Solved

Routing and Switching: VLAN & Traffic Shaping.

Posted on 2006-07-08
4
1,533 Views
Last Modified: 2013-11-16
Hi All,

Hope this mail finds you all in good health and high spirits.

Comming to my query.


I have in my network:


Internet Router - Serial going to Leased Line.
E1 connecting to the Pix 515 3FE
E2 connecting to ADSL 1
E3 Connecting to ADSL 2
E4 Connecting to ADSL 3


Ethernet from Router E1 Connects to Pix Outside.


Pix Inside Connects to Proxy ISA Server.


Proxy ISA Server connects to CAT 4500 Switch with VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50.



Requirement:


All internet WWW/FTP traffice to go through ADSL Lines.

VLAN 10 to go through ADSL 1
VLAN 20 to go through ADSL 2
VLAN 30,40,50 to go through ADSL 3.



Does the network design sound workable. If so any supporting docs for refrence.


Please feel free to email for further queries.


Rgds.

TA

0
Comment
Question by:tsdelvi
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Frabble
ID: 17064567
Assuming it's a Cisco router, then you'll use Policy-based routing.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

You would create a policy and apply it to E1. The policy matches the source address with a whichever network and forwards to the required next hop gateway for ADSL 1, 2 or 3

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17064785
For sure this can be done using PBR but you have to understand the fact that, if you do the NAT on the PIX then, the router won't know or can't differentiate between these. So natting has to be done at the router in this case and only then you can divert traffic based on the subnet. What this tells is, if you want to terminate a vpn tunnel on the PIX then it wouldn't be possible.

Cheers,
Rajesh
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 17064887
It is absolutely not workable.
Since only the T1 connects to the router the PIX would then have to make all the advanced routing decisions and it simply does not "do" PBR. The PIX can only have one default route and, for example, to send all www->any traffic to DSL 1 means DSL1 must be the default gateway, else the destination IP is all that matters and if that IP does not have a specified route out a specific interface then there is no choice but to toss it out to the default.

If they all connected to the router, then the router can make those types of policy based decisions and have multiple next-hops for specified traffic. Just not the PIX.

If they did all connect to the router, and you let the PIX do the NAT, then you can only nat to the public IP of your primary line and the router would have to double-nat all other traffic depending on what interface it goes out. It is easy enough to create separate nat/globals for each internal vlan so that your router knows which vlan generates the traffic that it needs to make routing decisions on.
0
 
LVL 15

Expert Comment

by:Frabble
ID: 17064959
> if you do the NAT on the PIX then, the router won't know or can't differentiate between these.

If you NAT on the PIX then source NAT to a different address based on the internal network. Apply PBR as mentioned. Source NAT again on router if required.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Samba Question 11 75
google exe file 5 66
Cisco 2960 unable to add SFP modules to device 9 64
BGP recommended setup with failover 2 46
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question