Angralitux | [HELP] 2 questions for a new net design (VLANs & IPsec VPNs) After the help on deciding which gear to get to fix this hell of a network, I did the initial design of what the network would look like. I'm (trying) to use Packet Tracer to simulate the lab to avoid using real gear, because I don't have everything yet, and it is not convenient to wait for it to get here.
1. The first problem is VLAN configuration: I don't know if it's a bug in Packet Tracer, but isn't it supposed that when I set a trunk between 2 switches and only allow a determined VLAN, when I do the "show vlan brief" only the allowed VLAN appears on the target switch?
target switch:
Switch3_MOD_SD#sho run
Building configuration...

Current configuration : 1114 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch3_MOD_SD
!
interface FastEthernet0/1
 switchport trunk allowed vlan 41
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 41
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
no cdp run
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

Switch3_MOD_SD#sho vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig1/1, Gig1/2
10   WAN                              active
40   servers                          active
41   ws-sdop                          active    Fa0/2
60   extranet                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
This is the main switch:
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Central_MOD_SD
!
ip routing
!
interface FastEthernet0/1
 switchport trunk allowed vlan 41
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk allowed vlan 41
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
 switchport trunk allowed vlan 41
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 40
!
interface FastEthernet0/5
 switchport access vlan 40
!
interface FastEthernet0/6
 switchport access vlan 10
!
interface FastEthernet0/7
 switchport access vlan 60
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 143.1.0.2 255.255.0.0
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
!
interface Vlan41
 ip address 192.168.41.1 255.255.255.0
!
interface Vlan60
 ip address 10.0.60.1 255.255.255.0
!
ip classless
ip route 192.168.45.0 255.255.255.0 143.1.0.1
ip route 143.13.0.0 255.255.0.0 143.1.0.1
!
no cdp run
!
line con 0
line vty 0 4
 login
!
end

I never did VLANs on a multilayer switch; when I did my CCNA I just used the "router on a stick" config, so bear with anything weird you see there. Also, I will be using EIGRP for routing traffic, but it looks like there's a bug in Packet Tracer that doesn't allow a multilayer switch to use it; on routers it works fine.
The other question is the following:
I have 2 "mobile" branches. What I mean by mobile is that these are trailers where the people go and do whatever service we offer, as if they were at a "physical" branch. The problem is that I originally connected these trailers with a 3G cellular connection and a Linksys WRT54G acting as a PPTP client to make a "VPN" connection to HQ.
I want to implement IPsec VPNs to make an appropriate and permanent solution, but the 3G connection, although it is fast, is a NATted connection, which means the router I intend to use will not have a public IP address. The router will be an 871W, and the question is: can I do a site-to-site VPN with an 871W behind a NATted internet connection? Obviously at the HQ there will be a public and static IP address for terminating the tunnels.
Sorry for the long post, any help appreciated. -- All Is possible...
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | Re: [HELP] 2 questions for a new net design (VLANs & IPsec VPNs) Layer-2 VLAN configuration on Layer-3 switches is the same as on Layer-2 switches. The problem I see in your configuration is that you need to permit the Native VLAN to pass through the trunk ports in addition to the host VLAN 41.
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | reply to Angralitux You could do site-to-site VPN with a NAT-ed network where the VPN terminator sits behind the NAT-ed box. From your description, you may want to consider using Easy VPN instead of traditional site-to-site IPsec VPN, where the HQ VPN terminator acts as the VPN server and the remote office VPN terminator acts as the VPN client. This Easy VPN solution is designed for cases where at least one of the following criteria is met:
* The VPN client sits behind a NAT box where the VPN client IP address will be NAT-ed
* The VPN client network uses a dynamic public IP address which may change at any time
* You don't really have management access to the Internet router or firewall that sits in front of the VPN client
cramer (join: 2007-04-10; Raleigh, NC; kudos: 5) | reply to Angralitux "show vlan" will not report anything about trunked ports. You'll have to look up the exact VLAN ("show vlan id 41") or check the port configuration ("show int f0/1 switchport"). It's always bugged me that Cisco does that.
Angralitux | reply to aryoba Why is it necessary to allow native VLAN traffic? It's been a long time, but I recall the instructor saying the native VLAN must be relocated to another number OR its traffic disabled on access switches, to avoid admin traffic on the user domain; this is to add security to the design or something like that.
My original question still stands: why am I seeing all VLANs on access switches when I configured the trunk to just allow one VLAN? Or is this expected behavior of VTP? To be honest I don't remember if I saw this in the labs I did or not.
If I disallow native VLAN traffic on the trunk interfaces, will this interfere with VTP? -- All Is possible...
Angralitux | reply to cramer I used "show vlan brief" on the access switches. From what I researched it looks like I was wrong; this is expected behavior, as this will show all VLANs available in the VTP domain. -- All Is possible...
Angralitux | reply to aryoba That's not the scenario I described. I will try to describe it rudimentarily:

[=] - HQ Network 10.0.x.x
 |
 |
 O - HQ Router/Firewall (WAN Public Address) 200.x.x.x
 |
() - Internet
 |
 O - ISP Gateway (WAN Public Address) 201.x.x.x
 |
 O - 3G Router (WAN Private Address Range) 172.16.x.x
 |
 O - 871W Router (Private Address Range) 192.168.x.x
 |
 |
[=] - Branch Network 10.0.x.x

I hope that clears it up. I have a PIX and an 837 router; I will try to reproduce the thing here. The request I got is that both networks must be able to see each other (i.e. a ping from a private address at HQ can go to a branch host). -- All Is possible...
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | reply to Angralitux said by Angralitux: Why is it necessary to allow native VLAN traffic?
Since you are using the dot1q encapsulation protocol for trunks, you need to have the Native VLAN pass through this encapsulation protocol, as the VLAN database is passed in and out of the switch using such Native VLAN. If your device is an edge device (i.e. a router or host), then there might not be a need to allow the Native VLAN to pass through.
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | reply to Angralitux said by Angralitux: That's not the scenario I described. I will try to describe it rudimentarily:

[=] - HQ Network 10.0.x.x
 |
 |
 O - HQ Router/Firewall (WAN Public Address) 200.x.x.x
 |
() - Internet
 |
 O - ISP Gateway (WAN Public Address) 201.x.x.x
 |
 O - 3G Router (WAN Private Address Range) 172.16.x.x
 |
 O - 871W Router (Private Address Range) 192.168.x.x
 |
 |
[=] - Branch Network 10.0.x.x

I hope that clears it up. I have a PIX and an 837 router; I will try to reproduce the thing here. The request I got is that both networks must be able to see each other (i.e. a ping from a private address at HQ can go to a branch host).
The Easy VPN solution is still applicable to such a network design. In fact, such a design is typical for Easy VPN deployment, where the remote sites are either mobile or home users.
Angralitux | reply to aryoba I suspected that would be the case; to correct it I'll fix the config to allow the native VLAN and rename it to something else. -- All Is possible...
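As an added example (not the OP's config and not from any reply above), this is what that fix looks like on the two trunk ends shown earlier: the native VLAN is moved off VLAN 1 to an ID no access port uses, that ID is allowed on the trunk alongside VLAN 41, DTP is switched off, and the result is checked with the per-port commands cramer mentioned rather than "show vlan brief". VLAN 999 is an assumed unused ID; the interface names are the ones from the OP's configs.

```cisco
! --- Access switch Switch3_MOD_SD: trunk toward the core ---
! Assumed unused VLAN ID for the native VLAN; no access port is placed in it.
vlan 999
 name native-unused
!
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,999
 switchport nonegotiate
!
! --- Core switch Central_MOD_SD: the same trunk from its side ---
! (encapsulation is set explicitly here, as in the OP's config)
vlan 999
 name native-unused
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,999
 switchport nonegotiate
!
! --- Verification, run on either switch ---
! "show vlan brief" lists every VLAN in the VTP domain and says nothing
! about trunks, so inspect the trunk itself: the native VLAN must match
! on both ends, and the allowed list should show only 41 and 999.
! show interfaces fastEthernet0/1 trunk
! show interfaces fastEthernet0/1 switchport
! show vlan id 41
```

With VTP in server/client mode the "vlan 999" definition only needs to be entered on the VTP server; in transparent mode it must exist on both switches.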
Angralitux | reply to aryoba OK, and what is this "Easy VPN" thing you're talking about? Is it a feature on routers/PIXes? Will this comply with the request that each network see the other? How do I use it? -- All Is possible...
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | Easy VPN is basically a simplified version of traditional site-to-site IPsec VPN, as follows:
* One VPN terminator acts as the central (hub) VPN terminator, or simply called the VPN server, while the remaining VPN terminators act as VPN clients
* No need to specify the VPN clients' peer IP address in the ISAKMP configuration on the VPN server. You still need to configure the rest, though, such as the protocol, hash, and authentication method.
You can see the Easy VPN approach is similar to the authentication process of the VPN client software that is installed and used on laptops by remote users to connect to a VPN server. Check out the following link for illustration.
»www.cisco.com/en/US/tech/tk583/t···18.shtml
Angralitux | OK, I see everything is too easy, but I'm not seeing the way things will route to or from; I suppose the routes will be added when both ends start the tunnel?
On the hub router I see there's a list of IPs that will be assigned to hosts, but are these for the device running the tunnel (the PIX, I suppose), or will this be for the hosts behind it? -- All Is possible...
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | The route path is similar to traditional site-to-site IPsec VPN, where a remote site connects directly to a central site over the tunnel, since both site-to-site and Easy VPN are simply point-to-point (or point-to-multipoint) networks.
The VPN server IP address pool is not applicable in your situation since you are using VPN hardware (either a router or a PIX) as the VPN client. If you were using a laptop running VPN client software, then the IP address pool would be applicable. Check out the other Easy VPN sample configuration from the parent link, as follows, for further illustration.
»www.cisco.com/en/US/products/hw/···anchor11
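An added example (not from the thread or from the Cisco pages linked above) sketching the arrangement the last two replies describe: the HQ router as Easy VPN server and the 871W as a hardware client in network-extension mode, which is what lets branch hosts keep their own addresses and be reached from HQ. The group name, pre-shared key, peer address and WAN interface names are placeholders or assumptions, not values from the thread.

```cisco
! === HQ Easy VPN server: IOS router holding the static public address ===
aaa new-model
aaa authorization network EZVPN-AUTHOR local
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Group the 871W authenticates with (placeholder key). No address pool:
! a hardware client in network-extension mode keeps its LAN addressing.
crypto isakmp client configuration group BRANCH
 key GROUP-PRESHARED-KEY-PLACEHOLDER
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
! reverse-route injects the branch LAN prefix into HQ's routing table
! when the tunnel comes up, which is how traffic finds the branch.
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
crypto map EZVPN-MAP isakmp authorization list EZVPN-AUTHOR
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
! WAN interface carrying the 200.x.x.x address (interface name assumed)
interface FastEthernet4
 crypto map EZVPN-MAP
!
! === Branch 871W as Easy VPN hardware client, behind the 3G router's NAT ===
crypto ipsec client ezvpn BRANCH
 connect auto
 group BRANCH key GROUP-PRESHARED-KEY-PLACEHOLDER
 mode network-extension
 peer HQ-PUBLIC-IP-PLACEHOLDER
!
! Outside: receives the 172.16.x.x private address from the 3G router
interface FastEthernet4
 crypto ipsec client ezvpn BRANCH
!
! Inside: the branch LAN that HQ must be able to reach
interface Vlan1
 crypto ipsec client ezvpn BRANCH inside
!
! Verify: show crypto ipsec client ezvpn / show crypto isakmp sa / show crypto ipsec sa
```

IOS negotiates NAT traversal (UDP 4500) automatically, so the 3G NAT needs nothing beyond outbound UDP 500/4500; network-extension mode also assumes the branch subnet does not overlap any HQ range.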
Angralitux | reply to Angralitux Well, I'm down to just 1 Cisco device to build the lab, because the PIX 501 I had just fried itself. Looks like the AC adapter was a bit loose and I was moving it at the moment and it decided to burn itself.
Now I'm down to one 837, and can't do anything with it.
Aryoba, thanks for pointing out the Easy VPN thing; the only bad thing is that it forces me into having a Cisco device on each end. I suppose I can also have a classic crypto tunnel for non-Cisco devices, which will be necessary for connections to third parties. -- All Is possible...
aryoba (Premium, MVM; join: 2002-08-22; kudos: 1) | I believe Easy VPN is a Cisco solution, so I don't think the solution would work or be stable using a non-Cisco device. When you have a non-Cisco VPN box, the safest solution is to deploy traditional site-to-site IPsec VPN.
As to your PIX issue, perhaps you could just buy a replacement power adapter from one of those eBay sellers.
Angralitux | Nope, the PIX was the one that fried, not the AC adapter. I believe I could repair it, as it's really (I think) a capacitor. It was just one, and it looks fried as hell on the PIX motherboard, near the power input. What I don't understand is why it had to get fried. The only unusual thing about this PIX is that it had a few years without being used. I connected it using the original AC adapter that came with it, and there are no known electrical problems at my place... hmmm.
I'll try to find the capacitor, but it'll be hard without looking at the Bill of Materials of this particular PIX; because of the burn I can't read anything that tells me which attributes the cap had. -- All Is possible...