dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
7486
share rss forum feed

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Pix 520 with multiple ISP connections?

I have a Pix 520 on the way for my home network. It has 3 FE interfaces in it and I have the latest PixOS and PDM to load into it (will load PDM if it has the 16MB flash, just to play with). Right now I have just one cable connection but the company I work for (and am the IT dept. for) is going to provide me with another connection, could be cable or DSL. What I want to know is can I have two outside interfaces and one inside on the Pix?

I know I won't be able to do bonding with residential connections but I would like to be able to either load balance them and/or failover. I will be setting up a VPN tunnel between my house at the main office and would like it to use only the connection provided by my company. I will also be setting up tunnels to other locations that I would like to go out our connection.

I'm sure I'll have some more specific questions once the Pix gets here but for right now I need to know if I can do what I want with just the Pix. I do have a 2611, 2514 and 7507 that I could put in front of the Pix if need be. I'd rather not use the 7507 as that thing practically requires it's own circuit

Thanks,
Joel

kash1

join:2005-08-13
Houston, TX
you should beable to run bgp on it to give u fallover protection

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to JoelC707
Assuming you would have two independent ISP, then here is what you could setup. For Internet access only, you use your current cable connection. For the VPN, you would use the ISP that your company would provide.

Do you plan to use the PIX to initiate the VPN tunnel? If yes, then the following could be your setup:


== VPN tunnel ==

Your company --- New ISP --- PIX ---- Router --- LAN
|
|
Your current cable ISP
|
Internet

The router could be your 2611. There is no need of BGP (it is not going to be available for you anyway) since static routes on the 2611 would do. Just make sure to route traffic destined to your company towards the new ISP and everything else towards your current cable Internet.

Load Balance may only work for outbound. Failover would be manual, therefore it would not be graceful. Check out following FAQ for more info.

»Cisco Forum FAQ »Redundant Link Graceful Internet Load Balance/Failover

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
They could be different ISPs or they could be the same. If my boss follows my advice then it would be the same ISP, Comcast. The only other choice is DSL.

I would prefer to initiate a VPN tunel over either or both connections. Obviously I wouldn't have the same tunnel over both, but I do want to have a tunnel over the current ISP and a tunnel over the new ISP. I may not have all tunnels active at the same time but I do want that option. I don't know how many either, could be just two more likely could be half a dozen or more.

Yeah without full BGP support on either end (essentially bonding) then load balancing will be outbound only at best. I would like the ability to use either connection should one go down or something. I realize if both are Comcast this will not work unless it was a modem failure or account problem.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
If you prefer to initiate tunnel over either or both ISP, then you cannot use the PIX as the VPN peer. You would have to use a router (it could be the 2611) to initiate the tunnel. You can use the PIX as a firewall only. The setup is as follows:

======== VPN tunnel =======

-- ISP 1 -- \
Your company -- Internet +-- Router -- PIX -- LAN
-- ISP 2 -- /

As you said, tunnel to same destination VPN peer (i.e. your company) can only go over either ISP; can't use both ISP simultaneously. However you could setup graceful failover tunnel to go over 2nd ISP in case tunnel that goes over 1st ISP is down. This setup requires match configuration between your 2611 and your company's VPN equipment.

What VPN equipment does your company use? Cisco equipment or else? If Cisco; is it router, PIX/ASA, VPN Concentrator?

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
I suspected I would have to do something like that. I am curious about how routing would work. Here is how I suspect the IP addresses would be assigned. The LAN at my office uses 192.168.1.0/24, my LAN uses 192.168.0.0/24 and since I have only one public IP I would have to do something like 192.168.50.0/30 between the inside of the router and outside of the PIX. I know basic internet traffic and traverse this with no problem but I am unsure how VPN traffic would traverse this.

Right now on the company side is a HotBrick VPN800/2. I wouldn't mind swapping out to a PIX or ASA (probably ASA Anti-X edition) but it is convincing the people with the checks it would be a wise investment. When I told my boss (president of the company) about all the features and benefits he was ecstatic until he heard the price. Even the base model off ebay is 2 grand. We only paid 500 for the HotBrick we have now and it works just fine so I can see his leeriness. We also do not have to comply with HIPPA but we want to be as close as possible so if that changes we will already be close if not already compliant. I do not believe the HotBrick is compliant but I have not really read up on what the criteria is.

The main office will be a termination point for 8 total VPN tunnels. I know the HotBrick will handle it and in some ways I would almost rather leave it in place unless PDM can configure a VPN tunnel. One time I had the 2611 as my main router and I attempted to setup a VPN tunnel between my house and the office. I'm not that good at the CLI anyway and that was one ofthe more difficult tasks I have ever done. I don't know if I could setup 8 of them if we swapped out to a Cisco device at the main office.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
I believe your company HotBrick VPN800/2 only has single public IP address as its VPN peer?

Assuming it is, then there should be no overlap network between the office and your home (within your organization). This means that there should be no 192.168.0.0/24 at your office and no 192.168.1.0/24 at your home. As long term plan, let's just say that your entire organization would be using 192.168.0.0/16 network as internal network.

Now assume the new ISP would be your main link for VPN tunnel to the office. Then on your 2611, there should be primary route to 192.168.0.0/16 via the new ISP default gateway and be alternate route via the current ISP default gateway. Also on the 2611, there must be a route to 192.168.0.0/24 pointing towards your LAN.

On the office side (on the HotBrick VPN800/2), there should be a single static route to 192.168.0.0/24 via the office ISP default gateway.

There should be a split tunnel on both end, so then traffic destined for the Internet is not going through the tunnel; instead go directly out via each end's ISP.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Little confusing but I think I'm slowly getting it the more I read it.

I have a T1 with a /29 and DSL with a /29 at the office. The DSL isn't in use at all right now but only one IP of each /29 is assigned to the appropriate WAN port. The others are DMZ or 1-1 NAT and even then only one IP is in use there.

I do have it seperated like that. I am seriosuly looking at renumbering my house and the main office as several of the other locations I would want to VPN to use a 192.168.0.0/24 or a 192.168.1.0/24 so to be able to tunnel to them I would need to renumber my house and the main office. I would probably choose something off the wall like a 172.16.224.0/24 and some other choice at the main office. Seems everyone uses a 192.168.x.x/24 and they all choose 0.0/24 or 1.0/24. I seriously doubt I will need a clas B at the office as I could fit all of my network, all of the main office network and every employees network into a Class C and still have ample room for growth.

I do not know when the new ISP link will be turned up, could be a few weeks or a few months. To keep from reconfiguring everything when that does happen I'll likely go ahead and stick the 2611 in front of the PIX that way I just add an NM card and rework the config. Maybe I would understand this easier if you could show me what kind of routing statements I would add to the 2611 or perhaps even a sample config? If there is already one like this in the FAQ please point me to it. I do not believe I will have to add any special config or static routes to the HotBrick side other than the basic VPN tunnel, or would I?

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Renumbering is a good starting point as it is suggested as soon as possible before your network become too big. What I would do is to renumber branches since most likely they are smaller network compare to main office.

When you are reassigning subnet, consider network future growth; so then the new subnet received would be intact for at least 3-5 years.

Since you said branch offices are mainly using either 192.168.0.0/24 or 192.168.1.0/24; then I would suggest to keep using subnet within 192.168.0.0/16. You can just change the 3rd octet, and keep other numbers intact (i.e. change to 192.168.2.0/24, 192.168.3.0/24, and so on).

When you are done with the renumbering, I would provide the sample configuration.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Actually the locations I was referring to that all seem to utilize either 192.168.0.1/24 or 192.168.0.0/24 are all other companies that my dad and I do IT work for. We might have a need at some point to establish a tunnel between their location and my local LAN and having 192.168.0.0/24 in use here already I couldn't establish a tunnel to them. More so with my main office using 192.168.1.0/24 and I have an existing tunnel to there I couldn't establish another tunnel to the same location. Well, I suppose it would be possible but only if the tunnels were manually initiated and only one at a time.

So far my company only has one main office and 7 other home offices. These home offices are just that, employees homes. The ones that even have a local network (some use USB based DSL modems still ) are all on different class c's. I have only gotten to 3 of the home offices so far but the ultimate goal once I get the routers for each is to first setup a network if there isn't one and then to assign them to their own class c (2.0/24, 3.0/24, 4.0/24 etc). They may not be in the 192.168 subnet though. I would probably prefer to go for something in the neighborhood of 172.18. My dad and I looked over the paperwork on all of our clients and most are in 192.168.x.x and only one is in 172.20 so I figure I'm pretty safe going with a 172.18. No others are in 172.x.x.x and only a few are in 10.x.x.x. We are actually looking into renumbering some of our clients and making a list of which client is in what subnet and get rid of this overlap as much as possible.

Do you think a Class C will be too small for the main office considering future growth? Right now I have 22 IP's in use if I counted correctly. I have them arranged like this:
1-4: Reserved
5-99: DHCP pool (almost never have any DHCP clients)
100-199: Servers, UPS, printers, etc.
200-253: Workstations
254: HotBrick router (yeah I'm weird, everyone does 1 for the router I do 254)

I have 1-4 reserved because many of the devices we have if you reset them to factory defaults they have a 192.168.1.1 address. So to get rid of possible conflicts I don't use that range for anything. Some spare devices like a small Netgear firewall resides in that range on 2, 3 or 4. Right now everything increments in fives except for DHCP of course. Servers are 100, 105, 110, etc and workstations are 200, 205, 210, etc. For workstations I'm only up to 225 but servers I'm up to 150 so I'm starting to run out if I keep up this numbering scheme. I don't know why I decided to do it that way, just a habit I was in when numbering my home network even though it isn't that way anymore.

Sorry this was so long, it takes a lot of room to put into words the layout of a couple of networks. Also, thanks for your help thus far. I really appreciate it. I'll appreciate it even more once that PIX arrives (scheduled delivery on Wednesday).

aryoba
Premium,MVM
join:2002-08-22
kudos:4
The reason I suggested to keep 192.168.x.x network and to change only the 3rd octet is to save a lot of work. When keeping the 192.168 network, you only need to change the 3rd octet. You can keep the 1st, 2nd, and the 4th intact.

When the servers numbers at main office grow that fast (now 50/100), then you might want to assign the whole 192.168.1.0/24 only to servers. You can then use 192.168.0.0/24 for workstations and DHCP pool.

For the home office, I believe you can assign /29 since it should be more than enough.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Hmmm I didn't think about it that way. Makes perfect sense actually. I'm the only one that really knows the IP addresses, everyone else uses the hostnames so the renumbering will be completely transparent to them.

Would it be better to supernet the server and workstion ranges or keep them as sperate class c's with a router in between? For example I could do a subnet mask of 255.255.254.0 and be able to use the range 192.168.0.1 - 192.168.1.254 as if it were all one big subnet. My switch is a Layer 2 switch so it cannot route on its own.

You are correct, a /29 should be more than enough for most all of the home network. Some could even get away with a /30 as they only have one PC and the router. I would probably continue to asisgn them a /29 in the event they want a wireless AP or a family computer or something. That way I don't have to renumber yet again.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Ok I've talked with my dad and there are no clients that use these ranges that we know of so here is what I'm looking at using for renumbering.

Main Office:
Infrastructure - 192.168.150.0/24
Workstations/DHCP - 192.168.151.0/24

Large home office:
192.168.152.0/28

6 Home offices:
192.168.152.16/29
192.168.152.24/29
192.168.152.32/29
192.168.152.40/29
192.168.152.48/29
192.168.152.56/29
Still have 24 /29 subnets if my calculations are correct. Should be plenty for future growth.

My home:
192.168.153.0/24
192.168.155.0/30 (For 2611 to PIX connection)

I've left 154 out because I may want to utilize it here at home for some reason in the future. Would it make more sense for me to take 152 since I'm going to take up an entire Class C? My thought is that if for some reason we explode with growth I don't want to have some employees on 152 and some on 156, I'd rather have them on sequential ranges. I actually don't need a full Class C, I could carve out a /30 at the beginning of my subnet for the interconnect between the 2611 and PIX. Now that I think about it I really wouldn't even need a full Class C, I could carve mine up into a few /27's as that would give me plenty of room for our equipment here and give me some spare ranges to stick other things in and to play with. Any suggestions or comments?

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to JoelC707
What I would do is to keep servers and workstations in their own subnet (either /24 or /23). I wouldn't keep servers and workstations in one subnet which could create discontiguous network. However you could reserve /24 or /23 to servers and another /24 or /23 to workstations for future growth.

Are the main office, large home office and the small home offices part of one organization? If yes, then you might want to reserve at least a whole block of /21 network. Therefore you should reserve 192.168.144.0/21 for all of them.

I would think that you might need a whole /24 all for your home since you might support more clients and would need more stuff to install.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
I seriously doubt I will need anything bigger than a /24 for the servers or the workstations. Even if I keep up the 5's thing I've still got 51 possible hosts for each subnet. Right now I have 12 devices in the "server" category and a mere 5 workstations at the main office though I have 20 network lines run throughout the suite for workstations and such.

All the home offices (large and small) are employees of the same corporation. The Large office is actually one of the co-owners of the company and my boss. He has two desktops, a laptop, print server and plans to add a couple more desktops or laptops plus wireless. I doubt he would expand more than that so we are looking at 4 IPs currently and roughly 7 in the future so a /28 seems to fit for that and gives some growth room.

Why do you think I need to reserve over 2000 IP's for the entire company? I'm not saying you're wrong, I'm probably just not getting it.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
At this point I'm not quite sure how fast the organization grow. However if you think /21 is too big for this organization, then you can shrink down to /22. I believe the /22 is the minimal; where one class C for servers, one class C for workstations/DHCP, one class C for infrastructures (i.e. switches, routers, VPN boxes), one /25 for large home offices, and one /25 for small home offices.

The whole idea of assigning subnet is to accommodate current and future network need as contiguous as possible. Usually the term used is that the subnet would keep intact for at least 3-5 years

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Honestly I doubt it will grow very fast in the next few years. The company was founded in 96 and we currently have 9 employees counting the two presidents. There are a handful of outside contractors but they aren't part of the network in any way at all. I have been an employee for about two years now.

Do I really need a Class C devoted to networking infrastructure? I have one main switch (a possible second in the future), a router, and a UPS. I can't put the VPN boxes at the home sites in the same subnet as the router at the main office.

I've never setup a network on the scale you are talking about. The most I have done is two separate class C's with a 2514 in between and even then that was several years ago and just to see if I could make it work. Otherwise I'm pretty new to Cisco equipment and what it can and can't do. Maybe that's why I'm not grasping this, you might be thinking of something that I could do with the right equipment that I don't know about. Sorry I'm kinda hard headed at times.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to aryoba
I've been thinking and designing on this for a little while now and here is what I am looking at currently. Please give suggestions as needed.

My home:
192.168.150.0/23
Will give me 192.168.150.0 - 192.168.151.255
Should I split this up any? Should it be two separate Class C's? Or perhaps a few /27's or something?

My Office:
192.168.152.0/22
Will give me 192.168.152.0 - 192.168.155.255
192.168.152.0/24 - Servers and Infrastructure
192.168.153.0/24 - Workstations and DHCP
192.168.154.0/24 - Subneted for employee homes connected via VPN
192.168.155.0/24 - Unused?

I think what I'm unsure about is how to assign all of these subnets and what equipment I will need beyond what I have now (if any). For example, on the servers do I give them a mask of 255.255.255.0 like they currently have or would they get a 255.255.252.0? I assume the workstations and other equipment would get similar masks?

Also, the workstation subnet will need to be split up even more I think, either that or utilize the unused subnet for DHCP only. I need to have two DHCP ranges, one for employees and such to use and one for clients to check email and surf the internet. I don't want the clients on the same network as everything else. I don't need very many addresses in either DHCP range, a /27 or at minimum a /28 for each should be sufficient I think. Right now DHCP isn't even used but we don't have the AP yet either. If I use an entire Class C for DHCP I would probably just split it up into two /26's.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
I notice that you like to count begin at 192.168.150.0 network. I wonder why you don't start counting from 192.168.0.0 instead?

Subnet for servers at main office I think should be at least /24 since you said the number is already reaching up to 50. Subnet for workstations/DHCP clients would probably at least /24 as well.

As I said previously, the whole idea of assigning subnet is to accommodate current and future network need as contiguous as possible. Usually the term used is that the subnet would keep intact for at least 3-5 years.

When you say "infrastructure", do you mean routers, switches, VPN boxes, and other non-servers (or non-workstations) equipment?

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
The reason I don't want to start at 192.168.0.0 or 192.168.1.0 is that several of the other companies my dad and I do IT work for use those ranges. I currently use 192.168.0.0 at home and 192.168.1.0 at the the company I work for (completely seperate from the other companies).

If I use 192.168.0.0 at the company I work for then I can not establish a tunnel to any of those other companies should I need/want to. That's why I wanted to start at some high number like 150 although I just remembered a location where 192.168.150.0 is currently in use so I do not want to use 150 at my house or at my company.

I think it might be easier if I break it down like this:
192.168.0.0 - used by my lan and 9 other companies I know of
192.168.1.0 - used by my office lan and 6 other companies.

I know I can't establish a tunnel to all of the remaing 0.0's and 1.0's at the same time but thats ok becuase I don't need to.

I think you misunderstood what I was saying a few messages ago. My current servers are on 100 to 150 yes but they are in increments of 5. They're on 100, 105, 110, 115, etc. so in reality I only have 6 servers, I skipped 135 (had plans for it but they fell through), and the remaining 3 are two network printers and a UPS.

By infrastructure I mean switch, router, printers, UPS, etc. Currently what I have that falls in that category is one switch, one router (with VPN), two printers and a UPS. I have plans to add an AP and a network security camera but nothing else at the moment. With only 6 possible devices you can see my confusion with dedicating an entire /24 to that category. Same with the servers although I do have two NICs in each server, that's still only 12 IP's total. Couldn't I use a /25 for the servers and a /25 for the infrastructure? That would still give me 61 IP's in each subnet which should be plenty for future growth.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
I can see that you are still counting subnet in decimal-based and not binary-based as supposed to?

I would not start a high number of 150 since it is not binary factor. I would consider something like 144 or 152.

Try to start counting in binary and redo your subnet reorganization; and see what you can think of.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Ahhh didn't realize there was a "right" way to do it. I was just picking a number. Actually I see what you mean now. I downloaded an IP subnet calculator and when I put in 150 with a /22 mask it says the starting address is 148. Learn something new everyday, thanks.

Well I can't think of any reason to need a tunnel to the network that is using 150 currently but I'd still rather avoid it in general just in case.

Here is what I'm thinking:
Wellsys (company I work for) - 192.168.140.0/22
192.168.140.0/24
* 192.168.140.0/25 - Infrastructure
* 192.168.140.128/25 - Servers
192.168.141.0/24
* 192.168.141.0/25 - Workstations
* 192.168.141.128/26 - Employee DHCP
* 192.168.141.192/26 - Client DHCP
192.168.142.0/24
* 192.168.142.0/28 - Large home
* 192.168.142.16/29 - Small homes (the remainder of 142 would get carved up into /29's)
192.168.143.0/24 - Unused for now

wcleveland (my home LAN) - 192.168.250.0/23
192.168.250.0/24 - Internal computers and equipment
192.168.251.0/24 - Hosted equipment
192.168.252.0/30 - 2611 to PIX cross connect

Any suggestions to the above? I don't think I can but is there any way I can carve a /30 out of the 250 or 251 subnets? Also, I'm looking for suggestions specifically on the DHCP at the office. If possible I would like to use one AP for both and use VLAN's to seperate them. I have found a Linksys that will do this and my switch supports VLAN but I have no experience in that area so any advice you can give me would be much appreciated.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Another key part of subnet organization is supernet and routing. From main office LAN routing perspective (workstation and servers), there should be no discontiguous network. For instance, if you decide to use 192.168.250.0/23 network for your home LAN; then there should be no devices within the 192.168.250.0/23 on other sites' LAN.

Keep in mind that for infrastructure's point-to-point connection (i.e. router to router); the IP address does not have to be routable within the network. Main reason for this is security.

However something like manageable switch, UPS, servers, and workstations; their IP addresses must be routable within the network. Just put ACL to lock down the device to be reachable or manageable from trusted devices.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Ok I think I'm following you here. Had to let it sink in for a little bit. I know that if I use 192.168.250.0 at home then it should not be used elsewhere. That is somewhat the reason behind all of this renumbering, there are too many other locations using the ranges I'm using right now.

So how would I get everything to talk to each other? Well ok I know how to do it but what is the right way? For example, do I assign 192.168.140.1/255.255.255.128 to my main router, 192.168.140.130/255.255.255.128 to one of my servers and 192.168.141.10/255.255.255.128 to my workstation? If I do that then I would need something like a 2611 or 2621 to direct all the packets where they need to go. Also, since I effectively have 5 subnets local now then I would need 5 ethernet interfaces? The other possibility I can see is assigning everything a 192.168.140.x 255.255.252.0 address and let them figure it out on their own. In that case the subnets would essentially be "on paper" or "logical" I would assume.

I do realize that by splitting the servers and infrastructure into two /25's I won't be able to keep the last octet on all of my servers and I'm ok with that. I'm doing a massive renumbering already, what's one more octet . I think I am understanding this (at least I hope I am), I just need some guidance in how to make it all work. Thanks for helping me out here and putting up with my stubbornness.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
In addition of the supernet discussion, when you already decide to use 192.168.250.0/23 network for your home LAN; then you should not break the network and use the portion (i.e. 192.168.250.0/30) for different location other than your home LAN.

Let's say you decide to use 192.168.140.0/25 network for the infrastructure. This should mean that all point-to-point network device infrastructure (i.e. router to router) should be using IP address within the subnet range. Assign /30 subnet (or /31) to each point-to-point connection.

For instance, there are 2 routers within the organization that has direct connection to each other (point-to-point connection). Each router uses interface Ethernet1 as the point-to-point connection to another. Then you might want to use 192.168.140.0/30 for these directly connected routers. The 192.168.140.1 goes under the interface Ethernet 1 of router 1 and the 192.168.140.2 goes under the interface Ethernet 1 of router 2.

When there are more directly connected infrastructure devices, then assign another /30 to those devices' interface. There might be 192.168.140.4/30 for directly connected router 1 and router 3; 192.168.140.8/30 for directly connected router 2 and router 3; and so on.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Ahh ok I gotcha now. Well then the next question I have is do I still use a /30 subnet out of 192.168.140.0/25 even though the routers are not at the same location. Basically meaning that ANY point-to-point connection gets a /30 out of the 192.168.140.0/25 subnet regardless if it is at my house, the main office or an employees house?

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Correct, that is the idea. Therefore whenever you see IP address within 192.168.140.0/25 (i.e. when you do a traceroute), you know that you hit infrastructure device that have direct connection to another device; regardless if the devices are at your house, main office, or employee houses.

As reminder, this 192.168.140.0/25 does not have to be routable within the network due to security issue.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Alright so then what I gather is that I need a router to route between all these subnets. Do I need a router with an interface for each subnet or do I just need one interface with several sub-interfaces? I suspect I could do either one but which one would be better? And if I go with seperate real intrfaces for each subnet I assume I will need 100 meg ports, right? If I use 10 meg ports all trafic to other subnets would get funneled through that 10 meg port and effectively limit my cross-subnet speed to 10 meg.

And for the router, which would be better a 2600 or 3600? I would have to buy a router for the main office as I only have one 2611 and it will be in use at my house. I'm sure the 2514 would be too slow and I don't have room for the 7507 at the main office, hell I don't really have room for it at home either altough that would certainly do the job as it already has all the 100 meg ports I would need.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Unless you have specific reason as to why you would need to use sub interfaces, I would prefer to use an interface for each subnet.

I assume the router would be in strictly Ethernet environment? Are there not routers in place already in the main office?

If you are replacing existing routers in main office, I wonder why you replace them with old routers (i.e. 2600, 3600, or 7507).

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
The only thing that could be classified as a "router" is the HotBrick firewall. There is an Adtran TA608 that my T1 terminates into but that is FDN's, not mine although I do have login access to it.

Basically my network at the main office is pretty simple and goes like this:

T1 --- WAN 1 --\
Hotbrick -- Switch -- Servers/Workstations
DSL -- WAN 2 --/

I do have a few unused ports on the switch (48 Port D-Link) but I suspect it would be full or close to it after adding 5-6 cables for the router. The entire network is Ethernet, sorry thought I had mentioned that before.

I don't mind used hardware (that should be evident after buying the PIX 520 which is much older than my 2611), and we cannot afford the cost of the newer or higher end products. For that matter a 2621 with an NM-4FE (I think they make those) might even be a stretch finacially though I have only done some quick checking for prices.