I want to practise creating a site-to-site VPN at home, possible?
I have a Cisco 2620 and 1721 with a crypto IOS and a Cisco 2950 switch and a Cisco PIX 515 with 3DES.
Could I create a VPN between 2 routers? I guess I would need to use the switch with its VLANs somehow.
I would also like to set up a router to the PIX after, I just can't work out how I can set this up as I believe I will need to use a VLAN to work as the internet?
With your current equipment - yes you can do this.
VLANs are important in this setup, also more than one LAN interface on the routers, otherwise you will have to use loopback interfaces.
I will have to use loopbacks as both routers only have 1 FE each, what would the loopback be used for?
For both scenarios would I need just the one VLAN on the switch and put the FE of each router in, and for the other scenario one FE of the router and one of the PIX?
Just wondered how you would set this up? I will go away and set this up then.
Create 3 vlans:- Internet, SiteA & SiteB
Have 3 IP addressing subnets, one for each.
The switch would have no SVIs
Create loopback interfaces on both routers (they are the inside)
Assign internal IP subnets to the loopbacks.
Assign the external IP subnet to the physical interfaces (they are the outside)
Then to bring the VPN up - use an extended ping from loopback to loopback, this will work if the rest is set up OK.
For now leave the PIX out of it, once you get the above working - then you can add the PIX, as this changes the topology quite a bit.
This is most useful. I am trying to draw this before I start, unfortunately I don't have any software to do this, so pen and paper.
I'm a bit confused with the 3 VLANs.
Router 1 requirements:
Loopback (inside) - 192.168.1.1/24
FE (outside) - 10.10.10.1/24
Add to VLAN 1 on switch
Router 2 requirements:
Loopback (inside) - 192.168.2.1/24
FE (outside) - 10.10.11.1/24
Add to VLAN 2 on switch
VLAN 3 - Internet
How can I get the 3 VLANs to work as the internet? I have a L2 switch (2950), but also a L3 switch (3550), will I be routing the VLANs?
For the current setup - the internet vlan is all you need.
The other 2 VLANs can come into play with the PIX and the 35xx - when you have the above running.
Just put the FE of the 2 routers into the Internet VLAN. They will simulate the "Internet"; the 2 loopbacks will simulate the 2 LANs of the remote sites.
Nice and simple - 2 routers, 1 switch - nice topology to start with.
Thanks Andrew, I guess the 2 FEs of the 2 routers that are in the "internet" VLAN will have to have similar IPs in the same "subnet" to talk to each other so that the routing works?
No - as you are running a test lab consider:-
Class A ip addressing
And a default gateway out of the FE interfaces
LAB - TEST - DEBUG!
So for the FE's on each router I should use a class A IP?
I'm not sure I understand the rest. Each router into the same "internet" VLAN, then they must be using a similar IP range to ping each other I guess, before I add the cryptos etc.
Unless you are suggesting I can route within the single "internet" VLAN to 2 completely different IP peer addresses and use some static routes?
Yes - something like:-
rt1 - 188.8.131.52 255.0.0.0
rt2 - 184.108.40.206 255.0.0.0
Yes - that's why you configure classless routing, with a default gateway. I could go into a deep and long explanation of both, but for this lab you just need to configure on both routers:-
ip route 0.0.0.0 0.0.0.0 interface FE
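A full configuration for one router that follows the recipe above (loopback as the inside, FE as the outside in the shared Internet VLAN, default route out of the FE, IPsec only between the two loopbacks). This is an added example, not configuration posted in the thread; the crypto map, transform-set and ACL names, the interface names (assuming the 2620 is rt1 and the 1721 is rt2) and the pre-shared key placeholder are assumptions.

```cisco
! Router 1 (rt1): assumed to be the 2620 in the thread's lab.  Example
! config added here; it is not from the thread.  Router 2 mirrors it
! with the loopback/peer/ACL values swapped (see the trailing comment).
! Assumed names: LABMAP, LABSET, ACL 101; the pre-shared key is a
! placeholder.  3DES/SHA-1/DH group 2 match the thread's gear only;
! use AES and SHA-2 with a stronger group wherever the IOS allows it.
ip classless
!
interface Loopback0
 description inside LAN of site A
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 description outside - shared "Internet" VLAN on the 2950
 ip address 188.8.131.52 255.0.0.0
 crypto map LABMAP
 no shutdown
!
! Default route pointing at the interface: the router ARPs for the
! peer directly, so rt1 and rt2 reach each other in one VLAN even
! though their /8 addresses are in different subnets.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! Phase 1 (ISAKMP)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_LAB_KEY address 184.108.40.206
!
! Phase 2 (IPsec) - only loopback-to-loopback traffic is encrypted
crypto ipsec transform-set LABSET esp-3des esp-sha-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map LABMAP 10 ipsec-isakmp
 set peer 184.108.40.206
 set transform-set LABSET
 match address 101
!
! Router 2 (rt2, the 1721): Loopback0 192.168.2.1/24, FastEthernet0
! 184.108.40.206/8, isakmp key/peer 188.8.131.52, and ACL 101 permits
! 192.168.2.0 -> 192.168.1.0.
!
! Verification from rt1 (the extended ping brings the tunnel up):
!   ping 192.168.2.1 source 192.168.1.1
!   show crypto isakmp sa      (expect state QM_IDLE)
!   show crypto ipsec sa       (pkts encaps/decaps counters rising)
```

The first ping or two usually time out while ISAKMP negotiates; if the SA never reaches QM_IDLE, check that the ACL, peer address and key are mirrored exactly on both routers.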
Andrew that's great, it makes sense.
Add the route to the FE's for the outbound traffic.
The only other part is the VLAN itself. I have a L2 and L3 switch that I can use here.
I see the 2 IP addresses for the FEs are on different subnets but in the same VLAN, so the L3 switch will be needed? If so how would this be done?
In my head I was thinking more of 2 VLANs for each router and route between the 2, but if there is an easier way then :)
You can use the L3 switch if you want to - but for this simple lab I don't see the need to be honest.
The VLAN is layer 2 - so the IP addresses that the routers use will never leave the VLAN will they? As the L2 switch does not have a L3 interface - it just works on L2, effectively a closed VLAN.
If your routers only have 1 FE interface - how are they going to route to each other if they are in separate VLANs? For that topology you would need to use the L3 switch, as the L3 switch would have a L3 interface in both VLANs. Do not forget, to have inter-VLAN routing you NEED a layer 3 routing device.
I see, I couldn't get round in my head that 2 IPs for the FE were on different subnets in the same VLAN so wondered how they would then ping each other, so I assumed some sort of routing would be needed.
For a simple lab, you can do something like this:
ip address 192.168.1.1 255.255.255.0
ip address 10.0.0.1 255.255.255.0 secondary
ip address 172.16.1.1 255.255.255.0 secondary
That way, you can connect the router to a hub, host A on network 192.168.1.0/24, host B on network 10.0.0.0/24 and host C on network 172.16.1.0/24, and they can ping each other because of the secondary addresses on the router. No need for a VLAN.
People use secondary IP addresses every day in a production environment. You see this a lot on Nokia IP appliances running Checkpoint. I use secondary IPs for a lot of customers.
What I am trying to say is that you can use just one interface on the router with multiple secondary IP addresses to simulate an Internet.