Setting up a cisco router behind a broadband modem

Areyouserious
Level 1

Hello everyone, I'm trying to set up routing between a basic broadband modem and a Cisco 2811.

I have two sites which both comprise a GRE tunnel established between them using a pair of Cisco 2811 routers.

Each router is connected to a basic broadband modem through an Ethernet cable connection, but all devices including the switch, the modem and the router are all on the same network on each end. For devices that need to use the tunnel, their gateway is pointed to the IP address of the Cisco router.

I want to set up VLANs and different IP networks on the Cisco switches connected to the routers using router on a stick.

But to do this properly I need to set up routing between the Cisco routers and the broadband modems on each end. The purpose is to enhance security by implementing VLANs, and eventually apply access control lists to prevent certain VLANs talking to each other.

At the moment all devices can talk to each other unrestricted and no VLANs are set up.

I have IP telephones, security systems, computers etc. that need to be on separate VLANs so they can't talk to each other.

At the same time, the security system on site B needs to be accessible through the GRE tunnel through to site A.

The problem is the broadband modems are using NAT. I had a go last night but was unsuccessful. I figured that NAT had to be implemented on the Cisco routers instead of the modems, and to have a default route set up on each router. For example:

0.0.0.0 0.0.0.0 192.168.1.1

0.0.0.0 0.0.0.0 102.168.1.2

I tried using RIP v2, as one of my broadband modems wouldn't allow RIP routing if NAT was enabled on the DSL service interface.

At the moment I can't afford to purchase the DSL interface card for my Cisco routers, otherwise I would set them up directly connected.

My main question is: how do you set up routing between a broadband modem and a Cisco router, so that the VLANs on a switch connected to this router can all access the Internet but can't talk to each other?

I'm assuming that I will also have to enable some access control lists, but another problem is that I'm worried this will stop the GRE tunnel from working.

Just wondering if anyone can help me set up NAT and some ACLs.

Thanks
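As an added worked example (not from this thread or any of its posters), here is the approach the post above describes for site A: router on a stick with one sub-interface per VLAN, an inbound ACL on each sub-interface so VLANs reach the Internet but not each other, NAT overload toward the modem, and the GRE tunnel to site B kept out of the translation. Every address, VLAN number, interface name and the site B ranges (192.168.100.0/22, with its security system on 192.168.102.0/24) are assumptions; the modem is assumed to sit at 192.168.1.1 and to already pass GRE to the router as it does for the working tunnel.

```cisco
! Added example, not the thread's own configuration. All values are assumed.
!
! --- VRF-free approach: plain sub-interfaces with inbound ACLs ---
interface FastEthernet0/0
 description LAN trunk to switch
 no ip address
!
interface FastEthernet0/0.10
 description VLAN 10 - IP phones
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip nat inside
!
interface FastEthernet0/0.20
 description VLAN 20 - computers
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
 ip nat inside
!
interface FastEthernet0/0.30
 description VLAN 30 - security system
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group VLAN30-IN in
 ip nat inside
!
! --- WAN: the modem's LAN side (modem assumed at 192.168.1.1) ---
interface FastEthernet0/1
 description WAN to broadband modem
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
!
! --- GRE to site B; site B public address is a placeholder ---
interface Tunnel0
 description GRE to site B
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
!
! Default route to the modem; site B's VLANs only via the tunnel
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.100.0 255.255.252.0 Tunnel0
!
! Inter-VLAN policy, evaluated as packets enter from each VLAN.
! Each VLAN denies the other local VLANs and site B, then permits
! everything else (Internet, and the router's own addresses for DHCP/DNS).
ip access-list extended VLAN10-IN
 remark IP phones: Internet only
 deny   ip any 192.168.20.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 deny   ip any 192.168.100.0 0.0.3.255
 permit ip any any
!
ip access-list extended VLAN20-IN
 remark computers: Internet plus site B's security VLAN over the tunnel
 permit ip 192.168.20.0 0.0.0.255 192.168.102.0 0.0.0.255
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 deny   ip any 192.168.100.0 0.0.3.255
 permit ip any any
!
ip access-list extended VLAN30-IN
 remark security system: Internet only
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.20.0 0.0.0.255
 deny   ip any 192.168.100.0 0.0.3.255
 permit ip any any
!
! NAT: translate only what is bound for the Internet. Site-to-site traffic
! is excluded so it crosses the tunnel with its private addresses intact.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.3.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.3.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.3.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
```

Two points worth checking after applying something like this. The ACLs are stateless, so the mirror of the VLAN 20 permit must exist at site B: the inbound ACL on its security VLAN has to permit traffic back to 192.168.20.0/24, or the connection opens one way and dies. The tunnel is unaffected by the NAT statement because the inner packets leave via Tunnel0 rather than the outside interface, and the GRE packets themselves are sourced from the router's own WAN address; if an inbound ACL is later placed on FastEthernet0/1, it must permit GRE (IP protocol 47) from the site B peer, which is the case where a tunnel usually "stops working" after ACLs are introduced.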

18 Replies

Hello,

 

the tunnel itself is the protection, I don't see how somebody could get into the tunnel. That said, both CBAC and ZBF (Zone Based Firewall) are good additional security measures...

Hello

Another way you could do this without applying ACLs between your VLANs is to use VRFs and domainless NAT.

 

Example:

ip vrf data
 rd 1:20

ip vrf phones
 rd 1:10

ip vrf video
 rd 1:30

ip dhcp use vrf remote

ip dhcp pool phones
   vrf phones
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   lease 0 2

ip dhcp pool data
   vrf data
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   lease 0 2

ip dhcp pool video
   vrf video
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.1
   lease 0 2

interface FastEthernet0/0
 description LAN

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding phones
 ip address 192.168.10.1 255.255.255.0
 ip nat enable

interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding data
 ip address 192.168.20.1 255.255.255.0
 ip nat enable

interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding video
 ip address 192.168.30.1 255.255.255.0
 ip nat enable

interface FastEthernet0/1
 description WAN
 ip address 10.1.12.1 255.255.255.0
 ip nat enable

! global default
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.1.12.2
! default into each VRF RIB, resolved via the global table
ip route vrf data 0.0.0.0 0.0.0.0 10.1.12.2 global
ip route vrf phones 0.0.0.0 0.0.0.0 10.1.12.2 global
ip route vrf video 0.0.0.0 0.0.0.0 10.1.12.2 global

ip nat source list 20 interface FastEthernet0/1 vrf data overload
ip nat source list 10 interface FastEthernet0/1 vrf phones overload
ip nat source list 30 interface FastEthernet0/1 vrf video overload

access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
....
Replicate at site B.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for this example. This is the first example I have seen using a VRF as a security measure on a LAN. Nice!

Hello Alex

I like this also as it's another tool to be able to segregate your network if need be. Sometimes VACLs, RACLs, private VLANs etc. can be very administrative.


Kind Regards
Paul