If you're upgrading to a 2nd Internet connection, you really ought to reduce the single points of failure on any enterprise equipment, costs permitting...
Assuming the Internet CEs have their outside interface set with the public address /32 and do NAT for any private inside addresses:
Transit VLAN 10 - Point statics from the FW to the VIP for Internet1 for dept A (CE1 having a higher FHRP priority, fallback CE2)
Transit VLAN 20 - Point statics from the FW to the VIP for Internet2 for dept B (CE2 having a higher FHRP priority, fallback CE1)
Either side of the FWs you should have transit VLANs, where north of the FWs is for Internet transit and south is LAN transit for the depts..
Statics back southbound from CEs to FWs, or you could run dynamic...
Physically something like this...
   Int1      Int2
    |         |
   CE1       CE2
    |         |
   SW1       SW2
    |         |
   FW1       FW2
Single context is fine for active/standby on FWs, but you can run active/active, licenses permitting, to share the load for the depts..
You may also have an Internet proxy inside the firewalls like most enterprises..... you could do the source NAT here, but I'd leave it to the Internet CEs, depending on resources/model.
--
BR
Tony

> On 11 Nov 2014, at 23:24, Joe Sanchez <marco207p_at_gmail.com> wrote:
>
> Like I mentioned, the easiest way is to utilize PBR based on the PAT or NAT address you provide for that user or group/dept out of your Corporate Firewall.
> If you have both internet connections going into a single router it is the easiest way. If you have separate routers for each internet router you will need a Layer 3 device "switch -or- router" (switch would be better) to intercept the traffic as it moves from the outside interface of your Firewall towards your Internet Edge routers. The Switch or routing device would look at the address of the translated Dept and make a SRC based decision. Are you an address from DeptA? If yes you go out to ISPA; if you are a SRC address of DeptB you go out of the ISPB interface. The same kind of logic works for 1 router 2 ISPs or 2 routers 2 ISPs. The firewall has to either have a private IP range between the outside and edge routers, or separate Public blocks will work as well. If this still doesn't make sense let me know.
>
>
>> On Tue, Nov 11, 2014 at 2:36 PM, Imran Ali <immrccie_at_gmail.com> wrote:
>>
>> In my case I have a separate router terminating this dedicated internet connection. 1921
>>
>> I created a separate vlan for such department.
>>
>>> On Nov 11, 2014 4:59 PM, "IGMPv9" <cciegroupst_at_gmail.com> wrote:
>>>
>>> Dear Gurus
>>>
>>> I hope this email finds you well
>>>
>>> I have a question for you ..
>>>
>>> I have an Enterprise that has an Internet Connection, however one of my departments (IT) needs a separate internet connection from a specific Provider..
>>>
>>> How can I achieve this ..
>>>
>>> I.E. the Enterprise has its own internet connection except the IT department, which needs its own connection.
>>>
>>>
>>> I appreciate your solutions and explanation to that as well..
>>>
>>> BR
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Nov 12 2014 - 08:49:52 ART
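As an added illustration of the two designs discussed in this thread (Joe's source-NAT-based PBR on the Layer 3 device north of the firewall, and Tony's transit VLAN 10/20 with an FHRP VIP per Internet connection), here is a Cisco IOS configuration sketch. It is not from any of the posters; all addresses, interface names, VLAN 30, the HSRP group numbers and the two "translated department" addresses are constructed placeholders and should be replaced with your own. VLAN 10 and 20 are the transit VLANs Tony named.

```cisco
! ===== L3 switch north of the FWs: source-based ISP selection (Joe's approach) =====
! Constructed addressing (replace with your own):
!   VLAN 10 transit to CE1/CE2 for Internet1: 192.0.2.0/29,   HSRP VIP 192.0.2.1
!   VLAN 20 transit to CE1/CE2 for Internet2: 198.51.100.0/29, HSRP VIP 198.51.100.1
!   VLAN 30 transit to the FW outside interface: 10.255.0.0/29 (switch .1, FW .2)
!   Dept A is NATed by the FW to 10.255.0.10, Dept B (IT) to 10.255.0.20 (placeholders)
ip access-list extended DEPT-A-NAT-SRC
 permit ip host 10.255.0.10 any
ip access-list extended DEPT-B-NAT-SRC
 permit ip host 10.255.0.20 any
!
route-map ISP-SELECT permit 10
 match ip address DEPT-A-NAT-SRC
 set ip next-hop 192.0.2.1
route-map ISP-SELECT permit 20
 match ip address DEPT-B-NAT-SRC
 set ip next-hop 198.51.100.1
! No "permit 30" clause: anything not matched falls through to the routing table,
! i.e. the default route below via Internet1, so an unmatched department is never
! silently steered onto the wrong provider.
!
interface Vlan30
 description Transit to FW outside
 ip address 10.255.0.1 255.255.255.248
 ip policy route-map ISP-SELECT
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ===== CE1: active for Internet1 (VLAN 10), standby for Internet2 (VLAN 20) =====
! CE2 mirrors this with the priorities swapped (110 on VLAN 20, 90 on VLAN 10).
! Tracking the uplink's line protocol lets the VIP move when the provider link drops,
! otherwise PBR keeps handing packets to a VIP whose owner has no way out.
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Internet1 uplink (provider-assigned /32 public address goes here)
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.0.2.2 255.255.255.248
 standby 10 ip 192.0.2.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 30
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 198.51.100.2 255.255.255.248
 standby 20 ip 198.51.100.1
 standby 20 priority 90
 standby 20 preempt
!
! Static route back southbound to the department NAT addresses via the switch,
! as Tony describes (a dynamic protocol on the transit VLANs is the alternative).
ip route 10.255.0.0 255.255.255.248 192.0.2.3
```

Two points worth checking before relying on this: `show route-map ISP-SELECT` should show the match counters incrementing for each department's translated address, and `show standby brief` on both CEs should show the expected active/standby split per VLAN. The PBR only steers outbound traffic; return traffic naturally follows whichever CE performed the NAT, so the translated address for each department must only ever leave via its own CE for the flows to stay symmetric.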
This archive was generated by hypermail 2.2.0 : Mon Dec 01 2014 - 07:15:32 ART