame Relay Connection + DIA >> Cisco 8141 >> PIX 506E >> Internal LAN


The internal LAN is currently a single vlan supporting 150 users at a single site. There are about ten users that are using the PIX VPN. Eventually our VPN needs will grow to support external customers, so a VPN device that can set different levels of security will be necessary.


The NOS is Windows Server 2003 with plans to go to Server 2008. Email is Exchange 2003, plans to go to Exchange 2010. It's a pretty simple setup.


I have been asked to develop a solution to replace the aging firewall and router. We would like to have two ISPs, set up to failover and load balance if necessary. The new ISPs will be Cable and DSL. We are doing away with the frame-relay solution. We may need to create point to point VPNs at some point. I am thinking that the Cable and DSL carriers will be routing ethernet.


We will eventually be supporting VOIP. It will be some flavor/configuration of Unified Messaging, so the new router has to be voice ready to support 150-250 phones. We will upgrade our switches at that point to Cisco POE switches and create a second VLAN for voice to implement QOS.


What would the experts out there suggest to replace the current router and firewall? And how would you configure it? My first thought is that it would look like this:


ISPs >>>>> ASA >>>> Voice Router >>> Internal LAN


The ASA would have three ethernet connections, two to the ISPs and one to the router. The router would need a connection to the ASA, the internal network and eventually a PRI.


Money is not an issue, but I would like the solution to be cost effective.


Any advice would be greatly appreciated!


Mahalo,


Tony

tprendergast Thu, 12/10/2009 - 11:38

I would actually suggest:


ISPS-->Router-->ASA-->LAN


The router will do a better job of managing two providers and getting you to a load-balanced or failover configuration than the ASA will. This configuration also gets you closer to future growth of running BGP with larger provider circuits as you grow, rather than reconfiguring another time.


When you upgrade to POE switches, getting a layer3 switch will allow you to do all the necessary voice routing configuration without having to go out to the external router. This is a pretty traditional configuration.


Look at the ISRs (1900/2900 series) for your edge, an ASA 5505/5510 for your new firewall (have it assign different profiles/tunnel groups to users, giving you the opportunity to support multiple privilege levels of people on VPN), and a Layer 3 POE Switch + several layer 2 poe switches. I'd even consider, if you can afford to, putting a 3750 POE stack in place so you manage all of your switches like a single device.


I hope that helps. Ask questions if you want more clarification. I tried to leave it a little generic so you could think of how you would apply your needs to this cookie-cutter model.


Cheers,

Tim


Please rate if this was helpful.

Tony LaSoya Thu, 12/10/2009 - 13:28

Tim,


Thank you for your reply. It is all good information.


The only question I have is why would you put the router outside of the firewalled network. Although this current network is configured that way, I have always put my firewall on the perimeter. Isn't the router needed inside the LAN to route voice? Or can the ASA handle that vlan traffic? It's been a while since I have done more than just configure inside interfaces/vlans, so forgive me if I am asking basic questions.


Otherwise, it is all good advice and much appreciated.


Mahalo!


Tony

Correct Answer
tprendergast Thu, 12/10/2009 - 13:52

In all reality, the layer 3 POE switch should do your voice traffic and vlan routing. The router is outside the firewall in this instance because it provides you more granularity of control over your EGP, or exterior routing. This means you can exert more control over how you choose the ISP for routing certain traffic, how you recover from link failures, etc. The ASA isn't really meant to be a full router, it just has some of the features that complement the firewall/vpn functionality.


There are security benefits as well. First, you can run simple ACLs on the inbound links from ISP to your network to filter generally unwanted traffic. This is actually important, because there are lots of firewall-based security attacks out there that can cripple your network quickly if you have the firewall all the way at the edge. A firewall creates an entry in the session-state table for each inbound connection (I'm simplifying this somewhat), and has a finite amount of memory to maintain that session-state table. If someone rapidly sends bogus connections to a valid destination, they can fill your state table and cause the firewall to drop any further connections coming to your network. The router is much more capable of handling large numbers of connections, and you can do very granular traffic shaping and QoS on inbound connections to minimize your exposure to firewall attacks.


If you boil it down, think of it as "use the right tool for the job" in each segment of your network. You have the exterior gateway (router), perimeter defense (ASA), and interior gateway (layer 3 switch). The Layer 3 POE Cisco Switches are very capable of routing all your voice traffic and even doing QoS/CoS to ensure that your voice quality is always maintained.


Cheers, and good luck on your upgrade!

Tim
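The two replies above (ISPs --> Router --> ASA --> LAN, with the router handling ISP selection, failover and coarse inbound filtering ahead of the ASA's state table) can be sketched as an IOS configuration. This is an added illustration, not configuration from the thread or from Cisco; it assumes a two-port ISR with cable on GigabitEthernet0/0 and DSL on GigabitEthernet0/1, and uses RFC 5737 documentation addresses (203.0.113.0/24 and 198.51.100.0/24 as the provider links, 192.0.2.0/24 as the business's own public block) as constructed placeholders.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
!
! --- Probe each upstream so a dead provider, not just a down interface,
!     withdraws its default route ---
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 10
!
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
 delay down 30 up 10
!
! --- Cable is primary; DSL is a floating static (AD 10) used on failover.
!     Drop the "10" to install both routes and get per-destination
!     load sharing across the two ISPs instead. ---
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
!
! --- Stateless inbound filter on the ISP link: packets with spoofed or
!     bogon sources are dropped here and never consume an ASA state entry ---
ip access-list extended ISP1-IN
 remark packets claiming to come from our own public block are spoofed
 deny   ip 192.0.2.0 0.0.0.255 any
 remark private, loopback and link-local sources never arrive legitimately
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark everything else is handed to the ASA for stateful inspection
 permit ip any any
!
interface GigabitEthernet0/0
 description Cable - ISP1
 ip address 203.0.113.10 255.255.255.0
 ip access-group ISP1-IN in
 ! loose-mode uRPF: strict mode would drop legitimate asymmetric
 ! traffic on a dual-homed edge
 ip verify unicast source reachable-via any
```

A matching ISP2-IN list belongs on GigabitEthernet0/1; the ASA behind the router still does the stateful inspection and VPN tunnel groups, the router only removes the junk that should never reach it.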

Tony LaSoya Thu, 12/10/2009 - 15:37

Tim,


Thank you for the detailed explanation! The next step is some research on IOS configurations for the router to allow failover and load sharing. All in all, this should be a simple network configuration, but I wanted to make sure I proceed down the right path.


I am sure I will be back on this forum with more questions!


I appreciate the assistance!


Tony
