10-24-2013 02:08 PM - edited 03-04-2019 09:24 PM
Looking for help on how to set up a 3825 router connecting to an ISP via Metro Ethernet. The public IP pool given to me by the ISP is a /26. I would like to have my network equipment (10 3550-48 switches) on public IPs and then my end users (workstations plugged into the 3550 switches) on a NATed 10.x network routed to my ISP for internet access.
10-24-2013 09:18 PM
10-25-2013 05:24 AM
Thanks, I moved it. Now just need some help on a solution.
10-25-2013 10:24 AM
Here is the config I have so far. I will be doing a VLAN per building, with each building on its own IP block via DHCP. Can someone please let me know if I am making any errors? Also, for the VLAN sub-interfaces, do I need ip nat inside? I decided to use static NAT for remote access to my 3550 switches.
hostname HueRouter
!
ip subnet-zero
!
ip dhcp excluded-address 10.0.0.1 10.0.0.50
!
ip dhcp pool hue
network 10.0.0.0 255.0.0.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.0.0.1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
!
interface FastEthernet0/0.10
description Building 1
encapsulation dot1Q 10
ip address 10.10.1.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.20
description Building 2
encapsulation dot1Q 20
ip address 10.10.2.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.30
description Building 3
encapsulation dot1Q 30
ip address 10.10.3.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.40
description Building 4
encapsulation dot1Q 40
ip address 10.10.4.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.50
description Building 5
encapsulation dot1Q 50
ip address 10.10.5.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.60
description Building 6
encapsulation dot1Q 60
ip address 10.10.6.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.70
description Building 7
encapsulation dot1Q 70
ip address 10.10.7.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.80
description Building 8
encapsulation dot1Q 80
ip address 10.10.8.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.90
description Building 9
encapsulation dot1Q 90
ip address 10.10.9.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.100
description Building 10
encapsulation dot1Q 100
ip address 10.10.10.0 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.128
no ip directed-broadcast
ip nat outside
!
ip nat inside source static 10.0.0.2 1.1.1.3
ip nat inside source static 10.0.0.3 1.1.1.4
ip nat inside source static 10.0.0.4 1.1.1.5
ip nat inside source static 10.0.0.5 1.1.1.6
ip nat inside source static 10.0.0.6 1.1.1.7
ip nat inside source static 10.0.0.7 1.1.1.8
ip nat inside source static 10.0.0.8 1.1.1.9
ip nat inside source static 10.0.0.9 1.1.1.10
ip nat inside source static 10.0.0.10 1.1.1.11
ip nat inside source static 10.0.0.11 1.1.1.12
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line vty 0 15
password password_here
login
!
enable secret password_here
service password-encryption
10-25-2013 11:20 AM
You will need 'ip nat inside' on the internal interfaces.
10-25-2013 12:17 PM
Thank you, I was thinking the sub-interfaces needed it but was unsure. Anything else that needs attention?
10-25-2013 12:52 PM
Everything else looks fine; I have two comments though. If possible, I would use the actual IP address of the ISP gateway in your default route rather than the interface. You can also think about using static PAT rather than opening up every port to those hosts.
10-25-2013 12:59 PM
Have you actually got this configuration on a router? I would think that a Cisco router would not accept this on a main interface, "ip address 10.0.0.1 255.0.0.0", and this on a subinterface, "ip address 10.10.1.0 255.255.255.0", because of the overlapping address assignments.
Also, I am not sure that you could have these 10 subnets all using the same pool of the /8 address. I would wonder if you will not need 10 individual pools configured.
If you do have it configured and it does work then please post back to the forum confirming that it does work.
HTH
Rick
10-25-2013 01:21 PM
It is not a running config yet. I will not have access to the gear till the day it is deployed, which is what is making me nervous, and I will be cutting over a live system.
I ran the GNS3 simulator and was able to give it 10.10.1.1 255.255.255.0 on the sub-interface with 10.0.0.1 255.0.0.0, and it let me. As soon as I did a no shut it gave me an overlap.
I will make a pool for VLAN 1 and a separate pool for each other VLAN.
Any other issues? Do I have routing done correctly?
10-25-2013 01:39 PM
If it gave you an overlap when you did a no shut then I would be very nervous about trying to use this concept for a live cutover.
I had not looked closely at your routing. But now that I do, I absolutely agree with the previous suggestion that you should not use ip route 0.0.0.0 0.0.0.0 FastEthernet1. There are several reasons why this is not a good thing to do and why you should specify the IP of the next hop in the static default route.
HTH
Rick
10-25-2013 02:16 PM
I missed the overlap and the DHCP scope. You would definitely need a scope for each subnet as Richard suggested. Do you need an IP address on the physical interface? Is this one of your subnets for the buildings? You said ten buildings and you already have ten vlans and sub interfaces.
10-25-2013 02:28 PM
Here is the updated config adding a pool for each VLAN. Will my routing statement and access list 1 work, or do I need one for each subnet?
hostname HueRouter
!
ip subnet-zero
ip cef
ip cef load-sharing algorithm original
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.10.50.1 10.10.50.100
ip dhcp excluded-address 10.10.1.1 10.10.1.20
ip dhcp excluded-address 10.10.2.1 10.10.2.20
ip dhcp excluded-address 10.10.3.1 10.10.3.20
ip dhcp excluded-address 10.10.4.1 10.10.4.20
ip dhcp excluded-address 10.10.5.1 10.10.5.20
ip dhcp excluded-address 10.10.6.1 10.10.6.20
ip dhcp excluded-address 10.10.7.1 10.10.7.20
ip dhcp excluded-address 10.10.8.1 10.10.8.20
ip dhcp excluded-address 10.10.9.1 10.10.9.20
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool lan1
network 10.10.50.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.50.1
lease 0 3
!
ip dhcp pool bld1
network 10.10.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.1.1
lease 0 3
!
ip dhcp pool bld2
network 10.10.2.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.2.1
lease 0 3
!
ip dhcp pool bld3
network 10.10.3.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.3.1
lease 0 3
!
ip dhcp pool bld4
network 10.10.4.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.4.1
lease 0 3
!
ip dhcp pool bld5
network 10.10.5.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.5.1
lease 0 3
!
ip dhcp pool bld6
network 10.10.6.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.6.1
lease 0 3
!
ip dhcp pool bld7
network 10.10.7.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.7.1
lease 0 3
!
ip dhcp pool bld8
network 10.10.8.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.8.1
lease 0 3
!
ip dhcp pool bld9
network 10.10.9.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.9.1
lease 0 3
!
ip dhcp pool bld10
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.10.10.1
lease 0 3
!
interface FastEthernet0/0
ip address 10.10.50.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
!
interface FastEthernet0/0.10
description Building 1
encapsulation dot1Q 10
ip address 10.10.1.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.20
description Building 2
encapsulation dot1Q 20
ip address 10.10.2.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.30
description Building 3
encapsulation dot1Q 30
ip address 10.10.3.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.40
description Building 4
encapsulation dot1Q 40
ip address 10.10.4.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.50
description Building 5
encapsulation dot1Q 50
ip address 10.10.5.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.60
description Building 6
encapsulation dot1Q 60
ip address 10.10.6.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.70
description Building 7
encapsulation dot1Q 70
ip address 10.10.7.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.80
description Building 8
encapsulation dot1Q 80
ip address 10.10.8.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.90
description Building 9
encapsulation dot1Q 90
ip address 10.10.9.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/0.100
description Building 10
encapsulation dot1Q 100
ip address 10.10.10.1 255.255.255.0
no snmp trap link-status
ip nat inside
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.128
no ip directed-broadcast
ip nat outside
!
ip nat inside source static 10.10.50.2 1.1.1.3
ip nat inside source static 10.10.50.3 1.1.1.4
ip nat inside source static 10.10.50.4 1.1.1.5
ip nat inside source static 10.10.50.5 1.1.1.6
ip nat inside source static 10.10.50.6 1.1.1.7
ip nat inside source static 10.10.50.7 1.1.1.8
ip nat inside source static 10.10.50.8 1.1.1.9
ip nat inside source static 10.10.50.9 1.1.1.10
ip nat inside source static 10.10.50.10 1.1.1.11
ip nat inside source static 10.10.50.11 1.1.1.12
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line vty 0 15
password password_here
login
!
enable secret password_here
service password-encryption
!
end
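Since the router cannot be touched until cutover day, a script that applies the points made in the replies to the pasted config is a useful pre-check. The checker below is an added example written for this thread, not Cisco's code and not the poster's; it uses its own minimal parser that understands only the IOS commands this thread uses. The config embedded in it is constructed, not the poster's, and carries one of each mistake discussed so far: the subnet overlap that the simulator reported at "no shut", a sub-interface given the .0 network address, a duplicated dot1Q tag, a sub-interface without "ip nat inside", a static NAT entry whose inside address is on no inside subnet (it also notes that a one-to-one static entry forwards every port, which is why static PAT was suggested), and a default route that names only the exit interface. Interface names and addresses in the sample are assumptions.

```python
"""Pre-cutover checks for a pasted IOS config: an added example written for this
thread, not Cisco code. It parses only the commands the thread uses and flags
the mistakes the replies point out."""
import ipaddress
from collections import Counter

# Constructed sample, not the poster's config: a cut-down version carrying one
# instance of each defect the checks below look for.
SAMPLE_CONFIG = """interface FastEthernet0/0
 ip address 10.10.50.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.1.0 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 10
 ip address 10.10.3.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.128
 ip nat outside
!
ip nat inside source static 10.0.50.2 1.1.1.3
ip nat inside source static tcp 10.10.50.3 22 1.1.1.4 22
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
"""


def parse_config(text):
    """Return (interfaces, static NAT entries, default routes) from IOS-style text."""
    ifaces, nats, routes, cur = {}, [], [], None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            cur = None
        elif w[0] == "interface":
            cur = ifaces.setdefault(w[1], {"addr": None, "vlan": None, "nat": None})
        elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
            # 'static <local> <global>' or 'static tcp|udp <local> <lport> <global> <gport>'
            pat = w[5] in ("tcp", "udp")
            nats.append((ipaddress.IPv4Address(w[6] if pat else w[5]), w[8] if pat else w[6], pat))
            cur = None
        elif w[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            routes.append(w[4:])
            cur = None
        elif cur is None:
            continue
        elif w[:2] == ["ip", "address"] and len(w) == 4:
            cur["addr"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        elif w[:2] == ["encapsulation", "dot1Q"]:
            cur["vlan"] = int(w[2])
        elif w[:2] == ["ip", "nat"]:
            cur["nat"] = w[2]
    return ifaces, nats, routes


def check_config(text):
    """Run every check and return the list of findings (an empty list means clean)."""
    ifaces, nats, routes = parse_config(text)
    up = [(n, i["addr"], i["nat"]) for n, i in ifaces.items() if i["addr"]]
    f = []
    # Overlapping connected subnets: the error the poster's simulator raised at 'no shut'.
    for x, (na, aa, _) in enumerate(up):
        for nb, ab, _ in up[x + 1:]:
            if aa.network.overlaps(ab.network):
                f.append(f"overlap: {na} {aa} with {nb} {ab}")
    # A subnet or broadcast address given where a host address belongs.
    for n, a, _ in up:
        if a.network.prefixlen < 31 and a.ip in (a.network.network_address, a.network.broadcast_address):
            f.append(f"not a host address: {n} {a}")
    # The same 802.1Q tag on two sub-interfaces.
    for vlan, k in Counter(i["vlan"] for i in ifaces.values() if i["vlan"]).items():
        if k > 1:
            f.append(f"vlan {vlan} tagged on {k} subinterfaces")
    # An addressed interface with neither 'ip nat inside' nor 'ip nat outside'.
    f += [f"no ip nat inside/outside: {n}" for n, _, nat in up if nat is None]
    # Static NAT: the inside-local address must sit on an inside subnet, and a
    # one-to-one entry forwards every port, which is where static PAT is preferable.
    inside = [a.network for _, a, nat in up if nat == "inside"]
    for local, glob, pat in nats:
        if not any(local in net for net in inside):
            f.append(f"static nat {local}->{glob}: {local} is on no inside subnet")
        if not pat:
            f.append(f"static nat {local}->{glob} forwards every port; consider static PAT")
    # A default route naming only an exit interface; a dotted-quad next hop has three dots.
    for hop in routes:
        if not any(w.count(".") == 3 for w in hop):
            f.append(f"default route via {' '.join(hop)} has no next-hop address")
    return f
```

Calling check_config(SAMPLE_CONFIG) returns eight findings for the constructed sample, one per defect listed above (the /16 mask typo on the third sub-interface overlaps two other subnets, so it is reported twice); paste a real config into check_config and an empty list means none of the thread's mistakes were found. The parser deliberately ignores every command it does not know, so it can take a raw forum paste with or without indentation.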
10-25-2013 07:24 PM
Looks good, except why do you need this?
interface FastEthernet0/0
ip address 10.10.50.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
And remember to point the default route to the next hop IP if you can.
10-25-2013 07:30 PM
I like the individual DHCP scopes. I believe that your access list 1 and address translation will work OK. You still have a problem with your static default route specifying just the outbound interface. There are several negative aspects of doing it this way. You should change it to also specify the next-hop IP address.
HTH
Rick
Sent from Cisco Technical Support iPhone App