08-24-2011 06:53 AM - edited 03-07-2019 01:51 AM
Hello Guys,
I need some help designing this. I have one LAN currently on the 10.0.1.x network and am bringing in another client that I need to get on their own separate network from the same internet input (IP scheme does not matter, 10.0.0.x, 10.0.10.x, etc...) The internet first comes in to a switch, then goes to a Cisco 1700 router, then hops to another switch, then goes into our PIX 515, and from there goes to the Cisco 2851.
I did not design this network originally, and am just now starting to learn Cisco. Can you guys spread some insight on what I need to look for to get this done?
Thanks in advance for any help.
08-24-2011 07:18 AM
Chris
Do you have an internal switch (L2) that connects to the 2821 for clients?
How important is it that you keep the 2 customers' traffic separate?
Jon
08-24-2011 07:21 AM
Yes, from the 2851, we have 7 Dell PC 2724 switches daisy chained for servers, network appliances, and office data.
They are 2 completely different LLCs, so they want it separate. I recommended just adding them in our network with domains not trusted. But, that is not what they want.
08-24-2011 07:31 AM
Chris
Thanks for that.
I presume the current network is routed off the 2821?
If so you have 2 options depending on spare interfaces available -
1) You can, assuming the dell switches support 802.1Q, run 802.1Q on your LAN interface on the 2821. Basically you have 2 subinterfaces, one for the current network and one for the new network. This obviously splits the gigabit bandwidth between networks.
If you do this then the switchport connecting from the Dell to the 2821 must be setup as a trunk.
You would then need to setup NAT for this network on your pix.
Depending on your routing you may well need to add a route to the pix for the new network pointing to the outside interface of the 2821.
You can then use access-lists on the subinterfaces to deny traffic between the 2 networks.
2) Access-lists are not stateful, so if that does not provide enough security, you could use an interface on the PIX for the new customer network. You could create a new VLAN on the switches and run a connection from the switches to the PIX interface.
You would need to setup NAT on the pix but routing would be fine.
Obviously you need a spare interface on your PIX firewall.
The advantage of this is that your internal networks are now completely separate and you are not relying on ACLs to filter the traffic. The disadvantage is that it is more "logical" to route everything off the 2821.
Depends really on your need to secure the networks from each other.
Jon
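Added example (not posted by anyone in this thread): what option 1 above looks like as IOS and PIX configuration. Assumed: the 2821 LAN interface is GigabitEthernet0/0, VLAN 10 carries the existing 10.0.1.0/24 network, VLAN 20 carries the new 10.0.10.0/24 network, and the PIX inside interface reaches the 2821 outside address 192.168.1.2; all VLAN IDs, addresses and interface names are placeholders.

```cisco
! ---- Cisco 2821: router-on-a-stick with 802.1Q subinterfaces ----
! The physical interface carries no IP; the Dell port facing it must be a trunk
! tagging VLANs 10 and 20. If the existing network is on the native VLAN,
! use "encapsulation dot1Q <id> native" on its subinterface instead.
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description Existing LAN (assumed VLAN 10)
 encapsulation dot1Q 10
 ip address 10.0.1.1 255.255.255.0
 ip access-group BLOCK-TO-NEW in
!
interface GigabitEthernet0/0.20
 description New customer LAN (assumed VLAN 20)
 encapsulation dot1Q 20
 ip address 10.0.10.1 255.255.255.0
 ip access-group BLOCK-TO-OLD in
!
! Inbound ACLs on each subinterface drop traffic destined for the other
! customer's subnet and let everything else (Internet-bound) through.
! These are stateless filters, as noted above: they match on addresses only.
ip access-list extended BLOCK-TO-NEW
 deny   ip 10.0.1.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any
!
ip access-list extended BLOCK-TO-OLD
 deny   ip 10.0.10.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip any any
!
! ---- PIX 515: route and NAT for the new subnet ----
! The PIX must know the new subnet lives behind the 2821 (assumed outside
! address 192.168.1.2), and must translate it like the existing network.
! "global (outside) 1 interface" is assumed to exist already for the current LAN.
route inside 10.0.10.0 255.255.255.0 192.168.1.2 1
nat (inside) 1 10.0.10.0 255.255.255.0
```

Verify with "show ip interface brief" and "show access-lists" on the 2821 (the deny counters should climb when one customer subnet tries to reach the other) and "show route" on the PIX.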
08-24-2011 10:58 AM
"I presume the current network is routed off the 2821 ?"
Yes, it is. The 2 networks do not need to be completely "secured" from one another as most users won't know there is another network anyway.
Really, they just want to be on their own IP scheme. This is a little over my head as I am just beginning with Cisco. Overwhelmed!
08-24-2011 11:42 AM
Chris
Okay, I can't help with Dell but I can provide config for the rest. Do you know which VLAN is in use on the switches currently, and do you know if it is the native VLAN in use?
Jon
08-25-2011 01:09 PM
Thanks for getting me off on the right start.
I was able to do all of it from the ASDM GUI, which was great considering I haven't mastered the Cisco commands. I enabled an extra interface on the PIX and ran a line straight from there to the new network's switch. I added in a static route and I was able to get to the outside world. Worked pretty smoothly!!
09-14-2011 09:11 AM
Ok guys, here we go again.
The new network I am adding will have their own firewall that will handle all of their servers/nat issues.
So, as it is set up right now, I have a line coming from our PIX Eth2 interface that is assigned with a private 10.10.81.254 address that goes straight to their switch, which feeds their servers. All of the servers get on the network fine using 10.10.81.254 as gateway and our ISP DNS servers. But, with this setup, they can't use their firewall.
They are using the Microsoft Forefront TMG firewall on a server. The server has 2 interfaces (1 for external (firewall) and 1 for internal network).
He needs a routable public IP address coming from our interface so he can get his side set up. How can I do this? I really don't need to be doing anything with the 10.10.81.254 network as that is all on his side. I would guess the line from our PIX would go to his external interface on his TMG server?
Any help on this is appreciated.