[c-nsp] network design question

Brant I. Stevens branto at branto.com
Mon Nov 20 19:46:40 EST 2006 



On 11/20/06 5:15 PM, "Brian Desmond" <brian at briandesmond.com> wrote:

> I would go with #2. Are you putting a switch pair between the 2821s and
> PIXen or are you meshing e0 and e1 to each of the 2821s?
> 

The PIX need to be able to communicate with each other over all interfaces
for failover to work properly, so the "outside" interfaces will have to be
L2-adjacent with one another.

 
> Thanks,
> Brian Desmond
> brian at briandesmond.com
> 
> c - 312.731.3132
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alex Valentine
> Sent: Monday, November 20, 2006 2:29 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] network design question
> 
> I was having a debate over a proposed network design, and I was
> wondering if some of the people on this list could provide some insight.
>         
> Design #1 (proposed layout)
> T1#1 <-> Cisco 2600#1<-> Pix515e <-> Cisco2821#1 <-> Interal NET
> T1#2 <-> Cisco 2600#2<-> Pix515e <-> Cisco2821#2
>         
> Design #2 (my layout)
> T1#1 <-> Cisco 2821#1 <-> Pix 515e#1,2(failovercble) <-> Internal NET
> T1#2 <-> Cisco 2821#2
>         
> Design #1 has 2600's at the edge, and then the PIX in between two
> routers. The logic being that the 2600's would just act as the T-1
> interface, and the PIX would have the actual external IP addresses,
> because the PIX was more secure to outside traffic than a router. Is
> that true?
>         
> I proposed design #2, because it gets rid of the 2600's all
> together(reducing the potential for hardware failure), and it makes good
> use of the 2800's. My feeling is that it makes a lot more sense to have
> the 2800's handling the external interfaces, and then use the pix after
> to secure the internal network.

I could see going with #1 if the need to use a gateway other than the PIX
were to arise, as you won't get ICMP redirects with the PIX, IIRC.  If that
isn't a requirement, then I'd say go with #2.

>         
> Any thoughts in to the merits of either design? Any opinions/insight
> would be greatly appreciated.
>         
> Thanks,
>         
> Alex
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list