Configure routing on HP switch with 506E for 2 different VLANs and 2 different ISPs

Hello all,

I have a network that I am running VoIP to a VSP using Polycom 301 VoIP phones with a flavor of Asterisk. For voice quality, I would like to use 2 different VLANs, one for voice and the other for data. The data VLAN is untagged, while the voice VLAN is tagged, using an HP ProCurve 2650 switch.

I have 2 different ISPs: Covad with 2 T1s into a Samsung IBG2006 router, and a Comcast cable modem. I would like to use the T1s for VoIP only and the cable modem for data (mostly web browsing, email from a hosting provider, etc. - no service hosting here!). Of course the static IPs from my providers are on 2 different subnets.

The issue that I have is that I have a single Cisco PIX 506E (v6.2) that I would like to use with BOTH ISPs and BOTH VLANs. I know that the PIX does not support subaddressing with this OS.

My question is: can I use the switch to do the routing from the VLANs and the ISPs for me? If so, can anyone suggest a config that would work?

I was thinking about making 4 VLANs: 2 for my internal network, voice and data (let's call them 1 and 2), and 1 for each of the ISPs' CPE (let's call them VLANs 3 and 4), connect the ISPs' ethernet handoffs to the switch, and use the switch's routing functions to route traffic to the 2 ports on the switch that are reserved for the PIX. Of course the ports for the ISPs' ethernet handoffs would have to be untagged, with every other VLAN set to "forbid" (as I don't think that I can get the Comcast SMC modem to do VLAN tagging, and would rather not mess with the Covad router if possible). I would then make the port for the PIX's inside interface a hybrid of VLANs 1 and 2, while the outside interface is connected to a hybrid port consisting of VLANs 3 and 4.

I think that this harebrained scheme will work; I just need to figure out if I can do this with the switch's routing functionality, and the best way to do the routing. I know that this isn't the best way to do this, but hey, I'm on a very tight budget here. Thanks for your help.

touchstar-brady asked:

Pugglewuggle commented:
The best thing to do is to use an edge router for the multiple ISP setup.
PIXes do not allow more than one concurrent connection to an ISP - this means that you cannot run two simultaneous ISP lines off a PIX. The "multiple ISP" feature is only for backup connections in case the main connection goes down.
The best way to do it is like this:
Internet ------ Edge router with PBR >> ASA >> Core Switch (VLANS go here) >> network
                                   |
Internet ----------------^

What I recommend instead is to route all traffic through the PIX to the edge router (assuming it can handle the load). Only have VLANs on your core switch and switches. On the ASA, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the ASA for firewall/VPN and filtering functions. Put one route in the ASA to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line. You can also load balance when using this configuration.
Cheers! I hope this helps!


0
MrJemson commented:
You are making it very hard. I would recommend getting a second PIX.
Or at the very least another device for your second uplink.
0
kyleb84 commented:
That model switch will only do static routing, nothing funky.

For the switch, create 3 VLAN interfaces and turn on routing:

vlan 1
 name "Data"
 ip address 192.168.10.254/24
 untagged 1-23
 exit

vlan 2
 name "Voice"
 ip address 172.16.20.254/24
 tagged 1-23
 exit

vlan 5
 name "Internet"
 ip address 192.168.1.254/24
 untagged 24
 exit

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
end

Then plug the PIX into Port 24, give the PIX a local IP of 192.168.1.1/24

- Then give both your DOCSIS modem and the T1 modem an address in the 192.168.1.0/24 range
- (For the modems) Don't forget to add a route to the 172.16.20.0 + 192.168.10 networks as the PIX.
- (For the PIX) add a route to the 172.16.20.0 + 192.168.10 networks as the HP's VLAN 5 interface.

This is where you've lost me, but I know I can do it on something like a Cisco 851(But I'm not so good with PIX).

Option A:
Create a routemap to forward all packets from the 172.16.20.0/24 network to the T1 router, and vice-versa for the 192.168.10 network

Option B (If supported):
Bridge both modems and do the PPPoE on the PIX (2 x Dialer interfaces) and do multiple NAT, something like:

ip nat inside source list 22 interface Dialer0 overload
ip nat inside source list 23 interface Dialer1 overload
access-list 22 permit 172.16.20.0 0.0.0.255
access-list 23 permit 192.168.10.0 0.0.0.255

Not sure if the PIX can do the equivalent.

0
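As an added illustration (not code from the thread or from any of the posters), here is a small Python model of the static routing kyleb84 lays out, with the source-based forwarding from Option A and Pugglewuggle's PBR-on-the-edge suggestion folded in as a per-hop policy table. The addresses are the ones in the answer above; the hop names, the policy table, the documentation-range Internet address 203.0.113.10 and the deliberately incomplete cable-modem table are assumptions made for this example.

```python
# Added example, not from the thread: trace a packet hop by hop through the
# topology kyleb84 sketched (HP switch -> PIX -> one of two modems) and show why
# each modem needs return routes for 172.16.20.0/24 and 192.168.10.0/24.
import ipaddress

def lpm(table, addr):
    """Longest-prefix match of addr over a list of (prefix, next_hop); None if no match."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

# Per-hop forwarding state (assumed hop names). "pbr" is a source-prefix policy table
# consulted before the destination routing table, i.e. policy-based routing.
# The cable modem is left WITHOUT routes to the internal networks on purpose, to show
# the failure kyleb84 warns about in his "(For the modems)" bullet.
HOPS = {
    "switch": {"routes": [("192.168.10.0/24", "local"), ("172.16.20.0/24", "local"),
                          ("192.168.1.0/24", "local"), ("0.0.0.0/0", "pix")]},
    "pix": {"routes": [("192.168.1.0/24", "local"), ("172.16.20.0/24", "switch"),
                       ("192.168.10.0/24", "switch"), ("0.0.0.0/0", "cable_modem")],
            "pbr": [("172.16.20.0/24", "t1_router")]},          # Option A: voice -> T1
    "t1_router": {"routes": [("192.168.1.0/24", "local"), ("172.16.20.0/24", "pix"),
                             ("192.168.10.0/24", "pix"), ("0.0.0.0/0", "internet")]},
    "cable_modem": {"routes": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "internet")]},
}

def trace(src, dst, start, max_hops=8):
    """Path a packet src->dst takes when it enters at hop `start`; None if dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path, hop = [start], start
    while hop in HOPS and len(path) < max_hops:
        h = HOPS[hop]
        nh = lpm(h.get("pbr", []), src) or lpm(h["routes"], dst)   # policy first
        if nh is None:
            return None                                              # no route: dropped
        path.append(nh)
        hop = nh
    return path

if __name__ == "__main__":
    print("voice out:", trace("172.16.20.5", "203.0.113.10", "switch"))
    print("data out: ", trace("192.168.10.5", "203.0.113.10", "switch"))
    print("voice back:", trace("203.0.113.10", "172.16.20.5", "t1_router"))
    # Reply for a data host enters the cable modem, which has no route back inside:
    print("data back: ", trace("203.0.113.10", "192.168.10.5", "cable_modem"))
```

The last trace ends at "internet" instead of "local": the reply is bounced back upstream because the modem only knows 192.168.1.0/24, which is exactly the asymmetric-path problem the missing return route causes.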
Pugglewuggle commented:
BTW this setup is the most widely used in the industry and we have successfully implemented it in many situations for different customers. It works great and gives you the best possible throughput.
0
Pugglewuggle commented:
Sorry, keep clicking too early.
...best possible throughput, as the VLANs aren't routed across the ASA eating up its throughput. VLANs are instead routed across switches, which are much faster when handling this kind of traffic. Only the necessary traffic leaves each device, and this reduces wasted bandwidth on all upstream links.
0
touchstar-brady (author) commented:
Wasn't exactly what I was looking for, only because this PIX can't do what I was looking to do. The solution was as Pugglewuggle described, and it works like a charm. Thanks all for your help.
0