Setup Metro ethernet (KPN EVPN)

Hi, we have just replaced our existing DSL-based VPN solution with a metro ethernet one, connecting our 3 sites together over 10Mbit links. Now I just have a simple question. The telco set up the metro ethernet (layer 2 multipoint ethernet connection between the 3 sites) and installed Nortel 1400 ESM switches at each site. After that, they were gone and couldn't tell me how to further configure it.

If I'm right, I actually have an ethernet link between every site, but I cannot just plug the Nortels into the existing switches at each site since all sites are on a different subnet, right?

So do I need an ethernet router at each site, connected between the Nortel (WAN) and the existing LAN, and set up another new subnet for the "WAN net"? But what would I use as gateway on the WAN IP side?

Should it be like this?

site1 lan1lan2

etc.

Can somebody please point me in the right direction with this, since I'm a bit new to this kind of setup?

Thanks, Dennes

-- Dennes

is it this?


Could be - i.e. the WAN "cloud" is just an Ethernet.

If all your sites have the same IP subnet, you could just plug them in - but that would not be a good idea if you have any other links out. So routers at each site would be much better.

Or there might be some structure in the WAN - I have seen Ethernet WANs where different destinations are selected by 802.1Q VLAN.

Either way you need a router or a layer 3 switch at each location.

A mid-range router (Cisco 2811 or 3825) should be able to cope with 10M even if you need some processor-intensive stuff turned on such as QoS and multicast.

But if you think you might want faster links later then a layer 3 switch would be better (or if you already have an L3-capable box on the sites, you could just use a port on that).

-- stephen

Yep, that's it

All sites have different subnets, so plugging in won't work I guess. If I put routers at every site (3 in total), do I need to create a separate WAN subnet to interconnect the routers?

If I use a layer 3 switch instead of a router, does that need configuring, or is it just a matter of plugging it in and it works? Do you have a suggestion for a good, but not too expensive, layer 3 switch?

Thanks for taking the time to help! Much appreciated. Dennes

-- Dennes

That would be the classic way to do it. It also makes it easier to add extra sites later.

It is just a router with a built-in hardware-driven engine - so roughly the same amount of config as a router.

That translates into a few lines to type for simple setups, going up to dozens of lines when you add security, QoS and all the other stuff that might be needed.

If you might have to hire in expertise, the easiest to find already-trained people for is probably Cisco.

I like the Catalyst 3560s for low-end boxes, since they have most things you might want with the advanced s/w, and you can add that later if need be - but low end still means $3k list each, or $5k with the advanced s/w.

If that is too painful then Foundry, HP, maybe 3Com?

The ultimate in low cost is possibly to build a router on a Linux PC or server with some 10/100 cards.

-- stephen

The common configuration has your router as a leaf node, with only one upstream router. That isn't the case that you describe.

Some Linksys routers have a configuration setting called Gateway/Router. Gateway being the default setting with one upstream router, Router allowing static or dynamic (RIP) routes to multiple routers.

To work right, each router needs to know the address of each other router, and the (sub)nets reachable through that router.

-- glen herrmannsfeldt
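A worked example of the classic layout discussed in the replies above (one shared WAN subnet with every site router on it, plus a static route on each router for every other site's LAN, and no default route pointed at the WAN). This is added illustration written for this thread, not code from any of the posters. The site names, addresses and the `eth1` interface name are constructed assumptions; it checks that the LAN and WAN subnets do not overlap, derives the routes each router needs, and renders them as iproute2 commands for a Linux box used as the site router, the low-cost option stephen mentions.

```python
import ipaddress

# Constructed three-site topology (assumption, not from the thread).
# The metro Ethernet is one broadcast domain, so all three routers
# share a single small WAN subnet and reach each other directly.
WAN_SUBNET = "10.0.0.0/29"
SITES = {
    "site1": {"lan": "192.168.1.0/24", "wan_ip": "10.0.0.1"},
    "site2": {"lan": "192.168.2.0/24", "wan_ip": "10.0.0.2"},
    "site3": {"lan": "192.168.3.0/24", "wan_ip": "10.0.0.3"},
}


def validate(sites, wan_subnet):
    """Return a list of problems found in the addressing plan (empty when it is sound)."""
    wan = ipaddress.ip_network(wan_subnet)
    nets = {name: ipaddress.ip_network(s["lan"]) for name, s in sites.items()}
    problems = []
    # A LAN that overlaps the WAN subnet or another site's LAN cannot be routed to.
    for name, net in nets.items():
        if net.overlaps(wan):
            problems.append(f"{name} LAN {net} overlaps WAN subnet {wan}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} LAN {nets[a]} overlaps {b} LAN {nets[b]}")
    # Every router's WAN address must be a usable, unique host in the WAN subnet.
    seen = {}
    for name, s in sites.items():
        ip = ipaddress.ip_address(s["wan_ip"])
        if ip not in wan or ip in (wan.network_address, wan.broadcast_address):
            problems.append(f"{name} WAN address {ip} is not a usable host in {wan}")
        if ip in seen:
            problems.append(f"{name} reuses WAN address {ip} of {seen[ip]}")
        seen[ip] = name
    return problems


def static_routes(site, sites):
    """(destination LAN, next-hop WAN address) for every other site, as this router needs them."""
    return sorted((s["lan"], s["wan_ip"]) for name, s in sites.items() if name != site)


def iproute2_commands(site, sites, wan_subnet, wan_if="eth1"):
    """Render one site's WAN address and static routes as Linux iproute2 commands.

    Only the remote LANs are routed via the WAN; the default route (Internet)
    is deliberately left alone so it stays on whatever separate path the site uses.
    """
    prefixlen = ipaddress.ip_network(wan_subnet).prefixlen
    cmds = [
        f"ip addr add {sites[site]['wan_ip']}/{prefixlen} dev {wan_if}",
        "sysctl -w net.ipv4.ip_forward=1",
    ]
    for dest, via in static_routes(site, sites):
        cmds.append(f"ip route add {dest} via {via} dev {wan_if}")
    return cmds


if __name__ == "__main__":
    problems = validate(SITES, WAN_SUBNET)
    if problems:
        raise SystemExit("\n".join(problems))
    for site in SITES:
        print(f"# {site}")
        print("\n".join(iproute2_commands(site, SITES, WAN_SUBNET)))
```

Adding a fourth site is just another entry in `SITES`: the validator catches an overlapping LAN or a reused WAN address before anything is typed into a router, and each existing router gains exactly one new route.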

Forget router, I would put in a routing firewall. Whatever makes you believe the telco's promise that they have you on a private virtual ethernet? I know the Nortel OPTera 3500 product (which is probably what they build their metro network around if they are using a Nortel solution) well enough to know it would be extremely easy for them to put another company's virtual ethernets overlapping yours, even if by accident. One day in the future you might wake up finding that you have invited several other companies directly onto your internal network, with direct routes onto any of your hosts.

Did the ISP providing you the virtual ethernet also provide you an Internet connection on the same virtual ethernet? I don't see how they could do that unless they were providing a NAT router for you. I wouldn't feel safe connecting to the Internet through another vendor's NAT alone.

Presumably they gave you some instructions about your Internet router? The routing firewalls would route all Internet bound packets on a separate subnet that is exposed outbound to the Internet. Internal traffic between sites could go on a separate subnet connecting the various sites. Personally I would place your internal networks at each site on separate subnets of each routing firewall that are separate from the subnets that interconnect sites, and use VPN and firewall routing rules to make sure anything coming in from one of your other sites is probably authenticated.

-- Will
