adding a hop

Discussion in 'Cisco' started by PL, Mar 25, 2008.

  1. PL

    PL Guest

    I'm adding a router hop (for policy-based routing) to my network and
    have a few questions...

    First, the old config:

    T1-router-A
         |
         |
    ASA-firewall
         |
         |
      -------
      |     |
     LAN   DMZ

    Instead of trying to make up ip addressing schemes for this exercise,
    let me just label the interfaces this way:

    T1-router-A [NET_1]
    ASA-firewall [NET_1,NET_4,NET_5]
    LAN [NET_4]
    DMZ [NET_5]


    Now, the new config:

    T1-router-A     T1-router-B
         |_______________|
                 |
                 |
            PBR-router
                 |
                 |
           ASA-firewall
                 |
                 |
              -------
              |     |
             LAN   DMZ

    T1-router-A [NET_1]
    T1-router-B [NET_2]
    PBR-router [NET_1,NET_2,NET_3]
    ASA-firewall [NET_3,NET_4,NET_5]
    LAN [NET_4]
    DMZ [NET_5]

    For simplicity, let's just say that all LAN clients will be routed
    through T1-router-A and all DMZ clients will be routed through
    T1-router-B. Currently, the ASA performs all translations from NET_4
    to NET_1, some clients have statics, others don't. Since I'm putting
    in the PBR-router, it adds a hop, so the ASA can't keep the same
    translations, right? Do I have to translate twice now? ASA will
    translate from NET_4 to NET_3 and the PBR will translate from NET_3 to
    NET_1? Is there a simpler way of doing this?
    PL, Mar 25, 2008
    #1

  2. PL

    p_teatreeoil Guest

    You shouldn't have to do any additional NAT translations. I'm
    assuming that currently, you are using public IPs from the same subnet
    for your links between the T1 router and the firewall.

    Just move the IP on the first T1 router to the interface on the PBR
    router that connects to the firewall. Assign any /30 IP blocks you
    want to the links between T1A and T1B and the PBR router (I'm assuming
    you're using separate interfaces). Put static routes in the T1
    routers pointing the public NAT to the PBR router outside interface
    and also one in the PBR router pointing to the outside firewall
    interface.

    The original config is easy because the T1 router knows how to get to
    the LAN because it is a connected route. Since they won't be
    connected anymore, you'll have to use statics.
    p_teatreeoil, Mar 25, 2008
    #2
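
The re-addressing described in the reply above, written out as a Cisco IOS configuration; this is an added example, not part of the original post. All addresses are constructed from documentation ranges, and the interface names, ACL number and route-map name are assumptions.

```cisco
! Constructed addressing (documentation ranges), not from the thread:
!   public block, now on the PBR-ASA link : 203.0.113.0/28
!     PBR inside .1, ASA outside .2
!     LAN translations .3-.7, DMZ translations .8-.14
!   PBR <-> T1-router-A link : 192.0.2.0/30  (T1-A .1, PBR .2)
!   PBR <-> T1-router-B link : 192.0.2.4/30  (T1-B .5, PBR .6)
!
! --- T1-router-A: the public block is no longer a connected route,
!     so it needs a static pointing at the PBR router
ip route 203.0.113.0 255.255.255.240 192.0.2.2
!
! --- T1-router-B: same static, via its own /30
ip route 203.0.113.0 255.255.255.240 192.0.2.6
!
! --- PBR-router
interface FastEthernet0/0
 description to T1-router-A
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/1
 description to T1-router-B
 ip address 192.0.2.6 255.255.255.252
!
interface FastEthernet1/0
 description to ASA outside (address formerly on T1-router-A)
 ip address 203.0.113.1 255.255.255.240
 ip policy route-map SPLIT-BY-SOURCE
!
! Sources the ASA has already translated into the DMZ range (.8-.15)
! are handed to T1-router-B
access-list 101 permit ip 203.0.113.8 0.0.0.7 any
!
route-map SPLIT-BY-SOURCE permit 10
 match ip address 101
 set ip next-hop 192.0.2.5
!
! Everything else follows the routing table: default via T1-router-A
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! The translated addresses here sit inside the connected /28, so the
! PBR router reaches them without a static. A static toward the ASA
! outside address (203.0.113.2) is needed only for translated blocks
! that fall outside this connected subnet.
```

The ASA keeps its existing translations because its outside subnet is unchanged; only its default gateway address moves from T1-router-A to the PBR router.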

  3. PL

    Merv Guest

    why would you not just connect T1-router-A to T1-router-B directly
    and hand-off whatever traffic you want by configuring policy on A ?
    Merv, Mar 25, 2008
    #3
  4. PL

    Merv Guest

    Is the new T1 going to your current ISP or a new ISP ?
    Merv, Mar 25, 2008
    #4
  5. PL

    PL Guest

    New ISP

    On Tue, 25 Mar 2008 02:15:34 -0700 (PDT), Merv <>
    wrote:

    >Is the new T1 going to your current ISP or a new ISP ?
    >
    PL, Mar 25, 2008
    #5
  6. PL

    PL Guest

    That is a great idea, hasn't occurred to me. Sometimes you just need
    a fresh pair of eyes to see the obvious... Thanks.


    On Tue, 25 Mar 2008 01:51:13 -0700 (PDT), Merv <>
    wrote:

    >
    >why would you not just connect T1-router-A to T1-router-B directly
    >and hand-off whatever traffic you want by configuring policy on A ?
    >
    >
    PL, Mar 25, 2008
    #6
  7. PL

    Merv Guest

    On Mar 25, 2:07 pm, PL <> wrote:
    > That is a great idea, hasn't occurred to me. Sometimes you just need
    > a fresh pair of eyes to see the obvious... Thanks.
    >
    > On Tue, 25 Mar 2008 01:51:13 -0700 (PDT), Merv <>
    > wrote:
    >
    >
    >
    > >why would you not just connect T1-router-A to T1-router-B directly
    > >and hand-off whatever traffic you want by configuring policy on A ?


    With two T1 circuits you will also want to consider what happens to
    your traffic in the event of a failure of each of these T1

    Will the new ISP carry the traffic that currently only goes to your
    present ISP in the event of that ISP's T1 ???

    Which then of course brings us to the question of routing protocols to
    use now between you and your ISPs

    Ideally you can get both ISPs to advertise default to you via BGP
    and you can announce your networks to both ISPs via BGP.

    A little bit of planning to do here ...



    Also during a maintenance window I would encourage you to fail each T1
    and see if all of your traffic flows on the other T1
    Merv, Mar 25, 2008
    #7
  8. PL

    PL Guest

    Got it, thanks for the explanation, makes sense. One question, is the
    static on the PBR required? The PBR has an interface that's assigned
    one of the IPs that are part of my public block, so it's a connected
    route, no?

    Also, I just found that the new ISP does not actually provide a T1 in
    the traditional sense of the term, they don't provide a router. They
    only provide an ethernet connection with a static IP. This being the
    case, they won't route the traffic from my other public source IPs,
    right? How do I get around that?


    On Mon, 24 Mar 2008 22:59:02 -0700 (PDT), p_teatreeoil
    <> wrote:

    >You shouldn't have to do any additional NAT translations. I'm
    >assuming that currently, you are using public IPs from the same subnet
    >for your links between the T1 router and the firewall.
    >
    >Just move the IP on the first T1 router to the interface on the PBR
    >router that connects to the firewall. Assign any /30 IP blocks you
    >want to the links between T1A and T1B and the PBR router (I'm assuming
    >you're using separate interfaces). Put static routes in the T1
    >routers pointing the public NAT to the PBR router outside interface
    >and also one in the PBR router pointing to the outside firewall
    >interface.
    >
    >The original config is easy because the T1 router knows how to get to
    >the LAN because it is a connected route. Since they won't be
    >connected anymore, you'll have to use statics.
    PL, Mar 26, 2008
    #8
  9. PL

    PL Guest

    I just found out that the new ISP does not provide a true T1 in the
    traditional sense of the term, even though they call it that, but
    rather just an ethernet connection with a static IP. That being the
    case, they won't route the traffic from my other public IPs as the
    source, right? How do I get around that?


    On Tue, 25 Mar 2008 01:51:13 -0700 (PDT), Merv <>
    wrote:

    >
    >why would you not just connect T1-router-A to T1-router-B directly
    >and hand-off whatever traffic you want by configuring policy on A ?
    >
    >
    PL, Mar 26, 2008
    #9
  10. PL

    p_teatreeoil Guest

    On Mar 26, 4:07 pm, PL <> wrote:
    > I just found out that the new ISP does not provide a true T1 in the
    > traditional sense of the term, even though they call it that, but
    > rather just an ethernet connection with a static IP. That being the
    > case, they won't route the traffic from my other public IPs as the
    > source, right? How do I get around that?


    They will route traffic if you run BGP, but you have to have /24 or
    larger subnets, they need to be SWIPPED to you, and you will need your
    own ASN.

    Alternatively, you still need /24 or larger networks, you can get
    both ISPs to put in static routes. The drawback is that you don't
    have any control over on which connection incoming traffic enters your
    LAN.
    p_teatreeoil, Mar 28, 2008
    #10
