Forums » Equipment Support » Hardware By Brand » Cisco » Pix 520 with multiple ISP connections?
JoelC707

join:2002-07-09
Tucson, AZ

Pix 520 with multiple ISP connections?

I have a Pix 520 on the way for my home network. It has 3 FE interfaces in it and I have the latest PixOS and PDM to load into it (will load PDM if it has the 16MB flash, just to play with). Right now I have just one cable connection but the company I work for (and am the IT dept. for) is going to provide me with another connection, could be cable or DSL. What I want to know is can I have two outside interfaces and one inside on the Pix?

I know I won't be able to do bonding with residential connections but I would like to be able to either load balance them and/or failover. I will be setting up a VPN tunnel between my house at the main office and would like it to use only the connection provided by my company. I will also be setting up tunnels to other locations that I would like to go out our connection.

I'm sure I'll have some more specific questions once the Pix gets here but for right now I need to know if I can do what I want with just the Pix. I do have a 2611, 2514 and 7507 that I could put in front of the Pix if need be. I'd rather not use the 7507 as that thing practically requires its own circuit.

Thanks,
Joel

kash

join:2005-08-13
Houston, TX
You should be able to run BGP on it to give you failover protection.

aryoba
Premium,MVM
join:2002-08-22

reply to JoelC707
Assuming you would have two independent ISPs, then here is what you could set up. For Internet access only, you use your current cable connection. For the VPN, you would use the ISP that your company would provide.

Do you plan to use the PIX to initiate the VPN tunnel? If yes, then the following could be your setup:

== VPN tunnel ==

Your company --- New ISP --- PIX ---- Router --- LAN
                                        |
                                        |
                              Your current cable ISP
                                        |
                                     Internet

The router could be your 2611. There is no need for BGP (it is not going to be available to you anyway) since static routes on the 2611 would do. Just make sure to route traffic destined to your company towards the new ISP and everything else towards your current cable Internet.

Load balancing may only work for outbound. Failover would be manual, therefore it would not be graceful. Check out the following FAQ for more info.

»Cisco Forum FAQ »Redundant Link Graceful Internet Load Balance/Failover

JoelC707

join:2002-07-09
Tucson, AZ

They could be different ISPs or they could be the same. If my boss follows my advice then it would be the same ISP, Comcast. The only other choice is DSL.

I would prefer to initiate a VPN tunnel over either or both connections. Obviously I wouldn't have the same tunnel over both, but I do want to have a tunnel over the current ISP and a tunnel over the new ISP. I may not have all tunnels active at the same time but I do want that option. I don't know how many either, could be just two, more likely could be half a dozen or more.

Yeah without full BGP support on either end (essentially bonding) then load balancing will be outbound only at best. I would like the ability to use either connection should one go down or something. I realize if both are Comcast this will not work unless it was a modem failure or account problem.

aryoba
Premium,MVM
join:2002-08-22

If you prefer to initiate the tunnel over either or both ISPs, then you cannot use the PIX as the VPN peer. You would have to use a router (it could be the 2611) to initiate the tunnel. You can use the PIX as a firewall only. The setup is as follows:

======== VPN tunnel =======

                         -- ISP 1 -- \
Your company -- Internet              +-- Router -- PIX -- LAN
                         -- ISP 2 -- /

As you said, a tunnel to the same destination VPN peer (i.e. your company) can only go over either ISP; you can't use both ISPs simultaneously. However, you could set up a graceful failover tunnel to go over the 2nd ISP in case the tunnel that goes over the 1st ISP is down. This setup requires matching configuration between your 2611 and your company's VPN equipment.

What VPN equipment does your company use? Cisco equipment or else? If Cisco; is it router, PIX/ASA, VPN Concentrator?

JoelC707

join:2002-07-09
Tucson, AZ

I suspected I would have to do something like that. I am curious about how routing would work. Here is how I suspect the IP addresses would be assigned. The LAN at my office uses 192.168.1.0/24, my LAN uses 192.168.0.0/24 and since I have only one public IP I would have to do something like 192.168.50.0/30 between the inside of the router and outside of the PIX. I know basic internet traffic can traverse this with no problem but I am unsure how VPN traffic would traverse this.

Right now on the company side is a HotBrick VPN800/2. I wouldn't mind swapping out to a PIX or ASA (probably ASA Anti-X edition) but it is convincing the people with the checks it would be a wise investment. When I told my boss (president of the company) about all the features and benefits he was ecstatic until he heard the price. Even the base model off ebay is 2 grand. We only paid 500 for the HotBrick we have now and it works just fine so I can see his leeriness. We also do not have to comply with HIPAA but we want to be as close as possible so if that changes we will already be close if not already compliant. I do not believe the HotBrick is compliant but I have not really read up on what the criteria are.

The main office will be a termination point for 8 total VPN tunnels. I know the HotBrick will handle it and in some ways I would almost rather leave it in place unless PDM can configure a VPN tunnel. One time I had the 2611 as my main router and I attempted to set up a VPN tunnel between my house and the office. I'm not that good at the CLI anyway and that was one of the more difficult tasks I have ever done. I don't know if I could set up 8 of them if we swapped out to a Cisco device at the main office.

aryoba
Premium,MVM
join:2002-08-22

I believe your company's HotBrick VPN800/2 only has a single public IP address as its VPN peer?

Assuming it does, then there should be no overlapping networks between the office and your home (within your organization). This means there should be no 192.168.0.0/24 at your office and no 192.168.1.0/24 at your home. As a long-term plan, let's just say that your entire organization would be using the 192.168.0.0/16 network as its internal network.

Now assume the new ISP would be your main link for the VPN tunnel to the office. Then on your 2611, there should be a primary route to 192.168.0.0/16 via the new ISP default gateway and an alternate route via the current ISP default gateway. Also on the 2611, there must be a route to 192.168.0.0/24 pointing towards your LAN.

On the office side (on the HotBrick VPN800/2), there should be a single static route to 192.168.0.0/24 via the office ISP default gateway.

There should be a split tunnel on both ends, so that traffic destined for the Internet does not go through the tunnel; instead it goes directly out via each end's ISP.
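The route selection aryoba describes (a primary route to the organization's /16 via the new ISP, an alternate via the cable ISP that only takes over when the primary link fails, a more specific route to the home LAN, and a split tunnel so plain Internet traffic goes straight out) is easiest to see as a lookup. The following is an added example, not code from the thread or from Cisco: it models the 2611's static routes as longest-prefix-match with administrative distance, the mechanism behind an IOS "floating static" backup route. All gateway addresses are constructed placeholders.

```python
"""Two-ISP static routing from the thread, modelled as a route lookup.

Added example, not from the thread or from Cisco: it imitates how a router
like the 2611 picks a next hop (longest prefix first, then lowest
administrative distance among equal prefixes), which is what makes a
"floating static" backup route take over only when the primary gateway
is unusable. All gateway addresses are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# Constructed next-hop addresses; the thread names none of them.
NEW_ISP_GW = "203.0.113.1"    # company-provided link, primary path to the office
CABLE_GW = "198.51.100.1"     # existing cable link: Internet plus backup path
PIX_OUTSIDE = "192.168.50.2"  # PIX outside interface on the /30 mentioned above

# (prefix, next hop, administrative distance). Lower distance wins among
# routes with the same prefix, like an IOS floating static route.
STATIC_ROUTES = [
    ("192.168.0.0/16", NEW_ISP_GW, 1),   # whole organization, primary via new ISP
    ("192.168.0.0/16", CABLE_GW, 10),    # floating static backup via cable ISP
    ("192.168.0.0/24", PIX_OUTSIDE, 1),  # home LAN behind the PIX
    ("0.0.0.0/0", CABLE_GW, 1),          # split tunnel: plain Internet goes straight out
]


def next_hop(dst, routes=STATIC_ROUTES, down=frozenset()):
    """Return the gateway a packet to dst would use, or None if unroutable.

    `down` holds gateways whose link is currently unusable; routes through
    them are skipped, which is how the backup route takes over.
    """
    dst = ip_address(dst)
    best = None
    for prefix, gw, distance in routes:
        net = ip_network(prefix)
        if gw in down or dst not in net:
            continue
        # Longer prefix beats shorter; for equal prefix, lower distance wins.
        rank = (net.prefixlen, -distance)
        if best is None or rank > best[0]:
            best = (rank, gw)
    return best[1] if best else None


def forwarding_table(down=frozenset()):
    """Next hop for one sample destination of each kind (constructed addresses)."""
    samples = {
        "office server 192.168.1.10": "192.168.1.10",
        "home LAN host 192.168.0.5": "192.168.0.5",
        "Internet host 192.0.2.10": "192.0.2.10",
    }
    return {label: next_hop(ip, down=down) for label, ip in samples.items()}


if __name__ == "__main__":
    print("both links up:    ", forwarding_table())
    print("new ISP link down:", forwarding_table(down={NEW_ISP_GW}))
```

With both links up, office traffic leaves via the new ISP, the home LAN is reached through the PIX, and Internet traffic takes the default route out the cable link. Marking the new ISP gateway as down makes the distance-10 backup route win for 192.168.0.0/16, while the default route is unchanged. Note that in this table there is no backup default route via the new ISP, which matches aryoba's point that Internet failover on this design would be manual.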

JoelC707

join:2002-07-09
Tucson, AZ

Little confusing but I think I'm slowly getting it the more I read it.

I have a T1 with a /29 and DSL with a /29 at the office. The DSL isn't in use at all right now but only one IP of each /29 is assigned to the appropriate WAN port. The others are DMZ or 1-1 NAT and even then only one IP is in use there.

I do have it separated like that. I am seriously looking at renumbering my house and the main office as several of the other locations I would want to VPN to use a 192.168.0.0/24 or a 192.168.1.0/24 so to be able to tunnel to them I would need to renumber my house and the main office. I would probably choose something off the wall like a 172.16.224.0/24 and some other choice at the main office. Seems everyone uses a 192.168.x.x/24 and they all choose 0.0/24 or 1.0/24. I seriously doubt I will need a class B at the office as I could fit all of my network, all of the main office network and every employee's network into a Class C and still have ample room for growth.

I do not know when the new ISP link will be turned up, could be a few weeks or a few months. To keep from reconfiguring everything when that does happen I'll likely go ahead and stick the 2611 in front of the PIX that way I just add an NM card and rework the config. Maybe I would understand this easier if you could show me what kind of routing statements I would add to the 2611 or perhaps even a sample config? If there is already one like this in the FAQ please point me to it. I do not believe I will have to add any special config or static routes to the HotBrick side other than the basic VPN tunnel, or would I?

aryoba
Premium,MVM
join:2002-08-22

Renumbering is a good starting point, and it is best done as soon as possible, before your network becomes too big. What I would do is renumber the branches, since most likely they are smaller networks compared to the main office.

When you are reassigning subnets, consider future network growth, so that the new subnet assignment stays intact for at least 3-5 years.

Since you said the branch offices are mainly using either 192.168.0.0/24 or 192.168.1.0/24, I would suggest keeping subnets within 192.168.0.0/16. You can just change the 3rd octet and keep the other numbers intact (i.e. change to 192.168.2.0/24, 192.168.3.0/24, and so on).

When you are done with the renumbering, I would provide the sample configuration.

JoelC707

join:2002-07-09
Tucson, AZ

Actually the locations I was referring to that all seem to utilize either 192.168.0.1/24 or 192.168.0.0/24 are all other companies that my dad and I do IT work for. We might have a need at some point to establish a tunnel between their location and my local LAN and having 192.168.0.0/24 in use here already I couldn't establish a tunnel to them. More so with my main office using 192.168.1.0/24 and I have an existing tunnel to there I couldn't establish another tunnel to the same location. Well, I suppose it would be possible but only if the tunnels were manually initiated and only one at a time.

So far my company only has one main office and 7 other home offices. These home offices are just that, employees' homes. The ones that even have a local network (some use USB based DSL modems still) are all on different class C's. I have only gotten to 3 of the home offices so far but the ultimate goal once I get the routers for each is to first set up a network if there isn't one and then to assign them to their own class C (2.0/24, 3.0/24, 4.0/24 etc). They may not be in the 192.168 subnet though. I would probably prefer to go for something in the neighborhood of 172.18. My dad and I looked over the paperwork on all of our clients and most are in 192.168.x.x and only one is in 172.20 so I figure I'm pretty safe going with a 172.18. No others are in 172.x.x.x and only a few are in 10.x.x.x. We are actually looking into renumbering some of our clients and making a list of which client is in what subnet to get rid of this overlap as much as possible.

Do you think a Class C will be too small for the main office considering future growth? Right now I have 22 IP's in use if I counted correctly. I have them arranged like this:
1-4: Reserved
5-99: DHCP pool (almost never have any DHCP clients)
100-199: Servers, UPS, printers, etc.
200-253: Workstations
254: HotBrick router (yeah I'm weird, everyone does 1 for the router I do 254)

I have 1-4 reserved because many of the devices we have if you reset them to factory defaults they have a 192.168.1.1 address. So to get rid of possible conflicts I don't use that range for anything. Some spare devices like a small Netgear firewall resides in that range on 2, 3 or 4. Right now everything increments in fives except for DHCP of course. Servers are 100, 105, 110, etc and workstations are 200, 205, 210, etc. For workstations I'm only up to 225 but servers I'm up to 150 so I'm starting to run out if I keep up this numbering scheme. I don't know why I decided to do it that way, just a habit I was in when numbering my home network even though it isn't that way anymore.

Sorry this was so long, it takes a lot of room to put into words the layout of a couple of networks. Also, thanks for your help thus far. I really appreciate it. I'll appreciate it even more once that PIX arrives (scheduled delivery on Wednesday).

aryoba
Premium,MVM
join:2002-08-22

The reason I suggested to keep 192.168.x.x network and to change only the 3rd octet is to save a lot of work. When keeping the 192.168 network, you only need to change the 3rd octet. You can keep the 1st, 2nd, and the 4th intact.

When the servers numbers at main office grow that fast (now 50/100), then you might want to assign the whole 192.168.1.0/24 only to servers. You can then use 192.168.0.0/24 for workstations and DHCP pool.

For the home office, I believe you can assign /29 since it should be more than enough.

JoelC707

join:2002-07-09
Tucson, AZ

Hmmm I didn't think about it that way. Makes perfect sense actually. I'm the only one that really knows the IP addresses, everyone else uses the hostnames so the renumbering will be completely transparent to them.

Would it be better to supernet the server and workstation ranges or keep them as separate class C's with a router in between? For example I could do a subnet mask of 255.255.254.0 and be able to use the range 192.168.0.1 - 192.168.1.254 as if it were all one big subnet. My switch is a Layer 2 switch so it cannot route on its own.

You are correct, a /29 should be more than enough for almost all of the home networks. Some could even get away with a /30 as they only have one PC and the router. I would probably continue to assign them a /29 in the event they want a wireless AP or a family computer or something. That way I don't have to renumber yet again.

JoelC707

join:2002-07-09
Tucson, AZ

Ok I've talked with my dad and there are no clients that use these ranges that we know of so here is what I'm looking at using for renumbering.

Main Office:
Infrastructure - 192.168.150.0/24
Workstations/DHCP - 192.168.151.0/24

Large home office:
192.168.152.0/28

6 Home offices:
192.168.152.16/29
192.168.152.24/29
192.168.152.32/29
192.168.152.40/29
192.168.152.48/29
192.168.152.56/29
Still have 24 /29 subnets if my calculations are correct. Should be plenty for future growth.

My home:
192.168.153.0/24
192.168.155.0/30 (For 2611 to PIX connection)

I've left 154 out because I may want to utilize it here at home for some reason in the future. Would it make more sense for me to take 152 since I'm going to take up an entire Class C? My thought is that if for some reason we explode with growth I don't want to have some employees on 152 and some on 156, I'd rather have them on sequential ranges. I actually don't need a full Class C, I could carve out a /30 at the beginning of my subnet for the interconnect between the 2611 and PIX. Now that I think about it I really wouldn't even need a full Class C, I could carve mine up into a few /27's as that would give me plenty of room for our equipment here and give me some spare ranges to stick other things in and to play with. Any suggestions or comments?

aryoba
Premium,MVM
join:2002-08-22

reply to JoelC707
What I would do is keep servers and workstations in their own subnets (either /24 or /23). I wouldn't keep servers and workstations in one subnet, which could create a discontiguous network. However, you could reserve a /24 or /23 for servers and another /24 or /23 for workstations for future growth.

Are the main office, the large home office and the small home offices part of one organization? If yes, then you might want to reserve at least a whole /21 block. Therefore you should reserve 192.168.144.0/21 for all of them.

I would think that you might need a whole /24 for your home, since you might support more clients and would need more stuff to install.

JoelC707

join:2002-07-09
Tucson, AZ

I seriously doubt I will need anything bigger than a /24 for the servers or the workstations. Even if I keep up the 5's thing I've still got 51 possible hosts for each subnet. Right now I have 12 devices in the "server" category and a mere 5 workstations at the main office though I have 20 network lines run throughout the suite for workstations and such.

All the home offices (large and small) are employees of the same corporation. The Large office is actually one of the co-owners of the company and my boss. He has two desktops, a laptop, print server and plans to add a couple more desktops or laptops plus wireless. I doubt he would expand more than that so we are looking at 4 IPs currently and roughly 7 in the future so a /28 seems to fit for that and gives some growth room.

Why do you think I need to reserve over 2000 IP's for the entire company? I'm not saying you're wrong, I'm probably just not getting it.

aryoba
Premium,MVM
join:2002-08-22

At this point I'm not quite sure how fast the organization grows. However, if you think a /21 is too big for this organization, then you can shrink it down to a /22. I believe the /22 is the minimum: one class C for servers, one class C for workstations/DHCP, one class C for infrastructure (i.e. switches, routers, VPN boxes), one /25 for large home offices, and one /25 for small home offices.

The whole idea of assigning subnets is to accommodate current and future network needs as contiguously as possible. Usually the term used is that the subnet assignment should stay intact for at least 3-5 years.

JoelC707

join:2002-07-09
Tucson, AZ

Honestly I doubt it will grow very fast in the next few years. The company was founded in 96 and we currently have 9 employees counting the two presidents. There are a handful of outside contractors but they aren't part of the network in any way at all. I have been an employee for about two years now.

Do I really need a Class C devoted to networking infrastructure? I have one main switch (a possible second in the future), a router, and a UPS. I can't put the VPN boxes at the home sites in the same subnet as the router at the main office.

I've never set up a network on the scale you are talking about. The most I have done is two separate class C's with a 2514 in between and even then that was several years ago and just to see if I could make it work. Otherwise I'm pretty new to Cisco equipment and what it can and can't do. Maybe that's why I'm not grasping this, you might be thinking of something that I could do with the right equipment that I don't know about. Sorry I'm kinda hard headed at times.

JoelC707

join:2002-07-09
Tucson, AZ

reply to aryoba
I've been thinking and designing on this for a little while now and here is what I am looking at currently. Please give suggestions as needed.

My home:
192.168.150.0/23
Will give me 192.168.150.0 - 192.168.151.255
Should I split this up any? Should it be two separate Class C's? Or perhaps a few /27's or something?

My Office:
192.168.152.0/22
Will give me 192.168.152.0 - 192.168.155.255
192.168.152.0/24 - Servers and Infrastructure
192.168.153.0/24 - Workstations and DHCP
192.168.154.0/24 - Subnetted for employee homes connected via VPN
192.168.155.0/24 - Unused?

I think what I'm unsure about is how to assign all of these subnets and what equipment I will need beyond what I have now (if any). For example, on the servers do I give them a mask of 255.255.255.0 like they currently have or would they get a 255.255.252.0? I assume the workstations and other equipment would get similar masks?

Also, the workstation subnet will need to be split up even more I think, either that or utilize the unused subnet for DHCP only. I need to have two DHCP ranges, one for employees and such to use and one for clients to check email and surf the internet. I don't want the clients on the same network as everything else. I don't need very many addresses in either DHCP range, a /27 or at minimum a /28 for each should be sufficient I think. Right now DHCP isn't even used but we don't have the AP yet either. If I use an entire Class C for DHCP I would probably just split it up into two /26's.

aryoba
Premium,MVM
join:2002-08-22

I notice that you like to start counting at the 192.168.150.0 network. I wonder why you don't start counting from 192.168.0.0 instead?

The subnet for servers at the main office I think should be at least a /24, since you said the number is already reaching up to 50. The subnet for workstations/DHCP clients would probably need to be at least a /24 as well.

As I said previously, the whole idea of assigning subnets is to accommodate current and future network needs as contiguously as possible. Usually the term used is that the subnet assignment should stay intact for at least 3-5 years.

When you say "infrastructure", do you mean routers, switches, VPN boxes, and other non-servers (or non-workstations) equipment?

JoelC707

join:2002-07-09
Tucson, AZ

The reason I don't want to start at 192.168.0.0 or 192.168.1.0 is that several of the other companies my dad and I do IT work for use those ranges. I currently use 192.168.0.0 at home and 192.168.1.0 at the company I work for (completely separate from the other companies).

If I use 192.168.0.0 at the company I work for then I can not establish a tunnel to any of those other companies should I need/want to. That's why I wanted to start at some high number like 150 although I just remembered a location where 192.168.150.0 is currently in use so I do not want to use 150 at my house or at my company.

I think it might be easier if I break it down like this:
192.168.0.0 - used by my lan and 9 other companies I know of
192.168.1.0 - used by my office lan and 6 other companies.

I know I can't establish a tunnel to all of the remaining 0.0's and 1.0's at the same time but that's ok because I don't need to.

I think you misunderstood what I was saying a few messages ago. My current servers are on 100 to 150 yes but they are in increments of 5. They're on 100, 105, 110, 115, etc. so in reality I only have 6 servers, I skipped 135 (had plans for it but they fell through), and the remaining 3 are two network printers and a UPS.

By infrastructure I mean switch, router, printers, UPS, etc. Currently what I have that falls in that category is one switch, one router (with VPN), two printers and a UPS. I have plans to add an AP and a network security camera but nothing else at the moment. With only 6 possible devices you can see my confusion with dedicating an entire /24 to that category. Same with the servers although I do have two NICs in each server, that's still only 12 IP's total. Couldn't I use a /25 for the servers and a /25 for the infrastructure? That would still give me 61 IP's in each subnet which should be plenty for future growth.
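The renumbering plans traded back and forth above come down to a few mechanical checks: does a proposed subnet overlap anything already in use at a client or another site (the reason 192.168.0.0/24, 192.168.1.0/24 and, as it turned out late in the thread, 192.168.150.0/24 are off limits), does every office allocation sit inside one contiguous reserved block as aryoba recommends, do the allocations collide with each other, and how many /29 home-office blocks are left once the large home office's /28 and six /29s are carved out (the "24 /29 subnets" count from the earlier post). The following is an added example using Python's standard ipaddress module, not anything from the thread; the office plan combines Joel's /22 layout with his earlier home-office carve-up moved into 192.168.154.0/24, and the known-in-use list is assembled from what the thread states.

```python
"""Address-plan checks for the renumbering discussed in the thread.

Added example (not from the thread): verifies that a proposed plan does
not overlap subnets already in use elsewhere, sits inside one contiguous
reserved block, has no internal collisions, and counts the /29 blocks
still free in the home-office /24. The plan itself is assembled from the
subnets floated in the thread; nothing here is a real configuration.
"""
from ipaddress import ip_network
from itertools import combinations

# Subnets the thread says are already taken by clients or other sites.
KNOWN_IN_USE = [ip_network(n) for n in (
    "192.168.0.0/24",    # current home LAN, plus 9 client companies
    "192.168.1.0/24",    # current office LAN, plus 6 client companies
    "192.168.150.0/24",  # the site remembered late in the thread
)]

RESERVED = ip_network("192.168.152.0/22")  # the /22 aryoba calls the minimum

# Office-side plan: Joel's /22 layout with the earlier /28 + six /29
# home-office carve-up moved into the 154 block (a constructed combination).
OFFICE_PLAN = {
    "servers/infrastructure": "192.168.152.0/24",
    "workstations/DHCP":      "192.168.153.0/24",
    "large home office":      "192.168.154.0/28",
    "home office 1":          "192.168.154.16/29",
    "home office 2":          "192.168.154.24/29",
    "home office 3":          "192.168.154.32/29",
    "home office 4":          "192.168.154.40/29",
    "home office 5":          "192.168.154.48/29",
    "home office 6":          "192.168.154.56/29",
}

HOME_PLAN = {"my home": "192.168.150.0/23"}  # the /23 proposed for the house


def find_overlaps(plan, known=KNOWN_IN_USE):
    """(name, conflicting subnet) pairs where a planned subnet overlaps a known one."""
    hits = []
    for name, cidr in plan.items():
        net = ip_network(cidr)
        hits.extend((name, str(k)) for k in known if net.overlaps(k))
    return hits


def internal_conflicts(plan):
    """Pairs of planned subnets that overlap each other."""
    nets = {name: ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def outside_reserved(plan, reserved=RESERVED):
    """Names of planned subnets that fall outside the reserved block."""
    return [name for name, cidr in plan.items()
            if not ip_network(cidr).subnet_of(reserved)]


def free_subnets(parent, used, new_prefix):
    """Subnets of size /new_prefix inside parent not touched by any used block."""
    parent = ip_network(parent)
    used = [ip_network(u) for u in used]
    return [str(s) for s in parent.subnets(new_prefix=new_prefix)
            if not any(s.overlaps(u) for u in used)]


def usable_hosts(cidr):
    """Host addresses available after removing network and broadcast."""
    return ip_network(cidr).num_addresses - 2


if __name__ == "__main__":
    print("office overlaps with known networks:", find_overlaps(OFFICE_PLAN))
    print("home overlaps with known networks:  ", find_overlaps(HOME_PLAN))
    print("office subnets outside the /22:     ", outside_reserved(OFFICE_PLAN))
    homes = [c for n, c in OFFICE_PLAN.items() if "home" in n]
    print("free /29s in 192.168.154.0/24:      ", len(free_subnets("192.168.154.0/24", homes, 29)))
    print("usable hosts in a /25:              ", usable_hosts("192.168.152.0/25"))
```

Running it flags the proposed home /23 against the 192.168.150.0/24 site, reports the office plan as clean and inside the /22, and counts 24 free /29s in the home-office block, matching the figure given earlier in the thread. The same functions can be rerun every time a client's subnet is added to the known list, which is the kind of check that keeps a tunnel from being blocked by an overlap discovered after the fact.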
over 10 years online! © 1999-2009 dslreports.com.