Router solutions for merging two networks

Posted on 2005-04-12
Last Modified: 2012-05-05
Here is my situation.  

Dept A of my company looks like the following

INTERNET ---------- Router (2600) ------- PIX (515) -------- Frame Router (1720) ---------- 2 2950 Switches
                                                                                               -                -
                                                                                               -                -
                                                                                               -                -
                                                                                         Remote           Remote
                                                                                          Site A              Site B

Dept B

INTERNET ----------- CABLE MODEM --------------- Store bought switches (hubs really).

I want to move Dept B to Dept A's 2950 switches and separate the networks via Vlans.  No problems there, that is easy enough.  Dept B would also like to keep its Cable Connection, and point everyone in Dept B out the Cable Modem to get access to the Internet.  Everyone in Dept A will still go out the Internet Router.  

I need suggestions on possible solutions.  The only one I can come up with is to buy a better router inside the PIX for the Frame Connection, but to also have an interface that goes out the cable side as well (any suggestions on a good router for this, and I'm all ears).  

Of course, the issue with this is that the PIX isn't protecting Dept B.  Can I use another interface on the PIX and have it attached to the cable modem?  I know I'd have to watch out for NAT in this case.  

I'm open to discussion/suggestions.  Look forward to hearing what all you have to say.

Question by: neowolf219

    Expert Comment (LVL 79)

    A couple of approaches that you can explore...
    Limitations of the existing hardware:
      - the PIX can have one and only one default gateway
      - The 1720 only has one Ethernet port
      - The 2600 probably only has one Ethernet port

    Capabilities of the existing hardware:
     - switches do VLANs (great idea, by the way)
     - 1720 does trunking of VLANs
     - PIX 515 does VLANs
     - 1720 does policy routing
     - 2600 does policy routing
     - PIX can be configured to differentiate Dept A and Dept B to the 2600 (different NAT/PAT addresses)

    I would assume that the current PIX and Internet connection will fully support the users of Dept B, but they still want to feel some autonomy and be able to claim their own Internet connection.
    Some possible solutions:
    Scenario 1:
      Set up the VLANs on the 2950, trunking on the 1720 to route between Dept B and Dept A
      Put a new firewall device (another PIX 506e perhaps) in VLAN B with them, connected to cable modem
      Users are pointed to the 1720 VLAN subinterface as their default gateway
      1720 uses policy routing to send their Internet bound traffic out the cable, via the new PIX 506e
      Downside is that if the cable is out, no failover to the primary connection through Dept A
      Downside is that you now have two firewalls to support
      That can be fixed with an upgrade to the 1720 to support SAA probes and advanced static routing. That might require a new feature set (possibly Enterprise) and memory upgrade to support the features. Might be more cost effective to just buy a new router there, maybe a new Cisco 2811.

    Scenario 2:
      Put a switch between the 2600 and the PIX that can do VLANs
      Set up trunking on the 2600 LAN
      Set up the PIX to differentiate Dept A and Dept B with different NAT/PAT addresses
      Set up policy-based routing on the 2600 to send Internet traffic from Dept A through the primary (T1, I suppose) connection, and anything originating from Dept B, NAT a second time and send out the Cable modem.
      Same downside of not being able to do anything dynamic with the cable modem to provide failover routing if the cable is out. Same upgrade path, new 2811 setup for SAA probes.
      Upside is that you only have to upgrade the 2600, and you have only one PIX to manage/maintain

    Scenario 3:
      Upgrade the PIX to 7.0(1), which can do policy routing and handle dual default gateways
      Let the PIX do all the work using dual outside interfaces. One connected to 2600, one connected to cable modem.

    Since the new PIX 7.0(1) was just released, and it may require a memory upgrade, this might be the most risky solution, mainly because it takes advantage of a host of "new" features of the PIX that have not been extensively tested / documented yet. In the long run, it may be the "best" solution..

    I'd like to hear other approaches as well....
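The "different NAT/PAT addresses" step that Scenario 2 relies on (the PIX hands Dept A and Dept B to the 2600 with distinguishable source addresses, so the router never needs to know about the inside VLANs), written out as an added example. This is not configuration from the original thread; it assumes PIX OS 6.3 syntax, documentation addresses (192.0.2.0/29 on the PIX/router link, with .3 for Dept A and .4 for Dept B), inside subnets 10.1.1.0/24 (Dept A) and 10.1.2.0/24 (Dept B) reached through the 1720 at 10.1.0.2. All of those addresses and names are assumptions for illustration.

```cisco
! Added example (not from the thread). PIX OS 6.3 syntax assumed.
! All addresses are documentation ranges chosen for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
!
! Both departments sit behind the 1720 (assumed 10.1.0.2), which routes
! between the Dept A and Dept B VLANs; tell the PIX where each subnet lives.
route inside 10.1.1.0 255.255.255.0 10.1.0.2 1
route inside 10.1.2.0 255.255.255.0 10.1.0.2 1
!
! Separate NAT IDs: Dept A PATs to 192.0.2.3, Dept B PATs to 192.0.2.4.
! The 2600 can then policy-route on source address alone. Both departments
! still pass through this one firewall whichever uplink they end up on.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.3
nat (inside) 2 10.1.2.0 255.255.255.0 0 0
global (outside) 2 192.0.2.4
!
! The PIX keeps its single default gateway, the 2600.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Check it with `show xlate` on the PIX: a Dept B host's connections should appear as translations to 192.0.2.4 and Dept A's to 192.0.2.3. If a Dept B translation shows up on .3, the nat/global ID pairing or a subnet mask is wrong, and the 2600 will quietly send that traffic out the T1 instead of the cable with no error anywhere.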

    Assisted Solution (LVL 11)

    I don't think another PIX interface is a workable approach.  If you can put another Ethernet interface on the 2600 to hook up the cable modem, you can NAT Dept B to a different (private?) external address on the PIX and have the 2600 (or something a little beefier) route traffic from that address out to the cable modem.  (The 2600 will also need to recognize that as an internal address to be forwarded to the PIX and not kicked out the default route to the Internet....)

    Author Comment (LVL 3)

    I've actually been contemplating what PennGwyn has said, mainly because that's the only way I know how :)

    If I NAT Dept B to a different address on the PIX than Dept A, then upgrade the Internet Router to have an extra interface pointing toward the cable modem, policy routing isn't that big of a deal.  

    I've convinced these guys to upgrade a router at one of their remote sites to a 1721 (don't even ask what they were using prior).  But if I can convince them to purchase, say, a 2800 router, I'll take their current Internet router and replace it with the old router at the remote site.  Because of this, another low end PIX probably won't be a solution, even though it is an excellent and completely feasible solution.  

    From looking above, both you guys are on the same path.  My question is, do I need the switch sitting in front of the PIX (lrmoore, scenario 2)?  I've got a meeting but I'm going to sit down and draw all this out later this evening.  If I have a revelation I'll post here, and, as always, I welcome ANY comments.

    Thanks for your time guys!

    Accepted Solution (LVL 79)

    In my scenario #2, yes, a VLAN-capable switch would be required, but only because you have just one LAN interface and you need to plug 3 devices in (PIX, router, cable modem).
    If you upgrade the 2600 to something with dual interfaces, then the switch is no longer necessary.
    The only downside to policy routing is that there is no failover. Without failover, what is the justification for having dual connections? We get around that with SAA probes:
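The router half of Scenario 2, with the SAA-probe failover the accepted solution refers to folded in, as an added example that is not from the thread or from the link the expert had in mind. It assumes a router with two Ethernet ports (the 2811 mentioned above; on a single-port 2600 the two Ethernet interfaces below would instead be dot1q subinterfaces on the trunk to the VLAN switch), IOS 12.3(4)T-era syntax (`rtr` for SAA, `track`, and `set ip next-hop verify-availability ... track`), and documentation addresses: the PIX link 192.0.2.0/29 with Dept B's PAT address 192.0.2.4, a cable gateway at 198.51.100.1 with a static 198.51.100.2 on the router, and a T1 on Serial0/0. Every interface name and address here is an assumption.

```cisco
! Added example (not from the thread). IOS 12.3(4)T-era syntax assumed;
! on 12.4 "rtr" becomes "ip sla monitor", and later "ip sla".
ip cef
!
! SAA probe: ping the cable provider's gateway (assumed 198.51.100.1) every
! 10 seconds from the cable-facing interface. "track 1" goes down when the
! probe fails, which is what drives the failover below.
rtr 1
 type echo protocol ipIcmpEcho 198.51.100.1 source-interface FastEthernet0/1
 timeout 1000
 frequency 10
rtr schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
interface Serial0/0
 description T1 to primary ISP (Dept A's path, and Dept B's fallback)
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description Link to the PIX outside interface
 ip address 192.0.2.1 255.255.255.248
 ip nat inside
 ip policy route-map DEPTB-VIA-CABLE
!
interface FastEthernet0/1
 description Cable modem (assumed static allocation from the cable provider)
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
! Dept B is recognisable only by the PAT address the PIX gave it.
ip access-list extended DEPTB-SRC
 permit ip host 192.0.2.4 any
!
! Policy routing: Dept B goes to the cable gateway while track 1 is up.
! If the probe fails, the "set" is skipped and the packet falls through to
! the routing table, i.e. the T1 default route. Dept A never matches and
! is never policy-routed.
route-map DEPTB-VIA-CABLE permit 10
 match ip address DEPTB-SRC
 set ip next-hop verify-availability 198.51.100.1 10 track 1
!
! The "second NAT" from Scenario 2: only Dept B's PIX address, and only when
! it leaves via the cable interface, is translated again to the cable
! address. During failover out the T1 it stays 192.0.2.4, which is fine as
! long as 192.0.2.0/29 is routed to this router by the T1 provider.
route-map DEPTB-NAT permit 10
 match ip address DEPTB-SRC
 match interface FastEthernet0/1
ip nat inside source route-map DEPTB-NAT interface FastEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
```

Verify with `show track 1` (state Up), `show route-map DEPTB-VIA-CABLE` (the policy-routed counter climbs as Dept B browses) and `show ip nat translations` (Dept B entries translated to 198.51.100.2). Pull the cable modem and `show track 1` should flip to Down after roughly one probe interval plus the timeout, after which a `traceroute` from a Dept B host shows the T1 path. Two caveats before relying on it: the ICMP probe proves only that the cable gateway answers pings, not that the provider's upstream works, so probe something beyond the gateway if the provider tolerates it; and Dept B's established sessions break at the moment of failover, because their cable-side NAT translations do not survive the path change. The security point in this design is that Dept B is behind the PIX on either uplink, which answers the concern raised in the question about the PIX not protecting Dept B.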
    Author Comment (LVL 3)

    Ahhh ... gotcha.  I'll read that link later.  Good job guys.  That's what I needed (now just have to make it work ... the fun part :) )
