- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: Cable Modem as backup to T1 Line [7:102971] posted 09/26/2005
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

> Max - I completely agree with you.  Backup links are popular and this kind
> of configuration is quickly becoming the normal rather than a off the wall
> request.
> My question is, How is this best put into practice?  Given a Cisco Router
> 18xx or 17xx, and Cisco PIX.  Where do I connect the Cable modem to (The
> pix
> or router), how do I handle the NAT (route-maps, and 2 NAT pools?), and
> how
> do I notify the PIX that the T1 Interface is down.

Since I don't think the PIX supports multiple default routes out different
interfaces, You could plug everything into the a larger router, run two
nat pools w/ appropriate route map, CBAC, and have it handle everything.

 Another scenario: you can have the pix connect to the cable modem and the
router handle the T1.  The inside interface of both the PIX and the
Router hang into the same RFC 1918 space.  Have a floating static on the
Router point to the pix inside interface as the secondary gateway or run
OSPF between the two. The issue with this is you essentially have a
firewall sitting there acting as a backup instead of doing something
useful, but it will work. Caveat here is that all the clients default
gateways will need to point to the router, as the PIX doesn't support
ICMP redirects.

You could do the same thing with two routers instead of the PIX/Router
combo as a first step, and then place the PIX behind both routers for
extra security, and run OSPF between all three (the two routers and the

This is probably the most sane option from a design perspective, but you
can certainly come up with various permutations on all three setups to
best meet your clients needs.  A Big "IF" here is in relation to whether
the client needs to host external applications such as mailservers,
webservers etc, as the above designs might require some slight tweaks to
allow for better DMZ scaling.


Message Posted at:
FAQ, list archives, and subscription info: