Internet via existing Frame-relay

 
 
Doug
      08-12-2004
Client in Colorado has a frame-relay connection to our office in
Dallas via XO frame-relay. They are getting internet via XO coming
in on that same frame using an additional PVC. Colorado end is using
a 1600 with a WIC.

Any good white papers to read up on how to make this work?
 
Barry Margolin
      08-12-2004
In article <(E-Mail Removed) >,
(E-Mail Removed) (Doug) wrote:

> Client in Colorado has a frame-relay connection to our office in
> Dallas via XO frame-relay. They are getting internet via XO coming
> in on that same frame using an additional PVC. Colorado end is using
> a 1600 with a WIC.
>
> Any good white papers to read up on how to make this work?


Set up sub-interfaces, and then point the default route to the new PVC.

interface Serial0
 no ip address
 encapsulation frame-relay

! the sub-interface type must be given when the sub-interface is first created
interface Serial0.1 point-to-point
 description PVC to Dallas
 ip address <addr> <mask>
 frame-relay interface-dlci ###

interface Serial0.2 point-to-point
 description PVC to ISP
 ip address <outside addr assigned by ISP> <mask from ISP>
 frame-relay interface-dlci ###

ip route 0.0.0.0 0.0.0.0 Serial0.2

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
 
Doug
      08-13-2004
Thanks Barry, I figured it was something along those lines but I've never
done it.



"Barry Margolin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <(E-Mail Removed) >,
> (E-Mail Removed) (Doug) wrote:
>
>> Client in Colorado has a frame-relay connection to our office in
>> Dallas via XO frame-relay. They are getting internet via XO coming
>> in on that same frame using an additional PVC. Colorado end is using
>> a 1600 with a WIC.
>>
>> Any good white papers to read up on how to make this work?

>
> Set up sub-interfaces, and then point the default route to the new PVC.
>
> interface Serial0
> no ip address
> encapsulation frame-relay
>
> interface Serial0.1
> description PVC to Dallas
> ip address <addr> <mask>
> frame-relay interface-dlci ###
>
> interface Serial0.2
> description PVC to ISP
> ip address <outside addr assigned by ISP> <mask from ISP>
> frame-relay interface-dlci ###
>
> ip route 0.0.0.0 0.0.0.0 Serial0.2
>
> --
> Barry Margolin, (E-Mail Removed)
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***



 
Scooby
      08-13-2004
"Doug" <(E-Mail Removed)> wrote in message
news:h5VSc.246453$%_6.26303@attbi_s01...
> Thanks Barry, I figured it was something along those lines but I've never
> done it.
>
>
>
> "Barry Margolin" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > In article <(E-Mail Removed) >,
> > (E-Mail Removed) (Doug) wrote:
> >
> >> Client in Colorado has a frame-relay connection to our office in
> >> Dallas via XO frame-relay. They are getting internet via XO coming
> >> in on that same frame using an additional PVC. Colorado end is using
> >> a 1600 with a WIC.
> >>
> >> Any good white papers to read up on how to make this work?

> >
> > Set up sub-interfaces, and then point the default route to the new PVC.
> >
> > interface Serial0
> > no ip address
> > encapsulation frame-relay
> >
> > interface Serial0.1
> > description PVC to Dallas
> > ip address <addr> <mask>
> > frame-relay interface-dlci ###
> >
> > interface Serial0.2
> > description PVC to ISP
> > ip address <outside addr assigned by ISP> <mask from ISP>
> > frame-relay interface-dlci ###
> >
> > ip route 0.0.0.0 0.0.0.0 Serial0.2
> >
> > --
> > Barry Margolin, (E-Mail Removed)
> > Arlington, MA
> > *** PLEASE post questions in newsgroups, not directly to me ***

>
>


The problem comes with how to implement your firewall. It is a much nicer
setup when you have a separate device that interfaces to the internet. More
expensive, but a better solution, I think.



 
PES
      08-13-2004

"Doug" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Client in Colorado has a frame-relay connection to our office in
> Dallas via XO frame-relay. They are getting internet via XO coming
> in on that same frame using an additional PVC. Colorado end is using
> a 1600 with a WIC.
>
> Any good white papers to read up on how to make this work?


The configuration is just standard frame relay. Do some digging on Cisco's
website and you will find examples. Be aware, it is very difficult to
configure a good DMZ in this configuration.


 
Doug
      08-13-2004

"Scooby" <(E-Mail Removed)> wrote in message
news:3pWSc.19406$(E-Mail Removed) hlink.net...
> "Doug" <(E-Mail Removed)> wrote in message
> news:h5VSc.246453$%_6.26303@attbi_s01...
>> Thanks Barry, I figured it was something along those lines but I've never
>> done it.
>>
>>
>>
>> "Barry Margolin" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > In article <(E-Mail Removed) >,
>> > (E-Mail Removed) (Doug) wrote:
>> >
>> >> Client in Colorado has a frame-relay connection to our office in
>> >> Dallas via XO frame-relay. They are getting internet via XO coming
>> >> in on that same frame using an additional PVC. Colorado end is using
>> >> a 1600 with a WIC.
>> >>
>> >> Any good white papers to read up on how to make this work?
>> >
>> > Set up sub-interfaces, and then point the default route to the new PVC.
>> >
>> > interface Serial0
>> > no ip address
>> > encapsulation frame-relay
>> >
>> > interface Serial0.1
>> > description PVC to Dallas
>> > ip address <addr> <mask>
>> > frame-relay interface-dlci ###
>> >
>> > interface Serial0.2
>> > description PVC to ISP
>> > ip address <outside addr assigned by ISP> <mask from ISP>
>> > frame-relay interface-dlci ###
>> >
>> > ip route 0.0.0.0 0.0.0.0 Serial0.2
>> >
>> > --
>> > Barry Margolin, (E-Mail Removed)
>> > Arlington, MA
>> > *** PLEASE post questions in newsgroups, not directly to me ***

>>
>>

>
> The problem comes with how to implement your firewall. It is a much nicer
> setup when you have a separate device that interfaces to the internet.
> More
> expensive, but a better solution, I think.


Yeah, that was another concern that I hadn't voiced. I don't think the router's
basic NAT skills are going to do the job!



 
Barry Margolin
      08-13-2004
In article <Ds1Tc.244338$a24.171226@attbi_s03>,
"Doug" <(E-Mail Removed)> wrote:

> "Scooby" <(E-Mail Removed)> wrote in message
> news:3pWSc.19406$(E-Mail Removed) hlink.net...
> > The problem comes with how to implement your firewall. It is a much nicer
> > setup when you have a separate device that interfaces to the internet.
> > More
> > expensive, but a better solution, I think.

>
> Yeah, that was another concern that I hadn't voiced. I don't think the router's
> basic NAT skills are going to do the job!


It should do fine. Put "ip nat outside" on the sub-interface going to
the ISP, "ip nat inside" on the LAN. If the Denver office should also
have Internet access, put "ip nat inside" on that sub-interface as well.

If you use access lists for firewalling, put them on the ISP
sub-interface and they'll protect both office networks without
interfering with interoffice communications.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
 
Scooby
      08-13-2004
"Barry Margolin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <Ds1Tc.244338$a24.171226@attbi_s03>,
> "Doug" <(E-Mail Removed)> wrote:
>
> > "Scooby" <(E-Mail Removed)> wrote in message
> > news:3pWSc.19406$(E-Mail Removed) hlink.net...
> > > The problem comes with how to implement your firewall. It is a much nicer
> > > setup when you have a separate device that interfaces to the internet.
> > > More expensive, but a better solution, I think.
> >
> > Yeah, that was another concern that I hadn't voiced. I don't think the router's
> > basic NAT skills are going to do the job!

>
> It should do fine. Put "ip nat outside" on the sub-interface going to
> the ISP, "ip nat inside" on the LAN. If the Denver office should also
> have Internet access, put "ip nat inside" on that sub-interface as well.
>
> If you use access lists for firewalling, put them on the ISP
> sub-interface and they'll protect both office networks without
> interfering with interoffice communications.
>
> --
> Barry Margolin, (E-Mail Removed)
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***


I disagree... I wouldn't want someone connecting to my network that only
had that type of protection from the internet. At minimum, I'd have the
firewall feature set loaded on that router. But, I'd still prefer a separate
firewall device. Access lists alone are not a good firewall.



 
Doug
      08-13-2004
(E-Mail Removed) (Doug) wrote in message news:<(E-Mail Removed). com>...
> Client in Colorado has a frame-relay connection to our office in
> Dallas via XO frame-relay. They are getting internet via XO coming
> in on that same frame using an additional PVC. Colorado end is using
> a 1600 with a WIC.
>
> Any good white papers to read up on how to make this work?



Here's a link to the whole WAN
http://www.dougmasters.com/shc-plan.htm




Here's what I'm thinking for the router, but there's a potential
problem... how can I firewall the Denver to Dallas PVC?...




SHC-PPI/Internet#sho run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname SHC-PPI/Internet
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
ip subnet-zero
!
!
!
interface Ethernet0
ip address 205.158.xxx.xxx 255.255.255.0
no ip directed-broadcast
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
description PVC to Dallas
ip address 192.168.10.2 255.255.255.0
no ip directed-broadcast
frame-relay interface-dlci 30
!
interface Serial0.2 point-to-point
description PVC to Internet
ip address 67.110.xxx.xxx 255.255.255.0
no ip directed-broadcast
frame-relay interface-dlci ??
!
interface BRI0
no ip address
no ip directed-broadcast
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.2
ip route 10.20.0.0 255.255.0.0 Serial0.1
!
!
line con 0
password XXXXXXXXXXX
login
transport input none
line vty 0 4
password XXXXXXXXXXX
login
!
end

SHC-PPI/Internet#
 
Scooby
      08-13-2004
"Doug" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> (E-Mail Removed) (Doug) wrote in message news:<(E-Mail Removed). com>...
> > Client in Colorado has a frame-relay connection to our office in
> > Dallas via XO frame-relay. They are getting internet via XO coming
> > in on that same frame using an additional PVC. Colorado end is using
> > a 1600 with a WIC.
> >
> > Any good white papers to read up on how to make this work?

>
>
> Here's a link to the whole WAN
> http://www.dougmasters.com/shc-plan.htm
>
>
>
>
> Here's what I'm thinking for the router, but there's a potential
> problem... how can I firewall the Denver to Dallas PVC?...
>
>
>
>
> SHC-PPI/Internet#sho run
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> service udp-small-servers
> service tcp-small-servers
> !
> hostname SHC-PPI/Internet
> !
> enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
> !
> ip subnet-zero
> !
> !
> !
> interface Ethernet0
> ip address 205.158.xxx.xxx 255.255.255.0
> no ip directed-broadcast
> !
> interface Serial0
> no ip address
> no ip directed-broadcast
> encapsulation frame-relay IETF
> logging event subif-link-status
> logging event dlci-status-change
> service-module t1 timeslots 1-24
> frame-relay lmi-type ansi
> !
> interface Serial0.1 point-to-point
> description PVC to Dallas
> ip address 192.168.10.2 255.255.255.0
> no ip directed-broadcast
> frame-relay interface-dlci 30
> !
> interface Serial0.2 point-to-point
> description PVC to Internet
> ip address 67.110.xxx.xxx 255.255.255.0
> no ip directed-broadcast
> frame-relay interface-dlci ??
> !
> interface BRI0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0.2
> ip route 10.20.0.0 255.255.0.0 Serial0.1
> !
> !
> line con 0
> password XXXXXXXXXXX
> login
> transport input none
> line vty 0 4
> password XXXXXXXXXXX
> login
> !
> end
>
> SHC-PPI/Internet#



Doug,

As a bare minimum, I would install the Cisco firewall feature set. You can
apply that along with the access-list to the S0.2 interface. But, I would
strongly suggest you consider a separate drop to your carrier. Your
internet port fee should remain the same, you'll just need to pay a circuit
fee as well. It does bump up your cost by doing this, plus you'll need an
additional router. In the long run, you'll have much more control and peace
of mind.

That said, one thing I would change about your config is the default route.
Since you are using actual IP addresses on the interface, use the ip address
of the other router, rather than the interface.

Jim
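
The pieces of advice in this thread combined into one router configuration: the "ip nat inside"/"ip nat outside" placement and access list on the ISP sub-interface from Barry Margolin's reply, plus the firewall feature set and next-hop default route from the post above. This is an added example, not any poster's configuration. The LAN subnet, the 203.0.113.x ISP addresses, the Dallas next hop 192.168.10.1, DLCI 40, the inspection name INET-OUT and the ACL numbers are all assumptions.

```cisco
! Added example; addresses, DLCI 40, INET-OUT and ACL numbers are assumptions.
no service udp-small-servers
no service tcp-small-servers
!
! Firewall feature set (CBAC): track sessions that leave toward the ISP
ip inspect name INET-OUT tcp
ip inspect name INET-OUT udp
ip inspect name INET-OUT ftp
!
interface Ethernet0
 description Colorado LAN (private addressing assumed)
 ip address 10.30.0.1 255.255.255.0
 ip nat inside
!
interface Serial0.1 point-to-point
 description PVC to Dallas (no ACL here, so interoffice traffic is untouched)
 ip address 192.168.10.2 255.255.255.0
 ! only needed if the far office also reaches the Internet through this router
 ip nat inside
 frame-relay interface-dlci 30
!
interface Serial0.2 point-to-point
 description PVC to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect INET-OUT out
 ip nat outside
 frame-relay interface-dlci 40
!
! PAT both office networks behind the ISP-assigned address
access-list 1 permit 10.30.0.0 0.0.0.255
access-list 1 permit 10.20.0.0 0.0.255.255
ip nat inside source list 1 interface Serial0.2 overload
!
! Inbound from the Internet: drop spoofed sources, allow the ICMP needed for
! path MTU discovery and traceroute, log everything else. CBAC opens
! temporary entries in this list for replies to sessions started inside.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit icmp any host 203.0.113.2 echo-reply
access-list 101 permit icmp any host 203.0.113.2 time-exceeded
access-list 101 permit icmp any host 203.0.113.2 unreachable
access-list 101 deny   ip any any log
!
! Default route by next-hop address (assumed ISP router) instead of interface
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.20.0.0 255.255.0.0 192.168.10.1
```

The "ip inspect" commands are only available when the firewall feature set image is loaded. Without it, access list 101 is a static filter and would need explicit permits for return traffic.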



 