My company is closing in on our transition to our new facility. We have our existing DS3 circuit plugged into our NetVanta 5305 router. At our new location, we'll have just 2 different segmented LANs, one for contracts and one for Headquarters. I'm trying to figure out what will be more efficient and secure moving forward. My main goal is to completely segment the two LANs with access to both only from the admin level. If that's not possible I can always run a second computer for network access to the other LAN if need be. Another important factor is that we will have a diverse dedicated backup line from another ISP, but it will be handed over as an Ethernet cable, not a BNC connector requiring a T3 wide module. I don't believe we'll have to worry about load balancing as the DS3 should be fine; our primary concern is having a dedicated backup line in a failover setup in case Verizon goes down.
Have the NetVanta 5305 as the Gateway Router at the edge of the network. I would utilize only the ETH 0/1 port and plug a SnapGear 560u router in behind the NetVanta. The SnapGear 560u has built-in firewall applications as well. I've configured this piece to have the primary and secondary Internet feeds. I can program the primary port to the NetVanta 5305 and then have the fail-safe/secondary dedicated line in place on the secondary port, which would feed directly to our other ISP. The SnapGear 560u has 5 Ethernet ports, 2 of which I've converted to dedicated Internet ports (1 for the NetVanta (Verizon) and 1 for the secondary ISP). The other 3 ports will act as LAN segments which will point directly to the primary line.
This scenario relies totally on the NetVanta 5305 as the gateway router and firewall solution with Dell managed switches behind it using VLANs. My question in this scenario is how I utilize my secondary dedicated line on the NetVanta 5305. Are there any tutorials on programming the NetVanta 5305 for failover and secondary lines? I'm assuming that the line would have to be plugged into the ETH 0/2 port and then configured in the GUI. ETH 0/1 would point to the internal switches.
Any help or guidance is greatly appreciated!
That is a common question about default-route vs. default-gateway. The command you are referencing (ip default-gateway <ip address>) is only applicable if the unit is in bridge mode. Here is an explanation of default-route vs. default-gateway: https://supportforums.adtran.com/docs/DOC-2443
Both scenarios would allow you to accomplish the goals you had in mind. The only question I would have regarding Scenario 1 is whether or not you would still want to restrict access to the 5305 itself. The reason I ask this is that you can leave the 5305's firewall off and simply manage all firewall functionality on the SnapGear 560u. However, if you plan on restricting access through the 5305 (i.e. admin access), then you would have the firewall function turned on for the 5305 and the SnapGear.
With Scenario 1, the failover, firewall, and VLANs would be controlled by the SnapGear. The 5305's functionality would simply be to terminate the T3 and pass off Ethernet to the router behind it. You could turn off the firewall functionality on the 5305 and let it simply be a passthrough device. Also, as I mentioned above, you could turn on the firewall on the 5305 to restrict admin access to it from the outside (or internally); however, the SnapGear would be the primary routing device in your network.
With Scenario 2, the failover, firewall, and VLANs would be controlled by the NetVanta 5305. You could keep your original T3 using the T3 module, and then terminate the secondary internet connection using the unused ethernet interface (ETH 0/2). The following guide explains how to set up WAN failover using network monitoring: Configuring WAN Failover with Network Monitor
In AOS, I will add that if the primary internet connection is using HDLC, frame-relay, or PPP, then you can simply use floating static routes instead of network monitoring to configure the failover. However, keep in mind you will still need to configure the NAT rules accordingly. The introduction in the guide will explain this.
As far as the idea of segmenting the two LANs in the 5305, you could configure trunking between the 5305 LAN port (ETH 0/1) and the switch that plugs directly into it. The switch would be configured for those 2 VLANs. The following guide explains how to configure interVLAN routing on the 5305: Configuring InterVLAN Routing in AOS - Quick Configuration Guide
As I mentioned earlier, either scenario will work and it is really up to the network administrator's preference how they would like to set it up. However, please do not hesitate to let us know if you have any further questions.
So in the case of scenario one, if I leave the current configs the way they are, I should be protected from outside access to the admin configs correct?
Also, I have an additional question. In our new building that's being constructed, we have data port connections everywhere, but there has been one request to have a wireless signal in a centrally located conference room. I know there are wireless options through the NetVanta 5305, but I don't really want to broadcast from that point outward. Is it possible and logical to run a data cable from our switch panels to a COTS wireless router located inside the conference room? I'd disable all DHCP functions on the router and set the IP address on the specified network needed, pointing through the gateway of the specific network. Would this work? Do you see any compatibility issues? Your help is greatly appreciated.
- I would have to see your current configuration to verify whether access is available from the outside to the NetVanta 5305, but if the firewall is disabled then anyone would be allowed to access the 5305 and view the configuration (assuming they had the credentials to log in). You can reply to this post with your configuration for us to review, but please remember to remove any information that may be sensitive to your network.
Regarding your wireless question, the NetVanta 5305 can only act as an Access Controller for a NetVanta Access Point (i.e. 150). Unless you have these NetVanta Access Points, the 5305 is unable to provide wireless. I cannot provide a recommendation on the setup or regarding the configuration of a non-Adtran wireless router or access point. However, if there was a NetVanta Access Point in your network, you could run a cable from the switch in your LAN to the location you would like to place the wireless router or access point (assuming the distance does not surpass the cable's distance maximum). The NetVanta 5305 would act as the wireless Access Controller, but the wireless signal would not be bound by where the 5305 is located.
Please do not hesitate to let us know if you have any further questions.
I have another question in regards to the segmenting of the networks through VLANs. With my two physically separated LANs that I'm joining together at one location, there will be no communication between the two. Both networks have independent file servers, printers and switches. By using the VLAN option with only the 5305, all I'll need to do is configure the trunking between ETH 0/1 and the switch, correct? Once I have the trunking configured, I can establish the 2 VLANs needed and then just route accordingly. If there's no communication between the two VLANs, would there be a necessity for interVLAN routing?
Your help is greatly appreciated.
Please disregard my last comment. I'll need the interVLAN routing because I'm only trunking 1 line from the 5305 ETH 0/1 to the Managed Switch correct?
- That is correct. You would be using ETH 0/2 for your secondary internet connection. The 5305 ETH 0/1 port would be set up as an 802.1Q trunk to your managed switch. You would have the ability to restrict access between those VLANs by configuring your firewall if you would like. However, the 5305, since it has routing capabilities, would be able to route between your VLANs.
Let us know if you have any questions.
Are there any specific guides for the 5305 series for configuring the 802.1q trunk in the GUI? Or any guides in relation to that?
Thanks, I just want to make sure I put in the right configurations.
- The following guide explains how to set up intervlan routing on an AOS router: Configuring InterVLAN Routing in AOS - Quick Configuration Guide
Please do not hesitate to let us know if you have any questions.
I've read through the InterVLAN Routing Guide and it's pretty straight forward.
I wanted to run my current information by you to see if you had any suggestions or if what I'm thinking will work. The two locations my company currently has right now are totally separate networks with different ISPs and networking equipment. When we transition to our new building, the existing T3 line we have at Location A will be transitioned. Having said that, the only network hooked into the 5305 right now is our Location A office set. They were set up as a private LAN using the 192.168.0.X/24 subnet (we have about 60 users). The default gateway of the router is 192.168.0.1. Our Location B network was set up years ago on the 192.168.1.x/24 subnet and we have about 15 users.
Having said all that, outside of using the interVLAN routing to hook in both subnets, I do not want to have any communication between the two VLANs. One VLAN will be our HQ setup, and the other VLAN will be our contract setup. I understand I'll need to identify the two VLANs in the 5305 using the 802.1Q encapsulation. Should I set up two private security zones with no communication between them internally? Basically I'd just be setting rules for each VLAN to be able to access the Internet, correct? Also, once I get past that, the current default gateway of the router is 192.168.0.1; should that be changed? I'm trying not to get ahead of myself. I have a pretty good understanding of what I need to do; I'm just trying to make the current configs work that we have, because they've been manually entered into each system.
So my questions from that:
- Do I need to change the default gateway of the 5305?
- I'll need to set up 2 VLANs with independent security zones with no communication between them.
- We have Dell PowerConnect switches that can be managed; I'll just need to identify the two VLANs and the ports being used.
- Am I missing anything?
Your help is so greatly appreciated!
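The following is an added example, not part of this thread and not an ADTRAN-published configuration, showing how Scenario 2 from the support reply (failover to ETH 0/2 with network monitoring) and the two-zone layout asked about in the last post could be expressed together in AOS CLI. Assumptions: the T3 is already bound to an HDLC interface named hdlc 1; the backup ISP hands off on eth 0/2 with gateway 203.0.113.1; VLAN 10 is HQ (192.168.0.0/24) and VLAN 20 is Contracts (192.168.1.0/24); the probe target 198.51.100.1 and the policy-class and list names are placeholders. NAT handling on the backup path is deliberately not shown; the WAN failover guide the reply points to covers that step.

```text
! Added example (not the original poster's config). Assumed names:
! hdlc 1 = primary T3, eth 0/2 = backup ISP, VLAN 10 = HQ, VLAN 20 = Contracts.
ip firewall
!
! --- LAN side: eth 0/1 is an 802.1Q trunk to the Dell switch; one
! --- subinterface per VLAN, each bound to its own security zone.
interface eth 0/1
  no ip address
  no shutdown
!
interface eth 0/1.1
  vlan-id 10
  ip address 192.168.0.1 255.255.255.0
  access-policy HQ
  no shutdown
!
interface eth 0/1.2
  vlan-id 20
  ip address 192.168.1.1 255.255.255.0
  access-policy Contracts
  no shutdown
!
! --- Backup WAN on the spare Ethernet port (assumed /30 from the ISP) ---
interface eth 0/2
  ip address 203.0.113.2 255.255.255.252
  access-policy Public
  no shutdown
!
! --- Access lists used by the policy classes ---
ip access-list extended matchall
  permit ip any any
!
ip access-list extended to-hq
  permit ip any 192.168.0.0 0.0.0.255
!
ip access-list extended to-contracts
  permit ip any 192.168.1.0 0.0.0.255
!
! --- Security zones. Entries are evaluated top-down: traffic destined for
! --- the other VLAN is discarded before the allow/NAT entries are reached,
! --- so the two LANs cannot talk even though the 5305 routes both.
ip policy-class HQ
  discard list to-contracts
  allow list matchall self
  nat source list matchall interface hdlc 1 overload
!
ip policy-class Contracts
  discard list to-hq
  allow list matchall self
  nat source list matchall interface hdlc 1 overload
!
! --- Public zone with no allow entries: unsolicited inbound traffic,
! --- including attempts to reach the 5305's management interfaces from
! --- either ISP, is dropped; only return traffic for NAT sessions passes.
ip policy-class Public
!
! --- Failover: ICMP probe across the T3; the tracked default route is
! --- withdrawn after 3 consecutive failures and the floating route
! --- (administrative distance 10) via the backup ISP takes over.
probe primary-isp icmp-echo
  destination 198.51.100.1
  period 10
  tolerance consecutive fail 3 pass 3
  no shutdown
!
track primary-wan
  test if probe primary-isp
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 hdlc 1 track primary-wan
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
```

Two points a practitioner would check before relying on this: first, the `discard` entries must precede the `nat` entries in each private policy class, otherwise inter-VLAN packets are translated and forwarded; second, because the Public policy class has no `allow` entries, administrative access to the 5305 is reachable only from the two LAN zones (the `self` entries), which is the restriction the support reply described for keeping the firewall enabled on the 5305. Probe the ISP's next hop or a host beyond it rather than the 5305's own WAN address, so that a circuit that is up at layer 1 but blackholing traffic still triggers the failover.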