
Problem with LAN and WAN in same switch.

gkonheiser
Level 1

I am trying to figure out why the following hardware config will not work. I must be missing something obvious? I have my LAN, 192.168.1.0, plugged into my Cat 2960. I want to also plug the WAN interface of my ISP's router, 212.xxx.xxx.25 (my default route), into the same switch and plug the WAN interface of my router, 212.xxx.xxx.26, into the same switch. When I have this setup I can ping from the router out to the web but not from my clients in my LAN. I hope I have explained this well. Any help much appreciated.


jyoung
Level 1

What is the default gateway of the clients on your LAN?


Jon Marshall
Hall of Fame

So to clarify you have a router with 2 fast ethernet interfaces + an ISP router interface. You have connected all 3 interfaces into a 2960 switch so -

int fa0/0 is the LAN interface  -> 192.168.1.x

int fa0/1 is the WAN interface ->  212.x.x.26

int fa0/? is the interface on the ISP router  -> 212.x.x.25

if the above is correct then things to check -

1) 2 VLANs on the switch - one for the 192.168.1.x subnet and one for the 212.x.x subnet?

2) default-gateway of clients set to fa0/0 interface on your router

3) default-route on your router pointing to 212.x.x.25

4) NAT is set up on your router, i.e. you need this config -

int fa0/0   <-- this is your LAN interface

ip nat inside

int fa0/1  <-- this is your WAN interface

ip nat outside

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 101 interface fa0/1 overload

By the way, this is not a recommended setup, i.e. having your LAN and your internet subnet on the same switch. You should really have separate switches for this.

Jon

Hi There

Yes, all ethernet interfaces go into the 2960: f0/0 LAN 192.168.1.x, f0/1 WAN 212.x.x.26 and f0/? on the ISP's router 212.x.x.25.

The config on the router is good, as when I don't have everything running into the 2960 it works fine.

1) Why do they need to be in separate VLANs, would it not work if they were in the same VLAN?

2) Yes, default gateway for LAN is set correctly.

3) Also set correctly.

4) NAT is all good.

Why is this not a recommended setup?

Thanks again for taking the time to help me.

1) Never tried it with one VLAN to be honest, but I suspect it may well confuse the router. The logical setup is to segregate the subnets with the router and not have both subnets in the same VLAN.

The problem with this setup is your LAN switch is exposed to the internet. So if your switch has a bug for example where a malformed packet could bring it down then you not only lose the internet, you lose your entire LAN as well.

General best practice would be to keep your LAN separate from the internet side so the router in your case acts as a firewall between you and the rest of the world. By putting it all on one switch you are blurring the lines, and with one VLAN it is even more blurred.

First I would try using 2 VLANs on the switch, one for the LAN and one for the outside.

Jon
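
The two-VLAN layout suggested above, written out as a 2960 configuration. This is an added example, not part of the original thread: the VLAN IDs and names, the switch port numbers and the management address 192.168.1.2 are assumptions. Only the LAN VLAN gets a switch IP address, so the switch has no layer 3 presence in the outside VLAN.

```cisco
! Added example. VLAN IDs, names, port numbers and the
! management address are assumptions, not from the thread.
vlan 10
 name LAN
vlan 20
 name OUTSIDE
!
! Router fa0/0, the LAN side (192.168.1.x)
interface FastEthernet0/1
 description router-fa0/0-LAN
 switchport mode access
 switchport access vlan 10
!
! Router fa0/1, the WAN side (212.x.x.26)
interface FastEthernet0/2
 description router-fa0/1-WAN
 switchport mode access
 switchport access vlan 20
!
! ISP router (212.x.x.25), same VLAN as the router's WAN port
interface FastEthernet0/3
 description isp-router
 switchport mode access
 switchport access vlan 20
!
! LAN client ports
interface range FastEthernet0/4 - 24
 switchport mode access
 switchport access vlan 10
!
! Manage the switch from the LAN VLAN only. No "interface Vlan20"
! is created, so the switch has no address on the outside subnet.
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
! Check the port-to-VLAN mapping from exec mode with: show vlan brief
```

With this layout the only path between VLAN 10 and VLAN 20 is through the router, so the NAT and default-route settings listed earlier in the thread are what carry client traffic out.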

Hi Jon

I see your point, I will try with 2 VLANs and see if that works. I will keep you posted on my progress, thanks for your help.

Gordon