Shared Offices - Present each office with VLAN, Public IP and LAN IP.

GetSmarts
Level 1

We have a shared fibre connection at our office block.

There are 14 individual offices.

We are using a Cisco 892-K9 Router and a WS3750G Switch.

As an interim environment we have the router acting as the DHCP server with one basic network, which has all parties connecting to it via the switch, and it is working fine.

We want to create the following infrastructure.

  1. Each office to have its own VLAN with an individual public IP address allocated to that office. We have a pool of public addresses available to us.
  2. Each office to have its own LAN range of IPs, with the DHCP functions being handled by their own internal router (usually wireless).
  3. Each office to handle their own port forwarding etc.; however, we would undertake the initial NATting to allow the public IP address access to the internet.

We are looking for advice as to the best way to achieve all this.

Any suggestions gratefully accepted.

Thank you as always.

6 Replies

It all depends on how much separation you need for the offices.

No separation needed:

Configure routing and 15 VLANs with IP interfaces on the switch and activate the DHCP server for the 14 office VLANs. One VLAN is the transfer network to the router, where you only have two interfaces (inside-int and outside-int). The router has 14 PAT rules, one for each office address space.

Separation needed:

On the switch, you configure one VLAN for each office, but no IP interfaces for them. The connection to the router is configured as a trunk. On the router you have 14 VLAN interfaces for the offices and again 14 PAT rules. The router also provides DHCP for all VLANs. For the separation you could use simple ACLs or configure a firewall to separate them.

But in this use case I would prefer an ASA or Meraki MX over the router.
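
A worked example of the "separation needed" design from this reply, added here for illustration; it is not part of the original thread and not configuration taken from the poster's devices. The 3750 stays layer 2, a dot1q trunk carries the office VLANs to the 892, and the 892 holds one SVI, one DHCP pool, one per-office PAT rule and one inbound ACL per office. Addresses are the ones used in the thread (office 202 on 192.168.22.0/24 with public 210.87.4.180, office 205 on 192.168.25.0/24 with 210.87.4.181, DNS servers 203.8.183.1 and 192.189.54.33, ISP next hop 210.8.210.185). The uplink ports (Gi1/0/1 on the switch, Fa0 on the router), the unused native VLAN 999, the secondary address 210.87.4.1, the office router's address 192.168.22.2 and the forwarded port 443 are assumptions. It also assumes, as the posted config does by using a secondary address, that the ISP delivers 210.87.4.0/24 on the same link as the /30. Note that `ip nat inside source static A B` maps exactly one host address, so "one public IP per office" is done with a pool plus a source list that matches the office subnet; the static port entry is the form for the inbound forwarding the office router then handles behind it.

```cisco
! ===== sg-sw01 (WS-C3750G): layer 2 only, one access port per office =====
vlan 202
 name OFFICE-202
vlan 205
 name OFFICE-205
vlan 999
 name NATIVE-UNUSED
!
! Office 202 (tenant's own router connects here); office 205 is the same on Gi1/0/17 with vlan 205.
interface GigabitEthernet1/0/5
 description --- Office 202 ---
 switchport mode access
 switchport access vlan 202
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink: tagged trunk, unused native VLAN, only the VLANs that are meant to cross it.
interface GigabitEthernet1/0/1
 description --- dot1q trunk to sg-rt01 Fa0 (assumed uplink ports) ---
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,202,205
 switchport mode trunk
 switchport nonegotiate
!
! ===== sg-rt01 (Cisco 892): one SVI, one DHCP pool, one PAT rule, one ACL per office =====
! VLANs 202, 205 and 999 must also exist in the router's VLAN database (exec mode: vlan database).
interface FastEthernet0
 description --- dot1q trunk to sg-sw01 Gi1/0/1 ---
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,202,205
!
interface GigabitEthernet0
 description --- WAN ---
 ip address 210.8.xxx.xxx 255.255.255.252
 ip address 210.87.4.1 255.255.255.0 secondary
 ip nat outside
!
interface Vlan202
 description --- Office 202 ---
 ip address 192.168.22.1 255.255.255.0
 ip access-group OFFICE-202-IN in
 ip nat inside
!
interface Vlan205
 description --- Office 205 ---
 ip address 192.168.25.1 255.255.255.0
 ip access-group OFFICE-205-IN in
 ip nat inside
!
ip dhcp excluded-address 192.168.22.1
ip dhcp pool OFFICE-202
 network 192.168.22.0 255.255.255.0
 default-router 192.168.22.1
 dns-server 203.8.183.1 192.189.54.33
!
! Tenant separation, inbound on each office SVI: DHCP and the office's own gateway are
! allowed, every other 192.168.0.0/16 destination (other offices, the transfer VLAN, the
! switch) is dropped, the internet is allowed, and packets whose source is not the office
! subnet are dropped so one tenant cannot spoof another.
ip access-list extended OFFICE-202-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.22.0 0.0.0.255 host 192.168.22.1
 deny   ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.22.0 0.0.0.255 any
 deny   ip any any
ip access-list extended OFFICE-205-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.25.0 0.0.0.255 host 192.168.25.1
 deny   ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.25.0 0.0.0.255 any
 deny   ip any any
!
! Per-office PAT: the whole office subnet leaves as that office's public address.
! The pool addresses are kept distinct from the address configured on Gi0 itself.
ip access-list standard NAT-OFFICE-202
 permit 192.168.22.0 0.0.0.255
ip nat pool PUB-OFFICE-202 210.87.4.180 210.87.4.180 netmask 255.255.255.0
ip nat inside source list NAT-OFFICE-202 pool PUB-OFFICE-202 overload
! Inbound forward to the office's own router (192.168.22.2 assumed), which forwards
! on to its LAN; one entry per exposed port is the only inbound hole per office.
ip nat inside source static tcp 192.168.22.2 443 210.87.4.180 443 extendable
!
ip access-list standard NAT-OFFICE-205
 permit 192.168.25.0 0.0.0.255
ip nat pool PUB-OFFICE-205 210.87.4.181 210.87.4.181 netmask 255.255.255.0
ip nat inside source list NAT-OFFICE-205 pool PUB-OFFICE-205 overload
!
ip route 0.0.0.0 0.0.0.0 210.8.210.185
```

Each office can still reach its own gateway address (it needs it for DHCP and DNS), so the 892's management services stay reachable from every tenant at that address and are protected only by their own access lists, such as the `ip http access-class 23` in the posted router config; keep those in place. The office router behind the static port entry needs a fixed address (a DHCP reservation or a static 192.168.22.2) or the forward will eventually point at the wrong host.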

GetSmarts
Level 1

Thank you very much for your advice. It was very much appreciated.

I have the router and switch set up (as per recommendation 1) and it is basically doing what it should, HOWEVER I cannot get external Internet access on any VLAN except for VLAN 1.

The DHCP pools are working OK from the router and the correct IP ranges are being distributed to the correct VLANs from an internal viewpoint, so we do not appear to have any issues there to date.

I have an issue with allocating the public IP addresses to the individual VLANs. I want to attach a public IP to each private range (VLAN).

For the public IPs I have added a "secondary IP" range on the router and NATted the public IP to the internal range. (Testing VLAN 202 - public IP 210.87.4.180, internal 192.168.22.1.) However I cannot get this working. (Testing before I add to the other configs.)

I have added the basic config (with security-associated code removed) for the router.

ROUTER:

sg-rt01#sh run
Building configuration...

Current configuration : 6796 bytes
!
! Last configuration change at 09:06:17 UTC Sun May 27 2018 by XXXXXXX
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname sg-rt01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.2
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.14.1
ip dhcp excluded-address 192.168.18.1
ip dhcp excluded-address 192.168.22.1
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.37.1
ip dhcp excluded-address 192.168.32.1
ip dhcp excluded-address 192.168.33.1
ip dhcp excluded-address 192.168.34.1
ip dhcp excluded-address 192.168.28.1
!
ip dhcp pool ccp-pool
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 203.8.183.1 192.189.54.33
lease 0 2
!
ip dhcp pool pool208
import all
network 192.168.28.0 255.255.255.0
default-router 192.168.28.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool102
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool104
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool108
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool202
network 192.168.22.0 255.255.255.0
default-router 192.168.22.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool205
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool307
network 192.168.37.0 255.255.255.0
default-router 192.168.37.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool302
network 192.168.32.0 255.255.255.0
default-router 192.168.32.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool303
network 192.168.33.0 255.255.255.0
default-router 192.168.33.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
ip dhcp pool pool304
network 192.168.34.0 255.255.255.0
default-router 192.168.34.1
dns-server 203.8.183.1 192.189.54.33
lease 7
!
!
ip cef
ip domain name sgrt01.XXXXXXXXXXXXX.com.au
ip name-server 203.8.183.1
ip name-server 192.189.54.33
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FHK1425797B
!
!
username XXXXXXXXXXXXXXXXXXX privilege 15 secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0
description --- XXXX WAN ---
ip address 210.8.xxx.xxx 255.255.255.252
ip address 210.87.4.180 255.255.255.0 secondary
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description --- VLAN 1 ---
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan202
description --- VLAN 202 ---
ip address 192.168.22.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 102 interface GigabitEthernet0 overload
ip nat inside source static 192.168.0.1 210.8.210.186
ip nat inside source static 192.168.12.1 210.87.4.177
ip nat inside source static 192.168.14.1 210.87.4.178
ip nat inside source static 192.168.18.1 210.87.4.179
ip nat inside source static 192.168.22.1 210.87.4.180
ip nat inside source static 192.168.25.1 210.87.4.181
ip nat inside source static 192.168.37.1 210.87.4.182
ip nat inside source static 192.168.33.1 210.87.4.184
ip nat inside source static 192.168.34.1 210.87.4.185
ip nat inside source static 192.168.28.1 210.87.4.186
ip route 0.0.0.0 0.0.0.0 210.8.210.185
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any any
!
!
!
!
!
control-plane

I am obviously missing something which I hope is relatively small.

I do not believe it is on the switch as that seems to be working very well.

Your assistance would be appreciated.

Thank you

Thank you again.

If you have the IP interfaces on the switch, then at least you need some more routes pointing to that switch. Is Vlan1 the transfer network to that switch?

Then configure one static route per VLAN on the router:

ip route 192.168.28.0 255.255.255.0 NEXT-HOP-IP-ON-SWITCH
ip route 192.168.12.0 255.255.255.0 NEXT-HOP-IP-ON-SWITCH

Your NAT configuration is not ideal, but should cover all networks. So first make sure that all internal networks can communicate out, and then we continue to improve your NAT.
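
A worked example of the routed-switch layout this reply describes (the "no separation" option, which is what the poster says they built), added here for illustration and not part of the thread or of the poster's configs. The 3750 routes between the office SVIs, relays DHCP to the pools already on the 892, and has a single default route to 192.168.0.1; the 892 reaches the office subnets only through static routes to 192.168.0.2 and therefore has no SVI of its own for them, and Vlan1 is its only NAT inside interface. Addresses are the thread's; the uplink port Gi1/0/1 and the ACL and pool names are assumptions.

```cisco
! ===== sg-sw01 (WS-C3750G): routes between the office VLANs =====
ip routing
!
interface Vlan1
 description --- transfer network to sg-rt01 ---
 ip address 192.168.0.2 255.255.255.0
!
! Office gateways live here; DHCP is relayed to the router, which picks the pool
! whose network contains the relay address (giaddr), e.g. 192.168.22.1 selects pool202.
interface Vlan202
 description --- Office 202 gateway ---
 ip address 192.168.22.1 255.255.255.0
 ip helper-address 192.168.0.1
!
interface Vlan205
 description --- Office 205 gateway ---
 ip address 192.168.25.1 255.255.255.0
 ip helper-address 192.168.0.1
!
! Everything that is not a directly connected office subnet goes to the 892.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! Office ports are plain access ports; the tenant's own router connects here.
interface GigabitEthernet1/0/5
 description --- Office 202 ---
 switchport mode access
 switchport access vlan 202
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink carries only the transfer VLAN; no office VLAN needs to reach the router at layer 2.
interface GigabitEthernet1/0/1
 description --- to sg-rt01 Fa0 (assumed uplink port) ---
 switchport mode access
 switchport access vlan 1
!
! ===== sg-rt01 (Cisco 892): Vlan1 is the only inside interface =====
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Return routes, one per office subnet, all via the switch. The router keeps no
! interface Vlan202 / Vlan205 of its own.
ip route 192.168.12.0 255.255.255.0 192.168.0.2
ip route 192.168.22.0 255.255.255.0 192.168.0.2
ip route 192.168.25.0 255.255.255.0 192.168.0.2
ip route 0.0.0.0 0.0.0.0 210.8.210.185
!
! One public address per office still works: the office source subnet is preserved
! across the switch, so a source list per office selects that office's pool.
! Keep the pool address distinct from any address configured on Gi0 itself.
ip access-list standard NAT-OFFICE-202
 permit 192.168.22.0 0.0.0.255
ip nat pool PUB-OFFICE-202 210.87.4.180 210.87.4.180 netmask 255.255.255.0
ip nat inside source list NAT-OFFICE-202 pool PUB-OFFICE-202 overload
```

The trade-off is the one the reply names: with the gateways on the switch, nothing sits in the path between office 202 and office 205, and the switch's own address 192.168.0.2 is reachable from every office. Two things to keep straight in this layout: the address 192.168.22.1 belongs to the switch alone, so the 892 must not also keep an SVI with it; and the 892 learns the office subnets only from those static routes, so a subnet without one has no return path and its hosts will see DHCP work but nothing beyond the switch.
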
Hi Karsten,

Vlan1 is the transfer network to that switch. (IP: 192.168.0.2)

I have tried adding the configs as you have mentioned but still cannot get outside access.

I have been reading up on forums but am not sure where I am going wrong. Are there any other suggestions you may have? Or are there any tests I can run to troubleshoot?

Thank you

Here is the current SWITCH Config

Current configuration : 4882 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sg-sw01
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxxxx
clock timezone AEST 10
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
no ip subnet-zero
!
ip domain-name xxxxx.xxxxxxx.xxxxxxx
ip ssh time-out 120
ip ssh authentication-retries 3
!
port-channel load-balance src-dst-ip
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
interface GigabitEthernet1/0/1
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/2
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/3
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/4
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/5
 description --- VLAN 202 ---
 switchport access vlan 202
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/6
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/7
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/8
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/9
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/10
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/11
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/12
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/13
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/14
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/15
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/16
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/17
 description --- VLAN 205 ---
 switchport access vlan 205
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/18
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/19
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/20
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/21
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/22
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/23
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/24
 no ip address
 no mdix auto
!
interface GigabitEthernet1/0/25
 no ip address
!
interface GigabitEthernet1/0/26
 no ip address
!
interface GigabitEthernet1/0/27
 no ip address
!
interface GigabitEthernet1/0/28
 no ip address
!
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan202
 ip address 192.168.22.1 255.255.255.0
!
interface Vlan205
 ip address 192.168.25.1 255.255.255.0
!
ip classless
ip http server
!
!
line con 0
 logging synchronous
 login local
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
 login local
 transport input ssh
line vty 5 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
 login
!
end

sg-sw01#
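
The tests the poster asks for, as an added checklist that is not part of the thread. Each command runs on the device named in the comment above it, and the targets are the thread's own addresses (the DNS server 203.8.183.1, the transfer addresses 192.168.0.1 and 192.168.0.2, office 202's 192.168.22.0/24 with NAT list 102); the test host 192.168.22.10 and the debug ACL 199 are assumptions. Worked top to bottom, it shows at which stage a packet from an office stops: not routed on the switch, routed but with no return route on the router, routed but not translated, or translated but not answered.

```cisco
! ----- sg-sw01 -----
! 1. Is the switch routing at all? With routing disabled this prints "Default gateway ..."
!    instead of a routing table. The posted switch config contains no "ip routing" line.
show ip route
! 2. Are the office SVIs up with the expected addresses?
show ip interface brief | include Vlan
! 3. Can the switch reach the router across the transfer VLAN?
ping 192.168.0.1
!
! ----- sg-rt01 -----
! 4. Does the router have a route back to the office subnet, and does it point at the switch
!    (via 192.168.0.2) rather than at an interface of its own?
show ip route 192.168.22.0
! 5. Which interfaces are marked inside/outside, and are any translations being created?
show ip nat statistics
! 6. From a host in office 202 (constructed test host 192.168.22.10) ping 203.8.183.1, then
!    check that a translation for that host exists while the ping runs.
show ip nat translations | include 192.168.22.10
! 7. Is the NAT source list matching? Its hit counters should increase during the ping.
show access-lists 102
! 8. Last resort: watch translation decisions for that one host only, then turn it off.
access-list 199 permit ip host 192.168.22.10 any
debug ip nat 199 detailed
undebug all
```

If step 4 shows 192.168.22.0/24 as directly connected on a Vlan202 interface of the router instead of via 192.168.0.2, the connected route wins over the static one and replies go out the router's own Vlan202, never back to the switch that actually owns the office; that is the first thing to resolve before looking at NAT.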

Hello,

The access list you use for NAT is wrong. Change it to:

access-list 102 permit ip 192.168.0.0 0.0.255.255 any
!