11-23-2011 03:13 AM - edited 03-04-2019 02:22 PM
Hello,
I would require clarification on the issues listed below:
1. When connecting sites together, let's say theoretically 5, is it possible to separate the connection to the internet from the WAN connectivity? What I mean here is: can some sites be connected to the internet and still have the capacity to send information to other sites, while other sites do not have internet access but can still replicate information to other sites? Please explain with reasons.
2. Is the WAN without the VPN a bunch of LANs connected together that can't send information, and how is the process of sending information established without the VPN? Kindly list the process, please.
3. What is the difference between WAN and MPLS VPN? Does WAN just mean connecting sites via the serial port on your router using the ISP, with MPLS VPN configured on this link to ensure security?
Any further clarification or explanations would be highly appreciated.
Best Regards,
DJ.
11-23-2011 07:37 PM
dj sizzle wrote:
Thanks Alain. Another question; I would use a scenario to explain my question:
If there exists WAN connectivity between a head office and say 6 branches, internet access is only at the head office and I want 3 of the 6 branches on my WAN to have internet access and for all the branches to be able to send data to the central database at the head office, would configuration of ACLs be my best bet to prevent internet access at these other 3 branches, or is there another way to go about it?
Regards,
DJ
Assuming your remote branches have separate IP subnets, just put an ACL on your outbound (internet facing) interface on whichever device connects to the internet allowing only the subnets from the branches you want and denying everything else.
So, if you've got 6 branches with the following subnets
10.10.1.0/24
10.10.2.0/24
10.10.3.0/24
10.10.4.0/24
10.10.5.0/24
10.10.6.0/24
And your head office with 10.10.0.0/24
And you want branch office 2, 3 & 5 to be allowed internet access, apply an ACL which reads something like
allow 10.10.0.0/24
allow 10.10.2.0/24
allow 10.10.3.0/24
allow 10.10.5.0/24
deny any
You don't specify what devices you use at your internet edge, so it's difficult to be more specific, but something like that should work.
Cheers.
11-24-2011 03:04 PM
dj sizzle wrote:
Thanks a lot, but I was thinking wouldn't it be best to apply the ACL on the routers at the branches rather than at the head office? This is just a proposed design, as the network is just being built up, so I am looking at all scenarios and issues that might crop up.
Regards,
DJ
You could do it at the head office, but the list would have to be much more complex in each case - you'd have to specifically designate which networks you want to ALLOW the branch offices to contact (since "the internet" is a pretty broad range of addresses) and then block everything else - whereas if you apply it at the head office on the egress point to the internet you just have to specify which networks you want to allow out to anywhere - and forget anything else.
So, at each branch office, based on the addressing I said above, you'd have to implement something like this
Office 1
Allow connect to head office
Allow connect to office 2
Allow connect to office 3
Allow connect to office 4
Allow connect to office 5
Allow connect to office 6
Deny connect all
Office 2
Allow connect all
Office 3
Allow connect all
Office 4
Allow connect to head office
Allow connect to office 1
Allow connect to office 2
Allow connect to office 3
Allow connect to office 5
Allow connect to office 6
Deny connect all
Office 5
Allow connect all
Office 6
Allow connect to head office
Allow connect to office 1
Allow connect to office 2
Allow connect to office 3
Allow connect to office 4
Allow connect to office 5
Deny connect all
And every time you added another branch or subnet, you'd have to modify every one of those lists.
If you apply restrictions to the egress port to the Internet at head office, you only need
Allow head office
Allow office 2 out
Allow office 3 out
Allow office 5 out
Deny all
Then you don't have to touch this unless you add another office/subnet you want to allow out - but even if you do, you've only got to edit ONE access list, not all the others at the branch offices.
Anyways, you could do it either way - just depends how much work and maintenance you want to have to put up with.
Cheers.
Please mark questions answered if you're satisfied.
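The egress policy from darren.g's two replies above (the source-subnet ACL for branches 2, 3 and 5, and the argument for keeping that list at the single head-office egress point instead of on every branch router), written out as a Cisco IOS-style configuration for the head-office edge router. This is an added example, not configuration posted in the thread; the interface names, link addresses, ACL names, and the assumption that this same router performs NAT for internet access and that branch internet-bound traffic is routed to the head office over the MPLS VPN are mine.

```cisco
! Added example, not from the thread. Head-office internet edge router, using
! the addressing darren.g proposed: head office 10.10.0.0/24, branches
! 10.10.1.0/24 - 10.10.6.0/24, internet access for head office and branches
! 2, 3 and 5 only. Interface names, link addresses, ACL names and the use of
! this router for NAT are assumptions.
!
! Policy: every site may talk to every other site (including every branch to
! the central database at the head office); only the head office and branches
! 2, 3 and 5 may leave for the internet. The filter is applied INBOUND on the
! interface facing the MPLS VPN: on IOS an outbound ACL on the ISP interface
! is evaluated after inside-to-outside NAT, so it would see the translated
! public source and the private-subnet entries would never match.
!
ip access-list extended WAN-INBOUND
 remark site-to-site traffic, including branches 1, 4 and 6 to the head office
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark branches allowed out to any other destination (the internet)
 permit ip 10.10.2.0 0.0.0.255 any
 permit ip 10.10.3.0 0.0.0.255 any
 permit ip 10.10.5.0 0.0.0.255 any
 remark branches 1, 4 and 6 fall through here; log to verify the policy
 deny   ip any any log
!
! Second, independent control: only the permitted subnets ever receive a NAT
! translation. A packet that somehow bypasses the inbound filter leaves with
! its private source untranslated, so no reply can return.
ip access-list extended NAT-SOURCES
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.10.2.0 0.0.0.255 any
 permit ip 10.10.3.0 0.0.0.255 any
 permit ip 10.10.5.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet0/0
 description MPLS VPN toward the branches (assumed link addressing)
 ip address 10.10.255.1 255.255.255.252
 ip access-group WAN-INBOUND in
 ip nat inside
!
interface GigabitEthernet0/1
 description head-office LAN 10.10.0.0/24
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description ISP uplink (documentation address, assumed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Adding a seventh branch that should have internet access means adding one permit line to WAN-INBOUND and one to NAT-SOURCES on this router; a branch that should not have it needs nothing at all, which is darren.g's maintenance point. To check the policy, generate internet-bound traffic from a denied branch (say 10.10.4.0/24) and from a permitted one, then look at the hit counters with `show ip access-lists WAN-INBOUND` (the deny line should count the denied branch's packets and nothing else) and at `show ip nat translations` (entries should exist only for 10.10.0.0/24, 10.10.2.0/24, 10.10.3.0/24 and 10.10.5.0/24). Remove the `log` keyword from the deny line once verified if the denied traffic volume is high, since per-packet logging costs CPU.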
11-23-2011 04:41 AM
Hi,
WAN = Wide Area Network, so usually this means you have connectivity between sites that are geographically far enough apart to be categorized as this and not as a MAN (Metropolitan Area Network) or a LAN (Local Area Network).
So this is a matter of distance, but a LAN is often self-administered whereas the WAN is dependent on a third party, which is the ISP. Now the ISP may implement this with you in a bunch of ways: L2 Frame Relay, L2 PPP leased lines, xDSL, cable, L3 MPLS VPN, to name a few.
To communicate between your LANs you can either use an IPsec VPN or a GRE tunnel or any other tunneling method over your xDSL or cable connection.
But you can also decide to get a Frame Relay circuit or a leased line or an MPLS VPN. It all depends on your needs, your infrastructure, etc.
Regards.
Alain
11-23-2011 06:05 AM
Thanks Alain. So would I be right to say that without all these protocols (MPLS VPN, PPP, Frame Relay) data transmission cannot occur in a WAN? The WAN here would consist of some serial cables connected to the serial ports of my router at both ends, with my router further connected to my ISP?
11-23-2011 06:49 AM
Hi,
Without any layer 2/layer 3 protocols you can't communicate over any physical layer.
And yes, basically on your router you could consider this your WAN interface, but it is not mandatory to use serial interfaces.
Regards.
Alain
11-23-2011 07:39 AM
Thanks Alain. Another question; I would use a scenario to explain my question:
If there exists WAN connectivity between a head office and say 6 branches, internet access is only at the head office and I want 3 of the 6 branches on my WAN to have internet access and for all the branches to be able to send data to the central database at the head office, would configuration of ACLs be my best bet to prevent internet access at these other 3 branches, or is there another way to go about it?
Regards,
DJ
11-23-2011 08:23 AM
Hi,
So all routers are connected to an ISP through xDSL or cable? Or are the branches connected to the CO via an L2 or L3 VPN?
Regards.
Alain
11-23-2011 08:32 AM
The branches are connected to the CO via MPLS VPN.
11-23-2011 11:10 AM
Hi,
I've never implemented such a config so I can't help you.
Regards.
Alain
11-23-2011 11:44 PM
Thanks Alain, you have been of immense help anyways!
11-23-2011 11:44 PM
Thanks a lot, but I was thinking wouldn't it be best to apply the ACL on the routers at the branches rather than at the head office? This is just a proposed design, as the network is just being built up, so I am looking at all scenarios and issues that might crop up.
Regards,
DJ