WAN Access for Switch VLANs via Router Config Examples

derrwill
Cisco Employee

Hello Forum,

Hopefully this is the proper channel for this type of request. I have a customer who is looking for some online documentation that shows the configurations needed to accomplish the following:

They have a L3 switch (3560-E) where all their VLANs are located and doing interVLAN routing and wish to use their ISR 871w as a default gateway to the Internet for all their VLANs configured on the switch. They want to leave the router as only an external device (to handle all traffic that comes and goes outside) and keep all other internal functions like DHCP, etc. on the 3560-E.

They are primarily looking for guidance on the NAT and IP routing configurations needed on the ISR and switch to accomplish this.

Any documents or configuration examples that you can reference will be greatly appreciated!

Thanks in advance!

Accepted Solutions

Peter Paluch
Cisco Employee

Hello,

I do not know any document that would describe this scenario but this looks like a pretty basic configuration. The primary ideas are:

  1. The 3560 should be connected to the 871 via a routed link, i.e. the port on the 3560 will be configured using the no switchport command and assigned a (possibly private) IP address. The 871 attached to this port will have another IP address assigned from the same network.
  2. The 3560 must be configured with a default route pointing to the IP address of the router. This is accomplished by a simple static default route entered on the 3560.
  3. The 871 must know about the addresses of all VLANs attached to the 3560 to be able to route packets to them. This can be accomplished either by a set of static routes configured on the 871, or a routing protocol can be run between 3560 and 871 to perform this task.
  4. The 871 will be configured with NAT according to the customer's requirements.

As an example:

3560:

    interface FastEthernet0/24
     description => Connection to 871 <=
     no switchport
     ip address 10.255.255.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.255.255.1
    !
    router rip ! Choose any protocol supported by both 3560 and 871
     version 2
     no auto-summary
     passive-interface default
     no passive-interface FastEthernet0/24
     network 10.0.0.0
     network ... ! Network statements for individual addresses in VLANs

871:

    interface FastEthernet0/0
     description => Connection to 3560-E <=
     ip address 10.255.255.1 255.255.255.252
     ip nat inside
     no shutdown
    !
    interface XXX ! The WAN interface
     ip nat outside
     ! All other necessary configuration
    !
    router rip ! Choose any protocol supported by both 3560 and 871
     version 2
     no auto-summary
     passive-interface default
     no passive-interface FastEthernet0/0
     network 10.0.0.0
    !
    ip access-list standard NAT
     permit N.N.N.N M.M.M.M ! Permit a VLAN for NAT
     permit N.N.N.N M.M.M.M ! Permit a VLAN for NAT
     ...
    !
    ip nat inside source list NAT interface XXX overload
    !
    ip route 0.0.0.0 0.0.0.0 I.I.I.I ! Substitute with appropriate ISP's next hop router

Does this help at least a little? Please feel welcome to ask further!

Best regards,

Peter
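
Added example, not part of the original post: a Python helper that fills in the `permit N.N.N.N M.M.M.M` placeholders with wildcard masks, emits the static-route alternative from idea 3 (next hop 10.255.255.2), and reports VLAN subnets the NAT ACL does not cover. The function names and the sample VLAN subnets are assumptions constructed for illustration.

```python
import ipaddress

# Transit link and next hop taken from the example config above.
TRANSIT = ipaddress.ip_network("10.255.255.0/30")
SWITCH_NEXT_HOP = ipaddress.ip_address("10.255.255.2")  # 3560 Fa0/24


def build_871_config(vlan_subnets, acl_name="NAT"):
    """Return IOS lines for the 871: one static route and one NAT ACL
    entry per VLAN subnet. Raises ValueError on overlapping input."""
    nets = [ipaddress.ip_network(s) for s in vlan_subnets]  # strict: rejects host bits
    for i, net in enumerate(nets):
        if net.overlaps(TRANSIT):
            raise ValueError(f"{net} overlaps transit link {TRANSIT}")
        for other in nets[i + 1:]:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
    routes = [f"ip route {n.network_address} {n.netmask} {SWITCH_NEXT_HOP}" for n in nets]
    acl = [f"ip access-list standard {acl_name}"]
    # Standard ACLs take a wildcard (inverse) mask, not the subnet mask.
    acl += [f" permit {n.network_address} {n.hostmask}" for n in nets]
    return routes + ["!"] + acl


def uncovered_by_acl(vlan_subnets, acl_lines):
    """Return VLAN subnets not fully matched by any 'permit addr wildcard' line,
    i.e. VLANs that would be routed to the WAN interface without translation."""
    permitted = []
    for line in acl_lines:
        parts = line.split("!")[0].split()  # drop trailing IOS comments
        if len(parts) == 3 and parts[0] == "permit":
            # ip_network accepts a host (wildcard) mask in place of a netmask.
            permitted.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return [s for s in vlan_subnets
            if not any(ipaddress.ip_network(s).subnet_of(p) for p in permitted)]


# Constructed sample VLAN subnets (not from the original post).
SAMPLE_VLANS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.32.0/20"]

if __name__ == "__main__":
    config = build_871_config(SAMPLE_VLANS)
    print("\n".join(config))
    print("uncovered:", uncovered_by_acl(SAMPLE_VLANS + ["192.168.50.0/24"], config))
```
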

Peter,

Thanks for the response!

I will pass this information along to my customer.

Thanks again!
