How do I configure three separate internal network (private) to access the internet using a single ISP nat outside access

Wendell Taroa
Level 1

Hello, I hope there is someone who can share some "CISCO luminous sparks" on my network issue.
I have a network where we plan to configure three VLANs for our internal network using private IP address space.
We are using an ISR Cisco 892 FSP router which has switch ports, which the ISP took advantage of to configure one VLAN which
they named Data. After that, one of the switch ports was configured with switchport access VLAN 200, which is then connected to
our unconfigured Cisco 2960-X series switch connecting our internal network. We do not have a server and are using our router to
provide DHCP, and with such a network with greedy users and applications, congestion became an issue because it is too big a broadcast domain,
as per my ip dhcp binding results. I must find a way to rectify this, and it is going to be through VLANs.

Extracts of the necessary configurations I wish to share are here to give you
an idea of our network logical configuration:

interface Vlan200
description DATA
ip address 10.188.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-LIST interface Virtual-PPP10 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP10
ip route 172.18.0.0 255.255.0.0 172.18.0.5
!
ip access-list standard NAT-LIST
permit 10.188.1.0 0.0.0.255

Following these configurations, I would like to configure two other networks, network 10.188.2.0 and network 10.188.3.0,
to also have similar access as above, utilizing the same NAT point (Virtual-PPP10 overload).
Please share some CISCO "luminous sparks" project.

2 Accepted Solutions

Hello,

your best option would be to use subinterfaces on the 892, and connect one of the routed ports to the 2960X (make sure the port connected on the 2960X is a trunk port). Below is a sample config. Make sure you create the Vlans (which are arbitrary, you might use other Vlan numbers) on the router as well:


ip dhcp excluded-address 10.188.1.1
ip dhcp excluded-address 10.188.2.1
ip dhcp excluded-address 10.188.3.1
!
ip dhcp pool VLAN200
network 10.188.1.0 255.255.255.0
default-router 10.188.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VLAN201
network 10.188.2.0 255.255.255.0
default-router 10.188.2.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VLAN202
network 10.188.3.0 255.255.255.0
default-router 10.188.3.1
dns-server 8.8.8.8 8.8.4.4
!
interface FastEthernet8
description Trunk to 2960X
!
interface FastEthernet8.200
encapsulation dot1q 200
ip address 10.188.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet8.201
encapsulation dot1q 201
ip address 10.188.2.1 255.255.255.0
ip nat inside
!
interface FastEthernet8.202
encapsulation dot1q 202
ip address 10.188.3.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT-LIST interface Virtual-PPP10 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP10
ip route 172.18.0.0 255.255.0.0 172.18.0.5
!
ip access-list standard NAT-LIST
permit 10.188.1.0 0.0.0.255
permit 10.188.2.0 0.0.0.255
permit 10.188.3.0 0.0.0.255
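The whole question turns on whether every subnet behind an "ip nat inside" interface is also permitted in NAT-LIST; a subnet left out is simply not translated and never reaches the Internet. Below is an added Python checker (my example, not code from the thread or from Cisco) that parses a config in the layout above and reports inside interfaces the NAT ACL does not fully cover. SAMPLE is a constructed config with 10.188.3.0/24 deliberately missing, the function names are my own, and the parser assumes static "ip address A M" lines and "!" separators between blocks, as in the configs posted here.

```python
import ipaddress
# Constructed sample (not text from the thread): the accepted answer's layout, with 10.188.3.0/24 left out of NAT-LIST.
SAMPLE = """interface FastEthernet8.200
ip address 10.188.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet8.202
ip address 10.188.3.1 255.255.255.0
ip nat inside
!
ip access-list standard NAT-LIST
permit 10.188.1.0 0.0.0.255
permit 10.188.2.0 0.0.0.255
"""
HEADERS = ("interface ", "ip access-list standard ")
def sections(config):
    """Group lines into (header, body) blocks; a '!' line closes the block, indentation is optional."""
    blocks, open_block = [], False
    for s in (line.strip() for line in config.splitlines()):
        if s.startswith(HEADERS):
            blocks.append((s, []))
            open_block = True
        elif s == "!":
            open_block = False
        elif open_block:
            blocks[-1][1].append(s)
    return blocks

def nat_inside_subnets(config):
    """Map each interface carrying 'ip nat inside' to its configured subnet."""
    out = {}
    for header, body in sections(config):
        if header.startswith("interface ") and "ip nat inside" in body:
            ip, mask = next(c.split()[2:4] for c in body if c.startswith("ip address "))
            out[header.split(None, 1)[1]] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return out

def acl_permits(config, acl):
    """Networks permitted by a standard named ACL, in 'host X' or 'X wildcard' form."""
    nets = []
    for p in (c.split() for h, b in sections(config) if h == f"ip access-list standard {acl}" for c in b):
        if p[0] == "permit":
            # IOS wildcard 0.0.0.0 (like 'host') means one address; ipaddress would read 0.0.0.0 as a /0 netmask
            addr, wild = (p[2], "32") if p[1] == "host" else (p[1], "32" if p[2] == "0.0.0.0" else p[2])
            nets.append(ipaddress.ip_network(f"{addr}/{wild}", strict=False))
    return nets

def unnatted_inside(config, acl="NAT-LIST"):
    """Inside interfaces whose subnet no permit entry of the NAT ACL fully covers."""
    permits = acl_permits(config, acl)
    return sorted(name for name, net in nat_inside_subnets(config).items()
                  if not any(net.subnet_of(p) for p in permits))
print(unnatted_inside(SAMPLE))  # ['FastEthernet8.202']
```

Run it against the output of "show running-config" after each VLAN you add; an empty list means every inside subnet will be translated by the overload rule.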

Wendell Taroa
Level 1

It was really awesome to look back down the lane where intellectual freedom is really expressed in technology. This question and the remarkable response have been a great and spontaneous benchmark from which we actually kicked off in our server room some years back; it would not have been so without the help from the Cisco community. I just love it.

4 Replies

Sergey Lisitsin
VIP Alumni

Wendell Taroa,

All you need to do to make it happen is add your new LAN interfaces; for example, copy the configuration of VLAN 200, giving it a new VLAN number and a new IP address. Also, add the new network into your NAT access list. That's all.

For example:

interface Vlan201
description DATA1
ip address 10.188.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip access-list standard NAT-LIST
permit 10.188.1.0 0.0.0.255
permit 10.188.2.0 0.0.0.255

That's it.

Giuseppe Larosa
Hall of Fame

Hello Wendell,

you can create additional Vlans 201 and 202 on both the router C892 and the Catalyst 2960 (on the Cat2960 you probably need to create Vlan 200 too if it is used with the default configuration).

Router

config t
vlan 201
name DATA2
vlan 202
name DATA3
exit
int vlan 201
desc DATA2
ip address 10.188.2.1 255.255.255.0
ip nat inside
no shut
exit
int vlan 202
desc DATA3
ip address 10.188.3.1 255.255.255.0
ip nat inside
no shut
exit


Now the router physical port to the switch has to be configured in the following manner:

interface gi2
description to the C2960 giX
switchport
switchport mode trunk
switchport trunk allowed vlan 200,201,202




The NAT ACL has to be updated as follows:

ip access-list standard NAT-LIST
permit 10.188.1.0 0.0.0.255
permit 10.188.2.0 0.0.0.255
permit 10.188.3.0 0.0.0.255


You need to gain access to the switch via a console cable and configure it for the three Vlans and to be managed remotely.

Let us suppose the default username/password cisco/cisco is still there; you access the console with it.

If you get the enable prompt (#), you can do the following:

config t
vlan 200
name DATA
vlan 201
name DATA1
vlan 202
name DATA2
exit
int vlan 200
ip address 10.188.1.2 255.255.255.0
description management
no shut
exit
ip default-gateway 10.188.1.1


The switch port connected to the router can be found using:

show cdp neighbors

Let us suppose it is gi0/0; you need to configure it as a trunk carrying Vlans 200, 201 and 202:

interface gi0/0
description to router:gi2
switchport
switchport mode trunk
switchport trunk allowed vlan 200,201,202


WARNING NOTE:

There is an important impact in this change: up to now you have used the default configuration on the switch, which means all ports are access ports in Vlan 1.

With the proposed change you need to move all access ports to vlan 200; then selected ports will be in vlan 201 and other selected ports in vlan 202.

config t
interface range gi0/1 - 24
switchport
switchport access vlan 200


To be able to telnet to the switch you need the following config:

config t
line vty 0 4
login local
privilege level 15
exit

It is recommended to configure a username and password pair of your choice and to remove the default cisco/cisco:

username myadmin privilege 15 password <your-password>

It is wise also to set an enable password on the switch if you are not able to reach level 15 by telnet:

enable secret <your-secret-password>

Note: the enable secret will be encrypted; you must remember the password you have entered to be able to use it later.

 

Hope to help

Giuseppe