router on a stick + routed public range

stevehillin
Level 1

Greetings.

I understand router on a stick for inter-vlan routing, but where I'm having trouble is having one of the vlans be public addresses. One of my clients has a rack in a colo where there is no router, i.e. their /24 public network has .1 of the network assigned to a colo router, then they have a 2960G switch in the rack that all the gear is connected to. Public IPs are assigned to certain devices / servers with .1 as their GW. Problem is, they also have a private range on the same switch with no vlans, and things are a little 'cluttered' and there is no control of traffic.

The assets I have are a 2821 router with (2) GigE interfaces and the 2960G switch. A /30 network is going to be assigned on the colo gear to use to push the entire /24 down to the cabinet. I'm going to NAT the local 10.100.x addresses on vlan 10 and I want the public traffic on vlan 20. During a recent test, the private traffic worked as expected but the public traffic didn't work. I don't need a complete config, more of a 10,000 ft. view of how this needs to be done so (a) traffic is vlan'd to keep things segmented, (b) I can static inside / outside public addresses from the /24 to reduce the number of public addresses being assigned directly to servers (some of this is unavoidable, but the less the better), and (c) I can NAT the local subnet to either the /24 or the /30 (not very much traffic in this way).

Any help is appreciated.

EDIT: The switch is a C2960S, not G. I cannot enable lanbase-routing, it is apparently unavailable.

*    1 26    WS-C2960S-24TS-S   12.2(55)SE3           C2960S-UNIVERSALK9-M

5 Replies

Jon Marshall
Hall of Fame

Steve

So what you have is -

vlan 10 (private addressing)  (gi0/0.10)

                                                        --- 2821  (gi0/1)  /30 subnet -> ?

vlan 11 (public addressing)  (gi0/0.11)

can you confirm the above is a correct summary ?

It should be relatively straightforward. The only doubt I have is whether the router will handle having an interface (gi0/0.11) with a public IP and the devices connected with public IPs in vlan 11 and that you can then use the rest of the public addressing for static NAT entries. I think due to the order of routing and NAT you should be fine. If not you can always subnet down the public class C.

If the above setup is what you have then -

1) do you know how to set up vlans on the switch

2) are you okay with the interface config on the 2821 ?

3) the NAT config ?

Jon

Jon,

Yes, that is exactly correct, and I had it configured as such for the test. The only issue I had was that the public traffic didn't appear to be passing, even though they were being tagged correctly on the switch. The private traffic was fine and was doing NAT as expected. I did have a default route in place to route to the /30.

Yes, I can handle the configs just fine. I was tagging ports on the switch with access vlan {x} and dot1q encap (is the only option on this switch), with a trunked switchport to the router. On the NAT, I had an overload pool set up and an access list to allow the private subnet.

I'm going to do some more testing shortly. Maybe I can use another RFC 1918 address scheme to test with without breaking anything.

Steve

Using public or private should make no difference as the switch and router will treat them no differently.

Could you ping between public and private vlans ?

Can you confirm the /24 public range is being routed to the outside interface of your 2821 from whichever device that connects to ?

Jon

I set up a quick and dirty test with the RFC 1918 addresses and yes, I can ping between subnets (by specifying a source IP that is the vlan IP on the switch), but I cannot hit my /30 interface (this port has nothing plugged in to it, so I don't know if the router isn't trying because there is no link or there is something else wrong) from either vlan.

Here is the pertinent config from the router:

interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1.10
 description Private Interfaces
 encapsulation dot1Q 10
 ip address 10.100.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.20
 description Public Interfaces
 encapsulation dot1Q 20
 ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.1
no ip http server
no ip http secure-server
!
!
ip nat pool ovrld 172.16.1.2 172.16.1.2 netmask 255.255.255.252
ip nat inside source list 7 pool ovrld overload
!
access-list 7 permit 10.100.6.0 0.0.0.255

...and the switch:

vlan 10
 name Private
!
vlan 20
 name Public
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan10
 ip address 10.100.6.2 255.255.255.0
!
interface Vlan20
 ip address 192.168.1.2 255.255.255.0

Steve

If the /30 interface has nothing connected then no, it won't respond to ping. I suspect if you set up the same as above with one vlan using public addressing it should make no difference, i.e. you should still be able to ping between the vlans.

I suspect this could be a routing issue, i.e. what does the 2821 connect to on its outside interface. Whatever device that is will need to know how to reach the /24 public subnet, i.e. via the 2821 outside interface.

Jon
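The checks Jon walks through above (is the VLAN tag allowed on the trunk, which subinterfaces are NAT inside/outside, and whether the public range is routed rather than translated so the upstream device must know the route) can be run against the posted configs mechanically. The script below is an added example, not code from the thread; the config strings are constructed to mirror the posted router and switch config, with 192.168.1.0/24 standing in for the public /24 as in Steve's test.

```python
import re
from ipaddress import ip_interface, ip_network
# Constructed to mirror the thread's config; 192.168.1.0/24 stands in for the public /24.
ROUTER_CFG = """\
interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.100.6.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.1.1 255.255.255.0
access-list 7 permit 10.100.6.0 0.0.0.255
"""
SWITCH_CFG = "switchport trunk allowed vlan 10,20\n"  # constructed: the trunk port facing the router
def parse_interfaces(cfg):
    # Map each 'interface NAME' header to the block of indented lines beneath it.
    parts = re.split(r"(?m)^interface (\S+)\n", cfg)[1:]  # [name, body, name, body, ...]
    return {n: "\n".join(l.strip() for l in b.splitlines() if l.startswith(" "))
            for n, b in zip(parts[::2], parts[1::2])}
def allowed_vlans(cfg):
    # Expand 'switchport trunk allowed vlan 10,20,30-32' into a set of tags.
    m = re.search(r"switchport trunk allowed vlan (\S+)", cfg)
    tags = set()
    for part in (m.group(1) if m else "1-4094").split(","):  # IOS default: all VLANs allowed
        lo, _, hi = part.partition("-")
        tags.update(range(int(lo), int(hi or lo) + 1))
    return tags
def lint(router_cfg, switch_cfg):
    ifaces, trunk, findings = parse_interfaces(router_cfg), allowed_vlans(switch_cfg), []
    nat_acl = [ip_network(f"{a}/{w}") for a, w in  # ipaddress accepts ACL wildcard masks
               re.findall(r"access-list \d+ permit (\S+) (\S+)", router_cfg)]
    outside = next((re.search(r"ip address (\S+)", b).group(1)
                    for b in ifaces.values() if "ip nat outside" in b), "?")
    for name, body in ifaces.items():
        tag = re.search(r"encapsulation dot1Q (\d+)", body)
        addr = re.search(r"ip address (\S+) (\S+)", body)
        if tag and int(tag.group(1)) not in trunk:
            findings.append(f"{name}: VLAN {tag.group(1)} is not allowed on the switch trunk")
        if not addr or "ip nat outside" in body:
            continue
        net = ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
        in_acl = any(net.overlaps(n) for n in nat_acl)
        if ("ip nat inside" in body) != in_acl:
            findings.append(f"{name}: 'ip nat inside' and the NAT ACL disagree for {net}")
        elif not in_acl:  # public VLAN: forwarded untranslated, so the upstream must route it here
            findings.append(f"{name}: {net} is routed, not NATed; upstream needs a route via {outside}")
    return findings
```

For the posted config the only finding is the one Jon ends on: the public subnet behind Gi0/1.20 is forwarded untranslated, so whatever sits on the far side of the /30 needs a route for it pointing at 172.16.1.2.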
