Solved

Configure routing on HP switch with 506E for 2 different VLANs and 2 different ISP's

Posted on 2008-09-29
Last Modified: 2010-04-21
Hello all,

I have a network that I am running VOIP to a VSP using Polycom 301 VOIP phones with a flavor of Asterisk. For voice quality, I would like to use 2 different VLANs, one for voice and the other for data. The data VLAN is untagged, while the voice VLAN is tagged using an HP Procurve 2650 switch.

I have 2 different ISPs, Covad with 2 T1s into a Samsung IBG2006 router and a Comcast cable modem. I would like to use the T1s for VOIP only and the cable modem for data (mostly web browsing, email from a hosting provider, etc. - no service hosting here!). Of course the static IPs from my providers are on 2 different subnets.

The issue that I have is that I have a single Cisco PIX 506E v6.2 using that I would like to use with BOTH ISPs and BOTH VLANs. I know that the PIX does not support subaddressing with this OS.

My question is: can I use the switch to do the routing from the VLANs and the ISPs for me? If so, can anyone suggest a config that would work?

I was thinking about making 4 VLANs: 2 for my internal network, voice and data (let's call them 1 and 2), and 1 for each of the ISPs' CPE (let's call them VLANs 3 and 4), connect the ISPs' ethernet handoffs to the switch, and use the switch's routing functions to route traffic to the 2 ports on the switch that are reserved for the PIX. Of course the ports for the ISPs' ethernet handoffs would have to be untagged, with every other VLAN set to "forbid" (as I don't think that I can get the Comcast SMC modem to do VLAN tagging, and would rather not mess with the Covad router if possible). I would then make the port for the PIX's inside interface a hybrid of VLANs 1 and 2, while the outside interface is connected to a hybrid port consisting of VLANs 3 and 4.

I think that this harebrained scheme will work, I just need to figure out if I can do this with the switch's routing functionality, and the best way to do the routing. I know that this isn't the best way to do this, but hey, I'm on a very tight budget here. Thanks for your help.
Question by:touchstar-brady
6 Comments
 
LVL 8

Expert Comment

by:MrJemson
ID: 22602512
You are making it very hard. I would recommend getting a second PIX.
Or at the very least another device for your second uplink.
 
LVL 10

Expert Comment

by:kyleb84
ID: 22602693
That model switch will only do static routing, nothing funky.

For the switch, create 3 VLAN interfaces and turn on routing:

; Ports 1-23 are the LAN ports: data untagged, voice tagged. Port 24 is the
; dedicated PIX uplink, so it belongs only to VLAN 5 (a port can be untagged
; in one VLAN only, and the PIX has no subinterfaces to read voice tags).
vlan 1
 name "Data"
 ip address 192.168.10.254/24
 untagged 1-23
 exit

vlan 2
 name "Voice"
 ip address 172.16.20.254/24
 tagged 1-23
 exit

vlan 5
 name "Internet"
 ip address 192.168.1.254/24
 untagged 24
 exit

; With ip routing enabled the switch ignores ip default-gateway and needs a
; static default route toward the PIX instead.
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
end

Then plug the PIX into Port 24, give the PIX a local IP of 192.168.1.1/24

- Then give both your DOCSIS modem and the T1 modem an address in the 192.168.1.0/24 range
- (For the modems) Don't forget to add a route to the 172.16.20.0 + 192.168.10 networks as the PIX.
- (For the PIX) add a route to the 172.16.20.0 + 192.168.10 networks as the HP's VLAN 5 interface.

This is where you've lost me, but I know I can do it on something like a Cisco 851 (but I'm not so good with PIX).

Option A:
Create a route map to forward all packets from the 172.16.20.0/24 network to the T1 router, and vice-versa for the 192.168.10 network

Option B (If supported):
Bridge both modems and do the PPPoE on the PIX (2 x Dialer interfaces) and do multiple NAT, something like:

! Voice subnet NATs out Dialer0, data subnet NATs out Dialer1
ip nat inside source list 22 interface Dialer0 overload
ip nat inside source list 23 interface Dialer1 overload
access-list 22 permit 172.16.20.0 0.0.0.255
access-list 23 permit 192.168.10.0 0.0.0.255

Not sure if the PIX can do the equivalent.

 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22602694
The best thing to do is to use an edge router for the multiple ISP setup.
PIXes do not allow more than one concurrent connection to an ISP - this means that you cannot run two simultaneous ISP lines off a PIX. The "multiple ISP" feature is only for backup connections in case the main connection goes down.
The best way to do it is like this:
Internet (ISP 1) ---+
                    +--> Edge router with PBR >> ASA >> Core Switch (VLANs go here) >> network
Internet (ISP 2) ---+

What I recommend instead is to route all traffic through the PIX to the edge router (assuming it can handle the load). Only have VLANs on your core switch and switches. On the ASA, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the ASA for firewall/VPN and filtering functions. Put one route in the ASA to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line. You can also load balance when using this configuration.
Cheers! I hope this helps!


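The edge-router PBR that the accepted solution (and kyleb84's "Option A" route map) describes, written out as an added Cisco IOS example that is not from the original thread. It assumes placeholder addresses (10.0.0.0/30 between the ASA outside interface and the router, 203.0.113.0/30 toward the Covad T1 router, 198.51.100.0/30 toward the Comcast modem) and that the PIX/ASA passes the internal source addresses through unchanged, so NAT is done on the router.

```text
! Added example (not from the thread): edge router selects ISP by source VLAN subnet.
! Assumed addresses (placeholders): 10.0.0.0/30 to the ASA outside interface,
! 203.0.113.0/30 toward the Covad T1 router, 198.51.100.0/30 toward the Comcast modem.
! Assumes the PIX/ASA passes internal source addresses unchanged (NAT is done here).
ip access-list extended VOICE-SRC
 permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended DATA-SRC
 permit ip 192.168.10.0 0.0.0.255 any
!
! PBR: voice subnet -> T1 next hop, data subnet -> cable next hop
route-map ISP-SELECT permit 10
 match ip address VOICE-SRC
 set ip next-hop 203.0.113.1
route-map ISP-SELECT permit 20
 match ip address DATA-SRC
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0
 description Link from ASA outside interface
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip policy route-map ISP-SELECT
!
interface FastEthernet0/1
 description Covad T1 router handoff (voice)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1/0
 description Comcast cable modem handoff (data)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! One NAT translation per ISP link, keyed on the egress interface PBR chose
route-map NAT-T1 permit 10
 match ip address VOICE-SRC
 match interface FastEthernet0/1
route-map NAT-CABLE permit 10
 match ip address DATA-SRC
 match interface FastEthernet1/0
ip nat inside source route-map NAT-T1 interface FastEthernet0/1 overload
ip nat inside source route-map NAT-CABLE interface FastEthernet1/0 overload
!
! Return path to the VLANs is via the ASA; default route for anything PBR does not match
ip route 172.16.20.0 255.255.255.0 10.0.0.2
ip route 192.168.10.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

If the PIX instead NATs everything to one outside address, the router can no longer tell voice from data by source, so either keep NAT on the router as above or give the PIX a separate NAT pool per inside subnet.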
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602701
BTW this setup is the most widely used in the industry and we have successfully implemented it in many situations for different customers. It works great and gives you the best possible throughput.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602711
Sorry, keep clicking too early.
...best possible throughput as the VLANs aren't routed across the ASA eating up its throughput. VLANs are instead routed across switches which are much faster when handling this kind of traffic. Only the necessary traffic leaves each device and this reduces wasted bandwidth on all upstream links.
 

Author Closing Comment

by:touchstar-brady
ID: 31501384
Wasn't exactly what I was looking for, only because this PIX can't do what I was looking to do. The solution was as Pugglewuggle described, and it works like a charm. Thanks all for your help.
