Posted by Will on July 6, 2007, 3:05 am
> Hi,
> We have just replaced our existing DSL based VPN solution with a metro
> ethernet one, connecting our 3 sites together over 10Mbit links.
> Now I just have a simple question.
> The telco setup the metro ethernet (layer 2 multipoint ethernet
> connection between the 3 sites) and installed Nortel 1400 ESM switches
> at each site. After that, they were gone and couldn't tell me how to
> further configure it.
>
> If I'm right, I actually have an ethernet link between every site, but
> I cannot just plug the Nortels into the existing switches at each site
> since all sites are on a different subnet, right?
Forget a router, I would put in a routing firewall. Whatever makes you
believe the telco's promise that they have you on a private virtual
ethernet? I know the Nortel OPTera 3500 product (which is probably what
they build their metro network around if they are using a Nortel solution)
well enough to know it would be extremely easy for them to put another
company's virtual ethernets overlapping yours, even if by accident. One
day in the future you might wake up finding that you have invited several
other companies directly onto your internal network, with direct routes onto
any of your hosts.
> So do I need an ethernet router at each site, connected between the
> Nortel (WAN) and the existing LAN, and set up another new subnet for the
> "WAN net"? But what would I use as gateway at the WAN IP side?
Did the ISP providing you the virtual ethernet also provide you an Internet
connection on the same virtual ethernet? I don't see how they could do
that unless they were providing a NAT router for you. I wouldn't feel
safe connecting to the Internet through another vendor's NAT alone.
Presumably they gave you some instructions about your Internet router? The
routing firewalls would route all Internet bound packets on a separate
subnet that is exposed outbound to the Internet. Internal traffic between
sites could go on a separate subnet connecting the various sites.
Personally I would place your internal networks at each site on separate
subnets of each routing firewall that are separate from the subnets that
interconnect sites, and use VPN and firewall routing rules to make sure
anything coming in from one of your other sites is probably authenticated.
--
Will
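As an added illustration of the design Will describes (not code from the thread or from any vendor), here is one site's routing firewall expressed as a Linux nftables ruleset: the metro ethernet segment is treated as untrusted, only IKE/ESP from the other two site firewalls is accepted off it, site-to-site traffic reaches the LAN only after IPsec decryption, and Internet traffic leaves via a separate NAT'd subnet. Interface names, the 10.x.0.0/24 site LANs, the 192.0.2.x metro addresses and the IPsec tunnel itself (configured elsewhere) are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed topology for site A:
#   eth0  LAN               10.1.0.0/24
#   eth1  metro ethernet    192.0.2.0/24 (telco segment, treated as untrusted)
#   eth2  Internet uplink   separate subnet, NAT applied here
# Peer site firewalls on the metro segment (constructed): 192.0.2.2, 192.0.2.3
# IPsec tunnels to those peers are configured outside this file.

flush ruleset

define lan_if = "eth0"
define metro_if = "eth1"
define wan_if = "eth2"
define lan_net = 10.1.0.0/24
define remote_lans = { 10.2.0.0/24, 10.3.0.0/24 }
define metro_peers = { 192.0.2.2, 192.0.2.3 }

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Off the metro segment, only IKE and ESP from the known peer firewalls
        iif $metro_if ip saddr $metro_peers udp dport { 500, 4500 } accept
        iif $metro_if ip saddr $metro_peers ip protocol esp accept
        # Anything else appearing on the shared segment is logged and dropped
        iif $metro_if log prefix "metro-unexpected: " drop
        iif $lan_if ip saddr $lan_net accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Remote-site traffic is forwarded to the LAN only after IPsec decryption,
        # so a frame injected on the metro segment in the clear never gets through
        iif $metro_if ip saddr $remote_lans ip daddr $lan_net meta ipsec exists accept
        iif $metro_if log prefix "metro-plaintext: " drop
        # LAN to other sites (encrypted by the IPsec policy on the way out)
        iif $lan_if ip saddr $lan_net ip daddr $remote_lans accept
        # LAN to the Internet via the separate uplink subnet only
        iif $lan_if ip saddr $lan_net oif $wan_if accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $wan_if masquerade
    }
}
```

The "metro-unexpected" and "metro-plaintext" log prefixes are what you would watch for evidence of another customer's traffic showing up on your virtual ethernet.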