Hoping someone can help me. We just received a new T1 line into our office with an IAD 2431 from the ISP. The 2431 has only one LAN port.
We have two offices in our building with separate networks. Primary network (same location as the 2431) is using an SMC VPN/Router and separate SMC Switch. Router is direct to the 2431 at the moment.
The second office is using a small router to support 6 users and connect to an ISDN line.
We would like to share the T1 internet access with the second office and keep the router they are using at their location. We need their network to be completely separate (secure) from the primary network but have access to the internet over the T1.
What is the best way to accomplish this? There is an IAD2432 with two LAN ports, but our ISP does not supply these. Also, is there a way to limit or prioritize the bandwidth giving preference to the primary office?
Of course we are looking for the least expensive solution. :)
I believe that the 2431 supports 802.1q encapsulation on the fastethernet port. Therefore, what you can do is connect the second office to the switch at your primary location. Then, configure the switch so that the connections to the primary network and those to the secondary network are on separate VLANs on the switch. For example, use VLAN 100 for all connections to the primary site devices and use VLAN 200 for all connections to the secondary site devices.
Then, configure your IAD as such:
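! fastethernet sub-interface for VLAN 100 (primary site); set the encapsulation before the IP address
encapsulation dot1q 100
ip address x.x.x.x ....
! fastethernet sub-interface for VLAN 200 (secondary site)
encapsulation dot1q 200
ip address x.x.x.x ....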
You will have to configure routes on the 2431 that point to the two networks....
So I messed around with our switch and it seems setting up the VLAN on the switch is pretty straightforward. I like the QoS selection too - I can give the primary office network priority. So far so good.
This puts both networks behind the same firewall/router. I need to offer some level of security between the two networks. I don't deem the secondary network as a major security risk but the primary network has requirements for classified documents.
If I understand correctly, I can configure the IAD for the two VLANs as well? What significance does this have?
The config I supplied in my first post is what configures the IAD for the 2 VLANs. You need to do this in order to get the traffic separation you want.
Now, in order to provide the security that you require, I would configure inbound access-lists on both of the fastethernet sub-interfaces on the IAD. Configure the ACLs so that they prohibit traffic from each segment from entering the other segment.
I see a slight problem with the solution so far. I did not realise that you had a firewall between the IAD and the switch. That is going to mean that you cannot extend the VLANs out to the IAD. However, that does not mean that all is lost. You have to verify whether the SMC Firewall (which I am not familiar with) is capable of terminating dot1q trunks. If that is the case, you can simply move the functionality we were hoping to configure on the IAD to the SMC.
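An added example, not part of the original thread: a small offline check of the inbound access-lists suggested above, using first-match evaluation with wildcard masks and the implicit deny at the end of every list. The subnets, the ACL names VLAN100-IN and VLAN200-IN, and the helper functions are assumptions made for illustration; the entries are written in IOS extended ACL syntax.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread):
#   VLAN 100, primary office = 192.168.100.0/24
#   VLAN 200, second office  = 192.168.200.0/24
# Each list would be applied inbound on the matching sub-interface.
ACLS = {
    "VLAN100-IN": """
        deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
        permit ip 192.168.100.0 0.0.0.255 any
    """,
    "VLAN200-IN": """
        deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
        permit ip 192.168.200.0 0.0.0.255 any
    """,
}

def _matcher(tokens):
    """Consume 'any' or '<address> <wildcard>' and return a predicate on an IP."""
    first = tokens.pop(0)
    if first == "any":
        return lambda ip: True
    base = int(ipaddress.IPv4Address(first))
    # Wildcard mask: 1-bits are "don't care", so invert it to get the bits compared.
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, src, dst) rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line.strip()}")
        src = _matcher(tokens)
        dst = _matcher(tokens)
        rules.append((action, src, dst))
    return rules

def evaluate(acl_name, src_ip, dst_ip):
    """First matching entry wins; a packet matching no entry is denied."""
    for action, src, dst in parse_acl(ACLS[acl_name]):
        if src(src_ip) and dst(dst_ip):
            return action
    return "deny"  # implicit deny at the end of every list

if __name__ == "__main__":
    for acl, s, d in [("VLAN100-IN", "192.168.100.10", "192.168.200.20"),
                      ("VLAN200-IN", "192.168.200.20", "192.168.100.10"),
                      ("VLAN200-IN", "192.168.200.20", "203.0.113.5")]:
        print(f"{acl}: {s} -> {d}: {evaluate(acl, s, d)}")
```

The deny entry has to sit above the permit in each list; with the order reversed, the permit to "any" would match first and the two offices could reach each other.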