[c-nsp] network design question

Alex Valentine alex at phataudio.org
Mon Nov 20 16:59:24 EST 2006


Robbie, 

Thanks for the input. The T-1 providers are different, but there are no
further constraints. The basic premise behind design #1 is that
having a PIX exposed to the outside network is more secure than having a
2800 series router exposed, which I believe to be a false assumption,
but I am not a networking guru or anything, so that was the motivator
for posting to the list.

On Mon, 2006-11-20 at 15:39 -0600, robbie.jacka at regions.com wrote:
> If you plan on having the L3 device closest to your internal network route
> internally for you (i.e., in/out same interface), you'll have to run PIX
> 7.2 or later and use the 'same-security-interface permit intra-interface'
> command.  Having said that, option 2 seems to be the more robust solution.
> But you seem to be getting into some tricky waters regarding
> load-balancing. Are there further constraints on your edge configuration, a
> la requiring per-packet/session load balancing, different T1 providers,
> etc?
> 
> robbie
> 
> On 11/20/2006 02:28 PM, "Alex Valentine" <alex at phataudio.org> wrote to cisco-nsp at puck.nether.net (Subject: [c-nsp] network design question):
> 
> I was having a debate over a proposed network design, and I was
> wondering if some of the people on this list could provide some insight.
> 
> Design #1 (proposed layout)
> T1#1 <-> Cisco 2600#1 <-> Pix 515e <-> Cisco 2821#1 <-> Internal NET
> T1#2 <-> Cisco 2600#2 <-> Pix 515e <-> Cisco 2821#2
> 
> Design #2 (my layout)
> T1#1 <-> Cisco 2821#1 <-> Pix 515e#1,2 (failover cable) <-> Internal NET
> T1#2 <-> Cisco 2821#2
> 
> Design #1 has 2600's at the edge, and then the PIX in between two
> routers. The logic being that the 2600's would just act as the T-1
> interface, and the PIX would have the actual external IP addresses,
> because the PIX was more secure to outside traffic than a router. Is
> that true?
> 
> I proposed design #2, because it gets rid of the 2600's
> altogether (reducing the potential for hardware failure), and it makes good
> use of the 2800's. My feeling is that it makes a lot more sense to have
> the 2800's handling the external interfaces, and then use the PIX after
> to secure the internal network.
> 
> Any thoughts on the merits of either design? Any opinions/insight
> would be greatly appreciated.
> 
> Thanks,
> 
> Alex
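As an added illustration, not configuration from either poster, of the PIX 7.2 requirement Robbie raises for design #1, where an inside 2821 may send traffic back out the same PIX interface it arrived on. The PIX keyword is `same-security-traffic`; interface names and addresses below are assumed placeholders.

```cisco
! PIX 7.2 fragment for the firewall in design #1 (addresses are placeholders)
! The T-1 routers (2600s) sit on "outside"; the two 2821s sit on "inside".
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! By default the PIX drops a packet that would enter and leave the same
! interface (hairpinning). Permit it so that traffic from 2821#1 that the
! PIX must forward back to 2821#2 on "inside" is not silently discarded.
same-security-traffic permit intra-interface
!
! Note: this only allows the hairpin; inspection and any access-lists applied
! to "inside" still apply to the redirected traffic.
```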