Phase 1: Firewall and Internet Migration Planning

• Develop a migration plan to migrate existing Cisco ASA5520 configurations to Cisco ASA5585. Configuration will migrate like-for-like except the following:
  o Public IP addresses will change as the ISP is changing. A new IP subnet will be allocated by the ISP and routed in BGP. Firewall configurations must change to accommodate the IP address change.
    ▪ IPSEC site-to-site VPNs at remote City locations: ExtraTeam will change/reconfigure up to 3 remote City-owned devices to accommodate new IP addresses: ASA firewalls (5505 or similar) or SOHO Cisco routers (IOS based).
    ▪ The City will be responsible for DNS changes or changes needed outside of City-owned Cisco network equipment to accommodate the IP address change.
  o EIGRP routing will be enabled on the “inside” interface to enable automatic failover of City Hall networks to backup 5515 or backup 100Mb ISP.
  o A new DMZ will be provisioned to provide Internet access to the Police Department, connected to a new 3850 IP-Services switch stack.
    ▪ EIGRP routing will be enabled on this “Police Internet DMZ” to enable automatic failover of Police networks to backup 5515 or backup 100Mb ISP.
    ▪ The 3850 IP-Services switch stack will make routing decisions and provide a new fiber connection to the PD for Internet.
  o 3 new DMZs will be provisioned to provide Internet access to remote locations whose networks are currently trunked back to City Hall via fiber optic cable:
    ▪ 2 separate wireless networks (connected as 1G Ethernet to the ASA firewalls).
    ▪ The “library public” network (connected as 1G Ethernet to the ASA firewalls).
    ▪ A new 2960-X switch stack will be provisioned to provide Layer-2 VLANs for the DMZs and 1G connectivity.
    ▪ NOTE: VLANs are assumed trunked via fiber optic cables to the remote sites, shall exist as Layer-2 only VLANs on City Hall switching equipment, connected as 1G access ports to the ASA firewalls.
• BGP Planning:
  o Teleconference with ISPs (Internet Service Providers) to assist with the provisioning and related planning with turn-up of BGP routing.
  o The design will require the service providers to announce (via BGP) a single default route (0.0.0.0/0) for the entire Internet. The 10G provider’s 0.0.0.0/0 will always be preferred. NOTE: there are rare conditions in which a service provider may be having problems with their own network or peering connections, yet that provider still announces a route for 0.0.0.0/0 to us. In this case, we are unable to automatically fail over to the backup provider because the primary provider must first stop announcing the 0.0.0.0/0 route to indicate that their Internet is down. This caveat is commonly accepted by customers if they trust the reliability of their service provider’s network. The only “perfect failover” requires dedicated ASR routers to accept full Internet routing tables (nearly 1 million IP routes, which the ASA firewall cannot handle).
  o The primary 10G service provider will assign 1 or more IP address blocks for use on the Internet. This IP address block will be shared by both providers, with the primary provider having a higher preference.
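
The default-route caveat in the BGP Planning NOTE above, modeled as an added example that is not part of the original plan: route selection looks only at which providers announce 0.0.0.0/0 and at their preference, so a primary that keeps announcing while its Internet is down keeps the traffic. The provider names, the local-preference values and the `internet_reachable` probe result are assumptions made for illustration.

```python
# Added illustration: models only the default-route choice described in the NOTE.
from dataclasses import dataclass

@dataclass
class Provider:
    name: str                 # hypothetical label
    local_pref: int           # assumed value; higher wins, as in BGP best-path
    announces_default: bool   # is 0.0.0.0/0 currently received from this peer?
    internet_reachable: bool  # assumed result of an independent data-plane probe

def best_default(providers):
    """Return the provider whose 0.0.0.0/0 would be installed, or None."""
    candidates = [p for p in providers if p.announces_default]
    return max(candidates, key=lambda p: p.local_pref, default=None)

def assess(providers):
    """Classify the state as 'ok', 'failed-over', 'blackhole' or 'no-route'."""
    chosen = best_default(providers)
    if chosen is None:
        return "no-route", None
    if not chosen.internet_reachable:
        # The route is still present, so nothing triggers a move to the backup.
        return "blackhole", chosen.name
    preferred = max(providers, key=lambda p: p.local_pref)
    state = "ok" if chosen is preferred else "failed-over"
    return state, chosen.name

def scenario(primary_announces, primary_reachable):
    """Constructed two-provider setup: preferred 10G link and 100Mb backup."""
    providers = [
        Provider("primary-10G", 200, primary_announces, primary_reachable),
        Provider("backup-100Mb", 100, True, True),
    ]
    return assess(providers)

if __name__ == "__main__":
    # Normal operation, clean withdrawal, and the caveat case from the NOTE.
    for ann, reach in [(True, True), (False, False), (True, False)]:
        print(f"announces={ann} reachable={reach} ->", scenario(ann, reach))
```

The third case is the one the NOTE describes; only a check that is independent of the BGP announcement, such as the probe assumed here, would surface it.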