07-10-2019 11:22 PM
We have just installed an ASR1001-X router and need to support 3 VLANs at present.
Is there any information/documentation on how to do this?
At present we have three sub-interfaces on physical port G0/0/3, namely 0/0/3.3, 0/0/3.4 and 0/0/3.5.
How do I configure the physical and logical ports to communicate with the LAN and Internet?
Any suggestions or references will be greatly appreciated.
With kind regards, Rob.
07-11-2019 12:06 AM
Hello Rbrien,
you need to associate each subinterface to the desired Vlan id
Example:
int gi0/0/3
no shut
no ip address
int gi0/0/3.3
encapsulation dot1q 30
ip address 10.10.30.1 255.255.255.0
exit
int gi0/0/3.4
enc dot1q 40
ip address 10.10.40.1 255.255.255.0
exit
int gi0/0/3.5
enc dot1q 50
ip address 10.10.50.1 255.255.255.0
note: usually best practice is to use a subinterface index equal to the Vlan id you want to associate
example
int gi0/0/3.60
enc dot1q 60
This helps in troubleshooting, but the subinterface index can be different from the VLAN associated with the encapsulation command.
The gi0/0/3 port has to be connected to a switch configured as an 802.1Q trunk allowing all necessary Vlans
Example:
int gi0/25
desc to ASR1001 : gi0/0/3
switchport
switchport mode trunk
switchport trunk allowed vlan 30,40,50
!
This should allow the new router to act as a router on a stick using subinterfaces and perform inter-VLAN routing if required.
For Internet access you will need to use NAT = Network Address translation.
all internal interfaces will have ip nat inside command
int gi0/0/3.x
ip nat inside
the interface to the internet having a public IP address (likely) for example gi0/0/0
will have ip nat outside
int gi0/0/0
desc interface to internet
! public IP address
ip nat outside
Then you will define an access-list like the following
access-list 11 permit 10.10.30.0 0.0.0.255
access-list 11 permit 10.10.40.0 0.0.0.255
access-list 11 permit 10.10.50.0 0.0.0.255
! key command to enable NAT, the overload option is needed to allow multiple internal hosts to access the internet
ip nat inside source list 11 interface gi0/0/0 overload
Note:
The NAT configuration proposed above is a basic setup that works well if you don't have IPsec VPNs with remote sites and have a single exit interface to the Internet.
A site-to-site IPsec VPN would require NAT to be skipped when an internal LAN speaks to a remote LAN IP subnet.
This would require using an IP extended ACL that can be invoked by a route-map, and then using the route-map in the ip nat inside source route-map NAT interface gi0/0/0 overload command.
The IP extended ACL would contain deny statements for LAN-to-LAN communications over the VPN, followed by the equivalent of the permit statements used in the standard ACL above.
Hope to help
Giuseppe
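The following is an added example that is not part of Giuseppe's reply or of any Cisco document: it puts together the complete router-on-a-stick configuration described above, using the route-map form of NAT that the closing note calls for so that traffic to a remote IPsec site is not translated. The 10.10.x.0/24 subnets, the subinterface-index-equals-VLAN convention and the route-map name NAT come from the reply; the ISP link 203.0.113.0/30, the remote VPN subnet 192.168.100.0/24, the ACL name NAT-INSIDE and the unused native VLAN 999 are assumptions. The IPsec tunnel itself (crypto map or VTI) is not shown.

```cisco
! Router side (ASR1001-X, IOS XE). 10.10.x.0/24 comes from the thread;
! 203.0.113.0/30 (ISP link) and 192.168.100.0/24 (remote VPN site) are assumed.
interface GigabitEthernet0/0/3
 description 802.1Q trunk to core switch
 no ip address
 no shutdown
!
interface GigabitEthernet0/0/3.30
 description VLAN 30 - subinterface index matches the VLAN id
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/3.40
 description VLAN 40
 encapsulation dot1Q 40
 ip address 10.10.40.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/3.50
 description VLAN 50
 encapsulation dot1Q 50
 ip address 10.10.50.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/0
 description to ISP (public address is an assumed placeholder)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! NAT policy. A "deny" here means "do not translate": LAN-to-remote-site flows keep
! their private source address, so the IPsec crypto ACL on GigabitEthernet0/0/0 still
! matches them. NAT runs before encryption for inside-to-outside traffic, so without
! these deny lines VPN traffic would be translated to 203.0.113.2 and never enter the tunnel.
ip access-list extended NAT-INSIDE
 remark Remote site 192.168.100.0/24 reached over the site-to-site IPsec VPN (assumed)
 deny   ip 10.10.30.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 10.10.40.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 10.10.50.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.10.30.0 0.0.0.255 any
 permit ip 10.10.40.0 0.0.0.255 any
 permit ip 10.10.50.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address NAT-INSIDE
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
!
! Switch side: the trunk facing the router. Only the three VLANs are allowed, DTP is
! disabled, and the native VLAN is moved off VLAN 1 to an unused id (999, assumed) so
! that untagged frames on this link cannot land in a production VLAN.
interface GigabitEthernet0/25
 description to ASR1001-X GigabitEthernet0/0/3
 switchport
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,50
```

To check the result: on the router, `show vlans` lists each subinterface with its 802.1Q tag and address, `show ip nat statistics` confirms the route-map is bound to the outside interface, and `show ip nat translations` should show entries for hosts browsing the Internet but none for flows to 192.168.100.0/24. On the switch, `show interfaces trunk` shows the allowed and native VLANs. Note that NAT overload by itself does not filter unsolicited inbound traffic to the router's own public address; an inbound ACL or a zone-based firewall on GigabitEthernet0/0/0 is still needed, and is not shown here.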
07-11-2019 01:13 AM
All fixed thank you
04-25-2024 12:24 PM - edited 04-25-2024 12:25 PM
I have an ASR 10G interface that is connected to native VLAN 1 in an HP switching fabric (8 switches) for databases (inside on the ASA). Now I want to create a subinterface on that same 10G interface to another set of switches that are also on a separate switch fabric (4 switches, app/web servers, DMZ on the ASA). Currently they talk to each other only through the ASA. Since both sets of switches are on VLAN 1, how would I do this? The other side of the ASR goes to an AWS Direct Connect environment, and we need to move data between the data center and AWS.