[BLUG] Network Topology Question
Peter G. Brown
blug_at_mailman.cs.indiana.edu
Tue, 27 Mar 2007 16:34:28 -0400
Thanks for the reply David - I only got it today...
On Monday 26 March 2007 13:27, David Ernst wrote:
> I'm not sure I get it all, but I'll take a stab at this:
>
> First, you say you have a couple of public IP addresses. Is it really
> just two? That would be pretty weird. But not impossible.
Sorry - I have a total of 6 available with another 4 taken.
>
> Next question: is the IP address on the T1 Interface of your router
> presently public also? Is that one of your "couple"?
It is public and is not part of the "couple".
>
> Third: the BSD Machine/ftp server. How is it able to use its public
> ip address right now?
My router has a public ip address on the serial interface that connects to the
T1. I have another ethernet card in the second slot that has a public ip
address (which is on the same ip network as the serial interface, so the
Cisco comment that I can't have two interfaces in the router on the same ip
network still leaves me puzzled) and through rules diverts ftp traffic to the
public ftp server, again on the same public ip network. (The problem is that
this is at 10 Mbs, not 100 Mbs, otherwise I would stick the switch on the end
of the ethernet interface.)
Router serial interface (for example) 21.12.12.88 255.255.255.252
Router ethernet interface 21.12.12.2 255.255.255.248
Router fastEthernet interface 172.20.20.250
>
> My personal preferred set up for this would be to have everything
> behind the Cisco on private IPs, and use NAT on the Cisco to map the
> private IPs to whichever machine you like.
I think I will have to go this way...
>
> If you don't like that, I'd try to create a small network of public IP
> machines right inside the cisco, and make one of them a simple
> ethernet-ethernet firewall to NAT/firewall everything else you're
> doing. In this case, the best thing would be to have enough public
> IPs so that you make a whole network in this area. Assigning another
> public IP to the inside of the cisco shouldn't be an issue as long as
> it's on a separate network from the one that's on the outside. Most T1s
> that I've seen come with a public IP address for the outside interface
> that isn't part of any other public IP addresses you've been
> delegated. Hopefully that's true of you, in which case you're fine.
With this suggestion are you saying I change the fastEthernet to be a public
ip address (assuming I can assign it the public ip address on the ethernet
interface), attach the switch to it (so giving a public area) and install a
second NIC on the ftp server and have the second nic linked into the two hubs
on a private ip? (I am fairly comfortable with the pf firewall so would use
the FreeBSD machine.)
>
> Again, I'm not sure how well I grasp what you're aiming for, but
> hopefully something that I've said is helpful to you.
>
Helpful & Appreciated ;-)
I still think I am missing something however concerning what the Cisco guy
said. (I think I will call and ask based on what info I now have).
Thank you,
Peter
> David
>
> On Mon, Mar 26, 2007 at 07:35:03AM -0500, Peter G. Brown wrote:
> >Good Morning,
> >
> >I am trying to configure what I need to do (or add) in order to do the
> >following.
> >
> >1st - my current equipment is Cisco 1721 Router (T1 interface,
> > FastEthernet interface and ethernet interface (10 Mbs) used for a ftp
> > server), Cisco Catalyst switch (24 port) and two HP 10/100 24 port hubs.
> >
> >We have a couple of public ip addresses. I want to use them while
> > continuing to protect our private network (using 10. ) and get away from
> > the 10 Mbs interface.
> >
> >I get stuck on the T1 interface part - as if I could just plug our
> > incoming T1 into the switch and then have the router coming off the
> > switch with the two hubs attached to its FastEthernet interface, I can
> > then plug any public IP machines into the switch.
> >
> >With what I have if I assign the router's fastethernet another public ip
> >address (which Cisco tells me I cannot do) and then plug into the switch I
> >would need another router to attach the two hubs to.
> >
> >My ISP forwards the public ips to the one interface (the router) which
> >redirects so I think the router is going to stay where it is and I need to
> >configure behind it.... If so what ip address do I assign the
> > FastEthernet, and what does the network topology behind it look like or
> > need?
> >
> >What else I could throw in:
> >a FreeBSD machine - it functions right now as a ftp server (very little
> >traffic) with a public ip
> >
> >Thank you,
> >Peter Brown
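
The constraint discussed in this thread (a router will not accept two interfaces whose connected subnets overlap) can be checked before touching the router. The following is an added example, not part of the original messages: it uses the "for example" addresses and masks given above, and the proposed FastEthernet address 21.12.12.3 and the /24 mask on 172.20.20.250 are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Example addresses and masks as given in the message (illustrative values).
INTERFACES = {
    "Serial0": "21.12.12.88/255.255.255.252",
    "Ethernet0": "21.12.12.2/255.255.255.248",
}


def subnet_of(addr):
    """Connected subnet implied by an 'address/mask' interface setting."""
    return ipaddress.ip_interface(addr).network


def overlapping_interfaces(interfaces):
    """Pairs of configured interfaces whose connected subnets overlap."""
    return sorted(
        tuple(sorted((a, b)))
        for a, b in combinations(interfaces, 2)
        if subnet_of(interfaces[a]).overlaps(subnet_of(interfaces[b]))
    )


def conflicts(interfaces, proposed):
    """Names of existing interfaces whose subnet overlaps a proposed setting."""
    new_net = subnet_of(proposed)
    return sorted(
        name for name, addr in interfaces.items()
        if subnet_of(addr).overlaps(new_net)
    )


if __name__ == "__main__":
    for name, addr in INTERFACES.items():
        print(f"{name:10} {addr:30} -> subnet {subnet_of(addr)}")
    print("existing overlaps:", overlapping_interfaces(INTERFACES))
    # Hypothetical: give FastEthernet another address out of the Ethernet0 block.
    print("public FastEthernet conflicts with:",
          conflicts(INTERFACES, "21.12.12.3/255.255.255.248"))
    # Assumed /24 mask for the private FastEthernet address in the message.
    print("private FastEthernet conflicts with:",
          conflicts(INTERFACES, "172.20.20.250/255.255.255.0"))
```
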