Phase 1: Firewall and Internet Migration Planning

• Develop a migration plan to migrate existing Cisco ASA5520 configurations to Cisco ASA5585.
  Configuration will migrate like-for-like except the following:
    o Public IP addresses will change as the ISP is changing. A new IP subnet will be allocated by the ISP and routed in BGP. Firewall configurations must change to accommodate the IP address change.
        • IPSEC site-to-site VPNs at remote City locations: ExtraTeam will change/reconfigure up to 3 remote City owned devices to accommodate new IP addresses: ASA firewalls (5505 or similar) or SOHO Cisco Routers (IOS based).
        • The City will be responsible for DNS changes or changes needed outside of City owned Cisco network equipment to accommodate the IP address change.
    o EIGRP routing will be enabled on the "inside" interface to enable automatic failover of City Hall networks to backup 5515 or backup 100Mb ISP.
    o A new DMZ will be provisioned to provide Internet access to the Police Department, connected to a new 3850 IP-Services switch stack.
        • EIGRP routing will be enabled on this "Police Internet DMZ" to enable automatic failover of Police networks to backup 5515 or backup 100Mb ISP.
        • The 3850 IP-Services switch stack will make routing decisions and provide a new fiber connection to the PD for Internet.
    o 3 new DMZs will be provisioned to provide Internet access to remote locations whose networks are currently trunked back to City Hall via fiber optic cable:
        • 2 separate wireless networks (connected as 1G Ethernet to the ASA firewalls).
        • The "library public" network (connected as 1G Ethernet to the ASA firewalls).
        • A new 2960-X switch stack will be provisioned to provide Layer-2 VLANs for the DMZs and 1G connectivity.
        • NOTE: VLANs are assumed trunked via fiber optic cables to the remote sites, shall exist as Layer-2 only VLANs on City Hall switching equipment, connected as 1G access ports to the ASA firewalls.
• BGP Planning:
    o Teleconference with ISPs (Internet Service Providers) to assist with the provisioning and related planning with turn-up of BGP routing.
    o The design will require the service providers to announce (via BGP) a single default route (0.0.0.0/0) for the entire Internet. The 10G provider's 0.0.0.0/0 will always be preferred.
      NOTE: there are rare conditions such that a service provider may be having problems with their own network or peering connections, yet that provider still announces a route for 0.0.0.0/0 to us. In this case, we are unable to automatically fail over to the backup provider because the primary provider must first stop announcing the 0.0.0.0/0 route to indicate that their Internet is down. This caveat is commonly accepted by customers if they trust the reliability of their service provider's network. The only "perfect failover" requires dedicated ASR routers to accept full Internet routing tables (nearly 1 million IP routes, which the ASA firewall cannot handle).
    o The primary 10G service provider will assign 1 or more IP address blocks for use on the Internet. This IP address block will be shared by both providers, with the primary provider having a higher preference.
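
The default-route-only failover caveat described under BGP Planning, as an added Python model that is not part of the original document. The provider names and the preference values (200 and 100) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Provider:
    name: str                # hypothetical label, not from the document
    local_pref: int          # assumed preference value; higher wins
    announces_default: bool  # provider is still sending 0.0.0.0/0 over BGP
    upstream_healthy: bool   # provider can actually reach the Internet


def select_exit(providers: List[Provider]) -> Optional[Provider]:
    """Pick the installed default route: the most preferred 0.0.0.0/0
    among providers that are still announcing it. Provider health is
    invisible here because only the default route is received."""
    announced = [p for p in providers if p.announces_default]
    return max(announced, key=lambda p: p.local_pref, default=None)


def outcome(providers: List[Provider]) -> str:
    """Describe what happens to Internet-bound traffic."""
    best = select_exit(providers)
    if best is None:
        return "no default route"
    if not best.upstream_healthy:
        # The caveat: route still announced, so no failover takes place.
        return f"blackholed via {best.name}"
    return f"forwarding via {best.name}"


def scenario(primary_announces: bool, primary_healthy: bool) -> str:
    """Primary 10G state varies; the backup 100Mb provider stays healthy."""
    return outcome([
        Provider("primary-10G", 200, primary_announces, primary_healthy),
        Provider("backup-100Mb", 100, True, True),
    ])


if __name__ == "__main__":
    print("normal operation:        ", scenario(True, True))
    print("primary withdraws route: ", scenario(False, False))
    print("primary broken, announces:", scenario(True, False))
```
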