Configure routing on HP switch with 506E for 2 different VLANs and 2 different ISPs

Posted on 2008-09-29
Last Modified: 2010-04-21
Hello all,

I have a network that I am running VOIP to a VSP using Polycom 301 VOIP phones with a flavor of Asterisk.  For voice quality, I would like to use 2 different VLANs, one for voice and the other for data.  The data VLAN is untagged, while the voice VLAN is tagged using an HP Procurve 2650 switch.

I have 2 different ISPs, Covad with 2 T1s into a Samsung IBG2006 router and a Comcast cable modem.  I would like to use the T's for VOIP only and the cable modem for data (mostly web browsing, email from a hosting provider, etc. - no service hosting here!).  Of course the static IPs from my providers are on 2 different subnets.

The issue that I have is that I have a single Cisco PIX 506E v6.2 using  that I would like to use with BOTH ISPs and BOTH VLANs.  I know that the PIX does not support subaddressing with this OS.

My question is can I use the switch to do the routing from the VLANs and the ISPs for me?  If so, can anyone suggest a config that would work?

I was thinking about making 4 VLANs:  2 for my internal network, voice and data (let's call them 1 and 2), and 1 for each of the ISPs' CPE (let's call them VLANs 3 and 4), connect the ISPs' ethernet handoffs to the switch, and use the switch's routing functions to route traffic to the 2 ports on the switch that are reserved for the PIX.  Of course the ports for the ISPs' ethernet handoffs would have to be untagged, with every other VLAN set to "forbid" (as I don't think that I can get the Comcast SMC modem to do VLAN tagging, and would rather not mess with the Covad router if possible).  I would then make the port that the PIX's inside interface is connected to a hybrid of VLANs 1 and 2, while the outside interface is connected to a hybrid port consisting of VLANs 3 and 4.

I think that this harebrained scheme will work, I just need to figure out if I can do this with the switch's routing functionality, and the best way to do the routing.  I know that this isn't the best way to do this, but hey, I'm on a very tight budget here.  Thanks for your help.
Question by:touchstar-brady

Expert Comment

ID: 22602512
You are making it very hard. I would recommend getting a second PIX.
Or at the very least another device for your second uplink.
LVL 10

Expert Comment

ID: 22602693
That model switch will only do static routing, nothing funky.

For the switch, create 3 VLAN interfaces and turn on routing:

vlan 1
 name "Data"
 ip address
 untagged 1-24

vlan 2
 name "Voice"
 ip address
 tagged 1-24

vlan 5
 name "Internet"
 ip address
 untagged 24

ip default-gateway
ip routing

Then plug the PIX into Port 24, give the PIX a local IP of

- Then give both your DOCSIS modem and the T1 modem an address in the range
- (For the modems) Don't forget to add a route to the + 192.168.10 networks as the PIX.
- (For the PIX) add a route to the + 192.168.10 networks as the HP's VLAN 5 interface.

This is where you've lost me, but I know I can do it on something like a Cisco 851 (but I'm not so good with PIX).

Option A:
Create a routemap to forward all packets from the network to the T1 router, and vice-versa for the 192.168.10 network

Option B (If supported):
Bridge both modems and do the PPPoE on the PIX (2 x Dialer interfaces) and do multiple NAT, something like:

ip nat inside source list 22 interface Dialer0 overload
ip nat inside source list 23 interface Dialer1 overload
access-list 22 permit
access-list 23 permit

Not sure if the PIX can do the equivalent.

LVL 12

Accepted Solution

Pugglewuggle earned 500 total points
ID: 22602694
The best thing to do is to use an edge router for the multiple ISP setup.
PIXes do not allow more than one concurrent connection to an ISP - this means that you cannot run two simultaneous ISP lines off a PIX. The "multiple ISP" feature is only for backup connections in case the main connection goes down.
The best way to do it is like this:
Internet ------ Edge router with PBR >> ASA >> Core Switch (VLANS go here) >> network
Internet ----------------^

What I recommend instead is to route all traffic through the PIX to the edge router (assuming it can handle the load). Only have VLANS on your core switch and switches. On the ASA, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the ASA for firewall/VPN and filtering functions. Put one route in the ASA to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line. You can also load balance when using the configuration.
Cheers! I hope this helps!

LVL 12

Expert Comment

ID: 22602701
BTW this setup is the most widely used in the industry and we have successfully implemented it in many situations for different customers. It works great and gives you the best possible throughput.
LVL 12

Expert Comment

ID: 22602711
Sorry, keep clicking too early. possible throughput as the VLANs aren't routed across the ASA eating up its throughput. VLANs are instead routed across switches which are much faster when handling this kind of traffic. Only the necessary traffic leaves each device and this reduces wasted bandwidth on all upstream links.
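
The policy-based routing (PBR) step named in the accepted answer, and in Option A of the earlier comment, written out as a Cisco IOS edge-router configuration. This is an added example, not part of any poster's reply; the interface names, route-map names and every address are constructed placeholders, and it assumes the firewall passes the internal subnets untranslated so that the edge router can still distinguish voice from data.

```cisco
! Added example. All names and addresses are constructed, not from the thread:
!   Data VLAN 10.0.10.0/24, Voice VLAN 10.0.20.0/24 (routed on the core switch)
!   Fa0/0 = link to firewall outside (10.0.0.1/30, firewall is 10.0.0.2)
!   Fa0/1 = T1 router handoff, next hop 198.51.100.1
!   Fa1/0 = cable modem handoff, next hop 203.0.113.1
! Assumes the firewall passes internal source addresses untranslated, so the
! edge router can still tell voice from data; NAT happens here, per ISP.
!
access-list 110 remark Voice VLAN sources
access-list 110 permit ip 10.0.20.0 0.0.0.255 any
access-list 120 remark Data VLAN sources
access-list 120 permit ip 10.0.10.0 0.0.0.255 any
!
route-map ISP-SELECT permit 10
 match ip address 110
 set ip next-hop 198.51.100.1
route-map ISP-SELECT permit 20
 match ip address 120
 set ip next-hop 203.0.113.1
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip policy route-map ISP-SELECT
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface FastEthernet1/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Translate to the address of whichever WAN interface the packet leaves by.
route-map NAT-T1 permit 10
 match interface FastEthernet0/1
route-map NAT-CABLE permit 10
 match interface FastEthernet1/0
ip nat inside source route-map NAT-T1 interface FastEthernet0/1 overload
ip nat inside source route-map NAT-CABLE interface FastEthernet1/0 overload
!
! Return path to the VLANs, and a default for traffic matching neither ACL.
ip route 10.0.10.0 255.255.255.0 10.0.0.2
ip route 10.0.20.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

`show route-map ISP-SELECT` reports policy-routing match counts per sequence, which is a quick check that voice and data sources are hitting different entries.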

Author Closing Comment

ID: 31501384
Wasn't exactly what I was looking for, only because this PIX can't do what I was looking to do.  The solution was as Pugglewuggle described, and it works like a charm.  Thanks all for your help.
