cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4290
Views
15
Helpful
2
Replies

ASR1001-x VLANS on Sub-interfaces

RBrien
Level 1
Level 1

We have just installed an ASR1001-x router and need to suport 3 vlans at present 

is there any information/documentation on how to do this 

 

At present we have three sub-interfaces on Physical Port G0/0/3 - namely 0/0/3.3, 0/0/3.4 and 0/0/3.5

how do i configure the Physical and Logical ports to comunicate with the LAN and Internet.

 

Any suggestions or references will be greatly appreciated.

 

With kind regards, Rob.

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Rbrien,

you need to associate each subinterface to the desired Vlan id

 

Example:

int gi0/0/3

no shut

no ip address

int gi0/0/3.3

encapsulation dot1q 30

ip address 10.10.30.1 .255.255.255.0

exit

int gi0/0/3.4

enc dot1q 40

ip address 10.10.40.1 255.255.255.0

exit

int gi0/0/3.5

enc dot1q 50

ip address 10.10.50.1 255.255.255.0

 

note: usually best practice is to use a subinterface index equal to the Vlan id you want to associate

example

int gi0/0/3.60

enc dot1q 60

 

This helps in troubleshooting, but the subinterface index can be different then the associated Vlan with the encapsulation command.

 

The gi0/0/3 port has to be connected to a switch configured as an 802.1Q trunk allowing all necessary Vlans

 

Example:

int gi0/25

desc to ASR1001 : gi0/0/3

switchport

switchpot mode trunk

switchport trunk allowed vlan 30,40,50

!

 

This should allow the new router to act as a router on a stick using subinterfaces and performs inter Vlan routing if required.

 

For Internet access you will need to use NAT = Network Address translation.

 

all internal interfaces will have ip nat inside command

 

int gi0/0/3.x

ip nat inside

 

the interface to the internet having a public IP address (likely) for example gi0/0/0

will have ip nat outside

int gi0/0/0

desc interface to internet

! public IP address

ip nat outside

 

Then you will define an access--list like the following

 

access-list 11 permit 10.10.30.0 0.0.0.255

access-list 11 permit 10.10.40.0 0.0.0.255

access-list 11 permit 10.10.50.0 0.0.0.255

 

! key command to enable NAT, the overload option is needed to allow multiple internal hosts to access the internet

ip nat inside source list 11 interface gi0/0/0 overload

 

Note:

the NAT configuration proposed above is a basic setup that works well if you haven't IPSEC VPNs with remote sites and a single exit interface to the internet.

The IPSEC VPN site to site would require NAT to be skipped when an internal LAN speaks to a remote LAN IP subnet.

This would require using an IP extended ACL that can be invoked by a route-map and then using the route-map in the ip nat inside source route-map NAT interface gi0/0/0 overload command.

The IP extended ACLs would contain deny statements for LAN to LAN communications over VPN and then the equivalent of permit statements used in the standard ACL used above.

 

Hope to help

Giuseppe

 

View solution in original post

2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Rbrien,

you need to associate each subinterface to the desired Vlan id

 

Example:

int gi0/0/3

no shut

no ip address

int gi0/0/3.3

encapsulation dot1q 30

ip address 10.10.30.1 .255.255.255.0

exit

int gi0/0/3.4

enc dot1q 40

ip address 10.10.40.1 255.255.255.0

exit

int gi0/0/3.5

enc dot1q 50

ip address 10.10.50.1 255.255.255.0

 

note: usually best practice is to use a subinterface index equal to the Vlan id you want to associate

example

int gi0/0/3.60

enc dot1q 60

 

This helps in troubleshooting, but the subinterface index can be different then the associated Vlan with the encapsulation command.

 

The gi0/0/3 port has to be connected to a switch configured as an 802.1Q trunk allowing all necessary Vlans

 

Example:

int gi0/25

desc to ASR1001 : gi0/0/3

switchport

switchpot mode trunk

switchport trunk allowed vlan 30,40,50

!

 

This should allow the new router to act as a router on a stick using subinterfaces and performs inter Vlan routing if required.

 

For Internet access you will need to use NAT = Network Address translation.

 

all internal interfaces will have ip nat inside command

 

int gi0/0/3.x

ip nat inside

 

the interface to the internet having a public IP address (likely) for example gi0/0/0

will have ip nat outside

int gi0/0/0

desc interface to internet

! public IP address

ip nat outside

 

Then you will define an access--list like the following

 

access-list 11 permit 10.10.30.0 0.0.0.255

access-list 11 permit 10.10.40.0 0.0.0.255

access-list 11 permit 10.10.50.0 0.0.0.255

 

! key command to enable NAT, the overload option is needed to allow multiple internal hosts to access the internet

ip nat inside source list 11 interface gi0/0/0 overload

 

Note:

the NAT configuration proposed above is a basic setup that works well if you haven't IPSEC VPNs with remote sites and a single exit interface to the internet.

The IPSEC VPN site to site would require NAT to be skipped when an internal LAN speaks to a remote LAN IP subnet.

This would require using an IP extended ACL that can be invoked by a route-map and then using the route-map in the ip nat inside source route-map NAT interface gi0/0/0 overload command.

The IP extended ACLs would contain deny statements for LAN to LAN communications over VPN and then the equivalent of permit statements used in the standard ACL used above.

 

Hope to help

Giuseppe

 

All fixed thank you

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: