I've been asked to set one of our satellite offices up with a couple of VoIP phones, a couple of WAPs and a few control devices and PCs. I only just passed ROUTE so am still quite new to this.
I am hoping to use a DSL line and a suitable Cisco 800 series router with maybe a 3750 if we need extra ports. My intention is to set this up as a VPN client back to our 6500.
My problem is that on campus we tend to use set VLANs for voice and wifi, and if, say, three of these could be trunked to the remote site that would save us a lot of trouble. We're a university so we use eduroam for wifi and would not want to set this site up just to give access to the internet directly via the DSL line; the phones ideally and control devices especially need IP addresses from a preset private range.
We would normally be inclined to use dark fibre or a dedicated line, but are hoping to save some cash by going with dsl.
Can you suggest: i] is this doable? ii] is it desirable, or at least will it not kill our network? iii] can you think of a better or cheaper alternative that does not require a dedicated line?
If you can point me in the direction of any Cisco docs for the implementation I would be most grateful.
If I understand you correctly, you want to continue your VLANs from the campus to the satellite office. Regardless of whether you use an IPSec VPN or an MPLS solution, you will have a problem with routing.
If one of your VLANs is 10.10.10.0/24 at the Campus, and you want to use that at the Satellite office as well, how does your network know where 10.10.10.0/24 is? It is in two locations separated by a WAN link. For a VPN, you have to specify source and destination traffic to match for encryption. Your crypto-map would look like this: match traffic source 10.10.10.0/24 destination 10.10.10.0/24. This will not work.
You could subnet 10.10.10.0/24 into smaller networks, say 10.10.10.0/25 and 10.10.10.128/25, and assign them to each location. Although this will work, it is not ideal and should be avoided if possible.
What you need to do is create 3 new subnets for the Satellite office and assign them to the appropriate VLANs. Add routes to your network to advertise the new subnets, and add routes at the Satellite office for the Campus networks.
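The addressing check described in the reply above, as an added example that is not part of the original thread: it flags overlapping VPN traffic selectors, shows the /25 split, picks unused subnets for the satellite VLANs and emits the matching crypto ACL entries. The function names, the campus VLAN list beyond 10.10.10.0/24 and the 10.10.0.0/16 pool are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: only 10.10.10.0/24 comes from the thread.
CAMPUS_VLANS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"]
POOL = "10.10.0.0/16"  # assumed private block to allocate from

def overlapping_selectors(local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges overlap."""
    conflicts = []
    for loc in map(ipaddress.ip_network, local_nets):
        for rem in map(ipaddress.ip_network, remote_nets):
            if loc.overlaps(rem):
                conflicts.append((str(loc), str(rem)))
    return conflicts

def split_between_sites(net):
    """Halve one subnet, e.g. a /24 into two /25s (works, but not ideal)."""
    return [str(s) for s in ipaddress.ip_network(net).subnets(prefixlen_diff=1)]

def allocate_new_subnets(pool, in_use, count, new_prefix=24):
    """Pick `count` subnets from `pool` that overlap nothing in `in_use`."""
    used = [ipaddress.ip_network(n) for n in in_use]
    free = []
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(cand.overlaps(u) for u in used):
            free.append(str(cand))
            if len(free) == count:
                return free
    raise ValueError("not enough free subnets in pool")

def crypto_acl_lines(local_nets, remote_nets):
    """Build IOS extended-ACL entries (wildcard masks) for the VPN match."""
    conflicts = overlapping_selectors(local_nets, remote_nets)
    if conflicts:
        # Same range on both sides of the tunnel: routing cannot tell them apart.
        raise ValueError(f"overlapping selectors: {conflicts}")
    lines = []
    for loc in map(ipaddress.ip_network, local_nets):
        for rem in map(ipaddress.ip_network, remote_nets):
            lines.append(f"permit ip {loc.network_address} {loc.hostmask} "
                         f"{rem.network_address} {rem.hostmask}")
    return lines

if __name__ == "__main__":
    print(overlapping_selectors(["10.10.10.0/24"], ["10.10.10.0/24"]))
    print(split_between_sites("10.10.10.0/24"))
    satellite = allocate_new_subnets(POOL, CAMPUS_VLANS, 3)
    print("\n".join(crypto_acl_lines(satellite, CAMPUS_VLANS)))
```
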
I am going to have to think about this a bit more.... The Control devices especially want to be in a particular network range and, as far as I know, won't work if they are not. I'm wondering if it is worth trying to forward some ports with some multihomed Linux boxes and IPtables. Or will NAT do the job?
The phones, as I understand it, are capable of connection to the VPN themselves, so this might be a better option, assuming a DSL line will cut the mustard QoS-wise.
Then there is the Wifi. Around campus we use Cisco Aironet 1140 as thin clients. I have just read:
The Cisco Aironet 1140 Series is a component of the Cisco Unified Wireless Network, which can scale up to 18,000 access points with full Layer 3 mobility across central or remote locations on the enterprise campus, in branch offices, and at remote sites.
Not had much to do with this before. On campus, we just plug them in and they start to work, but if they can work at a remote location and contact our controller & RADIUS servers directly then this should be OK, but I guess that's another thread...
You need to answer approximately 2 million questions before a final answer can be given. But the first and probably most important one is: what type of bandwidth are you planning for on this link? Because unless it's pretty low, an 800 series router isn't going to cut it. Look on the Cisco site for the portable products data sheet, divide those numbers by four, then pick a generally more suitable router, which I'm going to guess will be no less than a 2911.
One solution could be to use a GRE tunnel to encapsulate L2 packets (I tested GRE to encapsulate L3, not L2).
The idea is to use 2 features:
- GRE tunneling
- IRB (Integrated Routing and Bridging), which permits using 2 router interfaces as a bridge.
Configuration elements on the remote router:
- 1 physical Ethernet interface for each VLAN
- 3 classical GRE tunnels up to the C6500 (or more probably the access router)
- 3 bridge-groups, each bridge-group associated with one tunnel
The idea is that each packet of each VLAN on the remote network is forwarded in a dedicated GRE tunnel.
On the main site, the GRE tunnels deliver packets into the right VLAN.
Not sure it will work exactly this way, but I am quite sure the direction is the right one.
Another solution is L2VPN, using MPLS (so it is necessary to have the LDP feature available on both sides), which I think is even simpler to implement (the idea is to create a tunnel between 2 physical interfaces configured in the same way).