Solved

Routing and Switching: VLAN & Traffic Shaping.

Posted on 2006-07-08
4
1,546 Views
Last Modified: 2013-11-16
Hi All,

Hope this mail finds you all in good health and high spirits.

Comming to my query.


I have in my network:


Internet Router - Serial going to Leased Line.
E1 connecting to the Pix 515 3FE
E2 connecting to ADSL 1
E3 Connecting to ADSL 2
E4 Connecting to ADSL 3


Ethernet from Router E1 Connects to Pix Outside.


Pix Inside Connects to Proxy ISA Server.


Proxy ISA Server connects to CAT 4500 Switch with VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50.



Requirement:


All internet WWW/FTP traffice to go through ADSL Lines.

VLAN 10 to go through ADSL 1
VLAN 20 to go through ADSL 2
VLAN 30,40,50 to go through ADSL 3.



Does the network design sound workable. If so any supporting docs for refrence.


Please feel free to email for further queries.


Rgds.

TA

0
Comment
Question by:tsdelvi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Frabble
ID: 17064567
Assuming it's a Cisco router, then you'll use Policy-based routing.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

You would create a policy and apply it to E1. The policy matches the source address with a whichever network and forwards to the required next hop gateway for ADSL 1, 2 or 3

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17064785
For sure this can be done using PBR but you have to understand the fact that, if you do the NAT on the PIX then, the router won't know or can't differentiate between these. So natting has to be done at the router in this case and only then you can divert traffic based on the subnet. What this tells is, if you want to terminate a vpn tunnel on the PIX then it wouldn't be possible.

Cheers,
Rajesh
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 17064887
It is absolutely not workable.
Since only the T1 connects to the router the PIX would then have to make all the advanced routing decisions and it simply does not "do" PBR. The PIX can only have one default route and, for example, to send all www->any traffic to DSL 1 means DSL1 must be the default gateway, else the destination IP is all that matters and if that IP does not have a specified route out a specific interface then there is no choice but to toss it out to the default.

If they all connected to the router, then the router can make those types of policy based decisions and have multiple next-hops for specified traffic. Just not the PIX.

If they did all connect to the router, and you let the PIX do the NAT, then you can only nat to the public IP of your primary line and the router would have to double-nat all other traffic depending on what interface it goes out. It is easy enough to create separate nat/globals for each internal vlan so that your router knows which vlan generates the traffic that it needs to make routing decisions on.
0
 
LVL 15

Expert Comment

by:Frabble
ID: 17064959
> if you do the NAT on the PIX then, the router won't know or can't differentiate between these.

If you NAT on the PIX then source NAT to a different address based on the internal network. Apply PBR as mentioned. Source NAT again on router if required.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question