03-09-2019 08:23 AM
Hello
I had a similar post trying to access 1 subnet from another going through my 5508-X, but my approach was wrong. I was exiting 1 subnet into the ASA and then back into the other subnet via its WAN port, but being that the 2nd subnet is on a VPN tunnel 100%, there was no way to enter it. So my new approach is to place a router between the 2 other routers and access them this way, if it is possible.
I would be using the 891f for one simple purpose: to connect to 2 other subnets. I have a topology picture showing exactly what I wanted to do.
I assume that on the 891f I would create 2 VLANs where they each point to their separate IPs from the routers and then create an IP route between the 2? Not sure if I would need NAT or an ACL, but really it's just going to be utilized to connect the 2.
I have 2 routers because one is on the net with no VPN and 1 is always on. If I put all devices on the VPN then I cannot access various locations such as my bank or Netflix etc. So really, my NAS and private PCs are on the VPN, but I want the subnet on the open router to access the VPN. This cannot happen with a front/WAN approach, as the VPN creates the tunnel.
Any guidance would be appreciated.
03-09-2019 09:48 AM
Hello,
--> I assume that on the 891f I would create 2 VLANs where they each point to their separate IPs from the routers and then create an IP route between the 2? Not sure if I would need NAT or an ACL, but really it's just going to be utilized to connect the 2.
If you create two VLANs (and associated SVIs), routing between both will be automatic. What traffic do you want to send where? Your best option is to use policy routing. Do you already have a configuration you can post?
03-09-2019 10:14 AM - edited 03-09-2019 10:34 AM
Good Morning
Really the only reason I would want my 10.0.1.X subnet to see my 10.0.2.X subnet would be to access the NAS on 10.0.2.111:9090.
I wanted to go the route of the 2 x VLANs, but I get confused over them. Would the Cisco VLANs be set to use one of the IPs from their respective subnets, or am I creating a new IP subnet on the 891?
I would assume that VLAN 1, connecting to 10.0.1.1, would be told to use the 10.0.1.5 IP (example) with a 255.255.255.0 mask and 10.0.1.1 as a gateway, and the same for VLAN 2 but in 10.0.2.x format.
The 891f needs no other internet access, except for 10.0.1.1 to see 10.0.2.1 (10.0.2.111:9090).
03-09-2019 12:53 PM
Hello,
This is what the SVIs would look like. The IP addresses are the default gateways for the clients in Vlan 1 and Vlan 2:
interface Vlan 1
ip address 10.0.1.1 255.255.255.0
interface Vlan 2
ip address 10.0.2.1 255.255.255.0
03-09-2019 01:14 PM - edited 03-12-2019 01:58 PM
Thank you so much.
I am at a complete standstill here. I tried to assign each VLAN the 10.0.1.1 and 10.0.2.1 but got an IP address conflict, as the routers I am connecting to have them as their gateways, so I assigned VLAN 2 and VLAN 3 10.0.1.115 and 10.0.2.115.
What I have now is that through my Cisco ASA I can ping 10.0.1.1, 10.0.1.115, 10.0.2.1, 10.0.2.115 AND 10.0.2.111 (NAS), so that is a plus. There is clearly a route to my NAS.
From my 10.0.1.x PC I can ping 10.0.1.115 (Cisco VLAN 2, interface 6) and 10.0.2.115 (Cisco VLAN 3, interface 7) but that is it... So my PC (10.0.1.110) can see this side of the VLAN to the other side of the VLAN, but not beyond. Being that I can see the other side of the VLAN through the Cisco, would the problem lie in a NAT config or IP route on the Cisco, or on my open router 10.0.1.x? I figured it was on the Cisco end because technically I can see the other VLAN from this one.
Here are some configurations for my ASA:
show ip interface brief
Interface IP-Address OK? Method Status Protocol
Async3 unassigned YES unset down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES unset down down
GigabitEthernet1 unassigned YES unset down down
GigabitEthernet2 unassigned YES unset down down
GigabitEthernet3 unassigned YES unset down down
GigabitEthernet4 unassigned YES unset down down
GigabitEthernet5 unassigned YES unset down down
GigabitEthernet6 unassigned YES unset up up
GigabitEthernet7 unassigned YES unset up up
GigabitEthernet8 unassigned YES NVRAM administratively down down
Vlan1 unassigned YES unset down down
Vlan2 10.0.1.115 YES NVRAM up up
Vlan3 10.0.2.115 YES NVRAM up up
show vlans
No Virtual LANs configured.
show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0, Gi1, Gi2, Gi3, Gi4, Gi5
2 Open active Gi6
3 VPN active Gi7
9 VLAN0009 active
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
9 enet 100009 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
show running-config
Current configuration : 1854 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid C891F-K9 sn FGL212791GJ
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
switchport access vlan 2
no ip address
!
interface GigabitEthernet7
switchport access vlan 3
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.0.1.115 255.255.255.0
!
interface Vlan3
ip address 10.0.2.115 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 10.0.1.0 255.255.255.255 10.0.2.0
ip route 10.0.1.115 255.255.255.255 10.0.2.0
ip route 10.0.2.0 255.255.255.255 10.0.1.0
ip route 10.0.2.115 255.255.255.255 10.0.1.0
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
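An added example, not from the thread or from Cisco: a small Python checker that parses the four `ip route` lines of the 891F running-config above against its two SVI addresses and reports why each one cannot carry traffic. The next hops 10.0.2.0 and 10.0.1.0 are network addresses rather than hosts on a connected subnet, the 255.255.255.255 masks turn the .0 entries into single-host routes, and both destinations are already directly connected to the SVIs, so no static route is needed for them at all. The SVI dictionary and the route text are copied from the posted config; any other addresses in the code are constructed.

```python
import ipaddress
import re

# SVI addresses and static routes copied from the 891F config posted above.
SVIS = {"Vlan2": "10.0.1.115/24", "Vlan3": "10.0.2.115/24"}
ROUTES = """
ip route 10.0.1.0 255.255.255.255 10.0.2.0
ip route 10.0.1.115 255.255.255.255 10.0.2.0
ip route 10.0.2.0 255.255.255.255 10.0.1.0
ip route 10.0.2.115 255.255.255.255 10.0.1.0
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")


def parse_routes(text):
    """Return (destination network, next hop) pairs from IOS 'ip route' lines."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        # ipaddress accepts 'addr/dotted-mask'; strict=False keeps host bits.
        dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes.append((dest, ipaddress.ip_address(m.group(3))))
    return routes


def check_routes(svis, route_text):
    """Flag static routes that cannot work given the router's connected subnets."""
    connected = [ipaddress.ip_interface(a).network for a in svis.values()]
    findings = []
    for dest, nh in parse_routes(route_text):
        # The next hop must be a usable host on a directly connected subnet;
        # a network address such as 10.0.2.0 is never a reachable neighbor.
        on_link = [n for n in connected if nh in n]
        if not on_link:
            findings.append(f"{dest} -> {nh}: next hop not on any connected subnet")
        elif nh in (on_link[0].network_address, on_link[0].broadcast_address):
            findings.append(f"{dest} -> {nh}: next hop is a network/broadcast address")
        # A /32 whose last octet is 0 is almost certainly a mistyped /24.
        if dest.prefixlen == 32 and dest.network_address.packed[-1] == 0:
            findings.append(f"{dest}: host mask on a network address (meant /24?)")
        # Connected subnets are already in the routing table; a static is redundant.
        if any(dest.subnet_of(n) for n in connected):
            findings.append(f"{dest}: destination is already directly connected")
    return findings


if __name__ == "__main__":
    for f in check_routes(SVIS, ROUTES):
        print(f)
```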
03-11-2019 10:45 AM
03-13-2019 10:12 AM
Any other suggestions?