couple of questions

alsayed
Level 1

Hi

1) I read a post in this wonderful forum that you should install dedicated switches between the outside interface of the ASA and the inside interface of the edge routers to avoid ARP poisoning? What is that? Please explain.

2) In a multihoming environment, what is the difference between provider independent and the second one?

3) Does Cisco develop a BGP multihoming article that describes dual ISP, dual router, dual ASA active/active?

Thank you guys, and thanks Cisco for this great forum.

2 Replies

Jon Marshall
Hall of Fame

Ali

1) Do you mean ARP poisoning? To be honest I haven't heard this used as an argument that much for a separate switch between firewall and router, as ARP poisoning works at layer 2 and so the attacker would need to be on the actual network.

There are however good reasons for using a dedicated switch, i.e. if you misconfigure something like VLANs on a dedicated switch then you only mess up the internet connectivity. If you are using a single switch for outside/DMZ and maybe inside then a misconfiguration can have far more serious consequences.

Perhaps you could post the link to the thread you were reading?

2) By provider independent do you mean IP addressing? If so, when you have connections to multiple ISPs provider independent addressing is a huge plus because both ISPs will advertise the same network. So you can set up your NAT translations for DMZ servers etc. and if one ISP goes down then the traffic is simply routed via the other ISP. It also means if you move to another ISP you do not have to set up your NAT translations with new addressing.

Compare this with addressing provided by the ISP. If you have 2 ISPs and they each provide you with a block of addresses, then which ones do you use for NAT? Each ISP is unlikely to want to advertise the other's block as this goes against summarized addressing, so you have a problem if the ISP whose IPs you are using fails because your NATs are now not reachable.

3) See the following docs -

Enterprise Multihoming with NAT

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml

BGP Multihoming to 2 different providers

http://www.cisco.com/en/US/customer/tech/tk365/technologies_configuration_example09186a008009456d.shtml

Enterprise SAFE reference design document (specifically chapter on Enterprise Internet Edge)

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html

Jon
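An added illustration of the provider-independent approach Jon describes, with the NAT and BGP pieces shown on the edge router rather than the ASA; this is constructed example configuration, not from the thread or the linked Cisco documents. The hostname, interface names, prefixes (RFC 5737 documentation ranges) and AS numbers (RFC 6996 private range) are placeholders.

```cisco
! Constructed example (not from the thread or the linked Cisco docs).
! Site owns the provider-independent block 203.0.113.0/24 (RFC 5737
! documentation prefix); ASNs are RFC 6996 private ASNs used as
! placeholders. ISP links use 192.0.2.0/30 and 198.51.100.0/30.
!
hostname EDGE-A
!
interface GigabitEthernet0/0
 description Uplink to ISP-A
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Uplink to ISP-B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description Link to ASA outside interface (private transit /30)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! Aggregate route so the BGP "network" statement has a matching route;
! the more-specific route towards the ASA carries the real traffic.
ip route 203.0.113.0 255.255.255.0 Null0
ip route 10.1.1.0 255.255.255.0 10.0.0.2
!
! One static NAT per DMZ server, taken from the PI block. Because both
! ISPs advertise 203.0.113.0/24, this translation stays reachable when
! either ISP fails. With provider-assigned space you would need one
! translation per ISP block, and the translation inside the failed
! ISP's block would no longer be reachable from the internet.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Only ever announce our own block: this stops one ISP's routes leaking
! to the other and the site accidentally becoming a transit AS.
ip prefix-list OWN-PI seq 5 permit 203.0.113.0/24
!
router bgp 64512
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64601
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 prefix-list OWN-PI out
 neighbor 198.51.100.1 remote-as 64602
 neighbor 198.51.100.1 description ISP-B
 neighbor 198.51.100.1 prefix-list OWN-PI out
```

Both ISPs receive the same /24, so the ASA and its DMZ translations keep the same public addresses whichever uplink is carrying traffic, which is the point Jon makes about PI space.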

Thanks Jon for your answers. Have you done a project with 2 ISPs for load sharing, e.g. to make both links pass traffic? If so, please share your final idea.

Thanks
