Solved

Multiple Cisco Routers on one connection

Posted on 2009-05-07
3
263 Views
Last Modified: 2012-05-06
Hello experts.

I've never encountered this scenario so I am hoping someone can point me in the right direction.

This is the scenario: I have one Cisco 1721 router which has a primary and secondary network setup on F0. There is a T1 connection here which provides an MPLS connection back to the CORP offiice. The CORP office has an Internet connection via a seperate router and 3xT connection.

10.0.43.1 = pri network
10.254.0.1 = sec network

These point to the MPLS network router --> 10.10.0.1 (Cisco 2821) --> 10.10.1.8 = Firewall Device --> Internet

Currently, I would like to seperate the two networks to two seperate Cisco routers, both 1721's. So:

10.0.43.1 --> Router 1 --> 10.10.0.1 (Cisco 2821) --> 10.10.1.8 = Firewall Device --> Internet
10.254.0.1 --> Router 2  --> 10.10.0.1 (Cisco 2821) --> 10.10.1.8 = Firewall Device --> Internet

With this scenario, here is what I need to accomplish:

10.0.43.1 is setup with an ACL that only allows certain traffiic across the MPLS network, and very few ports are open. Internet access is turned off except a few IPs which are mandated via the firewall policies on the firewall.

10.254.0.1 will be much less restricted and allow most traffic controlled via firewall policy.

However, there will only be one T1 connection to share bwtween the two. So, how do I accomplish what I need? My logic says that the least restricted router, 10.254.0.1 should be where the T1 comes in at, and that router should allow access to the other router for restricted access? Basically, all I need to happen is that 10.254 is least restricted and 10.43 is very restricted via ACL and Firewall policy. My confusion is with the MPLS network and where to place the T1.

How can I accomplish this with best practices in mind?

Thanks for the help all!




0
Comment
Question by:swcrook
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 8

Accepted Solution

by:
Sniper98G earned 500 total points
ID: 24332176
You cannot split your T-1 between two devices unless you have a multiplexer on both ends. The only real realistic way to do this is to leave a single router on the outside of the firewalls to interconnect your Ethernet networks to the MPLS network. You could still do it with only two routers though just use one router on the outside and one on the inside. THen you would just need to setup policy routes on both devices to send the appropriate traffic through the appropriate device.
0
 

Author Comment

by:swcrook
ID: 24333654
I dont want to split the T2 per se, but I simply want to have one router on outside but also havea  seperate network (2nd router) which also has INternet access. So, couldn't the second router just have a route to the first one.. say ip route 0.0.0.0 0.0.0.0 10.254.1.1? Just thinking out loud.
0
 

Author Comment

by:swcrook
ID: 24339517
Okay. Let me re-phrase my last post. If I leave router one as the "outside router" and then have the inside router connect to it, I should still be able to accomplish what I need, correct? Here are my thoughts:
Outside Router
MPLS = Serial WIC

Primary Network 10.0.43.1 = F0 > switch 1 > workstations at location 43
Secondary Network 10.0.254.1 = F0 > switch 1 > inside router

Inside Router
F0 = 10.254.1.2
E0 (Ethernet WIC) = 10.251.0.1
ip route 0.0.0.0 0.0.0.0 10.0.254.1

F0 anf E0 are natted.
I haven't natted anything yet, as I ran out of time before meeting, but I could see the outside router deom an static IP of 10.251.0.2.

If I nat F0 and E0 shouldn't I be able to get Internet that way? Then form there I can just create firewall policies and ACL's on the routers to pass whatever traffic I want.
Will this work?
Thanks!
 
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question