[c-nsp] router and transparent bridging help needed.

Aaron ml at proficuous.com
Thu Dec 6 20:42:49 EST 2007


Bruce Pinsky wrote:
>
> Aaron wrote:
>> Ibrahim Abo Zaid wrote:
>>> Dear Aaron
>>>  
>>>  
>>> regarding bridging frames directly to your internal router via your 
>>> firewall, the Cisco document below shows transparent bridging over 
>>> many scenarios, including frame-relay to ethernet
>>> bridging
>>>  
>>> http://www.cisco.com/en/US/tech/tk331/tk660/technologies_tech_note09186a0080094471.shtml
>>>  
>>> regarding the HW point, i believe that any Cisco router that supports 
>>> frame-relay will do it,
>>> starting from the Cisco 805
>>>  
>>> i hope you will find that useful in that case
>>>  
>>> best regards
>>> -- Abo Zaid
>>>
>> Thanks Abo, that seems to be exactly what I was needing and will
>> do exactly what I was wanting.
>>
>> I wonder why so many different thoughts on what the IOS can and can't do.
>>
>
> Because the person citing that doc fails to understand that the doc
> describes bridging from one router to another that is also bridging.  What
> I thought you described (and I think others thought) is that you need a
> situation where one of the routers is bridging and the other downstream
> router is routing.  That won't work.  A frame encap'd IPv4 packet will be
> rejected by an interface that is expecting a frame encap'd bridge packet
> (and vice versa).
>
> So in the original example:
>
>> ISP|unknown router|serial(Frame)|address 1.2.3.4
>>                          |
>>                    ______|_______
>>                         wic-1t
>>                 some cisco router
>>                        ethernet
>>                  ---------|-------------
>>                           |
>>                     1.2.3.5eth0
>>               internal router/firewall
>
>
> packets from "unknown router" will be frame encap'd with NLPID of 0xCC
> indicating IPv4 over frame relay.  If wic-1t router is bridging, it is
> expecting to receive a frame encap'd packet with an NLPID of 0x80 with an
> OUI and PID indicating the type of MAC layer encapsulation to be expecting
> within the frame relay packet.  The NLPIDs won't match, so the packet will be
> rejected.
>
> If "unknown router" can bridge IP instead of routing it, then this could
> work with "some cisco router" acting as a pure bridge.  But if that is the
> ISP router (as indicated), that isn't likely to happen.
>
> So, your best choice here is probably to readdress "internal router",
> place address 1.2.3.5 on the wic-1t interface, and have "some cisco router"
> route between your ISP and the "internal router".
>
> --
> =========
> bep
>
Hmmm... food for thought. Thanks for that explanation, Bep.

I thought (ok.. hoped and prayed) that the (some cisco), which I have 
determined to be a 2601, would be able to do protocol conversion from 
frame encap to ethernet frames.  Is there anything that can do that 
reliably?  Or possibly I have not described the situation as well as I 
thought.

From the above diagram, let's call the ISP with address 1.2.3.4 router 
A, the (some cisco router) router B, and the router at our site (aka 
linux box)/firewall router C, with address 1.2.3.5.  What I had 
originally envisioned was that router B become invisible to both 
sides (aka transparent bridge), while at the same time doing protocol 
conversion between the frame enc and ethernet enc.

I have seen some products like 
http://www.jbmelectronics.com/product/g900face.htm and 
http://adnet002.trustpass.alibaba.com/product/11853526/E1_To_Ethernet_10_100baset_Protocol_Converter.html 
that do strictly protocol conversion, but they seem very high priced.  I 
have also read on some lists that they are not very reliable, somewhat 
flaky if you will.

I guess then that I will be stuck doing routing on the 2601.   Does this 
make my 2601 more vulnerable at this point?  With this simple (at least 
it seems simple enough) configuration, will I have to worry about 
upgrading the IOS every time a vulnerability comes out?  Do the 
vulnerabilities that get issued really have much impact on a router that 
is doing something as simple as the above? I'm sure you can tell that 
I'm not very knowledgeable on Cisco equipment and, although I intend to 
increase my skill set, at least to the point where I can work within 
IOS w/o fear of breaking things, I'm not currently there, hence the 
extreme N00b questions.

Thanks again to everyone that has helped.

Aaron
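As an added illustration of the NLPID mismatch Bep describes above (this is example code, not anything from the thread or from Cisco), the Python below classifies RFC 2427 Frame Relay PDUs as routed IPv4 (NLPID 0xCC) or bridged 802.3 (NLPID 0x80 plus SNAP OUI 00-80-C2) and models which PDUs a bridging or a routing interface would accept; the DLCI, MAC addresses and sample headers are constructed values.

```python
"""Classify RFC 2427 Frame Relay PDUs as routed IPv4 or bridged 802.3 (added example)."""

NLPID_IPV4 = 0xCC                 # routed IPv4 follows the control field directly
NLPID_SNAP = 0x80                 # a SNAP header (3-byte OUI + 2-byte PID) follows
OUI_IEEE_8021 = b"\x00\x80\xc2"   # OUI used for bridged PDUs
BRIDGED_8023_PIDS = {0x0001, 0x0007}  # 802.3 with / without preserved FCS


def classify(frame: bytes) -> dict:
    """Return the DLCI, the encapsulation kind and the inner payload of one PDU."""
    if len(frame) < 4 or frame[2] != 0x03 or not frame[1] & 0x01:
        raise ValueError("expected a 2-byte Q.922 address followed by UI control 0x03")
    dlci = ((frame[0] >> 2) << 4) | (frame[1] >> 4)
    i = 3
    if frame[i] == 0x00:          # optional pad byte used to align the SNAP header
        i += 1
    nlpid = frame[i]
    if nlpid == NLPID_IPV4:
        return {"dlci": dlci, "kind": "routed-ipv4", "payload": frame[i + 1:]}
    if nlpid == NLPID_SNAP and len(frame) >= i + 6:
        oui = frame[i + 1:i + 4]
        pid = int.from_bytes(frame[i + 4:i + 6], "big")
        if oui == OUI_IEEE_8021 and pid in BRIDGED_8023_PIDS:
            return {"dlci": dlci, "kind": "bridged-802.3", "payload": frame[i + 6:]}
        return {"dlci": dlci, "kind": "snap-other", "payload": frame[i + 6:]}
    return {"dlci": dlci, "kind": f"nlpid-0x{nlpid:02x}", "payload": frame[i + 1:]}


def interface_accepts(mode: str, frame: bytes) -> bool:
    """Model the mismatch from the thread: a bridging interface only takes bridged
    PDUs, a routing interface only takes routed IPv4, anything else is dropped."""
    kind = classify(frame)["kind"]
    return kind == "bridged-802.3" if mode == "bridge" else kind == "routed-ipv4"


# Constructed sample PDUs on DLCI 100 (Q.922 address bytes 0x18 0x41, EA bit set).
Q922_DLCI_100 = b"\x18\x41"
IPV4_HDR = bytes.fromhex("4500001400010000401100000102030401020305")  # 1.2.3.4 -> 1.2.3.5
ROUTED_PDU = Q922_DLCI_100 + b"\x03" + bytes([NLPID_IPV4]) + IPV4_HDR
ETH_FRAME = bytes.fromhex("0200000000010200000000020800") + IPV4_HDR  # dst, src, type 0x0800
BRIDGED_PDU = (Q922_DLCI_100 + b"\x03\x00" + bytes([NLPID_SNAP])
               + OUI_IEEE_8021 + (0x0007).to_bytes(2, "big") + ETH_FRAME)

if __name__ == "__main__":
    for name, pdu in (("routed", ROUTED_PDU), ("bridged", BRIDGED_PDU)):
        info = classify(pdu)
        print(f"{name}: DLCI {info['dlci']} {info['kind']} "
              f"bridge-if={interface_accepts('bridge', pdu)} "
              f"route-if={interface_accepts('route', pdu)}")
```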

