pacman_d asked:

Setting up bridging for a 2811 router

Hello Experts,

I am looking to set up bridging for a Cisco 2811 router with a T1 Frame-relay on the WAN interface.

My objective is to transparently bridge the (2) LAN interfaces FE/0 and FE/1 with the ISP assigned IPs to (2) Firewalls; allowing for transparent access to the external firewall interfaces.

This is my basic setup.

------------------------ISP 10.10.1.1 ----------------------
                                           |
                                      S0/0/0
                                        no ip
                                           |
                                     S0/0/0.500
                                      10.10.1.2
                                   |                     |
                                FE/0               FE/1
                           10.10.2.10      10.10.2.11
                                   |                      |
                               FW1                FW2
                           10.10.2.12        10.10.2.13
                           

I would like to have the following


------------------------ISP 10.10.1.1 ----------------------
                                           |
                                      S0/0/0
                                        no ip
                                           |
                                     S0/0/0.500
                                      10.10.1.2
                                   |                     |
                                FE/0               FE/1
                               Bridge           Bridge
                                   |                      |
                               FW1                FW2
                           10.10.2.10       10.10.2.11

Now as you can see in my config I have a Frame-Relay T configured with IPSEC tunnels to the ISP for some Hosted Voice services.

I have been provided routable IPs for the S/000 and the F/0 interfaces (a /28 and a /29)

After this I will set up QoS for the Voice services but would like to sort this out first.

Thanks!

P
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router01.bfl.local
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$HCf9$K3e7uEWJiWuI03MIv1BQB1
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name router01.bfl.local
ip name-server X.X.120.197
!
!
!
crypto pki trustpoint TP-self-signed-1607074452
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1607074452
 revocation-check none
 rsakeypair TP-self-signed-1607074452
!
!
crypto pki certificate chain TP-self-signed-1607074452
 certificate self-signed 01
  quit

!
! 
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.103.238
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.121.238
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.77.238
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.173.238
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac 
!
crypto map sip 1 ipsec-isakmp 
 description RTO
 set peer x.x.103.238
 set transform-set ipcom 
 set pfs group2
 match address 120
crypto map sip 2 ipsec-isakmp 
 description ELB
 set peer x.x.121.238
 set transform-set ipcom 
 set pfs group2
 match address 121
crypto map sip 3 ipsec-isakmp 
 description DNG
 set peer x.x.77.238
 set transform-set ipcom 
 set pfs group2
 match address 122
crypto map sip 4 ipsec-isakmp 
 description HSJ
 set peer x.x.173.238
 set transform-set ipcom 
 set pfs group2
 match address 123
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address x.x.111.18 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description CoreLan
 ip address x.x.11.19 255.255.255.248
 duplex auto
 speed auto
!
interface Serial0/0/0
 description OutsideFrameRelay
 no ip address
 encapsulation frame-relay IETF
 service-module t1 cablelength short 440ft
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0/0.500 point-to-point
 description Outside
 ip address x.x.78.150 255.255.255.252
 frame-relay interface-dlci 500   
 crypto map sip
!
ip classless
ip route 0.0.0.0 0.0.0.0 152.179.78.149 permanent
ip route 192.168.10.0 255.255.255.0 FastEthernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Serial0/0/0.500
!
access-list 120 permit ip host x.x.78.150 x.x.178.0 0.0.0.127
access-list 121 permit ip host x.x.78.150 x.x.90.0 0.0.0.127
access-list 122 permit ip host x.x.78.150 x.x.16.0 0.0.0.127
access-list 123 permit ip host x.x.78.150 x.x.104.0 0.0.0.127
snmp-server community bfl RO
!
!
control-plane
!
!
!
line con 0
 password fjsdfidseiJDJnendxXXd233
line aux 0
line vty 0 4
 password FjdjeuduFEIS9332jddjjs
 transport input ssh
!
scheduler allocate 20000 1000
!
end


Istvan Kalmar

Hi,


Bridging is not recommended on low-speed WAN lines!

pacman_d (ASKER)

Hi Ikalmar,

Not sure I understand what you mean. I am simply looking to take the FastEthernet ports on the router and make them transparent so that the firewalls behind the router are using the IP addresses originally assigned to the FE0 and FE1 interfaces. (Effectively turning the LAN side of the router into a switch for the firewalls to do the routing).

It is not clear to me what that has to do with the bandwidth going out as I am not looking to do anything to make things transparent on the WAN interface.

Maybe I am missing something that you can clear up for me but I am a bit confused. :)

Thanks!

P





So I'm thinking perhaps I wasn't very clear on my original post.

  • The Circuit is an internet T-1
  • The P2P VPN is just for the Voice Traffic
    • (10) Polycom IP Phones
  • The Serial interface is responsible for the connection to the internet and everything is routed there.
    • The block for this interface is assigned by the ISP
  • There are (2) Business units that share the T-1 and Phones but wish to be logically segmented.
    • They are partitioned on the phone switch as (2) Different companies
    • They have (2) Different firewalls supporting each LAN segment.
  • There are (2) LAN Ports on my 2811 Router
    • Each of these is assigned a routable address from  a new Subnet
    • I want them to be bridged to each other while still being able to provide the routing out through the Serial interface.
The snapshot below details the current logical configuration...

I need the LAN ports to be transparent to the firewall interfaces.

Thanks,

P

[Image: Current.png]

Bumping this up.. Looking for Guidance.

Thanks,

P
It has been pretty tough for me to get help lately.

Last I checked my bank account, this was a paid service...

CAN A FELLA GET AN EXPERT?
ASKER CERTIFIED SOLUTION
pacman_d

This solution is only available to members.

I went in a different direction...

P