06-06-2006 10:33 PM - edited 03-03-2019 03:32 AM
I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
Here is my current hardware configuration:
1) one PIX 501 50-user 3DES.
2) two Dell 3024
3) one Aironet 1100(g) AP.
Current LAN Network: 10.35.35.0
(internal employees only, static VPN tunneled to remote HQ network)
Current Wireless SSIDs:
SSID1=PRIVATESSID
SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
Current WAN: one T1 connection.
WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
#1a) I want to create two separate VLANs that are able to share the WAN connection, but not be able to "see" each other.
#1b) These VLANs would be mapped to their respective SSIDs on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
#1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
#2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem connection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
Question 1:
I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WICs or NMs would I need?
Question Two:
I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
Question Three:
If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
Any help you can provide would be very much appreciated.
06-07-2006 06:03 AM
Assuming your access points can place SSIDs into separate VLANs and support 802.1q trunks then I can attempt to answer your questions. There are separate security issues with both SSID for protection and VLANs for separation but in your case it may be minimal.
q1
Any Cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610s will support 802.1q on their 10M Ethernet at the correct code level but 10M and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A WIC-2A/S will also work if you prefer not to use the modem port. You will need some WIC to run your T1 line. If you are planning to leave the T1 on another router it makes the next 2 questions much harder.
q2
This is fairly simple and depends on your IOS level. "Priority queuing" is supported on even the older software. I assume you do not control the far end of the T1 line since it sounds as if this goes to an ISP.
You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
q3
If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the T1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the T1 on the same router. If it's not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and monitor the tunnel or run a routing protocol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support IOS 12.4.
3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the T1 not on the same router easier.
06-07-2006 09:12 AM
q1: I looked up the IOS versions available for a 2621 router. Versions 12.3 and 12.4 only show "ipbase" or others. I didn't see an IP PLUS. Am I missing something?
q2: There is no externally originating traffic going to VLAN2. It's basically for patrons of the bar to surf the Internet, so traffic would originate from the inside. If I can QoS the VLAN2 traffic going out, wouldn't it likely limit the inbound traffic to that VLAN2 anyway?
q3: The T1 is on a separate ISP-provided AdTran router. I cannot plug the T1 straight into our router because it is a dynamic voice/data T1.
Does it help if we know if the T1 is up because we can ping across the VPN tunnel to headquarters? If we cannot ping HQ we know the T1 is down (and vice-versa for us monitoring the branch office).
Can we not simply get a cable modem as a backup and plug into the router (possibly a 2621) since it has two 10/100FE ports?
06-07-2006 10:07 AM
q1: ipbase does include 802.1q but there are issues with the size. I don't think there are images for 12.3t or 12.4 for anything but 2600xm routers. You can load an xm image to a normal 2600 if it fits but Cisco will not support it.
q2: I wish it was possible. For example a user could open a web page that says GET BIG PICTURE1 GET BIG PICTURE2 and then receives 2 files 1meg each. He only sent a tiny amount of data to get it. He of course would be sending ACK packets to get the big pictures but even those are 64 bytes and once the sliding window got to 32k he could send 1 ACK for every 32k of data.
q3: This is a link that describes almost exactly what you want to do. It is a fairly complex configuration.
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
I really like this feature but I have to remind myself simple is better.
I have not been able to find an IOS image that will run on a 2600 that has this feature. It may be an issue with the software advisor. It is called
PBR For Multiple Track
If you are willing to buy a new router the 1811 or a 2811 has all this stuff.
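A constructed configuration, not from any poster in this thread, that puts the pieces discussed above together on one router: the 802.1Q sub-interfaces from q1, the guest isolation from 1a/1c, the floating static default route with a tracked primary from q3, and keeping guest traffic off the backup link from Question Three. It assumes the router is the gateway for both VLANs, the AdTran T1 router is reachable at 10.35.35.254, the cable modem gateway is 203.0.113.1, HQ's LAN is 172.16.0.0/16, and the ISP gives a far-end address 198.51.100.1 that is reachable only across the T1; all of these are placeholders. The tracking commands use 12.4 mainline syntax (`ip sla monitor`, `track ... rtr`), which the replies say the 2600 may not have.

```cisco
! Constructed example; every address below is a placeholder.
! Two VLAN sub-interfaces on the 802.1Q trunk to the switch/AP.
interface FastEthernet0/0.10
 description PRIVATESSID / employees (10.35.35.0)
 encapsulation dot1Q 10
 ip address 10.35.35.1 255.255.255.0
!
interface FastEthernet0/0.20
 description PUBLICSSID / bar patrons (192.168.1.0)
 encapsulation dot1Q 20
 ip address 192.168.1.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Guest VLAN reaches the Internet only: deny the private LAN and the HQ
! subnet (so guest packets never even reach the VPN tunnel), permit the rest.
ip access-list extended GUEST-IN
 deny   ip 192.168.1.0 0.0.0.255 10.35.35.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Question Three: guest traffic must never leave over the backup link,
! so filter it outbound on the cable modem interface.
ip access-list extended NO-GUEST-ON-BACKUP
 deny   ip 192.168.1.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/1
 description cable modem backup
 ip address 203.0.113.2 255.255.255.0
 ip access-group NO-GUEST-ON-BACKUP out
!
! Probe a far-end address across the T1 every 10 s; the tracked default
! route is withdrawn when the probe fails, which also covers the
! "line up but no traffic passing" case mentioned above.
ip sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1
 timeout 1000
 frequency 10
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Pin the probe target to the T1 path so the probe cannot be answered
! over the cable modem once the primary route has been withdrawn.
ip route 198.51.100.1 255.255.255.255 10.35.35.254
! Primary default via the AdTran, removed when track 1 goes down;
! floating static (AD 250) via the cable modem takes over.
ip route 0.0.0.0 0.0.0.0 10.35.35.254 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
```

Without the host route for the probe target, the probe would succeed over the cable modem after failover, re-install the primary route, fail again over the T1, and the default route would flap.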