Router Placement

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Router Placement

    Hi
    Currently I have my leased line terminated to a Checkpoint Firewall, which is doing a pretty good job. Now I am getting a Cisco 2811 router, and I am also thinking about going for an extra DSL connection so that I can have a failover net connection if possible. So my question is: where do you suggest I place the router?

    Current net diagram is attached to this posting


    The one I am having in mind is also attached to this posting and you must be able to see it at the bottom of this post.


    I am pretty much confused about the IP address scheme changes I need to make to achieve this. What suggestions do you have on this?

    Thanx
    Dotfish

  • #2
    Re: Router Placement

    While I am new to this whole thing, and I would say that daviddavis, therreanaut, and a host of others can probably answer your question far better than I can, why not upgrade the 2811 to the firewalled IOS and replace the Checkpoint altogether?

    Less devices, simpler administration, less power consumption...

    Only a thought. If you still want to add the router to your existing setup, one of those fine gentlemen can help you far better than I.

    Chris



    • #3
      Re: Router Placement

      Hi Dotfish,

      Thanks for your post.

      Your proposed diagram is a keeper, in my opinion. Go with what you proposed.

      You need the router on the outside of the network to make routing decisions between your two ISPs (the T1 and the DSL line). The router will know who has what network and what ISP is up or down.

      The checkpoint will be there to protect your DMZ and internal LAN. That is where you want it.

      I wouldn't replace the checkpoint because a checkpoint is a better firewall than the 2811 ever will be, even with the firewall IOS features. Just like a Cisco PIX or ASA are better firewalls than the 2811 ever will be. However, the 2811 is a better router than the checkpoint ever will be. You need both when you begin to move from a small network to a medium size network.

      Thanks for your post and let us know how your changes work out or if you have questions along the way.

      -David
      David Davis - Petri Forums Moderator & Video Training Author
      Train Signal - The Global Leader in IT Video Training
      TrainSignalTraining.com - Free IT Training Products
      Personal Websites: HappyRouter.com & VMwareVideos.com



      • #4
        Re: Router Placement

        Hi All
        First of all Thank you so much for those quick replies.

        worldbuilder (Chris), thanks for your suggestion, but I really don't want to replace the Checkpoint, for 2 reasons. No. 1, as daviddavis suggested, it's best for its job. No. 2, it really cost a good amount of money, which I don't want to go to waste. Plus, removing the Checkpoint removes an additional layer of security, which I think won't be recommended. But many thanks for your suggestion and I appreciate it.

        David, I will go by what you suggested, as I too feel keeping the Checkpoint adds a little security to the existing setup: if the router gets compromised, I may still have my network a little safe with the Checkpoint being there, I suppose. I fully agree with you, as I think routers are better designed to do routing than packet inspection. The reason to go for the router was that the network is growing.

        OK, now my query is regarding subnetting the existing IP range: do you think that's right? Or should I use a network of 10.x.x.x between the Checkpoint and router? Btw, I have got quite a few NAT rules in the Checkpoint, so do you think that's going to cause any problems in the proposed setup?

        I got few more queries which I will post it later.

        Many Thanx once again
        regards
        Dotfish



        • #5
          Re: Router Placement

          Hi Dotfish,

          Do you have some static IP's from your ISP? If so, I would subnet it out and put two between the inside of the router and outside of the checkpoint. Then put some in the DMZ and use the others for any servers that are NAT'ted from the inside.

          In other words, have your checkpoint do the NATting, not the router. However, if you have only 1 or 2 public, then you will have to have the router do the NATting for everything.

          Let me know if that helps or if you have more questions.

          Thanks,
          David


          • #6
            Re: Router Placement

            Originally posted by daviddavis:
            Hi Dotfish,

            Do you have some static IP's from your ISP? If so, I would subnet it out and put two between the inside of the router and outside of the checkpoint. Then put some in the DMZ and use the others for any servers that are NAT'ted from the inside.

            In other words, have your checkpoint do the NATting, not the router. However, if you have only 1 or 2 public, then you will have to have the router do the NATting for everything.

            Let me know if that helps or if you have more questions.

            Thanks,
            David
            Yes, I have got 5 static IPs from my ISP and right now I am using 4 of them for NATing the servers inside, including the proxy server which is in the DMZ. One I kept as reserve. I will go by your advice and have my Checkpoint box doing the NATing and the router doing just the routing part. But now my doubt is: how is this particular setup going to help me in increasing the performance of the network in any way? Or any suggestion where this router can be used for optimum utilization?

            Thanx
            Dotfish
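
The two cases from post #5 (enough public addresses for the Checkpoint to keep NATing, or so few that the router must NAT), worked through as an added example that is not part of the original thread. The public block, the 10.x.x.x link network and the function name `plan_edge` are constructed for illustration; the thread never gives the real ISP range.

```python
import ipaddress

# Constructed values: the thread never gives the real ISP block.
PUBLIC_BLOCK = "203.0.113.8/29"      # documentation range (RFC 5737)
PRIVATE_TRANSIT = "10.255.255.0/30"  # hypothetical 10.x.x.x link network


def plan_edge(public_block, nat_hosts, private_transit=PRIVATE_TRANSIT):
    """Decide which device NATs and address the router<->firewall link."""
    usable = list(ipaddress.ip_network(public_block).hosts())
    if len(usable) >= 2 + nat_hosts:
        # Enough public addresses: two go on the link and the firewall
        # keeps doing static NAT with the rest (post #5, first case).
        return {
            "nat_device": "firewall",
            "router_inside": str(usable[0]),
            "firewall_outside": str(usable[1]),
            "nat_pool": [str(a) for a in usable[2:2 + nat_hosts]],
            "reserve": [str(a) for a in usable[2 + nat_hosts:]],
        }
    # Too few public addresses: the router translates to the public
    # addresses itself and the link between the two devices uses
    # private space (post #5, second case).
    link = list(ipaddress.ip_network(private_transit).hosts())
    return {
        "nat_device": "router",
        "router_inside": str(link[0]),
        "firewall_outside": str(link[1]),
        "nat_pool": [str(a) for a in usable],
        "reserve": [],
    }


if __name__ == "__main__":
    for key, value in plan_edge(PUBLIC_BLOCK, nat_hosts=4).items():
        print(f"{key}: {value}")
```

With the constructed /29, four NAT'd servers fit with nothing left in reserve, because the link between the router and the Checkpoint takes two addresses.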



            • #7
              Re: Router Placement

              Hi dotfish,

              Hmm, how will it increase performance? Well, what is doing the routing now?

              In general, separating firewalling from routing will increase performance if they were combined together before. Replacing an old router with a new one sounds like it would also increase performance.

              I suspect, however, that unless your hardware was somehow overloaded before these changes, the true limitation of your performance is the speed of your Internet circuit and the latency of your provider (like a Tier 1 vs a Tier 3 provider).

              Thanks for your post!
              David


              • #8
                Re: Router Placement

                Hi David,
                Sorry for the delay in replying
                Right now the Checkpoint Box is doing the Routing between the network & ISP.
                Regarding separating the firewalling from routing, what do you suggest in my current setup? As I think the Checkpoint box is anyway going to route the packets between the network and the router, or am I wrong? Pls correct me if I am wrong.


                Regards
                Dotfish



                • #9
                  Re: Router Placement

                  Hi dotfish,

                  I would agree that firewalls can route and have to route to do their job.

                  Depending on how much traffic you have (packets per second), in all reality, the checkpoint may work fine. However, here are some reasons that someone will typically use a router in your situation:
                  - connect to a WAN interface that the firewall doesn't support. For example, say you have a T1 to the Internet. Most firewalls just have an Ethernet interface on the outside. The router must be used to convert the T1 to Ethernet.
                  - offload INTERNET routing from the firewall (what path through the Internet do I take to contact this destination). OR to use routing protocols that the firewall doesn't support - like BGP
                  - pure performance - the firewall cannot handle both the demands of routing and firewalling. Say you do full BGP Internet routing, the routing alone can use 512MB of RAM or more. This is very demanding. Firewalls typically don't have BGP nor could they run full BGP routing and do firewalling well.

                  So, yes, even if you put in the router, the firewall is still routing packets between the 3 networks attached to it (inside, dmz, and outside) but it isn't making routing decisions on what Internet ISP to choose (say you had your TWO Internet circuits).

                  Does that make sense?

                  I hope that helps.

                  Thanks
                  David


                  • #10
                    Re: Router Placement

                    Yes perfectly David,
                    In fact, another reason to go for this router was the need to have a failover DSL link, which is currently not possible with my Checkpoint box. Plus, I don't want my Checkpoint receiving and dropping all broadcasts from my ISP side, which adds load on my Checkpoint box; I think that's best handled by routers.

                    Thank you so much for your patience in answering and clearing my small doubts.
                    You were kind enough to bear with me through all these questions, and I must say people like you make this forum a great place to interact for newbies like me. Thanx a ton, and I may appear again to annoy the forum with my silly doubts. Will be hanging around this forum to learn more from you all.

                    Thanks & Regards
                    Dotfish



                    • #11
                      Re: Router Placement

                      Dotfish,
                      Thanks for your kind words. I am glad that I could help!
                      All that I ask in return is that perhaps you could help someone else in the forum if you see somewhere that you can contribute your knowledge. I figure that is how it works...
                      All the best,
                      David


                      • #12
                        Re: Router Placement

                        Hi David,
                        I would be very glad to help anyone in this forum with what ever little knowledge I have. I fully agree with you and it will be my pleasure to be here to help others.

                        Thanx once again
                        Dotfish



                        • #13
                          Re: Router Placement

                          Awesome dotfish!

                          All the Best to you,
                          David