[c-nsp] network design question
Alex Valentine
alex at phataudio.org
Mon Nov 20 16:59:24 EST 2006
Robbie,
Thanks for the input. The T-1 providers are different, but there are no
further constraints. The basic premise behind design #1 is that
having a PIX exposed to the outside network is more secure than having a
2800 series router exposed, which I believe to be a false assumption,
but I am not a networking guru or anything, so that was the motivator
for posting to the list.
On Mon, 2006-11-20 at 15:39 -0600, robbie.jacka at regions.com wrote:
> If you plan on having the L3 device closest to your internal network route
> internally for you (i.e., in/out same interface), you'll have to run PIX
> 7.2 or later and use the 'same-security-interface permit intra-interface'
> command. Having said that, option 2 seems to be the more robust solution.
> But you seem to be getting into some tricky waters regarding
> load-balancing. Are there further constraints on your edge configuration, a
> la requiring per-packet/session load balancing, different T1 providers,
> etc?
>
> robbie
>
>
>
> On 11/20/2006 02:28 PM, "Alex Valentine" <alex at phataudio.org> wrote
> to cisco-nsp at puck.nether.net, subject "[c-nsp] network design question":
>
> I was having a debate over a proposed network design, and I was
> wondering if some of the people on this list could provide some insight.
>
> Design #1 (proposed layout)
> T1#1 <-> Cisco 2600#1 <-> Pix515e <-> Cisco 2821#1 <-> Internal NET
> T1#2 <-> Cisco 2600#2 <-> Pix515e <-> Cisco 2821#2
>
> Design #2 (my layout)
> T1#1 <-> Cisco 2821#1 <-> Pix 515e#1,2 (failover cable) <-> Internal NET
> T1#2 <-> Cisco 2821#2
>
> Design #1 has 2600's at the edge, and then the PIX in between two
> routers. The logic being that the 2600's would just act as the T-1
> interface, and the PIX would have the actual external IP addresses,
> because the PIX was more secure to outside traffic than a router. Is
> that true?
>
> I proposed design #2 because it gets rid of the 2600's
> altogether (reducing the potential for hardware failure), and it makes good
> use of the 2800's. My feeling is that it makes a lot more sense to have
> the 2800's handling the external interfaces, and then use the PIX after
> them to secure the internal network.
>
> Any thoughts on the merits of either design? Any opinions/insight
> would be greatly appreciated.
>
> Thanks,
>
> Alex
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
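The configuration Robbie's reply alludes to, written out as an added illustration for Design #2 (this is not a config posted in the thread, nor Alex's or Robbie's own). It assumes PIX 7.x syntax on the 515E pair with the serial failover cable, a single outside segment shared with both 2821s, and that the two routers present one next-hop address to the PIX (for example an HSRP virtual IP); the hostnames, interface numbers and addresses are placeholders.

```text
! Hypothetical PIX 515E configuration (PIX 7.x syntax) for Design #2.
! Addresses, names and interface numbers are placeholders chosen for the
! example; they do not come from the thread.
hostname pix-a
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! Needed when a flow enters and leaves the PIX on the same interface,
! e.g. the inside L3 device hairpinning through it. Available from
! PIX 7.0 onward; PIX 6.x has no equivalent and will drop such traffic.
same-security-traffic permit intra-interface
!
! One default route only. The PIX itself does not load-balance across the
! two 2821s; in this example they share a first-hop address (assumed to be
! an HSRP virtual IP, 192.0.2.254) so router failover is invisible to the PIX.
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! Active/standby pair over the serial failover cable: the unit on the end
! of the cable labelled "Primary" takes that role, so no unit command is
! needed here. Interface standby addresses above are used by the peer.
failover
!
! Inbound from the outside is denied by the PIX unless explicitly permitted;
! an explicit deny makes that policy visible in the config and in hit counts.
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
```

Note that nothing in this fragment changes which device is "exposed": in Design #2 the 2821s still terminate the T1s and carry the provider-facing addresses, so their own control plane (management access, routing protocol neighbours, ICMP handling) has to be locked down on the routers; the PIX only governs what reaches the inside network behind it.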