Solved

Question re:506E Routing Between VLANs?

Posted on 2004-09-16
Last Modified: 2010-03-17

I have a decent amount of knowledge re:IP/routing/etc. but I'd like to pose a question to make sure I understand my situation and handle it correctly.

My existing topology is very, very simple: I currently have a Cisco 1720 provided by my ISP handling Internet connection.  A WIC on the router goes to the ISP/Internet and this Router's Ethernet Port goes directly to the outside interface of my Cisco PIX 506E.  The inside interface of the 506E is simply connected to the stacked hubs (unmanaged, no VLANs) with the rest of my network -- users and servers, etc.  I have a set of 64 public IP addresses available to me from the ISP (xxx.xxx.xxx.128 /26) and the 506E is set up correctly to do what I need it to do in this configuration.

The issue at hand is that a data vendor of mine wants to "hang" his VPN-configured router off my network so that my users can have connectivity to him.  (I assume that his router is preconfigured with his network's VPN information and I just have to set up the route tables to route requests to his specific IP addresses through his router rather than my router.)  The question is "How do I get this router integrated into my network?".  One important piece of information is that I've got three Dell 3324 Managed Switches (stacked) awaiting deployment -- and I think their VLAN capability is needed here, so that'll work out nicely.

My best guess is that I configure a small 4 port VLAN as the INTERNET VLAN, and the rest of the ports on those switches become my USER or LOCAL or INTRANET VLAN.  I'll attach 1) my Internet Router and 2) the vendor's router (e1) and 3) the 506E (e1) all to the INTERNET VLAN.  The other end of the 506E (e0), of course, will go into the USER/LOCAL/INTRANET VLAN.  But I have two (and a half) big questions:

1) Does the vendor's router need to have an (e0) interface going into my USER/LOCAL/INTRANET VLAN?  Or can the 506E remain the only way out of my users' network to the INTERNET VLAN? (how does the request know which router to go "out" through?)  I'm guessing that if I have to connect the vendor's router into my USER VLAN then I'll have to install another Firewall between his router and my USER VLAN for protection (I don't have another Firewall right now, so that's a problem).

2) I've read something about "the 506E cannot route back through the interface which a packet came from".  Does this affect me in the new config?  Does this mean that I need to put a router between the 506E and the USER/LOCAL/INTRANET VLAN?  (I'm guessing "no" -- it's basically the same as my previous config -- (e0) of the 506E attached to the hub (now a VLAN) -- but I'm not sure how the new INTERNET VLAN affects this -- I'm thinking that there might be an issue because I know you need to route between VLANs and I know the 506E is not a true router.

3) Lastly, if I do set up the two VLANs, do I need to do any subnetting?  As you may or may not be able to tell, I'm very new to VLANs and, in general, haven't messed with network configurations (at this level) in a number of years.  I need someone to give me a little brush-up and set me straight on how all of this should work...

Any help with this is greatly appreciated!





Question by:novitz
Accepted Solution by: lrmoore (earned 500 total points)
You've got a better understanding than you probably think you do.

It is good practice to put a 3rd party's connection to your network on the other side of a firewall. Simply adding their Ethernet interface to your internet PUBLIC VLAN will be a good solution. You don't have to worry about the PIX' restrictions on traffic flow. Traffic to / from this vendor will only flow between outside and inside interfaces of the PIX, not on the same interface.

Router
   |
  Switch -- Vendor Router
    |
   PIX outside
   PIX inside
     |
    Switch

These two separate switches can just as easily be two VLAN's on the same switch. However it is common practice NOT to put the inside and outside on the same physical switch.

Think of VLAN's in two ways. 1, each VLAN is just like a physically separate set of switch ports, and 2, most VLAN's are separate subnets, but there is no hard/fast rule about that.
And remember that if you have multiple VLAN's that are sub-netted, then you have to have some Layer3 routing between them, and if your VLAN's span multiple switches, then you need some way to propagate that VLAN knowledge among the switches. That's where VTP trunking and VTP domains come in.

You do have an option with the latest 6.3(4) code for the PIX 506, and that is to use VTP trunking on the inside interface to create 'virtual' interfaces on one physical port. You can assign them different security levels, traffic restrictions, etc. Pretty slick actually, but breaks all the rules about a packet not going back out an interface it came in on. Guess that one's out the window...

Author Comment by: novitz
Thank you so much for the response!  Again, I think I understand, but would love to hammer out some more details with you if you've got a few moments.

In the first paragraph above, you used the term "internet PUBLIC VLAN".  You didn't say so, but I'm guessing that this is the same thing as the INTERNET VLAN that I referred to in my assessment.  Now, if that is the case, how does it work exactly?  Again, I've got a set of 64 (62) public IPs at my disposal (xxx.xxx.xxx.128 /26).  Do I assign this "PUBLIC VLAN" to one of those addresses?  (A VLAN does have to have an IP address, correct?)  Of course, the router has one of these public addresses as well, as does the outside interface of the PIX.  Presumably, so would an interface on the vendor's router.  All those items need to get public IPs, right?  

Now, I create another VLAN, my "PRIVATE" VLAN, presumably.  This is a 10.1.xxx.xxx scheme, I suppose, and I'll give one of those addresses to that PRIVATE VLAN itself.  The inside interface of the PIX is attached into this VLAN.  (As you said, it should be on a separate physical switch, but seeing how few ports I need for the PUBLIC VLAN, that would be a bit of a waste, and I'll probably wind up mixing PUBLIC and PRIVATE on the same switch.)

Here's the part I do not understand: the flow in/out of the vendor's router.  It is configured to use my internet connection as a medium for his VPN (he has no internet connection of his own).  How is this going to work?  Let's take the traffic going out of my PRIVATE VLAN first:  A user sends a packet to one of the vendor's IP addresses.  It goes in the PIX inside interface and back out the PIX outside interface to the PUBLIC VLAN.  Somehow (see the next paragraph) it is told to go out through the Vendor's router, which, in turn, is supposed to forward the packet out through his VPN which is (I think) somehow configured to use my Internet router (again -- because his router has no point-to-point or Internet connection of its own -- only my router has an actual internet connection).  Is that whole sequence right?  And when packets come back in from his router to my users, I assume that they wind up on my PUBLIC VLAN, but how do they know to go to the PIX and into the PRIVATE VLAN?  I'm not sure I really understand how that happens or how the various devices need to be configured to make that happen.

In other words, exactly what/how do I tell which devices about the Vendor Router's existence and that packets from users for certain IP addresses need to go out to THAT router/gateway rather than the default gateway (to the Internet)?  Which device(s) do I put that information into (guess: the PIX)?  Where does that info go?

Also, what can/could/should I do about any devices on the PRIVATE VLAN that need to have exposed public IP/ports to the INTERNET (via translations).  Will it continue to work if I still put them in the PIX and expose them to the PUBLIC VLAN like I'm doing right now?  Seems like it should, but I'm just not positive and need some reassurance.

Also, I'm completely in the dark about this VTP Trunking stuff.  I have the special stacking modules for the Dell 3324 series which connect my three switches using some special daisy-chaining USB-type cabling.  When I access the management console I see all three switches treated as one big switch -- so I'm guessing that all my "trunking" and "domains" are taken care of automagically -- seems to be the case.  There's a lot of settings for LAGs, etc. which I don't totally have my grip on yet...but I don't think I need them either...do I?

Lastly, you briefly mentioned subnetting (because I asked about it).  But since the PUBLIC VLAN uses my public IPs and the PRIVATE VLAN uses 10.1.xxx.xxx schema, I don't understand if/why/how I would use subnetting in this instance (unless it's related to the translation question above).  Any clues?

Thanks again for all the help.  If I can provide any more information or details to you that might help with getting me to understand this more fully, just let me know.

Expert Comment by: lrmoore
I'll see if I can either get you more confused, or clear the fog, one..

>A VLAN does have to have an IP address, correct?)  Of course, the router has one of these public addresses as well, as does the outside interface of the PIX.  Presumably, so would an interface on the vendor's router.  All those items need to get public IPs, right?  
No. A VLAN is just a layer 2 group of interfaces. The group itself does not get an IP address. All of the devices connecting physically to the VLAN can talk to each other if they are on the same IP subnet, but not to anything else. This is good for broadcast control, and important because routers tend to broadcast or multicast a lot (routing updates). It's just like putting these devices on a totally separate switch that is not connected to anything else. The advantage of VLANS is that you can manage and control them from one location without having to go to each independent switch, and a single VLAN can span multiple switches.
What you call a VLAN is just a mnemonic to remember what connects to it. They are actually numbered. VLAN1, VLAN2, etc. You can assign names to vlans, so that when you use "show vlan" on a Cisco switch for example, you can see the names, but when you assign a port to a vlan, you assign it to the vlan #.

>internet PUBLIC VLAN = INTERNET VLAN  
Yes.

>exactly what/how do I tell which devices about the Vendor Router's existence and that packets from users for certain IP addresses need to go out to THAT router/gateway rather than the default gateway (to the Internet)?
On the PIX, exactly. Simple route statement, like:
 route outside <vendor IP> <mask> <vendor router LAN IP>

>what can/could/should I do about any devices on the PRIVATE VLAN that need to be have exposed public IP/ports to the INTERNET
Sort of depends. If these servers are for public use only, meaning no interaction to back-end servers that are on your protected private VLAN, then you can put them in a "DMZ" VLAN. A DMZ interface on the PIX into another VLAN on the switch, connecting the servers and the PIX together.
On the PIX, you simply create static NAT translations to bind a public IP to the private IP, like this:
   static (dmz,outside) <public IP> <private IP> netmask 255.255.255.255
   <etc>
If you need them to be on the inside LAN, like an Exchange server because of the dependencies on AD/domain controllers and user access, you do the same thing, just changing the "dmz" to "inside":
   static (inside,outside) <public IP> <private IP> netmask 255.255.255.255
   <etc>
Now you just control access to those public IP's with inbound access-lists:
  access-list inbound permit tcp any host <mailserver public ip> eq 25
  access-list inbound permit tcp any host <webserver public ip> eq 80
  <etc>

>But since the PUBLIC VLAN uses my public IPs and the PRIVATE VLAN uses 10.1.xxx.xxx schema, I don't understand if/why/how I would use subnetting in this instance (unless it's related to the translation question above).  
Reasons to subnet:
   Create security boundaries (VLANs control access at L2, subnets give you packet filter, access control at L3/4)
   Growing larger than 500 devices on one subnet (500 is the max 'rule of thumb' for IP hosts on a single subnet)
   Creating "DMZ" interfaces on a router or firewall. Each interface or sub-interface requires a separate subnet
If your private LAN using 10.1.x.x does not meet the criteria above, then there may not be a logical purpose served by creating multiple subnets.

HTH...     <8-}
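The route lookup lrmoore describes above ("simple route statement" on the PIX), as an added Python model that is not code from this thread or from any Cisco software: it resolves a destination against PIX-style 'route' entries by longest prefix match and applies the rule that the PIX will not send a packet back out the interface it arrived on. All addresses are constructed placeholders, since the thread masks its real public block.

```python
import ipaddress

# Constructed placeholder addressing (the thread masks its real /26):
#   public VLAN  203.0.113.128/26  ISP router .129, PIX outside .130, vendor router .131
#   private VLAN 10.1.0.0/16       PIX inside 10.1.0.1
#   vendor's far-end network (reached through his router) 198.51.100.0/24
# Each entry mirrors one PIX 6.x line:  route <iface> <net> <mask> <gateway>
ROUTES = [
    # route outside 0.0.0.0 0.0.0.0 203.0.113.129            (default: ISP router)
    ("outside", ipaddress.ip_network("0.0.0.0/0"), "203.0.113.129"),
    # route outside 198.51.100.0 255.255.255.0 203.0.113.131 (vendor's networks)
    ("outside", ipaddress.ip_network("198.51.100.0/24"), "203.0.113.131"),
    # directly connected networks carry no gateway; the next hop is the host itself
    ("outside", ipaddress.ip_network("203.0.113.128/26"), None),
    ("inside", ipaddress.ip_network("10.1.0.0/16"), None),
]


def lookup(dst):
    """Return (interface, next hop) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw in ROUTES:
        # a longer prefix wins over a shorter one, so the /24 beats the 0/0 default
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return None if best is None else (best[0], best[2] or dst)


def forward(ingress, dst):
    """Decide what the PIX does with a packet that arrived on interface `ingress`."""
    hop = lookup(dst)
    if hop is None:
        return ("drop", "no route")
    egress, next_hop = hop
    if egress == ingress:
        # PIX 6.x never hairpins: a packet cannot leave by the interface it entered,
        # so vendor traffic must cross inside -> outside, never outside -> outside.
        return ("drop", "same-interface")
    return ("forward", egress, next_hop)


if __name__ == "__main__":
    # A user's packet to the vendor's network leaves via his router on the public
    # VLAN, while ordinary Internet traffic takes the default route to the ISP router.
    print(forward("inside", "198.51.100.7"))   # ('forward', 'outside', '203.0.113.131')
    print(forward("inside", "192.0.2.10"))     # ('forward', 'outside', '203.0.113.129')
    print(forward("inside", "10.1.2.7"))       # ('drop', 'same-interface')
```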
Author Comment by: novitz
Thanks again.

I spoke to my vendor, and it looks like I missed one crucial piece.  According to the vendor, his router MUST connect to both the PUBLIC VLAN and the PRIVATE VLAN because otherwise packets from my users would have to go in and out of his router through the same interface (packet from user-->PRIVATE VLAN-->PIX-->PUBLIC VLAN-->VENDOR ROUTER-->PUBLIC VLAN-->INTERNET ROUTER [tunnelled]) -- and that's a no-no.

So....he's got to connect to the PRIVATE VLAN on one side and the PUBLIC VLAN on the other side of his router.  (Or is there another solution that we missed?)  

As such, one choice is to install another firewall between his router and my PRIVATE VLAN (is there such a thing as a cheap firewall that I can use for this very limited purpose?).  Another option is to set my INTERNET ROUTER to only accept VPN traffic coming back from his IP addresses to his router -- that would mitigate a lot of the risk.

Does that all make sense?
Expert Comment by: lrmoore
Sorry about the delayed response..

Are you still working/planning this? Anything new to add?

>Another option is to set my INTERNET ROUTER to only accept VPN traffic coming back from his IP addresses to his router --
I like this option best.