From: Brad Ellis (brad@ccbootcamp.com)
Date: Tue Mar 28 2006 - 15:28:26 GMT-3
There are ISPs now that are bringing in connectivity via Ethernet or
FastEthernet...
Stefan - what methods of delivery is your ISP providing connectivity? T1?
DSL? E1? Cablemodem? ISDN (sigh)? Fiber? Ethernet/FastEthernet?
If your ISP is providing an Ethernet or FastEthernet connection, then you
can (more than likely) ditch the customer Border Router in the design below.
Depending on how your ISP operates and what kind of service they provide
(managed vs. unmanaged) they may want a device which they can have enable
access to. (In which case you might not want to give them access to your
Firewall/ASA if they provide an ethernet connection of some sort, and
throw a border router in there regardless!)
The standard Cisco design looks like this:
ISP
|
Customer BORDER ROUTER
|
Firewall (PIX or ASA)
|
Customer L3 Switch (or in the past, another router to route between internal
private networks)
thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI#30482
Network Learning Inc - A Cisco Learning Partner (CLP)
YES! We take Cisco Learning credits!
brad@ccbootcamp.com
www.ccbootcamp.com (Cisco Training and Advanced Technology Rental Racks)
Voice: 702-968-5100
FAX: 702-446-8012
----- Original Message -----
From: "Sheahan, John" <John.Sheahan@priceline.com>
To: "Stefan Grey" <examplebrain@hotmail.com>; <ccielab@groupstudy.com>
Sent: Tuesday, March 28, 2006 9:07 AM
Subject: RE: Cisco security perimeter!! :( [bcc][faked-from]
> Perhaps your presales engineer is just trying to make the point that you
> need to terminate your internet circuit on a router before you get to a
> Pix/ASA. There is no way to bring a circuit directly into the Pix/ASA.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Stefan Grey
> Sent: Tuesday, March 28, 2006 11:56 AM
> To: ccielab@groupstudy.com
> Subject: Cisco security perimeter!! :(
>
> Hello guys.
>
> Task.
> Receive from the ISP internet link, vpn link, maybe some other. Then
> provide the perimeter security.
>
> 1. Idea 1. Just to put ASA/PIX on the perimeter and then connect it to
> the local switch.
>
> 1. My senior presales engineer told me that it is a bad solution. And he
> didn't see such a design before. He says that it is always done so: the
> router on the perimeter and then the router itself is connected with the
> firewall or ASA. He told that the router is needed to configure the
> shaping and to avoid some headaches.
>
> Could you please explain why 1st design is bad. Why shaping is so
> necessary on the perimeter router. Why this router is needed and which
> bad things could I receive if I build design 1. (with just one ASA or
> PIX).
>
> Any help highly appreciated.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3