We are planning to rearrange our network setup, as it is not well structured and needs to meet some new requirements. Below is my proposed network setup for everyone's kind reference. (Expecting everyone's valuable suggestions and support on my proposed diagram.)
Following are our key requirements:
1) How can we configure inter-VLAN communication and internet access for both VLANs?
2) Secure access to the servers from outside using the public IPs (like static NAT in the 1811 router to routers)
3) Need to implement unauthorized access/attacks from outside, since in my plan the public IP is assigned to the 1811 router interface (like enabling firewall/IDS in the router)
4) Need to configure wireless access to both VLANs in future, since the wireless access point is integrated in the 1811W ISR
Kindly give your valuable suggestions and advice for meeting the above-mentioned requirements and queries.
1. Since your setup has a 3550 switch, the inter-VLAN communication can be done by creating SVIs, and the internet access for both VLANs can be done by creating a static route from the router to the Internet.
We can use the router as well to perform inter-VLAN routing and use the switch as a pure L2 switch.
2 and 3: Can be done with the help of Access Control Lists.
4. Could not completely understand the requirement. Can you please elaborate a little more on this?
1. But how can we enable communication between the 3550 switch and the 1811 router? The link needs to be made a trunk, right?
Even if SVIs are created on the 3550 switch, how can the communication between the 3550 switch and the router be possible? Would configuring a default gateway work? Is it possible that we can create SVIs on the 1811 router (considering the future wireless requirement)?
2 and 3) Since the router is open to the internet, what all should I block to restrict unauthorized traffic and provide safe public access to servers? Like in the ASA, we have predefined security levels blocking traffic from outside to inside. Can you also please provide the standard blocking guidelines for routers open to the internet?
4. Maybe in future I will need to provide wireless access to the two VLANs without rearranging the current setup. So I just want to make sure the current setup holds good when trying to configure wireless in future.
1. Yes. If you are performing inter-VLAN routing at the router, then the link between the switch and the router should be a trunk to carry the traffic of the required VLANs.
If the inter-VLAN routing is performed at the Cisco 3550, you have to enable routing on the switch; the port leading towards the router should be a routed port, and you configure either a default route or run a routing protocol between the switch and the router.
SVI is only on an L3 switch and not in a router.
2 and 3) Maybe this link on access lists might help. Look for extended access lists, which can be tweaked according to the requirement.
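Putting the L3-switch option from the reply above into configuration, as an added example that is not from the original thread or from Cisco: the 3550 does the inter-VLAN routing on SVIs, its uplink to the 1811 is a routed port rather than a trunk, and a default route hands everything else to the router, which in turn has static routes back to both VLAN subnets. The VLAN IDs 10 and 20, the SVI addresses 192.168.1.1 and 10.0.1.1, and the interface names are assumptions; the subnets 192.168.1.0/24 and 10.0.1.0/24 and the transit addresses 192.168.2.1 / 192.168.2.254 are the ones used elsewhere in the thread.

```cisco
! --- Catalyst 3550: inter-VLAN routing on SVIs (added example, not the poster's config) ---
! Turn the 3550 into a layer-3 switch
ip routing
!
! VLAN IDs and names are assumptions
vlan 10
 name SERVERS
vlan 20
 name USERS
!
! One SVI per VLAN; hosts in each VLAN use the SVI address as their gateway
interface Vlan10
 description gateway for 192.168.1.0/24 (servers)
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 description gateway for 10.0.1.0/24 (users)
 ip address 10.0.1.1 255.255.255.0
!
! Uplink to the 1811 as a routed port (no switchport), not a trunk
interface FastEthernet0/24
 description routed uplink to 1811 (interface choice assumed)
 no switchport
 ip address 192.168.2.1 255.255.255.0
!
! Example access port for a server in VLAN 10
interface FastEthernet0/1
 description server port (example)
 switchport mode access
 switchport access vlan 10
!
! Everything the switch cannot route itself goes to the 1811
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
! --- 1811: the other end of the routed link, plus routes back to both VLANs ---
interface FastEthernet1
 description routed link to 3550 (interface name assumed)
 ip address 192.168.2.254 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 10.0.1.0 255.255.255.0 192.168.2.1
```

After applying it, `show ip route` on the 3550 should list both VLAN subnets as directly connected and the 0.0.0.0/0 static route via 192.168.2.254, and `show ip route` on the 1811 should show the two static routes via 192.168.2.1. If the router is chosen to do the routing instead, the uplink becomes `switchport mode trunk` on the 3550, the SVIs move off the switch, and the router terminates each VLAN on a dot1Q subinterface; the two designs should not be mixed on the same link.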
1) Configured the 3550 as a layer-3 switch and created a default route to 192.168.2.254
2) Configured 2 static routes (for the 2 VLAN ranges) and one default route to 192.168.3.254
3) IP passthrough is not configured yet; the public IP is still configured at the ISP router
1811 static route configs:
ip route 0.0.0.0 0.0.0.0 192.168.3.254
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 10.0.1.0 255.255.255.0 192.168.2.1
3550 static route config:
ip route 0.0.0.0 0.0.0.0 192.168.2.254
1) All LAN communications are working fine (inter-VLAN also); pings to all servers from the router succeed and pings to outside public IPs succeed from the router, but pings from the switch to 192.168.3.254 and to outside IPs fail.
Kindly advise what the problem is in the current configs.
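An added example of the 1811 side, not the poster's running config and not Cisco's. It assumes the ISP-facing port is Fa0 with 192.168.3.1/24 and that the ISP router at 192.168.3.254 has no route back to 192.168.2.0/24. That combination produces exactly the symptom above: pings from the router are sourced from 192.168.3.1, which the ISP router can answer, while pings from the switch are sourced from 192.168.2.1, whose replies the ISP router sends down its own default route and never back. Translating the transit subnet together with both VLAN subnets on the 1811 fixes that without touching the ISP router. The same block shows requirements 2 and 3 from the original question in IOS terms: one static NAT for a server (192.168.1.10 on TCP 443 is an assumed example) and an inbound ACL plus CBAC inspection so that only that published service and the return traffic of sessions started inside are accepted from outside. The `ip inspect` commands need an IOS image with the firewall feature set, which the 1811 may or may not be running.

```cisco
! --- 1811 ISR: NAT, published service and inbound filtering (added example) ---
interface FastEthernet0
 description ISP-facing link (interface name and address assumed)
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
 ip access-group FROM-INTERNET in
 ip inspect FW out
!
interface FastEthernet1
 description routed link to 3550 (interface name assumed)
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.3.254
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 10.0.1.0 255.255.255.0 192.168.2.1
!
! Both VLAN subnets AND the transit subnet are translated; leaving 192.168.2.0/24
! out of this list is what makes the switch, but not the router, unable to ping out
ip access-list standard NAT-INSIDE
 permit 192.168.2.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 permit 10.0.1.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload
!
! Requirement 2: publish one server on one port only (server address/port assumed)
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet0 443
!
! Requirement 3: stateful inspection opens return pinholes for sessions
! initiated from inside, so the inbound ACL can stay deny-by-default
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACLs on a NAT outside interface are checked before translation,
! so the destination here is the outside address, not the server's 192.168.1.10
ip access-list extended FROM-INTERNET
 permit tcp any host 192.168.3.1 eq 443
 deny ip any any log
```

To confirm the fix for the ping problem, `show ip nat translations` on the 1811 should show an entry with inside local 192.168.2.1 while the switch is pinging 192.168.3.254. `show ip access-lists FROM-INTERNET` shows hit counts on the final deny and, with logging, which outside sources are being dropped, which is the visibility requirement 3 was asking for. Once the ISP router actually hands the public address to Fa0, only the interface address in the ACL changes; the NAT and inspection lines stay as they are because they reference the interface, not the address.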