Can I simulate a VPN at home, with this equipment?

whiteford
Level 1

Hi,

I want to practise creating a site-to-site VPN at home. Is that possible?

I have a Cisco 2620 and 1721 with a crypto IOS, a Cisco 2950 switch and a Cisco PIX 515 with 3DES.

Could I create a VPN between 2 routers? I guess I would need to use the switch with its VLANs somehow.

I would also like to set up a router to the PIX afterwards. I just can't work out how I can set this up, as I believe I will need to use a VLAN to work as the internet?

Thanks

18 Replies

andrew.prince
Level 10

With your current equipment - yes you can do this.

VLANs are important in this setup, as is having more than one LAN interface on the routers; otherwise you will have to use loopback interfaces.

HTH

Hi Andrew,

I will have to use loopbacks as both routers only have 1 FE each, what would the loopback be used for?

For the first scenario, would I need just the one VLAN on the switch and put the FE of each router in it, and for the other scenario one FE of the router and one of the PIX?

Just wondered how you would set this up? I will go away and set this up then.

Thanks

I would:-

Create 3 vlans:- Internet, SiteA & SiteB

Have 3 IP Addressing subnets for each.

The switch would have no SVIs.

Create loopback interfaces on both routers (they are the inside).

Assign internal IP subnets to the loopbacks.

Assign the external IP subnet to the physical interfaces (they are the outside)

Create the:-

VPN

No-NAT

Encryption domains

Then to bring the VPNs up, use an extended ping from loopback to loopback; this will work if the rest is set up OK.

For now leave the PIX out of it. Once you get the above working, then you can add the PIX, as this changes the topology quite a bit.

HTH

This is most useful. I am trying to draw this before I start, unfortunately I don't have any software to do this, so pen and paper.

I'm a bit confused with the 3 VLANs.

Router 1 requirements:

Loopback (inside) - 192.168.1.1/24

FE (outside) - 10.10.10.1/24

Add to VLAN 1 on switch

Router 2 requirements:

Loopback (inside) - 192.168.2.1/24

FE (outside) - 10.10.11.1/24

Add to VLAN 2 on switch

VLAN 3 - Internet

How can I get the 3 VLANs to work as the internet? I have a L2 switch (2950), but also a L3 switch (3550). Will I be routing the VLANs?

For the current setup, the internet VLAN is all you need.

The other 2 VLANs can come into play with the PIX and the 35xx, when you have the above running.

Just put the FE of the 2 routers into the Internet VLAN. They will simulate the "Internet"; the 2 loopbacks will simulate the 2 LANs of the remote sites.

Nice and simple: 2 routers, 1 switch. A nice topology to start with.

HTH

Thanks Andrew. I guess the 2 FEs of the 2 routers that are in the "internet" VLAN will have to have similar IPs in the same "subnet" to talk to each other, as if the routing is working?

No - as you are running a test lab, consider:-

Class A IP addressing

Classless routing

And a default gateway out of the FE interfaces

LAB - TEST - DEBUG!

Hi Andrew,

So for the FEs on each router I should use a class A IP?

I'm not sure I understand the rest. Each router is in the same "internet" VLAN, then they must be using a similar IP range to ping each other I guess, before I add the crypto etc.

Unless you are suggesting I can route within the single "internet" VLAN to 2 completely different IP peer addresses and use some static routes?

Thanks

Andy,

Yes - something like:-

rt1 - 1.1.1.1 255.0.0.0

rt2 - 2.1.1.1 255.0.0.0

Yes - that's why you configure classless routing, with a default gateway. I could go into a deep and long explanation of both, but for this lab you just need to configure on both routers:-

ip classless
ip route 0.0.0.0 0.0.0.0 interface FE
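As an added worked example (not from this thread and not Andrew's own config), this is what rt1's side of the lab would look like in IOS, tying together the plan from the earlier reply (loopback as the inside, FE as the outside, VPN, encryption domain) with the addressing given here. It assumes FastEthernet0/0 as the FE interface name, the made-up names LABMAP, LABSET and VPN-TRAFFIC, and a placeholder pre-shared key; rt2 mirrors it with the addresses swapped.

```cisco
! rt1 - added example config, not from the thread (assumed interface name FastEthernet0/0)
hostname rt1
!
ip classless
!
! Loopback0 plays the "inside" LAN of site A
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
! Phase 1: ISAKMP policy using 3DES (which the PIX 515 also supports) and a pre-shared key
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! LAB_PSK_PLACEHOLDER is a placeholder; configure the same key on rt2 for peer 1.1.1.1
crypto isakmp key LAB_PSK_PLACEHOLDER address 2.1.1.1
!
! Phase 2: IPsec transform set
crypto ipsec transform-set LABSET esp-3des esp-sha-hmac
!
! Encryption domain: loopback subnet of site A to loopback subnet of site B
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! No NAT is configured in this lab, so there is no no-NAT exemption to write yet
crypto map LABMAP 10 ipsec-isakmp
 set peer 2.1.1.1
 set transform-set LABSET
 match address VPN-TRAFFIC
!
! FE is the "outside", sitting in the Internet VLAN, with the crypto map applied
interface FastEthernet0/0
 ip address 1.1.1.1 255.0.0.0
 crypto map LABMAP
 no shutdown
!
! Default route out of the FE interface, as suggested above
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! To bring the tunnel up, send interesting traffic from loopback to loopback:
!   ping 192.168.2.1 source Loopback0
! then verify with:
!   show crypto isakmp sa
!   show crypto ipsec sa
```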

Andrew that's great, it makes sense.

Add the route to the FEs for the outbound traffic.

The only other part is the VLAN itself. I have a L2 and L3 switch that I can use here.

I see the 2 IP addresses for the FEs are on different subnets but in the same VLAN, so the L3 switch will be needed? If so, how would this be done?

In my head I was thinking more of 2 VLANs, one for each router, and routing between the 2, but if there is an easier way then :)

Andy,

You can use the L3 switch if you want to - but for this simple lab I don't see the need to be honest.

The VLAN is layer 2, so the IP addresses that the routers use will never leave the VLAN, will they? As the L2 switch does not have a L3 interface, it just works on L2: effectively a closed VLAN.

If your routers only have 1 FE interface, how are they going to route to each other if they are in separate VLANs? For that topology you would need to use the L3 switch, as the L3 switch would have a L3 interface in both VLANs. Do not forget: to have inter-VLAN routing you NEED a layer 3 routing device.

HTH

I see. I couldn't get round in my head that the 2 IPs for the FEs were on different subnets in the same VLAN, so I wondered how they would then ping each other, and I assumed some sort of routing would be needed.

OK - now that's all cleared up you should be good to go.

For a simple lab, you can do something like this:

interface f0/1
 ! primary address for host A's network
 ip address 192.168.1.1 255.255.255.0
 ! secondary addresses for host B's and host C's networks on the same wire
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 172.16.1.1 255.255.255.0 secondary

That way, you can connect the router to a hub, with host A on the 192.168.1.0/24 network, host B on the 10.0.0.0/24 network and host C on the 172.16.1.0/24 network, and they can ping each other because of the secondary addresses on the router. No need for a VLAN and switch.