I am looking for advice as to what might be the best solution for replacing a medium sized business infrastructure.
Our current configuration is:
Frame Relay Connection + DIA >> Cisco 8141 >> PIX 506E >> Internal LAN
The internal LAN is currently a single vlan supporting 150 users at a single site. There are about ten users that are using the PIX VPN. Eventually our VPN needs will grow to support external customers, so a VPN device that can set different levels of security will be necessary.
The NOS is Windows Server 2003 with plans to go to Server 2008. Email is Exchange 2003, plans to go to Exchange 2010. It's a pretty simple setup.
I have been asked to develop a solution to replace the aging firewall and router. We would like to have two ISPs, set up to failover and load balance if necessary. The new ISPs will be Cable and DSL. We are doing away with the frame-relay solution. We may need to create point-to-point VPNs at some point. I am thinking that the Cable and DSL carriers will be routing Ethernet.
We will eventually be supporting VoIP. It will be some flavor/configuration of Unified Messaging, so the new router has to be voice ready to support 150-250 phones. We will upgrade our switches at that point to Cisco PoE switches and create a second VLAN for voice to implement QoS.
What would the experts out there suggest to replace the current router and firewall? And how would you configure it. My first thought is that it would look like this:
ISPs >>>>> ASA >>>> Voice Router >>> Internal LAN
The ASA would have three Ethernet connections, two to the ISPs and one to the router. The router would need a connection to the ASA, the internal network and eventually a PRI.
Money is not an issue, but I would like the solution to be cost effective.
Any advice would be greatly appreciated!
In all reality, the layer 3 PoE switch should do your voice traffic and VLAN routing. The router is outside the firewall in this instance because it provides you more granularity of control over your EGP, or exterior routing. This means you can exert more control over how you choose the ISP for routing certain traffic, how you recover from link failures, etc. The ASA isn't really meant to be a full router, it just has some of the features that complement the firewall/VPN functionality.
There are security benefits as well. First, you can run simple ACLs on the inbound links from ISP to your network to filter generally unwanted traffic. This is actually important, because there are lots of firewall-based security attacks out there that can cripple your network quickly if you have the firewall all the way at the edge. A firewall creates an entry in the session-state table for each inbound connection (I'm simplifying this somewhat), and has a finite amount of memory to maintain that session-state table. If someone rapidly sends bogus connections to a valid destination, they can fill your state table and cause the firewall to drop any further connections coming to your network. The router is much more capable of handling large numbers of connections, and you can do very granular traffic shaping and QoS on inbound connections to minimize your exposure to firewall attacks.
If you boil it down, think of it as "use the right tool for the job" in each segment of your network. You have the exterior gateway (router), perimeter defense (ASA), and interior gateway (layer 3 switch). The Layer 3 PoE Cisco switches are very capable of routing all your voice traffic and even doing QoS/CoS to ensure that your voice quality is always maintained.
Cheers, and good luck on your upgrade!
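The state-table argument in the answer above, worked through as a small Python model. This is an added illustration, not code from the original thread or from any Cisco product: it models a stateful firewall with a fixed-size session table and an upstream router that applies a per-source limit on new connections, which stands in for the inbound ACL/shaping the answer recommends. Table size, the rate limit and the sample traffic are constructed values chosen to make the effect visible.

```python
"""Toy model of session-state-table exhaustion and an upstream rate limit.

Added example, not part of the original thread. Capacity, per-source limit
and the traffic mix below are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Firewall that keeps one entry per inbound connection, up to `capacity`.

    Once the table is full every new connection is dropped, including
    legitimate ones, which is the failure mode the answer describes.
    """
    capacity: int
    table: set = field(default_factory=set)
    dropped: int = 0

    def admit(self, flow):
        if flow in self.table:          # existing session, nothing to allocate
            return True
        if len(self.table) >= self.capacity:
            self.dropped += 1           # table exhausted: connection refused
            return False
        self.table.add(flow)
        return True


@dataclass
class EdgeRouter:
    """Stand-in for the edge router: caps new connections per source address.

    A real deployment would express this as an inbound ACL plus policing or
    shaping on the ISP-facing interface; the counter here is the simplified
    equivalent (assumption of this example, not a product feature).
    """
    max_new_per_source: int
    seen: Counter = field(default_factory=Counter)
    filtered: int = 0

    def forward(self, flow):
        src = flow[0]
        if self.seen[src] >= self.max_new_per_source:
            self.filtered += 1          # excess from one source never reaches the firewall
            return False
        self.seen[src] += 1
        return True


def build_traffic():
    """Constructed sample: one source opening 500 bogus connections to the
    same destination, followed by 50 distinct legitimate clients."""
    flood = [("198.51.100.7", 40000 + i, "203.0.113.10", 443) for i in range(500)]
    legit = [(f"192.0.2.{i}", 50000, "203.0.113.10", 443) for i in range(1, 51)]
    return flood + legit


def run(with_router_limit):
    """Replay the sample traffic and report how many legitimate clients got in."""
    fw = StatefulFirewall(capacity=200)
    router = EdgeRouter(max_new_per_source=20) if with_router_limit else None
    legit_ok = 0
    for flow in build_traffic():
        if router is not None and not router.forward(flow):
            continue
        admitted = fw.admit(flow)
        if flow[0].startswith("192.0.2.") and admitted:
            legit_ok += 1
    return {
        "legit_admitted": legit_ok,
        "firewall_dropped": fw.dropped,
        "router_filtered": router.filtered if router else 0,
    }


if __name__ == "__main__":
    print("firewall at the edge:     ", run(with_router_limit=False))
    print("router in front of it:    ", run(with_router_limit=True))
```

With the firewall alone, the 500 bogus connections fill the 200-entry table and all 50 legitimate clients are refused. With the per-source cap in front of it, only 20 of the bogus connections ever reach the firewall, the table stays at 70 entries, and every legitimate client is admitted. The model ignores session timeouts and SYN-cookie style defences that real firewalls have, so the numbers illustrate the mechanism rather than any specific product's limits.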