Best way to split a T1 to the internet

Hi,

We are looking at options to split our T1 and make it accessible to 4 different networks for the WAN traffic.

The option we are considering currently is:


                                     --> firewall1 --> nw1
T1 -> Hispeed full - HUB ---> firewall2 --> nw2
                                    ---> firewall3 --> nw3
                                    ---> firewall 4 --> nw4

The traffic is not that high so this is feasible in terms of bandwidth utilization.
Any thoughts or suggestions on this?
damehtaAsked:
rsivanandanCommented:
I used to manage 4 private T1s and an internet T1 with a Cisco 2811 router and a Cisco 1750 router, and it worked just great for us. In your case, what is the HUB doing there, and also do you intend to have 4 firewalls?

Something like this;

T1-------1750Router---------PIX-------------2811----4T1s

I mean, if it is coming to your central location, cost wise I would just have all of them go through a single firewall since the traffic is not much as per you.

What networking devices are you having for this?

Cheers,
Rajesh
damehtaAuthor Commented:
I am trying to split the T1 so that 4 different networks can access it. The 4 firewalls are for the 4 networks and the idea behind the hub is that the 4 firewalls can be reached from the WAN side with a public IP.

T1 --- 1750 ----PIX----3550---LAN1
                 ----TZ170--2950---LAN2
                 ----PIX ---2950---LAN3
                 ----PIX---2950---LAN4

This could probably be achieved by VLAN on the switches behind 1 firewall, but that is not an option due to management reasons
damehtaAuthor Commented:
T1 --- 1750 --HUB---PIX----3550---LAN1
                          ----TZ170--2950---LAN2
                          ----PIX ---2950---LAN3
                          ----PIX---2950---LAN4
The--CaptainCommented:
Does the 1750 support traffic shaping?  That would be my only immediate concern with your proposed layout.

Cheers,
-Jon
damehtaAuthor Commented:
I am not sure about that, I can double check with the provider, it is their managed router.

Out of curiosity, how would that affect the proposed layout?
jeffkellCommented:
Your router should be able to take a trunk interface.
On your switch(es), define each of the 4 networks as different vlans.
Feed a trunk to the router, the router can define 4 subinterfaces, one for each vlan, as if you had four inside interfaces on the router.

If you have a 3550 (which is layer 3) it could do the routing beforehand, but if not, a 1750 should do subinterfaces just fine (which IOS version)?
damehtaAuthor Commented:
Thanks Jeff, but like I mentioned in one of the comments earlier, VLAN is not an option due to infrastructure management reasons.
jeffkellCommented:
Sorry, missed that part.

Why a hub?  Why not a switch?  Firewall outside interfaces into the switch, switch tags the vlans on trunk to the router?

You need the outside interfaces of all four firewalls on the same subnet?  or different subnets?

Or am I missing something else in your requirements?
damehtaAuthor Commented:
Since there are no VLANs in the picture, and no subnetting involved other than that provided by the ISP, will a hub find all 4 firewall outside interfaces?
jeffkellCommented:
You're saying you want to "make it accessible to 4 different networks for the WAN traffic".  What are the IPs/subnets of the four networks, and your router inside IP/subnet?  You have at least four subnets if you have four networks.

Maybe it's just a problem with wording... when I say "subnet" I really mean a "network", e.g., 192.168.1.0/24.
Somebody has to route somewhere, at some point; what is the default gateway for your firewalls?
damehtaAuthor Commented:
Say for example,

Router(1750) - a.b.c.1

FW1 outside - a.b.c.2 gw - a.b.c.1 inside - 192.168.1.0/24
FW2 outside - a.b.c.3 gw - a.b.c.1 inside - 192.168.2.0/24
FW3 outside - a.b.c.4 gw - a.b.c.1 inside - 192.168.3.0/24
FW1 outside - a.b.c.5 gw - a.b.c.1 inside - 192.168.4.0/24
jeffkellCommented:
Sure, that will work with a hub or switch as long as your a.b.c.1 is at least an a.b.c.0/29 or larger, and you have static routes in your 1750:

ip route 192.168.1.0 255.255.255.0 a.b.c.2
ip route 192.168.2.0 255.255.255.0 a.b.c.3
ip route 192.168.3.0 255.255.255.0 a.b.c.4
ip route 192.168.4.0 255.255.255.0 a.b.c.5

jeffkellCommented:
(Unless you are doing NAT in your firewalls and NATing into the outside interface, in which case you don't need routing at all).
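Jeff's addressing plan and static routes, together with the NAT caveat above, can be sanity-checked before anything is typed into the 1750. This is an added example, not code from the thread: it uses the constructed documentation block 203.0.113.0/29 in place of the ISP's a.b.c.0/29, and the helpers check_plan and static_routes are hypothetical names.

```python
"""Check a shared-T1 addressing plan and emit the router's static routes.
Added example; 203.0.113.0/29 (RFC 5737) stands in for the ISP's a.b.c.0/29."""
import ipaddress
from itertools import combinations

# Constructed plan mirroring the thread: router .1, firewall outside addresses
# .2-.5, one RFC 1918 inside network each; last field = firewall NATs to its
# outside IP (then, as noted in the thread, no static route is needed).
WAN_SUBNET = "203.0.113.0/29"
ROUTER_IP = "203.0.113.1"
FIREWALLS = [
    ("FW1", "203.0.113.2", "192.168.1.0/24", False),
    ("FW2", "203.0.113.3", "192.168.2.0/24", False),
    ("FW3", "203.0.113.4", "192.168.3.0/24", True),
    ("FW4", "203.0.113.5", "192.168.4.0/24", False),
]


def check_plan(wan_subnet, router_ip, firewalls):
    """Return a list of problems; an empty list means the plan is consistent."""
    wan = ipaddress.ip_network(wan_subnet, strict=True)
    hosts = [ipaddress.ip_address(router_ip)] + [ipaddress.ip_address(fw[1]) for fw in firewalls]
    problems = []
    # Router plus every firewall outside interface must fit in the ISP block:
    # a /29 has 6 usable hosts and this layout needs 5, hence "/29 or larger".
    usable = wan.num_addresses - 2
    if usable < len(hosts):
        problems.append(f"{wan} has {usable} usable hosts, need {len(hosts)}")
    for h in hosts:
        if h not in wan or h in (wan.network_address, wan.broadcast_address):
            problems.append(f"{h} is not a usable host address in {wan}")
    if len(set(hosts)) != len(hosts):
        problems.append("two devices share an outside address")
    # Inside networks must not overlap, or the router cannot pick one next hop.
    insides = {fw[0]: ipaddress.ip_network(fw[2], strict=True) for fw in firewalls}
    for (n1, a), (n2, b) in combinations(insides.items(), 2):
        if a.overlaps(b):
            problems.append(f"{n1} {a} overlaps {n2} {b}")
    return problems


def static_routes(firewalls):
    """Cisco 'ip route' lines for each firewall that routes (not NATs) inside."""
    lines = []
    for _name, outside, inside, nats in firewalls:
        if nats:  # replies already return to the firewall's own outside IP
            continue
        net = ipaddress.ip_network(inside, strict=True)
        lines.append(f"ip route {net.network_address} {net.netmask} {outside}")
    return lines
```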

rsivanandanCommented:
Yep, looks like you are good to go and have taken care of most of it. You'll have to make sure to regularly check the 'hub' component and see if you're still okay and all greeny..

Cheers,
Rajesh
damehtaAuthor Commented:
Rajesh,

that's the only concern I had with a hub - collisions. Do you know of a better way to do this without VLANs?
jeffkellCommented:
Use a switch.  If you have some spare ports on one of those 2950s, just put them on an unused vlan to create a "virtual switch" and plug in your firewalls and router.  You're all set without having to buy another switch.
rsivanandanCommented:
With traffic aggregating on the hub, I mean, you'll have to watch it. It is not about VLANs; anyway, since you have different subnets, L3 broadcasts are taken care of to an extent except for the hub stage. Man, I hate hubs... they make life hell.... :-(

But if you have a good hub (a new one is a good one for hubs, just me :-)), that should take care of it.

Cheers,
Rajesh
The--CaptainCommented:
>>Does the 1750 support traffic shaping?  That would be my only immediate concern with your proposed layout.

>I am not sure about that, i can double check with the provider, it is their managed router.
>
>Out of curiosity, how would that affect the proposed layout?

Not at all.  You might want traffic shaping options in case one of the networks starts consuming an inordinate portion of your total bandwidth.  The physical layout would not change - either the edge device can rate-limit specific traffic, or it can't...

With regard to the arguments against having a hub connecting the 1750 to the firewalls - indeed, a 5-port switch is so cheap that it is hard to justify a course of action that does not include replacing the hub with a switch - however, a switch really helps when multiple machines need to connect to one another (ports 1 and 5 can talk to each other at the same time ports 2 and 4 are talking to each other, which is not possible with a hub) - not so much of a benefit when 4 machines all need to connect to the same other machine.

Cheers,
-Jon