pacman_d
asked on
Setting up bridging for a 2811 router
Hello Experts,
I am looking to set up bridging for a Cisco 2811 router with a T1 Frame-relay on the WAN interface.
My objective is to transparently bridge the (2) LAN interfaces FE/0 and FE/1 with the ISP assigned IPs to (2) Firewalls; allowing for transparent access to the external firewall interfaces.
This is my basic setup.
------------------------ ISP 10.10.1.1 ----------------------
                |
             S0/0/0
             no ip
                |
           S0/0/0.500
            10.10.1.2
           |         |
        FE/0        FE/1
     10.10.2.10   10.10.2.11
           |         |
         FW1        FW2
     10.10.2.12   10.10.2.13
I would like to have the following
------------------------ ISP 10.10.1.1 ----------------------
                |
             S0/0/0
             no ip
                |
           S0/0/0.500
            10.10.1.2
           |         |
        FE/0        FE/1
       Bridge      Bridge
           |         |
         FW1        FW2
     10.10.2.10   10.10.2.11
Now as you can see in my config I have a Frame-Relay T configured with IPSEC tunnels to the ISP for some Hosted Voice services.
I have been provided routable IPs for the S/000 and the F/0 interfaces (a /28 and a /29)
After this I will set up QoS for the Voice services but would like to sort this out first.
Thanks!
P
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router01.bfl.local
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$HCf9$K3e7uEWJiWuI03MIv1BQB1
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name router01.bfl.local
ip name-server X.X.120.197
!
!
!
crypto pki trustpoint TP-self-signed-1607074452
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1607074452
revocation-check none
rsakeypair TP-self-signed-1607074452
!
!
crypto pki certificate chain TP-self-signed-1607074452
certificate self-signed 01
quit
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.103.238
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.121.238
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.77.238
crypto isakmp key gUmw7pQVH8zmIzOmqyVRTirQ0dL address x.x.173.238
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
!
crypto map sip 1 ipsec-isakmp
description RTO
set peer x.x.103.238
set transform-set ipcom
set pfs group2
match address 120
crypto map sip 2 ipsec-isakmp
description ELB
set peer x.x.121.238
set transform-set ipcom
set pfs group2
match address 121
crypto map sip 3 ipsec-isakmp
description DNG
set peer x.x.77.238
set transform-set ipcom
set pfs group2
match address 122
crypto map sip 4 ipsec-isakmp
description HSJ
set peer x.x.173.238
set transform-set ipcom
set pfs group2
match address 123
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address x.x.111.18 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
description CoreLan
ip address x.x.11.19 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
description OutsideFrameRelay
no ip address
encapsulation frame-relay IETF
service-module t1 cablelength short 440ft
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0/0/0.500 point-to-point
description Outside
ip address x.x.78.150 255.255.255.252
frame-relay interface-dlci 500
crypto map sip
!
ip classless
ip route 0.0.0.0 0.0.0.0 152.179.78.149 permanent
ip route 192.168.10.0 255.255.255.0 FastEthernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Serial0/0/0.500
!
access-list 120 permit ip host x.x.78.150 x.x.178.0 0.0.0.127
access-list 121 permit ip host x.x.78.150 x.x.90.0 0.0.0.127
access-list 122 permit ip host x.x.78.150 x.x.16.0 0.0.0.127
access-list 123 permit ip host x.x.78.150 x.x.104.0 0.0.0.127
snmp-server community bfl RO
!
!
control-plane
!
!
!
line con 0
password fjsdfidseiJDJnendxXXd233
line aux 0
line vty 0 4
password FjdjeuduFEIS9332jddjjs
transport input ssh
!
scheduler allocate 20000 1000
!
end
ASKER
Hi Ikalmar,
Not sure I understand what you mean. I am simply looking to take the FastEthernet ports on the router and make them transparent so that the firewalls behind the router are using the IP addresses originally assigned to the FE0 and FE1 interfaces. (Effectively turning the LAN side of the router into a switch for the firewalls to do the routing).
It is not clear to me what that has to do with the bandwidth going out as I am not looking to do anything to make things transparent on the WAN interface.
Maybe I am missing something that you can clear up for me but I am a bit confused. :)
Thanks!
P
ASKER
So I'm thinking perhaps I wasn't very clear on my original post.
I need the LAN ports to be transparent to the firewall interfaces.
Thanks,
P
Current.png
- The Circuit is an internet T-1
- The P2P VPN is just for the Voice Traffic
  - (10) Polycom IP Phones
- The Serial interface is responsible for the connection to the internet and everything is routed there.
  - The block for this interface is assigned by the ISP
- There are (2) Business units that share the T-1 and Phones but wish to be logically segmented.
  - They are partitioned on the phone switch as (2) Different companies
  - They have (2) Different firewalls supporting each LAN segment.
- There are (2) LAN Ports on my 2811 Router
  - Each of these is assigned a routable address from a new Subnet
  - I want them to be bridged to each other while still being able to provide the routing out through the Serial interface.
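One way to make the LAN side behave like a switch while the 2811 still routes out the serial interface is Cisco IOS integrated routing and bridging (IRB): both FastEthernet ports join one bridge group and the routed address moves to a BVI. This is an added example, not configuration from the thread or the accepted answer; it assumes bridge group 1, BVI1, that the /29 originally on FastEthernet0/0 (x.x.111.16/29) becomes the BVI address, and that the firewalls take host addresses from that same block (x.x.111.19 is an assumed firewall address).

```cisco
! Added example: IRB on the 2811 so FE0/0 and FE0/1 form one L2 segment
! Assumptions: bridge group 1, BVI1, and the FE0/0 /29 reused on the BVI
bridge irb
bridge 1 protocol ieee
! Route IP for bridge group 1 via the BVI instead of only bridging it
bridge 1 route ip
!
interface FastEthernet0/0
 description Bridged port toward FW1
 no ip address
 bridge-group 1
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Bridged port toward FW2
 no ip address
 bridge-group 1
 duplex auto
 speed auto
!
! The routed gateway for both firewalls now lives on the BVI
interface BVI1
 description Gateway for the bridged firewall segment
 ip address x.x.111.18 255.255.255.248
!
! A static route that pointed at FastEthernet0/1 can no longer use that
! interface; next hop x.x.111.19 is an assumed firewall address on the BVI
no ip route 192.168.10.0 255.255.255.0 FastEthernet0/1
ip route 192.168.10.0 255.255.255.0 x.x.111.19
```

Because both ports now sit in one bridge group, FW1 and FW2 share a single broadcast domain, so the second /29 that was on FastEthernet0/1 would have to be added to BVI1 with "ip address ... secondary" or dropped. Check the result with "show bridge 1" and "show interfaces BVI1".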
ASKER
Bumping this up.. Looking for Guidance.
Thanks,
P
ASKER
it has been pretty tough for me to get help lately.
Last I checked my bank account, this was a paid service...
CAN A FELLA GET AN EXPERT?
ASKER CERTIFIED SOLUTION
ASKER
I went in a different Direction...
P
Bridging not recommended on low speed WAN lines!