[c-nsp] 827 router as 'DMZ'
Dan
dan at technc.com
Fri Apr 13 10:49:48 EDT 2007
Jesse,
I had looked into doing that as well. The only problem is that the 2800
series of routers does not support PPPoE connections on a sub-interface,
only on a full L3 interface or an ATM WIC.
Dan.
Jesse Alexander wrote:
> Hello Dan,
>
> Thanks a lot!
>
> I think that a multilayer switch could be very helpful to you. You
> can put the four DSL connections on the switch on one vlan, and make
> the connection to the 2801 a trunk. Or you can put each DSL line on
> its own VLAN and determine on the 2801 who/what accesses which DSL
> line via VLANs. Cisco 3550 switches are EOL, but you can probably get
> one at a reasonable price, and they are multilayer switches.
>
> Here is the data sheet on the 3550 series:
>
> http://www.cisco.com/en/US/products/hw/switches/ps646/products_data_sheet09186a00800913d7.html
>
>
> The 3550 is just an example. There are tons of multilayer switches,
> and although I prefer Cisco, I have heard some decent things about HP
> ProCurve multilayer switches, and they are much less expensive.
>
> Sample configs as to what I am thinking about (they are not full
> configs, but basic enough that will work):
>
> <<<<< SAMPLE ONE >>>>>
>
> conf t
> vlan 10
> name DSL_VLAN
> exit
> !
> interface Loopback0
> ip address [public IP and subnet mask of the single public IP address
> you get]
> no shut
> !
> int fa0/1
> description DSL1
> switchport mode access
> switchport access vlan 10
> no shut
> !
> int fa0/2
> description DSL2
> switchport mode access
> switchport access vlan 10
> no shut
> !
> int fa0/3
> description DSL3
> switchport mode access
> switchport access vlan 10
> no shut
> !
> int fa0/4
> description DSL4
> switchport mode access
> switchport access vlan 10
> no shut
> !
> int fa0/5
> description trunk to 2801
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport trunk allowed vlan 10
> no shut
> end
>
> <<<<< SAMPLE TWO >>>>>
>
> or ... you can have each DSL line with its own VLAN to manage what
> traffic goes out each (you would designate this via VLANs on the 2801):
>
> conf t
> vlan 10
> name DSL1
> vlan 20
> name DSL2
> vlan 30
> name DSL3
> vlan 40
> name DSL4
> exit
> !
> interface Loopback0
> ip address [public IP and subnet mask of the single public IP address
> you get]
> no shut
> !
> int fa0/1
> description DSL1
> switchport mode access
> switchport access vlan 10
> no shut
> !
> int fa0/2
> description DSL2
> switchport mode access
> switchport access vlan 20
> no shut
> !
> int fa0/3
> description DSL3
> switchport mode access
> switchport access vlan 30
> no shut
> !
> int fa0/4
> description DSL4
> switchport mode access
> switchport access vlan 40
> no shut
> !
> int fa0/5
> description trunk to 2801
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport trunk allowed vlan 10,20,30,40
> no shut
> end
>
> Just make sure VTP is set to transparent ;)
> show vtp status
>
> Sincerely,
>
> Jesse
>
>
>
> ----- Original Message ----- From: "Dan" <dan at technc.com>
> To: "Jesse Alexander" <ut-longhorns at hotmail.com>;
> <cisco-nsp at puck.nether.net>
> Sent: Thursday, April 12, 2007 9:04 AM
> Subject: Re: [c-nsp] 827 router as 'DMZ'
>
>
>> Let me see if I can paint a better picture.
>>
>> I work for a school district and each school that is accessing the
>> internet from this particular location gets routed out a particular
>> DSL line according to usage stats. So right now the 2801 is set up to
>> do PBR to each of the Linux DSL routers that I have behind it. The
>> Linux DSL routers are connecting to my ISP through the modems
>> provided. The Linux DSL routers are standard workstations converted
>> to do PPPoE/NAT/routing/queueing. I would like to simplify this
>> configuration with some kind of Cisco hardware. The reason I have 4
>> DSL lines is because there is nothing else available in my location.
>> I now have the 827 working and I have replaced one of the Linux boxes
>> and modems with that unit instead. This will be a little better, but
>> I would have liked to use the 2801 to do everything.
>>
>> Dan.
>>
>> Jesse Alexander wrote:
>>> Hello Dan,
>>>
>>> How are the four DSL lines delivered to you? Are they providing
>>> some kind of 'modem' that all four terminate on, or are you dealing
>>> with four DSL modems, or otherwise? I haven't worked with multiple
>>> commercial DSL lines previously. I mainly work with T1's, T3's,
>>> OC3's, etc.. lol. But with some clarification, we can find a way
>>> for standard networking to do its thing :)
>>>
>>> You say that you want to use the 2801 to NAT. What network goals
>>> are you trying to achieve? I believe if I can understand the bigger
>>> picture I can be more helpful.
>>>
>>> Does your ISP require you to authenticate for your DSL connections?
>>>
>>> Sorry for all my questions.
>>>
>>> Sincerely,
>>>
>>> Jesse
>>>
>>> ----- Original Message ----- From: "Dan" <dan at technc.com>
>>> To: "Jesse Alexander" <ut-longhorns at hotmail.com>;
>>> <cisco-nsp at puck.nether.net>
>>> Sent: Wednesday, April 11, 2007 11:58 AM
>>> Subject: Re: [c-nsp] 827 router as 'DMZ'
>>>
>>>
>>>> Jesse,
>>>>
>>>> I only have one external IP. So it looks like I'm stuck with
>>>> having NAT on the 827. What I really wanted to do is to have all
>>>> four of my DSL lines terminated on the 2801 router with the HWIC
>>>> 4ESW. I have explored that option and it will not work because of
>>>> a limitation of the HWIC. So I was looking for a cheaper solution
>>>> that would allow me to use the 827 router as a PPPoE termination
>>>> point and then I was going to use the 2801 for NAT.
>>>>
>>>> Do you know of any other cheap solution that would work to
>>>> terminate 4 DSL lines and use the 2801 router for NAT?
>>>>
>>>> Thanks,
>>>> Dan.
>>>>
>>>> Jesse Alexander wrote:
>>>>> Hi Dan,
>>>>>
>>>>> If you have a public /30 IP range available to use, then easiest
>>>>> way is to assign e0 one IP and the other router's directly
>>>>> connected interface the other usable IP, such as:
>>>>>
>>>>> int e0
>>>>> ip address 209.126.2.1 255.255.255.252
>>>>>
>>>>> On other router:
>>>>>
>>>>> int [insert]
>>>>> ip address 209.126.2.2 255.255.255.252
>>>>>
>>>>> That way, the two are directly connected and therefore know how to
>>>>> route to each other. You can then use NAT on the 2801.
>>>>>
>>>>> Otherwise, you can use private IPs between the two, but NAT will
>>>>> be needed on the 827.
>>>>>
>>>>> Kinda hard not knowing what assets you have available to you for
>>>>> IPs and such.
>>>>>
>>>>> What would be best is if you had, say, a public /29 netblock from
>>>>> your ISP. That gives you 6 usable IPs. Have them set the 1st
>>>>> usable for your 827's interface that connects to your ISP's modem
>>>>> via mac address of your 827 (depending on how your ISP does that
>>>>> ... mine needs the mac address of my router, which is a 851).
>>>>>
>>>>> Then assign e0 the next available IP, and the 2801's interface
>>>>> that directly connects to the 827 then next IP available in the
>>>>> series of IPs you are allocated.
>>>>>
>>>>> I realize I have an 851 versus your 827, but I am certain that
>>>>> what you want to do can be done.
>>>>>
>>>>> I can be of more help if I know more specifics.
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Jesse
>>>>>
>>>>> ----- Original Message ----- From: "Dan" <dan at technc.com>
>>>>> Cc: <cisco-nsp at puck.nether.net>
>>>>> Sent: Tuesday, April 10, 2007 2:19 PM
>>>>> Subject: [c-nsp] 827 router as 'DMZ'
>>>>>
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm wondering if anyone has been able to set up an 827 router as a
>>>>>> DMZ router. What I would like to be able to do is have this box
>>>>>> connecting to my ISP via PPPoE, then have the box forward all traffic
>>>>>> through the e0 interface into a port on my 2801 router where I would
>>>>>> set up NAT. Is this possible with this 827 router?
>>>>>>
>>>>>> Thanks,
>>>>>> Dan.
>>>>>>
>>>>>> _______________________________________________
>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>
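The router side of the design discussed above, as an added example that is not part of any message in this thread: an 827 terminating one DSL line with a PPPoE client and NAT overload (NAT stays on the 827 because, as Dan says, there is only one public IP per line), and the 2801 receiving the four VLANs of Jesse's SAMPLE TWO as 802.1Q sub-interfaces and steering each school's subnet to a given line with PBR, which is what Dan already does toward the Linux boxes. The /30 transit networks 192.168.x0.0/30, the 10.x.0.0/16 school subnets, PVC 0/35, the CHAP credentials and the 2801 interface numbers are all assumptions for this example; substitute the ISP's values.

```cisco
! ===== 827 (one per DSL line): PPPoE client, NAT overload, Ethernet0 to the 2801 =====
! vpdn enable is required for the PPPoE client on older 12.x IOS; harmless on newer.
vpdn enable
!
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 0/35                          ! VPI/VCI is an assumption; ask the ISP
  pppoe-client dial-pool-number 1
!
interface Dialer1
 description PPPoE session to ISP (DSL1)
 ip address negotiated
 ip mtu 1492                      ! PPPoE header costs 8 bytes of the 1500 MTU
 ip access-group FROM-ISP in
 ip nat outside
 no ip proxy-arp
 no cdp enable
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname dsl1user@isp.example   ! assumed credentials
 ppp chap password 0 CHANGE-ME
!
interface Ethernet0
 description VLAN 10 toward 2801 fa0/1.10
 ip address 192.168.10.1 255.255.255.252
 ip nat inside
 ip tcp adjust-mss 1452           ! keeps TCP from blackholing behind the smaller MTU
!
dialer-list 1 protocol ip permit
! Drop obviously spoofed sources arriving from the ISP side.
ip access-list extended FROM-ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
! Translate both the transit /30 and the school subnets behind the 2801.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.3
 permit 10.0.0.0 0.255.255.255
ip nat inside source list NAT-INSIDE interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 192.168.10.2   ! return path to the school LANs via the 2801
!
! ===== 2801: dot1q sub-interfaces toward the switch trunk, PBR per school =====
interface FastEthernet0/1
 description 802.1Q trunk to multilayer switch fa0/5
 no ip address
 no shutdown
!
interface FastEthernet0/1.10
 description DSL1 (827 Ethernet0 on VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.252
!
interface FastEthernet0/1.20
 description DSL2 (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.252
! FastEthernet0/1.30 and .40 are configured the same way for DSL3 and DSL4.
!
interface FastEthernet0/0
 description inside, toward the school LANs
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map SCHOOL-PBR   ! PBR is applied on the interface packets ARRIVE on
!
ip access-list extended SCHOOL-A
 permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended SCHOOL-B
 permit ip 10.2.0.0 0.0.255.255 any
!
route-map SCHOOL-PBR permit 10
 match ip address SCHOOL-A
 set ip next-hop 192.168.10.1     ! school A always leaves via DSL1
route-map SCHOOL-PBR permit 20
 match ip address SCHOOL-B
 set ip next-hop 192.168.20.1     ! school B always leaves via DSL2
route-map SCHOOL-PBR permit 100
 ! no match clause: everything else falls through to the routing table
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1     ! default for unpolicied traffic
! Static routes from the 2801 to each school subnet are omitted here.
```

Checks worth running once this is in: `show ip policy` and `show route-map SCHOOL-PBR` on the 2801 show which interface carries the policy and the match counters per clause, `show ip nat translations` and `show pppoe session` on the 827 confirm the line is up and translating, and `traceroute` from a host in 10.1.0.0/16 should show 192.168.10.1 as the first hop. The plain `set ip next-hop` above does not notice a dead line; `set ip next-hop verify-availability` (optionally with an IP SLA `track` object) is the knob that lets a clause fall through to the next line when its 827 stops answering.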