Using ASA-5510 to route VLAN WLAN connection

scottrhodes13a, Level 1

Hi Everyone..

I am a complete newbie to Cisco equipment. So far I've been able to figure out how to do most of what I needed by using the ASDM, but I have run into something that is a little more complicated than just opening a port.

We currently have a connection to our remote site. This site has a T1 internet connection. Our connection is a site to site VPN with an ASA-5510 on this end and a ASA-5505 on the other.

We are upgrading this connection to a 75mbit hybrid microwave/fiber link. The provider is going to hand it off to us as an untagged VLAN. We made the decision to route all of the remote site's internet access through this location so as to avoid having to split off part of the bandwidth of this link to dedicate to internet access.

We also have an Enterasys B3 Layer 3 switch and on the test bench I believe I have successfully configured this switch to enable the VLANs to communicate with each other and allow the remote site internet access.

The main office uses ip schema 10.0/16 and the remote office uses 10.3/16

However, after giving this more thought, I believe that the ASA-5510 would be better suited to this task.

We have unused Ethernet ports on the device, so how would I configure the ASA to do this?

I am sure I would have to configure the unused port, along with VLAN config and some routing configuration, but I am completely ignorant on how to do this.

Thank You for any help,

Michael

23 Replies

Mitchell Dyer, Level 1

Hello Michael,

If I understand you correctly you have a point to point link between your main site and a remote site and are wanting to route internet traffic for the remote site through the main site utilizing the ASA. (please correct me if I'm wrong)

Depending on the type of point-to-point link (Layer-2 or Layer-3) it would be configured a little bit differently. If it is a layer-3 service your provider will probably assign you addresses to use. If it is a layer-2 service you can use anything that makes sense to you -- a /30 would be the obvious choice. I'm assuming it's a layer-2 service since you mentioned the provider is handing it off as an untagged VLAN.

On both the 5510 and the 5505 you'll want to configure an additional VLAN, the security-level and the IP address.

int vlan <vlan-id>
     nameif point-to-point
     security-level <level>
     ip address x.x.x.1 255.255.255.252

Then associate the VLAN with a physical interface (just like a switch).

int <physical-interface>
     switchport access vlan <vlan-id>

You will also want to enter the global config command to enable traffic between interfaces with the same security level.

same-security-traffic permit inter-interface

Then, add some routes:

Main Office:

     route point-to-point 10.3.0.0 255.255.0.0 <next-hop>

Remote Office:

     route point-to-point 0.0.0.0 0.0.0.0 <next-hop>

Some issues you might run into:

* Make sure your outbound NAT translation includes the remote office's network so your traffic originating from that site will get NAT'd out the WAN connection at the main site. (feel free to post questions if this doesn't make sense).

* If your 5505 is using the base license be careful with how the restricted VLAN is deployed as it can only 'talk to' one other VLAN, but not both. (i.e. if you had inside and outside, the restricted VLAN can either only exchange traffic with the inside VLAN or the outside VLAN, but not both without a manual configuration change).

I had a similar scenario with two 5505's on either end of a layer-2 point-to-point link, we opted for a site-to-site VPN across the point-to-point link as I wasn't overly trusting with the carrier providing the link.

Hope this helps, feel free to post questions for clarity.

Hi Mitchell,

Thank you for your reply..

You mostly have the gist of what I am trying to do, but let me clarify a few things.

Due to the insensitive nature of the data going between the two locations, I am not too worried about security of the connection. In addition, I would like to reduce the overhead by eliminating the VPN.

I believe the connection we are buying/using is a L2 link. We have the option of IP's if we want them, but in this situation I don't believe we need them. Essentially, the link is being handed off to us as an untagged VLAN connection - basically a 300 mile Ethernet cable.

If it weren't for the fact that this is a VLAN connection, I could just plug both ends into a switch on both sides, reconfigure the IP's and gateways on the remote side and be done with it since the remote location needs access to servers at this location.

But since this is a VLAN connection, I realize I will have to configure VLAN interfaces. I can do this with the Enterasys B3 layer 3 switch we have. I have already configured and tested the configuration on the switch. But as I stated, I believe the ASA may be better suited to the job.

Another thing that I forgot to mention is that the remote location also has a 2921 on site. We have dual T1 lines to the remote location. One provides POTS and one provides internet access. I believe the router is there to service these T1 lines. Unfortunately I don't have any more information on what is there and why. I am new to this company and there isn't any documentation as to the network configuration at either location. I've figured out most of what is going on at this location simply because I am here.

Anyway, I am getting a little off track here. The idea I had was to keep it simple. Since we really don't need a site to site VPN connection, I believe we can eliminate the 5505 at the remote location, and possibly the 2921 depending on what it's being used for.

I envision one end of the VPN link going straight to the switch at the remote location, and one end going to the ASA-5510 at the main office. This way all I have to do is configure the 5510 and we're off to the races. Since there are no IT personnel at the remote location, I will have to get this side mostly set up, then go over there and complete the installation. So I am going to have to keep the transition as seamless as possible in order to reduce the down time as much as possible. I will be able to access the 5510 from the remote location.

But, I am certain you have far more experience than I at getting something like this up and running, so if I am off base, or what I am trying to do is not the best or correct way to do it, please let me know. I'm all ears. It is frustrating being so ignorant about Cisco equipment, but hey, we all had to start somewhere, right?

Thank You,

Michael

Any help here?

Thanks,

Michael

Hello Michael,

Sorry for the delayed response. So no need for the VPN across the point-to-point link - check.

I don't know what kind of timeframe you have to complete the work described above but for me - it's always a must to create a topology diagram, often times it is a lot easier to see where the problem/bottleneck lies simply by creating a document such as this. Also, it might help me assist you (I'm a visual kind of a guy). I took the liberty of creating a quick visio with what I think you have setup currently and what you are trying to accomplish.

 

To keep things simple, I would terminate the 75Mbit point to point link at the main site into one of the 5510 interfaces, and the other end in one of the 2921 Gig interfaces. Both the 2921 (http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf) and the 5510 (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html) have the throughput to handle a point to point link of this speed. You would be able to phase out both the ASA5505 and the DS1 at the remote site.

Your previous comment regarding configuring one site then migrating the other site over is correct. You should be able to get everything set up at the main site without affecting existing traffic flow between sites and then travel to the remote site and complete the configuration of the remote site along with the final touches to get internet based traffic routed through the main site.

I think you might be overcomplicating the fact that the point to point link is a "VLAN" connection. Treat it just like you described, a 300 mi ethernet cable. The benefit of using layer 3 addresses at either end of the point to point link is to prevent unnecessary broadcast traffic from traveling over the link.

If you are concerned with throughput for inter-vlan routing at the main site (I don't know how many VLANs you have at the main site) then you would probably want to terminate the point-to-point link at the main site on the switch using a routed port or an unused VLAN, or whatever the equivalents are in Enterasys terms. Using an unused VLAN technically provides greater throughput but the link isn't fast enough to saturate a routed port anyhow so it would be irrelevant.

I'm not familiar with Enterasys (I'll be honest, I've never heard of the company) but to do this on a L3 Cisco switch:

Routed Port: (limited by the speed of the port)

     int gi 1/0/35                              (assuming you are connecting the point to point link into port 35)
          no switchport                         (turn the port into a layer 3 interface)
          ip add 172.30.0.1 255.255.255.252

VLAN: (limited by the speed of the backplane)

     int vlan 4000
          ip add 172.30.0.1 255.255.255.252
          no shut

     int gi 1/0/35                              (assuming you are connecting the point to point link into port 35)
          switchport mode access
          switchport access vlan 4000

Hope this helps.

Hello Mitchell,

Thank you for your reply. I apologize for my impatience.

Your diagrams are mostly correct. I don't have Visio to use here, so I drew up my current configuration, the Enterasys B3 switch option and the 5510-2921 link options in Paint.

Below is the current set up. We currently do not have any VLANs configured at all. In reality, even counting both locations we are a fairly small network with approximately 100 workstations, laptops and servers. If you include printers, access points, switches, etc, we have approx 150 total devices on the LAN.

Now, I am not 100% sure of the set up on the remote side regarding the voice T1 line. I believe this is the way it is set up because otherwise I would have no idea why the 2921 was even there since the ASA-5505 should be able to handle the routing for the incoming data T1 line all by itself. However, I could be wrong. It certainly wouldn't be the first time.

Below is the first idea I had as far as keeping it simple. Although the Enterasys switch is routing at a layer 3 level, I believe you are correct in that this is essentially a layer 2 link. I also believe you are correct in that broadcast traffic will travel over the link. Bear in mind that I have already tested this configuration and it worked on my test bench. All I had to do in order to get it to work was to enable RIP on the ASA-5510 and it was working. As long as I configured the gateway IP on the PCs attached to the VLAN interfaces, then both VLANs could communicate freely back and forth - which is what I am after since both networks must share servers.

As a side note, I am aware that I could dedicate more of the B3 ports to VLAN 200 and use the secondary NIC cards in the servers for these ports. But I have no need at this point to keep the VLANs separate, although I know it is an option for the future if I find it necessary to do so.

Below is the second option I was thinking of. Again, I believe you are correct in stating this is a layer 3 link which would isolate the broadcast traffic. What I am confused about is the IP configuration. In your diagram, you have picked an IP of 172.30.0.0/30. I am confused as to why you would select this IP. Maybe I am not thinking about it correctly, but wouldn't the interface on both sides of the connection require its own IP? To use the IP range you selected for example, wouldn't the Ethernet port on the 2921 need to be configured with let's say 172.30.0.10, and then the PCs on the 10.3.0.0/16 network would need 172.30.0.10 configured as a gateway? And vice-versa on the main site side. If the interface on the 5510 was configured as let's say 172.30.0.20 wouldn't the PCs on this side need their gateway set to 172.30.1.20? If so, this would cause Windows machines to complain about the gateway not being on the same subnet as defined by the IP address and subnet. This is why I set the IP's the way I did on the B3 switch experiment.

Am I missing something here?

Long story short, I am looking for the best overall way to set this up while still keeping it relatively simple and keeping the overhead on the link as low as possible.

I realize my inexperience with routing in general and setting up Cisco equipment is a huge handicap for me in this instance. I really appreciate the patience and the assistance. Step by step instructions are a HUGE help for me at this stage of my knowledge.

Thank you very much,

Michael

Hello again,

The last image you included is the closest to what I would implement and what I tried to convey via the visio diagram I had attached with my previous post. The second image is much simpler, the only difference being that any broadcast traffic generated at the remote site would traverse the point-to-point link - dying at port1 on the Enterasys.

The 172.30.0.0/30 subnet would strictly be for the interfaces that either end of the point to point link are connected to. There is no particular reason I chose this subnet, you were already using 10.x.x.x ranges so throwing in a different IP scheme makes the addresses distinguishable.

You won't need to modify the client configurations at either site, just the configuration on the network equipment/routes; I included a sample IP configuration in the diagram below for a client at each site.

Scenario: (disregard reference to 172.30.0.1 being the Enterasys, I was too lazy to correct it)

On the ASA you would want to enter the following:

asa (config)# int vlan 300                                   //create vlan 300 (assuming vlan 300 is not in use already)
asa (config-if)# nameif point-to-point                       //name the zone/interface
asa (config-if)# security-level 100                          //assign security-level equal to "inside" vlan
asa (config-if)# ip add 172.30.0.1 255.255.255.252           //configure IP address
asa (config-if)# no shut                                     //bring VLAN up
asa (config-if)# int eth 0/2                                 //switch to interface config of interface connected to p2p link
asa (config-if)# switchport access vlan 300                  //associate with vlan 300

Return to global config mode:

asa (config)# same-security-traffic permit inter-interface   //permit interfaces with same security level to pass traffic

Add route for the remote network, next hop being 172.30.0.2 (2921):

asa (config)# route point-to-point 10.3.0.0 255.255.0.0 172.30.0.2

You may need to reconfigure your NAT statements (post the output of "sh run nat" from the 5510 for this).

On the 2921:

2921 (config)# int gi 0/0                                    //configure interface connected to point-to-point link
2921 (config-if)# ip add 172.30.0.2 255.255.255.252          //configure ip
2921 (config-if)# no shut                                    //make sure the interface is up

Add default route so all traffic will get pushed over the point to point link:

2921 (config)# ip route 0.0.0.0 0.0.0.0 172.30.0.1

Hope this helps.
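Added example, not from the thread or from Cisco: a Python model of the routing tables the post above sets up. It shows why the 172.30.0.0/30 link subnet never appears in a client's gateway setting, and walks a packet from each site device by device through the 5510 and the 2921 until it is delivered on a connected network or handed to the ISP. Addresses are the thread's (10.0.0.0/16 main site, 10.3.0.0/16 remote site, 172.30.0.0/30 link); the ISP next hop 203.0.113.1, the internet destination 198.51.100.10, the 2921 LAN interface name Gi0/1 and the NAT source lists are constructed for the example.

```python
"""
Routing model for the main-site ASA 5510 and remote-site 2921 as described
in the thread. Constructed values: ISP next hop 203.0.113.1 (TEST-NET-3),
2921 LAN interface name Gi0/1, NAT source lists passed to nat_covers().
"""
from ipaddress import ip_address, ip_interface, ip_network

# Routing tables as (prefix, next hop, egress interface); next hop None = directly connected.
ASA5510_ROUTES = [
    (ip_network("10.0.0.0/16"), None, "inside"),
    (ip_network("172.30.0.0/30"), None, "point-to-point"),
    # route point-to-point 10.3.0.0 255.255.0.0 172.30.0.2
    (ip_network("10.3.0.0/16"), ip_address("172.30.0.2"), "point-to-point"),
    # existing default route towards the ISP (next hop is a constructed address)
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "outside"),
]
ROUTER2921_ROUTES = [
    (ip_network("10.3.0.0/16"), None, "Gi0/1"),  # remote LAN; interface name assumed
    (ip_network("172.30.0.0/30"), None, "Gi0/0"),
    # ip route 0.0.0.0 0.0.0.0 172.30.0.1
    (ip_network("0.0.0.0/0"), ip_address("172.30.0.1"), "Gi0/0"),
]
DEVICES = {"ASA5510": ASA5510_ROUTES, "2921": ROUTER2921_ROUTES}
# Which device owns each end of the /30, and which device is a client's first hop.
LINK_OWNER = {ip_address("172.30.0.1"): "ASA5510", ip_address("172.30.0.2"): "2921"}
FIRST_HOP = {ip_network("10.0.0.0/16"): "ASA5510", ip_network("10.3.0.0/16"): "2921"}


def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, interface) or None if nothing matches."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    _, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
    return next_hop, iface


def trace(src, dst):
    """Follow a packet device by device; returns the list of (device, egress interface)."""
    src, dst = ip_address(src), ip_address(dst)
    device = next(d for net, d in FIRST_HOP.items() if src in net)
    hops = []
    while True:
        match = lookup(DEVICES[device], dst)
        if match is None:
            hops.append((device, "no route"))
            return hops
        next_hop, iface = match
        hops.append((device, iface))
        # Stop once delivered on a connected network or handed off to the ISP.
        if next_hop is None or next_hop not in LINK_OWNER:
            return hops
        device = LINK_OWNER[next_hop]


def link_hosts(link="172.30.0.0/30"):
    """The only two usable addresses on the link subnet: one per end of the link."""
    return [str(h) for h in ip_network(link).hosts()]


def gateway_ok(client, gateway):
    """The check a Windows client applies: the gateway must lie inside the client's own subnet."""
    return ip_address(gateway) in ip_interface(client).network


def nat_covers(nat_sources, src):
    """True if the main-site outbound NAT source list includes src (the remote LAN must be in it)."""
    return any(ip_address(src) in ip_network(n) for n in nat_sources)


if __name__ == "__main__":
    print(link_hosts())                               # ['172.30.0.1', '172.30.0.2']
    print(gateway_ok("10.3.0.50/16", "10.3.0.1"))     # True: client gateways stay on the 10.x LANs
    print(trace("10.0.0.50", "10.3.0.50"))            # main -> remote across the link
    print(trace("10.3.0.50", "198.51.100.10"))        # remote -> internet via the 5510's outside
    print(nat_covers(["10.0.0.0/16"], "10.3.0.50"))   # False: this NAT rule would miss remote traffic
```

The last call is the check behind the NAT warning in Mitchell's first reply: a NAT rule whose source only covers 10.0.0.0/16 leaves the remote office's 10.3.0.0/16 traffic untranslated when it leaves the outside interface.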

Hello Mitchell,

Ok, I think I now completely understand what you are explaining to me. Sorry for being so dense.

A couple of questions. In your instructions above, which interface should I be configuring vlan300 for? Inside? Or are these global commands?

Also, do you think it would be possible to set up everything on the main office side that needs to be set up before going to the remote site *without* breaking our current VPN connection? It would be far easier to be able to do that since once I start messing with the connection at the remote location I may lose connectivity to the 5510. Although I do plan to take a mobile hotspot with me so I have a backup connection.

The reason I ask is because it seems to be that once I add:

asa (config)# route point-to-point 10.3.0.0 255.255.0.0 172.30.0.2

to the ASA that it will begin to try to route all traffic for the 10.3.0.0/16 network over the point to point interface instead of the Outside interface.

And one last question. Assuming that I am incorrect about the 2921 handling the voice T1, wouldn't it also be possible to use the ASA-5505 instead of the 2921 to achieve the same result?

Thanks,

Michael

Michael,

The information regarding VLANs actually only pertains to the 5505 series as it uses VLANs to separate zones, whereas the 5510 is port based. So - ignore the VLAN300 statement and just issue the commands on the next available interface. You should have one interface named "inside", one named "outside" and one named "point-to-point" (or whatever makes sense to you).

Should look something like this:

asa (config)# int eth 0/2                                    //next available physical interface on the 5510
asa (config-if)# nameif point-to-point                       //name the zone/interface
asa (config-if)# security-level 100                          //assign security-level equal to "inside" interface
asa (config-if)# ip add 172.30.0.1 255.255.255.252           //configure IP address
asa (config-if)# no shut                                     //bring the interface up

In regards to maintaining the VPN configuration until you are ready to cutover:

I would just configure the 5510 to allow management access from the point-to-point connection.

asa (config)# management-access point-to-point
asa (config)# ssh 172.30.0.2 255.255.255.252 point-to-point  //assuming you use SSH to manage the device

The commands above should allow you to configure everything at the main site except for the default route you mentioned above. You can then go to the remote site, configure the equipment as necessary, remote into the 5510 at the main site via the point to point link and make the necessary routing changes and tear down the VPN.

Hope this helps.

P.S. - Please rate the posts if you feel they were helpful, it will help people facing a similar issue identify the appropriate solution.

Mitchell,

Okay, thank you for that. I was a little confused by the references to VLAN on the 5510.

I think I have the information I need to get started on this project. The main office equipment has been installed. We are waiting on the remote site to get installed and for the provider to let us know that everything is ready to go.

I will come back and rate these posts after I get everything up and running. If I have more questions I'll post them.

Thanks again for all your help, I really appreciate your time.

Michael

Hi Mitchell,

OK, I am back, with more information.

I have pre-configured the ASA-5510 per your instructions. No problems except with the management access. I had to remove management access from the inside interface and reassign it to the point to point interface.

Our connection should be finished and handed off to us tomorrow, which means on Monday I will be at the remote location to do the set up.

I also found out that the Cisco 2921 does not have anything to do with the telephones over there. There is separate equipment for the voice T1. It turns out that the only reason the 2921 is there is to basically convert the T1 into Ethernet.

So that opens up the possibility of using the ASA-5505 instead of the 2921.

This unit has a base license though, so I understand that only 2 VLANs can communicate with each other using this license.

But, since I am going to be shutting down the internet connection there, couldn't I reconfigure it?

The current configuration is as follows:

eth 0/0: Outside, vlan2, Security level 0

eth 0/1: Management, vlan1, security level 50 (This seems to be set up as a DMZ?)

eth 0/2-0/7: Inside, vlan12, security level 100

So what I was thinking is if I reconfigured eth 0/0, set its security level to 100, then used the same-security-traffic inter-interface command to allow traffic between vlan1 and vlan12.

If I am correct in my thinking, how would I go about doing this? I think I can figure it out by your instructions above, but I'd like to double check just to be on the safe side.

Oh, and one more thing. Do I need the same-security-traffic inter-interface command on the ASA5510 in the remote office also?

Thank You!

Michael

Michael,

Sounds like you have an excellent handle on what you need to do.

Remote Office:

The base license on the 5505 permits 3 VLANs, one of which is restricted, meaning it can talk to one other VLAN but not both. In your case I'm not sure which is playing that role but by default VLAN1 is 'inside', VLAN2 is 'outside' and VLAN3 is 'dmz'. Based on the security levels you mentioned above it sounds like some of that got switched around for some reason, but that is ok!

If you issue a 'sh run int' you should see a line "no forward interface VLAN" on one of the interfaces; this line dictates which interface the interface it is configured under is not allowed to communicate with.

For example you might see "no forward interface VLAN12" under VLAN1 on the 5505 at your remote site, this would mean that VLAN1 is your restricted VLAN and that traffic generated on this interface/VLAN can only talk to VLAN2.

If you connected the point to point link to eth0/1, you would set the security-level to match the LAN:

     asa (config)# int vlan 1                    //VLAN1 is the interface eth0/1 belongs to
     asa (config-if)# security-level 100

Reconfigure your restricted VLAN (VLAN1) so that it could pass traffic to VLAN12 rather than to VLAN2:

     asa (config-if)# no forward interface VLAN2

Allow interfaces with the same security level to pass traffic between one another:

     asa (config)# same-security-traffic permit inter-interface

Then continue with the P2P addressing and routing we discussed in our previous posts.

Main Office:

Yes, you will need the "same-security-traffic permit inter-interface" command on the 5510 as well - please be sure to set the security level of the P2P interface the same as the 'inside' interface.

Hope this helps!
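Added example, not from the thread or from Cisco: a Python model of the three ASA forwarding rules the post above relies on when it re-homes the restricted VLAN on the base-licence 5505 (higher security level to lower is allowed by default, equal levels need "same-security-traffic permit inter-interface", and the restricted VLAN cannot reach the VLAN named in its "no forward interface" line). It evaluates the interfaces the asker listed (VLAN2 outside at level 0, VLAN1 management at level 50, VLAN12 inside at level 100) before and after the change. Access lists and stateful return traffic are left out; the "no forward interface Vlan12" line on VLAN1 in the "before" configuration is the worked example from the post, not a verified fact about the asker's unit.

```python
"""
Model of ASA 5505 inter-interface forwarding decisions as discussed in the
thread. Simplification: no access-lists, no stateful return traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Iface:
    name: str                            # nameif
    security_level: int
    no_forward_to: Optional[str] = None  # VLAN named in 'no forward interface', if any


@dataclass
class Asa5505:
    vlans: Dict[str, Iface]
    same_security_inter_interface: bool = False  # 'same-security-traffic permit inter-interface'

    def permitted(self, src_vlan: str, dst_vlan: str) -> Tuple[bool, str]:
        """Decide whether traffic entering on src_vlan may leave on dst_vlan, with the reason."""
        src, dst = self.vlans[src_vlan], self.vlans[dst_vlan]
        if src.no_forward_to == dst_vlan:
            return False, f"{src_vlan} carries 'no forward interface {dst_vlan}'"
        if src.security_level > dst.security_level:
            return True, "higher security level to lower is allowed by default"
        if src.security_level == dst.security_level:
            if self.same_security_inter_interface:
                return True, "same level, permitted by same-security-traffic permit inter-interface"
            return False, "same level, same-security-traffic permit inter-interface not set"
        return False, "lower security level to higher needs an access-list"

    def reachable_from(self, src_vlan: str) -> List[str]:
        """Sorted list of VLANs that src_vlan may initiate traffic to."""
        return sorted(v for v in self.vlans if v != src_vlan and self.permitted(src_vlan, v)[0])


def before_config() -> Asa5505:
    """The remote 5505 as listed in the thread, before any change (VLAN1 restricted from VLAN12)."""
    return Asa5505({
        "Vlan2": Iface("outside", 0),
        "Vlan1": Iface("management", 50, no_forward_to="Vlan12"),
        "Vlan12": Iface("inside", 100),
    })


def after_config() -> Asa5505:
    """After the three commands in the post: VLAN1 at level 100, restricted from VLAN2
    instead of VLAN12, and same-security traffic permitted."""
    asa = before_config()
    asa.vlans["Vlan1"].security_level = 100       # security-level 100
    asa.vlans["Vlan1"].no_forward_to = "Vlan2"    # no forward interface VLAN2
    asa.same_security_inter_interface = True      # same-security-traffic permit inter-interface
    return asa


if __name__ == "__main__":
    for label, asa in (("before", before_config()), ("after", after_config())):
        for src, dst in (("Vlan1", "Vlan12"), ("Vlan12", "Vlan1"), ("Vlan1", "Vlan2")):
            ok, why = asa.permitted(src, dst)
            print(f"{label}: {src} -> {dst}: {'allow' if ok else 'deny'} ({why})")
```

Before the change VLAN1 can only initiate traffic towards VLAN2 (the old internet path); afterwards it can only initiate towards VLAN12, which is exactly the swap the post describes, and the now-unused outside VLAN is the one cut off.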


Hi Mitchell,

Yes, this helps a lot.

I had to re-read your post to understand what you are saying, but I got it now. My thought was to reconfigure the "outside" interface, but your suggestion is to reconfigure the "management" interface instead. Two different ways to achieve the same result.

I am nowhere near being an expert, but I think I am slowly starting to wrap my head around these devices and I am becoming slightly more comfortable with the CLI. Now if I just knew the commands and how to use them better I wouldn't feel as lost.

Thanks very much for the help.

Michael

Mitchell Dyer, Level 1

Glad you've got your head around it.

Please rate if it was helpful so people know there is a solution in the topic somewhere.

Hi Mitchell...

Ok.. I am stuck now... I configured both devices, but I cannot get traffic to pass over the link. I have verified that the WAN link is working because I can manage the 5510 from the remote location. When I connect the 5505 to the link, I can ping the 5510 from inside the 5505. But that is all I can do.

The WAN interface on the 5510 side is named Mabton

The WAN interface on the 5505 side is named MountVernon

I configured the 5510 with:

# route Mabton 10.3.0.0 255.255.0.0 172.30.0.2

I configured the 5505 with:

# route MountVernon 0.0.0.0 0.0.0.0 172.30.0.1

I tried some variables but nothing seems to work. I can paste my running config for you if you'd like.

I am hoping you are available since I am at the remote location and stuck.

Thanks,

Michael
