bridging

[Greg Brewer]

Here's a situation. I have an isolated web server with its on T1 and
router. I also have a mail server and a lan on another T1 and router. I
want to bridge the 2. I have a small problem in that I haven't been able to
get into into the isolated router (just a quick try that failed. It's
exactly the same as the non-isolated router so should work. I can only
guess that someone changed its IP address. I'll have to go in through other
means but that's a bit of work.) The isolated server has a static IP
address that is compatible with the rest of the network.

My plan is to use Sonic Wall firewall device to bridge the 2. The Sonic
Wall has 3 ports: WAN, LAN, and DMZ. I'll connect the WAN port to the
router, the DMZ port to the LAN server, and the LAN port to the switch for
our mail server/network. I also plan to verify that the LAN router's local
IP address has been changed to something compatible with the rest of our
network and the DHCP has been disabled (which I would expect to be automatic
when it's IP is no longer x.x.x.1). Finally, I plan to add records to the
local DNS server to send traffic that currently has to go through the
internet directly to the web server.

I've never done this so I'm a bit nervous. I'm new on the job and I don't
want to give myself a black mark. So, am i missing anything?

Greg Brewer

 

[Phillip Windell]

want to bridge the 2. I have a small problem in that I haven't been able to
get into into the isolated router (just a quick try that failed. It's

I wouldn't call that a small problem, it's a rather large one.

means but that's a bit of work.) The isolated server has a static IP
address that is compatible with the rest of the network.

Define compatible in this context. Compatible because it *is* in the same
subnet, or compatible because it is *not* in the same subnet. Why do you
think "bridging" is the answer instead of "routing"? I'm asking
honestly,...I'm trying to get a grip on your situation so I might be able to
come up with a solution.

My plan is to use Sonic Wall firewall device to bridge the 2. The Sonic
Wall has 3 ports: WAN, LAN, and DMZ. I'll connect the WAN port to the
router, the DMZ port to the LAN server, and the LAN port to the switch for

Creating a DMZ is not "bridging", nor it is "routing" either. Bridging is a
specific Layer2 Function where "packet switching" is done based on MAC
addresses with Hosts on a single subnet. Bridging is what a typical LAN
Switch does, infact a Bridge is nothing more than a LAN Switch with only two
ports.

Plese explain the network Topology Design and the Addressing Scheme, then
explain what the Goal is,...let *us* worry about comming up with a method to
reach the goal.

 

[Greg Brewer]

It's a small problem because I don't have an immediate need to get into the
router other than to confirm settings. It would be a big problem if I need
to change them.

Compatible: I can plug it into the local network and it will be on the same
subnet and its static IP address would not conflict with any existing IP
addresses (dynamic or static). I don't know the router's IP address doesn't
conflict but I suspect it doesn't -- I can't get to it at its default IP
address which implies it has been changed. If someone changed it then I
would hope they changed it to an open (as in outside the range given the
DHCP to dish out and not given any other comptuer) IP address. Without
knowing what it was given, I can't get to it. As somepoint, I will connect
to it and check it out.

Since I wrote my original post, I have connected a cable from the web
router to the switch for the rest of the network -- I could then ping the
web server from the rest of our network. Yeah! I then put the SonicWall in
that line. I could no longer ping the web server. Awww!

Also, since I wrote my original post, I found that my SonicWall is not the
model I thought it was. This one does not have a DMZ port. The router has
4 ports on it so I expect I can just connect the Wan port to the router and
the LAN port to the switch. But it doesn't work.

Greg

 

[Phillip Windell]

It's a small problem because I don't have an immediate need to get into the
router other than to confirm settings. It would be a big problem if I need
to change them.

I suspect that is about to happen.

Since I wrote my original post, I have connected a cable from the web
router to the switch for the rest of the network -- I could then ping the
web server from the rest of our network. Yeah! I then put the SonicWall in
that line. I could no longer ping the web server. Awww!

You can't simply put the PIX "in the line" without redesigning the topology.

Having it work while running without the PIX implies that the Web Router's
LAN Interface and the "rest of the network" are on the same subnet. Once the
PIX is introduced that will no longer be the case. You will have two
subnets,...one between the "rest of the network" and the PIX and will have a
second subnet between the PIX and the former LAN Interface of the Web
Router.

This means either the LAN will need re-addressed to compensate or the Web
Router's LAN Interface will need reconfigured with a new subnet and
address,...and that means you have to be able to get into the Router's
configuration.

 

[Greg Brewer]

I suspect that is about to happen.

It isn't a problem I'm ignoring; just not a priority yet.

SonicWall
in that line. I could no longer ping the web server. Awww!
You can't simply put the PIX "in the line" without redesigning the topology.

Having it work while running without the PIX implies that the Web Router's
LAN Interface and the "rest of the network" are on the same subnet. Once the
PIX is introduced that will no longer be the case. You will have two
subnets,...one between the "rest of the network" and the PIX and will have a
second subnet between the PIX and the former LAN Interface of the Web
Router.

Either my knowledge of this is way off or I have not been clear. Currently,
we have
2 T1s and 2 PIXs. One PIX is connected to a WEB Server.
The other PIX is connected to our MAIL server and network. The WEB Server
does have an address that is on the same subnet and has a static address not
in
use by the rest of the network.

I don't understand where you coming from with "running without the PIX".
All I did
was use a jumper cable to to run from the web server PIX to one of our
network
switches. I was never running without both PIX.

Is it not possible that whoever set these 2 systems up has already designed
it so that
the two LANs can be connected with any reconfigure? The evidence so far
suggests
that this is the case.

Greg

 

[Phillip Windell]

Either my knowledge of this is way off or I have not been clear. Currently,
we have

It gets more unclear with every post.

2 T1s and 2 PIXs. One PIX is connected to a WEB Server.
The other PIX is connected to our MAIL server and network.

You don't connect PIX's to individual machines. They are connected between
two subnets,...what is in those subnets is beside the point.

The WEB Server does have an address that is on the same subnet and has a
static address not in use by the rest of the network.

I have no "context" to know what that means and how it fits into this.

I don't understand where you coming from with "running without the PIX".
All I did was use a jumper cable to to run from the web server PIX to one of our
network switches.

There is no such thing as a jumper cable in networking. Here's what I mean:

(Before the PIX)
<LAN>--[subnet1]--<Internet Router>
-------------------------------------------------------------------

(After PIX)
<LAN>--[subnet1]--<PIX>--[subnet2]--<Intnet Router>
--------------------------------------------------------------------

(PIX with Tri-Homed DMZ)
<LAN>--[subnet1]--<PIX>--[subnet2]--<Intnet Router>
|
[DMZ]
|
<machines on DMZ>
-----------------------------------------------------------------------

Is it not possible that whoever set these 2 systems up has already designed
it so that the two LANs can be connected with any reconfigure?

It isn't that simple. A Firewall Device is physicaly part of the Topology
design, you can't simply take it in or out as your please. If it was
designed with out then you can't remove it and expect things to work. If it
was designed without one then it must be redesigned to be able to add one.

 

[Phillip Windell]

design, you can't simply take it in or out as your please. If it was
designed with out then you can't remove it and expect things to work. If

it

Supposed to say "...was designed with one then you can't..."

 

[Greg Brewer]

I'm not sure where my vocabulary is failing

Here is the setup
---------------------------------------------------------------
Internet -- <T1 modem[1]> -- <Cisco PIX 501[1]> -- <Web Server>

Internet -- <T1 modem[2]> -- <Cisco PIX 501[2]> -- <switch>
-- <mail server, file server, workstations>

---------------------------------------------------------------

Now, if I ping the local IP address for the Web Server from one
of the workstations, I get time outs which makes sense since the webserver
isn't on the local subnet.

Web Server has IP/subnet mask of 192.168.1.200/255.255.255.0

File Server has IP/subnet mask of 192.168.1.4/255.255.255.0

Next, I take a cable I bought. It was labeled Cat 5e Jumper Cable -- 3'.
It is of the type currently used to connect PIX[2] to <switch>. I use it
to connect one of the ports on the built-in switch on the two PIX routers.
In can now ping the webserver from a workstation.

Now, I have .... okay, I can't figure out how to draw a line from
Cisco PIX 501[1] to Cisco PIX 501[2] in the above diagram just copying
it and adding text. I could space over and use | characters but that
may not look the same when you get it as when I sent it. For that matter,
I'm not sure that you will get the diagram as I created it already.

Hopefully, this is clearer.

Greg

Either my knowledge of this is way off or I have not been clear. Currently,
we have

It gets more unclear with every post.

2 T1s and 2 PIXs. One PIX is connected to a WEB Server.
The other PIX is connected to our MAIL server and network.

You don't connect PIX's to individual machines. They are connected between
two subnets,...what is in those subnets is beside the point.

The WEB Server does have an address that is on the same subnet and has a
static address not in use by the rest of the network.

I have no "context" to know what that means and how it fits into this.

I don't understand where you coming from with "running without the PIX".
All I did was use a jumper cable to to run from the web server PIX to

one
of our

network switches.

There is no such thing as a jumper cable in networking. Here's what I mean:

(Before the PIX)
<LAN>--[subnet1]--<Internet Router>
-------------------------------------------------------------------

(After PIX)
<LAN>--[subnet1]--<PIX>--[subnet2]--<Intnet Router>
--------------------------------------------------------------------

(PIX with Tri-Homed DMZ)
<LAN>--[subnet1]--<PIX>--[subnet2]--<Intnet Router>
|
[DMZ]
|
<machines on DMZ>
-----------------------------------------------------------------------

Is it not possible that whoever set these 2 systems up has already designed
it so that the two LANs can be connected with any reconfigure?

It isn't that simple. A Firewall Device is physicaly part of the Topology
design, you can't simply take it in or out as your please. If it was
designed with out then you can't remove it and expect things to work. If it
was designed without one then it must be redesigned to be able to add one.

 

[Phillip Windell]

I'm not sure where my vocabulary is failing

No problem.....

I just have to make extra sure I know what someone is really talking about
before I suggest changes to their stuff that might get them in trouble if it
doesn't work.

---------------------------------------------------------------
Internet -- <T1 modem[1]> -- <Cisco PIX 501[1]> -- <Web Server>

Internet -- <T1 modem[2]> -- <Cisco PIX 501[2]> -- <switch>
-- <mail server, file server, workstations>

---------------------------------------------------------------

Ok. I understand now. We have something like that here. We have a Video
Server that downloads "content" that we broadcast over the air. It requires
a lot of Internet bandwidth for recieving, so rather than run it over our
already busy T1, we run it out a separate Internet connection all by itself.

Now I am going to assume that the T1 and PIX[1] is to be dedicated only for
the Web Server,...So....

The easiest way to deal with this:

[Option #1] - If each of the PIXs use same subnet on the Internal
Interface.....
Connect the Webserver's NIC into the switch right along with all the other
machines. Do the same for *both* PIXs. Just make them one big happy family
together. Then you want the Webserver's Network Settings to be statically
assigned and you would change it's Default Gateway to the PIX[1] that you
wanted it to use to get to the Internet. All other machines stay the way
they are and will use the PIX[2] to get to the Internet.

<Internet>-- PIX[1]--
\
- [Switch]--<all machines and
Webserver>
/
<Internet>--PIX[2]--

[Option #2] - If PIXs have different subnets on the Internal
Interface........
Connect the Webserver's NIC into the switch right along with all the other
machines, but *not* the PIX[1] in this case. Just make them one big happy
family together. Then you add a second NIC to the Webserver and set it up
with the right network settings to talk to the PIX[1] and make the PIX[1]
the Default Gateway for the Web Server. The NIC on the Webserver that faces
the LAN requires a *blank* Default Gateway. Do *not* enable "routing" on the
webserver, it is not a router. As long as your LAN does not have multiple
subnets that the Webserver needs to "talk" to there isn't anything else to
do, but if there are other subnets then Static Routes must be added to the
Webserver's Routing Table to overcome the fact that the Gateway is blank.

<To Internet>---PIX[1]----<Webserver>
|
<To Internet>---PIX[2]-------[Switch]----<all machines>

 

[Phillip Windell]

Line wrap messed up my "lovely" drawings
The first one should look like this:

<Internet>--PIX[1]--
\
- [Switch]--<all machines & Webserver>
/
<Internet>--PIX[2]--

 

[Greg Brewer]

Thanks for the clarification; I did figure it out but it took me 2 minutes.

Can you tell me where I went wrong in describing the setup? I have read
about this stuff a lot and worked with it a bit but I don't really get to
talk to anyone about it. With most people, I say DNS and DHCP and their
eyes glaze over. Even most of my IT buddies aren't at my level; they call
me for help. And I'm usually able to. I want more but I get bored in
classes. So I read books.

Greg

 

[Phillip Windell]

Thanks for the clarification; I did figure it out but it took me 2 minutes.

Can you tell me where I went wrong in describing the setup? I have read

Well, I'm not sure I can point a finger at any certain thing, I don't even
have the first post anymore. It just had too many details that weren't
related that made it hard to see the root of the problem, and the Subj was
"Bridging" but there really isn't any bridging involved here at all other
than the normal functioning of the Switch.

about this stuff a lot and worked with it a bit but I don't really get to
talk to anyone about it. With most people, I say DNS and DHCP and their
eyes glaze over. Even most of my IT buddies aren't at my level; they call
me for help. And I'm usually able to. I want more but I get bored in
classes. So I read books.

Books can be good, but they can be bad too. Sometimes the authors
improperly use terminology and create confusion. Quite often words get used
in a "slang" sense when those words also have an "official" meaning that is
different, so people get confused on that. "Bridging" and "routing" are
probably the two most butchered terms in the industry.

Personally I like Classes better than books because of the human interaction
and you can ask for clarification on something that the book doesn't make
sense on. In my opinion the best classes to start with are the Cisco CCNA
classes that many local colleges and universities have. The classes & the
program are developed by Cisco. They consist of four classes that provide
an excellent base for everything else to be built on. There are other
programs that go beyond CCNA to CCNP & CCNE, but the CCNA is the first one.

 

[Greg Brewer]

Books can be good, but they can be bad too. Sometimes the authors
improperly use terminology and create confusion. Quite often words get used
in a "slang" sense when those words also have an "official" meaning that is
different, so people get confused on that. "Bridging" and "routing" are
probably the two most butchered terms in the industry.
Personally I like Classes better than books because of the human interaction
and you can ask for clarification on something that the book doesn't make
sense on. In my opinion the best classes to start with are the Cisco CCNA
classes that many local colleges and universities have. The classes & the
program are developed by Cisco. They consist of four classes that provide
an excellent base for everything else to be built on. There are other
programs that go beyond CCNA to CCNP & CCNE, but the CCNA is the first one.
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Classes can be good. My problem is that on day one I have already read the
book and know 90% of the material. So when the instructor goes over the
basic material, I get bored. Like go to a class and the instructor goes
into the basics of DHCP. I always seem to be the only one that has read the
book. I remember my ADA class 10 years ago; I was so bored. Most people
thought I was asleep. Unless the instructor said anything that deviated
from the book. Then I was flipping pages and raising my hand.

Give me any clues you can on something. Last week, one of our T1's was
yoyo'ing. The techs couldn't trace the problem because it was up by the
time they could check it out. What I want to do is set the thing up that if
the primary T1 for either Web Server or Mail Server goes down, it will go
around. I know the basic design is a DOD project and this ability was part
of the design. But what do I have to do to enable it. I'm guessing that my
ISP controls which router is hit and can put in records that will cause it
to move to the second route if the primary is down. I remember reading
somewhere about this type of setup but none of my current books cover it.

I just try a CCNA class sometime soon.

Greg

 

[Phillip Windell]

time they could check it out. What I want to do is set the thing up that if
the primary T1 for either Web Server or Mail Server goes down, it will go
around.

You can not easily do "fail over" with those T1s and still uses them like
you currently are at the same time. You can manually switch them, but the
way you do that depends on the methods you are currently using now in the
"normal" operation.

I could do ours with one toggle on one device because my Default Gateway for
all machines is a LAN Router (not a firewall) and the firewall is the LAN
Router's DFG. So if a link went down I would simply change the DFG on the
LAN Router and would be all done, assuming both links had firewalls using
the same subnet.

You could have the T1s setup for "fail over" themselves but that requires
they both be from the same ISP and the ISP would actually be the one to rig
it up since those lines are more their "territory" than yours. This would
change the whole way you are now running your stuff. Most likely the ISP
would run both lines into the same Internet Router and would use a Router
capable of doing the fail-over between redundant links. From your side of
the network it would appear as a single Internet link rather than two as you
have now. Now if the T1s are from different ISPs then you would have very
few if any options.

 

[Greg Brewer]

Someone pointed out a flaw in my plans. I was figuring on being able to use
the internal network to go around a T1 failure. Of course, that won't work
because it is the router that has the IP address; not the server.

My new idea is to get a couple of new public IP addresses for the routers
and move the current ones to the servers. But that would mean they aren't
on the same subnet. Hmmm, perhaps a second NIC with a private IP address.

Any thoughts?

Greg

 

[Phillip Windell]

This doesn't make any sense at all to me. The Servers don't have anything to
do with this.

It is not about IP#s. It is about physical links and what devices have
control over them.

If the two links come into the same physical device (a router) then that
physical device can handle the "fail-over" (if it is capable). If two links
come into two separate physical devices than "fail over" is not typically
possible. Routers perform this by using redundant physical links and use
their own built in abilities combined with routing protocols (RIP, IGRP,
EIGRP, etc) to perform the "fail over". It is the routing protocols that
determine a link is no longer operational and causes changes to the "routing
tables" in the next routing table update, and the new changes in the
routing tables cause a different route to be taken to a given destination if
a redundant path exists.

This is why the ISP has to be the one to build a solution. It is thier
lines, it is their equipment (in part), it is their service, and it is they
you have to work together with to create a solution.

 

[Greg Brewer]

If working with the ISP is what I have to do then I will do it. My goal
is to look at all possibilities. We have reasons for doing as we do.

On the internet as a whole, if there are multiple routes to a destination
and one route becomes unavailable then the second route will be used. Using
this gives me my "fail-over" capability. All I should have to do is
establish two routes over the two separate physical devices.

Greg

This doesn't make any sense at all to me. The Servers don't have anything to
do with this.

It is not about IP#s. It is about physical links and what devices have
control over them.

If the two links come into the same physical device (a router) then that
physical device can handle the "fail-over" (if it is capable). If two links
come into two separate physical devices than "fail over" is not typically
possible. Routers perform this by using redundant physical links and use
their own built in abilities combined with routing protocols (RIP, IGRP,
EIGRP, etc) to perform the "fail over". It is the routing protocols that
determine a link is no longer operational and causes changes to the "routing
tables" in the next routing table update, and the new changes in the
routing tables cause a different route to be taken to a given destination if
a redundant path exists.

This is why the ISP has to be the one to build a solution. It is thier
lines, it is their equipment (in part), it is their service, and it is they
you have to work together with to create a solution.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Someone pointed out a flaw in my plans. I was figuring on being able to use
the internal network to go around a T1 failure. Of course, that won't work
because it is the router that has the IP address; not the server.

My new idea is to get a couple of new public IP addresses for the routers
and move the current ones to the servers. But that would mean they aren't
on the same subnet. Hmmm, perhaps a second NIC with a private IP address.

Any thoughts?

Greg



will
go Gateway
for to
rig as
you

 

[Phillip Windell]

this gives me my "fail-over" capability. All I should have to do is
establish two routes over the two separate physical devices.

Pretty much, but it is two routes with the *same* physical device. That is
the key point. It must be a single device,..and the single device is what
makes the determination which route is used. In other words both T1s must
come into the same router. Most all commercial grade routers have at least
3 ports,...one Ethernet and two Serial ports. A T1 comes to each serial port
and the router determines which serial port the traffic is to go out of.
Because the ISP owns both T1s and own the routers at the opposite end of
each T1 they are the primary ones to rig this up because all *three* routers
must be setup to work together with this. The topology will look like a
"triangle" and you are only one point of the triangle, they represent two
points on the triangle,..therefore they have more to do with rigging this up
than you do.

 

[Greg Brewer]

I think I'll branch this into 2 seperate threads.

First point is that I may well do it your way; it looks like the easiest
way. But I am interested in knowing why what I have envisioned won't work.
Consider the following diagrams,
1) R1(somewhere) --- R2(at ISP) --- R3(at our site) -- WS (our webserver)
2) R1(somewhere) --- R4(at ISP) --- R5(at our site) -- R6(at our site) --
WS (our webserver)

Now R2 could well be the same device as R4 as I'm not sure what an ISP has
in terms of routers.
Why is something like this unworkable? Would not #1 be the prefered route
since it has fewer hops but if the R2---R3 link fails then R1 would use
route #2.

Greg

 

[Greg Brewer]

I guess I wasn't following you before. This looks simpler.

Let me see if I follow
A) IP address 1
1) R1(at ISP) --- R2(at our site) --- WS (web server)
2) R1(at ISP) --- R3(at our site) --- WS
B) IP address 2
1) R1(at ISP) --- R3(at our site) --- MS (mail server)
2) R1(at ISP) --- R2(at our site) --- MS

where the ISP router R1 has been programmed to send IP address 1 traffic to
R2 if it can but R3 if it cannot. Futher, it has been programmed to send IP
address 2 traffic to R3 if it can but R2 if it cannot. Finally, R3 --- WS
and R2 --- MS traffic would be able to flow over our private network. What
kind of changes would I need to make to my routers to do this? And what
kind of settings would I need to have the ISP make?

This interests me a lot.

Greg