
Newbie question

ayosizzle
Level 1

Olla,

I would require clarification on the issues listed below:

1. Is it possible, when connecting sites together (let's say theoretically 5), to separate the connection to the internet from WAN connectivity? What I mean here is: can some sites be connected to the internet and still have the capacity to send information to other sites, while other sites do not have internet access but can still replicate information to other sites? Please explain with reasons.

2. Is the WAN without the VPN a bunch of LANs connected together that can't send information, and how is the process of sending information established without the VPN? Kindly list the process, please.

3. What is the difference between WAN and MPLS VPN? Does WAN just mean connecting sites via the serial port on your router using the ISP, with MPLS VPN configured on this link to ensure security?

Any further clarification or explanations would be highly appreciated.

Best Regards,

DJ.


11 Replies

cadet alain
VIP Alumni

Hi,

WAN = Wide Area Network, so usually this means you have connectivity between sites that are geographically far enough apart to be categorized as this, and not as a MAN (Metropolitan Area Network) or LAN (Local Area Network).

So this is a matter of distance, but a LAN is often self-administered whereas the WAN is dependent on a third party, which is the ISP. Now the ISP may implement this with you in a bunch of ways: L2 Frame Relay, L2 PPP leased lines, xDSL, cable, L3 MPLS VPN, to name a few.

To communicate between your LANs you can either use an IPsec VPN or a GRE tunnel or any other tunneling method over your xDSL or cable connection.

But you can also decide to get a Frame Relay circuit or a leased line or an MPLS VPN. It all depends on your needs, your infrastructure, etc.

Regards.

Alain

Don't forget to rate helpful posts.

Thanks Alain. So would I be right to say that without all these protocols (MPLS VPN, PPP, Frame Relay) data transmission cannot occur in a WAN? The WAN here would consist of some serial cables connected to the serial ports of my router at both ends, with my router further connected to my ISP?

On Wed, Nov 23, 2011 at 1:42 PM, cadetalain <

Hi,

Without any layer 2/layer 3 protocols you can't communicate over any physical layer.

And yes, basically on your router you could consider this your WAN interface, but it is not mandatory to use serial interfaces.

Regards.

Alain

Don't forget to rate helpful posts.

Thanks Alain. Another question; I would use a scenario to explain my question:

If there exists WAN connectivity between a head office and, say, 6 branches, internet access is only at the head office, and I want 3 of the 6 branches on my WAN to have internet access and all the branches to be able to send data to the central database at the head office, would configuration of ACLs be my best bet to prevent internet access at the other 3 branches, or is there another way to go about it?

Regards,

DJ

On Wed, Nov 23, 2011 at 3:49 PM, cadetalain <

Hi,

So all routers are connected to an ISP through xDSL or cable? Or are the branches connected to the CO via an L2 or L3 VPN?

Regards.

Alain

Don't forget to rate helpful posts.

The branches are connected to the CO via MPLS VPN.

On Wed, Nov 23, 2011 at 5:23 PM, cadetalain <

Hi,

I've never implemented such a config, so I can't help you.

Regards.

Alain

Don't forget to rate helpful posts.

Thanks Alain, you have been of immense help anyways!

On Wed, Nov 23, 2011 at 8:10 PM, cadetalain <

dj sizzle wrote:

Thanks Alain. Another question; I would use a scenario to explain my question:

If there exists WAN connectivity between a head office and, say, 6 branches, internet access is only at the head office, and I want 3 of the 6 branches on my WAN to have internet access and all the branches to be able to send data to the central database at the head office, would configuration of ACLs be my best bet to prevent internet access at the other 3 branches, or is there another way to go about it?

Regards,

DJ

On Wed, Nov 23, 2011 at 3:49 PM, cadetalain <

Assuming your remote branches have separate IP subnets, just put an ACL on your outbound (internet-facing) interface on whichever device connects to the internet, allowing only the subnets from the branches you want and denying everything else.

So, if you've got 6 branches with the following subnets:

10.10.1.0/24
10.10.2.0/24
10.10.3.0/24
10.10.4.0/24
10.10.5.0/24
10.10.6.0/24

And your head office with 10.10.0.0/24

And you want branch offices 2, 3 & 5 to be allowed internet access, apply an ACL which reads something like:

allow 10.10.0.0/24
allow 10.10.2.0/24
allow 10.10.3.0/24
allow 10.10.5.0/24
deny any

You don't specify what devices you use at your internet edge, so it's difficult to be more specific, but something like that should work.

Cheers.
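The egress ACL sketched above, written out as Cisco IOS configuration. This is an added example, not configuration posted in the thread; it assumes an IOS router at the head office, the subnets listed above, and an Internet uplink on GigabitEthernet0/0 (a hypothetical interface name). Branch traffic bound for the head-office database leaves by a different interface, so this list never touches it; the same single-list placement is the one recommended further down the thread.

```cisco
! Constructed example: head-office Internet egress filter.
! Branches 2, 3 and 5 (and the head office itself) may reach the Internet;
! branches 1, 4 and 6 are dropped and logged at the egress point only.
ip access-list extended INTERNET-EGRESS
 remark -- head office LAN --
 permit ip 10.10.0.0 0.0.0.255 any
 remark -- branches allowed out; add one line per newly permitted branch --
 permit ip 10.10.2.0 0.0.0.255 any
 permit ip 10.10.3.0 0.0.0.255 any
 permit ip 10.10.5.0 0.0.0.255 any
 remark -- everything else: branches 1, 4, 6 and any unexpected source --
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink (hypothetical interface name)
 ip access-group INTERNET-EGRESS out
```

If this same router also performs NAT towards the Internet, IOS applies the inside-to-outside translation before the outbound ACL check, so the branch source addresses would already be rewritten when the list is evaluated; in that case reference the same permitted subnets in the ACL used by the NAT rule instead, so that only those branches are ever translated.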

Thanks a lot, but I was thinking, wouldn't it be best to apply the ACL on the routers at the branches rather than at the head office? This is just a proposed design, as the network is just being built up, so I am looking at all scenarios and issues that might crop up.

Regards,

DJ

On Thu, Nov 24, 2011 at 4:38 AM, darren.g <

dj sizzle wrote:

Thanks a lot, but I was thinking, wouldn't it be best to apply the ACL on the routers at the branches rather than at the head office? This is just a proposed design, as the network is just being built up, so I am looking at all scenarios and issues that might crop up.

Regards,

DJ

On Thu, Nov 24, 2011 at 4:38 AM, darren.g <

You could do it at the head office, but the list would have to be much more complex in each case - you'd have to specifically designate which networks you want to ALLOW the branch offices to contact (since "the internet" is a pretty broad range of addresses) and then block everything else - whereas if you apply it at the head office on the egress point to the internet you just have to specify which networks you want to allow out to anywhere - and forget anything else.

So, at each branch office, based on the addressing I said above, you'd have to implement something like this

Office 1
Allow connect to head office
Allow connect to office 2
Allow connect to office 3
Allow connect to office 4
Allow connect to office 5
Allow connect to office 6
Deny connect all

Office 2
Allow connect all

Office 3
Allow connect all

Office 4
Allow connect to head office
Allow connect to office 1
Allow connect to office 2
Allow connect to office 3
Allow connect to office 5
Allow connect to office 6
Deny connect all

Office 5
Allow connect all

Office 6
Allow connect to head office
Allow connect to office 1
Allow connect to office 2
Allow connect to office 3
Allow connect to office 4
Allow connect to office 5
Deny connect all

And every time you added another branch or subnet, you'd have to modify every one of those lists.

If you apply restrictions to the egress port to the Internet at head office, you only need

Allow head office
Allow office 2 out
Allow office 3 out
Allow office 5 out
Deny all

Then you don't have to touch this unless you add another office/subnet you want to allow out - but even if you do, you've only got to edit ONE access list, not all the others at the branch offices.

Anyways, you could do it either way - just depends how much work and maintenance you want to have to put up with.

Cheers.

Please mark questions answered if you're satisfied.
