Solved

Configure routing on HP switch with 506E for 2 different VLANs and 2 different ISP's

Posted on 2008-09-29
Last Modified: 2010-04-21
Hello all,

I have a network on which I am running VoIP to a VSP using Polycom 301 VoIP phones with a flavor of Asterisk. For voice quality, I would like to use 2 different VLANs, one for voice and the other for data. The data VLAN is untagged, while the voice VLAN is tagged, using an HP ProCurve 2650 switch.

I have 2 different ISPs: Covad, with 2 T1s into a Samsung IBG2006 router, and a Comcast cable modem. I would like to use the T1s for VoIP only and the cable modem for data (mostly web browsing, email from a hosting provider, etc. - no service hosting here!). Of course the static IPs from my providers are on 2 different subnets.

The issue that I have is that I have a single Cisco PIX 506E v6.2 that I would like to use with BOTH ISPs and BOTH VLANs. I know that the PIX does not support subaddressing with this OS.

My question is: can I use the switch to do the routing from the VLANs and the ISPs for me? If so, can anyone suggest a config that would work?

I was thinking about making 4 VLANs: 2 for my internal network, voice and data (let's call them 1 and 2), and 1 for each of the ISPs' CPE (let's call them VLANs 3 and 4), connecting the ISPs' ethernet handoffs to the switch, and using the switch's routing functions to route traffic to the 2 ports on the switch that are reserved for the PIX. Of course the ports for the ISPs' ethernet handoffs would have to be untagged, with every other VLAN set to "forbid" (as I don't think that I can get the Comcast SMC modem to do VLAN tagging, and would rather not mess with the Covad router if possible). I would then make the port that the PIX's inside interface connects to a hybrid of VLANs 1 and 2, while the outside interface is connected to a hybrid port consisting of VLANs 3 and 4.

I think that this harebrained scheme will work; I just need to figure out if I can do this with the switch's routing functionality, and the best way to do the routing. I know that this isn't the best way to do this, but hey, I'm on a very tight budget here. Thanks for your help.
Question by: touchstar-brady
6 Comments
 
Expert Comment by MrJemson (LVL 8), ID: 22602512
You are making it very hard. I would recommend getting a second PIX.
Or at the very least another device for your second uplink.
0
 
Expert Comment by kyleb84 (LVL 10), ID: 22602693
That model switch will only do static routing, nothing funky.

For the switch, create 3 VLAN interfaces and turn on routing:

vlan 1
 name "Data"
 ip address 192.168.10.254/24
 untagged 1-23
 exit

vlan 2
 name "Voice"
 ip address 172.16.20.254/24
 tagged 1-23
 exit

vlan 5
 name "Internet"
 ip address 192.168.1.254/24
 untagged 24
 exit

ip route 0.0.0.0/0 192.168.1.1
ip routing
end

Then plug the PIX into Port 24 and give the PIX a local IP of 192.168.1.1/24.

- Then give both your DOCSIS modem and the T1 modem an address in the 192.168.1.0/24 range
- (For the modems) Don't forget to add a route to the 172.16.20.0 + 192.168.10 networks as the PIX.
- (For the PIX) add a route to the 172.16.20.0 + 192.168.10 networks as the HP's VLAN 5 interface.

This is where you've lost me, but I know I can do it on something like a Cisco 851 (but I'm not so good with PIX).

Option A:
Create a routemap to forward all packets from the 172.16.20.0/24 network to the T1 router, and vice-versa for the 192.168.10 network

Option B (If supported):
Bridge both modems and do the PPPoE on the PIX (2 x Dialer interfaces) and do multiple NAT, something like:

ip nat inside source list 22 interface Dialer0 overload
ip nat inside source list 23 interface Dialer1 overload
access-list 22 permit 172.16.20.0 0.0.0.255
access-list 23 permit 192.168.10.0 0.0.0.255

Not sure if the PIX can do the equivalent.

0
 
Accepted Solution by Pugglewuggle (LVL 12, earned 500 total points), ID: 22602694
The best thing to do is to use an edge router for the multiple ISP setup.
PIXes do not allow more than one concurrent connection to an ISP - this means that you cannot run two simultaneous ISP lines off a PIX. The "multiple ISP" feature is only for backup connections in case the main connection goes down.
The best way to do it is like this:
Internet ------ Edge router with PBR >> ASA >> Core Switch (VLANS go here) >> network
                                   |
Internet ----------------^

What I recommend instead is to route all traffic through the PIX to the edge router (assuming it can handle the load). Only have VLANs on your core switch and switches. On the ASA, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the ASA for firewall/VPN and filtering functions. Put one route in the ASA to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line. You can also load balance when using this configuration.
Cheers! I hope this helps!


0
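As an added illustration (not code from kyleb84, Pugglewuggle or the question author), this Python model applies the source-based policy both answers describe: kyleb84's route-map/NAT ACL option and the PBR on the edge router in the accepted solution. The uplink names and sample host addresses are constructed, and the audit helper shows why a wildcard mask such as 0.0.16.255 (an easy slip when writing IOS ACLs) would leave the 192.168.10.0/24 data hosts unmatched.

```python
import ipaddress

# Added example (not code from the thread). Constructed flows and policy only.
# IOS wildcard semantics: a 1 bit in the wildcard mask means "don't care".
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

# Policy as a route-map would express it: the first ACL that matches the
# source decides the egress, otherwise the packet falls through to the default.
# Egress labels are assumed names for the two uplinks in the question.
POLICY = [
    ("T1-Covad",      [("172.16.20.0", "0.0.0.255")]),   # voice VLAN (ACL 22)
    ("Cable-Comcast", [("192.168.10.0", "0.0.0.255")]),  # data VLAN (ACL 23)
]

def select_egress(src_ip: str, policy=POLICY, default: str = "Cable-Comcast") -> str:
    for egress, entries in policy:
        if any(wildcard_match(src_ip, net, wc) for net, wc in entries):
            return egress
    return default

def unmatched_sources(sources, entries) -> list:
    """Hosts an ACL fails to cover; run this before trusting a hand-written wildcard."""
    return [s for s in sources if not any(wildcard_match(s, n, w) for n, w in entries)]

def demo() -> dict:
    # Constructed sample flows: two phones in the voice VLAN, two PCs in the data VLAN.
    flows = ["172.16.20.11", "172.16.20.42", "192.168.10.5", "192.168.10.200"]
    decisions = {ip: select_egress(ip) for ip in flows}
    # A wildcard of 0.0.16.255 on 192.168.0.0 only matches third octets 0 and 16,
    # so every data host would miss that NAT rule and leave via the default path.
    sloppy_acl23 = [("192.168.0.0", "0.0.16.255")]
    decisions["acl23_misses"] = unmatched_sources(flows[2:], sloppy_acl23)
    return decisions

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```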
 
Expert Comment by Pugglewuggle (LVL 12), ID: 22602701
BTW this setup is the most widely used in the industry and we have successfully implemented it in many situations for different customers. It works great and gives you the best possible throughput.
0
 
Expert Comment by Pugglewuggle (LVL 12), ID: 22602711
Sorry, keep clicking too early.
...best possible throughput, as the VLANs aren't routed across the ASA eating up its throughput. VLANs are instead routed across switches, which are much faster when handling this kind of traffic. Only the necessary traffic leaves each device, and this reduces wasted bandwidth on all upstream links.
0
 

Author Closing Comment by touchstar-brady, ID: 31501384
Wasn't exactly what I was looking for, only because this PIX can't do what I was looking to do. The solution was as Pugglewuggle described, and it works like a charm. Thanks all for your help.
0
