Howdy all,

First, I would like to say a huge thank you to Jay Hennigan, John Neiberger
and Dusty Harper for their immediate responses and follow-ups to my initial
posting. Also, many thanks to the other folks who replied in the group and
also to my personal email address.

I (most regrettably) left a vital piece of the puzzle out yesterday - here
is the "structure" I was playing with:

Internet Connection
       |
       |
       |(External IP address)
       |
       Firewall
       |
       |(10.0.0.1)
       |
       |
       --------|----10.0.0.0/24 segment------|---------
            |
            |
            | (10.0.0.250)
            |
             Router (4000M)
            |
            | (10.0.10.1)
            |
            |
            -------|------10.0.10.0/24 segment----------|-------


I now realize (with everyone's help!) that my 10.0.0.0 segment would never
see its way back to the 10.0.10.0 segment without some additional
routing information.

My next question to Jay, John, and Dusty was - What is the "best practice"
method for implementing and routing another segment?

These are the responses for any others who are interested or also in this
learning curve:

John Neiberger suggested:
"If you make your router (the 4000M) the default gateway, it would still
forward packets back to the firewall that were destined for the internet.
Turn on fast switching ("ip route-cache same-interface") on that router
interface and this design shouldn't affect router CPU very much at all."

Jay Hennigan suggested the following (which would work the best I believe
if I had a router with 3 ethernet interfaces!):

"If there's a third ethernet interface on the router, I'd do something like


                                      |--------10.0.0.0/24
                                      |
Internet----FW----10.255.250.0/24---router
                                      |
                                      |--------10.0.10.0/24

Both the internal segments point to the router as the default GW,
the router has its default as the firewall.  The router can route
between the two ethernets.  The firewall has a static route that
10.0.0.0/8 goes toward the router."

In questioning Dusty Harper about using NAT between the segments:
"Most people only use NAT to connect their segment to the internet.....
NAT basically just encapsulates the data in a wrapper with a public address.
When the data is sent to your segment, it is addressed for the NAT box, and
the NAT box takes off the wrapper so it can go to the host on the private
segment......you could throw a filter on the NAT box specifying all 10
Network traffic stays local and create a static route for the NAT box
pointing the 10 Net traffic to its specific router (in this case
10.0.0.250)."

And in response to another question that was emailed to me concerning
which routing protocol am I using:
My understanding is that if I have 2 directly connected segments, using
IP Classless and a default route is the easiest way to route traffic between
the 2 interfaces...???

And finally, the solution that I'm going with for now is to leave my
10.0.0.0 traffic with a default gateway of 10.0.0.1.  On my firewall, I've
set a static route telling it that any traffic heading for 10.0.10.0 needs
to be sent to the 10.0.0.250 gateway.  Not the greatest I know, but if
anyone wants to donate an extra ethernet interface for my router, please
email!   *grin*

Regards,
Becky Pinkard

p.s.  Sorry this turned into a book - watch out Chuck, now that I've got
the CCNA, I'll give you a run for your money on long postings!  *LOL*




"Becky" wrote in message <8k2uoa$36l$[EMAIL PROTECTED]>...
>I feel pretty stupid - I've just passed the CCNA this past Friday
>and am trying to get a simple 4000M 10baseT router to pass
>traffic from one segment to another.  I just got this router to play
>with - yes, I passed the CCNA without any real hands-on...(I know,
>I know - let the paper-cert debates begin...*grin*)....anyway, here
>is a copy of an extended ping:
>
>Internal1#ping
>Protocol [ip]:
>Target IP address: 10.0.0.115
>Repeat count [5]:
>Datagram size [100]:
>Timeout in seconds [2]:
>Extended commands [n]: y
>Source address or interface: 10.0.10.1
>Type of service [0]:
>Set DF bit in IP header? [no]:
>Validate reply data? [no]:
>Data pattern [0xABCD]:
>Loose, Strict, Record, Timestamp, Verbose[none]:
>Sweep range of sizes [n]:
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 10.0.0.115, timeout is 2 seconds:
>.....
>Success rate is 0 percent (0/5)
>
>I don't understand why I can't ping an address on my 10.0.0.0 segment
>from the 10.0.10.1 interface of my router????  I'm embarrassed to
>be asking this because I fear the answer is so simple, but then again
>I was taught to never be afraid to ask even stupid questions.... ;-)
>
>So, here's my config and I would appreciate any words of wisdom.
>
>Regards,
>Becky
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname Internal1
>!
>enable secret 5 $1$
>enable password
>!
>ip subnet-zero
>!
>!
>!
>interface Ethernet0
> ip address 10.0.0.250 255.255.255.0
> ip directed-broadcast
> media-type 10BaseT
>!
>interface Ethernet1
> ip address 10.0.10.1 255.255.255.0
> ip directed-broadcast
> media-type 10BaseT
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 10.0.0.1
>!
>dialer-list 1 protocol ip permit
>dialer-list 1 protocol ipx permit
>!
>line con 0
> transport input none
>line aux 0
>line vty 0 4
> password
> login
>!
>end
>
>
>
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>---
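
An added example, not part of the original posts: a small longest-prefix-match model of the topology in this thread, tracing the echo request and the echo reply before and after the firewall gets its static route for 10.0.10.0/24. Node labels such as "host-10.0.0.115" are constructed, and the assumption that the firewall hands unknown 10.x destinations to its Internet default route is a simplification.

```python
import ipaddress

N = ipaddress.ip_network

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build(firewall_static=False):
    """Routing tables taken from the thread (labels are constructed)."""
    tables = {
        # Hosts on 10.0.0.0/24 keep 10.0.0.1 (the firewall) as default gateway.
        "host-10.0.0.115": [(N("10.0.0.0/24"), "direct"),
                            (N("0.0.0.0/0"), "firewall")],
        # 4000M: two connected segments plus "ip route 0.0.0.0 0.0.0.0 10.0.0.1".
        "router": [(N("10.0.0.0/24"), "direct"),
                   (N("10.0.10.0/24"), "direct"),
                   (N("0.0.0.0/0"), "firewall")],
        # Firewall: inside segment connected, everything else to the Internet.
        "firewall": [(N("10.0.0.0/24"), "direct"),
                     (N("0.0.0.0/0"), "internet")],
    }
    if firewall_static:
        # The fix chosen in the post: 10.0.10.0/24 via 10.0.0.250 (the router).
        tables["firewall"].append((N("10.0.10.0/24"), "router"))
    return tables

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start toward dst and return the path taken."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            return path + ["no-route"]
        if hop == "direct":
            return path + ["delivered"]
        path.append(hop)
        if hop not in tables:      # left the modelled network
            return path
        node = hop
    return path + ["loop"]

if __name__ == "__main__":
    for fixed in (False, True):
        t = build(firewall_static=fixed)
        print("static route on firewall:", fixed)
        print("  request:", trace(t, "router", "10.0.0.115"))
        print("  reply:  ", trace(t, "host-10.0.0.115", "10.0.10.1"))
```

The request always arrives; only the reply path changes, which is why the extended ping sourced from 10.0.10.1 showed 0/5 even though the router's own configuration was sound.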

