
3825 Setup DHCP and Nat

jtothemak
Level 1

Looking for help on how to set up a 3825 router connecting to an ISP via metro Ethernet. The public IP pool given to me by the ISP is a /26. I would like to have my network equipment (10 3550-48 switches) on public IPs and then my end users (workstations plugged into 3550 switches) on a NATed .10 network directed to my ISP for internet access.

13 Replies

paolo bevilacqua
Hall of Fame

Wrong forum, post in "WAN and routing". You can move your posting with the Actions panel on the right.

Thanks, I moved it. Now I just need some help on a solution.

Here is the config I have so far. I will be doing a VLAN per building, with each building on their own IP block via DHCP. Can someone please let me know if I am making any errors? Also, for the VLAN sub interfaces, do I need ip nat inside? I decided to use static NAT for remote access to my 3550 switches.

hostname HueRouter

!

ip subnet-zero

!

ip dhcp excluded-address 10.0.0.1 10.0.0.50

!

ip dhcp pool hue

  network 10.0.0.0 255.0.0.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.0.1

!

interface FastEthernet0

ip address 10.0.0.1 255.0.0.0

no ip directed-broadcast

ip nat inside

no ip mroute-cache

!

interface FastEthernet0/0.10

description Building 1

encapsulation dot1Q 10

ip address 10.10.1.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.20

description  Building 2

encapsulation dot1Q 20

ip address 10.10.2.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.30

description  Building 3

encapsulation dot1Q 40

ip address 10.10.3.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.40

description  Building 4

encapsulation dot1Q 40

ip address 10.10.4.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.50

description  Building 5

encapsulation dot1Q 50

ip address 10.10.5.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.60

description  Building 6

encapsulation dot1Q 60

ip address 10.10.6.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.70

description  Building 7

encapsulation dot1Q 70

ip address 10.10.7.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.80

description  Building 8

encapsulation dot1Q 80

ip address 10.10.8.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.90

description  Building 9

encapsulation dot1Q 90

ip address 10.10.9.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.100

description  Building 10

encapsulation dot1Q 100

ip address 10.10.10.0 255.255.255.0

no snmp trap link-status

!

interface FastEthernet1

ip address 1.1.1.1 255.255.255.128

no ip directed-broadcast

ip nat outside

!

ip nat inside source static 10.0.0.2 1.1.1.3

ip nat inside source static 10.0.0.3 1.1.1.4

ip nat inside source static 10.0.0.4 1.1.1.5

ip nat inside source static 10.0.0.5 1.1.1.6

ip nat inside source static 10.0.0.6 1.1.1.7

ip nat inside source static 10.0.0.7 1.1.1.8

ip nat inside source static 10.0.0.8 1.1.1.9

ip nat inside source static 10.0.0.9 1.1.1.10

ip nat inside source static 10.0.0.10 1.1.1.11

ip nat inside source static 10.0.0.11 1.1.1.12

ip nat inside source list 1 interface FastEthernet1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet1

no ip http server

!

access-list 1 permit 10.0.0.0 0.255.255.255

!

line vty 0 15

password password_here

enable secret password_here

service password-enc

You will need 'ip nat inside' on the internal interfaces.

Thank you. I was thinking the sub interfaces needed it but was unsure. Anything else that needs attention?

Everything else looks fine, I have two comments though. If possible I would use the actual IP address for the ISP gateway in your default route rather than the interface. You can also think about using static PAT rather than opening up every port to those hosts.

Have you actually got this configuration on a router? I would think that a Cisco router would not accept this on a main interface: ip address 10.0.0.1 255.0.0.0, and this on a subinterface: ip address 10.10.1.0 255.255.255.0, because of the overlapping address assignments.

Also I am not sure that you could have these 10 subnets all using the same pool of the /8 address. I would wonder if you will not need 10 individual pools configured.

If you do have it configured and it does work then please post back to the forum confirming that it does work.

HTH

Rick


It is not a running config yet.  I will not have access to the gear till the day it is deployed which is what is making me nervous and cutting over a live system.

I ran a simulator, GNS3, and was able to give it 10.10.1.1 255.255.255.0 on the sub interface with 10.0.0.1 255.0.0.0 and it let it. As soon as I did a no shut it gave me an overlap.

I will make a pool for VLAN1 and a separate pool for each other VLAN.

Any other issues?  Do I have routing done correctly?

If it gave you an overlap when you did a no shut then I would be very nervous about trying to use this concept for a live cutover.

I had not looked closely at your routing. But now that I do I absolutely do agree with the previous suggestion that you should not use ip route 0.0.0.0 0.0.0.0 FastEthernet1. There are several reasons why this is not a good thing to do and that you should specify the IP of the next hop in the static default route.

HTH

Rick


I missed the overlap and the DHCP scope. You would definitely need a scope for each subnet as Richard suggested. Do you need an IP address on the physical interface? Is this one of your subnets for the buildings? You said ten buildings and you already have ten vlans and sub interfaces.

Here is the updated config, adding a pool for each VLAN. Will my routing statement and access list 1 work or do I need to do one for each subnet?

hostname HueRouter

!

ip subnet-zero

ip cef

ip cef load-sharing algorithm original

!

no ip dhcp conflict logging

ip dhcp excluded-address 10.0.50.1 10.0.50.100

ip dhcp excluded-address 10.0.1.1 10.0.1.20

ip dhcp excluded-address 10.0.2.1 10.0.2.20

ip dhcp excluded-address 10.0.3.1 10.0.3.20

ip dhcp excluded-address 10.0.4.1 10.0.4.20

ip dhcp excluded-address 10.0.5.1 10.0.5.20

ip dhcp excluded-address 10.0.6.1 10.0.6.20

ip dhcp excluded-address 10.0.7.1 10.0.7.20

ip dhcp excluded-address 10.0.8.1 10.0.8.20

ip dhcp excluded-address 10.0.9.1 10.0.9.20

ip dhcp excluded-address 10.0.10.1 10.0.10.20

!

ip dhcp pool lan1

  network 10.10.50.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.50.1

  lease 0 3

!

ip dhcp pool bld1

  network 10.10.1.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.1.1

  lease 0 3

!

ip dhcp pool bld2

  network 10.10.2.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.2.1

  lease 0 3

!

ip dhcp pool bld3

  network 10.10.3.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.3.1

  lease 0 3

!

ip dhcp pool bld4

  network 10.10.4.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.4.1

  lease 0 3

!

ip dhcp pool bld5

  network 10.10.5.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.5.1

  lease 0 3

!

ip dhcp pool bld6

  network 10.10.6.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.6.1

  lease 0 3

!

ip dhcp pool bld7

  network 10.10.7.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.7.1

  lease 0 3

!

ip dhcp pool bld8

  network 10.10.8.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.8.1

  lease 0 3

!

ip dhcp pool bld9

  network 10.10.9.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.9.1

  lease 0 3

!

ip dhcp pool bld10

  network 10.10.10.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 10.0.10.1

  lease 0 3

!

interface FastEthernet0/0

ip address 10.10.50.1 255.255.255.0

no ip directed-broadcast

ip nat inside

no ip mroute-cache

!

interface FastEthernet0/0.10

description Building 1

encapsulation dot1Q 10

ip address 10.10.1.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.20

description  Building 2

encapsulation dot1Q 20

ip address 10.10.2.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.30

description  Building 3

encapsulation dot1Q 40

ip address 10.10.3.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.40

description  Building 4

encapsulation dot1Q 40

ip address 10.10.4.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.50

description  Building 5

encapsulation dot1Q 50

ip address 10.10.5.1 255.255.255.0

no snmp trap link-status

!

interface FastEthernet0/0.60

description  Building 6

encapsulation dot1Q 60

ip address 10.10.6.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.70

description  Building 7

encapsulation dot1Q 70

ip address 10.10.7.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.80

description  Building 8

encapsulation dot1Q 80

ip address 10.10.8.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.90

description  Building 9

encapsulation dot1Q 90

ip address 10.10.9.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/0.100

description  Building 10

encapsulation dot1Q 100

ip address 10.10.10.1 255.255.255.0

no snmp trap link-status

ip nat inside

!

interface FastEthernet0/1

ip address 1.1.1.1 255.255.255.128

no ip directed-broadcast

ip nat outside

!

ip nat inside source static 10.0.50.2 1.1.1.3

ip nat inside source static 10.0.50.3 1.1.1.4

ip nat inside source static 10.0.50.4 1.1.1.5

ip nat inside source static 10.0.50.5 1.1.1.6

ip nat inside source static 10.0.50.6 1.1.1.7

ip nat inside source static 10.0.50.7 1.1.1.8

ip nat inside source static 10.0.50.8 1.1.1.9

ip nat inside source static 10.0.50.9 1.1.1.10

ip nat inside source static 10.0.50.10 1.1.1.11

ip nat inside source static 10.0.50.11 1.1.1.12

ip nat inside source list 1 interface FastEthernet1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet1

no ip http server

!

access-list 1 permit 10.0.0.0 0.255.255.255

!

line vty 0 15

password password_here

enable secret password_here

service password-enc

!

end

Looks good, except why do you need this?

interface FastEthernet0/0

ip address 10.10.50.1 255.255.255.0

no ip directed-broadcast

ip nat inside

no ip mroute-cache

And remember to point the default route to the next hop IP if you can.

Richard Burts
Hall of Fame

I like the individual DHCP scopes. I believe that your access list 1 and address translation will work ok. You still have a problem with your static default route specifying just the outbound interface. There are several negative aspects of doing it this way. You should change it to also specify the next hop IP address.

HTH

Rick

Sent from Cisco Technical Support iPhone App
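
An added example, not part of any post in this thread: a small Python check for the issues the replies raise (overlapping interface subnets, inside subinterfaces without 'ip nat inside', subnets without their own DHCP pool, and a default route that names only an interface). The sample config is constructed, and treating RFC 1918 addresses as "inside" is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample modelled on the first config in the thread (not a real device).
SAMPLE = """\
ip dhcp pool hue
 network 10.0.0.0 255.0.0.0
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
interface FastEthernet0/0.10
 ip address 10.10.1.1 255.255.255.0
interface FastEthernet0/0.20
 ip address 10.10.2.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.128
 ip nat outside
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
"""

def lint(config):
    """Return a list of findings for the issues raised in the thread."""
    ifaces, pools, findings, cur = {}, set(), [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif re.match(r"ip dhcp pool \S+$", line):
            cur = "pool"
        elif cur == "pool" and (m := re.match(r"network (\S+) (\S+)$", line)):
            pools.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif isinstance(cur, dict) and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif isinstance(cur, dict) and (m := re.match(r"ip nat (inside|outside)$", line)):
            cur["nat"] = m.group(1)
        elif re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 [A-Za-z]\S*$", line):
            findings.append("default route names only an interface, no next-hop IP")
    nets = [(n, d) for n, d in ifaces.items() if d["net"]]
    for i, (n1, d1) in enumerate(nets):
        for n2, d2 in nets[i + 1:]:
            if d1["net"].overlaps(d2["net"]):
                findings.append(f"{n1} {d1['net']} overlaps {n2} {d2['net']}")
    for n, d in nets:
        inside = d["net"].is_private  # assumption: RFC 1918 space is "inside"
        if inside and d["nat"] != "inside":
            findings.append(f"{n}: missing 'ip nat inside'")
        if inside and d["net"] not in pools:
            findings.append(f"{n}: no DHCP pool for {d['net']}")
    return findings
```

Calling lint(SAMPLE) returns six findings; a config with one pool per subnet, 'ip nat inside' on every inside subinterface, no overlapping addresses and a next-hop IP in the default route returns an empty list.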
