  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 467

Router config

Experts, need some pointers in identifying some info. I'm a bit confused...

I have a router that I will use as a customer edge router in an MPLS network....
The router is a 2800 series...

physical int
T1/E1 0
T1/E1 1

F0/0
F0/1


The provider gave me their IP info but I'm confused about what IP goes where...

WAN: 15.x.x.16/30
ISP IP: 15.x.x.17/30
Customer IP: 15.x.x.18/30
Mask: 255.255.255.252

LAN: 31.x.x.32/30
Gateway IP: 31.x.x.33/30
Usable IP: 31.x.x.34/30
Mask: 255.255.255.252


I will configure a PAT using the LAN side IP. I also have my inside network; I thought that would be the inside LAN, but my ISP gave me a LAN IP.... my inside network is 10.24.x.x/24 (our private inside network)

What goes where????

Does the ISP's "LAN" really mean my "WAN"... terminology is getting mixed up in my head....

T1/E1 0 >> 157.x.x.18/30 (this interface connects to the circuit)

F0/0 >> 31.x.x.34/30 (this interface goes to my switch)

So where do I configure my inside private network >> 10.24.x.x/24 ???

Thanks in advance
0
lurezero
Asked:
2 Solutions
 
Fred Marshall Commented:
In some respects, LAN and WAN are interchangeable. (i.e. when there's no NAT)
In some cases, (like the Cisco RV042), the WAN side of the router *has* to point toward the internet connection.  
This means if branch offices are going to get internet connection over the MPLS then the LAN side of their RV042s would be on their LAN - but not for the main office where it would be the opposite.
I doubt that's the case for other routers but I don't know.
To me, a router used in router mode should not have a WAN or a LAN really but just interfaces with different subnets on each.  They would not have a "direction" or "orientation".

In general, the routers would be set up in "router" or "non-NAT" mode if that matters to you.

Who has control of these routers?  The description doesn't sound like typical MPLS setups that I know of.  

What I'm used to seeing is an MPLS that looks like a switch from all offices.
This looks more like the ISP has routers involved.

The real question for you should be "What IP address do I route to for Site 1?  For Site 2? For Site 3? etc."  I don't see that information here.  It appears to only address a single site.
Normally I see the *customer* deciding these things.

Here's an example:

Site 1 <> Router 1 <> MPLS
Site 2 <> Router 2 <> MPLS
Site 3 <> Router 3 <> MPLS
etc.
Also examples:
[10.0.1.0/24] Router 1 10.100.100.1/24
[10.0.2.0/24] Router 2 10.100.100.2/24
[10.0.3.0/24] Router 3 10.100.100.3/24
so the MPLS is used with an "interim subnet" 10.100.100.0/24 and there is no gateway or ISP IP address (same thing to me).
Otherwise, it looks like you don't have a private MPLS but rather a public internet set of VPN links of sorts.  Not the same thing......

But I only have experience with one ISP in doing this.
Experience may vary.
Perhaps someone else can shed some light on the approach they've given you.....
0
 
corower Commented:
WAN goes on the "outside" (towards the ISP).
LAN goes towards the inside (local LAN).

What might be wrong: your provider gave you a /30 network for your internal needs, whereas you planned to use your own private IPs via NAT/PAT/masq. Probably your provider thinks that you will use another router/appliance on the "LAN" side of your 2800.
0
 
fgasimzade Commented:
WAN: 15.x.x.16/30
ISP IP: 15.x.x.17/30
Customer IP: 15.x.x.18/30
Mask: 255.255.255.252


This is a dedicated IP address to connect to your ISP. The mask is /30 here, which means that only 2 hosts are allowed in the subnet, you and your ISP.

So, you will have your T1/E1 configured with 15.x.x.18 255.255.255.252 and you will have a default route pointing to 15.x.x.17

ip route 0.0.0.0 0.0.0.0 15.x.x.17

LAN: 31.x.x.32/30
Gateway IP: 31.x.x.33/30
Usable IP: 31.x.x.34/30
Mask: 255.255.255.252


These are public IP addresses you can use for your email/website publishing/NAT.
The ISP will have the following route configured on their router

ip route 31.x.x.32 255.255.255.252 15.x.x.18 - pointing to you

Very strange they gave only 2 ip addresses. We have the same scenario in my organization, but we purchased 254 ip addresses (class C subnet) for publishing. You can probably buy more addresses from them

Anyway, it goes to fa0/1

conf t
int fa0/1
ip address 31.x.x.33 255.255.255.252

and

int fa0/0
ip address 10.24.x.1 255.255.255.0
0

 
fgasimzade Commented:
One more thing to add:

conf t
int fa0/1
ip address 31.x.x.33 255.255.255.252
ip nat outside

and

int fa0/0
ip address 10.24.x.1 255.255.255.0
ip nat inside


Your internal subnet will be NATed to 31.x.x.33
0
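One way to build the PAT setup discussed in this thread, as an added example that is not from any poster: the inside network is translated to an address from the routed public /30, defined as a NAT pool rather than placed on an interface. The addresses are constructed from documentation ranges in place of the thread's redacted ones, and the interface name Serial0/0/0 is an assumption.

```cisco
! Constructed addresses standing in for the thread's redacted ones:
!   198.51.100.16/30  ISP peering /30      (thread: 15.x.x.16/30)
!   203.0.113.32/30   routed public /30    (thread: 31.x.x.32/30)
!   10.24.0.0/24      private inside LAN   (thread: 10.24.x.x/24)
!
! Interface name is an assumption; use the name the T1/E1 card shows
interface Serial0/0/0
 description Circuit to provider PE router
 ip address 198.51.100.18 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description Inside LAN, default gateway for inside hosts
 ip address 10.24.0.1 255.255.255.0
 ip nat inside
!
! Only the inside subnet is eligible for translation
access-list 10 permit 10.24.0.0 0.0.0.255
!
! One address from the routed /30, shared by all inside hosts (PAT)
ip nat pool PUBLIC 203.0.113.33 203.0.113.33 netmask 255.255.255.252
ip nat inside source list 10 pool PUBLIC overload
!
! Default route towards the ISP side of the peering /30
ip route 0.0.0.0 0.0.0.0 198.51.100.17
```

This depends on the ISP routing the public /30 to the customer side of the peering link, as described in the post above; `show ip nat translations` confirms that inside hosts are being translated to the pool address.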
 
lurezero (Author) Commented:
Thank you fgasimzade. Question:


demarc/circuit/PE router (15.x.x.17) >>>>    connects to >>>>   my T1 (15.x.x.18)

my F0/0 (31.x.x.34)                           >>>>>   connects to >>>>  my switch




Where do I configure my 10.24 subnet? And what would it connect to?
0
 
fgasimzade Commented:
Do you have only 1 ethernet port on the router?
0
 
lurezero (Author) Commented:
These are my physical interfaces:

T1/E1 0
T1/E1 1

F0/0
F0/1
0
 
fgasimzade Commented:
You can configure it on fa0/1
0
 
lurezero (Author) Commented:
OK, and what would that interface fa0/1 connect to????
0
 
fgasimzade Commented:
To your switch, as well as your fa0/0 with 31 subnet
0
 
Fred Marshall Commented:
I still don't understand how you can have a private MPLS with public internet addresses.
Are the addresses you've given real??
0
 
Mohammed Rahman Commented:
A router has to have its adjacent IPs in the same network. This goes well for the WAN part, WAN: 15.x.x.16/30 - ISP IP: 15.x.x.17/30

But I have no clue how that can be achieved on the LAN side with LAN: 31.x.x.32/30 (provided by ISP) and 10.24.x.x/24 (that you are interested in)

The LAN interface of your router MUST be in the same 10.24.x.x/24 network.

F0/0 >> 31.x.x.34/30 (this interface goes to my switch)
As a switch cannot do routing, how will traffic from 10.24.x.x/24 flow via the switch to the router's LAN 31.x.x.32/30? (I am not a network expert, but I think this is not possible under normal conditions)

Probably you will not require the LAN IP provided by ISP.

Please have a look at the solution/advice on the link below.
** You will have to change the IP addresses and interfaces in the below solution, as per your requirements. :)

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_21814067.html
0
 
fgasimzade Commented:
@mody2579

This is absolutely possible, he will NAT his 10.24.x.x/24 subnet to the F0/0 >> 31.x.x.34/30 on the router.

Switch should not do any routing here, default gateway for 10.24.x.x/24 will be configured on the router as F0/1, router will just NAT this traffic and forward it to the internet

I assume only 31.x.x.34/30 is routed by ISP on the Internet, 15.x.x.16/30 subnet is just used for peering and is not routable in the Internet
0
 
Mohammed Rahman Commented:
@fgasimzade

Thanks for that info.  
When you said default gateway for 10.24.x.x/24 will be configured on the router as F0/1

does it mean, 10.24.x.x/24 traffic will hit the interface F0/0 -- it will then be NAT by F0/1 as 31.x.x.34/30 and then routed to WAN interface 15.x.x.16/30

If Yes, why can't we jump from F0/0 (10.24.x.x/24) to WAN? is it not unnecessary to introduce F0/1 as 31.x.x.34/30 ?

Why shouldn't we configure F0/0 with 10.24.x.x/24 and connect 254 devices (including this router) and avoid NAT (assuming, lurezero is not in need of connecting more than 253 devices).

** Please educate me (if you are at leisure). Any links to articles explaining this phenomenon or a detailed description by you would be of great help. Again, I am just learning networking, not an expert :)
0
 
fgasimzade Commented:
Yes, we can NAT to 15.x.x.x subnet  directly, but it depends on the ISP.

As I said in the previous post, I assume ISP routes only 31.x.x.x subnet in the Internet, 15.x.x.x is used only for peering and is not known to the outside world
0
 
corower Commented:
As I said in the previous post, I assume ISP routes only 31.x.x.x subnet in the Internet, 15.x.x.x is used only for peering and is not known to the outside world

FMPOV it seems like extremely bad practice. Unnecessary hop + unnecessary micro-splitting... 15.x.x.x are absolutely normal public addresses; if they're supposed to be "not known to internet" then addresses from 10/8 or 172.16/12 or 192.168/16 should be used.
0
 
fgasimzade Commented:
Yes, they are public, but ISP may decide not to advertise them to the outside world
0
 
corower Commented:
Then why use them in the first place? :)
0
 
fgasimzade Commented:
It is up to ISP to decide :)

I have the same topology in my organization, /30 subnet was given from ISP for peering and we purchased /24 subnet for use
0
 
corower Commented:
This is a different story - if you have the urge to route (and firewall and account) some (more than one) public IPs that are all to be allocated to one client via a PTP link, and you are still able to use that 1 IP you have on your end of the PTP link, it might be justified. Otherwise I would look for ways of making that peering PTP link more transparent to get rid of that /30 subnet... and I would try to allocate a single IP for that client, not waste two /30s (8 IPs). Okay, it's not that simple to get rid of the PTP link's IPs (if you want the client's IP to be public), but either the client's /30 or the PTP one is a complete waste. Really, I can hardly imagine a situation where the ISP is unable to implement this with one hop less than it is drawn now.
0
 
Fred Marshall Commented:
How does one "not advertise"???
If it's connected into the internet then it hardly matters what you call it.

There is NO point in using public addresses (even if not connected to the internet) as there are plenty of private addresses available for your (private) use.  But, if someone who is connected to you does that then you may be stuck with it.  It's hard to imagine though that you would be constrained from using private address ranges on YOUR side of the box.
0
