Cisco Site to site bridge

John (United Kingdom) asked:

I have a remote site that has a Cisco 867VAE on ADSL and I can telnet to it.  They use it for internet access.  

I have a Cisco 2851 at my site (and a shelf full of other ethernet and DSL routers in case this one is not adequate) providing ethernet access for my site.  

I need to access a device at the remote site (preferably without taking down Internet access for more than a few minutes).  This device does not have a gateway configured, so I can't simply port-forward to it or configure a site-to-site GRE tunnel (as either would require a gateway or route on the device in question).

So I decided to do a transparent bridge.

All the examples I can find say that a router can either route or bridge, but not both.  I don't believe that this is a real limitation.  After thinking about it, I want to set up a sub interface on the destination router that will bridge to a router at my site.  Presumably, this will involve creating a site to site VPN and attaching it to a bridge group.  

Can someone please help me achieve my goal - either using the method I have described - or a totally different method.  

I have remote access to configure the remote router.  I have no access to the device in question.  Physical access to the device or remote site is not possible.  There are no computers at the remote site that I can, say, TeamViewer to and then connect locally to the device.

thanks

John
David Favor (United States of America):

You said, "All the examples I can find say that a router can either route or bridge, but not both."

This is correct. Routers can only run in one mode at a time, so either normal mode or bridge mode, never both modes.

Maybe provide a diagram of your setup. As stated above, unlikely you can get this to work.

Sounds like you're trying to provide multiple links (net connections) to your site running outside a normal NOC (hosting or colo company).

This can be challenging to setup + get right.

Generally what you'll do is run your incoming connection in bridge mode, which will then connect to your internal connections. Generally this includes a first router device which hands out DHCP addresses to your entire infrastructure. Then other devices are connected to your first router device + all these will be running in bridge mode, so only your first router device handles IP assignment + all other devices work as bridge mode repeaters.

If you try any other setup, you'll have to come up with your own scheme of DHCP networks, or assign static IPs to various networks you make up on the fly.

If you keep all your IP address assignment at your first device, you'll be fine.

Also remember once you hit the device which will be assigning IP addresses, all other devices will run in bridge mode connecting back to the device doing IP assignments.
John (asker):
Won't IRB help?  Or is that aimed at a different scenario?
John (asker):

Would L2TPv3 work?  I found this link:

https://packetpushers.net/extending-layer-2-across-layer-3-with-l2tpv3-pseudo-wires/

Before I start messing with a production router, I'd love a little advice on whether this would allow internet browsing (via NAT on the remote-site router) while also bridging the L2 networks at each site?

thanks in advance

John
John (asker):

Hi David, I missed part of your answer.  I am actually trying to re-configure some incorrectly configured equipment at a customer site without needing to visit.  It is a multi-tenant wifi network and there are some wifi points on site whose only configuration option is via HTTP.  If they were Cisco, I'd telnet/SSH to the router and then to the device.  But as these are HTTP only, I don't have that luxury.

I tried using NAT/PAT to forward port 80 to a different external port so I could hit the web interface and configure, but they don't seem to have a gateway set, so return packets don't know how to get to me.  So I hit upon the idea of extending the L2 segment to my site, avoiding the need for a gateway (otherwise I'd do what I have done many times before and just pull up a GRE tunnel, but it needs a gateway to be set on the device).  This crops up every so often, so I'd like to come up with a method to do it that I can roll out as and when.

So a bridge over, say, GRE, IPsec or L2TP sounds like the way to go.  With IRB, I thought that there'd be a possibility.  I'm pretty handy with Cisco, but this is breaking new ground for me, so I was hoping for a leg-up.

L2TP should work for you. See this link. This will allow that tunnel to be encrypted.

https://community.cisco.com/t5/routing/vlan-extend-l2tpv3/td-p/2912287
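For reference, here is the shape of an L2TPv3 pseudowire that bridges one dedicated port at each site, written as an added example for this thread rather than taken from either linked article or from the hidden accepted solution. Every address, interface name, VC ID and password below is an assumption; the 2851 side uses a real routed port, and the remote-side attachment circuit must be a routed Ethernet port or dot1q subinterface that is free to give up its IP configuration, which you need to confirm on the 867VAE. A laptop plugged into the 2851's Gi0/1 with a static address in the remote LAN's subnet then reaches the access point's HTTP interface by plain ARP, so the device needs no default gateway.

```cisco
! ===== Local site: the 2851 (hypothetical addresses) =====
! Tunnel endpoint. Must be reachable from the remote router, and vice versa:
! L2TPv3 is IP protocol 115, so it will not pass through NAT in the path.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! Control-channel authentication only. This checks L2TPv3 control messages;
! it does NOT encrypt or integrity-protect the bridged Ethernet frames.
l2tp-class L2TP-MGMT
 authentication
 password 0 ChangeThisSharedSecret
!
pseudowire-class PW-MGMT
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-MGMT
 ip local interface Loopback0
 ip pmtu
!
! Dedicated attachment circuit. The port becomes pure layer 2: no IP
! address, no NAT, nothing else shares it. Remote-LAN broadcasts will
! appear here, so never bridge this port into your own management VLAN.
interface GigabitEthernet0/1
 description L2 extension to remote site (plug the admin laptop in here)
 no ip address
 xconnect 198.51.100.1 100 pw-class PW-MGMT
!
! ===== Remote site: the 867VAE (hypothetical) =====
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
l2tp-class L2TP-MGMT
 authentication
 password 0 ChangeThisSharedSecret
!
pseudowire-class PW-MGMT
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-MGMT
 ip local interface Loopback0
 ip pmtu
!
! Attachment circuit on the access-point segment. The interface that
! carries "ip nat inside" for the tenants' Internet access cannot also be
! the xconnect interface, so this has to be a separate routed port or
! subinterface that sits in the same broadcast domain as the APs.
interface FastEthernet0
 description L2 extension to head office
 no ip address
 xconnect 203.0.113.1 100 pw-class PW-MGMT
```

Verify with `show l2tun session all` and `show xconnect all` on either side; the session should show as established before you expect ARP to cross. Two caveats a practitioner would want before putting this on a production edge: the pseudowire itself gives no confidentiality, so if the path is the public Internet run it inside an IPsec tunnel between the two routers rather than relying on the l2tp-class password; and because this is a standing L2 adjacency into a customer's tenant network, remove it (`no xconnect` on the attachment circuit) once the access point is reconfigured rather than leaving it up.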
ASKER CERTIFIED SOLUTION

John (United Kingdom)

This solution is only available to members of Experts Exchange.