Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

MOE Tagged Intra-Office/Internet Routing Suggestions

Status
Not open for further replies.
mfoc

mfoc

MIS
Feb 10, 2004
37
US
Currently, I have a 100Mbps MOE circuit connecting two offices and I'm taking a 30Mbps chunk to bring in new Internet service to our Main Office. My issue question is.... What's the best way to split the Internet portion off and send it in through the firewall - or even a different firewall (preferred)? I need to keep the intra-office portion away from the firewall(s) and bring it right into the core switch.

1) I know I should be using my FESX448's as my gateways - but I'm not (not to say I won't, I just haven't yet).

2) I'd like to split my web browsing traffic off altogether and maybe send it out a different firewall. I have a few app servers out on a DMZ in the current config and non-web traffic doesn't flow well through the Barracuda.

3) The 30Mbps VLAN tagged Internet circuit will replace the Qwest Bonded T1 (3Mbps) connection (I may keep it around as a redundant circuit, but it will likely be disco'd).

4) The 2811 "gateways" have add-on switch modules (additional 16 x FE ports) - other than that, they all have the standard 2 x FE ports.

So with the parts I have, what would you suggest? Note: The "30Mbps VLAN Tagged Internet" isn't active yet and is what I will be implementing.

Here's a basic map of the current config:
QMOE-Project.gif


Thanks in advance!!
 
Sort by date Sort by votes
Your scenario has some design issues to consider. Since what you call the 2811 Gateway is the point at which you currently segregate the intranet vs extranet traffic you will need to provide that same segregation for the traffic moving forward. So you will need to either do VLANs or possibly extended VRFs if your provider is giving you VRFs. Either way you will probably want to have the VLANs on separate interfaces until at the gateway router and place your current CE 2811 after the FW in order to aggregate the VLANs over the MOE VLANs. That effectively gives you some data separation through the FWs. Security is an important issue in any event with this type of design and the implications need to be taken into consideration. You have a single pipe, even with multiple VLANs to the intranet and internet (extranet) so at some point they have to be pushed out the same physical interface even if on different virtual interfaces. Just be sure to take precautions from a security viewpoint on your intranet so you don't want any extranet traffic to be able to reach the intranet until after it passes through the FW etc.
 
Upvote 0 Downvote
OK, how about this:
QMOE-Project-Proposed.gif


- It uses the core switch as the gateway
- It splits the QMOE VLAN's at the edge router
- Old firewall with DMZ'd app servers is segregated
- Web browsing traffic uses Barracuda and new firewall

Bonus - it frees up one of my 2811's.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Pankaj88
  • Locked
  • Question
BGP Routing Clarification
Replies
0
Views
128
Pankaj88
Pankaj88
MontrealSoft
  • Locked
  • Question
Heated cabinets suggestions
Replies
2
Views
138
MontrealSoft
MontrealSoft
mikey789
  • Locked
  • Question
Can 4000-M Routing VLANs ?
Replies
0
Views
75
mikey789
mikey789
paramjotsingh
  • Locked
  • Question
InterVALN Routing in Switch 3850
Replies
4
Views
123
paramjotsingh
paramjotsingh
jmkelly
  • Locked
  • Question
Dynamic routing protocols for catalyst 3850 switches
Replies
4
Views
208
ADB100
ADB100

Part and Inventory Search

Sponsor

Back
Top