I have been tasked with a project that I don't know is feasible. This company X has 3 physically separated networks for security reasons, no VLAN tagging, and everything is fine. However, now they have gotten to a point where they want to move all 3 subnets to a new building (a physically detached building), actually 3 buildings. They have a PTP set up between the buildings and now they want to send all three networks through this link without mixing them and then separate them again on the other side. I have used CCR routers before but for nothing like this. I have a couple of small SOHO MK routers (Lv4) and I am trying to set them up on the bench; before I purchase beefier MK routers I need to know if anyone has done this before and if you can help with how the config should look.
For example, eth1 will be the link on both sides and will carry all 3 networks over the PTP link and separate them on the other side again.
Ether 2 will be one network and it should only talk to Ether 2 on the other side, with the ability to pass DHCP and so forth, just like a bridge.
Same for Ether 3 and Ether 4.
Is this possible using MK routers?
Thanks again
Juan
Not sure how exactly you would achieve that with Virtual Routing and Forwarding or MPLS/VPLS? You will be "mixing" them, and I can't see how you would achieve that without VLANs anyway. However, as Juan said:
"want to send all three networks through this link without mixing them and then separating them again on the other side."
Which is contradictory, maybe something got lost in translation?
From a point of security these VLANs will exist only inside the PTP, and there are simple means to prevent anyone from “tapping into” any VLAN with “forged” packets and also to secure the link further.
Sometimes corporate heads get to the level of absurdity regarding "security" as they understand it (typically because they really don't truly understand networking, nor that your maximum security is that of the "weakest link in the chain").
In these times, to deal with their foolishness, I simply point them to other, flagrant security flaws they already have (post-it notes with passwords stuck underneath keyboards or monitors, etc., very usual in "pseudo uber security" companies that make things too hard for their employees, physical access flaws...), and the increased expenses plus the added inconveniences, so that they "get real".
I won't be surprised at all if getting access to those PTPs for physically tapping into them is within the reach of anyone in the building, either by climbing or by the maintenance/cleaning service, etc.
VRFs provide a logical separation. When the OP mentioned not using VLANs, I rightly or wrongly assumed, he didn’t want them being able to “talk” to each other.
I agree with what you said in regards to security. There also may simply be a miscommunication where we are not fully understanding the goal and limitations.
Good idea, but how does it differ from VLANs?
It is just another kind of packet in packet. Encryption does not separate it more than VLAN tagging. It just better hides the inner data, but all packets flow via the same "pipe" in the only PtP connection.
Thanks for all your posts, I've been trying to figure this out to no avail. I will try these suggestions and see where it takes me, but yes, some of these projects are very strange to say the least. I am open to any and all suggestions. Thanks thus far, guys.
And yes, these subnets should NOT be able to talk to each other. I offered 3 PTMPs, and this way they would continue to be physically separated, but they are worried about RF interference; however, I managed a WISP with 150-200 APs throughout the network and I was able to keep interference in check. With something this small, interference should not come into play. Management wants it this way.
About the "without VLAN usage no matter what" approach: you can try to simply bring up virtual interfaces on the PTP link and then completely isolate/firewall them from each other, "just in case".
You can also use VPLS, which isn't a bad idea anyway.
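As an added illustration of the "virtual interfaces on the PTP link, isolated from each other" suggestion above (this is example configuration written for this thread, not something any poster supplied), here is one side of the link in RouterOS CLI form. It assumes ether1 faces the PTP radio, ether2 to ether4 are the three separate networks, the VLAN IDs 10/20/30 are arbitrary choices, and the transit router carries no IP address on any of these bridges; the far side gets the identical configuration.

```routeros
# One tagged sub-interface per network on the trunk port towards the PTP radio
/interface vlan
add name=vlan10-net-a interface=ether1 vlan-id=10
add name=vlan20-net-b interface=ether1 vlan-id=20
add name=vlan30-net-c interface=ether1 vlan-id=30

# One bridge per network. No IP address is ever put on these bridges, so the
# router has nothing to route between; each bridge is a plain layer-2 pipe
# (DHCP, ARP, broadcasts all pass as they would on a switch).
/interface bridge
add name=br-net-a protocol-mode=none
add name=br-net-b protocol-mode=none
add name=br-net-c protocol-mode=none

/interface bridge port
add bridge=br-net-a interface=ether2
add bridge=br-net-a interface=vlan10-net-a
add bridge=br-net-b interface=ether3
add bridge=br-net-b interface=vlan20-net-b
add bridge=br-net-c interface=ether4
add bridge=br-net-c interface=vlan30-net-c

# "Just in case" isolation: the transit router must never forward at layer 3,
# and frames that already carry a VLAN tag are dropped on the access ports so
# a host on one network cannot tag its own traffic in an attempt to reach
# another bridge.
/ip firewall filter
add chain=forward action=drop comment="transit box never routes between nets"

/interface bridge filter
add chain=forward in-interface=ether2 mac-protocol=vlan action=drop
add chain=forward in-interface=ether3 mac-protocol=vlan action=drop
add chain=forward in-interface=ether4 mac-protocol=vlan action=drop
```

After applying this on both ends, a quick check is that ether2 on one side sees DHCP offers from the far ether2 only, and `/interface bridge host print` shows each client MAC learned on exactly one bridge.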