share router yet keep networks separate (Linux Networking forum, Linux Forums)
Hello,
I have a temporary need to add a second network that will be allowed Internet access yet to be completely separate otherwise from the currently installed permanent network.

The T1 router is a Cisco 1720 with only one LAN port handling dynamic NAT for the permanent network on a private subnet such as 192.168.1.0/24. My thoughts are to add a nix box (which will also handle DHCP and DNS for this new temporary network) with 2 nic cards, one on the 192.168.1.0/24 subnet and the other on, for example, the 192.168.2.0/24 subnet and set it up to route to the current gateway.

Adding a second network port to the 1720 would probably be the best way but the need is temporary (and also immediate) and a PC (or even 2) is available for the task.

Questions. Will this work? Are there better ways?

Thanks.

Chris
On Sat, 22 Nov 2003 16:44:29 -0500, Chris Smith <chrisNO@SPAMrealcomputerguy.INVALID.com> wrote:

> My thoughts are to add a nix box (which will also handle DHCP and DNS for this new temporary network) with 2 nic cards, one on the 192.168.1.0/24 subnet and the other on, for example, the 192.168.2.0/24 subnet and set it up to route to the current gateway.

I think that the Cisco ethernet port can have sub-interfaces defined, with VLAN tagging, so the private subnets could be defined in the Cisco, on each sub-interface, and then use a VLAN-capable LAN switch to untag and separate the traffic onto each half of the switch. No old PC or *nix routing required.

- Eric
Eric wrote:

> On Sat, 22 Nov 2003 16:44:29 -0500, Chris Smith <chrisNO@SPAMrealcomputerguy.INVALID.com> wrote:
>
>> My thoughts are to add a nix box (which will also handle DHCP and DNS for this new temporary network) with 2 nic cards, one on the 192.168.1.0/24 subnet and the other on, for example, the 192.168.2.0/24 subnet and set it up to route to the current gateway.
>
> I think that the Cisco ethernet port can have sub-interfaces defined, with VLAN tagging, so the private subnets could be defined in the Cisco, on each sub-interface, and then use a VLAN-capable LAN switch to untag and separate the traffic onto each half of the switch. No old PC or *nix routing required.
>
> - Eric

I don't believe that the 1700 series routers do that. If they do, you'll need a Plus feature set which has been my experience on 2600s and 3640s.

-- Donovan Hill
Chris Smith wrote:

> Hello,
>
> I have a temporary need to add a second network that will be allowed Internet access yet to be completely separate otherwise from the currently installed permanent network.
>
> The T1 router is a Cisco 1720 with only one LAN port handling dynamic NAT for the permanent network on a private subnet such as 192.168.1.0/24. My thoughts are to add a nix box (which will also handle DHCP and DNS for this new temporary network) with 2 nic cards, one on the 192.168.1.0/24 subnet and the other on, for example, the 192.168.2.0/24 subnet and set it up to route to the current gateway.
>
> Adding a second network port to the 1720 would probably be the best way but the need is temporary (and also immediate) and a PC (or even 2) is available for the task.
>
> Questions. Will this work? Are there better ways?
>
> Thanks.
>
> Chris

Yes, fairly simple to do and will give you a good start. As your needs grow, look into Ethernet Bridging on Linux - this will give you capabilities that the really high-end routers give you for a fraction of the cost (though it's more complex to keep running). Most of those routers are really bespoke boxes round a standard computer with software in just this manner.

Best option is to put one box on the Cisco router, and set that one up to handle traffic inside and through the Cisco router (it will need three ethernet cards). Have the insecure intranet on one card, the secure intranet on another card and the Cisco router on the third. Unless your PC gets hacked, it's a very secure setup. A Pentium with a fair whack of memory (256MB-1GB) and a decent HDD (2GB+) will be ample.

If your needs are sufficiently commercial to make IP spoofing worthwhile, use another computer as a DNS host and only allow DNS requests to go to the router from this machine (even use MAC address as well as ethernet card to lock others out). All internal requests from the secure and insecure intranets will go to this box. Since this box is single-purpose, even a 386DX will do. More than ~32MB memory is fine and again a 1+GB HDD. If you have more than a few hundred users inside to look after, you may want to upgrade a step. More than a few hundred thousand, and you can afford professional help!
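As an added example, not code from any post in this thread, here is one way to build the two-NIC Linux router Chris proposes, with the separation that the last reply's "unless your PC gets hacked" layout depends on. The thread gives only the two subnets; the interface names (eth0/eth1), the box's addresses (192.168.1.2 on the permanent LAN, 192.168.2.1 on the temporary one), the 1720 at 192.168.1.1, and the use of iptables with conntrack are all assumptions. Because the 1720 does dynamic NAT for 192.168.1.0/24 only and has no route to 192.168.2.0/24, the script masquerades the temporary LAN behind the box's eth0 address instead of touching the Cisco. The security-relevant part is the FORWARD chain: the DROP toward 192.168.1.0/24 must precede the outbound ACCEPT, and the script refuses to load a ruleset where it does not.

```shell
#!/bin/sh
# Added example, not from the thread. A Linux box with two NICs that
# routes a temporary 192.168.2.0/24 LAN out through the existing 1720
# while keeping it separate from the permanent 192.168.1.0/24 LAN.
#
# Assumed layout (interface names and host addresses are assumptions):
#   eth0  192.168.1.2/24   permanent LAN, default gateway 192.168.1.1 (the 1720)
#   eth1  192.168.2.1/24   temporary LAN; this box is its gateway, DHCP and DNS
#
# The 1720 NATs only 192.168.1.0/24 and has no route back to 192.168.2.0/24,
# so this box masquerades the temporary LAN behind its own eth0 address.

PERM_IF=${PERM_IF:-eth0}
PERM_NET=${PERM_NET:-192.168.1.0/24}
PERM_ADDR=${PERM_ADDR:-192.168.1.2/24}
GATEWAY=${GATEWAY:-192.168.1.1}
TEMP_IF=${TEMP_IF:-eth1}
TEMP_NET=${TEMP_NET:-192.168.2.0/24}
TEMP_ADDR=${TEMP_ADDR:-192.168.2.1/24}

# Emit an iptables-restore ruleset. Policy: the temporary LAN may reach the
# Internet via the 1720 and may use DHCP/DNS on this box; it may not reach
# any host on the permanent LAN, and the permanent LAN cannot initiate
# connections into the temporary LAN.
gen_ruleset() {
temp_router=${TEMP_ADDR%/*}
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP and DNS from the temporary LAN, to this box only
-A INPUT -i $TEMP_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $TEMP_IF -d $temp_router -p udp --dport 53 -j ACCEPT
-A INPUT -i $TEMP_IF -d $temp_router -p tcp --dport 53 -j ACCEPT
# Administration (ssh) from the permanent LAN only
-A INPUT -i $PERM_IF -s $PERM_NET -p tcp --dport 22 -j ACCEPT
# Replies to flows this box already forwarded
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The separation requirement: nothing from the temporary LAN may reach
# a permanent-LAN address. Must come before the ACCEPT below.
-A FORWARD -i $TEMP_IF -d $PERM_NET -j DROP
# Anti-spoofing: only temporary-LAN sources may enter on its interface
-A FORWARD -i $TEMP_IF ! -s $TEMP_NET -j DROP
# Everything else from the temporary LAN goes out toward the 1720
-A FORWARD -i $TEMP_IF -o $PERM_IF -s $TEMP_NET -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $TEMP_NET -o $PERM_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated rules: the cross-LAN DROP must appear
# before the outbound ACCEPT in the FORWARD chain, otherwise the two
# networks are silently joined. Exit status 0 when the order is right.
separation_rule_first() {
    gen_ruleset | awk '
        /^-A FORWARD .* -d .* -j DROP$/ && !drop            { drop = NR }
        /^-A FORWARD .* -j ACCEPT$/ && !/ctstate/ && !acc   { acc = NR }
        END { exit !(drop && acc && drop < acc) }'
}

# Apply addresses, routes, forwarding and the ruleset (run as root).
apply_config() {
    ip addr add "$PERM_ADDR" dev "$PERM_IF"
    ip addr add "$TEMP_ADDR" dev "$TEMP_IF"
    ip link set "$PERM_IF" up
    ip link set "$TEMP_IF" up
    ip route add default via "$GATEWAY" dev "$PERM_IF"
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w "net.ipv4.conf.$TEMP_IF.rp_filter=1"
    separation_rule_first || { echo "ruleset misordered, refusing to load" >&2; return 1; }
    gen_ruleset | iptables-restore
}

case "${1:-show}" in
    apply) apply_config ;;
    *)     gen_ruleset ;;
esac
```

Run it without arguments to print the ruleset for review, and as root with `apply` to configure the box; a DHCP/DNS daemon on eth1 is assumed to be set up separately, the firewall only admits those two services. The three-card layout from the last reply is the same policy with one more inside interface: each inside interface gets its own DROP toward the other inside subnet ahead of its outbound ACCEPT. The alternative to masquerading is a static route for 192.168.2.0/24 on the 1720 pointing at 192.168.1.2, but then the Cisco's dynamic NAT access list must also match 192.168.2.0/24 or the temporary LAN's packets leave the T1 un-translated; masquerading keeps the Cisco configuration unchanged, which suits a temporary need.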