Router solutions for merging two networks

Here is my situation.  

Dept A of my company looks like the following

INTERNET ---------- Router (2600) ------- PIX (515) -------- Frame Router (1720) ---------- 2 2950 Switches
                                                                                               -                -
                                                                                               -                -
                                                                                               -                -
                                                                                         Remote           Remote
                                                                                          Site A              Site B

Dept B

INTERNET ----------- CABLE MODEM --------------- Store bought switches (hubs really).

I want to move Dept B to Dept A's 2950 switches and separate the networks via Vlans.  No problems there, that is easy enough.  Dept B would also like to keep its Cable Connection, and point everyone in Dept B out the Cable Modem to get access to the Internet.  Everyone in Dept A will still go out the Internet Router.  

I need suggestions on possible solutions.  The only one I can come up with is to buy a better router inside the PIX for the Frame Connection, but to also have an interface that goes out the cable side as well (any suggestions on a good router for this, and I'm all ears).  

Of course, the issue with this is that the PIX isn't protecting Dept B.  Can I use another interface on the PIX and have it attached to the cable modem?  I know I'd have to watch out for Nat in this case.  

I'm open to discussion/suggestions.  Look forward to hearing what all you have to say.

2 Solutions
A couple of approaches that you can explore..
Limitations of the existing hardware:
  - the PIX can have one and only one default gateway
  - The 1720 only has one Ethernet port
  - The 2600 probably only has one Ethernet port

Capabilities of the existing hardware:
  - switches do VLANs (great idea, by the way)
  - 1720 does trunking of VLANs
  - PIX 515 does VLANs
  - 1720 does policy routing
  - 2600 does policy routing
  - PIX can be configured to differentiate Dept A and Dept B to the 2600 (different NAT/PAT addresses)

I would assume that the current PIX and Internet connection will fully support the users of Dept B, but they still want to feel some autonomy and be able to claim their own Internet connection.
Some possible solutions:
Scenario 1:
  Setup the VLANs on the 2950, trunking on the 1720 to route between Dept B and Dept A
  Put a new firewall device (another PIX 506e perhaps) in VLAN B with them, connected to cable modem
  Users are pointed to the 1720 vlan subinterface as their default gateway
  1720 uses policy routing to send their Internet bound traffic out the cable, via the new PIX506e
  Downside is that if the cable is out, no failover to the primary connection through Dept A
  Downside is that you now have two firewalls to support
  That can be fixed with an upgrade to the 1720 to support SAA probes and advanced static routing. That might require a new feature set (possibly Enterprise) and memory upgrade to support the features. Might be more cost effective to just buy a new router there, maybe a new Cisco 2811.

Scenario 2:
  Put a switch between the 2600 and the PIX that can do VLAN's
  Setup trunking on the 2600 LAN
  Setup the PIX to differentiate Dept A and Dept B with different NAT/PAT addresses
  Setup policy-based routing on the 2600 to send Internet traffic from Dept A through the primary (T1, I suppose) connection, and anything originating from Dept B, NAT it a second time and send it out the Cable modem.
  Same downside of not being able to do anything dynamic with the cable modem to provide failover routing if the cable is out. Same upgrade path, new 2811 setup for SAA probes.
  Upside is that you only have to upgrade the 2600, and you have only one PIX to manage/maintain

Scenario 3:
  Upgrade the PIX to 7.0(1) that can do policy routing and handle dual default gateways
  Let the PIX do all the work using dual outside interfaces. One connected to 2600, one connected to cable modem.

Since the new PIX 7.0(1) was just released, and it may require a memory upgrade, this might be the most risky solution, mainly because it takes advantage of a host of "new" features of the PIX that have not been extensively tested / documented yet. In the long run, it may be the "best" solution..

I'd like to hear other approaches as well....

I don't think another PIX interface is a workable approach.  If you can put another Ethernet interface on the 2600 to hook up the cable modem, you can NAT Dept B to a different (private?) external address on the PIX and have the 2600 (or something a little beefier) route traffic from that address out to the cable modem.  (The 2600 will also need to recognize that as an internal address to be forwarded to the PIX and not kicked out the default route to the Internet....)

neowolf219Author Commented:
I've actually been contemplating what PennGwyn has said, mainly because that's the only way I know how :)

If I NAT Dept B to a different address on the PIX than Dept A, then upgrade the Internet Router to have an extra interface pointing toward the cable modem, policy routing isn't that big of a deal.  

I've convinced these guys to upgrade a router at one of their remote sites to a 1721 (don't even ask what they were using prior).  But if I can convince them to purchase, say, a 2800 router, I'll take their current Internet router and replace it with the old router at the remote site.  Because of this, another low end PIX probably won't be a solution, even though it is an excellent and completely feasible solution.  

From looking above, both you guys are on the same path.  My question is, do I need the switch sitting in front of the PIX (lrmoore, scenario 2)?  I've got a meeting but I'm going to sit down and draw all this out later this evening.  If I have a revelation I'll post here, and, as always, I welcome ANY comments.

Thanks for your time guys!
In my scenario #2, yes a VLAN capable switch would be required, but only because you have just one LAN interface and you need to plug 3 devices in (PIX, router, cable modem).
if you upgrade the 2600 to something with dual interfaces, then the switch no longer is necessary.
The only downside to policy routing is that there is no failover. Without failover, what is the justification for having dual connections? We get around that with SAA probes:
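Worked configuration for lrmoore's scenario 2 as the author intends to build it (Internet router upgraded to a box with two LAN interfaces, so no VLAN switch in front of the PIX), with the SAA-probe failover from the comment above folded in. This is an added example, not config posted by anyone in the thread, and every address, interface name, ACL name and route-map name in it is invented: the PIX outside segment is 192.168.100.0/24 with the PIX at .2 and the router at .1, the PIX PATs Dept A (VLAN A, 10.10.0.0/24) to 192.168.100.10 and Dept B (VLAN B, 10.20.0.0/24) to 192.168.100.20, the cable modem hands the router 10.0.0.2/24 with the cable gateway at 10.0.0.1, and the T1 is Serial0/0. The PIX lines use 6.x `nat`/`global` syntax; the router lines use the later `ip sla`/`track` syntax (on 12.3-era IOS the probe is configured under `rtr` instead, and `set ip next-hop verify-availability ... track` needs a feature set that supports object tracking, which is the upgrade lrmoore is describing).

```cisco
! ===== PIX 515, 6.x syntax: one PAT address per department =====
! Dept A (VLAN A, reached via the 1720) leaves the PIX as 192.168.100.10
nat (inside) 1 10.10.0.0 255.255.255.0
global (outside) 1 192.168.100.10
! Dept B (VLAN B, also behind the 1720) leaves the PIX as 192.168.100.20
nat (inside) 2 10.20.0.0 255.255.255.0
global (outside) 2 192.168.100.20
! the PIX still has a single default gateway: the Internet router
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

! ===== Internet router (2600/2800), dual LAN interfaces =====
! Probe the cable gateway every 10 seconds from the cable-facing interface;
! "track 1" goes down when the cable side stops answering.
ip sla 1
 icmp-echo 10.0.0.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Dept B is identified by the PAT address the PIX gives it; nothing else
! on the 192.168.100.0/24 segment matches, so Dept A is never policy-routed.
ip access-list extended DEPTB-TO-INTERNET
 remark Dept B as seen by this router = PIX PAT address for VLAN B
 permit ip host 192.168.100.20 any
!
! Policy route Dept B toward the cable gateway only while track 1 is up.
! If the probe fails, the "set" is skipped and the packet falls through to
! the normal routing table, i.e. the T1 default route (the failover lrmoore
! describes). Dept A is not matched and always uses the routing table.
route-map CABLE-FOR-DEPTB permit 10
 match ip address DEPTB-TO-INTERNET
 set ip next-hop verify-availability 10.0.0.1 1 track 1
!
interface FastEthernet0/0
 description LAN side, toward PIX outside (192.168.100.2)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip policy route-map CABLE-FOR-DEPTB
!
interface FastEthernet0/1
 description Cable modem
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
!
interface Serial0/0
 description T1 to ISP (primary Internet, Dept A)
!
! Second NAT for Dept B: translation happens only for packets that enter a
! "nat inside" interface and leave a "nat outside" one, so Dept A's traffic
! out Serial0/0 (not marked nat outside) is left untouched.
ip nat inside source list DEPTB-TO-INTERNET interface FastEthernet0/1 overload
!
! Existing default route for everything that is not policy-routed.
ip route 0.0.0.0 0.0.0.0 Serial0/0
```

Two checks worth doing before calling it done. First, PennGwyn's point about the return path: 192.168.100.20 is on the router's connected segment here, so replies from the cable side are forwarded back to the PIX by the connected route; if the PIX uses PAT addresses from a block that is not on that segment, add a static route for that block pointing at 192.168.100.2 or the router will send the replies out the default route. Second, the failover only works if Dept B's PAT address is usable on the T1 path: with a private 192.168.100.20 the router would also need NAT on Serial0/0 for the fallback case, whereas if the PIX PATs Dept B to a public address from the T1 block nothing extra is needed. `show track 1` and `show ip sla statistics 1` confirm the probe is running, and `debug ip policy` (on a quiet box) shows which packets the route-map is actually diverting.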
neowolf219Author Commented:
Ahhh ... gotcha.  I'll read that link later.  Good job guys.  That's what I needed (now just have to make it work ... the fun part :) )