Internet via existing Frame-relay

Discussion in 'Cisco' started by Doug, Aug 12, 2004.

  1. Doug

    Doug Guest

    Client in Colorado has a frame-relay connection to our office in
    Dallas via XO frame-relay. They are getting internet via XO coming
    in on that same frame using an additional PVC. Colorado end is using
    a 1600 with a WIC.

    Any good white papers to read up on how to make this work?
    Doug, Aug 12, 2004
    #1

  2. In article <>,
    (Doug) wrote:

    > Client in Colorado has a frame-relay connection to our office in
    > Dallas via XO frame-relay. They are getting internet via XO coming
    > in on that same frame using an additional PVC. Colorado end is using
    > a 1600 with a WIC.
    >
    > Any good white papers to read up on how to make this work?


    Set up sub-interfaces, and then point the default route to the new PVC.

    interface Serial0
    no ip address
    encapsulation frame-relay

    interface Serial0.1
    description PVC to Dallas
    ip address <addr> <mask>
    frame-relay interface-dlci ###

    interface Serial0.2
    description PVC to ISP
    ip address <outside addr assigned by ISP> <mask from ISP>
    frame-relay interface-dlci ###

    ip route 0.0.0.0 0.0.0.0 Serial0.2

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Aug 13, 2004
    #2

  3. Doug

    Doug Guest

    Thanks Barry, I figured it was something along those lines but I've never
    done it.



    "Barry Margolin" <> wrote in message
    news:...
    > In article <>,
    > (Doug) wrote:
    >
    >> Client in Colorado has a frame-relay connection to our office in
    >> Dallas via XO frame-relay. They are getting internet via XO coming
    >> in on that same frame using an additional PVC. Colorado end is using
    >> a 1600 with a WIC.
    >>
    >> Any good white papers to read up on how to make this work?

    >
    > Set up sub-interfaces, and then point the default route to the new PVC.
    >
    > interface Serial0
    > no ip address
    > encapsulation frame-relay
    >
    > interface Serial0.1
    > description PVC to Dallas
    > ip address <addr> <mask>
    > frame-relay interface-dlci ###
    >
    > interface Serial0.2
    > description PVC to ISP
    > ip address <outside addr assigned by ISP> <mask from ISP>
    > frame-relay interface-dlci ###
    >
    > ip route 0.0.0.0 0.0.0.0 Serial0.2
    >
    > --
    > Barry Margolin,
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    Doug, Aug 13, 2004
    #3
  4. Doug

    Scooby Guest

    "Doug" <> wrote in message
    news:h5VSc.246453$%_6.26303@attbi_s01...
    > Thanks Barry, I figured it was something along those lines but I've never
    > done it.
    >
    >
    >
    > "Barry Margolin" <> wrote in message
    > news:...
    > > In article <>,
    > > (Doug) wrote:
    > >
    > >> Client in Colorado has a frame-relay connection to our office in
    > >> Dallas via XO frame-relay. They are getting internet via XO coming
    > >> in on that same frame using an additional PVC. Colorado end is using
    > >> a 1600 with a WIC.
    > >>
    > >> Any good white papers to read up on how to make this work?

    > >
    > > Set up sub-interfaces, and then point the default route to the new PVC.
    > >
    > > interface Serial0
    > > no ip address
    > > encapsulation frame-relay
    > >
    > > interface Serial0.1
    > > description PVC to Dallas
    > > ip address <addr> <mask>
    > > frame-relay interface-dlci ###
    > >
    > > interface Serial0.2
    > > description PVC to ISP
    > > ip address <outside addr assigned by ISP> <mask from ISP>
    > > frame-relay interface-dlci ###
    > >
    > > ip route 0.0.0.0 0.0.0.0 Serial0.2
    > >
    > > --
    > > Barry Margolin,
    > > Arlington, MA
    > > *** PLEASE post questions in newsgroups, not directly to me ***

    >
    >


    The problem comes with how to implement your firewall. It is a much nicer
    setup when you have a separate device that interfaces to the internet. More
    expensive, but a better solution, I think.
    Scooby, Aug 13, 2004
    #4
  5. Doug

    PES Guest

    "Doug" <> wrote in message
    news:...
    > Client in Colorado has a frame-relay connection to our office in
    > Dallas via XO frame-relay. They are getting internet via XO coming
    > in on that same frame using an additional PVC. Colorado end is using
    > a 1600 with a WIC.
    >
    > Any good white papers to read up on how to make this work?


    The configuration is just standard frame relay. Do some digging on Cisco's
    website and you will find examples. Be aware, it is very difficult to
    configure a good DMZ in this configuration.
    PES, Aug 13, 2004
    #5
  6. Doug

    Doug Guest

    "Scooby" <> wrote in message
    news:3pWSc.19406$...
    > "Doug" <> wrote in message
    > news:h5VSc.246453$%_6.26303@attbi_s01...
    >> Thanks Barry, I figured it was something along those lines but I've never
    >> done it.
    >>
    >>
    >>
    >> "Barry Margolin" <> wrote in message
    >> news:...
    >> > In article <>,
    >> > (Doug) wrote:
    >> >
    >> >> Client in Colorado has a frame-relay connection to our office in
    >> >> Dallas via XO frame-relay. They are getting internet via XO coming
    >> >> in on that same frame using an additional PVC. Colorado end is using
    >> >> a 1600 with a WIC.
    >> >>
    >> >> Any good white papers to read up on how to make this work?
    >> >
    >> > Set up sub-interfaces, and then point the default route to the new PVC.
    >> >
    >> > interface Serial0
    >> > no ip address
    >> > encapsulation frame-relay
    >> >
    >> > interface Serial0.1
    >> > description PVC to Dallas
    >> > ip address <addr> <mask>
    >> > frame-relay interface-dlci ###
    >> >
    >> > interface Serial0.2
    >> > description PVC to ISP
    >> > ip address <outside addr assigned by ISP> <mask from ISP>
    >> > frame-relay interface-dlci ###
    >> >
    >> > ip route 0.0.0.0 0.0.0.0 Serial0.2
    >> >
    >> > --
    >> > Barry Margolin,
    >> > Arlington, MA
    >> > *** PLEASE post questions in newsgroups, not directly to me ***

    >>
    >>

    >
    > The problem comes with how to implement your firewall. It is a much nicer
    > setup when you have a separate device that interfaces to the internet.
    > More
    > expensive, but a better solution, I think.


    Yeah, that was another concern that I hadn't voiced. I don't think the router's
    basic NAT skills are going to do the job!
    Doug, Aug 13, 2004
    #6
  7. In article <Ds1Tc.244338$a24.171226@attbi_s03>,
    "Doug" <> wrote:

    > "Scooby" <> wrote in message
    > news:3pWSc.19406$...
    > > The problem comes with how to implement your firewall. It is a much nicer
    > > setup when you have a separate device that interfaces to the internet.
    > > More
    > > expensive, but a better solution, I think.

    >
    > Yeah, that was another concern that I hadn't voiced. I don't think the router's
    > basic NAT skills are going to do the job!


    It should do fine. Put "ip nat outside" on the sub-interface going to
    the ISP, "ip nat inside" on the LAN. If the Denver office should also
    have Internet access, put "ip nat inside" on that sub-interface as well.

    If you use access lists for firewalling, put them on the ISP
    sub-interface and they'll protect both office networks without
    interfering with interoffice communications.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Aug 13, 2004
    #7
  8. Doug

    Scooby Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <Ds1Tc.244338$a24.171226@attbi_s03>,
    > "Doug" <> wrote:
    >
    > > "Scooby" <> wrote in message
    > > news:3pWSc.19406$...
    > > > The problem comes with how to implement your firewall. It is a much nicer
    > > > setup when you have a separate device that interfaces to the internet.
    > > > More
    > > > expensive, but a better solution, I think.

    > >
    > > Yeah, that was another concern that I hadn't voiced. I don't think the router's
    > > basic NAT skills are going to do the job!

    >
    > It should do fine. Put "ip nat outside" on the sub-interface going to
    > the ISP, "ip nat inside" on the LAN. If the Denver office should also
    > have Internet access, put "ip nat inside" on that sub-interface as well.
    >
    > If you use access lists for firewalling, put them on the ISP
    > sub-interface and they'll protect both office networks without
    > interfering with interoffice communications.
    >
    > --
    > Barry Margolin,
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***


    I disagree... I wouldn't want someone connecting to my network that only
    had that type of protection from the internet. At minimum, I'd have the
    firewall feature set loaded on that router. But, I'd still prefer a separate
    firewall device. Access lists alone are not a good firewall.
    Scooby, Aug 13, 2004
    #8
  9. Doug

    Doug Guest

    (Doug) wrote in message news:<>...
    > Client in Colorado has a frame-relay connection to our office in
    > Dallas via XO frame-relay. They are getting internet via XO coming
    > in on that same frame using an additional PVC. Colorado end is using
    > a 1600 with a WIC.
    >
    > Any good white papers to read up on how to make this work?



    Here's a link to the whole WAN
    http://www.dougmasters.com/shc-plan.htm




    Here's what I'm thinking for the router, but there's a potential
    problem... how can I firewall the Denver to Dallas PVC?...




    SHC-PPI/Internet#sho run
    Building configuration...

    Current configuration:
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname SHC-PPI/Internet
    !
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
    !
    ip subnet-zero
    !
    !
    !
    interface Ethernet0
    ip address 205.158.xxx.xxx 255.255.255.0
    no ip directed-broadcast
    !
    interface Serial0
    no ip address
    no ip directed-broadcast
    encapsulation frame-relay IETF
    logging event subif-link-status
    logging event dlci-status-change
    service-module t1 timeslots 1-24
    frame-relay lmi-type ansi
    !
    interface Serial0.1 point-to-point
    description PVC to Dallas
    ip address 192.168.10.2 255.255.255.0
    no ip directed-broadcast
    frame-relay interface-dlci 30
    !
    interface Serial0.2 point-to-point
    description PVC to Internet
    ip address 67.110.xxx.xxx 255.255.255.0
    no ip directed-broadcast
    frame-relay interface-dlci ??
    !
    interface BRI0
    no ip address
    no ip directed-broadcast
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0.2
    ip route 10.20.0.0 255.255.0.0 Serial0.1
    !
    !
    line con 0
    password XXXXXXXXXXX
    login
    transport input none
    line vty 0 4
    password XXXXXXXXXXX
    login
    !
    end

    SHC-PPI/Internet#
    Doug, Aug 13, 2004
    #9
  10. Doug

    Scooby Guest

    "Doug" <> wrote in message
    news:...
    > (Doug) wrote in message news:<>...
    > > Client in Colorado has a frame-relay connection to our office in
    > > Dallas via XO frame-relay. They are getting internet via XO coming
    > > in on that same frame using an additional PVC. Colorado end is using
    > > a 1600 with a WIC.
    > >
    > > Any good white papers to read up on how to make this work?

    >
    >
    > Here's a link to the whole WAN
    > http://www.dougmasters.com/shc-plan.htm
    >
    >
    >
    >
    > Here's what I'm thinking for the router, but there's a potential
    > problem... how can I firewall the Denver to Dallas PVC?...
    >
    >
    >
    >
    > SHC-PPI/Internet#sho run
    > Building configuration...
    >
    > Current configuration:
    > !
    > version 12.0
    > service timestamps debug uptime
    > service timestamps log uptime
    > no service password-encryption
    > service udp-small-servers
    > service tcp-small-servers
    > !
    > hostname SHC-PPI/Internet
    > !
    > enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
    > !
    > ip subnet-zero
    > !
    > !
    > !
    > interface Ethernet0
    > ip address 205.158.xxx.xxx 255.255.255.0
    > no ip directed-broadcast
    > !
    > interface Serial0
    > no ip address
    > no ip directed-broadcast
    > encapsulation frame-relay IETF
    > logging event subif-link-status
    > logging event dlci-status-change
    > service-module t1 timeslots 1-24
    > frame-relay lmi-type ansi
    > !
    > interface Serial0.1 point-to-point
    > description PVC to Dallas
    > ip address 192.168.10.2 255.255.255.0
    > no ip directed-broadcast
    > frame-relay interface-dlci 30
    > !
    > interface Serial0.2 point-to-point
    > description PVC to Internet
    > ip address 67.110.xxx.xxx 255.255.255.0
    > no ip directed-broadcast
    > frame-relay interface-dlci ??
    > !
    > interface BRI0
    > no ip address
    > no ip directed-broadcast
    > shutdown
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Serial0.2
    > ip route 10.20.0.0 255.255.0.0 Serial0.1
    > !
    > !
    > line con 0
    > password XXXXXXXXXXX
    > login
    > transport input none
    > line vty 0 4
    > password XXXXXXXXXXX
    > login
    > !
    > end
    >
    > SHC-PPI/Internet#



    Doug,

    As a bare minimum, I would install the Cisco firewall feature set. You can
    apply that along with the access-list to the S0.2 interface. But, I would
    strongly suggest you consider a separate drop to your carrier. Your
    internet port fee should remain the same, you'll just need to pay a circuit
    fee as well. It does bump up your cost by doing this, plus you'll need an
    additional router. In the long run, you'll have much more control and peace
    of mind.

    That said, one thing I would change about your config is the default route.
    Since you are using actual IP addresses on the interface, use the ip address
    of the other router, rather than the interface.

    Jim
    Scooby, Aug 13, 2004
    #10
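
The NAT and access-list placement described in post #7, next to the firewall-feature-set variant suggested in posts #8 and #10, as an added example that is not part of any poster's message or of the original config. The LAN prefix 10.10.1.0/24, the ACL numbers and the inspection rule name FW are constructed for illustration.

```cisco
! Added example. Constructed values: LAN 10.10.1.0/24, ACL numbers 1/101/102,
! inspection rule name FW. The existing "ip address" and "frame-relay
! interface-dlci" lines on the sub-interfaces stay as they are.
!
! --- NAT, as described in post #7 ---
interface Ethernet0
 ip nat inside
!
interface Serial0.1 point-to-point
 description PVC to Dallas
 ! Add "ip nat inside" here only if the far office should also reach
 ! the Internet through this router, and extend access-list 1 to cover
 ! its networks. No access-group on this PVC, so interoffice traffic
 ! is not filtered.
!
interface Serial0.2 point-to-point
 description PVC to ISP
 ip nat outside
 ip access-group 101 in
!
access-list 1 permit 10.10.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0.2 overload
!
! --- Variant A: static ACL only ---
! "established" matches on the ACK/RST bits of each segment; the router
! keeps no connection state, and UDP replies need a standing permit.
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
! --- Variant B: firewall feature set (CBAC), replacing ACL 101 ---
! Outbound sessions are inspected and matching return traffic is opened
! dynamically in ACL 102; everything else inbound is dropped and logged.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
interface Serial0.2 point-to-point
 no ip access-group 101 in
 ip access-group 102 in
 ip inspect FW out
!
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny   ip any any log
```

Variant B needs an IOS image that includes the firewall feature set the posters refer to; the "ip inspect" commands are not present otherwise.
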
  11. Doug

    Doug Guest

    Thanks Scoob!

    Q1: What does this Firewall Feature Set cost, roughly?
    Q2: Access-lists & "ip nat" weren't covered in my CCTH (Cisco Certified
    Two-bit Hack) training, other than Cisco's site, any other good resources
    for the intelligent but uninformed?



    "Scooby" <> wrote in message
    news:x06Tc.259$...
    >
    > Doug,
    >
    > As a bare minimum, I would install the Cisco firewall feature set. You
    > can
    > apply that along with the access-list to the S0.2 interface. But, I
    > would
    > strongly suggest you consider a separate drop to your carrier. Your
    > internet port fee should remain the same, you'll just need to pay a
    > circuit
    > fee as well. It does bump up your cost by doing this, plus you'll need an
    > additional router. In the long run, you'll have much more control and peace
    > of mind.
    >
    > That said, one thing I would change about your config is the default
    > route.
    > Since you are using actual IP addresses on the interface, use the ip
    > address
    > of the other router, rather than the interface.
    >
    > Jim
    Doug, Aug 13, 2004
    #11
  12. In article <x06Tc.259$>,
    "Scooby" <> wrote:

    > That said, one thing I would change about your config is the default route.
    > Since you are using actual IP addresses on the interface, use the ip address
    > of the other router, rather than the interface.


    I disagree. If the ISP changes the address of the frame relay
    connection, this means you have to change it in two places rather than
    just one.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Aug 14, 2004
    #12
  13. In article <_13Tc.170$>,
    "Scooby" <> wrote:

    > I disagree... I wouldn't want someone connecting to my network that only
    > had that type of protection from the internet. At minimum, I'd have the
    > firewall feature set loaded on that router. But, I'd still prefer a separate
    > firewall device. Access lists alone are not a good firewall.


    I wasn't recommending using just ACLs as a firewall replacement, just
    explaining how to set them up if that's all you have.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Aug 14, 2004
    #13
  14. Doug

    Doug Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <_13Tc.170$>,
    > "Scooby" <> wrote:
    >
    >> I disagree... I wouldn't want someone connecting to my network that only
    >> had that type of protection from the internet. At minimum, I'd have the
    >> firewall feature set loaded on that router. But, I'd still prefer
    >> a separate
    >> firewall device. Access lists alone are not a good firewall.

    >
    > I wasn't recommending using just ACLs as a firewall replacement, just
    > explaining how to set them up if that's all you have.
    >
    > --
    > Barry Margolin,
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***


    Thanks for your input on this Barry! I had dinner & drinks with a friend
    last night and we came up with some other ideas on how to secure the LANs.
    I have to throw them at the boss and see what he says, but both will work.

    Option 1: Pull Denver off of the shared 2600 with Vail, and put them on
    their own router on the Dallas end, I have a spare 1604 I can use. Then
    put another IPCop between that Dallas 1604 & the Dallas LAN. IPCops are
    free & we're not left with egg on our face. Not me, but I'm sure someone at
    our office said "Sure.. this will work, no problem....." And they are
    technically correct, it'll work, just not securely.

    Option 2: Denver cannot get DSL at their location, building wiring is old &
    won't support it. However, I (Dallas) can get all the DSL I can handle!
    Get DSL at my office for Denver, run it across the frame back to Denver.
    Just did the same thing with another client that had two offices. "Main"
    office couldn't get DSL, but the "remote" office could, and the offices are
    connected with a p-t-p T1.

    Less hassle with either option, and low cost to the client. The only thing
    with option two is that it would require dropping that frame-internet from
    XO, and someone probably signed a contract on that... It hasn't been
    implemented fully yet, so maybe they can get out of it.
    Doug, Aug 14, 2004
    #14
  15. Doug

    Hansang Bae Guest

    In article <x06Tc.259$>, mmscooby1
    @removeme.earthlink.net says...
    [snip]
    > That said, one thing I would change about your config is the default route.
    > Since you are using actual IP addresses on the interface, use the ip address
    > of the other router, rather than the interface.


    On serial point to point interfaces, there's no real drawback to
    pointing it to the interface. This is absolutely not recommended on
    ethernet interfaces, but on point to point serials, it's fine.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Aug 14, 2004
    #15
